Windows Analysis Report OFFER-8768777765554-PDF.exe

Overview

General Information

Sample Name:OFFER-8768777765554-PDF.exe
Analysis ID:435174
MD5:dd34ccb897fa3b88af6d3da17b713b3a
SHA1:01f5eebafc304ec00e25c2c52751cc24d05dd8c9
SHA256:709cc1b84208f4dd7f541a50772c7888f704561866eccd4b1aee0e1ba6e3ac74
Detection

GuLoader
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • OFFER-8768777765554-PDF.exe (PID: 5804 cmdline: 'C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe' MD5: DD34CCB897FA3B88AF6D3DA17B713B3A)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://onedrive.live.com/download?cid=51D628A65732BF05&resid=51D628A65732BF05%21161&authkey=ABg4zwujoOrC4rM, https://onedrive.live.com/download?cid=CC6C941704A208C4&resid=CC6C941704"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
OFFER-8768777765554-PDF.exe | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    AV Detection:

    Found malware configuration
    Source: OFFER-8768777765554-PDF.exe  Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=51D628A65732BF05&resid=51D628A65732BF05%21161&authkey=ABg4zwujoOrC4rM, https://onedrive.live.com/download?cid=CC6C941704A208C4&resid=CC6C941704"}
    Multi AV Scanner detection for submitted file
    Source: OFFER-8768777765554-PDF.exe  Virustotal: Detection: 13%
    Source: OFFER-8768777765554-PDF.exe  Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor  URLs: https://onedrive.live.com/download?cid=51D628A65732BF05&resid=51D628A65732BF05%21161&authkey=ABg4zwujoOrC4rM, https://onedrive.live.com/download?cid=CC6C941704A208C4&resid=CC6C941704
    Source: OFFER-8768777765554-PDF.exe, 00000000.00000002.577399025.00000000006AA000.00000004.00000020.sdmp  Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Process Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E5A9F NtAllocateVirtualMemory, 0_2_022E5A9F
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E574E NtAllocateVirtualMemory, 0_2_022E574E
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E5B47 NtAllocateVirtualMemory, 0_2_022E5B47
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E5BB0 NtAllocateVirtualMemory, 0_2_022E5BB0
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E5B93 NtAllocateVirtualMemory, 0_2_022E5B93
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_0040DCBE 0_2_0040DCBE
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E5A9F 0_2_022E5A9F
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E3E2B 0_2_022E3E2B
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E8233 0_2_022E8233
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E761E 0_2_022E761E
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E1212 0_2_022E1212
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E0E6B 0_2_022E0E6B
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E96A1 0_2_022E96A1
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E3E87 0_2_022E3E87
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E8A98 0_2_022E8A98
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E06C4 0_2_022E06C4
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E12D5 0_2_022E12D5
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E3F3D 0_2_022E3F3D
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E230E 0_2_022E230E
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E2F1B 0_2_022E2F1B
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E574E 0_2_022E574E
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E374B 0_2_022E374B
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E5B47 0_2_022E5B47
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E2751 0_2_022E2751
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E2F8B 0_2_022E2F8B
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E3783 0_2_022E3783
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E3F95 0_2_022E3F95
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E2BC4 0_2_022E2BC4
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E1BC1 0_2_022E1BC1
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E283B 0_2_022E283B
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E0000 0_2_022E0000
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E587C 0_2_022E587C
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E1043 0_2_022E1043
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E2C56 0_2_022E2C56
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E4055 0_2_022E4055
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E8C53 0_2_022E8C53
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E40AD 0_2_022E40AD
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E10AB 0_2_022E10AB
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E2CA3 0_2_022E2CA3
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E4CBC 0_2_022E4CBC
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E6089 0_2_022E6089
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E8C91 0_2_022E8C91
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E10CD 0_2_022E10CD
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E292F 0_2_022E292F
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E0D25 0_2_022E0D25
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E4523 0_2_022E4523
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E211D 0_2_022E211D
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E0D6D 0_2_022E0D6D
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E1167 0_2_022E1167
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E2564 0_2_022E2564
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E2944 0_2_022E2944
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E11A7 0_2_022E11A7
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E05BE 0_2_022E05BE
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E4D89 0_2_022E4D89
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E11E3 0_2_022E11E3
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E3DE3 0_2_022E3DE3
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E29FF 0_2_022E29FF
    Source: OFFER-8768777765554-PDF.exe  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: OFFER-8768777765554-PDF.exe, 00000000.00000000.194465860.0000000000417000.00000002.00020000.sdmp  Binary or memory string: OriginalFilenameStemmeskred7.exe vs OFFER-8768777765554-PDF.exe
    Source: OFFER-8768777765554-PDF.exe, 00000000.00000002.577492034.00000000021C0000.00000004.00000001.sdmp  Binary or memory string: OriginalFilenameStemmeskred7.exeFE2Xe vs OFFER-8768777765554-PDF.exe
    Source: OFFER-8768777765554-PDF.exe, 00000000.00000002.577518185.00000000022D0000.00000002.00000001.sdmp  Binary or memory string: OriginalFilenameuser32j% vs OFFER-8768777765554-PDF.exe
    Source: OFFER-8768777765554-PDF.exe  Binary or memory string: OriginalFilenameStemmeskred7.exe vs OFFER-8768777765554-PDF.exe
    Source: OFFER-8768777765554-PDF.exe  Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: classification engine  Classification label: mal84.troj.evad.winEXE@1/0@0/0
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  File created: C:\Users\user\AppData\Local\Temp\~DF5C597FFB7E664D03.TMP
    Source: OFFER-8768777765554-PDF.exe  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: OFFER-8768777765554-PDF.exe  Virustotal: Detection: 13%

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match  File source: OFFER-8768777765554-PDF.exe, type: SAMPLE
    Source: Yara match  File source: 0.0.OFFER-8768777765554-PDF.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match  File source: 0.2.OFFER-8768777765554-PDF.exe.400000.0.unpack, type: UNPACKEDPE
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_0040506F pushfd ; retf 0_2_0040508C
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_00408090 push BAD2BC25h; retf 0_2_004080B9
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_00404D00 push ds; ret 0_2_00404D0F
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_00405535 push cs; ret 0_2_00405553
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_00408D99 push cs; ret 0_2_00408DA3
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_00404206 push ebp; ret 0_2_00404207
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_00407E0B push ds; retf 0_2_00407E0D
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_00404A19 push edx; iretd 0_2_00404A53
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_00405619 push es; ret 0_2_0040561F
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E8D5B push eax; ret 0_2_022E8D63
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Contains functionality to detect hardware virtualization (CPUID execution measurement)
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E8A98 0_2_022E8A98
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E8C53 0_2_022E8C53
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E6089 0_2_022E6089
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E8C91 0_2_022E8C91
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E05BE 0_2_022E05BE
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  RDTSC instruction interceptor: First address: 00000000022E012B second address: 00000000022E012B instructions:
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  RDTSC instruction interceptor: First address: 00000000022E0392 second address: 00000000022E0392 instructions:
    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  RDTSC instruction interceptor: First address: 00000000022E012B second address: 00000000022E012B instructions:
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  RDTSC instruction interceptor: First address: 00000000022E0392 second address: 00000000022E0392 instructions:
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  RDTSC instruction interceptor: First address: 00000000022E548D second address: 00000000022E548D instructions:
        0x00000000 rdtsc
        0x00000002 mov eax, 8513714Ah
        0x00000007 sub eax, BC31FDEAh
        0x0000000c sub eax, D99E02B9h
        0x00000011 add eax, 10BC8F5Ah
        0x00000016 cpuid
        0x00000018 popad
        0x00000019 jmp 00007FF5107330C6h
        0x0000001b cmp ax, 0000AF66h
        0x0000001f call 00007FF5107330D7h
        0x00000024 lfence
        0x00000027 mov edx, 0ACECDC1h
        0x0000002c xor edx, 9CCC939Eh
        0x00000032 add edx, 5020915Ah
        0x00000038 xor edx, 99DCEFADh
        0x0000003e mov edx, dword ptr [edx]
        0x00000040 lfence
        0x00000043 ret
        0x00000044 sub edx, esi
        0x00000046 ret
        0x00000047 pop ecx
        0x00000048 jmp 00007FF5107330C2h
        0x0000004a cmp edx, ecx
        0x0000004c add edi, edx
        0x0000004e test dl, cl
        0x00000050 dec ecx
        0x00000051 cmp ecx, 00000000h
        0x00000054 jne 00007FF51073307Dh
        0x00000056 mov dword ptr [ebp+00000200h], esi
        0x0000005c mov esi, ecx
        0x0000005e push esi
        0x0000005f mov esi, dword ptr [ebp+00000200h]
        0x00000065 cmp ch, bh
        0x00000067 call 00007FF5107330F6h
        0x0000006c call 00007FF510733112h
        0x00000071 lfence
        0x00000074 mov edx, 0ACECDC1h
        0x00000079 xor edx, 9CCC939Eh
        0x0000007f add edx, 5020915Ah
        0x00000085 xor edx, 99DCEFADh
        0x0000008b mov edx, dword ptr [edx]
        0x0000008d lfence
        0x00000090 ret
        0x00000091 mov esi, edx
        0x00000093 pushad
        0x00000094 rdtsc
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E3E2B rdtsc 0_2_022E3E2B
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  API coverage: 8.5 %
    Source: all processes  Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    Anti Debugging:

    Found potential dummy code loops (likely to delay analysis)
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Process Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E3E2B rdtsc 0_2_022E3E2B
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E8A98 mov eax, dword ptr fs:[00000030h] 0_2_022E8A98
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E536F mov eax, dword ptr fs:[00000030h] 0_2_022E536F
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E374B mov eax, dword ptr fs:[00000030h] 0_2_022E374B
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E3783 mov eax, dword ptr fs:[00000030h] 0_2_022E3783
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E2BC4 mov eax, dword ptr fs:[00000030h] 0_2_022E2BC4
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E7C09 mov eax, dword ptr fs:[00000030h] 0_2_022E7C09
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E811C mov eax, dword ptr fs:[00000030h] 0_2_022E811C
    Source: all processes  Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: OFFER-8768777765554-PDF.exe, 00000000.00000002.577434686.0000000000D70000.00000002.00000001.sdmp  Binary or memory string: Program Manager
    Source: OFFER-8768777765554-PDF.exe, 00000000.00000002.577434686.0000000000D70000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd
    Source: OFFER-8768777765554-PDF.exe, 00000000.00000002.577434686.0000000000D70000.00000002.00000001.sdmp  Binary or memory string: Progman
    Source: OFFER-8768777765554-PDF.exe, 00000000.00000002.577434686.0000000000D70000.00000002.00000001.sdmp  Binary or memory string: Progmanlock
    Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe  Code function: 0_2_022E1453 cpuid 0_2_022E1453

    Mitre Att&ck Matrix

    Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts
    Execution: Windows Management Instrumentation | Scheduled Task/Job | At (Linux) | At (Windows)
    Persistence: Path Interception | Boot or Logon Initialization Scripts | Logon Script (Windows) | Logon Script (Mac)
    Privilege Escalation: Process Injection 1 | Boot or Logon Initialization Scripts | Logon Script (Windows) | Logon Script (Mac)
    Defense Evasion: Virtualization/Sandbox Evasion 11 | Process Injection 1 | Obfuscated Files or Information 1 | Binary Padding
    Credential Access: Input Capture 1 | LSASS Memory | Security Account Manager | NTDS
    Discovery: Security Software Discovery 41 | Virtualization/Sandbox Evasion 11 | Process Discovery 1 | System Information Discovery 311
    Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model
    Collection: Input Capture 1 | Archive Collected Data 1 | Data from Network Shared Drive | Input Capture
    Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Scheduled Transfer
    Command and Control: Encrypted Channel 1 | Application Layer Protocol 1 | Steganography | Protocol Impersonation
    Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location | SIM Card Swap
    Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups | Carrier Billing Fraud
    Impact: Modify System Partition | Device Lockout | Delete Device Data

    Behavior Graph

    Screenshots

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    OFFER-8768777765554-PDF.exe | 13% | Virustotal |

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    https://onedrive.live.com/download?cid=51D628A65732BF05&resid=51D628A65732BF05%21161&authkey=ABg4zwujoOrC4rM, https://onedrive.live.com/download?cid=CC6C941704A208C4&resid=CC6C941704 | false | | high

      Contacted IPs

      No contacted IP infos

      General Information

      Joe Sandbox Version:32.0.0 Black Diamond
      Analysis ID:435174
      Start date:16.06.2021
      Start time:05:32:24
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 5m 32s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:OFFER-8768777765554-PDF.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:36
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal84.troj.evad.winEXE@1/0@0/0
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:
      • Successful, ratio: 52.5% (good quality ratio 31.2%)
      • Quality average: 37.6%
      • Quality standard deviation: 35.6%
      HCA Information:Failed
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .exe
      • Override analysis time to 240s for sample files taking high CPU consumption
      Warnings:
      • Max analysis timeout: 220s exceeded, the analysis took too long
      • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, UsoClient.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
      • Not all processes where analyzed, report is missing behavior information

      Simulations

      Behavior and APIs

      No simulations

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      No created / dropped files found

      Static File Info

      General

      File type:PE32 executable (GUI) Intel 80386, for MS Windows
      Entropy (8bit):5.8993604994375675
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.15%
      • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:OFFER-8768777765554-PDF.exe
      File size:94208
      MD5:dd34ccb897fa3b88af6d3da17b713b3a
      SHA1:01f5eebafc304ec00e25c2c52751cc24d05dd8c9
      SHA256:709cc1b84208f4dd7f541a50772c7888f704561866eccd4b1aee0e1ba6e3ac74
      SHA512:a27103e8c475bfe2edbbc1d6de7b9526fc2eca1b0ac2f029c784088fc635892d3fe5c402fe8c55971face6309bd17b8f326c1b384a940803fd4ea1eede4b9f29
      SSDEEP:1536:0VktxQ6lleR1nwjoWlc7hyCTyStNCEXHa3y2C/u5W3EUanOYA2nJ29GLwb7zN9gm:0OXQqlG1w0WqwCTySPNu5W3EUanOYA2a
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.S............&........ .......$......Rich....................PE..L....:.H.................@...0......D........P....@........

