Play interactive tour

Edit tour

Analysis Report VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe

Overview

General Information

Sample Name:	VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe
Analysis ID:	395503
MD5:	b1b0e80b7df8ae67ed83e366f46b265b
SHA1:	53c2f6377d7cc97ccb2c718eeabbf16e00830656
SHA256:	ec455e6dcab1f953bd685bc9674dbe7e2fbf7afcbef4d731edd9a818048f2227
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to detect virtualization through RDTSC time measurements

PE file contains an invalid checksum

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe (PID: 5476 cmdline: 'C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe' MD5: B1B0E80B7DF8AE67ED83E366F46B265B)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1eFQiCYQnU0gxJtdFGliDTfHvfIG3lmKt", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.810709106.0000000000580000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.810709106.0000000000580000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1eFQiCYQnU0gxJtdFGliDTfHvfIG3lmKt", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}

Multi AV Scanner detection for submitted file

Show sources

Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Virustotal: Detection: 20%			Perma Link
Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	ReversingLabs: Detection: 19%

Machine Learning detection for sample

Show sources

Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe

Joe Sandbox ML: detected

Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1eFQiCYQnU0gxJtdFGliDTfHvfIG3lmKt

Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe, 00000000.00000002.815929680.0000000002B50000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewdmaud.drv.muij% vs VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe
Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe, 00000000.00000002.810433195.0000000000423000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameVitiations3.exe vs VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe
Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe, 00000000.00000002.815804111.0000000002A20000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameVitiations3.exeFE2X vs VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe
Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe, 00000000.00000002.815804111.0000000002A20000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameVitiations3.exeFE2XSoftSignalC vs VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe
Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe, 00000000.00000002.815804111.0000000002A20000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameVitiations3.exeFE2XSoftSignal vs VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe
Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe, 00000000.00000002.815804111.0000000002A20000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameVitiations3.exeFE2XSoftSignalN vs VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe
Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe, 00000000.00000002.815804111.0000000002A20000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameVitiations3.exeFE2XSoftSignal' vs VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe
Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe, 00000000.00000002.815804111.0000000002A20000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameVitiations3.exeFE2XSoftSignalI vs VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe
Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe, 00000000.00000002.815804111.0000000002A20000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameVitiations3.exeFE2XSoftSignal" vs VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe
Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe, 00000000.00000002.815804111.0000000002A20000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameVitiations3.exeFE2XSoftSignalT vs VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe
Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe, 00000000.00000002.812873484.00000000021F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe
Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Binary or memory string: OriginalFilenameVitiations3.exe vs VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe

Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal76.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DF84F0FE996D23CFC0.TMP

Jump to behavior

Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Virustotal: Detection: 20%
Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	ReversingLabs: Detection: 19%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.810709106.0000000000580000.00000040.00000001.sdmp, type: MEMORY

Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe

Static PE information: real checksum: 0x30b8d should be: 0x33065

Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Code function: 0_2_0040445E push edi; iretd	0_2_0040445F
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Code function: 0_2_0040527C push edx; ret	0_2_0040528B
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Code function: 0_2_004052E0 push esi; retf	0_2_004052EA
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Code function: 0_2_004032EE push edx; ret	0_2_004032EF
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Code function: 0_2_00405296 push edx; ret	0_2_0040528B
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Code function: 0_2_00401CA1 push ss; retf 0000h	0_2_00401CA2
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Code function: 0_2_00406757 push esi; iretd	0_2_004067F3
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Code function: 0_2_00403575 push 00000034h; retf	0_2_0040357E
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Code function: 0_2_004067D4 push esi; iretd	0_2_004067F3
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Code function: 0_2_004039D6 push edx; ret	0_2_004039FF
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Code function: 0_2_004035D8 push eax; ret	0_2_004035DB
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Code function: 0_2_00403F85 push ebp; ret	0_2_00403F86
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Code function: 0_2_004067A1 push esi; iretd	0_2_004067D3

Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	RDTSC instruction interceptor: First address: 000000000040A029 second address: 000000000040A029 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, 000000E4h 0x00000008 cmp eax, 000000A2h 0x0000000d cmp eax, 3Ch 0x00000010 cmp eax, 79h 0x00000013 cmp ebx, 0Bh 0x00000016 wait 0x00000017 fnclex 0x00000019 punpckldq xmm2, xmm3 0x0000001d paddsb mm0, mm4 0x00000020 punpcklwd mm0, mm4 0x00000023 punpckldq mm0, mm1 0x00000026 packuswb xmm5, xmm2 0x0000002a jmp 00007F45D4A1BDBBh 0x0000002c cmp eax, 3Fh 0x0000002f cmp ebx, 6Eh 0x00000032 cmp ebx, 00000096h 0x00000038 cmp edi, 002EAFF4h 0x0000003e movd mm1, ebx 0x00000041 movd mm1, ebx 0x00000044 movd mm1, ebx 0x00000047 movd mm1, ebx 0x0000004a jne 00007F45D4A1BC1Fh 0x00000050 inc edi 0x00000051 cmp eax, 47h 0x00000054 cmp ebx, 000000CDh 0x0000005a cmp ebx, 000000A7h 0x00000060 cmp eax, 000000DDh 0x00000065 cmp ebx, 36h 0x00000068 cmp eax, 3Ch 0x0000006b cmp eax, 68h 0x0000006e fdiv st(0), st(0) 0x00000070 psubusb xmm6, xmm6 0x00000074 paddw xmm1, xmm4 0x00000078 fldl2t 0x0000007a por xmm6, xmm1 0x0000007e psubw mm2, mm6 0x00000081 por mm1, mm2 0x00000084 jmp 00007F45D4A1BDBBh 0x00000086 cmp ebx, 000000C1h 0x0000008c cmp ebx, 000000AEh 0x00000092 cmp eax, 5Bh 0x00000095 rdtsc
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	RDTSC instruction interceptor: First address: 00000000005863AE second address: 00000000005833A8 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 test bh, ch 0x00000005 ret 0x00000006 cmp dh, bh 0x00000008 test dl, FFFFFFC4h 0x0000000b call 00007F45D4CE1CB1h 0x00000010 cmp eax, ecx 0x00000012 call 00007F45D4CDECB7h 0x00000017 test ah, bh 0x00000019 cmp cl, cl 0x0000001b cmp ch, bh 0x0000001d xor edi, edi 0x0000001f test ax, dx 0x00000022 mov ecx, 00A95F60h 0x00000027 test di, 3043h 0x0000002c push ecx 0x0000002d jmp 00007F45D4CDEDEAh 0x0000002f cmp dx, bx 0x00000032 call 00007F45D4CDEE1Bh 0x00000037 call 00007F45D4CDEE04h 0x0000003c lfence 0x0000003f mov edx, dword ptr [7FFE0014h] 0x00000045 lfence 0x00000048 ret 0x00000049 mov esi, edx 0x0000004b pushad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	RDTSC instruction interceptor: First address: 00000000005833A8 second address: 00000000005833A8 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F45D4A1BD84h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp dl, bl 0x0000001f pop ecx 0x00000020 test ax, dx 0x00000023 test edx, ebx 0x00000025 add edi, edx 0x00000027 cmp ch, FFFFFFA4h 0x0000002a dec ecx 0x0000002b nop 0x0000002c cmp ecx, 00000000h 0x0000002f jne 00007F45D4A1BD2Bh 0x00000031 push ecx 0x00000032 jmp 00007F45D4A1BD7Ah 0x00000034 cmp dx, bx 0x00000037 call 00007F45D4A1BDABh 0x0000003c call 00007F45D4A1BD94h 0x00000041 lfence 0x00000044 mov edx, dword ptr [7FFE0014h] 0x0000004a lfence 0x0000004d ret 0x0000004e mov esi, edx 0x00000050 pushad 0x00000051 rdtsc

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe, 00000000.00000002.812567759.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe, 00000000.00000002.812567759.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe, 00000000.00000002.812567759.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe, 00000000.00000002.812567759.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Process Injection1	OS Credential Dumping	Security Software Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Application Layer Protocol1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	System Information Discovery11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	21%	Virustotal	Browse
VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	19%	ReversingLabs
VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	395503
Start date:	22.04.2021
Start time:	15:54:49
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 84.7% (good quality ratio 51.2%) Quality average: 37.5% Quality standard deviation: 33.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 5 Number of non-executed functions: 7
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.862205071482885
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe
File size:	155648
MD5:	b1b0e80b7df8ae67ed83e366f46b265b
SHA1:	53c2f6377d7cc97ccb2c718eeabbf16e00830656
SHA256:	ec455e6dcab1f953bd685bc9674dbe7e2fbf7afcbef4d731edd9a818048f2227
SHA512:	e7262d9270796a6b815d6fd405b8b02db85b16531d1aa510a4976fa163722930f5006449d48d37ac57788bba0b218d2d26fa23917088dc6008a987f3f98688f7
SSDEEP:	3072:jLPrJP47wFh/t9iQ2rSjVffNeYWf7M/v3w:jJP47CRzdxNfv3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...n.yW.....................`......x.............@................

File Icon


Icon Hash:	dadadadaeeced8da

Static PE Info

General
Entrypoint:	0x401c78
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5779156E [Sun Jul 3 13:38:54 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1fa6aac839727b3340226df771ac8ef4

Entrypoint Preview

Instruction
push 0040FCB0h
call 00007F45D4F74625h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], bl
sti
clc
mov dword ptr [bx], edx
jbe 00007F45D4F74678h
mov bh, 7Bh
ret
and byte ptr [esi], dl
retf 0000h
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push ebp
push 6F6D7261h
outsb
imul esp, dword ptr [ebp+72h], 0000656Eh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
push cs
sbb dh, bl
call far 9F42h : 1AEE2F58h
leave
xlatb
pop ds
fadd qword ptr [edi+584300E6h]
jc 00007F45D4F745CAh
xor al, D8h
push edi
inc edx
xchg eax, esi
and ecx, dword ptr [ebx-40B64F1Ch]
enter 4F3Ah, ADh
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x206b4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23000	0x3916	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x174	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1fcf4	0x20000	False	0.36799621582	data	6.10209072911	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x21000	0x1254	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x23000	0x3916	0x4000	False	0.354858398438	data	5.2522569983	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x252ee	0x1628	dBase IV DBT of \200.DBF, blocks size 0, block length 4608, next free block index 40, next free block 4294901758, next used block 4294901758
RT_ICON	0x24246	0x10a8	data
RT_ICON	0x238be	0x988	data
RT_ICON	0x23456	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x23418	0x3e	data
RT_VERSION	0x23180	0x298	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaAryConstruct2, __vbaObjVar, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaVarErrI4, __vbaFPException, _CIlog, __vbaNew2, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, __vbaDerefAry1, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaLateMemCall, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Vitiations3
FileVersion	1.00
CompanyName	SoftSignal
Comments	SoftSignal
ProductName	SoftSignal
ProductVersion	1.00
FileDescription	SoftSignal
OriginalFilename	Vitiations3.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe PID: 5476 Parent PID: 5628

General

Start time:	15:55:41
Start date:	22/04/2021
Path:	C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe'
Imagebase:	0x7ff724940000
File size:	155648 bytes
MD5 hash:	B1B0E80B7DF8AE67ED83E366F46B265B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000000.00000002.810709106.0000000000580000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe PID: 5476 Parent PID: 5628 VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exeCOMMON

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	1.6%
Signature Coverage:	0%
Total number of Nodes:	256
Total number of Limit Nodes:	30

Executed Functions

Function 00411EB4, Relevance: 147.9, APIs: 79, Strings: 5, Instructions: 927
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E00411EB4(signed int _a4) {
				char _v8;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v64;
				void* _v84;
				short _v124;
				char _v200;
				short _v868;
				void* _v880;
				short _v928;
				signed int _v932;
				char _v936;
				char _v948;
				char _v952;
				intOrPtr _v972;
				char _v980;
				signed int _v1016;
				signed int _v1020;
				char _v1028;
				signed int _v1036;
				intOrPtr _v1044;
				char _v1112;
				char _v1116;
				char _v1120;
				intOrPtr _v1144;
				char _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1496;
				signed int _v1500;
				signed int _v1504;
				intOrPtr* _v1608;
				intOrPtr* _v1612;
				signed int _v1616;
				signed int _v1620;
				intOrPtr* _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				intOrPtr* _v1644;
				signed int _v1648;
				intOrPtr* _v1652;
				signed int _v1656;
				intOrPtr* _v1660;
				signed int _v1664;
				intOrPtr* _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				intOrPtr* _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				intOrPtr* _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _t507;
				signed int _t511;
				signed int _t515;
				signed int _t519;
				signed int _t528;
				signed int _t532;
				signed int _t536;
				signed int _t540;
				signed int _t544;
				signed int _t557;
				signed int _t561;
				signed int _t568;
				signed int _t572;
				char* _t574;
				signed int _t584;
				signed int _t589;
				signed int _t594;
				signed int _t598;
				signed int _t602;
				signed int _t608;
				signed int _t613;
				signed int _t623;
				signed int _t629;
				signed int _t642;
				signed int _t649;
				signed int _t653;
				signed int _t659;
				signed int _t668;
				signed int _t673;
				char* _t675;
				signed int _t682;
				signed int _t687;
				signed int _t694;
				void* _t695;
				char* _t702;
				intOrPtr _t713;
				intOrPtr _t717;
				signed int* _t720;
				char* _t726;
				signed int* _t736;
				char* _t747;
				void* _t751;
				void* _t755;
				intOrPtr _t759;
				long long* _t760;
				long long* _t761;
				long long* _t762;
				long long* _t763;
				signed int _t767;

