Analysis Report Facturas Pagadas Al Vencimiento.exe

Overview

General Information

Sample Name: Facturas Pagadas Al Vencimiento.exe
Analysis ID: 433561
MD5: c8d357afda8635441bc5838244ca0029
SHA1: 026b3b6bafa462c763860afeb21b3cfe05aeb600
SHA256: 94bfbe95a21d987080ac95825abde8cf1aa7955fa711c8daeea32ba18590979d

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Checks if the current process is being debugged
Detected potential crypto function
One or more processes crash
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • Facturas Pagadas Al Vencimiento.exe (PID: 5992 cmdline: 'C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe' MD5: C8D357AFDA8635441BC5838244CA0029)
    • WerFault.exe (PID: 4020 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 700 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 3468 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 700 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1dBTGLOe-ZeMuRpNWg8qsJp7BOE8QNF9s5l"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
Facturas Pagadas Al Vencimiento.exe | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    AV Detection:

    Found malware configuration
    Source: Facturas Pagadas Al Vencimiento.exe, Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1dBTGLOe-ZeMuRpNWg8qsJp7BOE8QNF9s5l"}
    Multi AV Scanner detection for submitted file
    Source: Facturas Pagadas Al Vencimiento.exe, Virustotal: Detection: 71%
    Source: Facturas Pagadas Al Vencimiento.exe, Metadefender: Detection: 45%
    Source: Facturas Pagadas Al Vencimiento.exe, ReversingLabs: Detection: 69%
    Source: Facturas Pagadas Al Vencimiento.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor, URLs: https://drive.google.com/uc?export=download&id=1dBTGLOe-ZeMuRpNWg8qsJp7BOE8QNF9s5l

    System Summary:

    Potential malicious icon found
    Source: initial sample, Icon embedded in PE file: bad icon match: 20047c7c70f0e004
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Code function: 0_2_004014BC 0_2_004014BC
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 700
    Source: Facturas Pagadas Al Vencimiento.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000000.209123671.0000000000421000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameGRFTNING.exe vs Facturas Pagadas Al Vencimiento.exe
    Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000000.209337429.00000000020A0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs Facturas Pagadas Al Vencimiento.exe
    Source: Facturas Pagadas Al Vencimiento.exe, Binary or memory string: OriginalFilenameGRFTNING.exe vs Facturas Pagadas Al Vencimiento.exe
    Source: Facturas Pagadas Al Vencimiento.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: classification engine, Classification label: mal76.rans.troj.winEXE@3/8@0/1
    Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5992
    Source: C:\Windows\SysWOW64\WerFault.exe, File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB3CC.tmp
    Source: Facturas Pagadas Al Vencimiento.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Windows\SysWOW64\WerFault.exe, Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\SysWOW64\WerFault.exe, File read: C:\Windows\System32\drivers\etc\hosts
    Source: Facturas Pagadas Al Vencimiento.exe, Virustotal: Detection: 71%
    Source: Facturas Pagadas Al Vencimiento.exe, Metadefender: Detection: 45%
    Source: Facturas Pagadas Al Vencimiento.exe, ReversingLabs: Detection: 69%
    Source: unknown, Process created: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe 'C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe'

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match, File source: Facturas Pagadas Al Vencimiento.exe, type: SAMPLE
    Source: Yara match, File source: 0.0.Facturas Pagadas Al Vencimiento.exe.400000.5.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.0.Facturas Pagadas Al Vencimiento.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.0.Facturas Pagadas Al Vencimiento.exe.400000.3.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.0.Facturas Pagadas Al Vencimiento.exe.400000.1.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.0.Facturas Pagadas Al Vencimiento.exe.400000.7.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.2.Facturas Pagadas Al Vencimiento.exe.400000.0.unpack, type: UNPACKEDPE
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Code function: 0_2_00406C48 push edi; iretd 0_2_00406C4C
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Code function: 0_2_0040A4F0 push edi; retf 0_2_0040A4F6
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Code function: 0_2_0040B88A push es; ret 0_2_0040B902
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Code function: 0_2_004018A5 push eax; retn 0041h 0_2_004018AD
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Code function: 0_2_0040CD40 push FFFFFF87h; ret 0_2_0040CD42
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Code function: 0_2_0040AD1C pushfd ; ret 0_2_0040AD2E
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Code function: 0_2_0040DE63 push ds; ret 0_2_0040DE6D
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Code function: 0_2_0040C20B push FFFFFFF9h; ret 0_2_0040C2DE
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Code function: 0_2_0040C20D push FFFFFFF9h; ret 0_2_0040C2DE
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Code function: 0_2_0040CAC2 pushad ; ret 0_2_0040CAD2
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Code function: 0_2_00405EC5 push es; ret 0_2_00405EC8
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Code function: 0_2_0040D6DA push cs; ret 0_2_0040D6F1
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Code function: 0_2_0040BA91 push ss; ret 0_2_0040BA92
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Code function: 0_2_0040829F push 00000055h; ret 0_2_004082BD
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Code function: 0_2_00409768 push ebp; ret 0_2_0040976D
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Code function: 0_2_00409F3A push 00000048h; ret 0_2_00409F92
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Code function: 0_2_00409FCB push 00000048h; ret 0_2_00409F92
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Code function: 0_2_004077DD push ebp; ret 0_2_0040780E
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe, Process queried: DebugPort
    Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000000.209299905.0000000000C70000.00000002.00000001.sdmp, Binary or memory string: Program Manager
    Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000000.209299905.0000000000C70000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd
    Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000000.209299905.0000000000C70000.00000002.00000001.sdmp, Binary or memory string: Progman
    Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000000.209299905.0000000000C70000.00000002.00000001.sdmp, Binary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 2 | Virtualization/Sandbox Evasion 1 | OS Credential Dumping | Security Software Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 2 | LSASS Memory | Virtualization/Sandbox Evasion 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 1 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Information Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    Facturas Pagadas Al Vencimiento.exe | 71% | Virustotal |
    Facturas Pagadas Al Vencimiento.exe | 49% | Metadefender |
    Facturas Pagadas Al Vencimiento.exe | 70% | ReversingLabs | Win32.Trojan.Midie

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs

    Public

    IP | Domain | Country | Flag | ASN | ASN Name | Malicious

    Private

    IP
    192.168.2.1

    General Information

    Joe Sandbox Version: 32.0.0 Black Diamond
    Analysis ID: 433561
    Start date: 12.06.2021
    Start time: 15:15:46
    Joe Sandbox Product: CloudBasic
    Overall analysis duration: 0h 6m 19s
    Hypervisor based Inspection enabled: false
    Report type: full
    Sample file name: Facturas Pagadas Al Vencimiento.exe
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Run name: Run with higher sleep bypass
    Number of analysed new started processes analysed: 32
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Detection: MAL
    Classification: mal76.rans.troj.winEXE@3/8@0/1
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:
    • Successful, ratio: 14.2% (good quality ratio 2.9%)
    • Quality average: 15.3%
    • Quality standard deviation: 28.6%
    HCA Information: Failed
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Sleeps bigger than 120000ms are automatically reduced to 1000ms
    • Found application associated with file extension: .exe
    Warnings:
    • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, UsoClient.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
    • Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.43.193.48, 20.82.210.154, 184.30.20.56, 20.54.26.129, 2.20.142.209, 2.20.142.210, 51.103.5.159, 92.122.213.247, 92.122.213.194, 20.54.7.98
    • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
    • Not all processes were analyzed; report is missing behavior information

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Facturas Pagadas_2024e1b44264dba4d9a5d8d4883c883c62d1e68_380e93cd_0decea8c\Report.wer
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
    Category:dropped
    Size (bytes):11522
    Entropy (8bit):3.7779875477893152
    Encrypted:false
    Malicious:false
    Reputation:low
    C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Facturas Pagadas_e1b59d2026da206526c3718df9ca6d5772b50_380e93cd_0fd4bcc5\Report.wer
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
    Category:dropped
    Size (bytes):11522
    Entropy (8bit):3.7742938090874323
    Encrypted:false
    Malicious:false
    Reputation:low
    C:\ProgramData\Microsoft\Windows\WER\Temp\WERB3CC.tmp.dmp
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Mini DuMP crash report, 14 streams, Sat Jun 12 22:16:45 2021, 0x1205a4 type
    Category:dropped
    Size (bytes):51454
    Entropy (8bit):2.2977818654342994
    Encrypted:false
    Malicious:false
    Reputation:low
    C:\ProgramData\Microsoft\Windows\WER\Temp\WERB592.tmp.WERInternalMetadata.xml
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
    Category:dropped
    Size (bytes):8388
    Entropy (8bit):3.697296467124024
    Encrypted:false
    Malicious:false
    Reputation:low
    C:\ProgramData\Microsoft\Windows\WER\Temp\WERB620.tmp.xml
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):4741
    Entropy (8bit):4.500617379796648
    Encrypted:false
    Malicious:false
    Reputation:low
    C:\ProgramData\Microsoft\Windows\WER\Temp\WERE27D.tmp.dmp
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Mini DuMP crash report, 14 streams, Sat Jun 12 22:16:56 2021, 0x1205a4 type
    Category:dropped
    Size (bytes):46842
    Entropy (8bit):2.142337644740741
    Encrypted:false
    Malicious:false
    Reputation:low
    C:\ProgramData\Microsoft\Windows\WER\Temp\WERE443.tmp.WERInternalMetadata.xml
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
    Category:dropped
    Size (bytes):8394
    Entropy (8bit):3.7033486108502083
    Encrypted:false
    SSDEEP:192:Rrl7r3GLNipiH6IDChcp6YS9SUTnCZgmfo0jFSKCpDW89bbLsfVpm:RrlsNipa6IDD6YYSUTncgmfo05SlbQfC
    MD5:F5C74121B5DC9EE9131757F8F2AFE6A4
    SHA1:4FF4B4382606315D7340C280370D0243AF67A8CD
    SHA-256:25F595AB58251EDA060DD93BFCFE1C0070E007F5AEF3F5B1F08AD57D3A09A1B7
    SHA-512:CF911D20F34F8F87D18CFE32B1D431E35AFFC0ABA46C4DBD00B185E2A06620F2234E4B7051AD24BA5DAA104E8EC1D2CC0AA75ACFB1A288FA74713AC5945A8AA1
    Malicious:false
    Reputation:low
    Preview: <?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>17134</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>....<Revision>1</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>1033</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>5992</Pid>...
    C:\ProgramData\Microsoft\Windows\WER\Temp\WERE4B2.tmp.xml
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):4741
    Entropy (8bit):4.499433919214349
    Encrypted:false
    SSDEEP:48:cvIwSD8zskJgtWI9tpWSC8BNs8fm8M4JXT7/SWFGm+q8a7l2clCzX3XH8Pd:uITfiqYSN3RJrTlEHHgd
    MD5:247823C0DFE1056D126DCFEFF884585A
    SHA1:E5795350EAAE9A34C6E9D540BC0BFDF6345CBA37
    SHA-256:31458DB04F33FEB4CC874E0F39C370A98C637DA7FE1A95D00CB04AFA209ADFEA
    SHA-512:F35626524A9F16C3B863B3CE2EA6C66584994FE1CE9699EB15985EE807469C7E1B477C7BFCB84ED33B5AE6C77539D5043DE4CFB58659D8D98AF4881F399CC115
    Malicious:false
    Reputation:low
    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1031487" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):4.463887810480926
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:Facturas Pagadas Al Vencimiento.exe
    File size:135168
    MD5:c8d357afda8635441bc5838244ca0029
    SHA1:026b3b6bafa462c763860afeb21b3cfe05aeb600
    SHA256:94bfbe95a21d987080ac95825abde8cf1aa7955fa711c8daeea32ba18590979d
    SHA512:0630394ea500b46626aeb13033d6d6c213c79f1d7babc187e3bc62e4dc43272b57863fe1cdd33d83312866374801f47b4975f2631c44c96aa23f48150b8498bd
    SSDEEP:1536:8r2A295OAR92knLfapZm5sXu0dtyb/vxG8A:9A295OAR9ffUb+3m
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...hO.`.....................0....................@................

    File Icon

    Icon Hash:20047c7c70f0e004

    Static PE Info

    General

    Entrypoint:0x4014bc
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x60BD4F68 [Sun Jun 6 22:42:48 2021 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:54ea68151857c1f30c42224007018bf1

    Entrypoint Preview

    Instruction
    push 00401764h
    call 00007FCBE49FFB95h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    dec eax
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add ch, ah
    leave
    cmp al, 4Fh
    push esi
    arpl word ptr [ebp-32207EBAh], bp
    cmp dword ptr fs:[esi+0000B89Ah], esp
    add byte ptr [eax], al
    add byte ptr [eax], al
    add dword ptr [eax], eax
    add byte ptr [eax], al
    inc edx
    add byte ptr [esi], al
    push eax
    add dword ptr [ecx], 61h
    outsd
    jo 00007FCBE49FFC16h
    imul esi, dword ptr [esi+66h], 646C726Fh
    jc 00007FCBE49FFC07h
    outsb
    jnc 00007FCBE49FFBA3h
    add byte ptr [eax], al
    pushad
    jle 00007FCBE49FFBBEh
    add eax, dword ptr [eax]
    add byte ptr [eax], al
    add bh, bh
    int3
    xor dword ptr [eax], eax
    or ah, dl
    xchg eax, ebp
    sub bl, al
    jne 00007FCBE49FFB55h
    jnp 00007FCBE49FFBE9h
    call far 4E1Ch : 67233F9Ch
    out dx, eax
    daa
    sahf
    stosb
    jmp far AE85h : 4982311Ah
    dec ebp
    xchg eax, esp
    pop esp
    push cs
    push es
    or dword ptr [edx], edi
    dec edi
    lodsd
    xor ebx, dword ptr [ecx-48EE309Ah]
    or al, 00h
    stosb
    add byte ptr [eax-2Dh], ah
    xchg eax, ebx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xchg eax, ebp
    add dword ptr [eax], eax
    add byte ptr [edi+00h], cl
    add byte ptr [eax], al
    add byte ptr [ebx], cl
    add byte ptr [edi+ecx*2+52h], dl
    push ebx
    dec ecx
    dec edi
    inc edi
    push edx
    inc ecx
    push eax
    dec eax

    Data Directories

    | Name | Virtual Address | Virtual Size | Is in Section |
    |---|---|---|---|
    | IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1e604 | 0x28 | .text |
    | IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x21000 | 0x9b8 | .rsrc |
    | IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | |
    | IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x14c | .text |
    | IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

    Sections

    | Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
    |---|---|---|---|---|---|---|---|---|
    | .text | 0x1000 | 0x1db78 | 0x1e000 | False | 0.337109375 | data | 4.7219788122 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
    | .data | 0x1f000 | 0x1230 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
    | .rsrc | 0x21000 | 0x9b8 | 0x1000 | False | 0.178466796875 | data | 2.11818351755 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |

    Resources

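    | Name | RVA | Size | Type | Language | Country |
    |---|---|---|---|---|---|
    | RT_ICON | 0x21888 | 0x130 | data | | |
    | RT_ICON | 0x215a0 | 0x2e8 | data | | |
    | RT_ICON | 0x21478 | 0x128 | GLS_BINARY_LSB_FIRST | | |
    | RT_GROUP_ICON | 0x21448 | 0x30 | data | | |
    | RT_VERSION | 0x21150 | 0x2f8 | data | Sesotho (Sutu) | South Africa |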

    Imports

    | DLL | Import |
    |---|---|
    | MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaAryConstruct2, __vbaObjVar, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaVarErrI4, __vbaFPException, _CIlog, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaUI1Str, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj |

    Version Infos

    | Description | Data |
    |---|---|
    | Translation | 0x0430 0x04b0 |
    | LegalCopyright | Tera data |
    | InternalName | GRFTNING |
    | FileVersion | 1.00 |
    | CompanyName | Tera data |
    | LegalTrademarks | Tera data |
    | Comments | Tera data |
    | ProductName | Tera data |
    | ProductVersion | 1.00 |
    | FileDescription | Tera data |
    | OriginalFilename | GRFTNING.exe |

    Possible Origin

    | Language of compilation system | Country where language is spoken | Map |
    |---|---|---|
    | Sesotho (Sutu) | South Africa | |

    Network Behavior

    Network Port Distribution

    UDP Packets


    Code Manipulations

    Statistics

    CPU Usage

    Memory Usage

    High Level Behavior Distribution

    Behavior

    System Behavior

    General

    Start time:15:16:32
    Start date:12/06/2021
    Path:C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe
    Wow64 process (32bit):true
    Commandline:'C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe'
    Imagebase:0x400000
    File size:135168 bytes
    MD5 hash:C8D357AFDA8635441BC5838244CA0029
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Reputation:low

    General

    Start time:15:16:43
    Start date:12/06/2021
    Path:C:\Windows\SysWOW64\WerFault.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 700
    Imagebase:0xbb0000
    File size:434592 bytes
    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Reputation:high

    General

    Start time:15:16:56
    Start date:12/06/2021
    Path:C:\Windows\SysWOW64\WerFault.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 700
    Imagebase:0xbb0000
    File size:434592 bytes
    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Reputation:high

    Disassembly

    Code Analysis

      Execution Graph

      Execution Coverage:6.9%
      Dynamic/Decrypted Code Coverage:3.5%
      Signature Coverage:0.9%
      Total number of Nodes:227
      Total number of Limit Nodes:12

      Graph


      Executed Functions

      Control-flow Graph

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.254716661.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.254706537.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.254741129.000000000041C000.00000020.00020000.sdmp
      • Associated: 00000000.00000002.254748574.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.254755279.0000000000421000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: #100
      • String ID: VB5!6&*
      • API String ID: 1341478452-3593831657
      • Opcode ID: 5f3e2e100136f1232d624c4753613b012adc6fe0ec8d1085d54ea81a9ba19397
      • Instruction ID: a6ea99614695e4be4f8370293d5bc7d4b887457d99e0c55c48bf5437bc75f3b0
      • Opcode Fuzzy Hash: 5f3e2e100136f1232d624c4753613b012adc6fe0ec8d1085d54ea81a9ba19397
      • Instruction Fuzzy Hash: CFB1326284E3C19FC7139B708D655A27FB0AE1321431E09DBC4C1DE0F3D22C9A5AC76A
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • __vbaVarDup.MSVBVM60 ref: 0041C716
      • #557.MSVBVM60(?), ref: 0041C723
      • __vbaFreeVar.MSVBVM60 ref: 0041C73D
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402600,0000071C), ref: 0041C767
      • __vbaStrCopy.MSVBVM60(00401180,?), ref: 0041C77B
      • __vbaStrCopy.MSVBVM60 ref: 0041C792
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402600,000006F8), ref: 0041C7D1
      • __vbaFreeStr.MSVBVM60 ref: 0041C7D9
      • __vbaStrCopy.MSVBVM60 ref: 0041C82D
      • __vbaFreeStr.MSVBVM60 ref: 0041C85B
      • __vbaStrCopy.MSVBVM60 ref: 0041C875
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402600,000006FC), ref: 0041C8B7
      • __vbaFreeStr.MSVBVM60 ref: 0041C8BF
      • __vbaStrCopy.MSVBVM60 ref: 0041C8EF
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402600,00000700), ref: 0041C938
      • __vbaFreeStr.MSVBVM60 ref: 0041C940
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402600,00000704), ref: 0041C98B
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402600,00000708), ref: 0041C9FA
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402600,0000070C), ref: 0041CA30
      • __vbaStrCopy.MSVBVM60 ref: 0041CA3D
      • __vbaFreeStr.MSVBVM60 ref: 0041CA77
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402600,00000710), ref: 0041CADC
      • __vbaStrCopy.MSVBVM60 ref: 0041CB30
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402600,00000714), ref: 0041CB65
      • __vbaFreeStr.MSVBVM60 ref: 0041CB6D
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401180,004025D0,000002B4), ref: 0041CB8E
      • __vbaVarAdd.MSVBVM60(?,00000008,?), ref: 0041CBC2
      • __vbaVarMove.MSVBVM60 ref: 0041CBC9
      • __vbaVarTstLt.MSVBVM60(00000002,?), ref: 0041CBEA
      • #595.MSVBVM60(00008003,00000000,?,?,?), ref: 0041CC5B
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0041CC78
      • __vbaStrToAnsi.MSVBVM60(?,Mobbes6,9666ED25), ref: 0041CC92
      • __vbaSetSystemError.MSVBVM60(00000000), ref: 0041CCAA
      • __vbaFreeStr.MSVBVM60 ref: 0041CCC8
      • _adj_fdiv_m64.MSVBVM60 ref: 0041CCFC
      • __vbaFpI4.MSVBVM60(42280000,?,40C00000), ref: 0041CD2B
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401180,004025D0,000002C0,?,40C00000), ref: 0041CD5F
      • __vbaSetSystemError.MSVBVM60(0034274C,9666ED25), ref: 0041CD7A
      • #571.MSVBVM60(00000063), ref: 0041CD8A
      • __vbaSetSystemError.MSVBVM60(FE2C7C74), ref: 0041CD9A
      • __vbaSetSystemError.MSVBVM60 ref: 0041CDA7
      • __vbaEnd.MSVBVM60 ref: 0041CDB5
      • __vbaRecUniToAnsi.MSVBVM60(00402728,?,?), ref: 0041CDCE
      • __vbaSetSystemError.MSVBVM60(0031C67A,00000000), ref: 0041CDE5
      • __vbaRecAnsiToUni.MSVBVM60(00402728,?,?), ref: 0041CDFA
      • __vbaNew2.MSVBVM60(00402C9C,0041F3C0), ref: 0041CE1F
      • __vbaObjVar.MSVBVM60(?), ref: 0041CE31
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0041CE3F
      • __vbaHresultCheckObj.MSVBVM60(00000000,0210EDD4,00402C8C,00000010), ref: 0041CE59
      • __vbaFreeObj.MSVBVM60 ref: 0041CE65
      • __vbaStrToAnsi.MSVBVM60(?,Abhorlagerstyringer8), ref: 0041CE7D
      • __vbaSetSystemError.MSVBVM60(00000000), ref: 0041CE8F
      • __vbaFreeStr.MSVBVM60 ref: 0041CEAD
      • __vbaFpI4.MSVBVM60 ref: 0041CEC0
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401180,004025D0,000002C8), ref: 0041CEFC
      • __vbaSetSystemError.MSVBVM60(001DCB78,?,001AC0B5,9666ED25), ref: 0041CF24
      • __vbaNew2.MSVBVM60(00402C9C,0041F3C0), ref: 0041CF45
      • __vbaHresultCheckObj.MSVBVM60(00000000,0210EDD4,00402C8C,0000001C), ref: 0041CF6D
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402CAC,00000064), ref: 0041CF95
      • __vbaFreeObj.MSVBVM60 ref: 0041CF9D
      • __vbaSetSystemError.MSVBVM60(FE2C7C74,FE2C7C74), ref: 0041CFB8
      • __vbaNew2.MSVBVM60(00402C9C,0041F3C0), ref: 0041CFDD
      • __vbaHresultCheckObj.MSVBVM60(00000000,0210EDD4,00402C8C,0000001C), ref: 0041D005
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402CAC,00000060), ref: 0041D05B
      • __vbaFreeObj.MSVBVM60 ref: 0041D067
      • __vbaSetSystemError.MSVBVM60(004738FF,FE2C7C74,FE2C7C74,00448DA2), ref: 0041D092
      • __vbaVarDup.MSVBVM60 ref: 0041D0F2
      • #595.MSVBVM60(?,00000000,?,?,?), ref: 0041D116
      • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0041D13A
      • __vbaSetSystemError.MSVBVM60(003EFA1E,9666ED25), ref: 0041D164
      • #568.MSVBVM60(0000001E), ref: 0041D174
      • __vbaFreeVar.MSVBVM60(0041D1DA), ref: 0041D1D2
      • __vbaFreeVar.MSVBVM60 ref: 0041D1D7
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.254741129.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.254706537.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.254716661.0000000000401000.00000020.00020000.sdmp
      • Associated: 00000000.00000002.254748574.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.254755279.0000000000421000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$CheckHresult$Free$ErrorSystem$Copy$Ansi$New2$#595List$#557#568#571AddrefMove_adj_fdiv_m64
      • String ID: 7-7-7$Abhorlagerstyringer8$ECHESSTRIKKEGARNERNE$FAGBEVGELSER$Forhindringslbene5$Generablenessbitnivea$MAXILNGDES$Mentation5$Mobbes6$PRg$Rabarbergrdens1$Underlivssygdoms$dddd$i1,$inchamber$j57$n]$stakkequantisesamphi$vd
      • API String ID: 3255940769-2400406674
      • Opcode ID: 2286620ca421027be3d5757f4616a8f7b8a59af013d0e07b865e4e9c96fe17fe
      • Instruction ID: 1c506ac426c7594ec2cc0800950d7c5936de1471703447b537eee888befbfee4
      • Opcode Fuzzy Hash: 2286620ca421027be3d5757f4616a8f7b8a59af013d0e07b865e4e9c96fe17fe
      • Instruction Fuzzy Hash: 175281B0940219AFDB24DF50DD88FDAB7B8EF48705F1041AAF249B7190DBB45A85CF68
      Uniqueness

      Uniqueness Score: -1.00%

      Non-executed Functions

      Control-flow Graph

      APIs
      • __vbaVarDup.MSVBVM60 ref: 0041DF5A
      • #591.MSVBVM60(?), ref: 0041DF64
      • __vbaStrMove.MSVBVM60 ref: 0041DF75
      • __vbaStrCmp.MSVBVM60(String,00000000), ref: 0041DF7D
      • __vbaFreeStr.MSVBVM60 ref: 0041DF90
      • __vbaFreeVar.MSVBVM60 ref: 0041DF99
      • __vbaNew2.MSVBVM60(00402C9C,0041F3C0), ref: 0041DFB6
      • __vbaHresultCheckObj.MSVBVM60(00000000,0210EDD4,00402C8C,0000004C), ref: 0041DFDB
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402D10,00000024), ref: 0041E009
      • __vbaStrMove.MSVBVM60 ref: 0041E018
      • __vbaFreeObj.MSVBVM60 ref: 0041E01D
      • __vbaFreeStr.MSVBVM60(0041E050), ref: 0041E049
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.254741129.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.254706537.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.254716661.0000000000401000.00000020.00020000.sdmp
      • Associated: 00000000.00000002.254748574.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.254755279.0000000000421000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresultMove$#591New2
      • String ID: AIRPORT$String$stakkequantisesamphi
      • API String ID: 1960000165-2758877968
      • Opcode ID: 6e6de76e73fc4e516c1b139133c41a352bd416d3a9000c91e3ef47d1af8138dc
      • Instruction ID: 5c53ebd34566d4f060092860e9737ad9c2f736007af54a82bc23b527de218dd1
      • Opcode Fuzzy Hash: 6e6de76e73fc4e516c1b139133c41a352bd416d3a9000c91e3ef47d1af8138dc
      • Instruction Fuzzy Hash: CA314074900219EBCB14DF95DE499EEBBB4FF58704F10412AE901B32A0D7B85945CB58
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • __vbaStrCopy.MSVBVM60 ref: 0041D367
      • __vbaI4Str.MSVBVM60(00402CD0), ref: 0041D372
      • #608.MSVBVM60(?,00000000), ref: 0041D37D
      • __vbaVarTstNe.MSVBVM60(?,?), ref: 0041D399
      • __vbaFreeVar.MSVBVM60 ref: 0041D3A5
      • __vbaNew2.MSVBVM60(00402C9C,0041F3C0), ref: 0041D3C6
      • __vbaHresultCheckObj.MSVBVM60(00000000,0210EDD4,00402C8C,00000044), ref: 0041D49C
      • __vbaLateIdSt.MSVBVM60(?,00000000), ref: 0041D4D3
      • __vbaFreeVar.MSVBVM60 ref: 0041D4DC
      • __vbaFreeObj.MSVBVM60(0041D520), ref: 0041D510
      • __vbaFreeStr.MSVBVM60 ref: 0041D519
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.254741129.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.254706537.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.254716661.0000000000401000.00000020.00020000.sdmp
      • Associated: 00000000.00000002.254748574.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.254755279.0000000000421000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$Free$#608CheckCopyHresultLateNew2
      • String ID: Abhorlagerstyringer8
      • API String ID: 1142404513-2192159559
      • Opcode ID: 7a0a5e527309c5dab745b373e19e9749e15eb4043a8c7e2ee8ed2e78a6463dc2
      • Instruction ID: 20e86767211a625e44834e2a19053fbe2e53b5e75779c37eac627a63fa1dc932
      • Opcode Fuzzy Hash: 7a0a5e527309c5dab745b373e19e9749e15eb4043a8c7e2ee8ed2e78a6463dc2
      • Instruction Fuzzy Hash: 946105B0D01218DFCB04DFA8DA89A9DBBB4FF48704F20C16AE409AB351D7759946CF94
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • __vbaStrCopy.MSVBVM60 ref: 0041DC58
      • __vbaVarDup.MSVBVM60 ref: 0041DC83
      • #629.MSVBVM60(?,?,00000001,?), ref: 0041DC93
      • __vbaVarTstNe.MSVBVM60(?,?), ref: 0041DCB8
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0041DCCE
      • __vbaVarDup.MSVBVM60 ref: 0041DCF0
      • #600.MSVBVM60(?,00000002), ref: 0041DCF8
      • __vbaFreeVar.MSVBVM60 ref: 0041DD03
      • __vbaFreeStr.MSVBVM60(0041DD37), ref: 0041DD30
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.254741129.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.254706537.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.254716661.0000000000401000.00000020.00020000.sdmp
      • Associated: 00000000.00000002.254748574.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.254755279.0000000000421000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$Free$#600#629CopyList
      • String ID: FGFG$Generablenessbitnivea
      • API String ID: 3038482304-923814605
      • Opcode ID: acddb5484b3e0e7e796480fecba725cec68c465bcebdd560aefad694a3a3b342
      • Instruction ID: 8c5ac99677db49bf3f8db40310f0fcbd83aa9cb25ddf5ef00e12905d69efe1d5
      • Opcode Fuzzy Hash: acddb5484b3e0e7e796480fecba725cec68c465bcebdd560aefad694a3a3b342
      • Instruction Fuzzy Hash: 7731F5B1810228EFCB10DFA4DD88ADDBBB8FB48704F10815AE105A7290DBB45949CFA5
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D7E0
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D7E8
      • __vbaStrToAnsi.MSVBVM60(?,Indtrykker4,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D7F3
      • __vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D801
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D81A
      • __vbaFpI4.MSVBVM60(?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D830
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004025D0,000002C8,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D866
      • __vbaFreeStr.MSVBVM60(0041D896), ref: 0041D88E
      • __vbaFreeStr.MSVBVM60 ref: 0041D893
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.254741129.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.254706537.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.254716661.0000000000401000.00000020.00020000.sdmp
      • Associated: 00000000.00000002.254748574.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.254755279.0000000000421000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$Free$Copy$AnsiCheckErrorHresultSystem
      • String ID: Indtrykker4
      • API String ID: 2456558797-126329048
      • Opcode ID: dc5a99cc17f2c90df6bf25ccec4b5336b2c462be703901eb22e9a9e5c3fa82e6
      • Instruction ID: 88b8aa6b14f7c13a5743bea83aa0e018d727a95f6644cdac54b229180ecd0f83
      • Opcode Fuzzy Hash: dc5a99cc17f2c90df6bf25ccec4b5336b2c462be703901eb22e9a9e5c3fa82e6
      • Instruction Fuzzy Hash: 2421B0B1C40219ABCB14EF61DE499EEBF78EF58790F104026FA01B72A0DB741945CBA8
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 204 41d8c0-41d932 #673 __vbaFpR8 205 41d934-41d939 204->205 206 41d93b 204->206 207 41d93d-41d94f __vbaFreeVar 205->207 206->207 208 41d951-41d983 __vbaVarDup #667 __vbaStrMove __vbaFreeVar 207->208 209 41d985-41d9a0 __vbaFreeStr 207->209 208->209
      APIs
      • #673.MSVBVM60(00000000,40280000,00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,?), ref: 0041D91B
      • __vbaFpR8.MSVBVM60 ref: 0041D921
      • __vbaFreeVar.MSVBVM60 ref: 0041D94A
      • __vbaVarDup.MSVBVM60 ref: 0041D965
      • #667.MSVBVM60(00000002), ref: 0041D96F
      • __vbaStrMove.MSVBVM60 ref: 0041D97A
      • __vbaFreeVar.MSVBVM60 ref: 0041D983
      • __vbaFreeStr.MSVBVM60(0041D9A1), ref: 0041D99A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.254741129.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.254706537.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.254716661.0000000000401000.00000020.00020000.sdmp
      • Associated: 00000000.00000002.254748574.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.254755279.0000000000421000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$Free$#667#673Move
      • String ID: Generablenessbitnivea
      • API String ID: 1795453576-1714275343
      • Opcode ID: 3ae6f8913cd669990ab44c5dd52e77a573c7313df06c385752ffae39b019039c
      • Instruction ID: 899ac447f112ca5ab891a2c2d9295d6589279ea99d41affff6287f21166c1537
      • Opcode Fuzzy Hash: 3ae6f8913cd669990ab44c5dd52e77a573c7313df06c385752ffae39b019039c
      • Instruction Fuzzy Hash: 812151B1C00109ABCB04DFA5DF89BEEB7B8FB08745F204169E541B22A4DB746E45CF69
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • #512.MSVBVM60(00402D00,00000002), ref: 0041D671
      • __vbaStrMove.MSVBVM60 ref: 0041D67C
      • __vbaStrCmp.MSVBVM60(00402D0C,00000000), ref: 0041D688
      • __vbaFreeStr.MSVBVM60 ref: 0041D69B
      • __vbaNew2.MSVBVM60(00402C9C,0041F3C0), ref: 0041D6BC
      • __vbaHresultCheckObj.MSVBVM60(00000000,0210EDD4,00402C8C,0000004C), ref: 0041D6E1
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402D10,0000001C), ref: 0041D725
      • __vbaObjSet.MSVBVM60(?,?), ref: 0041D73A
      • __vbaFreeObj.MSVBVM60 ref: 0041D743
      • __vbaFreeObj.MSVBVM60(0041D77E), ref: 0041D777
      Memory Dump Source
      • Source File: 00000000.00000002.254741129.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.254706537.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.254716661.0000000000401000.00000020.00020000.sdmp
      • Associated: 00000000.00000002.254748574.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.254755279.0000000000421000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresult$#512MoveNew2
      • String ID:
      • API String ID: 2567612295-0
      • Opcode ID: ee2d4821bc1f903b44d6fae543a212fa15949565442d38f0f81a16c4b66a477f
      • Instruction ID: c032454cf80a4b2eda38b0934c3614cbff27b060431469753513e862b3c7607b
      • Opcode Fuzzy Hash: ee2d4821bc1f903b44d6fae543a212fa15949565442d38f0f81a16c4b66a477f
      • Instruction Fuzzy Hash: DF3150B0900218EBDB14DF95DE49ADEBBB8FF48701F20412AE945F72A0D7785945CBA8
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 223 41db00-41db78 __vbaStrCopy #618 __vbaStrMove __vbaStrCmp __vbaFreeStr 224 41dbb4-41dbd6 __vbaFreeStr 223->224 225 41db7a-41db89 223->225 226 41dbf6 225->226 227 41db8b-41dba0 225->227 226->226 227->224 230 41dba2-41dbae __vbaHresultCheckObj 227->230 230->224
      APIs
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,004012D6), ref: 0041DB39
      • #618.MSVBVM60(?,00000001,?,?,?,?,?,?,?,?,004012D6), ref: 0041DB45
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,004012D6), ref: 0041DB50
      • __vbaStrCmp.MSVBVM60(00402D60,00000000,?,?,?,?,?,?,?,?,004012D6), ref: 0041DB5C
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,004012D6), ref: 0041DB6F
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004025D0,00000084,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041DBAE
      • __vbaFreeStr.MSVBVM60(0041DBD7), ref: 0041DBD0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.254741129.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.254706537.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.254716661.0000000000401000.00000020.00020000.sdmp
      • Associated: 00000000.00000002.254748574.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.254755279.0000000000421000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$Free$#618CheckCopyHresultMove
      • String ID: var
      • API String ID: 592353017-1842382598
      • Opcode ID: 33e36e849ec0ca678fe8c027a43b03a3b3c94ea942beb6d4313aae297f06a140
      • Instruction ID: f2abc3237e8a0c19798317378e3d3d2f154e3e6414dcab5d8d05d7927f082734
      • Opcode Fuzzy Hash: 33e36e849ec0ca678fe8c027a43b03a3b3c94ea942beb6d4313aae297f06a140
      • Instruction Fuzzy Hash: C9218174D40105EBCB109F54DE49AEEBB78FF08701F11416AE942B32E0CB781985CB99
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 231 41d550-41d593 __vbaStrCopy 232 41d5a5-41d5b9 231->232 233 41d595-41d59f __vbaNew2 231->233 235 41d5bb-41d5c4 __vbaHresultCheckObj 232->235 236 41d5ca-41d5e3 232->236 233->232 235->236 238 41d5e5-41d5f1 __vbaHresultCheckObj 236->238 239 41d5f7-41d61a __vbaFreeObj __vbaFreeStr 236->239 238->239
      APIs
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D587
      • __vbaNew2.MSVBVM60(00402C9C,0041F3C0,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D59F
      • __vbaHresultCheckObj.MSVBVM60(00000000,0210EDD4,00402C8C,00000014,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D5C4
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402CBC,00000138,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D5F1
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D5FA
      • __vbaFreeStr.MSVBVM60(0041D61B,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D614
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.254741129.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.254706537.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.254716661.0000000000401000.00000020.00020000.sdmp
      • Associated: 00000000.00000002.254748574.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.254755279.0000000000421000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresult$CopyNew2
      • String ID: penetrancy
      • API String ID: 3978771648-2862842630
      • Opcode ID: e67b23dc1a8a4f6aca74fb13f12aae3e40ad280111b9de58c14bf78419b425ff
      • Instruction ID: efc14aa7d3f6c450c66ed766238e6b1322676a3dbb26bb6da62429b6ec9d7e3f
      • Opcode Fuzzy Hash: e67b23dc1a8a4f6aca74fb13f12aae3e40ad280111b9de58c14bf78419b425ff
      • Instruction Fuzzy Hash: 061160B0940205ABDB14DF54CE4AEEEBBB8FB58701F204127F505F31E0D7745585CAA9
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 241 41e110-41e18e __vbaStrCopy __vbaVarDup #557 __vbaFreeVar 242 41e190-41e19e 241->242 243 41e1b2-41e1db __vbaFreeStr 241->243 242->243 246 41e1a0-41e1ac __vbaHresultCheckObj 242->246 246->243
      APIs
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E14A
      • __vbaVarDup.MSVBVM60 ref: 0041E164
      • #557.MSVBVM60(?), ref: 0041E16E
      • __vbaFreeVar.MSVBVM60 ref: 0041E185
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402600,0000071C), ref: 0041E1AC
      • __vbaFreeStr.MSVBVM60(0041E1DC), ref: 0041E1D5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.254741129.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.254706537.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.254716661.0000000000401000.00000020.00020000.sdmp
      • Associated: 00000000.00000002.254748574.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.254755279.0000000000421000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$Free$#557CheckCopyHresult
      • String ID: 7-7-7
      • API String ID: 400132357-1053354141
      • Opcode ID: 2f05f71067ded4ddc0b3035411f63e84704510dc57d4280d08d86cb1754a5fbb
      • Instruction ID: e83486beffe51088c9b2ee67b202b40823170cfdd5884b4b70c55a7f866ae462
      • Opcode Fuzzy Hash: 2f05f71067ded4ddc0b3035411f63e84704510dc57d4280d08d86cb1754a5fbb
      • Instruction Fuzzy Hash: 61118774C01209EBCB04DFA5DA49ADEBB74FF14700F10812AE801B75A0D7745945CF69
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.254741129.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.254706537.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.254716661.0000000000401000.00000020.00020000.sdmp
      • Associated: 00000000.00000002.254748574.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.254755279.0000000000421000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$Free$#666BstrMove
      • String ID: Amagermadders3
      • API String ID: 2589103371-518441997
      • Opcode ID: 8547d1a91256089206e3596cb7d4e547dd70d7ab1b86845974af1e9fc0e176f9
      • Instruction ID: 8182846e64e33a909989e2372d58b4c9b024265b326ea5b80334f2e66b35b31c
      • Opcode Fuzzy Hash: 8547d1a91256089206e3596cb7d4e547dd70d7ab1b86845974af1e9fc0e176f9
      • Instruction Fuzzy Hash: B311D7B4C00249EBCB00DF94DA89ACDBFB8FF48705F10815AF401B76A4D7B81989CB99
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaStrCopy.MSVBVM60 ref: 0041DA0F
      • __vbaVarDup.MSVBVM60 ref: 0041DA29
      • #522.MSVBVM60(?,?), ref: 0041DA37
      • __vbaVarTstNe.MSVBVM60(?,?), ref: 0041DA53
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041DA66
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401208,004025D0,00000084), ref: 0041DAA5
      • __vbaFreeStr.MSVBVM60(0041DAD5), ref: 0041DACE
      Memory Dump Source
      • Source File: 00000000.00000002.254741129.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.254706537.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.254716661.0000000000401000.00000020.00020000.sdmp
      • Associated: 00000000.00000002.254748574.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.254755279.0000000000421000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$Free$#522CheckCopyHresultList
      • String ID:
      • API String ID: 101959151-0
      • Opcode ID: 0a49b0e6daeb0e4723f4920b6d29c503952f6023fd2793d6be574ec82b8ef3cb
      • Instruction ID: b7b156cd76bafcecbbe3baac2bb129b2862aa39542046b9d3affd1a26464b4da
      • Opcode Fuzzy Hash: 0a49b0e6daeb0e4723f4920b6d29c503952f6023fd2793d6be574ec82b8ef3cb
      • Instruction Fuzzy Hash: 783146B0C00249ABCB00DF94D988AEEFFB8FF58704F10851AE545B72A0D7B45589CF69
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaVarErrI4.MSVBVM60(?,0000648E,?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E536
      • #559.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E53D
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E554
      • __vbaNew2.MSVBVM60(00402C9C,0041F3C0,?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E571
      • __vbaHresultCheckObj.MSVBVM60(00000000,0210EDD4,00402C8C,0000001C), ref: 0041E596
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402CAC,00000050), ref: 0041E5B6
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E5BF
      Memory Dump Source
      • Source File: 00000000.00000002.254741129.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.254706537.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.254716661.0000000000401000.00000020.00020000.sdmp
      • Associated: 00000000.00000002.254748574.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.254755279.0000000000421000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresult$#559New2
      • String ID:
      • API String ID: 3171936532-0
      • Opcode ID: 31755a79dc863be21276d05616d63058e39f022dbb771b2537fa65fb3f52c116
      • Instruction ID: 0798f42a38d5d688e458dd4ed7917b7e69d2242546db28fdbd7f1393e821792c
      • Opcode Fuzzy Hash: 31755a79dc863be21276d05616d63058e39f022dbb771b2537fa65fb3f52c116
      • Instruction Fuzzy Hash: 53219078900244EBDB10AFA5CE49AEEBFB9FF48704F10402BF501F31A0D77855828B68
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E41A
      • #516.MSVBVM60(00402CDC,?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E425
      • __vbaNew2.MSVBVM60(00402C9C,0041F3C0,?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E447
      • __vbaHresultCheckObj.MSVBVM60(00000000,0210EDD4,00402C8C,0000004C), ref: 0041E46C
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402D10,0000002C), ref: 0041E4A9
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E4B2
      • __vbaFreeStr.MSVBVM60(0041E4D3,?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E4CC
      Memory Dump Source
      • Source File: 00000000.00000002.254741129.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.254706537.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.254716661.0000000000401000.00000020.00020000.sdmp
      • Associated: 00000000.00000002.254748574.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.254755279.0000000000421000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresult$#516CopyNew2
      • String ID:
      • API String ID: 742114213-0
      • Opcode ID: 3a33a085d3c05f40fbe405be33fea8a8e08105136c39eede7eb5bced538454c6
      • Instruction ID: aa0fba7c589133053b453d7b7152c341a6f1b5e33c6f078f8bb56a6e01046427
      • Opcode Fuzzy Hash: 3a33a085d3c05f40fbe405be33fea8a8e08105136c39eede7eb5bced538454c6
      • Instruction Fuzzy Hash: C6219F74900205EFDB04DF95CA49ADEBBB4FF48700F20802BE945F72A0D7785985CBA9
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaNew2.MSVBVM60(00402C9C,0041F3C0,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E244
      • __vbaHresultCheckObj.MSVBVM60(00000000,0210EDD4,00402C8C,00000014,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E269
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402CBC,00000118,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E293
      • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E29C
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041E2A5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.254741129.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.254706537.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.254716661.0000000000401000.00000020.00020000.sdmp
      • Associated: 00000000.00000002.254748574.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.254755279.0000000000421000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$CheckHresult$FreeNew2
      • String ID: *:>K
      • API String ID: 4261391273-1744597861
      • Opcode ID: b1b2aa4e03aefe6bbbec172f20a46d7db6e9d1805fb5a9f366fd3ce2bf14addd
      • Instruction ID: b3482982f9fe15922e01429ad109d1ad9cbf6900ed1ff56ea03b5bf39c95b5e5
      • Opcode Fuzzy Hash: b1b2aa4e03aefe6bbbec172f20a46d7db6e9d1805fb5a9f366fd3ce2bf14addd
      • Instruction Fuzzy Hash: 3B119374940218AFDB04DF96CE49EEEBBBCFB18700F10406BF905F32A0D67855858BA8
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041DE7A
      • #539.MSVBVM60(?,00000001,00000001,00000001,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041DE8A
      • __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041DE94
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041DE9F
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041DEA8
      • __vbaFreeStr.MSVBVM60(0041DED7), ref: 0041DECF
      • __vbaFreeStr.MSVBVM60 ref: 0041DED4
      Memory Dump Source
      • Source File: 00000000.00000002.254741129.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.254706537.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.254716661.0000000000401000.00000020.00020000.sdmp
      • Associated: 00000000.00000002.254748574.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.254755279.0000000000421000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$Free$Move$#539Copy
      • String ID:
      • API String ID: 602717009-0
      • Opcode ID: 60e40e99383cac3c8f0a159078a5a471e48aaaac025b06a6d05fc387bcec4f1d
      • Instruction ID: 211c1ff9f3fa9503c494fab271d7933cba4c939a0907b1826060bee7fe07ab76
      • Opcode Fuzzy Hash: 60e40e99383cac3c8f0a159078a5a471e48aaaac025b06a6d05fc387bcec4f1d
      • Instruction Fuzzy Hash: CD011E71D00249DFCB04DFA4DE49BDEBB74EB18701F10802AE512B75A0EB745945CFA5
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041DE7A
      • #539.MSVBVM60(?,00000001,00000001,00000001,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041DE8A
      • __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041DE94
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041DE9F
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041DEA8
      • __vbaFreeStr.MSVBVM60(0041DED7), ref: 0041DECF
      • __vbaFreeStr.MSVBVM60 ref: 0041DED4
      Memory Dump Source
      • Source File: 00000000.00000002.254716661.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.254706537.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.254741129.000000000041C000.00000020.00020000.sdmp
      • Associated: 00000000.00000002.254748574.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.254755279.0000000000421000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$Free$Move$#539Copy
      • String ID:
      • API String ID: 602717009-0
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaNew2.MSVBVM60(00402C9C,0041F3C0,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041DDAC
      • __vbaHresultCheckObj.MSVBVM60(00000000,0210EDD4,00402C8C,00000014,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041DDD1
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402CBC,00000138,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041DDFE
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,004012D6), ref: 0041DE07
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.254741129.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.254706537.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.254716661.0000000000401000.00000020.00020000.sdmp
      • Associated: 00000000.00000002.254748574.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.254755279.0000000000421000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$CheckHresult$FreeNew2
      • String ID: Generablenessbitnivea
      • API String ID: 4261391273-1714275343
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaAryConstruct2.MSVBVM60(?,00402B58,00000011), ref: 0041C5D0
      • __vbaUI1Str.MSVBVM60(00402B30), ref: 0041C5DB
      • __vbaFileOpen.MSVBVM60(00000020,000000FF,00000027,dikteringers), ref: 0041C5F0
      • __vbaAryDestruct.MSVBVM60(00000000,?,0041C611), ref: 0041C60A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.254741129.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.254706537.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.254716661.0000000000401000.00000020.00020000.sdmp
      • Associated: 00000000.00000002.254748574.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.254755279.0000000000421000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$Construct2DestructFileOpen
      • String ID: dikteringers
      • API String ID: 1429767298-700272923
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaNew2.MSVBVM60(00402C9C,0041F3C0,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D244
      • __vbaHresultCheckObj.MSVBVM60(00000000,0210EDD4,00402C8C,00000014), ref: 0041D269
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402CBC,00000100), ref: 0041D293
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D2AE
      • #568.MSVBVM60(000000B3,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0041D2BE
      Memory Dump Source
      • Source File: 00000000.00000002.254741129.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.254706537.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.254716661.0000000000401000.00000020.00020000.sdmp
      • Associated: 00000000.00000002.254748574.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.254755279.0000000000421000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Facturas Pagadas Al Vencimiento.jbxd
      Similarity
      • API ID: __vba$CheckHresult$#568FreeNew2
      • String ID:
      • API String ID: 575755541-0
      Uniqueness

      Uniqueness Score: -1.00%