      File Icon

      Icon Hash:11c0c48486cc08c4

      Static PE Info

      General

      Entrypoint:0x401644
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      DLL Characteristics:
      Time Stamp:0x48913AA8 [Thu Jul 31 04:08:08 2008 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:d5d16d1b76210dd28c8586fe9bac3119

      Entrypoint Preview

      Instruction
      push 00402794h
      call 00007FF510CDF283h
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      xor byte ptr [eax], al
      add byte ptr [eax], al
      inc eax
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add dh, bl
      je 00007FF510CDF27Dh
      cwde
      rol byte ptr [ecx+19h], 00000043h
      wait
      call far 0FA0h : FF9A47FDh
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add dword ptr [eax], eax
      add byte ptr [eax], al
      pop ss
      add eax, dword ptr [edi+00h]
      add byte ptr [eax], al
      outsd
      jo 00007FF510CDF304h
      imul esp, dword ptr [ebx+esi*2+6Eh], 65676E69h
      jc 00007FF510CDF292h
      pop es
      inc ecx
      add byte ptr [eax], al
      add byte ptr [eax], al
      add bh, bh
      int3
      xor dword ptr [eax], eax
      add dh, bl
      scasb
      adc al, 00h
      jo 00007FF510CDF2F3h
      cmpsd
      dec edi
      xchg eax, edi
      cli
      sbb dword ptr [edi+58h], 97C001B7h
      mov ch, 3Fh
      std
      out dx, eax
      xchg eax, edx
      and al, byte ptr [eax+esi*4+53h]
      inc ebx
      mov byte ptr [3A942196h], al
      dec edi
      lodsd
      xor ebx, dword ptr [ecx-48EE309Ah]
      or al, 00h
      stosb
      add byte ptr [eax-2Dh], ah
      xchg eax, ebx
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      pop esi
      or al, byte ptr [eax]
      add byte ptr [ecx+0Ah], bl
      add byte ptr [eax], al
      add byte ptr [edx], cl
      add byte ptr [edx+4Fh], dl
      push ebx
      inc ecx
      dec ebp
      push ebp
      dec esi
      inc esp
      inc ecx
      push ebx
      add byte ptr [73000F01h], cl
      je 00007FF510CDF30Bh
      jc 00007FF510CDF2F7h

      Data Directories

      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13b94 | 0x28 | .text
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17000 | 0xd86 | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x230 | 0x20 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x190 | .text
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

      Sections

      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x1000 | 0x131c8 | 0x14000 | False | 0.495971679688 | data | 6.27184152045 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      .data | 0x15000 | 0x1b84 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
      .rsrc | 0x17000 | 0xd86 | 0x1000 | False | 0.346435546875 | data | 3.582300179 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

      Resources

      Name | RVA | Size | Type | Language | Country
      RT_ICON | 0x17c5e | 0x128 | GLS_BINARY_LSB_FIRST | |
      RT_ICON | 0x173b6 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 16776176, next used block 10526884 | |
      RT_GROUP_ICON | 0x17394 | 0x22 | data | |
      RT_VERSION | 0x17120 | 0x274 | data | English | United States

      Imports

      DLL | Import
      MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaLineInputStr, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaErase, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaVarTstEq, __vbaAryConstruct2, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaInStrB, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, __vbaVarLateMemCallLd, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, __vbaFPInt, _CIexp, __vbaFreeObj, __vbaFreeStr

      Version Infos

      Description | Data
      Translation | 0x0409 0x04b0
      InternalName | Stemmeskred7
      FileVersion | 1.00
      CompanyName | Violet Solution
      Comments | Violet Solution
      ProductName | opridsninger
      ProductVersion | 1.00
      OriginalFilename | Stemmeskred7.exe

      Possible Origin

      Language of compilation system | Country where language is spoken
      English | United States

      Network Behavior

      No network behavior found

      Code Manipulations

      Statistics

      CPU Usage

      Memory Usage

      System Behavior

      General

      Start time:05:33:09
      Start date:16/06/2021
      Path:C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe
      Wow64 process (32bit):true
      Commandline:'C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe'
      Imagebase:0x400000
      File size:94208 bytes
      MD5 hash:DD34CCB897FA3B88AF6D3DA17B713B3A
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Visual Basic
      Reputation:low

      Disassembly

      Code Analysis

        Execution Graph

        Execution Coverage:0.6%
        Dynamic/Decrypted Code Coverage:73%
        Signature Coverage:52.4%
        Total number of Nodes:523
        Total number of Limit Nodes:19