				 *[fs:0x0] = _t759;
				L00401A50();
				_v28 = _t759;
				_v24 = E00401178;
				_v20 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, _t751, _t755, _t695,  *[fs:0x0], 0x401a56);
				_v8 = 1;
				_push(0x11);
				_push(0x411764);
				_push( &_v64);
				L00401C5A();
				_v8 = 2;
				if( *0x421010 != 0) {
					_v1608 = 0x421010;
				} else {
					_push(0x421010);
					_push(0x410168);
					L00401C4E();
					_v1608 = 0x421010;
				}
				_push( *((intOrPtr*)( *((intOrPtr*)( *_v1608)) + 0x328))( *_v1608));
				_t507 =  &_v952;
				_push(_t507);
				L00401C54();
				_v1160 = _t507;
				_v1020 = 0x80020004;
				_v1028 = 0xa;
				if( *0x421010 != 0) {
					_v1612 = 0x421010;
				} else {
					_push(0x421010);
					_push(0x410168);
					L00401C4E();
					_v1612 = 0x421010;
				}
				_t511 =  &_v948;
				L00401C54();
				_v1152 = _t511;
				_t515 =  *((intOrPtr*)( *_v1152 + 0x1c0))(_v1152,  &_v932, _t511,  *((intOrPtr*)( *((intOrPtr*)( *_v1612)) + 0x32c))( *_v1612));
				asm("fclex");
				_v1156 = _t515;
				if(_v1156 >= 0) {
					_v1616 = _v1616 & 0x00000000;
				} else {
					_push(0x1c0);
					_push(0x411498);
					_push(_v1152);
					_push(_v1156);
					L00401C48();
					_v1616 = _t515;
				}
				L00401A50();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t519 =  *((intOrPtr*)( *_v1160 + 0x1ec))(_v1160, _v932, 0x10);
				asm("fclex");
				_v1164 = _t519;
				_t767 = _v1164;
				if(_t767 >= 0) {
					_v1620 = _v1620 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x411498);
					_push(_v1160);
					_push(_v1164);
					L00401C48();
					_v1620 = _t519;
				}
				_t702 =  &_v932;
				L00401C42();
				_push( &_v952);
				_push( &_v948);
				_push(2);
				L00401C3C();
				_t760 = _t759 + 0xc;
				_v8 = 3;
				_push(0x4112e8);
				L00401C2A();
				L00401C30();
				L00401C36();
				asm("fcomp qword [0x401948]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t767 != 0) {
					_v8 = 4;
					L00401C24();
					_v8 = 5;
					if( *0x421408 != 0) {
						_v1624 = 0x421408;
					} else {
						_push(0x421408);
						_push(0x4114cc);
						L00401C4E();
						_v1624 = 0x421408;
					}
					_v1152 =  *_v1624;
					_t682 =  *((intOrPtr*)( *_v1152 + 0x14))(_v1152,  &_v948);
					asm("fclex");
					_v1156 = _t682;
					if(_v1156 >= 0) {
						_v1628 = _v1628 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x4114bc);
						_push(_v1152);
						_push(_v1156);
						L00401C48();
						_v1628 = _t682;
					}
					_v1160 = _v948;
					_t687 =  *((intOrPtr*)( *_v1160 + 0x110))(_v1160,  &_v932);
					asm("fclex");
					_v1164 = _t687;
					if(_v1164 >= 0) {
						_v1632 = _v1632 & 0x00000000;
					} else {
						_push(0x110);
						_push(0x4114dc);
						_push(_v1160);
						_push(_v1164);
						L00401C48();
						_v1632 = _t687;
					}
					_v1496 = _v932;
					_v932 = _v932 & 0x00000000;
					L00401C1E();
					L00401C18();
					_v8 = 6;
					_v972 = 0x17;
					_v980 = 2;
					L00401C12();
					L00401C1E();
					_t702 =  &_v980;
					L00401C0C();
					_v8 = 7;
					_v1036 = 0x80020004;
					_v1044 = 0xa;
					_v1020 = 0x80020004;
					_v1028 = 0xa;
					L00401A50();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401A50();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t694 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10,  &_v980, 0xffffffff, 0xfffffffe, 0xfffffffe, 0xfffffffe);
					asm("fclex");
					_v1152 = _t694;
					if(_v1152 >= 0) {
						_v1636 = _v1636 & 0x00000000;
					} else {
						_push(0x2b0);
						_push(0x410d20);
						_push(_a4);
						_push(_v1152);
						L00401C48();
						_v1636 = _t694;
					}
				}
				_v8 = 9;
				 *((intOrPtr*)( *_a4 + 0x70c))(_a4);
				_v8 = 0xa;
				_v1148 =  *0x401940;
				 *_t760 =  *0x401938;
				_t528 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v1148, _t702, _t702);
				_v1152 = _t528;
				if(_v1152 >= 0) {
					_v1640 = _v1640 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x410d50);
					_push(_a4);
					_push(_v1152);
					L00401C48();
					_v1640 = _t528;
				}
				_v8 = 0xb;
				if( *0x421010 != 0) {
					_v1644 = 0x421010;
				} else {
					_push(0x421010);
					_push(0x410168);
					L00401C4E();
					_v1644 = 0x421010;
				}
				_t532 =  &_v948;
				L00401C54();
				_v1152 = _t532;
				_t536 =  *((intOrPtr*)( *_v1152 + 0x48))(_v1152,  &_v932, _t532,  *((intOrPtr*)( *((intOrPtr*)( *_v1644)) + 0x30c))( *_v1644));
				asm("fclex");
				_v1156 = _t536;
				if(_v1156 >= 0) {
					_v1648 = _v1648 & 0x00000000;
				} else {
					_push(0x48);
					_push(0x4114ec);
					_push(_v1152);
					_push(_v1156);
					L00401C48();
					_v1648 = _t536;
				}
				if( *0x421010 != 0) {
					_v1652 = 0x421010;
				} else {
					_push(0x421010);
					_push(0x410168);
					L00401C4E();
					_v1652 = 0x421010;
				}
				_t540 =  &_v952;
				L00401C54();
				_v1160 = _t540;
				_t544 =  *((intOrPtr*)( *_v1160 + 0x1a0))(_v1160,  &_v1112, _t540,  *((intOrPtr*)( *((intOrPtr*)( *_v1652)) + 0x32c))( *_v1652));
				asm("fclex");
				_v1164 = _t544;
				if(_v1164 >= 0) {
					_v1656 = _v1656 & 0x00000000;
				} else {
					_push(0x1a0);
					_push(0x411498);
					_push(_v1160);
					_push(_v1164);
					L00401C48();
					_v1656 = _t544;
				}
				_v1116 = _v1112;
				_v1500 = _v932;
				_v932 = _v932 & 0x00000000;
				L00401C1E();
				 *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v936,  &_v1116);
				L00401C42();
				_push( &_v952);
				_push( &_v948);
				_push(2);
				L00401C3C();
				_t761 = _t760 + 0xc;
				_v8 = 0xc;
				if( *0x421010 != 0) {
					_v1660 = 0x421010;
				} else {
					_push(0x421010);
					_push(0x410168);
					L00401C4E();
					_v1660 = 0x421010;
				}
				_t713 =  *((intOrPtr*)( *_v1660));
				_t557 =  &_v948;
				L00401C54();
				_v1152 = _t557;
				_t561 =  *((intOrPtr*)( *_v1152 + 0x198))(_v1152,  &_v1120, _t557,  *((intOrPtr*)(_t713 + 0x32c))( *_v1660));
				asm("fclex");
				_v1156 = _t561;
				if(_v1156 >= 0) {
					_v1664 = _v1664 & 0x00000000;
				} else {
					_push(0x198);
					_push(0x411498);
					_push(_v1152);
					_push(_v1156);
					L00401C48();
					_v1664 = _t561;
				}
				 *_t761 =  *0x401930;
				 *((intOrPtr*)( *_a4 + 0x718))(_a4, _v1120, _t713, _t713);
				L00401C18();
				_v8 = 0xd;
				if( *0x421010 != 0) {
					_v1668 = 0x421010;
				} else {
					_push(0x421010);
					_push(0x410168);
					L00401C4E();
					_v1668 = 0x421010;
				}
				_t717 =  *((intOrPtr*)( *_v1668));
				_t568 =  &_v948;
				L00401C54();
				_v1152 = _t568;
				_t572 =  *((intOrPtr*)( *_v1152 + 0x160))(_v1152,  &_v952, _t568,  *((intOrPtr*)(_t717 + 0x300))( *_v1668));
				asm("fclex");
				_v1156 = _t572;
				if(_v1156 >= 0) {
					_v1672 = _v1672 & 0x00000000;
				} else {
					_push(0x160);
					_push(0x4114fc);
					_push(_v1152);
					_push(_v1156);
					L00401C48();
					_v1672 = _t572;
				}
				L00401C06();
				_t762 = _t761 + 0x10;
				 *_t762 =  *0x401928;
				_t574 =  &_v980;
				L00401C00();
				 *((intOrPtr*)( *_a4 + 0x718))(_a4, _t574, _t574, _t717, _t717,  &_v980, _v952, 0, 0);
				L00401C3C();
				_t763 = _t762 + 0xc;
				L00401C0C();
				_v8 = 0xe;
				L00401BFA();
				_t584 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v932, 0x567d0d,  &_v1112, 2,  &_v948,  &_v952);
				_v1152 = _t584;
				if(_v1152 >= 0) {
					_v1676 = _v1676 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x410d50);
					_push(_a4);
					_push(_v1152);
					L00401C48();
					_v1676 = _t584;
				}
				_v928 = _v1112;
				_t720 =  &_v932;
				L00401C42();
				_v8 = 0xf;
				_t589 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v1112);
				_v1152 = _t589;
				if(_v1152 >= 0) {
					_v1680 = _v1680 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x410d50);
					_push(_a4);
					_push(_v1152);
					L00401C48();
					_v1680 = _t589;
				}
				_v124 = _v1112;
				_v8 = 0x10;
				_v1148 =  *0x401920;
				 *_t763 =  *0x401918;
				_t594 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v1148, _t720, _t720);
				_v1152 = _t594;
				if(_v1152 >= 0) {
					_v1684 = _v1684 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x410d50);
					_push(_a4);
					_push(_v1152);
					L00401C48();
					_v1684 = _t594;
				}
				_v8 = 0x11;
				if( *0x421010 != 0) {
					_v1688 = 0x421010;
				} else {
					_push(0x421010);
					_push(0x410168);
					L00401C4E();
					_v1688 = 0x421010;
				}
				_t598 =  &_v948;
				L00401C54();
				_v1152 = _t598;
				_t602 =  *((intOrPtr*)( *_v1152 + 0x158))(_v1152,  &_v932, _t598,  *((intOrPtr*)( *((intOrPtr*)( *_v1688)) + 0x310))( *_v1688));
				asm("fclex");
				_v1156 = _t602;
				if(_v1156 >= 0) {
					_v1692 = _v1692 & 0x00000000;
				} else {
					_push(0x158);
					_push(0x4114ec);
					_push(_v1152);
					_push(_v1156);
					L00401C48();
					_v1692 = _t602;
				}
				_v1504 = _v932;
				_v932 = _v932 & 0x00000000;
				L00401C1E();
				_t608 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v936, 0x215366,  &_v1112);
				_v1160 = _t608;
				if(_v1160 >= 0) {
					_v1696 = _v1696 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x410d50);
					_push(_a4);
					_push(_v1160);
					L00401C48();
					_v1696 = _t608;
				}
				_v868 = _v1112;
				L00401C42();
				_t726 =  &_v948;
				L00401C18();
				_v8 = 0x12;
				_v1148 =  *0x401910;
				 *_t763 =  *0x401908;
				_t613 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v1148, _t726, _t726);
				_v1152 = _t613;
				if(_v1152 >= 0) {
					_v1700 = _v1700 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x410d50);
					_push(_a4);
					_push(_v1152);
					L00401C48();
					_v1700 = _t613;
				}
				_v8 = 0x13;
				 *((intOrPtr*)( *_a4 + 0x71c))(_a4);
				_v8 = 0x14;
				 *((intOrPtr*)( *_a4 + 0x71c))(_a4);
				_v8 = 0x15;
				L00401BF4();
				_v8 = 0x16;
				_t623 =  *((intOrPtr*)( *_a4 + 0x1b8))(_a4,  &_v1112, 0xffffffff);
				asm("fclex");
				_v1152 = _t623;
				if(_v1152 >= 0) {
					_v1704 = _v1704 & 0x00000000;
				} else {
					_push(0x1b8);
					_push(0x410d20);
					_push(_a4);
					_push(_v1152);
					L00401C48();
					_v1704 = _t623;
				}
				_t629 =  *((intOrPtr*)( *_a4 + 0x1bc))(_a4, 0);
				asm("fclex");
				_v1156 = _t629;
				if(_v1156 >= 0) {
					_v1708 = _v1708 & 0x00000000;
				} else {
					_push(0x1bc);
					_push(0x410d20);
					_push(_a4);
					_push(_v1156);
					L00401C48();
					_v1708 = _t629;
				}
				_v8 = 0x17;
				_v1020 = _v1020 & 0x00000000;
				_v1016 = _v1016 & 0x00000000;
				_v1028 = 6;
				L00401BEE();
				while(1) {
					_v8 = 0x19;
					_v1020 = 1;
					_v1028 = 2;
					L00401BE8();
					L00401BEE();
					_v8 = 0x1a;
					_v1112 = 0xd0d;
					L00401BFA();
					 *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v932,  &_v1112,  &_v980,  &_v1028,  &_v200);
					L00401C42();
					_v8 = 0x1b;
					_v1112 = 0x1e45;
					_v1148 = 0xd45fb320;
					_v1144 = 0x5afc;
					_t642 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v1148,  &_v1112);
					_v1152 = _t642;
					if(_v1152 >= 0) {
						_v1712 = _v1712 & 0x00000000;
					} else {
						_push(0x704);
						_push(0x410d50);
						_push(_a4);
						_push(_v1152);
						L00401C48();
						_v1712 = _t642;
					}
					_v8 = 0x1c;
					 *((intOrPtr*)( *_a4 + 0x70c))(_a4);
					_v8 = 0x1d;
					if( *0x421010 != 0) {
						_v1716 = 0x421010;
					} else {
						_push(0x421010);
						_push(0x410168);
						L00401C4E();
						_v1716 = 0x421010;
					}
					_t649 =  &_v948;
					L00401C54();
					_v1152 = _t649;
					_t653 =  *((intOrPtr*)( *_v1152 + 0x98))(_v1152,  &_v1112, _t649,  *((intOrPtr*)( *((intOrPtr*)( *_v1716)) + 0x304))( *_v1716));
					asm("fclex");
					_v1156 = _t653;
					if(_v1156 >= 0) {
						_v1720 = _v1720 & 0x00000000;
					} else {
						_push(0x98);
						_push(0x4114fc);
						_push(_v1152);
						_push(_v1156);
						L00401C48();
						_v1720 = _t653;
					}
					_v1116 = _v1112;
					_v1148 = 0xc59ada20;
					_v1144 = 0x5af4;
					_t659 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v1148,  &_v1116);
					_v1160 = _t659;
					if(_v1160 >= 0) {
						_v1724 = _v1724 & 0x00000000;
					} else {
						_push(0x704);
						_push(0x410d50);
						_push(_a4);
						_push(_v1160);
						L00401C48();
						_v1724 = _t659;
					}
					L00401C18();
					_v8 = 0x1e;
					_v1112 = 0x7338;
					_t747 = L"LITURGISTICAL";
					L00401BFA();
					 *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v932,  &_v1112);
					_t736 =  &_v932;
					L00401C42();
					_v8 = 0x1f;
					_v1148 =  *0x401900;
					 *_t763 =  *0x4018f8;
					_t668 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v1148, _t736, _t736);
					_v1152 = _t668;
					if(_v1152 >= 0) {
						_v1728 = _v1728 & 0x00000000;
					} else {
						_push(0x700);
						_push(0x410d50);
						_push(_a4);
						_push(_v1152);
						L00401C48();
						_v1728 = _t668;
					}
					_v8 = 0x20;
					_v1112 = 0x6f29;
					_v1148 = 0x58fac2c0;
					_v1144 = 0x5afb;
					_t673 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v1148,  &_v1112);
					_v1152 = _t673;
					if(_v1152 >= 0) {
						_v1732 = _v1732 & 0x00000000;
					} else {
						_push(0x704);
						_push(0x410d50);
						_push(_a4);
						_push(_v1152);
						L00401C48();
						_v1732 = _t673;
					}
					_v8 = 0x21;
					_v1020 = 0x11110;
					_v1028 = 0x8003;
					_push( &_v200);
					_t675 =  &_v1028;
					_push(_t675);
					L00401BE2();
					if(_t675 == 0) {
						break;
					}
				}
				_v8 = 0x24;
				_v1020 = 0xea;
				do {
					_t747 =  &(_t747[1]);
				} while (_t747 != 0x32a8fe);
				_push( &(_t747[0xdf564]));
				goto ( *__ecx);
			}

