Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report Facturas Pagadas Al Vencimiento.exe

Overview

General Information

Sample Name:Facturas Pagadas Al Vencimiento.exe
Analysis ID:431502
MD5:882a1c19dc7f3ac4fadac702125649c0
SHA1:9566eae6967084d05f21d614686eaa28a3b66a8d
SHA256:ebf355b0e58fcf5b9cf1718b6fd09003932fe3b7ed5b08ffc9ac2f987e0d189d
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1j7lPzKHjaJ361TpkvK1-2kTy_ducVUTL"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
Facturas Pagadas Al Vencimiento.exeJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: Facturas Pagadas Al Vencimiento.exeMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1j7lPzKHjaJ361TpkvK1-2kTy_ducVUTL"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: Facturas Pagadas Al Vencimiento.exeVirustotal: Detection: 52%Perma Link
    Source: Facturas Pagadas Al Vencimiento.exeReversingLabs: Detection: 30%
    Source: Facturas Pagadas Al Vencimiento.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=1j7lPzKHjaJ361TpkvK1-2kTy_ducVUTL

    System Summary:

    barindex
    Potential malicious icon foundShow sources
    Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C4A6F0_2_024C4A6F
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C34250_2_024C3425
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C34230_2_024C3423
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C4C230_2_024C4C23
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C4C350_2_024C4C35
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C40EA0_2_024C40EA
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C349D0_2_024C349D
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024CA5550_2_024CA555
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C4B0E0_2_024C4B0E
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C49300_2_024C4930
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C49C80_2_024C49C8
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024D0D8D0_2_024D0D8D
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C49830_2_024C4983
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C4B9A0_2_024C4B9A
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C4BA20_2_024C4BA2
    Source: Facturas Pagadas Al Vencimiento.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000000.646223178.0000000000424000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameKoordineredes.exe vs Facturas Pagadas Al Vencimiento.exe
    Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000002.1168544909.00000000022C0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Facturas Pagadas Al Vencimiento.exe
    Source: Facturas Pagadas Al Vencimiento.exeBinary or memory string: OriginalFilenameKoordineredes.exe vs Facturas Pagadas Al Vencimiento.exe
    Source: Facturas Pagadas Al Vencimiento.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: classification engineClassification label: mal92.rans.troj.evad.winEXE@1/0@0/0
    Source: Facturas Pagadas Al Vencimiento.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: Facturas Pagadas Al Vencimiento.exeVirustotal: Detection: 52%
    Source: Facturas Pagadas Al Vencimiento.exeReversingLabs: Detection: 30%

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: Facturas Pagadas Al Vencimiento.exe, type: SAMPLE
    Source: Yara matchFile source: 0.0.Facturas Pagadas Al Vencimiento.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.Facturas Pagadas Al Vencimiento.exe.400000.0.unpack, type: UNPACKEDPE
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_0040C88E push esi; iretd 0_2_0040C890
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_00409C9A pushfd ; retf 0_2_00409C9E
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_0040C4A6 pushfd ; retf 0_2_0040C4A9
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_004050B3 push edi; iretd 0_2_00405165
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_0040CE7A pushfd ; ret 0_2_0040CE85
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_0040CADE push esi; iretd 0_2_0040CAE8
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_0040CAE9 push esi; iretd 0_2_0040CB08
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_0040A2F6 push esi; iretd 0_2_0040A300
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_0040CE86 push esp; ret 0_2_0040CE89
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_0040A356 push esi; iretd 0_2_0040A358
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_0040C7F8 push cs; ret 0_2_0040C88D
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_004087FB push ebp; iretd 0_2_004087FD
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C08EC push edi; retf 0_2_024C08ED
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C09F6 push es; ret 0_2_024C09F8
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion:

    barindex
    Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024D0D8D 0_2_024D0D8D
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeRDTSC instruction interceptor: First address: 00000000024CF386 second address: 00000000024CF386 instructions:
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeRDTSC instruction interceptor: First address: 00000000024C0A8B second address: 00000000024C0A8B instructions:
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeRDTSC instruction interceptor: First address: 00000000024CF386 second address: 00000000024CF386 instructions:
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeRDTSC instruction interceptor: First address: 00000000024C0A66 second address: 00000000024C0A8B instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push 22DF60AAh 0x00000008 test dx, dx 0x0000000b push 3FAA25DDh 0x00000010 cmp ebx, B089EE68h 0x00000016 push 988351A5h 0x0000001b test ax, 00009A75h 0x0000001f push 541CB5A6h 0x00000024 pushad 0x00000025 rdtsc
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeRDTSC instruction interceptor: First address: 00000000024C0A8B second address: 00000000024C0A8B instructions:
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeRDTSC instruction interceptor: First address: 00000000024C9D4C second address: 00000000024C9D4C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 049510E3h 0x00000007 xor eax, 4F70CED7h 0x0000000c xor eax, 2D367B3Ch 0x00000011 add eax, 992C5AF9h 0x00000016 cpuid 0x00000018 jmp 00007F788CBA4ADEh 0x0000001a test dh, bh 0x0000001c popad 0x0000001d call 00007F788CBA4B14h 0x00000022 lfence 0x00000025 mov edx, D77D1D8Eh 0x0000002a add edx, 01BEBE33h 0x00000030 xor edx, A8C558E2h 0x00000036 xor edx, 0E008337h 0x0000003c mov edx, dword ptr [edx] 0x0000003e lfence 0x00000041 ret 0x00000042 sub edx, esi 0x00000044 ret 0x00000045 test ecx, ecx 0x00000047 pop ecx 0x00000048 add edi, edx 0x0000004a dec ecx 0x0000004b cmp ecx, 00000000h 0x0000004e jne 00007F788CBA4A62h 0x00000050 test ebx, ecx 0x00000052 mov dword ptr [ebp+000001F7h], esi 0x00000058 mov esi, ecx 0x0000005a pushad 0x0000005b mov cl, 3Fh 0x0000005d cmp cl, 0000003Fh 0x00000060 jne 00007F788CBA48FDh 0x00000066 popad 0x00000067 push esi 0x00000068 mov esi, dword ptr [ebp+000001F7h] 0x0000006e cmp bh, ch 0x00000070 call 00007F788CBA4B10h 0x00000075 call 00007F788CBA4B85h 0x0000007a lfence 0x0000007d mov edx, D77D1D8Eh 0x00000082 add edx, 01BEBE33h 0x00000088 xor edx, A8C558E2h 0x0000008e xor edx, 0E008337h 0x00000094 mov edx, dword ptr [edx] 0x00000096 lfence 0x00000099 ret 0x0000009a mov esi, edx 0x0000009c pushad 0x0000009d rdtsc
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C4058 rdtsc 0_2_024C4058
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C4058 rdtsc 0_2_024C4058
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024CF080 mov eax, dword ptr fs:[00000030h]0_2_024CF080
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024C9ABD mov eax, dword ptr fs:[00000030h]0_2_024C9ABD
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024CF7E2 mov eax, dword ptr fs:[00000030h]0_2_024CF7E2
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exeCode function: 0_2_024D0D8D mov eax, dword ptr fs:[00000030h]0_2_024D0D8D
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000002.1168387920.0000000000DA0000.00000002.00000001.sdmpBinary or memory string: Program Manager
    Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000002.1168387920.0000000000DA0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000002.1168387920.0000000000DA0000.00000002.00000001.sdmpBinary or memory string: Progman
    Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000002.1168387920.0000000000DA0000.00000002.00000001.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery41Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery31Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    Facturas Pagadas Al Vencimiento.exe53%VirustotalBrowse
    Facturas Pagadas Al Vencimiento.exe30%ReversingLabsWin32.Trojan.VBodius

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:32.0.0 Black Diamond
    Analysis ID:431502
    Start date:08.06.2021
    Start time:20:20:46
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 7m 32s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:Facturas Pagadas Al Vencimiento.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:17
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal92.rans.troj.evad.winEXE@1/0@0/0
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:
    • Successful, ratio: 4.9% (good quality ratio 0.6%)
    • Quality average: 6.8%
    • Quality standard deviation: 15%
    HCA Information:Failed
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    • Override analysis time to 240s for sample files taking high CPU consumption
    Warnings:
    Show All
    • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):4.619538143256787
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:Facturas Pagadas Al Vencimiento.exe
    File size:147456
    MD5:882a1c19dc7f3ac4fadac702125649c0
    SHA1:9566eae6967084d05f21d614686eaa28a3b66a8d
    SHA256:ebf355b0e58fcf5b9cf1718b6fd09003932fe3b7ed5b08ffc9ac2f987e0d189d
    SHA512:33776a0903527f9548aa15f1f6be67388b928f602698cd711e38a010763e58c7bf14c26423ac3fec800f198d17f3d69826403b120fbd03cbeffc69269b75258d
    SSDEEP:1536:BgXhQ6fSRjYxtNejzOU0N8mopUiDhRTUaZz5jYINm1aiQny+qxp:/cNozFDdpUgRTUaZz50INiaiM4p
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......`.....................0............... ....@................

    File Icon

    Icon Hash:20047c7c70f0e004

    Static PE Info

    General

    Entrypoint:0x4014b8
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x60BF1788 [Tue Jun 8 07:08:56 2021 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:b1d5215cf0ff1abab4dacdc311d642d4

    Entrypoint Preview

    Instruction
    push 004017E4h
    call 00007F788C81DB25h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    inc eax
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add ah, bl
    push 00000057h
    jecxz 00007F788C81DB06h
    retn 4F31h
    or byte ptr [edi], 00000058h
    sub bh, byte ptr [eax]
    xor dword ptr [eax+0000001Fh], 01000000h
    add byte ptr [eax], al
    add byte ptr [edx+00h], al
    push es
    push eax
    add dword ptr [ecx], 68h
    insb
    push 6C736465h
    jnc 00007F788C81DBA0h
    imul ebp, dword ptr [esi+67h], 00030073h
    add byte ptr [eax], al
    add bh, bh
    int3
    xor dword ptr [eax], eax
    or byte ptr [edx-0Ah], dh
    mov cl, D1h
    mul byte ptr [ebp+46B04178h]
    mov esi, 0B9C2E02h
    retn D0DEh
    test byte ptr [esi-37h], dl
    sbb dword ptr [ebx+ecx*2], edx
    mov dword ptr [edi], ebp
    pop edi
    and byte ptr [eax+05h], ah
    push esi
    aam 3Ah
    dec edi
    lodsd
    xor ebx, dword ptr [ecx-48EE309Ah]
    or al, 00h
    stosb
    add byte ptr [eax-2Dh], ah
    xchg eax, ebx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [ecx], 00000000h
    add byte ptr [edi+00h], al
    add byte ptr [eax], al
    add byte ptr [edi], al
    add byte ptr [ebp+esi*2+64h], dl
    insb
    imul ebp, dword ptr [ebx+73h], 09010D00h
    add byte ptr [edx+65h], al
    jnc 00007F788C81DB95h
    outsd
    jne 00007F788C81DBA4h

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x20db40x28.text
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x240000xa0c.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2280x20
    IMAGE_DIRECTORY_ENTRY_IAT0x10000x154.text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x2032c0x21000False0.324329723011data4.86252007342IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data0x220000x12340x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc0x240000xa0c0x1000False0.1826171875data2.19787994537IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    NameRVASizeTypeLanguageCountry
    RT_ICON0x248dc0x130data
    RT_ICON0x245f40x2e8data
    RT_ICON0x244cc0x128GLS_BINARY_LSB_FIRST
    RT_GROUP_ICON0x2449c0x30data
    RT_VERSION0x241500x34cdataSesotho (Sutu)South Africa

    Imports

    DLLImport
    MSVBVM60.DLL_CIcos, _adj_fptan, __vbaVarMove, __vbaHresultCheck, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaR4Str, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

    Version Infos

    DescriptionData
    Translation0x0430 0x04b0
    LegalCopyrightYonyou Network
    InternalNameKoordineredes
    FileVersion1.00
    CompanyNameYonyou Network
    LegalTrademarksYonyou Network
    CommentsYonyou Network
    ProductNameYonyou Network
    ProductVersion1.00
    FileDescriptionYonyou Network
    OriginalFilenameKoordineredes.exe

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    Sesotho (Sutu)South Africa

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    System Behavior

    Analysis Process: Facturas Pagadas Al Vencimiento.exe PID: 7072 Parent PID: 5868

    General

    Start time:20:21:34
    Start date:08/06/2021
    Path:C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe
    Wow64 process (32bit):true
    Commandline:'C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe'
    Imagebase:0x400000
    File size:147456 bytes
    MD5 hash:882A1C19DC7F3AC4FADAC702125649C0
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Reputation:low

    Chronological Activities

    Disassembly

    Code Analysis

    Reset < >

      Analysis Process: Facturas Pagadas Al Vencimiento.exe PID: 7072 Parent PID: 5868 Facturas Pagadas Al Vencimiento.exeCOMMON

      Execution Graph

      Execution Coverage:7%
      Dynamic/Decrypted Code Coverage:9.9%
      Signature Coverage:3%
      Total number of Nodes:666
      Total number of Limit Nodes:105