        Graph


        Executed Functions

        Control-flow Graph

        • Executed
        • Not Executed
22e7e21-22e7e25 371->402 374 22e5a94 373->374 373->375 374->358 375->353 375->381 378->343 378->359 381->265 392 22e5d2d-22e5e23 call 22e7bc3 call 22e5d52 381->392 390->391 442 22e4425-22e44c9 390->442 407 22e7e57-22e7e6b call 22e7e80 402->407 408 22e7e27-22e7e37 call 22e811c 402->408 407->370 408->407 421 22e7e39-22e7e52 call 22e811c 408->421 421->407 442->265 445 22e44cf-22e4580 call 22e969c 442->445 445->391 450 22e4586-22e4626 445->450 450->275 453 22e462c-22e4710 450->453 453->316 457 22e4716-22e478b call 22e969c 453->457 457->391 461 22e4791-22e4796 457->461 461->391 462 22e479c-22e47ac 461->462 463 22e47ae-22e47b1 462->463 464 22e47d0-22e47dd 462->464 463->391 465 22e47b7-22e47cd 463->465 464->391 466 22e47e3-22e4971 call 22e807b 464->466 465->464 466->391 474 22e4977-22e49fa call 22e5387 466->474 474->391 479 22e4a00-22e4a89 call 22e969c 474->479 479->391 484 22e4a8f-22e4ae5 call 22e969c 479->484 484->391 488 22e4aeb-22e4b7a call 22e969c * 2 484->488
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: AllocateMemoryVirtual
        • String ID:
        • API String ID: 2167126740-0
        • Opcode ID: 69b248f5eb48717a5b55b4e4770cfe6ceafeca9016f6fed424941847c7a5fbd6
        • Instruction ID: 7d8e561e8287b73d16db67873826f60dd8dca3c8cfa47aa36387d3774c6298b6
        • Opcode Fuzzy Hash: 69b248f5eb48717a5b55b4e4770cfe6ceafeca9016f6fed424941847c7a5fbd6
        • Instruction Fuzzy Hash: D3D166715343868FDF349EB888D87E937A2AF0531CFD5005ED8978B269C735898ADB42
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        APIs
        • NtAllocateVirtualMemory.NTDLL ref: 022E5CA6
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: AllocateMemoryVirtual
        • String ID:
        • API String ID: 2167126740-0
        • Opcode ID: 12b1580cb88ed6afe704c7b20e0a36b8cdcb0031e71c6139c8fdb254ba7150fa
        • Instruction ID: 908e32586566435721a40a5114aec36d77bde8879330072d16ace39c4ce91aac
        • Opcode Fuzzy Hash: 12b1580cb88ed6afe704c7b20e0a36b8cdcb0031e71c6139c8fdb254ba7150fa
        • Instruction Fuzzy Hash: F8513671524345CFDF749EA8C8907EA77A1AF16354FD1051EDC8ADB264C3758982CF02
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        APIs
        • NtAllocateVirtualMemory.NTDLL ref: 022E5CA6
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: AllocateMemoryVirtual
        • String ID:
        • API String ID: 2167126740-0
        • Opcode ID: 7dbb6633f3be611bd0947c82aec78fa96a6d5311545e618306b3f875c3bc2976
        • Instruction ID: 275c841d0a8f97167faab5925c0b1071caa6b06bdf4d1d4a926776bf630f1f92
        • Opcode Fuzzy Hash: 7dbb6633f3be611bd0947c82aec78fa96a6d5311545e618306b3f875c3bc2976
        • Instruction Fuzzy Hash: A3513371528385CFEF649EA8C8907EA77B1AF15318FC1001EDC8ACB2A4C3758982CF02
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        APIs
        • NtAllocateVirtualMemory.NTDLL ref: 022E5CA6
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: AllocateMemoryVirtual
        • String ID:
        • API String ID: 2167126740-0
        • Opcode ID: c2ef351154fd522164ed497badb69803817f3911d8c6b685d7d064b06966120e
        • Instruction ID: 906f238ffb86c62189b903b7fc166d353118aad0caba9ea977137d125d1bea1a
        • Opcode Fuzzy Hash: c2ef351154fd522164ed497badb69803817f3911d8c6b685d7d064b06966120e
        • Instruction Fuzzy Hash: 1A412571528385CFDF649EA8CC907EA7BB1AF25318F85041EDCCA9B164C3318982DB56
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        APIs
        • NtAllocateVirtualMemory.NTDLL ref: 022E5CA6
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: AllocateMemoryVirtual
        • String ID:
        • API String ID: 2167126740-0
        • Opcode ID: b5fad6eed3b155155da9ee1f6e70e1515066ab6cd8944fd69ee197fa72f4245b
        • Instruction ID: 4440e3fd2ea5eddde09802689773ac2603d4ee94e9a1d0ebf6fcbe267dcf8b41
        • Opcode Fuzzy Hash: b5fad6eed3b155155da9ee1f6e70e1515066ab6cd8944fd69ee197fa72f4245b
        • Instruction Fuzzy Hash: 5B41E071528385CFDF749EA8C8907EA77B1BF16358F95041ADC8ADB264C3319A82CF06
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph
        APIs
        • VirtualAlloc.KERNELBASE(00000000,0000F000,00001000,?,00411040,?,?,?), ref: 0040DE61
        Memory Dump Source
        • Source File: 00000000.00000002.577248237.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.577240940.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.577257628.000000000040F000.00000020.00020000.sdmp
        • Associated: 00000000.00000002.577264856.0000000000415000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.577272086.0000000000417000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: 78fe51739af18337ffb0466f99c6c816bac09bc3606635ae22bcd7b704629f7f
        • Instruction ID: a2ecab26e3da36d737f0f95e5fdd10f0a0b155872d0b55debb7c229a61bc1933
        • Opcode Fuzzy Hash: 78fe51739af18337ffb0466f99c6c816bac09bc3606635ae22bcd7b704629f7f
        • Instruction Fuzzy Hash: 7A31C063E257249EC7835970CC40A917B51AF22291722877BED15B71A0FB3A5C4F29C9
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • __vbaChkstk.MSVBVM60(?,004013F6), ref: 0040FD4E
        • #526.MSVBVM60(?,00000001,?,?,?,?,004013F6), ref: 0040FD9C
        • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0040FDC4
        • __vbaFreeVar.MSVBVM60 ref: 0040FDD7
        • __vbaOnError.MSVBVM60(000000FF), ref: 0040FDF5
        • #610.MSVBVM60(?), ref: 0040FE09
        • #552.MSVBVM60(?,?,00000001), ref: 0040FE1F
        • __vbaVarMove.MSVBVM60 ref: 0040FE31
        • __vbaFreeVar.MSVBVM60 ref: 0040FE3D
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403524,0000015C), ref: 0040FE84
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 0040FEB6
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403840,00000014), ref: 0040FF1F
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,000000C0), ref: 0040FF88
        • __vbaFreeObj.MSVBVM60 ref: 0040FFB1
        • __vbaVarDup.MSVBVM60 ref: 0040FFDD
        • #562.MSVBVM60(?), ref: 0040FFEA
        • __vbaFreeVar.MSVBVM60 ref: 00410008
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 00410037
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403840,00000014), ref: 004100A0
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,000000C8), ref: 00410109
        • __vbaFreeObj.MSVBVM60 ref: 00410132
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 00410152
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403840,00000014), ref: 004101BB
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,00000060), ref: 0041021E
        • __vbaStrMove.MSVBVM60 ref: 00410258
        • __vbaFreeObj.MSVBVM60 ref: 00410264
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403524,0000015C), ref: 004102AB
        • __vbaStrToAnsi.MSVBVM60(?,Expertize,?), ref: 004102DA
        • __vbaSetSystemError.MSVBVM60(00000000), ref: 004102EC
        • __vbaFreeStr.MSVBVM60 ref: 00410310
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 0041033F
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403840,00000014), ref: 004103A8
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,000000B8), ref: 00410411
        • __vbaFreeObj.MSVBVM60 ref: 0041043A
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 0041045A
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403840,00000014), ref: 004104C3
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,000000F0), ref: 0041052C
        • __vbaStrMove.MSVBVM60 ref: 00410563
        • __vbaFreeObj.MSVBVM60 ref: 0041056F
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403554,0000071C), ref: 004105AF
        • __vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 004105DD
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 0041060D
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403840,00000014), ref: 00410676
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,00000118), ref: 004106DF
        • __vbaI2I4.MSVBVM60 ref: 004106FD
        • __vbaFreeObj.MSVBVM60 ref: 0041070D
        • #594.MSVBVM60(0000000A), ref: 00410735
        • __vbaFreeVar.MSVBVM60 ref: 00410741
        • __vbaVarDup.MSVBVM60 ref: 00410775
        • #667.MSVBVM60(0000000A), ref: 00410782
        • __vbaStrMove.MSVBVM60 ref: 0041078D
        • __vbaFreeVar.MSVBVM60 ref: 00410799
        • __vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 004107B5
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 004107E5
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403840,00000014), ref: 0041084E
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,00000138), ref: 004108B7
        • __vbaFreeObj.MSVBVM60 ref: 004108D5
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 004108F5
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403840,00000014), ref: 0041095E
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,00000118), ref: 004109C7
        • __vbaI2I4.MSVBVM60 ref: 004109E5
        • __vbaFreeObj.MSVBVM60 ref: 004109F5
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 00410A1C
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403840,00000048), ref: 00410A8A
        • __vbaStrMove.MSVBVM60 ref: 00410AC1
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403554,000006F8), ref: 00410B3E
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403554,000006FC), ref: 00410BBB
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403554,00000700), ref: 00410C39
        • __vbaStrCopy.MSVBVM60 ref: 00410C94
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403554,00000704), ref: 00410CF3
        • __vbaFreeStr.MSVBVM60 ref: 00410D23
        • __vbaStrCopy.MSVBVM60 ref: 00410D44
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403554,00000708), ref: 00410D92
        • __vbaFreeStr.MSVBVM60 ref: 00410DB9
        • __vbaStrCopy.MSVBVM60 ref: 00410DDB
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403554,0000070C), ref: 00410E43
          • Part of subcall function 0040DCBE: VirtualAlloc.KERNELBASE(00000000,0000F000,00001000,?,00411040,?,?,?), ref: 0040DE61
        • __vbaFreeStr.MSVBVM60 ref: 00410E61
        • __vbaStrCopy.MSVBVM60 ref: 00410E82
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403554,00000710), ref: 00410ED5
        • __vbaFreeStr.MSVBVM60 ref: 00410EFC
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403554,00000714), ref: 00410F5E
        • __vbaStrCopy.MSVBVM60 ref: 00410FEA
        • __vbaFreeStr.MSVBVM60 ref: 00411016
        • __vbaI4Var.MSVBVM60(00000009,?,?,?), ref: 00411047
        • __vbaStrToAnsi.MSVBVM60(?,Cuproplumbite,?,?,?), ref: 00411063
        • __vbaStrMove.MSVBVM60(00000000,?,?,?), ref: 00411077
        • __vbaSetSystemError.MSVBVM60(?,?,?), ref: 0041107D
        • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?), ref: 00411091
        • __vbaR8Str.MSVBVM60(00000000,?,?,?), ref: 00411098
        • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?), ref: 004110E7
        • #705.MSVBVM60(00000002,00000000), ref: 00411123
        • __vbaStrMove.MSVBVM60 ref: 0041112E
        • __vbaFreeVar.MSVBVM60 ref: 0041113A
        • #554.MSVBVM60 ref: 00411147
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 00411167
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403840,0000004C), ref: 004111D0
        • __vbaChkstk.MSVBVM60 ref: 0041120D
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403A18,0000002C), ref: 0041126F
        • __vbaFreeObj.MSVBVM60 ref: 0041128D
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577257628.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.577240940.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.577248237.0000000000401000.00000020.00020000.sdmp
        • Associated: 00000000.00000002.577264856.0000000000415000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.577272086.0000000000417000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: __vba$CheckHresult$Free$New2$Move$CopyError$System$AnsiChkstk$#526#552#554#562#594#610#667#705AllocListUnicodeVirtual
        • String ID: ,8@$/$<]A$<]A$<]A$<]A$<]A$<]A$<]A$<]A$<]A$<]A$BULKY$Basisidia9$Cuproplumbite$Effigiating9$Expertize$Fustager$Hydraemic6$SAMFUNDSANSVARETS$SUPERMASCULINE$TRANSPARENCIES$UNIVERSALLSNINGERNE$Y)$entertainer$ucensureret$unbudgeable
        • API String ID: 3305970385-486493427
        • Opcode ID: 90a1d07b09d0e5e780a5b7832f7ced7f605ba4c07cf5c743c45768fba80a7b0f
        • Instruction ID: b09836e425959881c00ac2eed53493007bd6658662152b3aa39dd16ee242cd0b
        • Opcode Fuzzy Hash: 90a1d07b09d0e5e780a5b7832f7ced7f605ba4c07cf5c743c45768fba80a7b0f
        • Instruction Fuzzy Hash: 1BD207B4900229DFDB24DF50CD88BD9BBB4BB48305F1081EAE609776A0DBB85AC5DF54
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • __vbaStrCopy.MSVBVM60 ref: 004130CE
        • __vbaStrCopy.MSVBVM60 ref: 004130D6
        • #609.MSVBVM60 ref: 004130D8
        • #557.MSVBVM60(?), ref: 004130EC
        • __vbaFreeVar.MSVBVM60 ref: 00413103
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 00413124
        • __vbaHresultCheckObj.MSVBVM60(00000000,02DFED94,00403840,00000014), ref: 0041314F
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,000000D8), ref: 0041317D
        • __vbaStrMove.MSVBVM60 ref: 00413188
        • __vbaFreeObj.MSVBVM60 ref: 00413191
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 004131A9
        • __vbaHresultCheckObj.MSVBVM60(00000000,02DFED94,00403840,00000014), ref: 004131CE
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,00000078), ref: 004131EE
        • __vbaFreeObj.MSVBVM60 ref: 004131F3
        • #569.MSVBVM60(000000C9), ref: 004131FE
        • #628.MSVBVM60(FGFG,00000001,00000008), ref: 00413222
        • __vbaStrMove.MSVBVM60 ref: 0041322D
        • __vbaStrCmp.MSVBVM60(00403AEC,00000000), ref: 00413239
        • __vbaFreeStr.MSVBVM60 ref: 0041324C
        • __vbaFreeVar.MSVBVM60 ref: 00413255
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 00413276
        • __vbaHresultCheckObj.MSVBVM60(00000000,02DFED94,00403840,00000014), ref: 0041329B
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,000000C0), ref: 004132C1
        • __vbaFreeObj.MSVBVM60 ref: 004132C6
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 004132DE
        • __vbaHresultCheckObj.MSVBVM60(00000000,02DFED94,00403840,00000014), ref: 00413303
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,000000F0), ref: 00413329
        • __vbaStrMove.MSVBVM60 ref: 00413334
        • __vbaFreeObj.MSVBVM60 ref: 0041333D
        • #571.MSVBVM60(00000024), ref: 00413345
        • __vbaFreeStr.MSVBVM60(00413390), ref: 0041337E
        • __vbaFreeStr.MSVBVM60 ref: 00413383
        • __vbaFreeStr.MSVBVM60 ref: 00413388
        • __vbaFreeStr.MSVBVM60 ref: 0041338D
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577257628.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.577240940.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.577248237.0000000000401000.00000020.00020000.sdmp
        • Associated: 00000000.00000002.577264856.0000000000415000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.577272086.0000000000417000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: __vba$Free$CheckHresult$New2$Move$Copy$#557#569#571#609#628
        • String ID: FGFG
        • API String ID: 995505225-2759163656
        • Opcode ID: 51f15f27bd3a0d1d0d26800db3a66869711653b91b1e46e1f2a9c3e26abfb8d3
        • Instruction ID: 048bffb482636d2ac0d8794fae09c137758c84020e0dec1ec84ca7b13f0a0607
        • Opcode Fuzzy Hash: 51f15f27bd3a0d1d0d26800db3a66869711653b91b1e46e1f2a9c3e26abfb8d3
        • Instruction Fuzzy Hash: 779150B1900219EBCB14EFA5DD88EDEBBB8FF48705B10852AF501B72A0DA785945CF58
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph
        C-Code - Quality: 15%
        			_entry_() {
        				signed char _t40;
        				intOrPtr* _t41;
        				signed char _t42;
        				signed char _t48;
        				signed char _t49;
        				signed char _t50;
        				signed char _t51;
        				signed char _t52;
        				signed int _t61;
        				void* _t65;
        				intOrPtr* _t66;
        				signed char _t67;
        				signed char _t68;
        				intOrPtr* _t69;
        				intOrPtr* _t70;
        				signed int _t77;
        				void* _t79;
        				intOrPtr _t90;
        