0x00411ec6
0x00411ed2
0x00411eda
0x00411edd
0x00411eea
0x00411ef3
0x00411ef6
0x00411f05
0x00411f08
0x00411f0f
0x00411f11
0x00411f19
0x00411f1a
0x00411f1f
0x00411f2d
0x00411f4a
0x00411f2f
0x00411f2f
0x00411f34
0x00411f39
0x00411f3e
0x00411f3e
0x00411f6d
0x00411f6e
0x00411f74
0x00411f75
0x00411f7a
0x00411f80
0x00411f8a
0x00411f9b
0x00411fb8
0x00411f9d
0x00411f9d
0x00411fa2
0x00411fa7
0x00411fac
0x00411fac
0x00411fdc
0x00411fe3
0x00411fe8
0x00412003
0x00412009
0x0041200b
0x00412018
0x0041203d
0x0041201a
0x0041201a
0x0041201f
0x00412024
0x0041202a
0x00412030
0x00412035
0x00412035
0x00412047
0x00412054
0x00412055
0x00412056
0x00412057
0x0041206c
0x00412072
0x00412074
0x0041207a
0x00412081
0x004120a6
0x00412083
0x00412083
0x00412088
0x0041208d
0x00412093
0x00412099
0x0041209e
0x0041209e
0x004120ad
0x004120b3
0x004120be
0x004120c5
0x004120c6
0x004120c8
0x004120cd
0x004120d0
0x004120d7
0x004120dc
0x004120e1
0x004120e6
0x004120eb
0x004120f1
0x004120f3
0x004120f4
0x004120fa
0x00412101
0x00412106
0x00412114
0x00412131
0x00412116
0x00412116
0x0041211b
0x00412120
0x00412125
0x00412125
0x00412143
0x0041215e
0x00412161
0x00412163
0x00412170
0x00412192
0x00412172
0x00412172
0x00412174
0x00412179
0x0041217f
0x00412185
0x0041218a
0x0041218a
0x0041219f
0x004121ba
0x004121c0
0x004121c2
0x004121cf
0x004121f4
0x004121d1
0x004121d1
0x004121d6
0x004121db
0x004121e1
0x004121e7
0x004121ec
0x004121ec
0x00412201
0x00412207
0x0041221a
0x00412225
0x0041222a
0x00412231
0x0041223b
0x00412254
0x0041225e
0x00412263
0x00412269
0x0041226e
0x00412275
0x0041227f
0x00412289
0x00412293
0x004122a0
0x004122ad
0x004122ae
0x004122af
0x004122b0
0x004122b4
0x004122c1
0x004122c2
0x004122c3
0x004122c4
0x004122cd
0x004122d3
0x004122d5
0x004122e2
0x00412304
0x004122e4
0x004122e4
0x004122e9
0x004122ee
0x004122f1
0x004122f7
0x004122fc
0x004122fc
0x004122e2
0x0041230b
0x0041231a
0x00412320
0x0041232d
0x0041233b
0x0041234d
0x00412353
0x00412360
0x00412382
0x00412362
0x00412362
0x00412367
0x0041236c
0x0041236f
0x00412375
0x0041237a
0x0041237a
0x00412389
0x00412397
0x004123b4
0x00412399
0x00412399
0x0041239e
0x004123a3
0x004123a8
0x004123a8
0x004123d8
0x004123df
0x004123e4
0x004123ff
0x00412402
0x00412404
0x00412411
0x00412433
0x00412413
0x00412413
0x00412415
0x0041241a
0x00412420
0x00412426
0x0041242b
0x0041242b
0x00412441
0x0041245e
0x00412443
0x00412443
0x00412448
0x0041244d
0x00412452
0x00412452
0x00412482
0x00412489
0x0041248e
0x004124a9
0x004124af
0x004124b1
0x004124be
0x004124e3
0x004124c0
0x004124c0
0x004124c5
0x004124ca
0x004124d0
0x004124d6
0x004124db
0x004124db
0x004124f1
0x004124fe
0x00412504
0x00412517
0x00412532
0x0041253e
0x00412549
0x00412550
0x00412551
0x00412553
0x00412558
0x0041255b
0x00412569
0x00412586
0x0041256b
0x0041256b
0x00412570
0x00412575
0x0041257a
0x0041257a
0x004125a0
0x004125aa
0x004125b1
0x004125b6
0x004125d1
0x004125d7
0x004125d9
0x004125e6
0x0041260b
0x004125e8
0x004125e8
0x004125ed
0x004125f2
0x004125f8
0x004125fe
0x00412603
0x00412603
0x0041261a
0x0041262b
0x00412637
0x0041263c
0x0041264a
0x00412667
0x0041264c
0x0041264c
0x00412651
0x00412656
0x0041265b
0x0041265b
0x00412681
0x0041268b
0x00412692
0x00412697
0x004126b2
0x004126b8
0x004126ba
0x004126c7
0x004126ec
0x004126c9
0x004126c9
0x004126ce
0x004126d3
0x004126d9
0x004126df
0x004126e4
0x004126e4
0x00412704
0x00412709
0x00412714
0x00412717
0x0041271e
0x0041272c
0x00412742
0x00412747
0x00412750
0x00412755
0x00412767
0x00412787
0x0041278d
0x0041279a
0x004127bc
0x0041279c
0x0041279c
0x004127a1
0x004127a6
0x004127a9
0x004127af
0x004127b4
0x004127b4
0x004127ca
0x004127d1
0x004127d7
0x004127dc
0x004127f2
0x004127f8
0x00412805
0x00412827
0x00412807
0x00412807
0x0041280c
0x00412811
0x00412814
0x0041281a
0x0041281f
0x0041281f
0x00412835
0x00412839
0x00412846
0x00412854
0x00412866
0x0041286c
0x00412879
0x0041289b
0x0041287b
0x0041287b
0x00412880
0x00412885
0x00412888
0x0041288e
0x00412893
0x00412893
0x004128a2
0x004128b0
0x004128cd
0x004128b2
0x004128b2
0x004128b7
0x004128bc
0x004128c1
0x004128c1
0x004128f1
0x004128f8
0x004128fd
0x00412918
0x0041291e
0x00412920
0x0041292d
0x00412952
0x0041292f
0x0041292f
0x00412934
0x00412939
0x0041293f
0x00412945
0x0041294a
0x0041294a
0x0041295f
0x00412965
0x00412978
0x00412998
0x0041299e
0x004129ab
0x004129cd
0x004129ad
0x004129ad
0x004129b2
0x004129b7
0x004129ba
0x004129c0
0x004129c5
0x004129c5
0x004129db
0x004129e8
0x004129ed
0x004129f3
0x004129f8
0x00412a05
0x00412a13
0x00412a25
0x00412a2b
0x00412a38
0x00412a5a
0x00412a3a
0x00412a3a
0x00412a3f
0x00412a44
0x00412a47
0x00412a4d
0x00412a52
0x00412a52
0x00412a61
0x00412a70
0x00412a76
0x00412a85
0x00412a8b
0x00412a94
0x00412a99
0x00412aaf
0x00412ab5
0x00412ab7
0x00412ac4
0x00412ae6
0x00412ac6
0x00412ac6
0x00412acb
0x00412ad0
0x00412ad3
0x00412ad9
0x00412ade
0x00412ade
0x00412b02
0x00412b08
0x00412b0a
0x00412b17
0x00412b39
0x00412b19
0x00412b19
0x00412b1e
0x00412b23
0x00412b26
0x00412b2c
0x00412b31
0x00412b31
0x00412b40
0x00412b47
0x00412b4e
0x00412b55
0x00412b6b
0x00412b70
0x00412b70
0x00412b77
0x00412b81
0x00412ba0
0x00412bad
0x00412bb2
0x00412bb9
0x00412bcd
0x00412be8
0x00412bf4
0x00412bf9
0x00412c00
0x00412c09
0x00412c13
0x00412c33
0x00412c39
0x00412c46
0x00412c68
0x00412c48
0x00412c48
0x00412c4d
0x00412c52
0x00412c55
0x00412c5b
0x00412c60
0x00412c60
0x00412c6f
0x00412c7e
0x00412c84
0x00412c92
0x00412caf
0x00412c94
0x00412c94
0x00412c99
0x00412c9e
0x00412ca3
0x00412ca3
0x00412cd3
0x00412cda
0x00412cdf
0x00412cfa
0x00412d00
0x00412d02
0x00412d0f
0x00412d34
0x00412d11
0x00412d11
0x00412d16
0x00412d1b
0x00412d21
0x00412d27
0x00412d2c
0x00412d2c
0x00412d42
0x00412d49
0x00412d53
0x00412d73
0x00412d79
0x00412d86
0x00412da8
0x00412d88
0x00412d88
0x00412d8d
0x00412d92
0x00412d95
0x00412d9b
0x00412da0
0x00412da0
0x00412db5
0x00412dba
0x00412dc1
0x00412dca
0x00412dd5
0x00412df0
0x00412df6
0x00412dfc
0x00412e01
0x00412e0e
0x00412e1c
0x00412e2e
0x00412e34
0x00412e41
0x00412e63
0x00412e43
0x00412e43
0x00412e48
0x00412e4d
0x00412e50
0x00412e56
0x00412e5b
0x00412e5b
0x00412e6a
0x00412e71
0x00412e7a
0x00412e84
0x00412ea4
0x00412eaa
0x00412eb7
0x00412ed9
0x00412eb9
0x00412eb9
0x00412ebe
0x00412ec3
0x00412ec6
0x00412ecc
0x00412ed1
0x00412ed1
0x00412ee0
0x00412ee7
0x00412ef1
0x00412f01
0x00412f02
0x00412f08
0x00412f09
0x00412f13
0x00000000
0x00000000
0x00412f15
0x00412f1a
0x00412f21
0x00412f2b
0x00412f2b
0x00412f2e
0x00412f3c
0x00412f3f