      Graph

      execution_graph 4329 24d0d8d 4330 24cf0f1 GetPEB 4329->4330 4331 24d0da0 4330->4331 4332 24cf0f1 GetPEB 4331->4332 4333 24d0dbe GetPEB 4332->4333 4334 24d0e20 4333->4334 4233 41f640 __vbaStrCopy __vbaI4Str #698 __vbaVarTstNe __vbaFreeVar 4234 41f6c5 #569 4233->4234 4235 41f6cd __vbaFreeStr 4233->4235 4234->4235 3930 420c00 3931 420c37 __vbaVarDup #564 3930->3931 3932 420c72 __vbaHresultCheck 3931->3932 3933 420c79 __vbaVarTstNe __vbaFreeVarList 3931->3933 3932->3933 3934 420cba 3933->3934 3935 420caf #568 3933->3935 3935->3934 4154 420d00 __vbaVarTstNe 4155 420d6a 4154->4155 4156 420d5f #532 4154->4156 4156->4155 4161 4209c0 4162 4209f7 4161->4162 4163 420a09 __vbaNew2 4162->4163 4164 420a1e __vbaObjSet 4162->4164 4163->4164 4166 420a44 __vbaNew2 4164->4166 4167 420a59 __vbaObjSet 4164->4167 4166->4167 4169 420a78 4167->4169 4170 420a90 4169->4170 4171 420a7e __vbaHresultCheckObj 4169->4171 4172 420ad0 __vbaFreeStr __vbaFreeObjList 4170->4172 4173 420abe __vbaHresultCheckObj 4170->4173 4171->4170 4174 420b10 4172->4174 4173->4172 4315 24c45ce 4317 24c4608 4315->4317 4316 24cf0f1 GetPEB 4319 24c1265 4316->4319 4317->4319 4320 24c4884 4317->4320 4318 24cf294 4319->4316 4319->4318 4321 24cf7e2 GetPEB 4319->4321 4322 24c4983 GetPEB 4320->4322 4321->4319 4323 24c492e 4322->4323 3775 40db04 3778 41da09 3775->3778 3779 41da18 __vbaObjSet 3778->3779 3781 41da3e 3779->3781 3782 41da44 __vbaHresultCheckObj 3781->3782 3783 41da4f 3781->3783 3782->3783 3784 41da58 __vbaNew2 3783->3784 3785 41da6d __vbaObjSet 3783->3785 3784->3785 3787 41da96 3785->3787 3788 41daaa __vbaStrMove 3787->3788 3789 41da9c __vbaHresultCheckObj 3787->3789 3790 41dae9 3788->3790 3789->3788 3791 41dafb __vbaFreeStr __vbaFreeObjList 3790->3791 3792 41daed __vbaHresultCheckObj 3790->3792 3793 41db29 __vbaNew2 3791->3793 3794 41db3e __vbaObjSet 3791->3794 3792->3791 3793->3794 3796 41db67 3794->3796 3797 41db7b __vbaFreeObj __vbaStrCopy 3796->3797 3798 41db6d __vbaHresultCheckObj 3796->3798 3800 41dbf0 __vbaFreeStr 3797->3800 3798->3797 3801 41dc05 __vbaNew2 3800->3801 3802 41dc1a __vbaObjSet 3800->3802 3801->3802 3804 41dc43 3802->3804 3805 41dc57 3804->3805 3806 41dc49 __vbaHresultCheckObj 3804->3806 3807 41dc60 __vbaNew2 3805->3807 3808 41dc75 __vbaObjSet 3805->3808 3806->3805 3807->3808 3810 41dc9e 3808->3810 3811 41dcb2 __vbaStrMove 3810->3811 3812 41dca4 __vbaHresultCheckObj 3810->3812 3813 41dd1b 3811->3813 3812->3811 3814 41dd2d __vbaFreeStrList __vbaFreeObjList 3813->3814 3815 41dd1f __vbaHresultCheckObj 3813->3815 3816 41dd65 __vbaNew2 3814->3816 3817 41dd7a __vbaObjSet 3814->3817 3815->3814 3816->3817 3819 41dda3 3817->3819 3820 41ddb7 3819->3820 3821 41dda9 __vbaHresultCheckObj 3819->3821 3822 41ddc0 __vbaNew2 3820->3822 3823 41ddd5 __vbaObjSet 3820->3823 3821->3820 3822->3823 3825 41ddfe 3823->3825 3826 41de12 __vbaStrCopy __vbaLateIdCallLd __vbaI4Var 3825->3826 3827 41de04 __vbaHresultCheckObj 3825->3827 3828 41de73 3826->3828 3827->3826 3829 41de85 __vbaFreeStr __vbaFreeObjList __vbaFreeVar 3828->3829 3830 41de77 __vbaHresultCheckObj 3828->3830 3831 41dec6 __vbaNew2 3829->3831 3832 41dedb __vbaObjSet 3829->3832 3830->3829 3831->3832 3834 41df04 3832->3834 3835 41df18 3834->3835 3836 41df0a __vbaHresultCheckObj 3834->3836 3837 41df21 __vbaNew2 3835->3837 3838 41df36 __vbaObjSet 3835->3838 3836->3835 3837->3838 3840 41df5f 3838->3840 3841 41df73 3840->3841 3842 41df65 __vbaHresultCheckObj 3840->3842 3843 41df91 __vbaObjSet 3841->3843 3844 41df7c __vbaNew2 3841->3844 3842->3841 3846 41dfba 3843->3846 3844->3843 3847 41dfc0 __vbaHresultCheckObj 3846->3847 3848 41dfce __vbaStrCopy 3846->3848 3847->3848 3849 41e02b __vbaFreeStr __vbaFreeObjList 3848->3849 3850 41e060 __vbaNew2 3849->3850 3851 41e075 __vbaObjSet 3849->3851 3850->3851 3853 41e09e 3851->3853 3854 41e0b2 3853->3854 3855 41e0a4 __vbaHresultCheckObj 3853->3855 3856 41e0d0 __vbaObjSet 3854->3856 3857 41e0bb __vbaNew2 3854->3857 3855->3854 3859 41e0f9 3856->3859 3857->3856 3860 41e10d 3859->3860 3861 41e0ff __vbaHresultCheckObj 3859->3861 3862 41e178 __vbaFreeObjList 3860->3862 3863 41e16a __vbaHresultCheckObj 3860->3863 3861->3860 3864 41e19a __vbaNew2 3862->3864 3865 41e1af __vbaObjSet 3862->3865 3863->3862 3864->3865 3867 41e1d8 3865->3867 3868 41e1ec 3867->3868 3869 41e1de __vbaHresultCheckObj 3867->3869 3870 41e1f5 __vbaNew2 3868->3870 3871 41e20a __vbaObjSet 3868->3871 3869->3868 3870->3871 3873 41e233 3871->3873 3874 41e247 __vbaFreeObjList 3873->3874 3875 41e239 __vbaHresultCheckObj 3873->3875 3877 41e293 3874->3877 3875->3874 3878 41e2a7 3877->3878 3879 41e299 __vbaHresultCheckObj 3877->3879 3880 41e2b9 __vbaVarAdd __vbaVarMove __vbaVarTstLt 3878->3880 3879->3878 3880->3880 3881 41e30e 3880->3881 4265 24cf080 4266 24cf0ce GetPEB 4265->4266 3525 41cbd0 3526 41cc13 __vbaVarDup #563 __vbaFreeVar 3525->3526 3527 41cd48 #606 __vbaStrMove __vbaStrCmp __vbaFreeStr __vbaFreeVar 3526->3527 3528 41cd3d #531 3526->3528 3529 41ce19 3527->3529 3530 41cdac 3527->3530 3528->3527 3533 41ce28 __vbaNew2 3529->3533 3534 41ce3d __vbaObjSet 3529->3534 3531 41cdc5 __vbaObjSetAddref 3530->3531 3532 41cdb5 __vbaNew2 3530->3532 3535 41cde0 3531->3535 3532->3531 3533->3534 3539 41ce66 3534->3539 3536 41ce05 __vbaFreeObj 3535->3536 3537 41cde6 __vbaHresultCheckObj __vbaFreeObj 3535->3537 3536->3529 3537->3529 3540 41ce7a __vbaFreeObj 3539->3540 3541 41ce6c __vbaHresultCheckObj 3539->3541 3543 41cef2 __vbaNew2 3540->3543 3544 41cf07 __vbaObjSet 3540->3544 3541->3540 3543->3544 3546 41cf30 3544->3546 3547 41cf44 3546->3547 3548 41cf36 __vbaHresultCheckObj 3546->3548 3549 41cf62 __vbaObjSet 3547->3549 3550 41cf4d __vbaNew2 3547->3550 3548->3547 3552 41cf8b 3549->3552 3550->3549 3553 41cf91 __vbaHresultCheckObj 3552->3553 3554 41cf9f __vbaStrCopy 3552->3554 3553->3554 3555 41cfe9 3554->3555 3556 41cffb __vbaFreeStr __vbaFreeObjList 3555->3556 3557 41cfed __vbaHresultCheckObj 3555->3557 3558 41d029 __vbaNew2 3556->3558 3559 41d03e __vbaObjSet 3556->3559 3557->3556 3558->3559 3561 41d067 3559->3561 3562 41d07b __vbaLateIdCallLd 3561->3562 3563 41d06d __vbaHresultCheckObj 3561->3563 3564 41d0b4 __vbaObjSet 3562->3564 3565 41d09f __vbaNew2 3562->3565 3563->3562 3567 41d0dd 3564->3567 3565->3564 3568 41d0f1 3567->3568 3569 41d0e3 __vbaHresultCheckObj 3567->3569 3570 41d0fa __vbaNew2 3568->3570 3571 41d10f __vbaObjSet 3568->3571 3569->3568 3570->3571 3573 41d135 3571->3573 3574 41d146 __vbaStrCopy __vbaStrVarMove __vbaStrMove 3573->3574 3575 41d13b __vbaHresultCheckObj 3573->3575 3576 41d1ad __vbaFreeStrList __vbaFreeObjList __vbaFreeVar 3574->3576 3575->3574 3577 41d206 __vbaNew2 3576->3577 3578 41d21b __vbaObjSet 3576->3578 3577->3578 3580 41d244 3578->3580 3581 41d258 3580->3581 3582 41d24a __vbaHresultCheckObj 3580->3582 3583 41d297 __vbaFreeObj 3581->3583 3584 41d289 __vbaHresultCheckObj 3581->3584 3582->3581 3585 41d2c1 __vbaObjSet 3583->3585 3586 41d2ac __vbaNew2 3583->3586 3584->3583 3588 41d2e7 3585->3588 3586->3585 3589 41d2f8 3588->3589 3590 41d2ed __vbaHresultCheckObj 3588->3590 3591 41d301 __vbaNew2 3589->3591 3592 41d316 __vbaObjSet 3589->3592 3590->3589 3591->3592 3594 41d33f 3592->3594 3595 41d353 __vbaStrMove 3594->3595 3596 41d345 __vbaHresultCheckObj 3594->3596 3597 41d3a8 __vbaFreeStr __vbaFreeObjList 3595->3597 3596->3595 3598 41d3dd 3597->3598 3599 41d3e6 __vbaNew2 3598->3599 3600 41d3fb __vbaObjSet 3598->3600 3599->3600 3602 41d424 3600->3602 3603 41d438 __vbaStrMove __vbaStrCopy 3602->3603 3604 41d42a __vbaHresultCheckObj 3602->3604 3605 41d4a3 3603->3605 3604->3603 3606 41d4b5 __vbaFreeStrList __vbaFreeObj 3605->3606 3607 41d4a7 __vbaHresultCheckObj 3605->3607 3608 41d4e3 __vbaNew2 3606->3608 3609 41d4f8 __vbaObjSet 3606->3609 3607->3606 3608->3609 3611 41d521 3609->3611 3612 41d535 3611->3612 3613 41d527 __vbaHresultCheckObj 3611->3613 3614 41d553 __vbaObjSet 3612->3614 3615 41d53e __vbaNew2 3612->3615 3613->3612 3617 41d579 3614->3617 3615->3614 3618 41d58a 3617->3618 3619 41d57f __vbaHresultCheckObj 3617->3619 3620 41d593 __vbaNew2 3618->3620 3621 41d5a8 __vbaObjSet 3618->3621 3619->3618 3620->3621 3623 41d5d1 3621->3623 3624 41d5e5 __vbaStrCopy 3623->3624 3625 41d5d7 __vbaHresultCheckObj 3623->3625 3626 41d633 3624->3626 3625->3624 3627 41d645 __vbaFreeStr __vbaFreeObjList 3626->3627 3628 41d637 __vbaHresultCheckObj 3626->3628 3629 41d67a __vbaNew2 3627->3629 3630 41d68f __vbaObjSet 3627->3630 3628->3627 3629->3630 3632 41d6b8 3630->3632 3633 41d6cc __vbaFreeObj 3632->3633 3634 41d6be __vbaHresultCheckObj 3632->3634 3636 41d713 __vbaNew2 3633->3636 3637 41d728 __vbaObjSet 3633->3637 3634->3633 3636->3637 3639 41d751 3637->3639 3640 41d765 3639->3640 3641 41d757 __vbaHresultCheckObj 3639->3641 3642 41d783 __vbaObjSet 3640->3642 3643 41d76e __vbaNew2 3640->3643 3641->3640 3645 41d7ac 3642->3645 3643->3642 3646 41d7c0 3645->3646 3647 41d7b2 __vbaHresultCheckObj 3645->3647 3648 41d804 __vbaFreeObjList 3646->3648 3649 41d7f6 __vbaHresultCheckObj 3646->3649 3647->3646 3650 41d826 __vbaNew2 3648->3650 3651 41d83b __vbaObjSet 3648->3651 3649->3648 3650->3651 3653 41d864 3651->3653 3654 41d878 3653->3654 3655 41d86a __vbaHresultCheckObj 3653->3655 3656 41d8b5 __vbaFreeObj 3654->3656 3657 41d8a7 __vbaHresultCheckObj 3654->3657 3655->3654 3658 41d8ca __vbaNew2 3656->3658 3659 41d8df __vbaObjSet 3656->3659 3657->3656 3658->3659 3661 41d908 3659->3661 3662 41d91c 3661->3662 3663 41d90e __vbaHresultCheckObj 3661->3663 3664 41d925 __vbaNew2 3662->3664 3665 41d93a __vbaObjSet 3662->3665 3663->3662 3664->3665 3667 41d960 3665->3667 3668 41d971 __vbaStrMove 3667->3668 3669 41d966 __vbaHresultCheckObj 3667->3669 3670 41d9cb __vbaFreeStrList __vbaFreeObjList 3668->3670 3669->3668 3671 41da03 __vbaNew2 3670->3671 3672 41da18 __vbaObjSet 3670->3672 3671->3672 3674 41da3e 3672->3674 3675 41da44 __vbaHresultCheckObj 3674->3675 3676 41da4f 3674->3676 3675->3676 3677 41da58 __vbaNew2 3676->3677 3678 41da6d __vbaObjSet 3676->3678 3677->3678 3680 41da96 3678->3680 3681 41daaa __vbaStrMove 3680->3681 3682 41da9c __vbaHresultCheckObj 3680->3682 3683 41dae9 3681->3683 3682->3681 3684 41dafb __vbaFreeStr __vbaFreeObjList 3683->3684 3685 41daed __vbaHresultCheckObj 3683->3685 3686 41db29 __vbaNew2 3684->3686 3687 41db3e __vbaObjSet 3684->3687 3685->3684 3686->3687 3689 41db67 3687->3689 3690 41db7b __vbaFreeObj __vbaStrCopy 3689->3690 3691 41db6d __vbaHresultCheckObj 3689->3691 3693 41dbf0 __vbaFreeStr 3690->3693 3691->3690 3694 41dc05 __vbaNew2 3693->3694 3695 41dc1a __vbaObjSet 3693->3695 3694->3695 3697 41dc43 3695->3697 3698 41dc57 3697->3698 3699 41dc49 __vbaHresultCheckObj 3697->3699 3700 41dc60 __vbaNew2 3698->3700 3701 41dc75 __vbaObjSet 3698->3701 3699->3698 3700->3701 3703 41dc9e 3701->3703 3704 41dcb2 __vbaStrMove 3703->3704 3705 41dca4 __vbaHresultCheckObj 3703->3705 3706 41dd1b 3704->3706 3705->3704 3707 41dd2d __vbaFreeStrList __vbaFreeObjList 3706->3707 3708 41dd1f __vbaHresultCheckObj 3706->3708 3709 41dd65 __vbaNew2 3707->3709 3710 41dd7a __vbaObjSet 3707->3710 3708->3707 3709->3710 3712 41dda3 3710->3712 3713 41ddb7 3712->3713 3714 41dda9 __vbaHresultCheckObj 3712->3714 3715 41ddc0 __vbaNew2 3713->3715 3716 41ddd5 __vbaObjSet 3713->3716 3714->3713 3715->3716 3718 41ddfe 3716->3718 3719 41de12 __vbaStrCopy __vbaLateIdCallLd __vbaI4Var 3718->3719 3720 41de04 __vbaHresultCheckObj 3718->3720 3721 41de73 3719->3721 3720->3719 3722 41de85 __vbaFreeStr __vbaFreeObjList __vbaFreeVar 3721->3722 3723 41de77 __vbaHresultCheckObj 3721->3723 3724 41dec6 __vbaNew2 3722->3724 3725 41dedb __vbaObjSet 3722->3725 3723->3722 3724->3725 3727 41df04 3725->3727 3728 41df18 3727->3728 3729 41df0a __vbaHresultCheckObj 3727->3729 3730 41df21 __vbaNew2 3728->3730 3731 41df36 __vbaObjSet 3728->3731 3729->3728 3730->3731 3733 41df5f 3731->3733 3734 41df73 3733->3734 3735 41df65 __vbaHresultCheckObj 3733->3735 3736 41df91 __vbaObjSet 3734->3736 3737 41df7c __vbaNew2 3734->3737 3735->3734 3739 41dfba 3736->3739 3737->3736 3740 41dfc0 __vbaHresultCheckObj 3739->3740 3741 41dfce __vbaStrCopy 3739->3741 3740->3741 3742 41e02b __vbaFreeStr __vbaFreeObjList 3741->3742 3743 41e060 __vbaNew2 3742->3743 3744 41e075 __vbaObjSet 3742->3744 3743->3744 3746 41e09e 3744->3746 3747 41e0b2 3746->3747 3748 41e0a4 __vbaHresultCheckObj 3746->3748 3749 41e0d0 __vbaObjSet 3747->3749 3750 41e0bb __vbaNew2 3747->3750 3748->3747 3752 41e0f9 3749->3752 3750->3749 3753 41e10d 3752->3753 3754 41e0ff __vbaHresultCheckObj 