        				_push("VB5!6&*"); // executed
        				L0040163C(); // executed
        				do {
        					 *_t40 =  *_t40 + _t40;
        					 *_t40 =  *_t40 + _t40;
        					 *_t40 =  *_t40 + _t40;
        					 *_t40 =  *_t40 ^ _t40;
        					 *_t40 =  *_t40 + _t40;
        					_t40 = _t40 + 1;
        					 *_t40 =  *_t40 + _t40;
        					 *_t40 =  *_t40 + _t40;
        					 *_t40 =  *_t40 + _t40;
        					_t68 = _t68 + _t52;
        				} while (_t68 == 0);
        				_t41 = _t40;
        				asm("rol byte [ecx+0x19], 0x43");
        				asm("wait");
        				0xfa0();
        				 *_t41 =  *_t41 + _t41;
        				 *_t41 =  *_t41 + _t41;
        				 *_t41 =  *_t41 + _t41;
        				 *_t41 =  *_t41 + _t41;
        				 *_t41 =  *_t41 + _t41;
        				_pop(ss);
        				_t42 = _t41 +  *_t70;
        				 *_t42 =  *_t42 + _t42;
        				asm("outsd");
        				if( *_t42 < 0) {
        					L6:
        					 *_t68 =  *_t68 + 0x3f;
        					 *((intOrPtr*)(_t68 + 0x4f)) =  *((intOrPtr*)(_t68 + 0x4f)) + _t68;
        					_push(_t52);
        					_t65 = 0x40;
        					_push(_t79 - 1);
        					L7:
        					_t66 = _t65 + 1;
        					_push(_t52);
        					 *0x73000f01 =  *0x73000f01 + _t66;
        					_t90 =  *0x73000f01;
        					if(_t90 == 0) {
        						L15:
        						 *_t42 =  *_t42 + _t42;
        						L16:
        						 *_t42 =  *_t42 + _t42;
        						 *((char*)(_t42 + 0x8000)) =  *((char*)(_t42 + 0x8000));
        						L17:
        						 *_t42 =  *_t42 + 0x80;
        						 *_t42 =  *_t42 + _t42;
        						 *((intOrPtr*)(_t42 - 0x7fff8000)) =  *((intOrPtr*)(_t42 - 0x7fff8000)) + _t42;
        						 *_t42 =  *_t42;
        						asm("rol al, 0xc0");
        						 *((intOrPtr*)(_t42 + 0x8080)) =  *((intOrPtr*)(_t42 + 0x8080)) + _t42;
        						 *_t42 =  *_t42 + _t42;
        						 *_t42 =  *_t42 + 1;
        						 *_t42 =  *_t42 + _t42;
        						asm("invalid");
        						 *_t42 =  *_t42 + _t42;
        						 *_t42 =  *_t42 + 1;
        						asm("invalid");
        						 *_t42 =  *_t42 + _t42;
        						 *_t42 =  *_t42 + _t42;
        						 *_t42 =  *_t42 + _t42;
        						 *_t42 =  *_t42 + _t42;
        						 *_t42 =  *_t42 + _t42;
        						 *_t42 =  *_t42 + _t42;
        						 *_t42 =  *_t42 + _t42;
        						 *_t42 =  *_t42 + _t42;
        						 *_t42 =  *_t42 + _t42;
        						 *_t42 =  *_t42 + _t42;
        						 *_t42 =  *_t42 + _t42;
        						 *_t42 =  *_t42 + _t42;
        						 *_t66 =  *_t66 + _t68;
        						 *_t42 =  *_t42 + _t42;
        						 *_t42 =  *_t42 + _t42;
        						 *_t66 =  *_t66 + _t42;
        						asm("cdq");
        						asm("cdq");
        						asm("adc [eax], al");
        						 *_t42 =  *_t42 + _t42;
        						 *((intOrPtr*)(_t66 + 0x90f11f)) =  *((intOrPtr*)(_t66 + 0x90f11f)) + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52 + _t52;
        						asm("adc esi, [ebx]");
        						 *((intOrPtr*)(_t66 + 0x109100ff)) =  *((intOrPtr*)(_t66 + 0x109100ff)) + _t68;
        						_t67 = _t42;
        						asm("invalid");
        						asm("adc [ecx], cl");
        						_t61 = _t66;
        						asm("invalid");
        						 *(_t67 - 0x40f7ff67) =  *(_t67 - 0x40f7ff67) | _t61;
        						asm("invalid");
        						 *0x91b8ff00 =  *0x91b8ff00 + 0x91b8ff00;
        						 *0x91b8ff00 =  *0x91b8ff00 + 0x91b8ff00;
        						 *_t61 =  *_t61 + _t68;
        						 *0x91b8ff00 =  *0x91b8ff00;
        						 *0x91b8ff00 =  *0x91b8ff00;
        						 *_t61 =  *_t61 + _t67;
        						asm("sbb al, 0x0");
        						 *0x91b8ff00 =  *0x91b8ff00;
        						 *0x91b8ff00 =  *0x91b8ff00;
        						 *0x91b8ff00 =  *0x91b8ff00;
        						 *0x91b8ff00 =  *0x91b8ff00;
        						 *0x91b8ff00 =  *0x91b8ff00;
        						 *0x91b8ff00 =  *0x91b8ff00;
        						 *0x91b8ff00 =  *0x91b8ff00;
        						 *0x91b8ff00 =  *0x91b8ff00;
        						 *0x91b8ff00 =  *0x91b8ff00;
        						 *0x91b8ff00 =  *0x91b8ff00;
        						 *0x91b8ff00 =  *0x91b8ff00;
        						 *0x91b8ff00 =  *0x91b8ff00;
        						asm("invalid");
        						 *0x91b8ff00 =  *0x91b8ff00;
        						asm("invalid");
        						 *0x91b8ff00 =  *0x91b8ff00;
        						asm("jecxz 0x1");
        						 *0x91b8ff00 =  *0x91b8ff00;
        						 *0xFFFFFFFF91B8FFFF =  *((intOrPtr*)(0xffffffff91b8ffff));
        						asm("rol dword [eax], 0x0");
        						 *0x91b8ff00 =  *0x91b8ff00;
        						asm("pushad");
        						 *0x91b8ff00 =  *0x91b8ff00;
        						 *0x91b8ff00 =  *0x91b8ff00;
        						 *0x91b8ff00 =  *0x91b8ff00;
        						 *0x91b8ff00 =  *0x91b8ff00;
        						 *0x91b8ff00 =  *0x91b8ff00;
        						asm("sbb [eax-0x7f7d0000], eax");
        						 *0x91b8ff00 =  *0x91b8ff00;
        						 *0 =  *0;
        						goto __edi;
        					}
        					if(_t90 < 0) {
        						L14:
        						 *_t42 =  *_t42 + _t42;
        						 *_t42 =  *_t42 + _t42;
        						 *_t42 =  *_t42 + _t42;
        						 *_t42 =  *_t42 + _t42;
        						 *_t42 =  *_t42 + _t42;
        						 *_t42 =  *_t42 + _t42;
        						 *_t42 =  *_t42 + _t42;
        						 *_t42 =  *_t42;
        						 *_t42 =  *_t42;
        						goto L15;
        					}
        					if(_t90 >= 0) {
        						goto L17;
        					}
        					if(_t90 >= 0) {
        						goto L16;
        					}
        					asm("gs insd");
        					if(_t90 < 0) {
        						goto L15;
        					}
        					 *[gs:ecx] =  *[gs:ecx] + _t52;
        					 *_t42 =  *_t42 + _t42;
        					_t69 = _t68 + 1;
        					 *_t69 =  *_t69 + _t42;
        					 *_t66 =  *_t66 - 1;
        					 *_t42 =  *_t42 + _t42;
        					asm("insb");
        					if ( *_t42 == 0) goto L13;
        					_t68 = _t69 + _t69;
        					 *_t42 =  *_t42 | _t42;
        					 *_t42 =  *_t42 + _t42;
        					 *_t66 =  *_t66 + _t42;
        					 *_t68 =  *_t68 + _t42;
        					 *_t42 =  *_t42 + _t68;
        					asm("adc [eax], dl");
        					 *_t66 =  *_t66 + _t42;
        					 *((intOrPtr*)(_t42 + _t42)) =  *((intOrPtr*)(_t42 + _t42)) + _t42;
        					 *_t66 =  *_t66 - _t42;
        					 *_t42 =  *_t42 + _t42;
        					 *[es:eax] =  *[es:eax] + _t42;
        					 *_t42 =  *_t42 + _t42;
        					 *_t42 =  *_t42 & _t42;
        					 *_t66 =  *_t66 + _t42;
        					 *_t42 =  *_t42 + _t66;
        					 *((intOrPtr*)(_t42 + 0x4e000008)) =  *((intOrPtr*)(_t42 + 0x4e000008)) + _t66;
        					 *_t42 =  *_t42 + _t42;
        					 *_t42 =  *_t42 + _t66;
        					 *_t42 =  *_t42 + _t42;
        					 *_t42 =  *_t42 + _t68;
        					 *_t42 =  *_t42 + _t42;
        					 *_t42 =  *_t42 + _t42;
        					 *_t42 =  *_t42 + _t42;
        					 *_t66 =  *_t66 + _t42;
        					 *((intOrPtr*)(_t42 + _t42)) =  *((intOrPtr*)(_t42 + _t42)) + _t42;
        					 *_t42 =  *_t42 + _t42;
        					 *_t42 =  *_t42 + _t42;
        					asm("rol byte [eax], 0x0");
        					 *_t42 =  *_t42 + _t42;
        					 *_t42 =  *_t42 + _t42;
        					 *_t42 =  *_t42 + _t42;
        					 *_t42 =  *_t42 + _t42;
        					 *_t42 =  *_t42 + _t42;
        					goto L14;
        				}
        				if ( *(_t52 + 0x6e + _t77 * 2) * 0x65676e69 < 0) goto L4;
        				_pop(es);
        				_t65 = 0x40;
        				 *_t42 =  *_t42 + _t42;
        				 *_t42 =  *_t42 + _t42;
        				_t52 = _t52 + _t52;
        				asm("int3");
        				 *_t42 =  *_t42 ^ _t42;
        				_t68 = _t68 + _t52;
        				asm("scasb");
        				asm("adc al, 0x0");
        				if(_t68 < 0) {
        					goto L7;
        				}
        				asm("cmpsd");
        				asm("cli");
        				asm("sbb dword [edi+0x58], 0x97c001b7");
        				asm("std");
        				asm("out dx, eax");
        				_t48 = _t68;
        				_t68 = _t70 - 1;
        				_t49 = _t48 &  *(_t48 + 0x53 + _t77 * 4);
        				 *0x3a942196 = _t49;
        				_t70 = _t42 - 1;
        				asm("lodsd");
        				_t50 = _t49;
        				asm("stosb");
        				 *((intOrPtr*)(_t50 - 0x2d)) =  *((intOrPtr*)(_t50 - 0x2d)) + _t50;
        				_t51 = _t52 + 0x00000001 ^  *0xFFFFFFFFB711CFA5;
        				_t52 = _t50;
        				 *_t51 =  *_t51 + _t51;
        				 *_t51 =  *_t51 + _t51;
        				 *_t51 =  *_t51 + _t51;
        				 *_t51 =  *_t51 + _t51;
        				 *_t51 =  *_t51 + _t51;
        				 *_t51 =  *_t51 + _t51;
        				 *_t51 =  *_t51 + _t51;
        				 *_t51 =  *_t51 + _t51;
        				 *_t51 =  *_t51 + _t51;
        				 *_t51 =  *_t51 + _t51;
        				 *_t51 =  *_t51 + _t51;
        				 *_t51 =  *_t51 + _t51;
        				 *_t51 =  *_t51 + _t51;
        				 *_t51 =  *_t51 + _t51;
        				 *_t51 =  *_t51 + _t51;
        				 *_t51 =  *_t51 + _t51;
        				 *_t51 =  *_t51 + _t51;
        				 *_t51 =  *_t51 + _t51;
        				_pop(_t77);
        				_t42 = _t51 |  *_t51;
        				 *0x00000049 =  *((intOrPtr*)(0x49)) + _t52;
        				 *_t42 =  *_t42 + _t42;
        				goto L6;
        			}