APIs

__vbaChkstk.MSVBVM60(?,00401A56), ref: 00411ED2
__vbaAryConstruct2.MSVBVM60(?,00411764,00000011,?,?,?,?,00401A56), ref: 00411F1A
__vbaNew2.MSVBVM60(00410168,00421010,?,00411764,00000011,?,?,?,?,00401A56), ref: 00411F39
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411F75
__vbaNew2.MSVBVM60(00410168,00421010,?,00000000), ref: 00411FA7
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411FE3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411498,000001C0), ref: 00412030
__vbaChkstk.MSVBVM60(00000000,?,00411498,000001C0), ref: 00412047
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411498,000001EC), ref: 00412099
__vbaFreeStr.MSVBVM60(00000000,?,00411498,000001EC), ref: 004120B3
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004120C8
__vbaR8Str.MSVBVM60(004112E8,?,?,00401A56), ref: 004120DC
__vbaFPFix.MSVBVM60(004112E8,?,?,00401A56), ref: 004120E1
__vbaFpR8.MSVBVM60(004112E8,?,?,00401A56), ref: 004120E6
#554.MSVBVM60(004112E8,?,?,00401A56), ref: 00412101
__vbaNew2.MSVBVM60(004114CC,00421408,004112E8,?,?,00401A56), ref: 00412120
__vbaHresultCheckObj.MSVBVM60(00000000,?,004114BC,00000014), ref: 00412185
__vbaHresultCheckObj.MSVBVM60(00000000,?,004114DC,00000110), ref: 004121E7
__vbaStrMove.MSVBVM60(00000000,?,004114DC,00000110), ref: 0041221A
__vbaFreeObj.MSVBVM60(00000000,?,004114DC,00000110), ref: 00412225
#702.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 00412254
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041225E
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 00412269
__vbaChkstk.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 004122A0
__vbaChkstk.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 004122B4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410D20,000002B0), ref: 004122F7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410D50,00000700), ref: 00412375
__vbaNew2.MSVBVM60(00410168,00421010), ref: 004123A3
__vbaObjSet.MSVBVM60(?,00000000), ref: 004123DF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004114EC,00000048), ref: 00412426
__vbaNew2.MSVBVM60(00410168,00421010), ref: 0041244D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412489
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411498,000001A0), ref: 004124D6
__vbaStrMove.MSVBVM60(00000000,?,00411498,000001A0), ref: 00412517
__vbaFreeStr.MSVBVM60 ref: 0041253E
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00412553
__vbaNew2.MSVBVM60(00410168,00421010,?,?,?,?,?,00401A56), ref: 00412575
__vbaObjSet.MSVBVM60(?,00000000), ref: 004125B1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411498,00000198), ref: 004125FE
__vbaFreeObj.MSVBVM60(?,?,00000000,?,00411498,00000198), ref: 00412637
__vbaNew2.MSVBVM60(00410168,00421010), ref: 00412656
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412692
__vbaHresultCheckObj.MSVBVM60(00000000,?,004114FC,00000160), ref: 004126DF
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00412704
__vbaI4Var.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401A56), ref: 0041271E
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,00401A56), ref: 00412742
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401A56), ref: 00412750
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401A56), ref: 00412767
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410D50,000006F8), ref: 004127AF
__vbaFreeStr.MSVBVM60(00000000,?,00410D50,000006F8), ref: 004127D7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410D50,000006FC), ref: 0041281A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410D50,00000700), ref: 0041288E
__vbaNew2.MSVBVM60(00410168,00421010), ref: 004128BC
__vbaObjSet.MSVBVM60(?,00000000), ref: 004128F8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004114EC,00000158), ref: 00412945
__vbaStrMove.MSVBVM60(00000000,00000000,004114EC,00000158), ref: 00412978
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410D50,000006F8), ref: 004129C0
__vbaFreeStr.MSVBVM60(00000000,?,00410D50,000006F8), ref: 004129E8
__vbaFreeObj.MSVBVM60(00000000,?,00410D50,000006F8), ref: 004129F3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410D50,00000700), ref: 00412A4D
__vbaOnError.MSVBVM60(000000FF), ref: 00412A94
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410D20,000001B8), ref: 00412AD9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410D20,000001BC), ref: 00412B2C
__vbaVarMove.MSVBVM60(00000000,?,00410D20,000001BC), ref: 00412B6B
__vbaVarAdd.MSVBVM60(?,00000002,?), ref: 00412BA0
__vbaVarMove.MSVBVM60(?,00000002,?), ref: 00412BAD
__vbaStrCopy.MSVBVM60(?,00000002,?), ref: 00412BCD
__vbaFreeStr.MSVBVM60 ref: 00412BF4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410D50,00000704), ref: 00412C5B
__vbaNew2.MSVBVM60(00410168,00421010), ref: 00412C9E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412CDA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004114FC,00000098), ref: 00412D27
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410D50,00000704), ref: 00412D9B
__vbaFreeObj.MSVBVM60(00000000,?,00410D50,00000704), ref: 00412DB5
__vbaStrCopy.MSVBVM60(00000000,?,00410D50,00000704), ref: 00412DD5
__vbaFreeStr.MSVBVM60 ref: 00412DFC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410D50,00000700), ref: 00412E56
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410D50,00000704), ref: 00412ECC
__vbaVarTstLt.MSVBVM60(00008003,?), ref: 00412F09

Strings

)o, xrefs: 00412E71
FLODSENGS, xrefs: 0041275C
Frugtbart, xrefs: 00412BC2
LITURGISTICAL, xrefs: 00412DCA
$, xrefs: 00412F1A

Memory Dump Source

Source File: 00000000.00000002.810349995.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810324903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810414194.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810433195.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.jbxd

Similarity

API ID: __vba$CheckHresult$Free$New2$Move$Chkstk$CopyList$#554#702CallConstruct2ErrorLate
String ID: $$)o$FLODSENGS$Frugtbart$LITURGISTICAL
API String ID: 773194236-4262948561
Opcode ID: 365eea724f13ae63df7ac9c2184368cafe8bf086ae6d202f14db18b4d5e2de22
Instruction ID: 73c536df0b60a26c393537f6f1ab0b9193f03024db07a031ef4bfc0a32030c9e
Opcode Fuzzy Hash: 365eea724f13ae63df7ac9c2184368cafe8bf086ae6d202f14db18b4d5e2de22
Instruction Fuzzy Hash: 6BA217B0904228EFDB21DF50CD44BDDBBB5BB48304F1041EAE649AB2A1CB795AD4DF18

Uniqueness

Uniqueness Score: -1.00%

Function 0041FCE2, Relevance: 33.2, APIs: 22, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E0041FCE2(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v40;
				void* _v44;
				signed int _v48;
				char _v52;
				char _v56;
				intOrPtr _v64;
				char _v72;
				intOrPtr _v80;
				intOrPtr _v88;
				char* _v92;
				intOrPtr* _v96;
				signed int _v100;
				intOrPtr* _v104;
				signed int _v108;
				intOrPtr* _v112;
				signed int _v116;
				signed int _v140;
				intOrPtr* _v144;
				signed int _v148;
				signed int _v152;
				intOrPtr* _v156;
				signed int _v160;
				intOrPtr* _v164;
				signed int _v168;
				signed int _v172;
				char* _t114;
				signed int _t120;
				signed int _t125;
				signed int _t133;
				char* _t138;
				signed int _t142;
				signed int _t146;
				void* _t165;
				void* _t167;
				intOrPtr _t168;

				_t168 = _t167 - 0x18;
				 *[fs:0x0] = _t168;
				L00401A50();
				_v28 = _t168;
				_v24 = 0x4019f0;
				_v20 = 0;
				_v16 = 0;
				_t114 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401a56, _t165);
				_v8 = 1;
				_v8 = 2;
				E00411268(); // executed
				_v92 = _t114;
				L00401BDC();
				if(_v92 == 0x5d65db) {
					_v8 = 3;
					if( *0x421408 != 0) {
						_v144 = 0x421408;
					} else {
						_push(0x421408);
						_push(0x4114cc);
						L00401C4E();
						_v144 = 0x421408;
					}
					_v96 =  *_v144;
					_t120 =  *((intOrPtr*)( *_v96 + 0x14))(_v96,  &_v52);
					asm("fclex");
					_v100 = _t120;
					if(_v100 >= 0) {
						_v148 = _v148 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x4114bc);
						_push(_v96);
						_push(_v100);
						L00401C48();
						_v148 = _t120;
					}
					_v104 = _v52;
					_t125 =  *((intOrPtr*)( *_v104 + 0xe0))(_v104,  &_v48);
					asm("fclex");
					_v108 = _t125;
					if(_v108 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0xe0);
						_push(0x4114dc);
						_push(_v104);
						_push(_v108);
						L00401C48();
						_v152 = _t125;
					}
					_v140 = _v48;
					_v48 = _v48 & 0x00000000;
					L00401C1E();
					L00401C18();
					_v8 = 4;
					_v64 = 2;
					_v72 = 2;
					_push( &_v72);
					L00401B52();
					L00401C1E();
					L00401C0C();
					_v8 = 5;
					_push(0xffffffff);
					L00401BF4();
					_v8 = 6;
					if( *0x421408 != 0) {
						_v156 = 0x421408;
					} else {
						_push(0x421408);
						_push(0x4114cc);
						L00401C4E();
						_v156 = 0x421408;
					}
					_v104 =  *_v156;
					_t133 =  *((intOrPtr*)( *_v104 + 0x1c))(_v104,  &_v56);
					asm("fclex");
					_v108 = _t133;
					if(_v108 >= 0) {
						_v160 = _v160 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x4114bc);
						_push(_v104);
						_push(_v108);
						L00401C48();
						_v160 = _t133;
					}
					_v112 = _v56;
					_v80 = 0x80020004;
					_v88 = 0xa;
					if( *0x421010 != 0) {
						_v164 = 0x421010;
					} else {
						_push(0x421010);
						_push(0x410168);
						L00401C4E();
						_v164 = 0x421010;
					}
					_t138 =  &_v52;
					L00401C54();
					_v96 = _t138;
					_t142 =  *((intOrPtr*)( *_v96 + 0x50))(_v96,  &_v48, _t138,  *((intOrPtr*)( *((intOrPtr*)( *_v164)) + 0x304))( *_v164));
					asm("fclex");
					_v100 = _t142;
					if(_v100 >= 0) {
						_v168 = _v168 & 0x00000000;
					} else {
						_push(0x50);
						_push(0x4114fc);
						_push(_v96);
						_push(_v100);
						L00401C48();
						_v168 = _t142;
					}
					L00401A50();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t146 =  *((intOrPtr*)( *_v112 + 0x60))(_v112, _v48, 0x10);
					asm("fclex");
					_v116 = _t146;
					if(_v116 >= 0) {
						_v172 = _v172 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x4116b0);
						_push(_v112);
						_push(_v116);
						L00401C48();
						_v172 = _t146;
					}
					L00401C42();
					_push( &_v56);
					_t114 =  &_v52;
					_push(_t114);
					_push(2);
					L00401C3C();
				}
				_push(0x420034);
				L00401C42();
				L00401C42();
				return _t114;
			}

0x0041fce5
0x0041fcf4
0x0041fd00
0x0041fd08
0x0041fd0b
0x0041fd12
0x0041fd19
0x0041fd28
0x0041fd2b
0x0041fd32
0x0041fd39
0x0041fd3e
0x0041fd41
0x0041fd4d
0x0041fd53
0x0041fd61
0x0041fd7e
0x0041fd63
0x0041fd63
0x0041fd68
0x0041fd6d
0x0041fd72
0x0041fd72
0x0041fd90
0x0041fd9f
0x0041fda2
0x0041fda4
0x0041fdab
0x0041fdc7
0x0041fdad
0x0041fdad
0x0041fdaf
0x0041fdb4
0x0041fdb7
0x0041fdba
0x0041fdbf
0x0041fdbf
0x0041fdd1
0x0041fde0
0x0041fde6
0x0041fde8
0x0041fdef
0x0041fe0e
0x0041fdf1
0x0041fdf1
0x0041fdf6
0x0041fdfb
0x0041fdfe
0x0041fe01
0x0041fe06
0x0041fe06
0x0041fe18
0x0041fe1e
0x0041fe2b
0x0041fe33
0x0041fe38
0x0041fe3f
0x0041fe46
0x0041fe50
0x0041fe51
0x0041fe5b
0x0041fe63
0x0041fe68
0x0041fe6f
0x0041fe71
0x0041fe76
0x0041fe84
0x0041fea1
0x0041fe86
0x0041fe86
0x0041fe8b
0x0041fe90
0x0041fe95
0x0041fe95
0x0041feb3
0x0041fec2
0x0041fec5
0x0041fec7
0x0041fece
0x0041feea
0x0041fed0
0x0041fed0
0x0041fed2
0x0041fed7
0x0041feda
0x0041fedd
0x0041fee2
0x0041fee2
0x0041fef4
0x0041fef7
0x0041fefe
0x0041ff0c
0x0041ff29
0x0041ff0e
0x0041ff0e
0x0041ff13
0x0041ff18
0x0041ff1d
0x0041ff1d
0x0041ff4d
0x0041ff51
0x0041ff56
0x0041ff65
0x0041ff68
0x0041ff6a
0x0041ff71
0x0041ff8d
0x0041ff73
0x0041ff73
0x0041ff75
0x0041ff7a
0x0041ff7d
0x0041ff80
0x0041ff85
0x0041ff85
0x0041ff97
0x0041ffa1
0x0041ffa2
0x0041ffa3
0x0041ffa4
0x0041ffb0
0x0041ffb3
0x0041ffb5
0x0041ffbc
0x0041ffd8
0x0041ffbe
0x0041ffbe
0x0041ffc0
0x0041ffc5
0x0041ffc8
0x0041ffcb
0x0041ffd0
0x0041ffd0
0x0041ffe2
0x0041ffea
0x0041ffeb
0x0041ffee
0x0041ffef
0x0041fff1
0x0041fff6
0x0041fff9
0x00420026
0x0042002e
0x00420033

APIs

__vbaChkstk.MSVBVM60(?,00401A56), ref: 0041FD00
__vbaSetSystemError.MSVBVM60(?,?,?,?,00401A56), ref: 0041FD41
__vbaNew2.MSVBVM60(004114CC,00421408), ref: 0041FD6D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004114BC,00000014), ref: 0041FDBA
__vbaHresultCheckObj.MSVBVM60(00000000,?,004114DC,000000E0), ref: 0041FE01
__vbaStrMove.MSVBVM60(00000000,?,004114DC,000000E0), ref: 0041FE2B
__vbaFreeObj.MSVBVM60(00000000,?,004114DC,000000E0), ref: 0041FE33
#536.MSVBVM60(00000002), ref: 0041FE51
__vbaStrMove.MSVBVM60(00000002), ref: 0041FE5B
__vbaFreeVar.MSVBVM60(00000002), ref: 0041FE63
__vbaOnError.MSVBVM60(000000FF,00000002), ref: 0041FE71
__vbaNew2.MSVBVM60(004114CC,00421408,000000FF,00000002), ref: 0041FE90
__vbaHresultCheckObj.MSVBVM60(00000000,?,004114BC,0000001C), ref: 0041FEDD
__vbaNew2.MSVBVM60(00410168,00421010), ref: 0041FF18
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FF51
__vbaHresultCheckObj.MSVBVM60(00000000,?,004114FC,00000050), ref: 0041FF80
__vbaChkstk.MSVBVM60(00000000,?,004114FC,00000050), ref: 0041FF97
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116B0,00000060), ref: 0041FFCB
__vbaFreeStr.MSVBVM60(00000000,?,004116B0,00000060), ref: 0041FFE2
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041FFF1
__vbaFreeStr.MSVBVM60(00420034), ref: 00420026
__vbaFreeStr.MSVBVM60(00420034), ref: 0042002E

Memory Dump Source

Source File: 00000000.00000002.810349995.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810324903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810414194.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810433195.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.jbxd