3752->3754 3755 41e178 __vbaFreeObjList 3753->3755 3756 41e16a __vbaHresultCheckObj 3753->3756 3754->3753 3757 41e19a __vbaNew2 3755->3757 3758 41e1af __vbaObjSet 3755->3758 3756->3755 3757->3758 3760 41e1d8 3758->3760 3761 41e1ec 3760->3761 3762 41e1de __vbaHresultCheckObj 3760->3762 3763 41e1f5 __vbaNew2 3761->3763 3764 41e20a __vbaObjSet 3761->3764 3762->3761 3763->3764 3766 41e233 3764->3766 3767 41e247 __vbaFreeObjList 3766->3767 3768 41e239 __vbaHresultCheckObj 3766->3768 3770 41e293 3767->3770 3768->3767 3771 41e2a7 3770->3771 3772 41e299 __vbaHresultCheckObj 3770->3772 3773 41e2b9 __vbaVarAdd __vbaVarMove __vbaVarTstLt 3771->3773 3772->3771 3773->3773 3774 41e30e 3773->3774 3885 41f850 #538 #557 __vbaFreeVar 3886 41f8c7 3885->3886 3887 41f8bf #570 3885->3887 3888 41f8d0 __vbaNew2 3886->3888 3889 41f8e5 __vbaObjSet 3886->3889 3887->3886 3888->3889 3891 41f908 3889->3891 3892 41f920 __vbaLateIdCallLd __vbaI4Var __vbaFreeObjList __vbaFreeVar 3891->3892 3893 41f90e __vbaHresultCheckObj 3891->3893 3894 41f979 3892->3894 3893->3892 4093 41f490 4094 41f4ca #693 4093->4094 4095 41f5e2 4094->4095 4096 41f4f5 #685 __vbaObjSet 4094->4096 4097 41f535 __vbaNew2 4096->4097 4098 41f54a __vbaObjSet 4096->4098 4097->4098 4100 41f56c 4098->4100 4101 41f572 __vbaHresultCheckObj 4100->4101 4102 41f584 4100->4102 4101->4102 4103 41f5b7 __vbaFreeObjList __vbaFreeVarList 4102->4103 4104 41f5a8 __vbaHresultCheckObj 4102->4104 4103->4095 4104->4103 4105 41fc90 4106 41fcc7 4105->4106 4107 41fcd9 __vbaNew2 4106->4107 4108 41fcee __vbaObjSet 4106->4108 4107->4108 4110 41fd32 4108->4110 4111 41fd38 __vbaHresultCheckObj 4110->4111 4112 41fd4a __vbaFreeObj 4110->4112 4111->4112 4113 41fd73 4112->4113 3895 420850 3896 420887 __vbaStrCopy __vbaVarDup #528 __vbaVarTstNe __vbaFreeVarList 3895->3896 3897 420907 3896->3897 3898 42096d __vbaFreeStr 3896->3898 3899 42091f 3897->3899 3900 42090f __vbaNew2 3897->3900 3902 420944 3899->3902 3903 420935 __vbaHresultCheckObj 3899->3903 3900->3899 3904 420964 __vbaFreeObj 3902->3904 3905 420955 __vbaHresultCheckObj 3902->3905 3903->3902 3904->3898 3905->3904 3936 420410 3937 420449 __vbaR4Str 3936->3937 3938 420461 __vbaFileOpen 3937->3938 3939 420472 3937->3939 3938->3939 4237 420210 __vbaStrCopy __vbaStrCopy #515 __vbaVarTstNe __vbaFreeVar 4238 420342 4237->4238 4239 4202bf 4237->4239 4240 420360 __vbaObjSet 4238->4240 4241 42034b __vbaNew2 4238->4241 4242 4202d7 4239->4242 4243 4202c7 __vbaNew2 4239->4243 4246 420380 4240->4246 4241->4240 4245 4202ed __vbaHresultCheckObj 4242->4245 4249 4202fc 4242->4249 4243->4242 4245->4249 4247 420386 __vbaHresultCheckObj 4246->4247 4248 420395 __vbaFreeObj 4246->4248 4247->4248 4250 4203d1 __vbaFreeStr __vbaFreeStr __vbaFreeStr 4248->4250 4251 42032a __vbaStrMove __vbaFreeObj 4249->4251 4252 42031b __vbaHresultCheckObj 4249->4252 4251->4238 4252->4251 4184 24c2794 4185 24c279b 4184->4185 4186 24cf0f1 GetPEB 4185->4186 4187 24c27b9 4185->4187 4186->4187 4147 40115b 4149 401256 __vbaExceptHandler 4147->4149 3906 24c4650 3907 24c4657 3906->3907 3910 24c4884 3907->3910 3912 24c1265 3907->3912 3909 24cf294 3920 24c4983 3910->3920 3911 24cf7e2 GetPEB 3911->3912 3912->3909 3912->3911 3915 24cf0f1 3912->3915 3914 24c492e 3919 24c1265 3915->3919 3916 24cf0f1 GetPEB 3916->3915 3917 24cf294 3917->3912 3918 24cf7e2 GetPEB 3918->3919 3919->3916 3919->3917 3919->3918 3923 24c1265 3920->3923 3921 24cf0f1 GetPEB 3921->3923 3922 24cf7e2 GetPEB 3922->3923 3923->3921 3923->3922 3924 24c4b05 3923->3924 3924->3914 3946 24c26d3 3947 24c26df 3946->3947 3948 24c2744 3947->3948 3949 24cf0f1 GetPEB 3947->3949 3950 24cf0f1 GetPEB 3948->3950 3949->3948 3951 24c27b9 3950->3951 4188 41f9a0 #591 __vbaStrMove __vbaStrCmp __vbaFreeStr __vbaFreeVar 4189 41fa27 4188->4189 4190 41fa8f 4188->4190 4191 41fa30 __vbaNew2 4189->4191 4192 41fa45 __vbaObjSet 4189->4192 4191->4192 4194 41fa68 4192->4194 4195 41fa80 __vbaFreeObj 4194->4195 4196 41fa6e __vbaHresultCheckObj 4194->4196 4195->4190 4196->4195 4253 41fae0 4254 41fb17 6 API calls 4253->4254 4255 41fc26 __vbaFreeObj __vbaFreeStr 4254->4255 4256 41fb7d 4254->4256 4258 41fb95 4256->4258 4259 41fb85 __vbaNew2 4256->4259 4260 41fbab __vbaHresultCheckObj 4258->4260 4261 41fbba __vbaCastObj __vbaObjSet 4258->4261 4259->4258 4260->4261 4262 41fbfe 4261->4262 4263 41fc13 __vbaFreeObjList 4262->4263 4264 41fc04 __vbaHresultCheckObj 4262->4264 4263->4255 4264->4263 4271 41f720 4272 41f757 #713 __vbaStrMove __vbaStrCmp __vbaFreeStr 4271->4272 4273 41f800 4272->4273 4274 41f79a 4272->4274 4275 41f7a2 __vbaNew2 4274->4275 4276 41f7b2 4274->4276 4275->4276 4277 41f7d7 4276->4277 4278 41f7c8 __vbaHresultCheckObj 4276->4278 4279 41f7f7 __vbaFreeObj 4277->4279 4280 41f7e8 __vbaHresultCheckObj 4277->4280 4278->4277 4279->4273 4280->4279 4341 41f3a0 4342 41f3d9 __vbaNew2 4341->4342 4343 41f3ee __vbaObjSet 4341->4343 4342->4343 4345 41f432 4343->4345 4346 41f438 __vbaHresultCheckObj 4345->4346 4347 41f44a __vbaFreeObj 4345->4347 4346->4347 4348 41f46b 4347->4348 3952 4200e0 3953 420117 #606 __vbaStrMove __vbaStrCmp __vbaFreeStr __vbaFreeVar 3952->3953 3954 420172 3953->3954 3955 4201c6 3953->3955 3956 42018a __vbaObjSetAddref 3954->3956 3957 42017a __vbaNew2 3954->3957 3958 4201a8 3956->3958 3957->3956 3959 4201ae __vbaHresultCheckObj 3958->3959 3960 4201bd __vbaFreeObj 3958->3960 3959->3960 3960->3955 4123 4204a0 #592 __vbaFreeVar 4124 420504 4123->4124 4125 42056b 4123->4125 4126 42051d 4124->4126 4127 42050d __vbaNew2 4124->4127 4128 420542 4126->4128 4129 420533 __vbaHresultCheckObj 4126->4129 4127->4126 4130 420562 __vbaFreeObj 4128->4130 4131 420553 __vbaHresultCheckObj 4128->4131 4129->4128 4130->4125 4131->4130 3961 40d8e4 3964 41d7e9 3961->3964 3965 41d7f2 3964->3965 3966 41d804 __vbaFreeObjList 3965->3966 3967 41d7f6 __vbaHresultCheckObj 3965->3967 3968 41d826 __vbaNew2 3966->3968 3969 41d83b __vbaObjSet 3966->3969 3967->3966 3968->3969 3971 41d864 3969->3971 3972 41d878 3971->3972 3973 41d86a __vbaHresultCheckObj 3971->3973 3974 41d8b5 __vbaFreeObj 3972->3974 3975 41d8a7 __vbaHresultCheckObj 3972->3975 3973->3972 3976 41d8ca __vbaNew2 3974->3976 3977 41d8df __vbaObjSet 3974->3977 3975->3974 3976->3977 3979 41d908 3977->3979 3980 41d91c 3979->3980 3981 41d90e __vbaHresultCheckObj 3979->3981 3982 41d925 __vbaNew2 3980->3982 3983 41d93a __vbaObjSet 3980->3983 3981->3980 3982->3983 3985 41d960 3983->3985 3986 41d971 __vbaStrMove 3985->3986 3987 41d966 __vbaHresultCheckObj 3985->3987 3988 41d9cb __vbaFreeStrList __vbaFreeObjList 3986->3988 3987->3986 3989 41da03 __vbaNew2 3988->3989 3990 41da18 __vbaObjSet 3988->3990 3989->3990 3992 41da3e 3990->3992 3993 41da44 __vbaHresultCheckObj 3992->3993 3994 41da4f 3992->3994 3993->3994 3995 41da58 __vbaNew2 3994->3995 3996 41da6d __vbaObjSet 3994->3996 3995->3996 3998 41da96 3996->3998 3999 41daaa __vbaStrMove 3998->3999 4000 41da9c __vbaHresultCheckObj 3998->4000 4001 41dae9 3999->4001 4000->3999 4002 41dafb __vbaFreeStr __vbaFreeObjList 4001->4002 4003 41daed __vbaHresultCheckObj 4001->4003 4004 41db29 __vbaNew2 4002->4004 4005 41db3e __vbaObjSet 4002->4005 4003->4002 4004->4005 4007 41db67 4005->4007 4008 41db7b __vbaFreeObj __vbaStrCopy 4007->4008 4009 41db6d __vbaHresultCheckObj 4007->4009 4011 41dbf0 __vbaFreeStr 4008->4011 4009->4008 4012 41dc05 __vbaNew2 4011->4012 4013 41dc1a __vbaObjSet 4011->4013 4012->4013 4015 41dc43 4013->4015 4016 41dc57 4015->4016 4017 41dc49 __vbaHresultCheckObj 4015->4017 4018 41dc60 __vbaNew2 4016->4018 4019 41dc75 __vbaObjSet 4016->4019 4017->4016 4018->4019 4021 41dc9e 4019->4021 4022 41dcb2 __vbaStrMove 4021->4022 4023 41dca4 __vbaHresultCheckObj 4021->4023 4024 41dd1b 4022->4024 4023->4022 4025 41dd2d __vbaFreeStrList __vbaFreeObjList 4024->4025 4026 41dd1f __vbaHresultCheckObj 4024->4026 4027 41dd65 __vbaNew2 4025->4027 4028 41dd7a __vbaObjSet 4025->4028 4026->4025 4027->4028 4030 41dda3 4028->4030 4031 41ddb7 4030->4031 4032 41dda9 __vbaHresultCheckObj 4030->4032 4033 41ddc0 __vbaNew2 4031->4033 4034 41ddd5 __vbaObjSet 4031->4034 4032->4031 4033->4034 4036 41ddfe 4034->4036 4037 41de12 __vbaStrCopy __vbaLateIdCallLd __vbaI4Var 4036->4037 4038 41de04 __vbaHresultCheckObj 4036->4038 4039 41de73 4037->4039 4038->4037 4040 41de85 __vbaFreeStr __vbaFreeObjList __vbaFreeVar 4039->4040 4041 41de77 __vbaHresultCheckObj 4039->4041 4042 41dec6 __vbaNew2 4040->4042 4043 41dedb __vbaObjSet 4040->4043 4041->4040 4042->4043 4045 41df04 4043->4045 4046 41df18 4045->4046 4047 41df0a __vbaHresultCheckObj 4045->4047 4048 41df21 __vbaNew2 4046->4048 4049 41df36 __vbaObjSet 4046->4049 4047->4046 4048->4049 4051 41df5f 4049->4051 4052 41df73 4051->4052 4053 41df65 __vbaHresultCheckObj 4051->4053 4054 41df91 __vbaObjSet 4052->4054 4055 41df7c __vbaNew2 4052->4055 4053->4052 4057 41dfba 4054->4057 4055->4054 4058 41dfc0 __vbaHresultCheckObj 4057->4058 4059 41dfce __vbaStrCopy 4057->4059 4058->4059 4060 41e02b __vbaFreeStr __vbaFreeObjList 4059->4060 4061 41e060 __vbaNew2 4060->4061 4062 41e075 __vbaObjSet 4060->4062 4061->4062 4064 41e09e 4062->4064 4065 41e0b2 4064->4065 4066 41e0a4 __vbaHresultCheckObj 4064->4066 4067 41e0d0 __vbaObjSet 4065->4067 4068 41e0bb __vbaNew2 4065->4068 4066->4065 4070 41e0f9 4067->4070 4068->4067 4071 41e10d 4070->4071 4072 41e0ff __vbaHresultCheckObj 4070->4072 4073 41e178 __vbaFreeObjList 4071->4073 4074 41e16a __vbaHresultCheckObj 4071->4074 4072->4071 4075 41e19a __vbaNew2 4073->4075 4076 41e1af __vbaObjSet 4073->4076 4074->4073 4075->4076 4078 41e1d8 4076->4078 4079 41e1ec 4078->4079 4080 41e1de __vbaHresultCheckObj 4078->4080 4081 41e1f5 __vbaNew2 4079->4081 4082 41e20a __vbaObjSet 4079->4082 4080->4079 4081->4082 4084 41e233 4082->4084 4085 41e247 __vbaFreeObjList 4084->4085 4086 41e239 __vbaHresultCheckObj 4084->4086 4088 41e293 4085->4088 4086->4085 4089 41e2a7 4088->4089 4090 41e299 __vbaHresultCheckObj 4088->4090 4091 41e2b9 __vbaVarAdd __vbaVarMove __vbaVarTstLt 4089->4091 4090->4089 4091->4091 4092 41e30e 4091->4092 4281 24c253c 4282 24c2543 4281->4282 4283 24cf0f1 GetPEB 4282->4283 4284 24c2744 4283->4284 4285 24cf0f1 GetPEB 4284->4285 4286 24c27b9 4285->4286 4132 24c9abd GetPEB 4133 24c9b11 4132->4133 4197 41fdb0 4198 41fe02 __vbaObjSet 4197->4198 4199 41fded __vbaNew2 4197->4199 4201 41fe28 __vbaNew2 4198->4201 4202 41fe3d __vbaObjSet 4198->4202 4199->4198 4201->4202 4204 41fe5c 4202->4204 4205 41fe62 __vbaHresultCheckObj 4204->4205 4206 41fe74 4204->4206 4205->4206 4207 41fea2 __vbaHresultCheckObj 4206->4207 4208 41feb4 __vbaFreeStr __vbaFreeObjList 4206->4208 4207->4208 4209 41ff02 4208->4209 4287 41ff30 4288 41ff67 4287->4288 4289 41ff79 __vbaNew2 4288->4289 4290 41ff8e __vbaObjSet 4288->4290 4289->4290 4292 420011 4290->4292 4293 420017 __vbaHresultCheckObj 4292->4293 4294 420029 __vbaFreeObj 4292->4294 4293->4294 4295 420052 __vbaObjSet 4294->4295 4296 42003d __vbaNew2 4294->4296 4298 420075 4295->4298 4296->4295 4299 42007b __vbaHresultCheckObj 4298->4299 4300 42008d __vbaFreeObj 4298->4300 4299->4300 4301 4200aa 4300->4301 4210 4205b0 __vbaVarDup #522 __vbaVarTstNe __vbaFreeVarList 4211 420788 4210->4211 4214 42065f 4210->4214 4212 420791 __vbaNew2 4211->4212 4213 4207a6 __vbaObjSet 4211->4213 4212->4213 4222 4207c9 4213->4222 4215 420687 4214->4215 4216 420675 __vbaHresultCheckObj 4214->4216 4218 42069f 4215->4218 4219 42068f __vbaNew2 4215->4219 4216->4215 4220 4206c3 __vbaObjSet 4218->4220 4221 4206ae __vbaNew2 4218->4221 4219->4218 4227 4206e6 4220->4227 4221->4220 4223 4207e1 __vbaFreeObj 4222->4223 4224 4207cf __vbaHresultCheckObj 4222->4224 4225 420830 4223->4225 4224->4223 4228 4206fe __vbaLateIdCallLd __vbaStrVarMove __vbaStrMove __vbaObjSet 4227->4228 4229 4206ec __vbaHresultCheckObj 4227->4229 4230 420748 4228->4230 4229->4228 4231 420750 __vbaHresultCheckObj 4230->4231 4232 42075f __vbaFreeStr __vbaFreeObjList __vbaFreeVar 4230->4232 4231->4232 4232->4211 4302 420b30 __vbaStrCopy 4303 420b76 __vbaNew2 4302->4303 4304 420b8b __vbaObjSet 4302->4304 4303->4304 4306 420baa 4304->4306 4307 420bc2 __vbaFreeObj 4306->4307 4308 420bb0 __vbaHresultCheckObj 4306->4308 4309 420bdc __vbaFreeStr 4307->4309 4308->4307 3882 4014b8 #100 3883 4014d9 3882->3883 3884 4014ad 3882->3884 3884->3882 4157 24c0f34 4158 24c0f3b 4157->4158 4159 24cf0f1 GetPEB 4158->4159 4160 24c0ff2 4159->4160 4310 24c4930 4311 24c1265 4310->4311 4312 24cf0f1 GetPEB 4311->4312 4313 24c4b05 4311->4313 4314 24cf7e2 GetPEB 4311->4314 4312->4311 4314->4311