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577248237.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.577240940.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.577257628.000000000040F000.00000020.00020000.sdmp
        • Associated: 00000000.00000002.577264856.0000000000415000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.577272086.0000000000417000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: #100
        • String ID: VB5!6&*
        • API String ID: 1341478452-3593831657
        • Opcode ID: 413304fc87e49b8787cbf3ea19da981c23c55b689e641670966b3969554464a0
        • Instruction ID: 6c48dc7cbd1364696c35c54fb2dc1a0f0f035683db7b68fcd4f7e9733d927028
        • Opcode Fuzzy Hash: 413304fc87e49b8787cbf3ea19da981c23c55b689e641670966b3969554464a0
        • Instruction Fuzzy Hash: 315152A548E7C14FD70387744C696903FB0AE13229B0E46EBC895DF4F3E26E484AD766
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: >s2+$>s2+$bE$I$}/q?$3J
        • API String ID: 0-3070882053
        • Opcode ID: 8c44b38c6729859b9cdef6d577db694cc7713c98f8c7a572a324ff3871c40c7f
        • Instruction ID: 8cb7dee121e1edcdd77b7ad55302fd2dc0324a5850c05d5fef6294bc20ba5e2a
        • Opcode Fuzzy Hash: 8c44b38c6729859b9cdef6d577db694cc7713c98f8c7a572a324ff3871c40c7f
        • Instruction Fuzzy Hash: DD7232B1614345DFDF389E78C9957EA7BA2FF55300F85422EEC8A8B258D3708985DB02
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: EJ5x$G[Xo$bE$I
        • API String ID: 0-1801337898
        • Opcode ID: 8ed099eb8eaf6d4772b12e55c6c316995df902bc2d3032c3cd1118af480c66b4
        • Instruction ID: ccae87f9d0a707605e7b3eb7ee79b00f0e2b2d9ecb3b0b91163a6ce4a07d31b2
        • Opcode Fuzzy Hash: 8ed099eb8eaf6d4772b12e55c6c316995df902bc2d3032c3cd1118af480c66b4
        • Instruction Fuzzy Hash: B47251B16143499FDF349E78CD947EA77A2FF49300F85422EEC8A8B258D3748985DB02
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: AllocateMemoryVirtual
        • String ID: Hoa$O?xH$}/q?
        • API String ID: 2167126740-374400973
        • Opcode ID: 363d8bd1fa7dc418a0439050d5edb4ebcf0f144d6784d49f0908b01c74aff956
        • Instruction ID: 15aa05e1b7d8f2d91279bf2919835d0cf123f614d91fe9fc0da1fcc0ad95f59e
        • Opcode Fuzzy Hash: 363d8bd1fa7dc418a0439050d5edb4ebcf0f144d6784d49f0908b01c74aff956
        • Instruction Fuzzy Hash: 8C626A7162434A8FDF349EA48C947EE33A3AF95350FD5412EDC8BAB248D7748981DB42
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: [:KR$bE$I
        • API String ID: 0-681504058
        • Opcode ID: d64d1d9919fd8856cb0dae92dfa8cede52e580ff00f8dbb380b73cefe568423e
        • Instruction ID: bd8deac551b34edd792ae74913338d04a74403b9deda3c0d10f325325054c873
        • Opcode Fuzzy Hash: d64d1d9919fd8856cb0dae92dfa8cede52e580ff00f8dbb380b73cefe568423e
        • Instruction Fuzzy Hash: 6BB220B161434ADFDF24DF68C8957EA77A2FF49300F95422EDC8A8B218D3749985CB42
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: bE$I$fYk
        • API String ID: 0-3911877772
        • Opcode ID: 842837b7518a1eace181c9b08ee0ab4d742d9127983a3e60c5382dafe025a15d
        • Instruction ID: fa588ffb5050bd0f1c7a6eb74cf1375584c8b6fef8cc8410658374392152dbeb
        • Opcode Fuzzy Hash: 842837b7518a1eace181c9b08ee0ab4d742d9127983a3e60c5382dafe025a15d
        • Instruction Fuzzy Hash: 6D9259716143858FDF249F78C8987DA7BE2AF46310F85826EDCCA8B299D3748585DB03
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: AllocateMemoryVirtual
        • String ID: @O$bE$I
        • API String ID: 2167126740-1201749089
        • Opcode ID: ef9092b44f21fd0fd9d4e359385c968b08ffdd682e3f2fb370f7fc10c103e999
        • Instruction ID: cc4edec2d019db73bbe0e418ab32db7ba90ea6caa11de06cab9e10f89b311dbf
        • Opcode Fuzzy Hash: ef9092b44f21fd0fd9d4e359385c968b08ffdd682e3f2fb370f7fc10c103e999
        • Instruction Fuzzy Hash: D38231B16143469FDF349E78CD957EA77A2FF55340F81822EDC8A8B258D3708A85DB02
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: Hoa$O?xH
        • API String ID: 0-3790608845
        • Opcode ID: 5a1c52844f600a780ea028a7c2416580794b15e70428271910e43dc608637e8d
        • Instruction ID: 20349cdb2606c47f68cfd6cda899c85a837e5fd7842e7cffbad28913b59f9c01
        • Opcode Fuzzy Hash: 5a1c52844f600a780ea028a7c2416580794b15e70428271910e43dc608637e8d
        • Instruction Fuzzy Hash: 3BE11875A2434A8FDF385EA4CC947EE33A3AF85350F95412ADC4F9B248DB748981DB12
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: Hoa$O?xH
        • API String ID: 0-3790608845
        • Opcode ID: fa094d22c362583db55b4089fa2ee6732c94606f98b6b3435b2db45675116a11
        • Instruction ID: 2408f5bad285223e3807a168e05061eee5b9722415425af3fd5832fc9750bd37
        • Opcode Fuzzy Hash: fa094d22c362583db55b4089fa2ee6732c94606f98b6b3435b2db45675116a11
        • Instruction Fuzzy Hash: 72D13775A3434A8FDF385EA48C947FE23A3AF85350FD5412EDC8B9B248DB744981DA12
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: Hoa$O?xH
        • API String ID: 0-3790608845
        • Opcode ID: 29bb83deeeb316d1ee1981c49f70f55cdc19940b4ddad93b9f1a2a9ddd2f9dd1
        • Instruction ID: 1bc3d2a7a5277b3d1a02a6039e64aefef3b94fdfbdaa9f32358a75e460e76b24
        • Opcode Fuzzy Hash: 29bb83deeeb316d1ee1981c49f70f55cdc19940b4ddad93b9f1a2a9ddd2f9dd1
        • Instruction Fuzzy Hash: ED912671A2434A8FDF385EA4CC947EE23A7AF45350FD5412EDC8F9B248DB744D819A02
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: Hoa$O?xH
        • API String ID: 0-3790608845
        • Opcode ID: 2ba9d363e94385cba8cf1685a225d6db6b81dbe5583d881fd21d25546ddcf228
        • Instruction ID: d735cc771f14d4de92e627a5dcde4bb16a5ce442bda8dd3ad233ef5c4411fdaa
        • Opcode Fuzzy Hash: 2ba9d363e94385cba8cf1685a225d6db6b81dbe5583d881fd21d25546ddcf228
        • Instruction Fuzzy Hash: EFA1F675A2434A8FDF385EA4CC547EE23A7AF85350FD5812EDC8F9B248D7744D819A02
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: Hoa$O?xH
        • API String ID: 0-3790608845
        • Opcode ID: b73d6cc0f6414a58d9388cf1bfa3575f6155c6354f3ee24046f68c5264ef97fd
        • Instruction ID: a4849bf20c31e3f4a6bb20cc8f5449aa584df7e9fce85f1ed3e3b9b3cb3911fe
        • Opcode Fuzzy Hash: b73d6cc0f6414a58d9388cf1bfa3575f6155c6354f3ee24046f68c5264ef97fd
        • Instruction Fuzzy Hash: 519126B1A2434A8FDF385EA4CC547EE23A3AF45354FD5812EDC8F9B248DB744D819A02
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: Hoa$O?xH
        • API String ID: 0-3790608845
        • Opcode ID: 3d036ece91fc9e68e5b943929ad37e488de5e9186ecebf23729dbe345f1fa49d
        • Instruction ID: 7a29b3b9813e9a1a09462c92af712da593bf72350950bdb0f4d07a2aec3c49a3
        • Opcode Fuzzy Hash: 3d036ece91fc9e68e5b943929ad37e488de5e9186ecebf23729dbe345f1fa49d
        • Instruction Fuzzy Hash: 4C81147162434A8FDF385EA4CC947FE23A7AF45350FD5412ADC8F9B248DB744D91AA02
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: Hoa$O?xH
        • API String ID: 0-3790608845
        • Opcode ID: 168fd865b2808641936f361590cf9e3345aa067eaa5d45ee9225c6595856025d
        • Instruction ID: 8f9b45005fb738b122f0b9b947c03e09b7e0fb63c9033cc550082f75689fd960
        • Opcode Fuzzy Hash: 168fd865b2808641936f361590cf9e3345aa067eaa5d45ee9225c6595856025d
        • Instruction Fuzzy Hash: 367137716343468FDF385EA8CC947EE23A3AF55340FD5852ADC8F8B248DB748D959A02
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: Hoa$O?xH
        • API String ID: 0-3790608845
        • Opcode ID: 253e6ca100be61e9852bc3a1b6b478c84d270cfa49ce15fd33a423c7eda1a8d4
        • Instruction ID: 2b99874766c56edd702149154ec90a3f64d306c215f234a90b4952b6fcfd1e94
        • Opcode Fuzzy Hash: 253e6ca100be61e9852bc3a1b6b478c84d270cfa49ce15fd33a423c7eda1a8d4
        • Instruction Fuzzy Hash: D37116756283468FDF385EA4CC947FE23A3AF45340FD5852EDC8B9B248DB744D91AA02
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: Hoa$O?xH
        • API String ID: 0-3790608845
        • Opcode ID: cb8044eefbd7c03b7de3782b0c1522666810ae9483cf777bab432681dd213a5d
        • Instruction ID: 136da9c4d9391819b1bd61a15303021e9bb47edc5da1adfe887e0d73ca1d6730
        • Opcode Fuzzy Hash: cb8044eefbd7c03b7de3782b0c1522666810ae9483cf777bab432681dd213a5d
        • Instruction Fuzzy Hash: 1B7109716283468FDF385EA4CC947EE23A3AF55340FD5412EDC8B9B248DB784D959A02
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: Hoa$O?xH
        • API String ID: 0-3790608845
        • Opcode ID: 5c49da8b1f7d896ea3c99bb8bc948f9d978aaf4c296895192f0a4d17c8ecf374
        • Instruction ID: fe4b06e0749dd4c95dc1979118f7b67fb24728ffc6a3aa874ed4be28810e36a4
        • Opcode Fuzzy Hash: 5c49da8b1f7d896ea3c99bb8bc948f9d978aaf4c296895192f0a4d17c8ecf374
        • Instruction Fuzzy Hash: 865128756342468FDF385E98CC947EE23A7AF55340FD5802ADC8F9B208DB748D959A02
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: bE$I
        • API String ID: 0-953333549
        • Opcode ID: 4a7a01f75ebf222c83961d084507b52a746bbe187175242b000a22317ee6547b
        • Instruction ID: f55fd242eaf30d6aa57a08d0a54a6e367f56a3cca56553e84c4ce9b110f48296
        • Opcode Fuzzy Hash: 4a7a01f75ebf222c83961d084507b52a746bbe187175242b000a22317ee6547b
        • Instruction Fuzzy Hash: F78263B1614346DFDF389EB8C9953EA77A2FF45300F95422EDC8A8B258D3708981DB42
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: AllocateMemoryVirtual
        • String ID: bE$I
        • API String ID: 2167126740-953333549
        • Opcode ID: 4a17b0a1fd2c37e2ce0d8ef7e45f18cfff1e5103119f9aee0e221c8eee7f7e30
        • Instruction ID: 4927e4bd6c9f2d28a08beffb857d80142f9ccb20b42d8d32eabc5e0f0308fed9
        • Opcode Fuzzy Hash: 4a17b0a1fd2c37e2ce0d8ef7e45f18cfff1e5103119f9aee0e221c8eee7f7e30
        • Instruction Fuzzy Hash: F16222B161434A9FDF349F78C9957EA7BA2FF45300F85422EDC8A8B258D3748985DB02
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: AllocateMemoryVirtual
        • String ID: bE$I
        • API String ID: 2167126740-953333549
        • Opcode ID: 32e8d539e1f2f788a497c2f4213567312121e8dc12a4e61cfa98da138404c03b
        • Instruction ID: 8dcd2eabca14a0f65e9a7617102ea8d2c491d70f9905049bf62aabc41c8df787
        • Opcode Fuzzy Hash: 32e8d539e1f2f788a497c2f4213567312121e8dc12a4e61cfa98da138404c03b
        • Instruction Fuzzy Hash: 0E6210B161434A9FDF349F68CD957EA7BA2FF45300F95422EDC8A9B218D3748985CB02
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: AllocateMemoryVirtual
        • String ID: bE$I
        • API String ID: 2167126740-953333549
        • Opcode ID: 96f48fc6e18994918c0933a47859945a42f4021bc1aa74d6b34d2a0a7f6d601b
        • Instruction ID: 97d0847fcd154f61746650300bf018dd2ebd375e8de35ee861d9c878736aa1c5
        • Opcode Fuzzy Hash: 96f48fc6e18994918c0933a47859945a42f4021bc1aa74d6b34d2a0a7f6d601b
        • Instruction Fuzzy Hash: 5E5252B16143469FDF389F78C9957EA7BA2FF55300F85422EDC8A8B218D3748985DB02
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: bE$I
        • API String ID: 0-953333549
        • Opcode ID: df2b53c46f89c438dd9130b3ab8ec854c2d545f182fd4f7de850dfc46c37ef12
        • Instruction ID: abd9e280d585c78f8eaf63de804156a07752922f28254c82b3ee7d199f6ce37e
        • Opcode Fuzzy Hash: df2b53c46f89c438dd9130b3ab8ec854c2d545f182fd4f7de850dfc46c37ef12
        • Instruction Fuzzy Hash: 634222B16143459FDF289F78C9957EA7BA2FF55300F85412EDC8A8B218D3748985CB42
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: bE$I
        • API String ID: 0-953333549
        • Opcode ID: 8164c248905ab1487ca6e3d1f0df102867510d9925523b9fe5e5d70f8f72a9be
        • Instruction ID: d317697b8b58f1492b1ee7308508617403e41c4ab92706f40a836e30f3587693
        • Opcode Fuzzy Hash: 8164c248905ab1487ca6e3d1f0df102867510d9925523b9fe5e5d70f8f72a9be
        • Instruction Fuzzy Hash: 6E4221B16143499FDF389F78C9957EA7BA2FF55300F85812EDC8A8B218D3748984CB42
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: bE$I
        • API String ID: 0-953333549
        • Opcode ID: ae4613e004bbb1140742a77e5e42cbb86fee9c7717b1f242724ad97d69cb02fd