Similarity

API ID: __vba$Free$CheckHresult$New2$ChkstkErrorMove$#536ListSystem
String ID:
API String ID: 2061941190-0
Opcode ID: 9dc20a94ccc2de61452998b04669bb2c485a439f39831cd8b06bdeb1ffe91270
Instruction ID: 34a994c288ca3ccee9b44a149b33dae6bc13181701bfa33c6e9b06d4d860509d
Opcode Fuzzy Hash: 9dc20a94ccc2de61452998b04669bb2c485a439f39831cd8b06bdeb1ffe91270
Instruction Fuzzy Hash: FBA10770E44218DFDB10EFA5C945BDDBBB4BF15304F50806AE109BB2A1D7785A8ADF18

Uniqueness

Uniqueness Score: -1.00%

Function 0041F984, Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E0041F984(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				char _v28;
				char _v44;
				char* _v52;
				intOrPtr _v60;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v76;
				signed int _v80;
				intOrPtr* _v84;
				signed int _v88;
				char* _t56;
				signed int _t60;
				char* _t64;
				signed int _t67;
				intOrPtr _t90;

				_push(0x401a56);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t90;
				_push(0x44);
				L00401A50();
				_v12 = _t90;
				_v8 = 0x4019c8;
				_v52 = L"Suppresser6";
				_v60 = 8;
				L00401AFE();
				_push(0);
				_push( &_v44); // executed
				L00401B04(); // executed
				L00401C1E();
				L00401C0C();
				if( *0x421010 != 0) {
					_v76 = 0x421010;
				} else {
					_push(0x421010);
					_push(0x410168);
					L00401C4E();
					_v76 = 0x421010;
				}
				_t56 =  &_v28;
				L00401C54();
				_v64 = _t56;
				_v52 = 0x80020004;
				_v60 = 0xa;
				L00401A50();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t60 =  *((intOrPtr*)( *_v64 + 0x1ec))(_v64, L"Messan7", 0x10, _t56,  *((intOrPtr*)( *((intOrPtr*)( *_v76)) + 0x328))( *_v76));
				asm("fclex");
				_v68 = _t60;
				if(_v68 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x411498);
					_push(_v64);
					_push(_v68);
					L00401C48();
					_v80 = _t60;
				}
				L00401C18();
				if( *0x421010 != 0) {
					_v84 = 0x421010;
				} else {
					_push(0x421010);
					_push(0x410168);
					L00401C4E();
					_v84 = 0x421010;
				}
				_t64 =  &_v28;
				L00401C54();
				_v64 = _t64;
				_t67 =  *((intOrPtr*)( *_v64 + 0x208))(_v64, _t64,  *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x32c))( *_v84));
				asm("fclex");
				_v68 = _t67;
				if(_v68 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x208);
					_push(0x411498);
					_push(_v64);
					_push(_v68);
					L00401C48();
					_v88 = _t67;
				}
				L00401C18();
				_push(0x41fb3a);
				L00401C42();
				return _t67;
			}

0x0041f989
0x0041f994
0x0041f995
0x0041f99c
0x0041f99f
0x0041f9a7
0x0041f9aa
0x0041f9b1
0x0041f9b8
0x0041f9c5
0x0041f9ca
0x0041f9cf
0x0041f9d0
0x0041f9da
0x0041f9e2
0x0041f9ee
0x0041fa08
0x0041f9f0
0x0041f9f0
0x0041f9f5
0x0041f9fa
0x0041f9ff
0x0041f9ff
0x0041fa23
0x0041fa27
0x0041fa2c
0x0041fa2f
0x0041fa36
0x0041fa40
0x0041fa4a
0x0041fa4b
0x0041fa4c
0x0041fa4d
0x0041fa5b
0x0041fa61
0x0041fa63
0x0041fa6a
0x0041fa86
0x0041fa6c
0x0041fa6c
0x0041fa71
0x0041fa76
0x0041fa79
0x0041fa7c
0x0041fa81
0x0041fa81
0x0041fa8d
0x0041fa99
0x0041fab3
0x0041fa9b
0x0041fa9b
0x0041faa0
0x0041faa5
0x0041faaa
0x0041faaa
0x0041face
0x0041fad2
0x0041fad7
0x0041fae2
0x0041fae8
0x0041faea
0x0041faf1
0x0041fb0d
0x0041faf3
0x0041faf3
0x0041faf8
0x0041fafd
0x0041fb00
0x0041fb03
0x0041fb08
0x0041fb08
0x0041fb14
0x0041fb19
0x0041fb34
0x0041fb39

APIs

__vbaChkstk.MSVBVM60(?,00401A56), ref: 0041F99F
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401A56), ref: 0041F9C5
#645.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401A56), ref: 0041F9D0
__vbaStrMove.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401A56), ref: 0041F9DA
__vbaFreeVar.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401A56), ref: 0041F9E2
__vbaNew2.MSVBVM60(00410168,00421010,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401A56), ref: 0041F9FA
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000), ref: 0041FA27
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,00000000), ref: 0041FA40
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411498,000001EC,?,?,?,00000000), ref: 0041FA7C
__vbaFreeObj.MSVBVM60(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401A56), ref: 0041FA8D
__vbaNew2.MSVBVM60(00410168,00421010,?,?,?,00000000), ref: 0041FAA5
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,00000000), ref: 0041FAD2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411498,00000208,?,?,?,?,?,00000000), ref: 0041FB03
__vbaFreeObj.MSVBVM60(?,?,?,?,?,00000000), ref: 0041FB14
__vbaFreeStr.MSVBVM60(0041FB3A,?,?,?,?,?,00000000), ref: 0041FB34

Strings

Suppresser6, xrefs: 0041F9B1
Messan7, xrefs: 0041FA4E

Memory Dump Source

Source File: 00000000.00000002.810349995.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810324903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810414194.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810433195.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.jbxd

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2$#645Move
String ID: Messan7$Suppresser6
API String ID: 4058107095-1785867165
Opcode ID: 9ea867b03be2bea527bc8f0ce5661e26d98ad42a95ee36738ccae9092e1c9ae9
Instruction ID: 8d10e114418fd37993e082756617ec489b59c3fe668dc4669762dc5c1c8f5089
Opcode Fuzzy Hash: 9ea867b03be2bea527bc8f0ce5661e26d98ad42a95ee36738ccae9092e1c9ae9
Instruction Fuzzy Hash: DB410770E44248EFDB14EF90D856BDDBBB4BF18704F50442AF501BB2A1CBB95886CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401C78, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401C7D

Strings

VB5!6&*, xrefs: 00401C78

Memory Dump Source

Source File: 00000000.00000002.810349995.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810324903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810414194.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810433195.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.jbxd

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 08c88f93f2534afaace40c1409475e3d3ee1bfcb8e66df4efca98e13744361d9
Instruction ID: 0b4cf6f78273fd1424aec40b56d45c8969a176d59c1d783bc631d034d74b7b4c
Opcode Fuzzy Hash: 08c88f93f2534afaace40c1409475e3d3ee1bfcb8e66df4efca98e13744361d9
Instruction Fuzzy Hash: E6F01E2048E3E14FD3438BB888A51063F70A95324034A80EBC4C4CF0E3D22D980EC33A

Uniqueness

Uniqueness Score: -1.00%

Function 00411268, Relevance: .0, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.810349995.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810324903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810414194.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810433195.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02179048b884e986029aa482e75aee96499a12d1d097d3b8ca46628c946232b
Instruction ID: cc550fa7e3b643d8715b9ede1ea3cb39998d1ed5c3e47de835c2aec2dbaf9988
Opcode Fuzzy Hash: b02179048b884e986029aa482e75aee96499a12d1d097d3b8ca46628c946232b
Instruction Fuzzy Hash: 97B012343880019A6A2083D48C829A321C0D3503C03204D73F512E12B0D67CCD41452D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00420147, Relevance: 66.8, APIs: 37, Strings: 1, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E00420147(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				long long* _v12;
				intOrPtr _v24;
				void* _v40;
				long long _v48;
				signed int _v52;
				char _v56;
				char _v60;
				char _v64;
				intOrPtr _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				intOrPtr _v104;
				char _v112;
				intOrPtr _v120;
				char _v128;
				short _v164;
				char _v168;
				intOrPtr* _v172;
				signed int _v176;
				void* _v180;
				signed int _v184;
				intOrPtr* _v192;
				signed int _v196;
				intOrPtr* _v200;
				signed int _v204;
				signed int _v208;
				intOrPtr* _v212;
				signed int _v216;
				intOrPtr* _v220;
				intOrPtr* _v224;
				signed int _v228;
				signed int _v232;
				char* _t147;
				signed int _t151;
				char* _t153;
				char* _t158;
				char* _t162;
				signed int _t166;
				signed int _t170;
				char* _t172;
				signed int _t184;
				signed int _t189;
				char* _t195;
				char* _t196;
				signed int _t199;
				char* _t209;
				long long* _t232;
				void* _t234;
				long long _t248;

				_push(0x401a56);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t232;
				L00401A50();
				_v12 = _t232;
				_v8 = 0x401a40;
				if( *0x421010 != 0) {
					_v192 = 0x421010;
				} else {
					_push(0x421010);
					_push(0x410168);
					L00401C4E();
					_v192 = 0x421010;
				}
				_t147 =  &_v60;
				L00401C54();
				_v172 = _t147;
				_t151 =  *((intOrPtr*)( *_v172 + 0x50))(_v172,  &_v164, _t147,  *((intOrPtr*)( *((intOrPtr*)( *_v192)) + 0x32c))( *_v192));
				asm("fclex");
				_v176 = _t151;
				if(_v176 >= 0) {
					_v196 = _v196 & 0x00000000;
				} else {
					_push(0x50);
					_push(0x411498);
					_push(_v172);
					_push(_v176);
					L00401C48();
					_v196 = _t151;
				}
				_push(_v164);
				_t153 =  &_v128;
				_push(_t153);
				L00401AF2();
				_push(_t153);
				L00401AF8();
				_v180 =  ~(0 | _t153 != 0x0000ffff);
				L00401C18();
				_t209 =  &_v128;
				L00401C0C();
				if(_v180 != 0) {
					_v104 = 0x80020004;
					_v112 = 0xa;
					_v88 = 0x80020004;
					_v96 = 0xa;
					_v72 = 0x80020004;
					_v80 = 0xa;
					_push( &_v112);
					_push( &_v96);
					_push( &_v80);
					_t248 =  *0x4018e8;
					_push(_t209);
					_push(_t209);
					 *_t232 = _t248;
					asm("fld1");
					_push(_t209);
					_push(_t209);
					 *_t232 = _t248;
					asm("fld1");
					_push(_t209);
					_push(_t209);
					 *_t232 = _t248;
					L00401B76();
					_v48 = _t248;
					_push( &_v112);
					_push( &_v96);
					_push( &_v80);
					_push(3);
					L00401B82();
					_t234 = _t232 + 0x10;
					if( *0x421408 != 0) {
						_v200 = 0x421408;
					} else {
						_push(0x421408);
						_push(0x4114cc);
						L00401C4E();
						_v200 = 0x421408;
					}
					_v172 =  *_v200;
					_t184 =  *((intOrPtr*)( *_v172 + 0x14))(_v172,  &_v60);
					asm("fclex");
					_v176 = _t184;
					if(_v176 >= 0) {
						_v204 = _v204 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x4114bc);
						_push(_v172);
						_push(_v176);
						L00401C48();
						_v204 = _t184;
					}
					_v180 = _v60;
					_t189 =  *((intOrPtr*)( *_v180 + 0x118))(_v180,  &_v168);
					asm("fclex");
					_v184 = _t189;
					if(_v184 >= 0) {
						_v208 = _v208 & 0x00000000;
					} else {
						_push(0x118);
						_push(0x4114dc);
						_push(_v180);
						_push(_v184);
						L00401C48();
						_v208 = _t189;
					}
					L00401AEC();
					_v52 = _t189;
					L00401C18();
					_push( &_v80);
					L00401B46();
					_push(1);
					_push( &_v80);
					_push( &_v96);
					L00401B4C();
					L00401BEE();
					L00401C0C();
					if( *0x421408 != 0) {
						_v212 = 0x421408;
					} else {
						_push(0x421408);
						_push(0x4114cc);
						L00401C4E();
						_v212 = 0x421408;
					}
					_v172 =  *_v212;
					_t195 =  &_v80;
					L00401AE6();
					_t232 = _t234 + 0x10;
					L00401B1C();
					_t196 =  &_v60;
					L00401B22();
					_t199 =  *((intOrPtr*)( *_v172 + 0xc))(_v172, _t196, _t196, _t195, _t195, _t195, _v24, L"wWGlXSvjVswiceEOeD9ow0AF9RZQHm228", 0);
					asm("fclex");
					_v176 = _t199;
					if(_v176 >= 0) {
						_v216 = _v216 & 0x00000000;
					} else {
						_push(0xc);
						_push(0x4114bc);
						_push(_v172);
						_push(_v176);
						L00401C48();
						_v216 = _t199;
					}
					L00401C18();
					L00401C0C();
				}
				if( *0x421010 != 0) {
					_v220 = 0x421010;
				} else {
					_push(0x421010);
					_push(0x410168);
					L00401C4E();
					_v220 = 0x421010;
				}
				_push( *((intOrPtr*)( *((intOrPtr*)( *_v220)) + 0x324))( *_v220));
				_t158 =  &_v64;
				_push(_t158);
				L00401C54();
				_v180 = _t158;
				_v120 = 0x80020004;
				_v128 = 0xa;
				if( *0x421010 != 0) {
					_v224 = 0x421010;
				} else {
					_push(0x421010);
					_push(0x410168);
					L00401C4E();
					_v224 = 0x421010;
				}
				_t162 =  &_v60;
				L00401C54();
				_v172 = _t162;
				_t166 =  *((intOrPtr*)( *_v172 + 0x218))(_v172,  &_v56, _t162,  *((intOrPtr*)( *((intOrPtr*)( *_v224)) + 0x320))( *_v224));
				asm("fclex");
				_v176 = _t166;
				if(_v176 >= 0) {
					_v228 = _v228 & 0x00000000;
				} else {
					_push(0x218);
					_push(0x4116c0);
					_push(_v172);
					_push(_v176);
					L00401C48();
					_v228 = _t166;
				}
				L00401A50();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t170 =  *((intOrPtr*)( *_v180 + 0x1ec))(_v180, _v56, 0x10);
				asm("fclex");
				_v184 = _t170;
				if(_v184 >= 0) {
					_v232 = _v232 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x4116c0);
					_push(_v180);
					_push(_v184);
					L00401C48();
					_v232 = _t170;
				}
				L00401C42();
				_push( &_v64);
				_t172 =  &_v60;
				_push(_t172);
				_push(2);
				L00401C3C();
				asm("wait");
				_push(0x42068e);
				L00401C18();
				L00401C0C();
				return _t172;
			}