      Executed Functions

      Function 0041CBD0, Relevance: 328.9, APIs: 175, Strings: 12, Instructions: 1669COMMON
      Download Yara Rule
      APIs
      • __vbaVarDup.MSVBVM60 ref: 0041CD0C
      • #563.MSVBVM60(?), ref: 0041CD19
      • __vbaFreeVar.MSVBVM60 ref: 0041CD32
      • #531.MSVBVM60(Sammenskruendes), ref: 0041CD42
      • #606.MSVBVM60(00000001,?), ref: 0041CD65
      • __vbaStrMove.MSVBVM60 ref: 0041CD73
      • __vbaStrCmp.MSVBVM60(00402BA4,00000000), ref: 0041CD7F
      • __vbaFreeStr.MSVBVM60 ref: 0041CD95
      • __vbaFreeVar.MSVBVM60 ref: 0041CDA1
      • __vbaNew2.MSVBVM60(00402BC8,004223C0), ref: 0041CDBF
      • __vbaObjSetAddref.MSVBVM60(?,00401168), ref: 0041CDD5
      • __vbaHresultCheckObj.MSVBVM60(00000000,022BEDD4,00402BB8,00000010), ref: 0041CDF5
      • __vbaFreeObj.MSVBVM60 ref: 0041CDFD
      • __vbaFreeObj.MSVBVM60 ref: 0041CE11
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041CE32
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041CE4E
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,00000158), ref: 0041CE78
      • __vbaFreeObj.MSVBVM60 ref: 0041CEE3
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041CEFC
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041CF18
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,000001E0), ref: 0041CF42
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041CF57
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041CF73
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,000001A0), ref: 0041CF9D
      • __vbaStrCopy.MSVBVM60 ref: 0041CFAA
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402614,000006F8), ref: 0041CFF9
      • __vbaFreeStr.MSVBVM60 ref: 0041D001
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041D017
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041D033
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041D04F
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BFC,00000130), ref: 0041D079
      • __vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 0041D08D
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041D0A9
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041D0C5
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,000001D8), ref: 0041D0EF
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041D104
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041D120
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,00000048), ref: 0041D144
      • __vbaStrCopy.MSVBVM60 ref: 0041D151
      • __vbaStrVarMove.MSVBVM60(00000002), ref: 0041D15E
      • __vbaStrMove.MSVBVM60 ref: 0041D16C
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0041D1C4
      • __vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0041D1E8
      • __vbaFreeVar.MSVBVM60 ref: 0041D1F7
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041D210
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041D22C
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C30,00000150), ref: 0041D256
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402614,000006FC), ref: 0041D295
      • __vbaFreeObj.MSVBVM60 ref: 0041D29D
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041D2B6
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041D2D2
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BFC,00000050), ref: 0041D2F6
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041D30B
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041D327
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C30,000000E8), ref: 0041D351
      • __vbaStrMove.MSVBVM60 ref: 0041D373
      • __vbaFreeStr.MSVBVM60 ref: 0041D3AE
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041D3C4
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041D3F0
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041D40C
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,000001E0), ref: 0041D436
      • __vbaStrMove.MSVBVM60 ref: 0041D462
      • __vbaStrCopy.MSVBVM60 ref: 0041D473
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402614,00000700), ref: 0041D4B3
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041D4C5
      • __vbaFreeObj.MSVBVM60 ref: 0041D4D4
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041D4ED
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041D509
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BFC,00000190), ref: 0041D533
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041D548
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041D564
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,00000070), ref: 0041D588
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041D59D
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041D5B9
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,000001C8), ref: 0041D5E3
      • __vbaStrCopy.MSVBVM60 ref: 0041D5F0
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402614,00000704), ref: 0041D643
      • __vbaFreeStr.MSVBVM60 ref: 0041D64B
      • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041D668
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041D684
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041D6A0
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,000001F0), ref: 0041D6CA
      • __vbaFreeObj.MSVBVM60 ref: 0041D704
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041D71D
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041D739
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,00000128), ref: 0041D763
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041D778
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041D794
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C30,00000088), ref: 0041D7BE
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402614,00000708), ref: 0041D802
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041D814
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041D830
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041D84C
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,000000E0), ref: 0041D876
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402614,0000070C), ref: 0041D8B3
      • __vbaFreeObj.MSVBVM60(?,00402614,0000070C,?,12A00000,4202A0C7,000065BC,?), ref: 0041D8BB
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041D8D4
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041D8F0
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C30,00000148), ref: 0041D91A
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041D92F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041D94B
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C30,00000048), ref: 0041D96F
      • __vbaStrMove.MSVBVM60 ref: 0041D99B
      • __vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 0041D9DB
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041D9F1
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DA0D
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DA29
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,00000058), ref: 0041DA4D
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DA62
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DA7E
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C30,00000148), ref: 0041DAA8
      • __vbaStrMove.MSVBVM60 ref: 0041DAC0
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402614,00000710), ref: 0041DAF9
      • __vbaFreeStr.MSVBVM60(?,00402614,00000710,?,?,?), ref: 0041DB01
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041DB17
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DB33
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DB4F
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,00000178), ref: 0041DB79
      • __vbaFreeObj.MSVBVM60 ref: 0041DBB3
      • __vbaStrCopy.MSVBVM60 ref: 0041DBC4
      • __vbaFreeStr.MSVBVM60(?,C30250C0,00005AFB,?,00004B73,?), ref: 0041DBF6
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DC0F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DC2B
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,000001E0), ref: 0041DC55
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DC6A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DC86
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,00000218), ref: 0041DCB0
      • __vbaStrMove.MSVBVM60(?,C30250C0,00005AFB,?,00004B73,?), ref: 0041DCDC
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402614,00000714), ref: 0041DD2B
      • __vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 0041DD3D
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041DD53
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DD6F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DD8B
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BFC,00000120), ref: 0041DDB5
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DDCA
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DDE6
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,00000110), ref: 0041DE10
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,12A00000,4202A0C7,000065BC,?), ref: 0041DE29
      • __vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 0041DE43
      • __vbaI4Var.MSVBVM60(00000000), ref: 0041DE4D
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402614,00000718), ref: 0041DE83
      • __vbaFreeStr.MSVBVM60(?,00402614,00000718,?,4B3150F8,?,000336B8,?,00000000), ref: 0041DE8B
      • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041DEA8
      • __vbaFreeVar.MSVBVM60(?,000336B8,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0041DEB7
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DED0
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DEEC
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,000000D8), ref: 0041DF16
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DF2B
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DF47
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,00000170), ref: 0041DF71
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DF86
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DFA2
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,00000170), ref: 0041DFCC
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,12A00000), ref: 0041DFF1
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,Frihedsheltens,5F2DDA30,00005B03), ref: 0041E031
      • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041E04E
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041E06A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041E086
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,00000130), ref: 0041E0B0
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041E0C5
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041E0E1
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,00000130), ref: 0041E10B
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402614,0000071C), ref: 0041E176
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041E188
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041E1A4
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041E1C0
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,000001C0), ref: 0041E1EA
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041E1FF
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041E21B
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C30,00000110), ref: 0041E245
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041E281
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401168,004025E4,000002B4), ref: 0041E2A5
      • __vbaVarAdd.MSVBVM60(00000002,00000008,?), ref: 0041E2DF
      • __vbaVarMove.MSVBVM60 ref: 0041E2E6
      • __vbaVarTstLt.MSVBVM60(00000002,?), ref: 0041E307
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$CheckHresult$Free$New2$List$Move$Copy$CallLate$#531#563#606Addref
      • String ID: $BEGROANS$CARCINEMIA$Daftardar7$Estancieros$FORSRGELSES$Frihedsheltens$Logria1$Sammenskruendes$Whiney$skattejagters$}D
      • API String ID: 450096576-3881086472
      • Opcode ID: 5d1baf045010b4d4b2a564743d3ddbef3a1f147a45f635e1a03230bdda9b7dd7
      • Instruction ID: 6dffa55aba012ce7f410e9cc6d87506084740bae1828fa8bbd6cbcc811721a74
      • Opcode Fuzzy Hash: 5d1baf045010b4d4b2a564743d3ddbef3a1f147a45f635e1a03230bdda9b7dd7
      • Instruction Fuzzy Hash: 8DE240B0A00219ABDB25DF54CD88FDA77BCBF48704F0045AAF649F7190DA746A85CF68
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041D7E9, Relevance: 160.1, APIs: 86, Strings: 5, Instructions: 826COMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 256 41d7e9 257 41d7f2-41d7f4 256->257 258 41d804-41d824 __vbaFreeObjList 257->258 259 41d7f6-41d802 __vbaHresultCheckObj 257->259 260 41d826-41d836 __vbaNew2 258->260 261 41d83b-41d868 __vbaObjSet 258->261 259->258 260->261 264 41d878-41d8a5 261->264 265 41d86a-41d876 __vbaHresultCheckObj 261->265 267 41d8b5-41d8c8 __vbaFreeObj 264->267 268 41d8a7-41d8b3 __vbaHresultCheckObj 264->268 265->264 269 41d8ca-41d8da __vbaNew2 267->269 270 41d8df-41d90c __vbaObjSet 267->270 268->267 269->270 273 41d91c-41d923 270->273 274 41d90e-41d91a __vbaHresultCheckObj 270->274 275 41d925-41d935 __vbaNew2 273->275 276 41d93a-41d964 __vbaObjSet 273->276 274->273 275->276 279 41d971-41da01 __vbaStrMove __vbaFreeStrList __vbaFreeObjList 276->279 280 41d966-41d96f __vbaHresultCheckObj 276->280 282 41da03-41da13 __vbaNew2 279->282 283 41da18-41da42 __vbaObjSet 279->283 280->279 282->283 286 41da44-41da4d __vbaHresultCheckObj 283->286 287 41da4f-41da56 283->287 286->287 288 41da58-41da68 __vbaNew2 287->288 289 41da6d-41da9a __vbaObjSet 287->289 288->289 292 41daaa-41daeb __vbaStrMove 289->292 293 41da9c-41daa8 __vbaHresultCheckObj 289->293 295 41dafb-41db27 __vbaFreeStr __vbaFreeObjList 292->295 296 41daed-41daf9 __vbaHresultCheckObj 292->296 293->292 297 41db29-41db39 __vbaNew2 295->297 298 41db3e-41db6b __vbaObjSet 295->298 296->295 297->298 301 41db7b-41dc03 __vbaFreeObj __vbaStrCopy __vbaFreeStr 298->301 302 41db6d-41db79 __vbaHresultCheckObj 298->302 305 41dc05-41dc15 __vbaNew2 301->305 306 41dc1a-41dc47 __vbaObjSet 301->306 302->301 305->306 309 41dc57-41dc5e 306->309 310 41dc49-41dc55 __vbaHresultCheckObj 306->310 311 41dc60-41dc70 __vbaNew2 309->311 312 41dc75-41dca2 __vbaObjSet 309->312 310->309 311->312 315 41dcb2-41dd1d __vbaStrMove 312->315 316 41dca4-41dcb0 __vbaHresultCheckObj 312->316 318 41dd2d-41dd63 __vbaFreeStrList __vbaFreeObjList 315->318 319 41dd1f-41dd2b __vbaHresultCheckObj 315->319 316->315 320 41dd65-41dd75 __vbaNew2 318->320 321 41dd7a-41dda7 __vbaObjSet 318->321 319->318 320->321 324 41ddb7-41ddbe 321->324 325 41dda9-41ddb5 __vbaHresultCheckObj 321->325 326 41ddc0-41ddd0 __vbaNew2 324->326 327 41ddd5-41de02 __vbaObjSet 324->327 325->324 326->327 330 41de12-41de6c __vbaStrCopy __vbaLateIdCallLd __vbaI4Var 327->330 331 41de04-41de10 __vbaHresultCheckObj 327->331 332 41de73-41de75 330->332 331->330 333 41de85-41dec4 __vbaFreeStr __vbaFreeObjList __vbaFreeVar 332->333 334 41de77-41de83 __vbaHresultCheckObj 332->334 335 41dec6-41ded6 __vbaNew2 333->335 336 41dedb-41df08 __vbaObjSet 333->336 334->333 335->336 339 41df18-41df1f 336->339 340 41df0a-41df16 __vbaHresultCheckObj 336->340 341 41df21-41df31 __vbaNew2 339->341 342 41df36-41df63 __vbaObjSet 339->342 340->339 341->342 345 41df73-41df7a 342->345 346 41df65-41df71 __vbaHresultCheckObj 342->346 347 41df91-41dfbe __vbaObjSet 345->347 348 41df7c-41df8c __vbaNew2 345->348 346->345 351 41dfc0-41dfcc __vbaHresultCheckObj 347->351 352 41dfce-41e05e __vbaStrCopy __vbaFreeStr __vbaFreeObjList 347->352 348->347 351->352 354 41e060-41e070 __vbaNew2 352->354 355 41e075-41e0a2 __vbaObjSet 352->355 354->355 358 41e0b2-41e0b9 355->358 359 41e0a4-41e0b0 __vbaHresultCheckObj 355->359 360 41e0d0-41e0fd __vbaObjSet 358->360 361 41e0bb-41e0cb __vbaNew2 358->361 359->358 364 41e10d-41e168 360->364 365 41e0ff-41e10b __vbaHresultCheckObj 360->365 361->360 367 41e178-41e198 __vbaFreeObjList 364->367 368 41e16a-41e176 __vbaHresultCheckObj 364->368 365->364 369 41e19a-41e1aa __vbaNew2 367->369 370 41e1af-41e1dc __vbaObjSet 367->370 368->367 369->370 373 41e1ec-41e1f3 370->373 374 41e1de-41e1ea __vbaHresultCheckObj 370->374 375 41e1f5-41e205 __vbaNew2 373->375 376 41e20a-41e237 __vbaObjSet 373->376 374->373 375->376 379 41e247-41e297 __vbaFreeObjList 376->379 380 41e239-41e245 __vbaHresultCheckObj 376->380 383 41e2a7-41e2b3 379->383 384 41e299-41e2a5 __vbaHresultCheckObj 379->384 380->379 385 41e2b9-41e30c __vbaVarAdd __vbaVarMove __vbaVarTstLt 383->385 384->383 385->385 386 41e30e-41e376 385->386 387 41e37c 386->387 387->387