        • Instruction ID: 89a6ce9c9a5ab1d102d8a824fb006a70a7b3a6b68dd4fc17400c8671dcafb153
        • Opcode Fuzzy Hash: ae4613e004bbb1140742a77e5e42cbb86fee9c7717b1f242724ad97d69cb02fd
        • Instruction Fuzzy Hash: 144211B16143499FDF389F68CD957EA77A2FF55300F85812EDC8A8B218D3748984DB42
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: bE$I
        • API String ID: 0-953333549
        • Opcode ID: 30a86c190c657b4afae8d061b0de96857599abd59aa739fd18dbd38fa9dc28f7
        • Instruction ID: 0aefe0d0878a398ad1059fb7f7e5b0127dacff01640eda4cb4e6377c37a7df71
        • Opcode Fuzzy Hash: 30a86c190c657b4afae8d061b0de96857599abd59aa739fd18dbd38fa9dc28f7
        • Instruction Fuzzy Hash: 2E3201B16143499FDF389F68CD957EA77A2FF55300F85812EDC8A8B218D3748A84DB42
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: bE$I
        • API String ID: 0-953333549
        • Opcode ID: 0ff81875119b2c9da7f9e865e399df250dd31243c1d1915641df54c1e4996f4b
        • Instruction ID: 18db2a532bfb0f879c3a324447fc02dd06fbedd8a34c1607ee6fa2f1e9f9756e
        • Opcode Fuzzy Hash: 0ff81875119b2c9da7f9e865e399df250dd31243c1d1915641df54c1e4996f4b
        • Instruction Fuzzy Hash: 093202B16143499FDF389F68CD957EA7BA2FF55300F85812EDC8A8B218D3748984DB02
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: bE$I
        • API String ID: 0-953333549
        • Opcode ID: 832dcb54f748dd983605e3f7283ad7444582524e9e1d525c20d77108db9f9065
        • Instruction ID: 30c348a6c59ad45ed89aecb3deed07c9bdb729b4d732673662348da10aa55600
        • Opcode Fuzzy Hash: 832dcb54f748dd983605e3f7283ad7444582524e9e1d525c20d77108db9f9065
        • Instruction Fuzzy Hash: B42234B16143499FDF389F68CD957EA77A2FF55300F85822EDC8A8B214D3748A84DB02
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: bE$I
        • API String ID: 0-953333549
        • Opcode ID: 3b5a7911ca93a6fc2f7e8968353992d48bf234bd7a787901be166419f87c6a92
        • Instruction ID: 52c15cad11dabaabac232c347e7b0034c19f5e33f1559a68e5a92ebee51cc125
        • Opcode Fuzzy Hash: 3b5a7911ca93a6fc2f7e8968353992d48bf234bd7a787901be166419f87c6a92
        • Instruction Fuzzy Hash: 832214B16143459FDF389F68CD957EA77A2FF55300F85822EDC8A8B214D3748A84DB42
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: [:KR
        • API String ID: 0-2187104751
        • Opcode ID: c15bddeae35d508253e663a47b39aa18779d4932e3c428ff1e09a24ffa9c2255
        • Instruction ID: d8797d6e67a94d4aabc15b611688f0e027bbe0726807872e28b773ea9503713b
        • Opcode Fuzzy Hash: c15bddeae35d508253e663a47b39aa18779d4932e3c428ff1e09a24ffa9c2255
        • Instruction Fuzzy Hash: 1DE1E17161474ADFDF24CF68C8D0BEAB7A5BF48310F95422EDC5A9B244C770A991CB82
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: [:KR
        • API String ID: 0-2187104751
        • Opcode ID: 18c8db8ff7f13a97be1c16078151c951bbdea273a8424790670d126713997b28
        • Instruction ID: d8b31af13eaff58db98a06f09602aa07b475d61c68221e2c5ca296aa37520463
        • Opcode Fuzzy Hash: 18c8db8ff7f13a97be1c16078151c951bbdea273a8424790670d126713997b28
        • Instruction Fuzzy Hash: 1CE1F17161434ADFDF24CF68C8D0BEAB7A5BF48310F95422EDC5A9B254C770A991CB82
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: bE$I
        • API String ID: 0-953333549
        • Opcode ID: 7365690f3f71ca1ef65c65d955983818c992a513043c5cad151df402c25c7bbb
        • Instruction ID: 43756601a4a189c19756f6a5b637b6119dbee35d3dac62ab9878a460071d5c47
        • Opcode Fuzzy Hash: 7365690f3f71ca1ef65c65d955983818c992a513043c5cad151df402c25c7bbb
        • Instruction Fuzzy Hash: 2AC127B56143499FDF399E68CD547EA3BA2FF59300F84412DEC8ACB258D7748A84DB01
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: AllocateMemoryVirtual
        • String ID: }/q?
        • API String ID: 2167126740-188924682
        • Opcode ID: d99f9f9a0793aa8b5f6cc805fcbf218ee1746f1c497bd64c5e8a939a16e1b254
        • Instruction ID: f1de0ff118fcd203835b73180cc173e9d16a6d1217e47db20ffb0a3119bae812
        • Opcode Fuzzy Hash: d99f9f9a0793aa8b5f6cc805fcbf218ee1746f1c497bd64c5e8a939a16e1b254
        • Instruction Fuzzy Hash: 5D917E716203498FEF349EB088647EB73A3AFA1350FD1411EDC8767248D7758986DB52
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: bE$I
        • API String ID: 0-953333549
        • Opcode ID: c5689e69ffff14c0bc15cc6a50cbb5be8d0400b20083eebf59ed55f1d515da8b
        • Instruction ID: 0d8626594f8ced121d80c2cddd53b5a8d9ab3e7829d1555c4135e18d9c985433
        • Opcode Fuzzy Hash: c5689e69ffff14c0bc15cc6a50cbb5be8d0400b20083eebf59ed55f1d515da8b
        • Instruction Fuzzy Hash: D2915F75624349CBEF209EB0C9607EB37A2AF92350FD1411EDC8BA7248D7758A46CB52
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: ok
        • API String ID: 0-3694418724
        • Opcode ID: 7ffe7dba65292bb5c71dc5e110d13b2621e8d7fb3e56caf0e9ca530fffc983f6
        • Instruction ID: 6ee3d94ec3e8f34807a72299688a55cabe5055a6639c72a093912d740e832906
        • Opcode Fuzzy Hash: 7ffe7dba65292bb5c71dc5e110d13b2621e8d7fb3e56caf0e9ca530fffc983f6
        • Instruction Fuzzy Hash: EF814E71524349CBEF209EF089543EB32A2AF62354FD1411ADC877B248E3B58A46DB92
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: AllocateMemoryVirtual
        • String ID: )k:
        • API String ID: 2167126740-4084727042
        • Opcode ID: ba38b4a2cefc4b5359f00553bfc529490150696f45f1c4c70544efd7a4eaa6a3
        • Instruction ID: 66390aefeedcd0130cd5200c64549f14de07253d6a196934f9247f598aaf9ebc
        • Opcode Fuzzy Hash: ba38b4a2cefc4b5359f00553bfc529490150696f45f1c4c70544efd7a4eaa6a3
        • Instruction Fuzzy Hash: 4C816E71620349DFEF209EB088603EB73A3AF92750FD5411EDC8767248E7758986DB92
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: [:KR
        • API String ID: 0-2187104751
        • Opcode ID: c36f6745b6b06528ce9a399d696f04720b6358e1c51edd679f268cd7c81189a7
        • Instruction ID: 50108a8f7871b3922b4890cbf142e97de90d63390bb0323f2fa0286951cec0af
        • Opcode Fuzzy Hash: c36f6745b6b06528ce9a399d696f04720b6358e1c51edd679f268cd7c81189a7
        • Instruction Fuzzy Hash: 3D91317162034ACFDF24CF68C8D1BEAB7E1BF09310F95421ED89A9B214C7709985CB82
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: }/q?
        • API String ID: 0-188924682
        • Opcode ID: f53fd7fe8a6602a9312db116a500ac0afe291a36a3106b327ec6aeeed73c01d6
        • Instruction ID: 76218bd0546e10ec196c61d93b4226832382973dac72a85bedd074a115520591
        • Opcode Fuzzy Hash: f53fd7fe8a6602a9312db116a500ac0afe291a36a3106b327ec6aeeed73c01d6
        • Instruction Fuzzy Hash: 045163726342068FDF388DA8C8A53F93796AF56200FC5452BD853CB25CD3B9C5C9EA12
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: G[Xo
        • API String ID: 0-3892434268
        • Opcode ID: 86f7f06bb2de03fb086da92073b578779e02a1005266debce97117f2294ebc06
        • Instruction ID: d5772f36d81a63b768035efd4a479310b96cf0d91eca787f6f3c39dbf74a3cf2
        • Opcode Fuzzy Hash: 86f7f06bb2de03fb086da92073b578779e02a1005266debce97117f2294ebc06
        • Instruction Fuzzy Hash: A0510671214349CFDF348E64CC94BEE77AAAF95320F90461EEC5BDB258C3708985DA52
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: }/q?
        • API String ID: 0-188924682
        • Opcode ID: a5f3319bbe41d732e02d2213cee094195c13798f8b871cd23ebf99cf50d7f6b9
        • Instruction ID: 7fe5439d0d44d77344119b52dd63297c5c8fae5a4271321135f926a4dcc5da83
        • Opcode Fuzzy Hash: a5f3319bbe41d732e02d2213cee094195c13798f8b871cd23ebf99cf50d7f6b9
        • Instruction Fuzzy Hash: EE510371914345DFDF389E688CA07EA77A7AF98390F91002EEC8A9B254D7714D81DB02
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: fYk
        • API String ID: 0-2440650808
        • Opcode ID: 712ce78ca2df51c21040986bfd53e89fbace84d377a7ffd10cb83b7ea45d1552
        • Instruction ID: f9867f0f281134689a819a6d76f426b696584ce8619dd6560351fbf62d00c6f9
        • Opcode Fuzzy Hash: 712ce78ca2df51c21040986bfd53e89fbace84d377a7ffd10cb83b7ea45d1552
        • Instruction Fuzzy Hash: 2A51B7619183828EDF629BB88858756BAD1AF13270F8DC2EDCCD74E0EBD3A54046D717
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: G[Xo
        • API String ID: 0-3892434268
        • Opcode ID: fe09bca6f3ec496bc651e892cec40513bb3cebd679e392d9d09cfa37482fdc4e
        • Instruction ID: 85e9f5147448f7138683c285c77165e084f2a4f7fe0a9a53b29aab78e8ac140f
        • Opcode Fuzzy Hash: fe09bca6f3ec496bc651e892cec40513bb3cebd679e392d9d09cfa37482fdc4e
        • Instruction Fuzzy Hash: 66510470218349CFDF388E648C94BEE77A6AF95320FD0461EEC5B9B298C3744985DA16
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: fYk
        • API String ID: 0-2440650808
        • Opcode ID: 586b90beb24320b51cb0a5c491dfc300514d8217746f081d82ba2c07b57f2156
        • Instruction ID: 78459834d2eb6d2cbdb8ef76dcf030558bc434767704195877da5c06350c8419
        • Opcode Fuzzy Hash: 586b90beb24320b51cb0a5c491dfc300514d8217746f081d82ba2c07b57f2156
        • Instruction Fuzzy Hash: BA51CA619183828EDF625BB88898756BAD1AF13260F8DC2EDCCD74E0EFD3654046D713
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: G[Xo
        • API String ID: 0-3892434268
        • Opcode ID: df8bf355eef7af0b1c9676881356dff43a1832a86ed487d60fd9b4f34a3f33f3
        • Instruction ID: d8088477445ef126db1d0b19443c73d2bd0199943b7e5e8fad3d4f75b5f77cb1
        • Opcode Fuzzy Hash: df8bf355eef7af0b1c9676881356dff43a1832a86ed487d60fd9b4f34a3f33f3
        • Instruction Fuzzy Hash: BC41367021474ACFDF388E64CC94BEE77A6AF99310FC0462EEC5B9B295D3708945DA02
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID: G[Xo
        • API String ID: 0-3892434268
        • Opcode ID: 8383de5f21178ab9a87ab914ad0b63fbe90dc5cdb272855984ddb197512da667
        • Instruction ID: 245a2c9f06cc1e410d4a43f9682322e8997c64c941dd49d8c74cce85e9a6d246
        • Opcode Fuzzy Hash: 8383de5f21178ab9a87ab914ad0b63fbe90dc5cdb272855984ddb197512da667
        • Instruction Fuzzy Hash: E2310571218349CFDF389E748C40BEF76A6AF95310FD18A2EEC5787298D3758945DA02
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: e8d3eeb28f958988ff0ad53c28ddcf1e4d0b6906ba3154061d83c3471b889368
        • Instruction ID: 598889739132d99740ce8f9b6b4483215a4c6bab7a6c69bff212d478654ea981
        • Opcode Fuzzy Hash: e8d3eeb28f958988ff0ad53c28ddcf1e4d0b6906ba3154061d83c3471b889368
        • Instruction Fuzzy Hash: D3D17B75A24349CFEF249EB0C9647EB37A2AF51350FC6411EDC8B67248D3748A85CB42
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: AllocateMemoryVirtual
        • String ID:
        • API String ID: 2167126740-0
        • Opcode ID: 21b72a7690ef31796dd82eb156d077c0ae8117920e8ca9ce86d162be876774d5
        • Instruction ID: 089dfd6828a88cd611a10b60fc63edd764860f1e433ce1ab298c5c8fdcad440c
        • Opcode Fuzzy Hash: 21b72a7690ef31796dd82eb156d077c0ae8117920e8ca9ce86d162be876774d5
        • Instruction Fuzzy Hash: 59817D71624349CFEF309EB0C8507EB3392AF52350FC5411ADC876B248D7758A86DB92
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 42bac37489ad672aa0007e9771345f6ecff5b9b63cbd1f815deebe39f71748d1
        • Instruction ID: d1fd8ac4032a34ee01f6b517731b7ace6d34e4f741e937ec57f9a8a181d37ea4
        • Opcode Fuzzy Hash: 42bac37489ad672aa0007e9771345f6ecff5b9b63cbd1f815deebe39f71748d1
        • Instruction Fuzzy Hash: 0A81223121034ADFDF24CF68C8D1BEAB7E1BF49310F95421ED89A9B255C7709A85CB82
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 6ee5b1ef8fd2f720bef1850057b3f83ec5a99949ae7359c9b896603703cbdcfb
        • Instruction ID: 73d09379c4d726efc14e6d8a4805e558c8538e97e82b6a53d40f59329e8d1113
        • Opcode Fuzzy Hash: 6ee5b1ef8fd2f720bef1850057b3f83ec5a99949ae7359c9b896603703cbdcfb
        • Instruction Fuzzy Hash: 0C515376A24345CFDF248EA489687FA77E2EF04350F86055E9C4BAB219D3748A80DF42
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: f5f1209f761b49a4460f3bd5ffe117f76b0fb1555a63a933fc7fb21724a5a9bc
        • Instruction ID: ea345a2d9366fee17557a7c07937af2eba12d8a8cac212525bc2459f580b3fdb
        • Opcode Fuzzy Hash: f5f1209f761b49a4460f3bd5ffe117f76b0fb1555a63a933fc7fb21724a5a9bc