0x0042014c
0x00420157
0x00420158
0x00420164
0x0042016c
0x0042016f
0x0042017d
0x0042019a
0x0042017f
0x0042017f
0x00420184
0x00420189
0x0042018e
0x0042018e
0x004201be
0x004201c2
0x004201c7
0x004201e2
0x004201e5
0x004201e7
0x004201f4
0x00420216
0x004201f6
0x004201f6
0x004201f8
0x004201fd
0x00420203
0x00420209
0x0042020e
0x0042020e
0x00420224
0x00420225
0x00420228
0x00420229
0x0042022e
0x0042022f
0x0042023f
0x00420249
0x0042024e
0x00420251
0x0042025f
0x00420265
0x0042026c
0x00420273
0x0042027a
0x00420281
0x00420288
0x00420292
0x00420296
0x0042029a
0x0042029b
0x004202a1
0x004202a2
0x004202a3
0x004202a6
0x004202a8
0x004202a9
0x004202aa
0x004202ad
0x004202af
0x004202b0
0x004202b1
0x004202b4
0x004202b9
0x004202bf
0x004202c3
0x004202c7
0x004202c8
0x004202ca
0x004202cf
0x004202d9
0x004202f6
0x004202db
0x004202db
0x004202e0
0x004202e5
0x004202ea
0x004202ea
0x00420308
0x00420320
0x00420323
0x00420325
0x00420332
0x00420354
0x00420334
0x00420334
0x00420336
0x0042033b
0x00420341
0x00420347
0x0042034c
0x0042034c
0x0042035e
0x00420379
0x0042037f
0x00420381
0x0042038e
0x004203b3
0x00420390
0x00420390
0x00420395
0x0042039a
0x004203a0
0x004203a6
0x004203ab
0x004203ab
0x004203c0
0x004203c5
0x004203cc
0x004203d4
0x004203d5
0x004203da
0x004203df
0x004203e3
0x004203e4
0x004203ef
0x004203f7
0x00420403
0x00420420
0x00420405
0x00420405
0x0042040a
0x0042040f
0x00420414
0x00420414
0x00420432
0x00420442
0x00420446
0x0042044b
0x0042044f
0x00420455
0x00420459
0x0042046d
0x00420470
0x00420472
0x0042047f
0x004204a1
0x00420481
0x00420481
0x00420483
0x00420488
0x0042048e
0x00420494
0x00420499
0x00420499
0x004204ab
0x004204b3
0x004204b3
0x004204bf
0x004204dc
0x004204c1
0x004204c1
0x004204c6
0x004204cb
0x004204d0
0x004204d0
0x004204ff
0x00420500
0x00420503
0x00420504
0x00420509
0x0042050f
0x00420516
0x00420524
0x00420541
0x00420526
0x00420526
0x0042052b
0x00420530
0x00420535
0x00420535
0x00420565
0x00420569
0x0042056e
0x00420586
0x0042058c
0x0042058e
0x0042059b
0x004205c0
0x0042059d
0x0042059d
0x004205a2
0x004205a7
0x004205ad
0x004205b3
0x004205b8
0x004205b8
0x004205ca
0x004205d4
0x004205d5
0x004205d6
0x004205d7
0x004205e9
0x004205ef
0x004205f1
0x004205fe
0x00420623
0x00420600
0x00420600
0x00420605
0x0042060a
0x00420610
0x00420616
0x0042061b
0x0042061b
0x0042062d
0x00420635
0x00420636
0x00420639
0x0042063a
0x0042063c
0x00420644
0x00420645
0x00420680
0x00420688
0x0042068d

APIs

__vbaChkstk.MSVBVM60(?,00401A56), ref: 00420164
__vbaNew2.MSVBVM60(00410168,00421010,?,?,?,?,00401A56), ref: 00420189
__vbaObjSet.MSVBVM60(?,00000000), ref: 004201C2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411498,00000050), ref: 00420209
__vbaVarErrI4.MSVBVM60(?,?), ref: 00420229
#559.MSVBVM60(00000000,?,?), ref: 0042022F
__vbaFreeObj.MSVBVM60(00000000,?,?), ref: 00420249
__vbaFreeVar.MSVBVM60(00000000,?,?), ref: 00420251
#680.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A,0000000A,00000000,?,?), ref: 004202B4
__vbaFreeVarList.MSVBVM60(00000003,0000000A,0000000A,0000000A,?,?,?,?,?,?,0000000A,0000000A,0000000A,00000000,?,?), ref: 004202CA
__vbaNew2.MSVBVM60(004114CC,00421408), ref: 004202E5
__vbaHresultCheckObj.MSVBVM60(00000000,?,004114BC,00000014), ref: 00420347
__vbaHresultCheckObj.MSVBVM60(00000000,?,004114DC,00000118), ref: 004203A6
__vbaI2I4.MSVBVM60(00000000,?,004114DC,00000118), ref: 004203C0
__vbaFreeObj.MSVBVM60(00000000,?,004114DC,00000118), ref: 004203CC
#610.MSVBVM60(?), ref: 004203D5
#552.MSVBVM60(?,?,00000001,?), ref: 004203E4
__vbaVarMove.MSVBVM60(?,?,00000001,?), ref: 004203EF
__vbaFreeVar.MSVBVM60(?,?,00000001,?), ref: 004203F7
__vbaNew2.MSVBVM60(004114CC,00421408,?,?,00000001,?), ref: 0042040F
__vbaLateMemCallLd.MSVBVM60(?,?,wWGlXSvjVswiceEOeD9ow0AF9RZQHm228,00000000,?,?,00000001,?), ref: 00420446
__vbaObjVar.MSVBVM60(00000000), ref: 0042044F
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000), ref: 00420459
__vbaHresultCheckObj.MSVBVM60(00000000,?,004114BC,0000000C), ref: 00420494
__vbaFreeObj.MSVBVM60(00000000,?,004114BC,0000000C), ref: 004204AB
__vbaFreeVar.MSVBVM60(00000000,?,004114BC,0000000C), ref: 004204B3
__vbaNew2.MSVBVM60(00410168,00421010,00000000,?,?), ref: 004204CB
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000,?,?), ref: 00420504
__vbaNew2.MSVBVM60(00410168,00421010,?,00000000,?,?,?,?,00000000,?,?), ref: 00420530
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000,?,?), ref: 00420569
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C0,00000218,?,?,?,?,00000000,?,?), ref: 004205B3
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,00000000,?,?), ref: 004205CA
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C0,000001EC,?,?,?,?,?,?,00000000,?,?), ref: 00420616
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,00000000,?,?), ref: 0042062D
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,00000000,?,?), ref: 0042063C
__vbaFreeObj.MSVBVM60(0042068E), ref: 00420680
__vbaFreeVar.MSVBVM60(0042068E), ref: 00420688

Strings

wWGlXSvjVswiceEOeD9ow0AF9RZQHm228, xrefs: 0042043A

Memory Dump Source

Source File: 00000000.00000002.810349995.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810324903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810414194.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810433195.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.jbxd

Similarity

API ID: __vba$Free$CheckHresult$New2$ChkstkList$#552#559#610#680AddrefCallLateMove
String ID: wWGlXSvjVswiceEOeD9ow0AF9RZQHm228
API String ID: 3186785867-2484082180
Opcode ID: 2cb448f44c94807be73dee74f13a8b72284f1cfc7de17f85b663a06477fe6ce6
Instruction ID: e42da22152e914129827c78457991228c71465be0fd96aac03b470351b514d5e
Opcode Fuzzy Hash: 2cb448f44c94807be73dee74f13a8b72284f1cfc7de17f85b663a06477fe6ce6
Instruction Fuzzy Hash: 85E11970A40228EFDB24EF91DC45FDEB7B5AF15304F5080AAE109B71A1DB785A85CF29

Uniqueness

Uniqueness Score: -1.00%

Function 0041F448, Relevance: 54.5, APIs: 30, Strings: 1, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 52%

			E0041F448(void* __ebx, void* __edi, void* __esi) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v40;
				void* _v56;
				void* _v60;
				char _v64;
				signed int _v68;
				char _v72;
				signed int _v76;
				char _v92;
				char _v108;
				char _v124;
				char _v140;
				intOrPtr _v164;
				char _v172;
				intOrPtr _v180;
				char _v188;
				char _v192;
				void* _v196;
				signed int _v200;
				void* _v204;
				signed int _v208;
				signed int _v232;
				signed int _v236;
				intOrPtr* _v240;
				signed int _v244;
				signed int _v248;
				intOrPtr* _v252;
				signed int _v256;
				signed int _v260;
				intOrPtr* _v264;
				signed int _v268;
				intOrPtr* _v272;
				signed int _v276;
				signed int _t155;
				signed int _t160;
				char* _t166;
				short _t170;
				char* _t175;
				signed int _t181;
				signed int _t186;
				char* _t192;
				signed int _t196;
				signed int _t203;
				void* _t225;
				intOrPtr _t226;

				_t226 = _t225 - 0x18;
				_push(0x401a56);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t226;
				L00401A50();
				_v28 = _t226;
				_v24 = 0x401980;
				_v20 = 0;
				_v16 = 0;
				_v8 = 1;
				_v8 = 2;
				if( *0x421408 != 0) {
					_v240 = 0x421408;
				} else {
					_push(0x421408);
					_push(0x4114cc);
					L00401C4E();
					_v240 = 0x421408;
				}
				_v196 =  *_v240;
				_t155 =  *((intOrPtr*)( *_v196 + 0x14))(_v196,  &_v72);
				asm("fclex");
				_v200 = _t155;
				if(_v200 >= 0) {
					_v244 = _v244 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4114bc);
					_push(_v196);
					_push(_v200);
					L00401C48();
					_v244 = _t155;
				}
				_v204 = _v72;
				_t160 =  *((intOrPtr*)( *_v204 + 0xd8))(_v204,  &_v68);
				asm("fclex");
				_v208 = _t160;
				if(_v208 >= 0) {
					_v248 = _v248 & 0x00000000;
				} else {
					_push(0xd8);
					_push(0x4114dc);
					_push(_v204);
					_push(_v208);
					L00401C48();
					_v248 = _t160;
				}
				_v232 = _v68;
				_v68 = _v68 & 0x00000000;
				L00401C1E();
				L00401C18();
				_v8 = 3;
				_push( &_v92);
				L00401B46();
				_push( &_v108);
				L00401B46();
				_v164 = 1;
				_v172 = 2;
				_push(1);
				_push(1);
				_push( &_v108);
				_push( &_v172);
				_t166 =  &_v124;
				_push(_t166);
				L00401BE8();
				_push(_t166);
				_push( &_v92);
				_push(0x411780);
				_push( &_v140);
				L00401B0A();
				_v180 = 1;
				_v188 = 0x8002;
				_push( &_v140);
				_t170 =  &_v188;
				_push(_t170);
				L00401B10();
				_v196 = _t170;
				_push( &_v140);
				_push( &_v124);
				_push( &_v92);
				_push( &_v108);
				_push(4);
				L00401B82();
				_t175 = _v196;
				if(_t175 != 0) {
					_v8 = 4;
					if( *0x421408 != 0) {
						_v252 = 0x421408;
					} else {
						_push(0x421408);
						_push(0x4114cc);
						L00401C4E();
						_v252 = 0x421408;
					}
					_v196 =  *_v252;
					_t181 =  *((intOrPtr*)( *_v196 + 0x14))(_v196,  &_v72);
					asm("fclex");
					_v200 = _t181;
					if(_v200 >= 0) {
						_v256 = _v256 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x4114bc);
						_push(_v196);
						_push(_v200);
						L00401C48();
						_v256 = _t181;
					}
					_v204 = _v72;
					_t186 =  *((intOrPtr*)( *_v204 + 0x108))(_v204,  &_v192);
					asm("fclex");
					_v208 = _t186;
					if(_v208 >= 0) {
						_v260 = _v260 & 0x00000000;
					} else {
						_push(0x108);
						_push(0x4114dc);
						_push(_v204);
						_push(_v208);
						L00401C48();
						_v260 = _t186;
					}
					_v40 = _v192;
					L00401C18();
					_v8 = 5;
					_push(0xffffffff);
					L00401BF4();
					_v8 = 6;
					_push( &_v92);
					L00401B34();
					L00401BEE();
					_v8 = 7;
					_v8 = 8;
					if( *0x421010 != 0) {
						_v264 = 0x421010;
					} else {
						_push(0x421010);
						_push(0x410168);
						L00401C4E();
						_v264 = 0x421010;
					}
					_t192 =  &_v72;
					L00401C54();
					_v196 = _t192;
					_t196 =  *((intOrPtr*)( *_v196 + 0x168))(_v196,  &_v192, _t192,  *((intOrPtr*)( *((intOrPtr*)( *_v264)) + 0x30c))( *_v264));
					asm("fclex");
					_v200 = _t196;
					if(_v200 >= 0) {
						_v268 = _v268 & 0x00000000;
					} else {
						_push(0x168);
						_push(0x4114ec);
						_push(_v196);
						_push(_v200);
						L00401C48();
						_v268 = _t196;
					}
					if( *0x421408 != 0) {
						_v272 = 0x421408;
					} else {
						_push(0x421408);
						_push(0x4114cc);
						L00401C4E();
						_v272 = 0x421408;
					}
					_v204 =  *_v272;
					_v164 = 0x43;
					_v172 = 2;
					L00401A50();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t203 =  *((intOrPtr*)( *_v204 + 0x34))(_v204, 0x10, _v192,  &_v76);
					asm("fclex");
					_v208 = _t203;
					if(_v208 >= 0) {
						_v276 = _v276 & 0x00000000;
					} else {
						_push(0x34);
						_push(0x4114bc);
						_push(_v204);
						_push(_v208);
						L00401C48();
						_v276 = _t203;
					}
					_v236 = _v76;
					_v76 = _v76 & 0x00000000;
					_push(_v236);
					_t175 =  &_v64;
					_push(_t175);
					L00401C54();
					L00401C18();
				}
				_push(0x41f971);
				L00401C0C();
				L00401C42();
				L00401C18();
				return _t175;
			}