      APIs
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402614,00000708), ref: 0041D802
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041D814
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041D830
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041D84C
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,000000E0), ref: 0041D876
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402614,0000070C), ref: 0041D8B3
      • __vbaFreeObj.MSVBVM60(?,00402614,0000070C,?,12A00000,4202A0C7,000065BC,?), ref: 0041D8BB
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041D8D4
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041D8F0
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C30,00000148), ref: 0041D91A
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041D92F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041D94B
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C30,00000048), ref: 0041D96F
      • __vbaStrMove.MSVBVM60 ref: 0041D99B
      • __vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 0041D9DB
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041D9F1
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DA0D
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DA29
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,00000058), ref: 0041DA4D
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DA62
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DA7E
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C30,00000148), ref: 0041DAA8
      • __vbaStrMove.MSVBVM60 ref: 0041DAC0
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402614,00000710), ref: 0041DAF9
      • __vbaFreeStr.MSVBVM60(?,00402614,00000710,?,?,?), ref: 0041DB01
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041DB17
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DB33
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DB4F
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,00000178), ref: 0041DB79
      • __vbaFreeObj.MSVBVM60 ref: 0041DBB3
      • __vbaStrCopy.MSVBVM60 ref: 0041DBC4
      • __vbaFreeStr.MSVBVM60(?,C30250C0,00005AFB,?,00004B73,?), ref: 0041DBF6
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DC0F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DC2B
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,000001E0), ref: 0041DC55
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DC6A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DC86
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,00000218), ref: 0041DCB0
      • __vbaStrMove.MSVBVM60(?,C30250C0,00005AFB,?,00004B73,?), ref: 0041DCDC
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402614,00000714), ref: 0041DD2B
      • __vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 0041DD3D
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041DD53
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DD6F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DD8B
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BFC,00000120), ref: 0041DDB5
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DDCA
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DDE6
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,00000110), ref: 0041DE10
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,12A00000,4202A0C7,000065BC,?), ref: 0041DE29
      • __vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 0041DE43
      • __vbaI4Var.MSVBVM60(00000000), ref: 0041DE4D
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402614,00000718), ref: 0041DE83
      • __vbaFreeStr.MSVBVM60(?,00402614,00000718,?,4B3150F8,?,000336B8,?,00000000), ref: 0041DE8B
      • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041DEA8
      • __vbaFreeVar.MSVBVM60(?,000336B8,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0041DEB7
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DED0
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DEEC
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,000000D8), ref: 0041DF16
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DF2B
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DF47
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,00000170), ref: 0041DF71
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DF86
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DFA2
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,00000170), ref: 0041DFCC
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,12A00000), ref: 0041DFF1
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,Frihedsheltens,5F2DDA30,00005B03), ref: 0041E031
      • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041E04E
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041E06A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041E086
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,00000130), ref: 0041E0B0
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041E0C5
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041E0E1
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,00000130), ref: 0041E10B
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402614,0000071C), ref: 0041E176
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041E188
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041E1A4
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041E1C0
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,000001C0), ref: 0041E1EA
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041E1FF
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041E21B
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C30,00000110), ref: 0041E245
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041E281
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401168,004025E4,000002B4), ref: 0041E2A5
      • __vbaVarAdd.MSVBVM60(00000002,00000008,?), ref: 0041E2DF
      • __vbaVarMove.MSVBVM60 ref: 0041E2E6
      • __vbaVarTstLt.MSVBVM60(00000002,?), ref: 0041E307
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$CheckHresult$FreeNew2$List$Move$Copy$CallLate
      • String ID: CARCINEMIA$Daftardar7$FORSRGELSES$Frihedsheltens$}D
      • API String ID: 1985927409-805847792
      • Opcode ID: f023c8980515154346ee847b1048fd32ad877adbeea586ebfd92a78f6e789dfa
      • Instruction ID: bd8fb28364a3d8c05907cb3c32451278d023dd69c149be59ff67ebc68aa96b4b
      • Opcode Fuzzy Hash: f023c8980515154346ee847b1048fd32ad877adbeea586ebfd92a78f6e789dfa
      • Instruction Fuzzy Hash: AB6240B0A00218AFDB25DB54CD88FDA77BCBF48704F0045A9F649F7191DA746A85CF68
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041DA09, Relevance: 130.2, APIs: 69, Strings: 5, Instructions: 673COMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 388 41da09-41da42 __vbaObjSet 392 41da44-41da4d __vbaHresultCheckObj 388->392 393 41da4f-41da56 388->393 392->393 394 41da58-41da68 __vbaNew2 393->394 395 41da6d-41da9a __vbaObjSet 393->395 394->395 398 41daaa-41daeb __vbaStrMove 395->398 399 41da9c-41daa8 __vbaHresultCheckObj 395->399 401 41dafb-41db27 __vbaFreeStr __vbaFreeObjList 398->401 402 41daed-41daf9 __vbaHresultCheckObj 398->402 399->398 403 41db29-41db39 __vbaNew2 401->403 404 41db3e-41db6b __vbaObjSet 401->404 402->401 403->404 407 41db7b-41dc03 __vbaFreeObj __vbaStrCopy __vbaFreeStr 404->407 408 41db6d-41db79 __vbaHresultCheckObj 404->408 411 41dc05-41dc15 __vbaNew2 407->411 412 41dc1a-41dc47 __vbaObjSet 407->412 408->407 411->412 415 41dc57-41dc5e 412->415 416 41dc49-41dc55 __vbaHresultCheckObj 412->416 417 41dc60-41dc70 __vbaNew2 415->417 418 41dc75-41dca2 __vbaObjSet 415->418 416->415 417->418 421 41dcb2-41dd1d __vbaStrMove 418->421 422 41dca4-41dcb0 __vbaHresultCheckObj 418->422 424 41dd2d-41dd63 __vbaFreeStrList __vbaFreeObjList 421->424 425 41dd1f-41dd2b __vbaHresultCheckObj 421->425 422->421 426 41dd65-41dd75 __vbaNew2 424->426 427 41dd7a-41dda7 __vbaObjSet 424->427 425->424 426->427 430 41ddb7-41ddbe 427->430 431 41dda9-41ddb5 __vbaHresultCheckObj 427->431 432 41ddc0-41ddd0 __vbaNew2 430->432 433 41ddd5-41de02 __vbaObjSet 430->433 431->430 432->433 436 41de12-41de6c __vbaStrCopy __vbaLateIdCallLd __vbaI4Var 433->436 437 41de04-41de10 __vbaHresultCheckObj 433->437 438 41de73-41de75 436->438 437->436 439 41de85-41dec4 __vbaFreeStr __vbaFreeObjList __vbaFreeVar 438->439 440 41de77-41de83 __vbaHresultCheckObj 438->440 441 41dec6-41ded6 __vbaNew2 439->441 442 41dedb-41df08 __vbaObjSet 439->442 440->439 441->442 445 41df18-41df1f 442->445 446 41df0a-41df16 __vbaHresultCheckObj 442->446 447 41df21-41df31 __vbaNew2 445->447 448 41df36-41df63 __vbaObjSet 445->448 446->445 447->448 451 41df73-41df7a 448->451 452 41df65-41df71 __vbaHresultCheckObj 448->452 453 41df91-41dfbe __vbaObjSet 451->453 454 41df7c-41df8c __vbaNew2 451->454 452->451 457 41dfc0-41dfcc __vbaHresultCheckObj 453->457 458 41dfce-41e05e __vbaStrCopy __vbaFreeStr __vbaFreeObjList 453->458 454->453 457->458 460 41e060-41e070 __vbaNew2 458->460 461 41e075-41e0a2 __vbaObjSet 458->461 460->461 464 41e0b2-41e0b9 461->464 465 41e0a4-41e0b0 __vbaHresultCheckObj 461->465 466 41e0d0-41e0fd __vbaObjSet 464->466 467 41e0bb-41e0cb __vbaNew2 464->467 465->464 470 41e10d-41e168 466->470 471 41e0ff-41e10b __vbaHresultCheckObj 466->471 467->466 473 41e178-41e198 __vbaFreeObjList 470->473 474 41e16a-41e176 __vbaHresultCheckObj 470->474 471->470 475 41e19a-41e1aa __vbaNew2 473->475 476 41e1af-41e1dc __vbaObjSet 473->476 474->473 475->476 479 41e1ec-41e1f3 476->479 480 41e1de-41e1ea __vbaHresultCheckObj 476->480 481 41e1f5-41e205 __vbaNew2 479->481 482 41e20a-41e237 __vbaObjSet 479->482 480->479 481->482 485 41e247-41e297 __vbaFreeObjList 482->485 486 41e239-41e245 __vbaHresultCheckObj 482->486 489 41e2a7-41e2b3 485->489 490 41e299-41e2a5 __vbaHresultCheckObj 485->490 486->485 491 41e2b9-41e30c __vbaVarAdd __vbaVarMove __vbaVarTstLt 489->491 490->489 491->491 492 41e30e-41e376 491->492 493 41e37c 492->493 493->493
      APIs
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DA29
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,00000058), ref: 0041DA4D
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DA62
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DA7E
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C30,00000148), ref: 0041DAA8
      • __vbaStrMove.MSVBVM60 ref: 0041DAC0
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402614,00000710), ref: 0041DAF9
      • __vbaFreeStr.MSVBVM60(?,00402614,00000710,?,?,?), ref: 0041DB01
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041DB17
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DB33
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DB4F
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,00000178), ref: 0041DB79
      • __vbaFreeObj.MSVBVM60 ref: 0041DBB3
      • __vbaStrCopy.MSVBVM60 ref: 0041DBC4
      • __vbaFreeStr.MSVBVM60(?,C30250C0,00005AFB,?,00004B73,?), ref: 0041DBF6
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DC0F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DC2B
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,000001E0), ref: 0041DC55
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DC6A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DC86
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,00000218), ref: 0041DCB0
      • __vbaStrMove.MSVBVM60(?,C30250C0,00005AFB,?,00004B73,?), ref: 0041DCDC
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402614,00000714), ref: 0041DD2B
      • __vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 0041DD3D
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041DD53
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DD6F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DD8B
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BFC,00000120), ref: 0041DDB5
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DDCA
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DDE6
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,00000110), ref: 0041DE10
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,12A00000,4202A0C7,000065BC,?), ref: 0041DE29
      • __vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 0041DE43
      • __vbaI4Var.MSVBVM60(00000000), ref: 0041DE4D
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402614,00000718), ref: 0041DE83
      • __vbaFreeStr.MSVBVM60(?,00402614,00000718,?,4B3150F8,?,000336B8,?,00000000), ref: 0041DE8B
      • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041DEA8
      • __vbaFreeVar.MSVBVM60(?,000336B8,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0041DEB7
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DED0
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DEEC
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,000000D8), ref: 0041DF16
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DF2B
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DF47
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,00000170), ref: 0041DF71
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041DF86
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DFA2
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,00000170), ref: 0041DFCC
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,12A00000), ref: 0041DFF1
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,Frihedsheltens,5F2DDA30,00005B03), ref: 0041E031
      • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041E04E
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041E06A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041E086
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,00000130), ref: 0041E0B0
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041E0C5
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041E0E1
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,00000130), ref: 0041E10B
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402614,0000071C), ref: 0041E176
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041E188
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041E1A4
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041E1C0
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,000001C0), ref: 0041E1EA
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041E1FF
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041E21B
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C30,00000110), ref: 0041E245
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041E281
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401168,004025E4,000002B4), ref: 0041E2A5
      • __vbaVarAdd.MSVBVM60(00000002,00000008,?), ref: 0041E2DF
      • __vbaVarMove.MSVBVM60 ref: 0041E2E6
      • __vbaVarTstLt.MSVBVM60(00000002,?), ref: 0041E307
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$CheckHresult$FreeNew2$List$CopyMove$CallLate
      • String ID: CARCINEMIA$Daftardar7$FORSRGELSES$Frihedsheltens$}D
      • API String ID: 1378283144-805847792
      • Opcode ID: a8f0ae07251a1415c797322cc31c4b91ff84cf0bbb9756e19209cda9e7bbc984
      • Instruction ID: 224c24e9d1301f1a0256878383445c939596703d86228fd5613df73e58d82a67
      • Opcode Fuzzy Hash: a8f0ae07251a1415c797322cc31c4b91ff84cf0bbb9756e19209cda9e7bbc984
      • Instruction Fuzzy Hash: 0B4240B0A00218AFDB25DB54CD88FDA77BCBF48704F0045A9F649F7191DA746A85CF68
      Uniqueness

      Uniqueness Score: -1.00%

      Function 004014B8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16COMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 494 4014b8-4014d7 #100 495 4014d9 494->495 496 4014ad 494->496 496->494
      C-Code - Quality: 73%
      			_entry_(signed int __eax, void* __ebx) {
				intOrPtr* _t2;