        • Instruction Fuzzy Hash: D6413BB4678346CEDF345DD48C447EA33A7AF59340FC4413ADC4F9A20CD3B58A96AA12
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: b3c55ddd4cf6806cc80ee2517df3917710f63184416616dedc4e0a4d21da7f30
        • Instruction ID: 2299b7109f128352c2952fe4f8a67cb8922cd4525871c71930f5444090400250
        • Opcode Fuzzy Hash: b3c55ddd4cf6806cc80ee2517df3917710f63184416616dedc4e0a4d21da7f30
        • Instruction Fuzzy Hash: 68210774628344CFDF388E608C947EEB2A2BF94314F92861E98C656298C7314580DA12
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 3106b8968947ad1005b79228e105dcdc66007c79e1d4627a40b22f40cc688e59
        • Instruction ID: 83ab7be5f3faa8b22b5826cade5861ca5a1564eb51060a43656faa126c288fde
        • Opcode Fuzzy Hash: 3106b8968947ad1005b79228e105dcdc66007c79e1d4627a40b22f40cc688e59
        • Instruction Fuzzy Hash: 41F06D783212468FCF28DF54C5D4BAD73A2EB54740FC18069DD8A8F639C730E884DA12
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 6f45ff7528e353acff3aadd33ec376ab4f0e224937e261f8559201b535bcf6ed
        • Instruction ID: fcb8ebf10623066ddde74114faec8019a324cee3a6b4470c3832b3f1645147b6
        • Opcode Fuzzy Hash: 6f45ff7528e353acff3aadd33ec376ab4f0e224937e261f8559201b535bcf6ed
        • Instruction Fuzzy Hash: B5B09230620980CFCE99CA49C190E14B3F4BB08A00B411890E00ACBA11C264E800DA00
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.577531426.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_22e0000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
        • Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
        • Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
        • Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • __vbaChkstk.MSVBVM60(?,004013F6), ref: 00411E4E
        • #525.MSVBVM60(00000001,?,?,?,?,004013F6), ref: 00411E8A
        • __vbaStrMove.MSVBVM60(?,?,?,?,004013F6), ref: 00411E95
        • __vbaStrCmp.MSVBVM60(0040382C,00000000,?,?,?,?,004013F6), ref: 00411EA1
        • __vbaFreeStr.MSVBVM60(?,?,?,?,004013F6), ref: 00411EB6
        • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004013F6), ref: 00411ED1
        • #594.MSVBVM60(0000000A), ref: 00411EF0
        • __vbaFreeVar.MSVBVM60 ref: 00411EF9
        • #716.MSVBVM60(0000000A,Crombie,00000000), ref: 00411F18
        • __vbaChkstk.MSVBVM60 ref: 00411F23
        • __vbaLateIdSt.MSVBVM60(?,00000000), ref: 00411F47
        • __vbaFreeVar.MSVBVM60 ref: 00411F50
        • __vbaFPInt.MSVBVM60(?,?,?,?,004013F6), ref: 00411F63
        • __vbaFpR8.MSVBVM60(?,?,?,?,004013F6), ref: 00411F69
        • #611.MSVBVM60(?,?,?,?,004013F6), ref: 00411F87
        • __vbaStrMove.MSVBVM60(?,?,?,?,004013F6), ref: 00411F92
        • #705.MSVBVM60(00000002,00000000), ref: 00411FB3
        • __vbaStrMove.MSVBVM60 ref: 00411FBE
        • __vbaFreeVar.MSVBVM60 ref: 00411FC7
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 00411FEE
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403840,0000004C), ref: 0041203F
        • __vbaChkstk.MSVBVM60(?), ref: 00412074
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403A18,0000001C), ref: 004120B8
        • __vbaObjSet.MSVBVM60(?,?), ref: 004120EB
        • __vbaFreeObj.MSVBVM60 ref: 004120F4
        • __vbaNew2.MSVBVM60(00403850,00415D3C,?,?,?,?,004013F6), ref: 00412114
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403840,00000014), ref: 00412165
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,00000060), ref: 004121AD
        • __vbaStrMove.MSVBVM60 ref: 004121DE
        • __vbaFreeObj.MSVBVM60 ref: 004121E7
        • __vbaFreeObj.MSVBVM60(00412257), ref: 0041222C
        • __vbaFreeStr.MSVBVM60 ref: 00412235
        • __vbaFreeStr.MSVBVM60 ref: 0041223E
        • __vbaFreeObj.MSVBVM60 ref: 00412247
        • __vbaFreeStr.MSVBVM60 ref: 00412250
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577257628.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.577240940.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.577248237.0000000000401000.00000020.00020000.sdmp
        • Associated: 00000000.00000002.577264856.0000000000415000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.577272086.0000000000417000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: __vba$Free$CheckHresultMove$Chkstk$New2$#525#594#611#705#716ErrorLate
        • String ID: <]A$<]A$Crombie$]ar
        • API String ID: 503181555-2367164633
        • Opcode ID: 3bac956c55a2b6f5244e83ce75ebb5a3128b34eeb3c5ad197c5a3549458bdf3f
        • Instruction ID: cb6b69e789027cbee6d0cc13207e35e9e3b787b6a9abce0e090d3cef4927ce0f
        • Opcode Fuzzy Hash: 3bac956c55a2b6f5244e83ce75ebb5a3128b34eeb3c5ad197c5a3549458bdf3f
        • Instruction Fuzzy Hash: 69C1E9B4900208DFDB14DFA5DA48BDEBBB4FF48305F208169E506BB2A1DB785A85CF54
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 1412 4133c0-41345a #591 __vbaStrMove __vbaStrCmp __vbaFreeStr __vbaFreeVar 1413 413460-4134a4 #648 __vbaFreeVar #690 1412->1413 1414 41352c 1412->1414 1415 4134a6-4134ac 1413->1415 1416 4134ae-4134ba _adj_fdiv_m64 1413->1416 1417 413532-413567 #670 __vbaVarTstEq __vbaFreeVar 1414->1417 1418 4134bf-4134ce 1415->1418 1416->1418 1419 413644-413684 __vbaFreeStr __vbaFreeObj 1417->1419 1420 41356d-413579 #598 1417->1420 1421 4134d4-413514 __vbaFpI4 1418->1421 1422 41369a 1418->1422 1424 41358b-41359f 1420->1424 1425 41357b-413585 __vbaNew2 1420->1425 1421->1414 1430 413516-41352a __vbaHresultCheckObj 1421->1430 1422->1422 1428 4135a1-4135aa __vbaHresultCheckObj 1424->1428 1429 4135ac-4135c2 1424->1429 1425->1424 1428->1429 1432 4135d2-413641 __vbaStrMove __vbaFreeObj __vbaLateMemCall 1429->1432 1433 4135c4-4135d0 __vbaHresultCheckObj 1429->1433 1430->1417 1432->1419 1433->1432
        APIs
        • #591.MSVBVM60(?), ref: 0041341C
        • __vbaStrMove.MSVBVM60 ref: 00413427
        • __vbaStrCmp.MSVBVM60(Double,00000000), ref: 00413433
        • __vbaFreeStr.MSVBVM60 ref: 00413446
        • __vbaFreeVar.MSVBVM60 ref: 00413455
        • #648.MSVBVM60(00000005), ref: 00413472
        • __vbaFreeVar.MSVBVM60 ref: 0041347B
        • #690.MSVBVM60(daffled,Galbanums5,syvendedagsadventistens,Passageres7), ref: 00413491
        • _adj_fdiv_m64.MSVBVM60 ref: 004134BA
        • __vbaFpI4.MSVBVM60(43180000,?,435A0000), ref: 004134EE
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403524,000002C0,?,435A0000), ref: 00413528
        • #670.MSVBVM60(00000005), ref: 00413536
        • __vbaVarTstEq.MSVBVM60(?,00000005), ref: 00413552
        • __vbaFreeVar.MSVBVM60(?,435A0000), ref: 0041355E
        • #598.MSVBVM60(?,435A0000), ref: 0041356D
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 00413585
        • __vbaHresultCheckObj.MSVBVM60(00000000,02DFED94,00403840,00000014), ref: 004135AA
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,00000110), ref: 004135D0
        • __vbaStrMove.MSVBVM60 ref: 004135DB
        • __vbaFreeObj.MSVBVM60 ref: 004135E4
        • __vbaLateMemCall.MSVBVM60(?,G4E8FWJ3IIVeaFpVOIxWSxnP80,00000002), ref: 0041363B
        • __vbaFreeStr.MSVBVM60(00413685), ref: 00413675
        • __vbaFreeObj.MSVBVM60 ref: 0041367E
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577257628.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.577240940.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.577248237.0000000000401000.00000020.00020000.sdmp
        • Associated: 00000000.00000002.577264856.0000000000415000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.577272086.0000000000417000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: __vba$Free$CheckHresult$Move$#591#598#648#670#690CallLateNew2_adj_fdiv_m64
        • String ID: Double$Ekspansionskortenes8$G4E8FWJ3IIVeaFpVOIxWSxnP80$Galbanums5$Passageres7$daffled$slutelementet$syvendedagsadventistens
        • API String ID: 3544221442-1816252260
        • Opcode ID: 098f0951b3b60ccd8c6004ae787d18eec59032027e6ab3270e73cc57ed9e175f
        • Instruction ID: 548fe9952cd7500636d3c5cc782520cbeeb50a2181d9d33cb4762b376460d6be
        • Opcode Fuzzy Hash: 098f0951b3b60ccd8c6004ae787d18eec59032027e6ab3270e73cc57ed9e175f
        • Instruction Fuzzy Hash: 0F715B70900208EFCB04DFA5DE49ADEBBB8FB48705F20802AF545B72A1D7785A45CF58
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 1434 411980-411b1d __vbaRedim __vbaVarMove * 4 #665 __vbaErase __vbaVarTstNe __vbaFreeVar 1436 411bf1 1434->1436 1437 411b23-411b29 1434->1437 1438 411bf7-411c5f __vbaVarDup #513 __vbaVarTstNe __vbaFreeVarList 1436->1438 1439 411b3b-411b4f 1437->1439 1440 411b2b-411b35 __vbaNew2 1437->1440 1441 411c65-411c73 #535 1438->1441 1442 411d8b-411df0 __vbaFreeObj __vbaFreeStr 1438->1442 1447 411b51-411b5a __vbaHresultCheckObj 1439->1447 1448 411b60-411b76 1439->1448 1440->1439 1443 411c85-411c99 1441->1443 1444 411c75-411c7f __vbaNew2 1441->1444 1450 411ca6-411cbf 1443->1450 1451 411c9b-411ca4 __vbaHresultCheckObj 1443->1451 1444->1443 1447->1448 1453 411b78-411b8c __vbaHresultCheckObj 1448->1453 1454 411b8e 1448->1454 1457 411cc1-411ccd __vbaHresultCheckObj 1450->1457 1458 411ccf-411cea __vbaI2I4 __vbaFreeObj 1450->1458 1451->1450 1456 411b94-411bbe __vbaStrMove __vbaFreeObj #598 1453->1456 1454->1456 1459 411bc4-411bdf 1456->1459 1460 411e1e 1456->1460 1457->1458 1461 411cfc-411d10 1458->1461 1462 411cec-411cf6 __vbaNew2 1458->1462 1459->1438 1464 411be1-411bef __vbaHresultCheckObj 1459->1464 1460->1460 1466 411d12-411d1b __vbaHresultCheckObj 1461->1466 1467 411d1d-411d5a 1461->1467 1462->1461 1464->1438 1466->1467 1469 411d71-411d85 __vbaObjSet __vbaFreeObj 1467->1469 1470 411d5c-411d6b __vbaHresultCheckObj 1467->1470 1469->1442 1470->1469
        APIs
        • __vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000003,00000000), ref: 00411A0D
        • __vbaVarMove.MSVBVM60 ref: 00411A3A
        • __vbaVarMove.MSVBVM60 ref: 00411A73
        • __vbaVarMove.MSVBVM60 ref: 00411A9C
        • __vbaVarMove.MSVBVM60 ref: 00411AC9
        • #665.MSVBVM60(?,3F800000,?), ref: 00411AD8
        • __vbaErase.MSVBVM60(00000000,?), ref: 00411AE3
        • __vbaVarTstNe.MSVBVM60(?,?), ref: 00411B08
        • __vbaFreeVar.MSVBVM60 ref: 00411B14
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 00411B35
        • __vbaHresultCheckObj.MSVBVM60(00000000,02DFED94,00403840,00000014), ref: 00411B5A
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,000000F0), ref: 00411B8A
        • __vbaStrMove.MSVBVM60 ref: 00411B9D
        • __vbaFreeObj.MSVBVM60 ref: 00411BA6
        • #598.MSVBVM60 ref: 00411BAC
        • __vbaHresultCheckObj.MSVBVM60(00000000,004012D0,00403524,00000084), ref: 00411BED
        • __vbaVarDup.MSVBVM60 ref: 00411C0B
        • #513.MSVBVM60(?,?,00000002), ref: 00411C1B
        • __vbaVarTstNe.MSVBVM60(00000002,?), ref: 00411C40
        • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00411C53
        • #535.MSVBVM60 ref: 00411C65
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 00411C7F
        • __vbaHresultCheckObj.MSVBVM60(00000000,02DFED94,00403840,00000014), ref: 00411CA4
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,00000118), ref: 00411CCD
        • __vbaI2I4.MSVBVM60 ref: 00411CD5
        • __vbaFreeObj.MSVBVM60 ref: 00411CDE
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 00411CF6
        • __vbaHresultCheckObj.MSVBVM60(00000000,02DFED94,00403840,0000004C), ref: 00411D1B
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403A18,0000001C,?,?,?,?), ref: 00411D6B
        • __vbaObjSet.MSVBVM60(?,?,?,?,?,?), ref: 00411D7C
        • __vbaFreeObj.MSVBVM60(?,?,?,?), ref: 00411D85
        • __vbaFreeObj.MSVBVM60(00411DF1), ref: 00411DE1
        • __vbaFreeStr.MSVBVM60 ref: 00411DEA
        Memory Dump Source
        • Source File: 00000000.00000002.577257628.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.577240940.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.577248237.0000000000401000.00000020.00020000.sdmp