0x0041f44b
0x0041f44e
0x0041f459
0x0041f45a
0x0041f466
0x0041f46e
0x0041f471
0x0041f478
0x0041f47f
0x0041f486
0x0041f48d
0x0041f49b
0x0041f4b8
0x0041f49d
0x0041f49d
0x0041f4a2
0x0041f4a7
0x0041f4ac
0x0041f4ac
0x0041f4ca
0x0041f4e2
0x0041f4e5
0x0041f4e7
0x0041f4f4
0x0041f516
0x0041f4f6
0x0041f4f6
0x0041f4f8
0x0041f4fd
0x0041f503
0x0041f509
0x0041f50e
0x0041f50e
0x0041f520
0x0041f538
0x0041f53e
0x0041f540
0x0041f54d
0x0041f572
0x0041f54f
0x0041f54f
0x0041f554
0x0041f559
0x0041f55f
0x0041f565
0x0041f56a
0x0041f56a
0x0041f57c
0x0041f582
0x0041f58f
0x0041f597
0x0041f59c
0x0041f5a6
0x0041f5a7
0x0041f5af
0x0041f5b0
0x0041f5b5
0x0041f5bf
0x0041f5c9
0x0041f5cb
0x0041f5d0
0x0041f5d7
0x0041f5d8
0x0041f5db
0x0041f5dc
0x0041f5e1
0x0041f5e5
0x0041f5e6
0x0041f5f1
0x0041f5f2
0x0041f5f7
0x0041f601
0x0041f611
0x0041f612
0x0041f618
0x0041f619
0x0041f61e
0x0041f62b
0x0041f62f
0x0041f633
0x0041f637
0x0041f638
0x0041f63a
0x0041f642
0x0041f64b
0x0041f651
0x0041f65f
0x0041f67c
0x0041f661
0x0041f661
0x0041f666
0x0041f66b
0x0041f670
0x0041f670
0x0041f68e
0x0041f6a6
0x0041f6a9
0x0041f6ab
0x0041f6b8
0x0041f6da
0x0041f6ba
0x0041f6ba
0x0041f6bc
0x0041f6c1
0x0041f6c7
0x0041f6cd
0x0041f6d2
0x0041f6d2
0x0041f6e4
0x0041f6ff
0x0041f705
0x0041f707
0x0041f714
0x0041f739
0x0041f716
0x0041f716
0x0041f71b
0x0041f720
0x0041f726
0x0041f72c
0x0041f731
0x0041f731
0x0041f747
0x0041f74e
0x0041f753
0x0041f75a
0x0041f75c
0x0041f761
0x0041f76b
0x0041f76c
0x0041f777
0x0041f77c
0x0041f783
0x0041f791
0x0041f7ae
0x0041f793
0x0041f793
0x0041f798
0x0041f79d
0x0041f7a2
0x0041f7a2
0x0041f7d2
0x0041f7d6
0x0041f7db
0x0041f7f6
0x0041f7fc
0x0041f7fe
0x0041f80b
0x0041f830
0x0041f80d
0x0041f80d
0x0041f812
0x0041f817
0x0041f81d
0x0041f823
0x0041f828
0x0041f828
0x0041f83e
0x0041f85b
0x0041f840
0x0041f840
0x0041f845
0x0041f84a
0x0041f84f
0x0041f84f
0x0041f86d
0x0041f873
0x0041f87d
0x0041f894
0x0041f8a1
0x0041f8a2
0x0041f8a3
0x0041f8a4
0x0041f8b3
0x0041f8b6
0x0041f8b8
0x0041f8c5
0x0041f8e7
0x0041f8c7
0x0041f8c7
0x0041f8c9
0x0041f8ce
0x0041f8d4
0x0041f8da
0x0041f8df
0x0041f8df
0x0041f8f1
0x0041f8f7
0x0041f8fb
0x0041f901
0x0041f904
0x0041f905
0x0041f90d
0x0041f90d
0x0041f912
0x0041f95b
0x0041f963
0x0041f96b
0x0041f970

APIs

__vbaChkstk.MSVBVM60(?,00401A56), ref: 0041F466
__vbaNew2.MSVBVM60(004114CC,00421408,?,?,?,?,00401A56), ref: 0041F4A7
__vbaHresultCheckObj.MSVBVM60(00000000,?,004114BC,00000014), ref: 0041F509
__vbaHresultCheckObj.MSVBVM60(00000000,?,004114DC,000000D8), ref: 0041F565
__vbaStrMove.MSVBVM60(00000000,?,004114DC,000000D8), ref: 0041F58F
__vbaFreeObj.MSVBVM60(00000000,?,004114DC,000000D8), ref: 0041F597
#610.MSVBVM60(?), ref: 0041F5A7
#610.MSVBVM60(?,?), ref: 0041F5B0
__vbaVarAdd.MSVBVM60(?,00000002,?,00000001,00000001,?,?), ref: 0041F5DC
#662.MSVBVM60(?,00411780,?,00000000,?,00000002,?,00000001,00000001,?,?), ref: 0041F5F2
__vbaVarTstNe.MSVBVM60(00008002,?,?,00411780,?,00000000,?,00000002,?,00000001,00000001,?,?), ref: 0041F619
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,00008002,?,?,00411780,?,00000000,?,00000002,?,00000001,00000001), ref: 0041F63A
__vbaNew2.MSVBVM60(004114CC,00421408,?,?,?,?,00401A56), ref: 0041F66B
__vbaHresultCheckObj.MSVBVM60(00000000,?,004114BC,00000014), ref: 0041F6CD
__vbaHresultCheckObj.MSVBVM60(00000000,?,004114DC,00000108), ref: 0041F72C
__vbaFreeObj.MSVBVM60(00000000,?,004114DC,00000108), ref: 0041F74E
__vbaOnError.MSVBVM60(000000FF), ref: 0041F75C
#546.MSVBVM60(?,000000FF), ref: 0041F76C
__vbaVarMove.MSVBVM60(?,000000FF), ref: 0041F777
__vbaNew2.MSVBVM60(00410168,00421010,?,000000FF), ref: 0041F79D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F7D6
__vbaHresultCheckObj.MSVBVM60(00000000,?,004114EC,00000168), ref: 0041F823
__vbaNew2.MSVBVM60(004114CC,00421408), ref: 0041F84A
__vbaChkstk.MSVBVM60(?,?), ref: 0041F894
__vbaHresultCheckObj.MSVBVM60(00000000,?,004114BC,00000034), ref: 0041F8DA
__vbaObjSet.MSVBVM60(?,?), ref: 0041F905
__vbaFreeObj.MSVBVM60(?,?), ref: 0041F90D
__vbaFreeVar.MSVBVM60(0041F971,?,?,?,?,00401A56), ref: 0041F95B
__vbaFreeStr.MSVBVM60(0041F971,?,?,?,?,00401A56), ref: 0041F963
__vbaFreeObj.MSVBVM60(0041F971,?,?,?,?,00401A56), ref: 0041F96B

Strings

C, xrefs: 0041F873

Memory Dump Source

Source File: 00000000.00000002.810349995.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810324903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810414194.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810433195.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.jbxd

Similarity

API ID: __vba$Free$CheckHresult$New2$#610ChkstkMove$#546#662ErrorList
String ID: C
API String ID: 1515733208-1037565863
Opcode ID: 2716dace5b155da55c8fb9acd16f8f2937ff74668b04499818804edc09c25e34
Instruction ID: 73a0ae7e5a606f9d67bce5b59382ce8c5adf9296c4b3abb5c9c9cd7733158079
Opcode Fuzzy Hash: 2716dace5b155da55c8fb9acd16f8f2937ff74668b04499818804edc09c25e34
Instruction Fuzzy Hash: 8DD1E170945228EBEB20EF91CC45FDDB7B4BB14304F1081EAE109B72A1D7785AC99F68

Uniqueness

Uniqueness Score: -1.00%

Function 0041FB4D, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 52%

			E0041FB4D(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				char* _t48;
				signed int _t52;
				char* _t56;
				signed int _t59;
				intOrPtr _t76;

				_push(0x401a56);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t76;
				_push(0x34);
				L00401A50();
				_v12 = _t76;
				_v8 = 0x4019e0;
				if( *0x421010 != 0) {
					_v60 = 0x421010;
				} else {
					_push(0x421010);
					_push(0x410168);
					L00401C4E();
					_v60 = 0x421010;
				}
				_t48 =  &_v28;
				L00401C54();
				_v48 = _t48;
				_v36 = 0x80020004;
				_v44 = 0xa;
				L00401A50();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t52 =  *((intOrPtr*)( *_v48 + 0x1ec))(_v48, L"BERTA", 0x10, _t48,  *((intOrPtr*)( *((intOrPtr*)( *_v60)) + 0x330))( *_v60));
				asm("fclex");
				_v52 = _t52;
				if(_v52 >= 0) {
					_v64 = _v64 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x411498);
					_push(_v48);
					_push(_v52);
					L00401C48();
					_v64 = _t52;
				}
				L00401C18();
				if( *0x421010 != 0) {
					_v68 = 0x421010;
				} else {
					_push(0x421010);
					_push(0x410168);
					L00401C4E();
					_v68 = 0x421010;
				}
				_t56 =  &_v28;
				L00401C54();
				_v48 = _t56;
				_t59 =  *((intOrPtr*)( *_v48 + 0x22c))(_v48, _t56,  *((intOrPtr*)( *((intOrPtr*)( *_v68)) + 0x30c))( *_v68));
				asm("fclex");
				_v52 = _t59;
				if(_v52 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x22c);
					_push(0x4114ec);
					_push(_v48);
					_push(_v52);
					L00401C48();
					_v72 = _t59;
				}
				L00401C18();
				_v24 =  *0x4019d8;
				asm("wait");
				_push(0x41fcc7);
				return _t59;
			}

0x0041fb52
0x0041fb5d
0x0041fb5e
0x0041fb65
0x0041fb68
0x0041fb70
0x0041fb73
0x0041fb81
0x0041fb9b
0x0041fb83
0x0041fb83
0x0041fb88
0x0041fb8d
0x0041fb92
0x0041fb92
0x0041fbb6
0x0041fbba
0x0041fbbf
0x0041fbc2
0x0041fbc9
0x0041fbd3
0x0041fbdd
0x0041fbde
0x0041fbdf
0x0041fbe0
0x0041fbee
0x0041fbf4
0x0041fbf6
0x0041fbfd
0x0041fc19
0x0041fbff
0x0041fbff
0x0041fc04
0x0041fc09
0x0041fc0c
0x0041fc0f
0x0041fc14
0x0041fc14
0x0041fc20
0x0041fc2c
0x0041fc46
0x0041fc2e
0x0041fc2e
0x0041fc33
0x0041fc38
0x0041fc3d
0x0041fc3d
0x0041fc61
0x0041fc65
0x0041fc6a
0x0041fc75
0x0041fc7b
0x0041fc7d
0x0041fc84
0x0041fca0
0x0041fc86
0x0041fc86
0x0041fc8b
0x0041fc90
0x0041fc93
0x0041fc96
0x0041fc9b
0x0041fc9b
0x0041fca7
0x0041fcb2
0x0041fcb5
0x0041fcb6
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401A56), ref: 0041FB68
__vbaNew2.MSVBVM60(00410168,00421010,?,?,?,?,00401A56), ref: 0041FB8D
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401A56), ref: 0041FBBA
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401A56), ref: 0041FBD3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411498,000001EC,?,?,?,?,?,?,?,?,?,?,?,00401A56), ref: 0041FC0F
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401A56), ref: 0041FC20
__vbaNew2.MSVBVM60(00410168,00421010,?,?,?,?,?,?,?,?,?,?,?,00401A56), ref: 0041FC38
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401A56), ref: 0041FC65
__vbaHresultCheckObj.MSVBVM60(00000000,?,004114EC,0000022C), ref: 0041FC96
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401A56), ref: 0041FCA7

Strings

BERTA, xrefs: 0041FBE1

Memory Dump Source

Source File: 00000000.00000002.810349995.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810324903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810414194.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810433195.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.jbxd

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID: BERTA
API String ID: 4127847336-4176431027
Opcode ID: 24e8e3842d1732ac3c2ff7a50c4a6aec79ec8e90f4e7e41e0030ef94d13a6a85
Instruction ID: 98061c11e553b0e5c1e7d7ff84c1613137ec7461d79aacfb7b436b7b961add6f
Opcode Fuzzy Hash: 24e8e3842d1732ac3c2ff7a50c4a6aec79ec8e90f4e7e41e0030ef94d13a6a85
Instruction Fuzzy Hash: 924136B0A44208EFDB10EFA4D885FDDBBB4BF09704F10402AF501BB2A1D7B96885DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041F0CE, Relevance: 10.6, APIs: 7, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E0041F0CE(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				void* _v32;
				signed int _v36;
				void* _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr _v68;
				intOrPtr* _v72;
				signed int _v76;
				signed int _v80;
				signed int _t54;
				signed int _t59;
				signed int _t60;
				void* _t68;
				void* _t70;
				intOrPtr _t71;