				_push("VB5!6&*"); // executed
				L004014B2(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t2 = __eax + 1;
				 *_t2 =  *_t2 + _t2;
				 *_t2 =  *_t2 + _t2;
				 *_t2 =  *_t2 + _t2;
				_push(0x57);
				asm("jecxz 0xffffffd6");
				return _t2 + __ebx;
			}




      0x004014b8
      0x004014bd
      0x004014c2
      0x004014c4
      0x004014c6
      0x004014c8
      0x004014ca
      0x004014cc
      0x004014cd
      0x004014cf
      0x004014d1
      0x004014d5
      0x004014d7
      0x004014d9

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: #100
      • String ID: VB5!6&*
      • API String ID: 1341478452-3593831657
      • Opcode ID: 42ea54740031a7ea187f4527ac3c969fbd78615bde2a2f907e792f8715ace456
      • Instruction ID: a03c6f57f63f4d6ecb773ed9725071e499abb257f6bd6121e869ea494a9ccc00
      • Opcode Fuzzy Hash: 42ea54740031a7ea187f4527ac3c969fbd78615bde2a2f907e792f8715ace456
      • Instruction Fuzzy Hash: 15D0480589E3C00ED30316615D21A862FB04A1371474B00E791C1EA4F3C05C4849C33A
      Uniqueness

      Uniqueness Score: -1.00%

      Non-executed Functions

      Function 024D0D8D, Relevance: .5, Instructions: 462COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.1168606124.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_24c0000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: d5a9aef4ef3ad28eebbcdec3a8dbd818bcf7415db66612361b6e6514b58c5af4
      • Instruction ID: 7cdd69fdb47505063066ed5f2c5281b6e7a444995578d231eeaf2ae54b12f39a
      • Opcode Fuzzy Hash: d5a9aef4ef3ad28eebbcdec3a8dbd818bcf7415db66612361b6e6514b58c5af4
      • Instruction Fuzzy Hash: FEF1CA205483828EDF219A7884A879ABBD25F13360F59C39BCCDE8B5D7D3658487C713
      Uniqueness

      Uniqueness Score: -1.00%

      Function 024C4983, Relevance: .3, Instructions: 302COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.1168606124.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_24c0000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: fd808f3b533fb54f81d26784e0917730dd4928f90002ecc82fbd7658b9ff3563
      • Instruction ID: daf3900f05ba7f13e050c45384d2673960993ebfedd484cffe2e89958e1c6964
      • Opcode Fuzzy Hash: fd808f3b533fb54f81d26784e0917730dd4928f90002ecc82fbd7658b9ff3563
      • Instruction Fuzzy Hash: 8EA16A396043069FCB646E288D657EB77E3AF91390FE2412FDCCA9B244D7354986CB42
      Uniqueness

      Uniqueness Score: -1.00%

      Function 024C4930, Relevance: .2, Instructions: 245COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.1168606124.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_24c0000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ba231eb36a4143b714835a1ebf64f8a122287a79cb48a632663027f6712f86f1
      • Instruction ID: fb6cadac8297e9a7aa0479c58610bf7d95f12b880b8cffbf66a347d9657fbe01
      • Opcode Fuzzy Hash: ba231eb36a4143b714835a1ebf64f8a122287a79cb48a632663027f6712f86f1
      • Instruction Fuzzy Hash: 259147396083469FCB246E2889617EB77E3EF91390F92851FECC69B244D73149C6CB42
      Uniqueness

      Uniqueness Score: -1.00%

      Function 024C49C8, Relevance: .2, Instructions: 229COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.1168606124.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_24c0000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 237e8dfea80db878f1c30db37c478b0d3f22374c46ea44487608eef7e23a1ef2
      • Instruction ID: 61515719dc756cfe105473d3650b5ba05911e5eb7edb4288434e0c8fd09bea3e
      • Opcode Fuzzy Hash: 237e8dfea80db878f1c30db37c478b0d3f22374c46ea44487608eef7e23a1ef2
      • Instruction Fuzzy Hash: 2F8149396083469FCB246E2899607EB73E3EFD1390F96851FECC69B254D7314986CB42
      Uniqueness

      Uniqueness Score: -1.00%

      Function 024C4A6F, Relevance: .2, Instructions: 203COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.1168606124.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_24c0000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ea15f2233715ef435e0f3ab9d1238b8006731e1b4ddd5c23488eb62c937e8435
      • Instruction ID: 4048f4c0b0318ca8d3d0d22ad89190cf3250d0e2558ff6c2beffc01f69aa4a7f
      • Opcode Fuzzy Hash: ea15f2233715ef435e0f3ab9d1238b8006731e1b4ddd5c23488eb62c937e8435
      • Instruction Fuzzy Hash: 067126396083469FCB246E2899647EB73A3EF91790F96411FDCC65B284D7314986CB42
      Uniqueness

      Uniqueness Score: -1.00%

      Function 024C3425, Relevance: .2, Instructions: 183COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.1168606124.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_24c0000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 5f048db6b9b60bbef6f8ce342b74c5b50013dd8e094ea7f669de5b400842d656
      • Instruction ID: dd365ac203578b6d8eb5f5b05e4df05d36cdc37ee585b03232c7573cc25be90f
      • Opcode Fuzzy Hash: 5f048db6b9b60bbef6f8ce342b74c5b50013dd8e094ea7f669de5b400842d656
      • Instruction Fuzzy Hash: 876127757042459BCF34AE648DA47EE37B2EF89300F95802FEC9A5B254C73149C6CB51
      Uniqueness

      Uniqueness Score: -1.00%

      Function 024C4B0E, Relevance: .2, Instructions: 183COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.1168606124.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_24c0000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 8a08e9fd6c3e469cce011946bd3afb9a967d425dbd5b76a355d8794b8586fe89
      • Instruction ID: f766b243e6266356fcb61a01437de2cde0bac6891f704611787d165aabbc8f4e
      • Opcode Fuzzy Hash: 8a08e9fd6c3e469cce011946bd3afb9a967d425dbd5b76a355d8794b8586fe89
      • Instruction Fuzzy Hash: CF6106396083469BCB246E2899647EB73A3EFD1790FD1451FDCCAAB284D7314982CB42
      Uniqueness

      Uniqueness Score: -1.00%

      Function 024C349D, Relevance: .2, Instructions: 173COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.1168606124.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_24c0000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 002ce0f81089fd61f9857c0aded377aac0a6d7b90eb1ec9b1d11bd2b94cbc985
      • Instruction ID: bbc0013c72c2bdb4c4ed6adc21b14014b755840017bffe6f6319712c8f3ad70c
      • Opcode Fuzzy Hash: 002ce0f81089fd61f9857c0aded377aac0a6d7b90eb1ec9b1d11bd2b94cbc985
      • Instruction Fuzzy Hash: AB510375B0424A9BCF34AE648CA47EE37B6EF89700F95806FEC9A5B254C73049C6CB51
      Uniqueness

      Uniqueness Score: -1.00%

      Function 024C3423, Relevance: .2, Instructions: 171COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.1168606124.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_24c0000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1f558ba466941f96fb5a3d4c2ed5d4a5947b76b584e7afa8aed7e4640fbd1fb7
      • Instruction ID: 8bce164df37ce3603801de20dd4657b8d69aa2574e7aa7cdffb5dd0ecc5e77db
      • Opcode Fuzzy Hash: 1f558ba466941f96fb5a3d4c2ed5d4a5947b76b584e7afa8aed7e4640fbd1fb7
      • Instruction Fuzzy Hash: A551E8756042599FCF349E688DA47EB37B6EF89700F95812EEC9A9B210C73149C6CF11
      Uniqueness

      Uniqueness Score: -1.00%

      Function 024C4B9A, Relevance: .2, Instructions: 168COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.1168606124.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_24c0000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 3e20a1a95f81bbf7c09a4c5d308a928b33fbcc1d65dc2c47e38700e62d7911a4
      • Instruction ID: c636ab062ee394d1c305d410a4b117efd937c470963d8a246980d59d6ffd57e0
      • Opcode Fuzzy Hash: 3e20a1a95f81bbf7c09a4c5d308a928b33fbcc1d65dc2c47e38700e62d7911a4
      • Instruction Fuzzy Hash: 085129396083469BCB246E2899657EF73B2EF91790F91451FDCC6AB294C7314982CB82
      Uniqueness

      Uniqueness Score: -1.00%

      Function 024C4BA2, Relevance: .2, Instructions: 166COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.1168606124.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_24c0000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 90b37ff79df9b2ef6842bf424769a0a4f3c34efe417ff8faee1031ab8b7db308
      • Instruction ID: 37a3ae096ecd966072001a2254c2dc121ef08774c3b2f7788de1ba92ec2f44b2
      • Opcode Fuzzy Hash: 90b37ff79df9b2ef6842bf424769a0a4f3c34efe417ff8faee1031ab8b7db308
      • Instruction Fuzzy Hash: 29513B396083469BCB246E289D647EF73B3EF91790F91411FDCC6AB294C7314982CB82
      Uniqueness

      Uniqueness Score: -1.00%

      Function 024C4C23, Relevance: .1, Instructions: 149COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.1168606124.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_24c0000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 3a02ad41b95bda4e5d406b00cda7d9014ce552f48b1b26f3ece8799fa7db4492
      • Instruction ID: 36b6342dcc18a96e8743a0f62ea42e80b0251f846528d0beb22e96d8b9c0ff65
      • Opcode Fuzzy Hash: 3a02ad41b95bda4e5d406b00cda7d9014ce552f48b1b26f3ece8799fa7db4492
      • Instruction Fuzzy Hash: 9A5108396043869BCB246E28D9657FE73A2EFD1391F81441FDCC6AB284C7314982CB82
      Uniqueness

      Uniqueness Score: -1.00%

      Function 024C4C35, Relevance: .1, Instructions: 147COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.1168606124.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_24c0000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: f0e41b5a4e36743ca2f8232697923ee8061ae6ea120cc4f98c032ea2d8ba5f61
      • Instruction ID: 726c6b846d8b07c2c255c47fa275e042d0a5a0396dc043f26768dd7bc7b3dcf4
      • Opcode Fuzzy Hash: f0e41b5a4e36743ca2f8232697923ee8061ae6ea120cc4f98c032ea2d8ba5f61
      • Instruction Fuzzy Hash: 755107396083869FCB246E2899657EE73A2EF91391F91451EDCC6AB284C7314D82CB42
      Uniqueness

      Uniqueness Score: -1.00%

      Function 024C40EA, Relevance: .1, Instructions: 125COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.1168606124.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_24c0000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 0361db317f53f112f168d524031338b6c075e21fc46f0f8b31c798aa1c0e1b67
      • Instruction ID: dccba163b3141dc6407695d017532be274a655111c22a30028732342d130fcba
      • Opcode Fuzzy Hash: 0361db317f53f112f168d524031338b6c075e21fc46f0f8b31c798aa1c0e1b67
      • Instruction Fuzzy Hash: E041E5786043459FCB70AE2989E47DA77A7AF64340FE5412EDD8DC7204D73649C5CB41
      Uniqueness

      Uniqueness Score: -1.00%

      Function 024CA555, Relevance: .1, Instructions: 82COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.1168606124.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_24c0000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b8009f93903095ef4d1380b9939d4b80c7c9265e78cdcfc1097d65969e74db38
      • Instruction ID: 329c9c6dbca8422337dfef5e9e6434368705a089950007c6599188ca1138083b
      • Opcode Fuzzy Hash: b8009f93903095ef4d1380b9939d4b80c7c9265e78cdcfc1097d65969e74db38
      • Instruction Fuzzy Hash: E4210475A543198FEBA09E7898C47EABBA5BF18350F81042ECCC696114D33044C5CB16
      Uniqueness

      Uniqueness Score: -1.00%

      Function 024C4058, Relevance: .0, Instructions: 39COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.1168606124.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_24c0000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 8c31684fa950b07cf9ee3ffd67df19f694a107e58c386e013a9ef76f7471fa79
      • Instruction ID: 6f0908d3ad6c881833804547a890f2d013e98e01784cdecde4caf5c6f2f8d302
      • Opcode Fuzzy Hash: 8c31684fa950b07cf9ee3ffd67df19f694a107e58c386e013a9ef76f7471fa79
      • Instruction Fuzzy Hash: DFF06D4CE0D25BCA5BE8284D87B13FF114A4E932A8E74413F8C9713859B28645CBD402
      Uniqueness

      Uniqueness Score: -1.00%

      Function 024CF7E2, Relevance: .0, Instructions: 35COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.1168606124.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_24c0000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 77f17e6d79ac704eff2e857d5ad65428e5a1adeb646f111a807573100f17aee6
      • Instruction ID: 92405dd7d05cc04b0974291424e2a42f169d7a3891e082309ede6b74a023b927
      • Opcode Fuzzy Hash: 77f17e6d79ac704eff2e857d5ad65428e5a1adeb646f111a807573100f17aee6
      • Instruction Fuzzy Hash: 1CF037386052018FCBA8DA1CD594BAA73B2AF58750F32806FD80AC7A15C735E885CA21
      Uniqueness

      Uniqueness Score: -1.00%

      Function 024C9ABD, Relevance: .0, Instructions: 8COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.1168606124.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_24c0000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 12058ecf7fa922b1966b0573699363742f3f49beacc3e41cff2a9601a2994401
      • Instruction ID: 7b957900f91ab36ab69451d814a091b510f6cb392a189635f6687a3d6c1120e3
      • Opcode Fuzzy Hash: 12058ecf7fa922b1966b0573699363742f3f49beacc3e41cff2a9601a2994401
      • Instruction Fuzzy Hash: B5C048BA200580EBEE86CA08C9A2B6073A0BB15A88B080494E8029F612D224EE00CA00
      Uniqueness

      Uniqueness Score: -1.00%

      Function 024CF080, Relevance: .0, Instructions: 7COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.1168606124.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_24c0000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 06632a09c628c811134d50645f5c4c4faba004328ecc28b94d3cc3bb6f2f90eb
      • Instruction ID: f0dea05c000ae4dc690b544d51860d01d6a7e1900b15ebea8ebd3afe71c36364
      • Opcode Fuzzy Hash: 06632a09c628c811134d50645f5c4c4faba004328ecc28b94d3cc3bb6f2f90eb
      • Instruction Fuzzy Hash: D2C0923D2116408FCE89CE09C280F8073B1BB54E50F53488AEC218BB11E368E80ACF00
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00420210, Relevance: 35.1, APIs: 17, Strings: 3, Instructions: 136COMMON
      Download Yara Rule

      Control-flow Graph

      APIs
      • __vbaStrCopy.MSVBVM60 ref: 00420265
      • __vbaStrCopy.MSVBVM60 ref: 0042026F
      • #515.MSVBVM60(?,?,00000002), ref: 00420288
      • __vbaVarTstNe.MSVBVM60(?,?), ref: 004202A4
      • __vbaFreeVar.MSVBVM60 ref: 004202B0
      • __vbaNew2.MSVBVM60(00402BC8,004223C0), ref: 004202D1
      • __vbaHresultCheckObj.MSVBVM60(00000000,022BEDD4,00402BB8,0000004C), ref: 004202F6
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402F30,00000024), ref: 00420324
      • __vbaStrMove.MSVBVM60 ref: 00420333
      • __vbaFreeObj.MSVBVM60 ref: 0042033C
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 00420355
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0042036E
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C30,00000068), ref: 0042038F
      • __vbaFreeObj.MSVBVM60 ref: 0042039E
      • __vbaFreeStr.MSVBVM60(004203E7), ref: 004203DA
      • __vbaFreeStr.MSVBVM60 ref: 004203DF
      • __vbaFreeStr.MSVBVM60 ref: 004203E4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresult$CopyNew2$#515Move
      • String ID: CAREENING$Monascidian$var
      • API String ID: 860825397-1736873049
      • Opcode ID: 8578ea81576940a2629aa60c196a3de34aca7545adb1f17a96632eca6b7b09f1
      • Instruction ID: bcdfe8464909d73dd4c15ec63dfffe8be50d845b8c14779d71394d03564216e8
      • Opcode Fuzzy Hash: 8578ea81576940a2629aa60c196a3de34aca7545adb1f17a96632eca6b7b09f1
      • Instruction Fuzzy Hash: F7513D71940219ABCB10DF94DE88ADEBBF8FF58700F20402AE905F72A0D7B85945CF68
      Uniqueness

      Uniqueness Score: -1.00%

      Function 004205B0, Relevance: 31.7, APIs: 21, Instructions: 182COMMON
      Download Yara Rule

      Control-flow Graph

      APIs
      • __vbaVarDup.MSVBVM60 ref: 00420610
      • #522.MSVBVM60(?,?), ref: 0042061E
      • __vbaVarTstNe.MSVBVM60(?,?), ref: 0042063A
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042064D
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004025E4,00000160), ref: 00420681
      • __vbaNew2.MSVBVM60(00402BC8,004223C0), ref: 00420699
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 004206B8
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004206D1
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C30,00000120), ref: 004206F8
      • __vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00420716
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 00420720
      • __vbaStrMove.MSVBVM60 ref: 0042072B
      • __vbaObjSet.MSVBVM60(?,?,00000000), ref: 00420737
      • __vbaHresultCheckObj.MSVBVM60(00000000,022BEDD4,00402BB8,00000040), ref: 00420759
      • __vbaFreeStr.MSVBVM60 ref: 00420762
      • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00420776
      • __vbaFreeVar.MSVBVM60 ref: 00420782
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0042079B
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004207B4
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C30,000000E8), ref: 004207DB
      • __vbaFreeObj.MSVBVM60 ref: 004207EA
      Memory Dump Source
      • Source File: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresult$New2$ListMove$#522CallLate
      • String ID:
      • API String ID: 3206667697-0
      • Opcode ID: 0cf9b59044591327311f57a06e184d6f5cafccdfacc5ea84e8186295296eb478
      • Instruction ID: 68ed3f34ffeab08c38f1d9541db58260fc65ac81ed65f6c4a92377056c4974da
      • Opcode Fuzzy Hash: 0cf9b59044591327311f57a06e184d6f5cafccdfacc5ea84e8186295296eb478
      • Instruction Fuzzy Hash: 29612AB1900259AFCB10DFA4DD88EDEBBB8FB48700F50452AF646B32A1D7786545CF68
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041FAE0, Relevance: 21.1, APIs: 14, Instructions: 113COMMON
      Download Yara Rule

      Control-flow Graph

      APIs
      • __vbaStrCopy.MSVBVM60 ref: 0041FB32
      • __vbaI4Str.MSVBVM60(00402E80), ref: 0041FB3D
      • #697.MSVBVM60(00000000), ref: 0041FB44
      • __vbaStrMove.MSVBVM60 ref: 0041FB4F
      • __vbaStrCmp.MSVBVM60(00402B78,00000000), ref: 0041FB5B
      • __vbaFreeStr.MSVBVM60 ref: 0041FB6E
      • __vbaNew2.MSVBVM60(00402BC8,004223C0), ref: 0041FB8F
      • __vbaHresultCheckObj.MSVBVM60(00000000,022BEDD4,00402BB8,0000001C), ref: 0041FBB4
      • __vbaCastObj.MSVBVM60(?,00402D5C), ref: 0041FBE8
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041FBF3
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402EA0,00000058), ref: 0041FC0D
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041FC1D
      • __vbaFreeObj.MSVBVM60(0041FC64), ref: 0041FC54
      • __vbaFreeStr.MSVBVM60 ref: 0041FC5D
      Memory Dump Source
      • Source File: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresult$#697CastCopyListMoveNew2
      • String ID:
      • API String ID: 1550409211-0
      • Opcode ID: dec79ddcaa2731d3793e24cc3f3389b821fc6f86b8c719fcc1a43190bf259ad6
      • Instruction ID: fa788f03b85518bc6d568c9efcd5b80f2c4519a98d65b297ab95d78ea02eb182
      • Opcode Fuzzy Hash: dec79ddcaa2731d3793e24cc3f3389b821fc6f86b8c719fcc1a43190bf259ad6
      • Instruction Fuzzy Hash: 9E4121B1D40209ABCB04DF95DA49ADEBBB8FF58701F10812AF941F72A0D7785945CFA8
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041F9A0, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 76COMMON
      Download Yara Rule

      Control-flow Graph

      APIs
      • #591.MSVBVM60(?), ref: 0041F9E9
      • __vbaStrMove.MSVBVM60 ref: 0041F9F4
      • __vbaStrCmp.MSVBVM60(Integer,00000000), ref: 0041FA00
      • __vbaFreeStr.MSVBVM60 ref: 0041FA13
      • __vbaFreeVar.MSVBVM60 ref: 0041FA1C
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041FA3A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041FA53
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,00000080), ref: 0041FA7A
      • __vbaFreeObj.MSVBVM60 ref: 0041FA89
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$Free$#591CheckHresultMoveNew2
      • String ID: Integer$KK
      • API String ID: 609433361-2898439456
      • Opcode ID: b82f7f8ba8c1302ee65da9922a863e48dcde9d4a4eb556bb3e259b6c5583e474
      • Instruction ID: 77985914ceb2c62596258a1049ad9bd42d4f39883c1d602b7e297ce2b9e3d6e8
      • Opcode Fuzzy Hash: b82f7f8ba8c1302ee65da9922a863e48dcde9d4a4eb556bb3e259b6c5583e474
      • Instruction Fuzzy Hash: 8E2161759402159FC710DF94DE49AEEBBB8FF58701F104126E542F32A0D7785946CB98
      Uniqueness

      Uniqueness Score: -1.00%

      Function 004200E0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 74COMMON
      Download Yara Rule

      Control-flow Graph

      APIs
      • #606.MSVBVM60(00000001,?), ref: 00420134
      • __vbaStrMove.MSVBVM60 ref: 0042013F
      • __vbaStrCmp.MSVBVM60(00402BA4,00000000), ref: 0042014B
      • __vbaFreeStr.MSVBVM60 ref: 0042015E
      • __vbaFreeVar.MSVBVM60 ref: 00420167
      • __vbaNew2.MSVBVM60(00402BC8,004223C0), ref: 00420184
      • __vbaObjSetAddref.MSVBVM60(?,00401218), ref: 0042019A
      • __vbaHresultCheckObj.MSVBVM60(00000000,022BEDD4,00402BB8,00000010), ref: 004201B7
      • __vbaFreeObj.MSVBVM60 ref: 004201C0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$Free$#606AddrefCheckHresultMoveNew2
      • String ID:
      • API String ID: 2885364696-3916222277
      • Opcode ID: 42817327d9ecb01db82565240ad0cde369ab6602ccfd262910e213a8b1d3e7b5
      • Instruction ID: 4e6be18c86265021636ad89bdcd8d7c66c3f6806dcfeca67c5885bc78f9f54fc
      • Opcode Fuzzy Hash: 42817327d9ecb01db82565240ad0cde369ab6602ccfd262910e213a8b1d3e7b5
      • Instruction Fuzzy Hash: C7218271900255AFCB009FA4DE89AEEBBB4FF08701F50412AE941F31A0D7781545CFA9
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041F850, Relevance: 16.6, APIs: 11, Instructions: 89COMMON
      Download Yara Rule

      Control-flow Graph

      APIs
      • #538.MSVBVM60(?,000007DB,0000000B,0000000B), ref: 0041F891
      • #557.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F89B
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F8B8
      • #570.MSVBVM60(0000004F,?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F8C1
      • __vbaNew2.MSVBVM60(00401C88,00422010,?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F8DA
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F8F3
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BFC,00000158), ref: 0041F91A
      • __vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041F92A
      • __vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F934
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041F947
      • __vbaFreeVar.MSVBVM60 ref: 0041F953
      Memory Dump Source
      • Source File: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$Free$#538#557#570CallCheckHresultLateListNew2
      • String ID:
      • API String ID: 729259385-0
      • Opcode ID: 3b27b5dca1f95d907cf530132f38fbc6c9eec71e80f68786ba946c24b8d4a8d6
      • Instruction ID: 28a998137c1d835f3c71259e68d6e9a4c87c9980e91c18bd07e2ed946d22039d
      • Opcode Fuzzy Hash: 3b27b5dca1f95d907cf530132f38fbc6c9eec71e80f68786ba946c24b8d4a8d6
      • Instruction Fuzzy Hash: 24319EB0940244ABCB10EBA4DD89FEE7BB8FB88B00F00452AF542B71A0D7785449CB68
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00420850, Relevance: 15.1, APIs: 10, Instructions: 95COMMON
      Download Yara Rule

      Control-flow Graph

      APIs
      • __vbaStrCopy.MSVBVM60 ref: 004208A2
      • __vbaVarDup.MSVBVM60 ref: 004208BC
      • #528.MSVBVM60(?,?), ref: 004208CA
      • __vbaVarTstNe.MSVBVM60(?,?), ref: 004208E6
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004208F9
      • __vbaNew2.MSVBVM60(00402BC8,004223C0), ref: 00420919
      • __vbaHresultCheckObj.MSVBVM60(00000000,022BEDD4,00402BB8,0000001C), ref: 0042093E
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402EA0,00000050), ref: 0042095E
      • __vbaFreeObj.MSVBVM60 ref: 00420967
      • __vbaFreeStr.MSVBVM60(0042099F), ref: 00420998
      Memory Dump Source
      • Source File: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresult$#528CopyListNew2
      • String ID:
      • API String ID: 1123914322-0
      • Opcode ID: bb1443740ffcede94451316bc6eb411010b75f5c665883fa5847039922e76513
      • Instruction ID: 2e6f7271918206ee901e3630b5768a48c4a91c0a1fbf0744049b49a04d00629f
      • Opcode Fuzzy Hash: bb1443740ffcede94451316bc6eb411010b75f5c665883fa5847039922e76513
      • Instruction Fuzzy Hash: 08314AB0D00249ABDB04DFE5D949ADEFBB8FF58704F10802AE512B72A1D7B85545CFA8
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041F640, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47COMMON
      Download Yara Rule

      Control-flow Graph

      APIs
      • __vbaStrCopy.MSVBVM60 ref: 0041F67D
      • __vbaI4Str.MSVBVM60(00402E80), ref: 0041F688
      • #698.MSVBVM60(?,00000000), ref: 0041F693
      • __vbaVarTstNe.MSVBVM60(?,?), ref: 0041F6AF
      • __vbaFreeVar.MSVBVM60 ref: 0041F6BA
      • #569.MSVBVM60(00000068), ref: 0041F6C7
      • __vbaFreeStr.MSVBVM60(0041F6F9), ref: 0041F6F2
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$Free$#569#698Copy
      • String ID: G*
      • API String ID: 3581547392-626655979
      • Opcode ID: e7923cee0c49f45b1ec313d467d14189356175ce0d1f456a878ef30e5c033253
      • Instruction ID: 8f054ead442aeae686aa10a4ac0bb6df2d51a15e889d36b5a8fa1a60e0102db3
      • Opcode Fuzzy Hash: e7923cee0c49f45b1ec313d467d14189356175ce0d1f456a878ef30e5c033253
      • Instruction Fuzzy Hash: E6111CB5C002499BCB10DFA5DA49ADEFBB8BF48700F10C12AE552B36A0D778554ACF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041F490, Relevance: 13.6, APIs: 9, Instructions: 116COMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 599 41f490-41f4ef #693 601 41f5e2-41f615 599->601 602 41f4f5-41f533 #685 __vbaObjSet 599->602 604 41f535-41f545 __vbaNew2 602->604 605 41f54a-41f570 __vbaObjSet 602->605 604->605 608 41f572-41f57e __vbaHresultCheckObj 605->608 609 41f584-41f5a6 605->609 608->609 611 41f5b7-41f5df __vbaFreeObjList __vbaFreeVarList 609->611 612 41f5a8-41f5b1 __vbaHresultCheckObj 609->612 611->601 612->611
      APIs
      • #693.MSVBVM60(00402B78), ref: 0041F4E7
      • #685.MSVBVM60 ref: 0041F4F5
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041F506
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041F53F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041F558
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,000001A8), ref: 0041F57E
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402E6C,00000044), ref: 0041F5B1
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041F5C1
      • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0041F5D9
      Memory Dump Source
      • Source File: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresultList$#685#693New2
      • String ID:
      • API String ID: 587155547-0
      • Opcode ID: 05b6b0fd58470c25d9ac0d43219a0454d5854c0a4bb4c12ea4442ecbd3d2b615
      • Instruction ID: 4386f42cab463f89c2d52a28f3307560ac98c29214669afa7051233b460a5736
      • Opcode Fuzzy Hash: 05b6b0fd58470c25d9ac0d43219a0454d5854c0a4bb4c12ea4442ecbd3d2b615
      • Instruction Fuzzy Hash: 614127B1D00208AFCB14CF99D988AEEBBB8BB48700F50842AF655F7290D6785946CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041FF30, Relevance: 12.1, APIs: 8, Instructions: 120COMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 613 41ff30-41ff77 615 41ff79-41ff89 __vbaNew2 613->615 616 41ff8e-420015 __vbaObjSet 613->616 615->616 619 420017-420023 __vbaHresultCheckObj 616->619 620 420029-42003b __vbaFreeObj 616->620 619->620 621 420052-420079 __vbaObjSet 620->621 622 42003d-42004d __vbaNew2 620->622 625 42007b-420087 __vbaHresultCheckObj 621->625 626 42008d-4200aa __vbaFreeObj 621->626 622->621 625->626
      APIs
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041FF83
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041FF9C
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,00000224), ref: 00420023
      • __vbaFreeObj.MSVBVM60 ref: 00420032
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 00420047
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00420060
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,000000D0), ref: 00420087
      • __vbaFreeObj.MSVBVM60 ref: 00420096
      Memory Dump Source
      • Source File: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresultNew2
      • String ID:
      • API String ID: 1645334062-0
      • Opcode ID: c340743920098c95755803172a7564e9cee5b388d4087479a9bdd1550532e9c3
      • Instruction ID: 36296e4132f598ea8c5907e7be4136f87fc530f73f16b72cabb268674a138ef5
      • Opcode Fuzzy Hash: c340743920098c95755803172a7564e9cee5b388d4087479a9bdd1550532e9c3
      • Instruction Fuzzy Hash: 80412A74A00214AFDB14DFA9D988B9ABBF9FF48700F10856AE945F7361D7789802CF94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 004209C0, Relevance: 12.1, APIs: 8, Instructions: 101COMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 628 4209c0-420a07 630 420a09-420a19 __vbaNew2 628->630 631 420a1e-420a42 __vbaObjSet 628->631 630->631 633 420a44-420a54 __vbaNew2 631->633 634 420a59-420a7c __vbaObjSet 631->634 633->634 637 420a90-420abc 634->637 638 420a7e-420a8a __vbaHresultCheckObj 634->638 640 420ad0-420b10 __vbaFreeStr __vbaFreeObjList 637->640 641 420abe-420aca __vbaHresultCheckObj 637->641 638->637 641->640
      APIs
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 00420A13
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00420A32
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 00420A4E
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00420A67
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,000000E8), ref: 00420A8A
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,000001EC), ref: 00420ACA
      • __vbaFreeStr.MSVBVM60 ref: 00420AD3
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00420AE3
      Memory Dump Source
      • Source File: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresultNew2$List
      • String ID:
      • API String ID: 2509323985-0
      • Opcode ID: 3309d732e4ea09f7bf8e1b03d28e07ac95b6904aff8370bb60358c00fc30767a
      • Instruction ID: 866836eaf2bb7818a24de3e9a0c27ae917f03596975a99d98b1aca6bb0b16c44
      • Opcode Fuzzy Hash: 3309d732e4ea09f7bf8e1b03d28e07ac95b6904aff8370bb60358c00fc30767a
      • Instruction Fuzzy Hash: 3C313FB0A00214AFC710DFA8DD49F9EBBF8FB48700F50856AF945F7251D6789946CBA4
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041FDB0, Relevance: 12.1, APIs: 8, Instructions: 98COMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 643 41fdb0-41fdeb 644 41fe02-41fe26 __vbaObjSet 643->644 645 41fded-41fdfd __vbaNew2 643->645 647 41fe28-41fe38 __vbaNew2 644->647 648 41fe3d-41fe60 __vbaObjSet 644->648 645->644 647->648 651 41fe62-41fe6e __vbaHresultCheckObj 648->651 652 41fe74-41fea0 648->652 651->652 654 41fea2-41feae __vbaHresultCheckObj 652->654 655 41feb4-41ff02 __vbaFreeStr __vbaFreeObjList 652->655 654->655
      APIs
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041FDF7
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041FE16
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041FE32
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041FE4B
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C20,00000198), ref: 0041FE6E
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,000001EC), ref: 0041FEAE
      • __vbaFreeStr.MSVBVM60 ref: 0041FEB7
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041FEC7
      Memory Dump Source
      • Source File: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresultNew2$List
      • String ID:
      • API String ID: 2509323985-0
      • Opcode ID: c92375b3669eecdba1e24a38cdf8049b736c4a3e6432f0e3dd97020a5830201b
      • Instruction ID: d7cc6ce4d10214c6cd8abce74a3fbd6c0287ab40830f7e2ad3ebfcff73dd1ecc
      • Opcode Fuzzy Hash: c92375b3669eecdba1e24a38cdf8049b736c4a3e6432f0e3dd97020a5830201b
      • Instruction Fuzzy Hash: 73313FB0A00204ABD710DFA8DD49FDE7BB8FB48704F10446AF945F7251D6799946CBA8
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041F720, Relevance: 12.1, APIs: 8, Instructions: 78COMMON
      Download Yara Rule
      APIs
      • #713.MSVBVM60(00402E8C,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F765
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F770
      • __vbaStrCmp.MSVBVM60(00402E98,00000000,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F77C
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F78F
      • __vbaNew2.MSVBVM60(00402BC8,004223C0,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F7AC
      • __vbaHresultCheckObj.MSVBVM60(00000000,022BEDD4,00402BB8,0000001C,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F7D1
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402EA0,00000050,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F7F1
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F7FA
      Memory Dump Source
      • Source File: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresult$#713MoveNew2
      • String ID:
      • API String ID: 1476637831-0
      • Opcode ID: 184d8b4424cf2edefd211811e4ff9871d15d60b1a9306e67a6e39b34239b4ef4
      • Instruction ID: 799749629f76d2f6249c38512525a59c30af2305141121e4f38c7e21d2b69855
      • Opcode Fuzzy Hash: 184d8b4424cf2edefd211811e4ff9871d15d60b1a9306e67a6e39b34239b4ef4
      • Instruction Fuzzy Hash: 0C217475940254ABCB109FA4DE49AAEBBB8FF48701F604026F942F72A0C7785946CB98
      Uniqueness