				_t71 = _t70 - 0xc;
				 *[fs:0x0] = _t71;
				L00401A50();
				_v16 = _t71;
				_v12 = 0x401950;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x38,  *[fs:0x0], 0x401a56, _t68);
				if( *0x421408 != 0) {
					_v72 = 0x421408;
				} else {
					_push(0x421408);
					_push(0x4114cc);
					L00401C4E();
					_v72 = 0x421408;
				}
				_v44 =  *_v72;
				_t54 =  *((intOrPtr*)( *_v44 + 0x14))(_v44,  &_v40);
				asm("fclex");
				_v48 = _t54;
				if(_v48 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4114bc);
					_push(_v44);
					_push(_v48);
					L00401C48();
					_v76 = _t54;
				}
				_v52 = _v40;
				_t59 =  *((intOrPtr*)( *_v52 + 0xe0))(_v52,  &_v36);
				asm("fclex");
				_v56 = _t59;
				if(_v56 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0xe0);
					_push(0x4114dc);
					_push(_v52);
					_push(_v56);
					L00401C48();
					_v80 = _t59;
				}
				_t60 = _v36;
				_v68 = _t60;
				_v36 = _v36 & 0x00000000;
				L00401C1E();
				L00401C18();
				_v28 = 0x50b8;
				_push(0x41f1f8);
				L00401C42();
				return _t60;
			}

0x0041f0d1
0x0041f0e0
0x0041f0ea
0x0041f0f2
0x0041f0f5
0x0041f0fc
0x0041f10b
0x0041f115
0x0041f12f
0x0041f117
0x0041f117
0x0041f11c
0x0041f121
0x0041f126
0x0041f126
0x0041f13b
0x0041f14a
0x0041f14d
0x0041f14f
0x0041f156
0x0041f16f
0x0041f158
0x0041f158
0x0041f15a
0x0041f15f
0x0041f162
0x0041f165
0x0041f16a
0x0041f16a
0x0041f176
0x0041f185
0x0041f18b
0x0041f18d
0x0041f194
0x0041f1b0
0x0041f196
0x0041f196
0x0041f19b
0x0041f1a0
0x0041f1a3
0x0041f1a6
0x0041f1ab
0x0041f1ab
0x0041f1b4
0x0041f1b7
0x0041f1ba
0x0041f1c4
0x0041f1cc
0x0041f1d1
0x0041f1d7
0x0041f1f2
0x0041f1f7

APIs

__vbaChkstk.MSVBVM60(?,00401A56), ref: 0041F0EA
__vbaNew2.MSVBVM60(004114CC,00421408,?,?,?,?,00401A56), ref: 0041F121
__vbaHresultCheckObj.MSVBVM60(00000000,?,004114BC,00000014), ref: 0041F165
__vbaHresultCheckObj.MSVBVM60(00000000,?,004114DC,000000E0), ref: 0041F1A6
__vbaStrMove.MSVBVM60 ref: 0041F1C4
__vbaFreeObj.MSVBVM60 ref: 0041F1CC
__vbaFreeStr.MSVBVM60(0041F1F8), ref: 0041F1F2

Memory Dump Source

Source File: 00000000.00000002.810349995.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810324903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810414194.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810433195.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.jbxd

Similarity

API ID: __vba$CheckFreeHresult$ChkstkMoveNew2
String ID:
API String ID: 1253681662-0
Opcode ID: 3ee42947b8523aba83339ad93b9f3978b2483a46676e3bde51c46784aaf40190
Instruction ID: 55a3f2ac6b36b04f651b48d5d72bbacff67866b4fa311c10b2153c7b7556bf66
Opcode Fuzzy Hash: 3ee42947b8523aba83339ad93b9f3978b2483a46676e3bde51c46784aaf40190
Instruction Fuzzy Hash: BE310371E40218EFDB10EF95C945BDDBBB0BF18705F60802AF105B72A1D778998A8F68

Uniqueness

Uniqueness Score: -1.00%

Function 0041F221, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E0041F221(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				char _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v52;
				signed int _v56;
				char* _t34;
				signed int _t37;
				void* _t45;
				void* _t47;
				intOrPtr _t48;

				_t48 = _t47 - 0xc;
				 *[fs:0x0] = _t48;
				L00401A50();
				_v16 = _t48;
				_v12 = 0x401960;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x20,  *[fs:0x0], 0x401a56, _t45);
				if( *0x421010 != 0) {
					_v52 = 0x421010;
				} else {
					_push(0x421010);
					_push(0x410168);
					L00401C4E();
					_v52 = 0x421010;
				}
				_t34 =  &_v32;
				L00401C54();
				_v36 = _t34;
				_t37 =  *((intOrPtr*)( *_v36 + 0x20c))(_v36, _t34,  *((intOrPtr*)( *((intOrPtr*)( *_v52)) + 0x330))( *_v52));
				asm("fclex");
				_v40 = _t37;
				if(_v40 >= 0) {
					_v56 = _v56 & 0x00000000;
				} else {
					_push(0x20c);
					_push(0x411498);
					_push(_v36);
					_push(_v40);
					L00401C48();
					_v56 = _t37;
				}
				L00401C18();
				_v28 = 0x3327;
				_push(0x41f2ff);
				return _t37;
			}

0x0041f224
0x0041f233
0x0041f23d
0x0041f245
0x0041f248
0x0041f24f
0x0041f25e
0x0041f268
0x0041f282
0x0041f26a
0x0041f26a
0x0041f26f
0x0041f274
0x0041f279
0x0041f279
0x0041f29d
0x0041f2a1
0x0041f2a6
0x0041f2b1
0x0041f2b7
0x0041f2b9
0x0041f2c0
0x0041f2dc
0x0041f2c2
0x0041f2c2
0x0041f2c7
0x0041f2cc
0x0041f2cf
0x0041f2d2
0x0041f2d7
0x0041f2d7
0x0041f2e3
0x0041f2e8
0x0041f2ee
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401A56), ref: 0041F23D
__vbaNew2.MSVBVM60(00410168,00421010,?,?,?,?,00401A56), ref: 0041F274
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F2A1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411498,0000020C), ref: 0041F2D2
__vbaFreeObj.MSVBVM60 ref: 0041F2E3

Strings

'3, xrefs: 0041F2E8

Memory Dump Source

Source File: 00000000.00000002.810349995.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810324903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810414194.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810433195.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.jbxd

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID: '3
API String ID: 4127847336-617398668
Opcode ID: 96fbb1e2bcfc7d509160a398de47bf1e0036497a0e7468f3d59cc4e7d9dc6999
Instruction ID: 8094380eeb339fc4e494b87faf413244b7a32d0bbae44aee7a7733fea45dbe7d
Opcode Fuzzy Hash: 96fbb1e2bcfc7d509160a398de47bf1e0036497a0e7468f3d59cc4e7d9dc6999
Instruction Fuzzy Hash: F121E474A40218EFCB00EF94D849FDDBBB4BB08744F60406AF005BB2A1C77E5985DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00420053, Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E00420053(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				signed int _v32;
				intOrPtr _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v56;
				signed int _v60;
				char* _t30;
				signed int _t34;
				intOrPtr _t47;

				_push(0x401a56);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t47;
				_push(0x28);
				L00401A50();
				_v12 = _t47;
				_v8 = 0x401a30;
				if( *0x421010 != 0) {
					_v56 = 0x421010;
				} else {
					_push(0x421010);
					_push(0x410168);
					L00401C4E();
					_v56 = 0x421010;
				}
				_t30 =  &_v24;
				L00401C54();
				_v44 = _t30;
				_v32 = _v32 & 0x00000000;
				_v40 = 2;
				L00401A50();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t34 =  *((intOrPtr*)( *_v44 + 0x200))(_v44, 0x10, _t30,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x32c))( *_v56));
				asm("fclex");
				_v48 = _t34;
				if(_v48 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x200);
					_push(0x411498);
					_push(_v44);
					_push(_v48);
					L00401C48();
					_v60 = _t34;
				}
				L00401C18();
				_push(0x420134);
				return _t34;
			}

0x00420058
0x00420063
0x00420064
0x0042006b
0x0042006e
0x00420076
0x00420079
0x00420087
0x004200a1
0x00420089
0x00420089
0x0042008e
0x00420093
0x00420098
0x00420098
0x004200bc
0x004200c0
0x004200c5
0x004200c8
0x004200cc
0x004200d6
0x004200e0
0x004200e1
0x004200e2
0x004200e3
0x004200ec
0x004200f2
0x004200f4
0x004200fb
0x00420117
0x004200fd
0x004200fd
0x00420102
0x00420107
0x0042010a
0x0042010d
0x00420112
0x00420112
0x0042011e
0x00420123
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401A56), ref: 0042006E
__vbaNew2.MSVBVM60(00410168,00421010,?,?,?,?,00401A56), ref: 00420093
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401A56), ref: 004200C0
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401A56), ref: 004200D6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411498,00000200,?,?,?,?,?,?,?,?,?,?,00401A56), ref: 0042010D
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401A56), ref: 0042011E

Memory Dump Source

Source File: 00000000.00000002.810349995.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810324903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810414194.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810433195.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.jbxd

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID:
API String ID: 3189907775-0
Opcode ID: 4de0da517bbc84d5d282b487758d7cbd772566f77ea02350904c9121fc9062f5
Instruction ID: 346dff2efff632b2816c31799097291a44b9061b3d7d2edac702ff0ba1b3ebad
Opcode Fuzzy Hash: 4de0da517bbc84d5d282b487758d7cbd772566f77ea02350904c9121fc9062f5
Instruction Fuzzy Hash: EB214A70A41208AFDB00DF94D98ABEDBBF5AB08714F60442AF101772A1C7BE59848B68

Uniqueness

Uniqueness Score: -1.00%

Function 0041F328, Relevance: 7.6, APIs: 5, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E0041F328(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				void* _v32;
				void* _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr* _v64;
				signed int _v68;
				signed int _v72;
				signed int _t48;
				signed int _t53;
				short _t54;
				void* _t59;
				void* _t61;
				intOrPtr _t62;

				_t62 = _t61 - 0xc;
				 *[fs:0x0] = _t62;
				L00401A50();
				_v16 = _t62;
				_v12 = 0x401970;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x30,  *[fs:0x0], 0x401a56, _t59);
				if( *0x421408 != 0) {
					_v64 = 0x421408;
				} else {
					_push(0x421408);
					_push(0x4114cc);
					L00401C4E();
					_v64 = 0x421408;
				}
				_v40 =  *_v64;
				_t48 =  *((intOrPtr*)( *_v40 + 0x14))(_v40,  &_v32);
				asm("fclex");
				_v44 = _t48;
				if(_v44 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4114bc);
					_push(_v40);
					_push(_v44);
					L00401C48();
					_v68 = _t48;
				}
				_v48 = _v32;
				_t53 =  *((intOrPtr*)( *_v48 + 0x68))(_v48,  &_v36);
				asm("fclex");
				_v52 = _t53;
				if(_v52 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x68);
					_push(0x4114dc);
					_push(_v48);
					_push(_v52);
					L00401C48();
					_v72 = _t53;
				}
				_t54 = _v36;
				_v28 = _t54;
				L00401C18();
				_push(0x41f429);
				return _t54;
			}

0x0041f32b
0x0041f33a
0x0041f344
0x0041f34c
0x0041f34f
0x0041f356
0x0041f365
0x0041f36f
0x0041f389
0x0041f371
0x0041f371
0x0041f376
0x0041f37b
0x0041f380
0x0041f380
0x0041f395
0x0041f3a4
0x0041f3a7
0x0041f3a9
0x0041f3b0
0x0041f3c9
0x0041f3b2
0x0041f3b2
0x0041f3b4
0x0041f3b9
0x0041f3bc
0x0041f3bf
0x0041f3c4
0x0041f3c4
0x0041f3d0
0x0041f3df
0x0041f3e2
0x0041f3e4
0x0041f3eb
0x0041f404
0x0041f3ed
0x0041f3ed
0x0041f3ef
0x0041f3f4
0x0041f3f7
0x0041f3fa
0x0041f3ff
0x0041f3ff
0x0041f408
0x0041f40c
0x0041f413
0x0041f418
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401A56), ref: 0041F344
__vbaNew2.MSVBVM60(004114CC,00421408,?,?,?,?,00401A56), ref: 0041F37B
__vbaHresultCheckObj.MSVBVM60(00000000,?,004114BC,00000014), ref: 0041F3BF
__vbaHresultCheckObj.MSVBVM60(00000000,?,004114DC,00000068), ref: 0041F3FA
__vbaFreeObj.MSVBVM60 ref: 0041F413

Memory Dump Source

Source File: 00000000.00000002.810349995.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.810324903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.810414194.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.810433195.0000000000423000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.jbxd

Similarity

API ID: __vba$CheckHresult$ChkstkFreeNew2
String ID:
API String ID: 1616694062-0
Opcode ID: 0d4a61eca0309c1a5b12dfa7c95e4de9f03d86658adce77cdeaa839a45b4984a
Instruction ID: 20441c83e2c59b735f60d186070deb6758ef58348c1bd9fe7e9fafc414f32f51
Opcode Fuzzy Hash: 0d4a61eca0309c1a5b12dfa7c95e4de9f03d86658adce77cdeaa839a45b4984a
Instruction Fuzzy Hash: 34310174E40208EFCB00EFA5C945BDEBBB4BB18704F10802AF411B62A1C37898868F68

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe PID: 5476 Parent PID: 5628

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exe PID: 5476 Parent PID: 5628 VENTANASBRISA SL, COMPROBANTE DE TRANSFERENCIA PENDIENTE DE PAGO.exeCOMMON

Execution Graph

Graph

Function 00411EB4, Relevance: 147.9, APIs: 79, Strings: 5, Instructions: 927
COMMON

Function 0041FCE2, Relevance: 33.2, APIs: 22, Instructions: 213
COMMON

Function 0041F984, Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 123
COMMON

Function 00401C78, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
COMMON

Function 00411268, Relevance: .0, Instructions: 8
COMMON

Function 00420147, Relevance: 66.8, APIs: 37, Strings: 1, Instructions: 323
COMMON

Function 0041F448, Relevance: 54.5, APIs: 30, Strings: 1, Instructions: 285
COMMON

Function 0041FB4D, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 110
COMMON

Function 0041F0CE, Relevance: 10.6, APIs: 7, Instructions: 83
COMMON

Function 0041F221, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00420053, Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Function 0041F328, Relevance: 7.6, APIs: 5, Instructions: 76
COMMON