      Uniqueness Score: -1.00%

      Function 004204A0, Relevance: 9.1, APIs: 6, Instructions: 68COMMON
      Download Yara Rule
      APIs
      • #592.MSVBVM60(?), ref: 004204E2
      • __vbaFreeVar.MSVBVM60 ref: 004204F9
      • __vbaNew2.MSVBVM60(00402BC8,004223C0), ref: 00420517
      • __vbaHresultCheckObj.MSVBVM60(00000000,022BEDD4,00402BB8,0000001C), ref: 0042053C
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402EA0,00000050), ref: 0042055C
      • __vbaFreeObj.MSVBVM60 ref: 00420565
      Memory Dump Source
      • Source File: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresult$#592New2
      • String ID:
      • API String ID: 3172800638-0
      • Opcode ID: 364b4a7278ac4e8497e5359268955a84d77214bfc0baea8627ccfcc8d2217d90
      • Instruction ID: f1112d9f8d98a5fe932b75d48b696e00baebf898d6c64982f1a7121a90d72e1e
      • Opcode Fuzzy Hash: 364b4a7278ac4e8497e5359268955a84d77214bfc0baea8627ccfcc8d2217d90
      • Instruction Fuzzy Hash: 2B219270640265ABDB10DFA4DE49F9A7BF8AF08B04F50002AF941F3291D7B859458BA8
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00420C00, Relevance: 9.1, APIs: 6, Instructions: 60COMMON
      Download Yara Rule
      APIs
      • __vbaVarDup.MSVBVM60 ref: 00420C5A
      • #564.MSVBVM60(?,?), ref: 00420C68
      • __vbaHresultCheck.MSVBVM60(00000000), ref: 00420C73
      • __vbaVarTstNe.MSVBVM60(?,?), ref: 00420C8F
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00420CA1
      • #568.MSVBVM60(00000093), ref: 00420CB4
      Memory Dump Source
      • Source File: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$#564#568CheckFreeHresultList
      • String ID:
      • API String ID: 1114338403-0
      • Opcode ID: 3fcf5eb8d824bb5e2bbdee9bc08964923bdd229eef3ce541c34133cc9b260f35
      • Instruction ID: 7dbccddee69fcd9b9cdcab9f78b628ac1a3635663d60977db8433598e9f753ef
      • Opcode Fuzzy Hash: 3fcf5eb8d824bb5e2bbdee9bc08964923bdd229eef3ce541c34133cc9b260f35
      • Instruction Fuzzy Hash: 5F2124B5800258EFDB04DFD4DA89ADEBFB8FB48B04F10411AF506BB250D7B45589CBA4
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00420B30, Relevance: 9.1, APIs: 6, Instructions: 52COMMON
      Download Yara Rule
      APIs
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,004012C6), ref: 00420B67
      • __vbaNew2.MSVBVM60(00401C88,00422010,?,?,?,?,?,?,?,004012C6), ref: 00420B80
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,004012C6), ref: 00420B99
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,00000208,?,?,?,?,?,?,?,004012C6), ref: 00420BBC
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,004012C6), ref: 00420BC5
      • __vbaFreeStr.MSVBVM60(00420BE6,?,?,?,?,?,?,?,004012C6), ref: 00420BDF
      Memory Dump Source
      • Source File: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$Free$CheckCopyHresultNew2
      • String ID:
      • API String ID: 4138333463-0
      • Opcode ID: ebc5125059d4af1d826e05cc324e8be2f722c6d8cc1f6915712f23e0e196e421
      • Instruction ID: f1cffd853ca6d2939abfe0b80a7d007cb2caa80ef04af30e455e08e5b8c1cb02
      • Opcode Fuzzy Hash: ebc5125059d4af1d826e05cc324e8be2f722c6d8cc1f6915712f23e0e196e421
      • Instruction Fuzzy Hash: AB119170640204AFC710DFA4DE89FAF7BB8EB48701F604526F942F32A1D7786941CBA9
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041FC90, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67COMMON
      Download Yara Rule
      C-Code - Quality: 17%
      			E0041FC90(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr* _t21;
				intOrPtr* _t23;
				intOrPtr* _t25;
				void* _t28;
				intOrPtr* _t30;
				intOrPtr* _t40;
				void* _t41;
				void* _t43;
				intOrPtr _t44;
				intOrPtr _t45;

				_t44 = _t43 - 0xc;
				 *[fs:0x0] = _t44;
				_t45 = _t44 - 0x2c;
				_v16 = _t45;
				_v12 = 0x4011e8;
				_v8 = 0;
				_t21 = _a4;
				 *((intOrPtr*)( *_t21 + 4))(_t21, __edi, __esi, __ebx,  *[fs:0x0], 0x4012c6, _t41);
				_t23 =  *0x422010; // 0x5a20a0
				_v32 = 0;
				_v28 = 0;
				_v36 = 0;
				if(_t23 == 0) {
					__imp____vbaNew2(0x401c88, 0x422010);
					_t23 =  *0x422010; // 0x5a20a0
				}
				_t25 =  &_v36;
				__imp____vbaObjSet(_t25,  *((intOrPtr*)( *_t23 + 0x318))(_t23));
				_t30 = _t45 - 0x10;
				 *_t30 = 0xa;
				_t40 = _t25;
				 *((intOrPtr*)(_t30 + 4)) = _v48;
				 *((intOrPtr*)(_t30 + 8)) = 0x80020004;
				 *((intOrPtr*)(_t30 + 0xc)) = _v40;
				_t28 =  *((intOrPtr*)( *_t40 + 0x1ec))(_t40, L"Skottehistorien");
				asm("fclex");
				if(_t28 < 0) {
					__imp____vbaHresultCheckObj(_t28, _t40, 0x402bd8, 0x1ec);
				}
				__imp____vbaFreeObj();
				_v32 = 0x99500000;
				_v28 = 0x4202a36b;
				asm("wait");
				_push(0x41fd74);
				return _t28;
			}





















      0x0041fc93
      0x0041fca2
      0x0041fca9
      0x0041fcaf
      0x0041fcb2
      0x0041fcbb
      0x0041fcbe
      0x0041fcc4
      0x0041fcc7
      0x0041fcce
      0x0041fcd1
      0x0041fcd4
      0x0041fcd7
      0x0041fce3
      0x0041fce9
      0x0041fce9
      0x0041fcf8
      0x0041fcfc
      0x0041fd05
      0x0041fd0c
      0x0041fd11
      0x0041fd15
      0x0041fd1d
      0x0041fd29
      0x0041fd2c
      0x0041fd32
      0x0041fd36
      0x0041fd44
      0x0041fd44
      0x0041fd4d
      0x0041fd53
      0x0041fd5a
      0x0041fd61
      0x0041fd62
      0x00000000

      APIs
      • __vbaNew2.MSVBVM60(00401C88,00422010,?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041FCE3
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041FCFC
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,000001EC), ref: 0041FD44
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041FD4D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresultNew2
      • String ID: Skottehistorien
      • API String ID: 1645334062-3067532313
      • Opcode ID: f64e007f0e89c5c8a3c2bebbafe1ca7bcf7ebb9c19d6faa37a88e7944336a70b
      • Instruction ID: 24f21426e5cce719035c9a05dc6bebaff0ba7d3eb39f6cbc2da9d715ed175d18
      • Opcode Fuzzy Hash: f64e007f0e89c5c8a3c2bebbafe1ca7bcf7ebb9c19d6faa37a88e7944336a70b
      • Instruction Fuzzy Hash: 54213270A40204ABCB00DF99DA89ADEBBF9FF59700F10856AE905F7251D7789541CF98
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041F3A0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON
      Download Yara Rule
      APIs
      • __vbaNew2.MSVBVM60(00401C88,00422010), ref: 0041F3E3
      • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041F3FC
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BD8,000001EC), ref: 0041F444
      • __vbaFreeObj.MSVBVM60 ref: 0041F44D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresultNew2
      • String ID: weet
      • API String ID: 1645334062-3595723829
      • Opcode ID: 9e6a794667844231a66294033109904e56799ce44c11663cd9cc67dcb4afdd8d
      • Instruction ID: a7e52106cc8cb69be928560c679e2f1930c8ad4679fa73ab9c9ed0786819239a
      • Opcode Fuzzy Hash: 9e6a794667844231a66294033109904e56799ce44c11663cd9cc67dcb4afdd8d
      • Instruction Fuzzy Hash: 0F115474A40245AFC700DFA8CA49F9ABBF8FB08701F10853AE545F7690D7785945CB99
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00420410, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON
      Download Yara Rule
      C-Code - Quality: 20%
      			E00420410(intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr* _t13;
				signed char _t14;
				intOrPtr* _t15;
				void* _t18;
				void* _t23;
				void* _t25;
				intOrPtr _t27;

				 *[fs:0x0] = _t27;
				_v16 = _t27 - 0x18;
				_v12 = 0x401240;
				_v8 = 0;
				_t13 = _a4;
				_t14 =  *((intOrPtr*)( *_t13 + 4))(_t13, _t23, _t25, _t18,  *[fs:0x0], 0x4012c6);
				__imp____vbaR4Str(0x402f44);
				asm("fcomp dword [0x401238]");
				asm("fnstsw ax");
				if((_t14 & 0x00000040) == 0) {
					__imp____vbaFileOpen(0x20, 0xffffffff, 0x30, L"imprejudice");
				}
				_t15 = _a4;
				 *((intOrPtr*)( *_t15 + 8))(_t15);
				 *[fs:0x0] = _v24;
				return _v8;
			}














      0x00420422
      0x0042042f
      0x00420432
      0x00420439
      0x00420440
      0x00420446
      0x0042044e
      0x00420454
      0x0042045a
      0x0042045f
      0x0042046c
      0x0042046c
      0x00420472
      0x00420478
      0x00420483
      0x0042048e

      APIs
      • __vbaR4Str.MSVBVM60(00402F44,?,?,?,?,?,?,?,?,004012C6), ref: 0042044E
      • __vbaFileOpen.MSVBVM60(00000020,000000FF,00000030,imprejudice,?,?,?,?,?,?,?,?,004012C6), ref: 0042046C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$FileOpen
      • String ID: imprejudice
      • API String ID: 1444369698-3142114848
      • Opcode ID: 39863a561b55bb2115271411c66debceae1de35c3586fe0bc56d348b7c86f09d
      • Instruction ID: 72b214d80ec3a0e60a883404857dd585d88d82731f05bb3600f171ff53060fff
      • Opcode Fuzzy Hash: 39863a561b55bb2115271411c66debceae1de35c3586fe0bc56d348b7c86f09d
      • Instruction Fuzzy Hash: 63018F75A40204EFC700DF98DA49B4ABBB8FB48B50F1082AAF945B73E1C3B85940CB95
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00420D00, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON
      Download Yara Rule
      APIs
      • __vbaVarTstNe.MSVBVM60(?,?), ref: 00420D54
      • #532.MSVBVM60(Emotionen3), ref: 00420D64
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1168176169.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1168153350.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168162247.0000000000401000.00000020.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168183221.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.1168194723.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: #532__vba
      • String ID: Emotionen3
      • API String ID: 1414456671-3255538820
      • Opcode ID: d8f3bc02e5584c2b07d5dcc433b893d2e20c782a16353777b3a42c4173464dcf
      • Instruction ID: ae921b9b2815b34c7d9f06a440cc09d13f270e151df82d51b59331e8de7d3893
      • Opcode Fuzzy Hash: d8f3bc02e5584c2b07d5dcc433b893d2e20c782a16353777b3a42c4173464dcf
      • Instruction Fuzzy Hash: 19F062B4901248AFCB10DFD4DA49BDDBBF8FB18745F60405AF441B2290C7B82A09CF69
      Uniqueness

      Uniqueness Score: -1.00%