        • Associated: 00000000.00000002.577264856.0000000000415000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.577272086.0000000000417000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: __vba$CheckFreeHresult$Move$New2$#513#535#598#665EraseListRedim
        • String ID:
        • API String ID: 2655101863-0
        • Opcode ID: 89ba34b7280ad998c92aed117b9247b3f4b845d9375388a23a98620e89e3af17
        • Instruction ID: 6e8c0ad97856d1d08300fd93de8905f1475bcf00d8db2e9b5a6ec558083fdca7
        • Opcode Fuzzy Hash: 89ba34b7280ad998c92aed117b9247b3f4b845d9375388a23a98620e89e3af17
        • Instruction Fuzzy Hash: 6CD138B1900219EFDB14DF94D988FDDBBB8FF48700F1081AAE245A72A1D7745984CFA8
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 1471 411750-4117bb __vbaStrCopy __vbaInStrB 1473 4117c1-4117c7 1471->1473 1474 41191f-411955 __vbaFreeStr * 3 1471->1474 1475 4117d9-4117ed 1473->1475 1476 4117c9-4117d3 __vbaNew2 1473->1476 1479 411802 1475->1479 1480 4117ef-411800 __vbaHresultCheckObj 1475->1480 1476->1475 1481 411808-41181e 1479->1481 1480->1481 1483 411820-41182c __vbaHresultCheckObj 1481->1483 1484 41182e-41184f __vbaStrMove __vbaFreeObj 1481->1484 1483->1484 1485 411861-411875 1484->1485 1486 411851-41185b __vbaNew2 1484->1486 1488 411882-411891 1485->1488 1489 411877-411880 __vbaHresultCheckObj 1485->1489 1486->1485 1491 411893-41189c __vbaHresultCheckObj 1488->1491 1492 41189e-4118aa __vbaFreeObj 1488->1492 1489->1488 1491->1492 1493 4118bc-4118d0 1492->1493 1494 4118ac-4118b6 __vbaNew2 1492->1494 1496 4118d2-4118db __vbaHresultCheckObj 1493->1496 1497 4118dd-4118fa 1493->1497 1494->1493 1496->1497 1499 411907-41191d __vbaStrMove __vbaFreeObj 1497->1499 1500 4118fc-411905 __vbaHresultCheckObj 1497->1500 1499->1474 1500->1499
        APIs
        • __vbaStrCopy.MSVBVM60 ref: 0041179F
        • __vbaInStrB.MSVBVM60(00000000,00403A40,ABC,00000002), ref: 004117B2
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 004117D3
        • __vbaHresultCheckObj.MSVBVM60(00000000,02DFED94,00403840,00000014), ref: 004117FE
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,000000F8), ref: 0041182C
        • __vbaStrMove.MSVBVM60 ref: 00411837
        • __vbaFreeObj.MSVBVM60 ref: 00411846
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 0041185B
        • __vbaHresultCheckObj.MSVBVM60(00000000,02DFED94,00403840,0000004C), ref: 00411880
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403A18,00000028), ref: 0041189C
        • __vbaFreeObj.MSVBVM60 ref: 004118A1
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 004118B6
        • __vbaHresultCheckObj.MSVBVM60(00000000,02DFED94,00403840,0000004C), ref: 004118DB
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403A18,00000024), ref: 00411905
        • __vbaStrMove.MSVBVM60 ref: 00411914
        • __vbaFreeObj.MSVBVM60 ref: 0041191D
        • __vbaFreeStr.MSVBVM60(00411956), ref: 00411949
        • __vbaFreeStr.MSVBVM60 ref: 0041194E
        • __vbaFreeStr.MSVBVM60 ref: 00411953
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577257628.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.577240940.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.577248237.0000000000401000.00000020.00020000.sdmp
        • Associated: 00000000.00000002.577264856.0000000000415000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.577272086.0000000000417000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: __vba$CheckFreeHresult$New2$Move$Copy
        • String ID: ABC$NONEPIGRAMMATICALLY$inductothermy
        • API String ID: 338840774-1393017364
        • Opcode ID: 06e49aeb2e4993f8e787206ea25cd6bdbf1cf6d0444385783dfdc84a5f80086e
        • Instruction ID: 117e1252ff0c6b4d1b62bccbc48f142dd918b167b5160f97e35b0bb3e240817a
        • Opcode Fuzzy Hash: 06e49aeb2e4993f8e787206ea25cd6bdbf1cf6d0444385783dfdc84a5f80086e
        • Instruction Fuzzy Hash: 4E5178B0A40209ABCB00EF65DD49EDEBBB8FF58711F10806AF541B32A1D7789945CF68
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 1501 4136a0-413731 __vbaAryConstruct2 #684 __vbaFpR8 1502 413737-41373d 1501->1502 1503 41388f-4138c5 __vbaFreeStr __vbaAryDestruct 1501->1503 1505 41374f-413763 1502->1505 1506 41373f-413749 __vbaNew2 1502->1506 1508 413765-41376e __vbaHresultCheckObj 1505->1508 1509 413774-4137ab 1505->1509 1506->1505 1508->1509 1511 4137c3 1509->1511 1512 4137ad-4137c1 __vbaHresultCheckObj 1509->1512 1513 4137c9-4137db __vbaFreeObj 1511->1513 1512->1513 1514 4137ed-413801 1513->1514 1515 4137dd-4137e7 __vbaNew2 1513->1515 1517 413803-41380c __vbaHresultCheckObj 1514->1517 1518 41380e-413824 1514->1518 1515->1514 1517->1518 1520 413834-41387f __vbaStrMove __vbaFreeObj __vbaFpI4 1518->1520 1521 413826-413832 __vbaHresultCheckObj 1518->1521 1520->1503 1523 413881-41388d __vbaHresultCheckObj 1520->1523 1521->1520 1523->1503
        APIs
        • __vbaAryConstruct2.MSVBVM60(?,00403C20,00000005), ref: 004136E5
        • #684.MSVBVM60(00000000,3FF00000,?), ref: 0041371A
        • __vbaFpR8.MSVBVM60 ref: 00413720
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 00413749
        • __vbaHresultCheckObj.MSVBVM60(00000000,02DFED94,00403840,00000014), ref: 0041376E
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,0000013C), ref: 004137BF
        • __vbaFreeObj.MSVBVM60 ref: 004137D2
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 004137E7
        • __vbaHresultCheckObj.MSVBVM60(00000000,02DFED94,00403840,00000014), ref: 0041380C
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,000000E0), ref: 00413832
        • __vbaStrMove.MSVBVM60 ref: 00413841
        • __vbaFreeObj.MSVBVM60 ref: 0041384A
        • __vbaFpI4.MSVBVM60 ref: 00413857
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403524,000002C8), ref: 0041388D
        • __vbaFreeStr.MSVBVM60(004138C6), ref: 004138AD
        • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004138BF
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577257628.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.577240940.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.577248237.0000000000401000.00000020.00020000.sdmp
        • Associated: 00000000.00000002.577264856.0000000000415000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.577272086.0000000000417000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: __vba$CheckHresult$Free$New2$#684Construct2DestructMove
        • String ID: glow
        • API String ID: 1593299173-3934040341
        • Opcode ID: 1069b5b895946aed9e00207bdc8b942d46cd9863ef7ce8f99bfff9e64d5d1113
        • Instruction ID: c034a8e2628488464dc3ecc1f11a6c19abc3ae93189819cb385677796b3c0737
        • Opcode Fuzzy Hash: 1069b5b895946aed9e00207bdc8b942d46cd9863ef7ce8f99bfff9e64d5d1113
        • Instruction Fuzzy Hash: F2514EB0900208ABDB04EF55DD48FDEBBB8FF48701F10846AF505B72A5D778A945CB69
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 1524 412290-4122e5 1526 4122f7-41230b 1524->1526 1527 4122e7-4122f1 __vbaNew2 1524->1527 1529 412320 1526->1529 1530 41230d-41231e __vbaHresultCheckObj 1526->1530 1527->1526 1531 412326-412339 1529->1531 1530->1531 1533 412346-41236c __vbaFreeObj __vbaFPInt __vbaFpR8 1531->1533 1534 41233b-412344 __vbaHresultCheckObj 1531->1534 1535 412372-4123b4 #611 __vbaStrMove #705 __vbaStrMove __vbaFreeVar 1533->1535 1536 412449-412487 __vbaFreeObj __vbaFreeStr * 2 1533->1536 1534->1533 1538 4123c6-4123da 1535->1538 1539 4123b6-4123c0 __vbaNew2 1535->1539 1541 4123e7-41241a 1538->1541 1542 4123dc-4123e5 __vbaHresultCheckObj 1538->1542 1539->1538 1544 41242b-412443 __vbaObjSet __vbaFreeObj 1541->1544 1545 41241c-412425 __vbaHresultCheckObj 1541->1545 1542->1541 1544->1536 1545->1544
        APIs
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 004122F1
        • __vbaHresultCheckObj.MSVBVM60(00000000,02DFED94,00403840,00000014), ref: 0041231C
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,00000078), ref: 00412344
        • __vbaFreeObj.MSVBVM60 ref: 00412349
        • __vbaFPInt.MSVBVM60 ref: 00412355
        • __vbaFpR8.MSVBVM60 ref: 0041235B
        • #611.MSVBVM60 ref: 00412372
        • __vbaStrMove.MSVBVM60 ref: 00412383
        • #705.MSVBVM60(?,00000000), ref: 00412398
        • __vbaStrMove.MSVBVM60 ref: 004123A3
        • __vbaFreeVar.MSVBVM60 ref: 004123A8
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 004123C0
        • __vbaHresultCheckObj.MSVBVM60(00000000,02DFED94,00403840,0000004C), ref: 004123E5
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403A18,0000001C), ref: 00412425
        • __vbaObjSet.MSVBVM60(?,?), ref: 0041243A
        • __vbaFreeObj.MSVBVM60 ref: 00412443
        • __vbaFreeObj.MSVBVM60(00412488), ref: 00412471
        • __vbaFreeStr.MSVBVM60 ref: 00412480
        • __vbaFreeStr.MSVBVM60 ref: 00412485
        Memory Dump Source
        • Source File: 00000000.00000002.577257628.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.577240940.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.577248237.0000000000401000.00000020.00020000.sdmp
        • Associated: 00000000.00000002.577264856.0000000000415000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.577272086.0000000000417000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: __vba$Free$CheckHresult$MoveNew2$#611#705
        • String ID:
        • API String ID: 2896190466-0
        • Opcode ID: 49b4630a707f2342a5147045990a43e246b65d8b4f866a1460666ae8fd124f8c
        • Instruction ID: d391a4a05813d196f3b41ef2035d3b77a2e093932f057023da1d2159a1cef24c
        • Opcode Fuzzy Hash: 49b4630a707f2342a5147045990a43e246b65d8b4f866a1460666ae8fd124f8c
        • Instruction Fuzzy Hash: E4514FB1900208EBCB04DFA5DE48ADEBBB8FF58710F10806AE501B7274DB785945CF68
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 00413A8D
        • __vbaHresultCheckObj.MSVBVM60(00000000,02DFED94,00403840,00000014), ref: 00413AB2
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,00000058), ref: 00413AD6
        • __vbaVarLateMemCallLd.MSVBVM60(?,?,Value,00000000), ref: 00413AEA
        • __vbaStrVarVal.MSVBVM60(?,00000000), ref: 00413AF8
        • #690.MSVBVM60(?,Options,Show Tips at Startup,00000000), ref: 00413B0D
        • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00413B1D
        • __vbaFreeObj.MSVBVM60 ref: 00413B29
        • __vbaFreeVar.MSVBVM60 ref: 00413B32
        • __vbaFreeVar.MSVBVM60(00413B6F), ref: 00413B68
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.577257628.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.577240940.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.577248237.0000000000401000.00000020.00020000.sdmp
        • Associated: 00000000.00000002.577264856.0000000000415000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.577272086.0000000000417000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: __vba$Free$CheckHresult$#690CallLateListNew2
        • String ID: Options$Show Tips at Startup$Value
        • API String ID: 2162649039-3815377432
        • Opcode ID: 4347d6c4b5b30a5c06aec14edad1a7f80699f515177ff788989ab784d0581473
        • Instruction ID: a8408c5436f1b12e350c5f191b60db2351e4512d3e6f363a3fe7afd0b48ebf4c
        • Opcode Fuzzy Hash: 4347d6c4b5b30a5c06aec14edad1a7f80699f515177ff788989ab784d0581473
        • Instruction Fuzzy Hash: 263170B1D40204ABCB04DF95DD49EDEBBBCFF58742F10846AF501B31A1D678AA44CB68
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • #648.MSVBVM60(0000000A), ref: 00411518
        • __vbaFreeVar.MSVBVM60 ref: 00411521
        • #614.MSVBVM60(00000000,40220000), ref: 0041152D
        • __vbaFpR8.MSVBVM60 ref: 00411533
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 0041155C
        • __vbaHresultCheckObj.MSVBVM60(00000000,02DFED94,00403840,00000014), ref: 00411587
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,00000078), ref: 004115AF
        • __vbaFreeObj.MSVBVM60 ref: 004115B4
        • __vbaOnError.MSVBVM60(00000000), ref: 004115BB
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 004115D3
        • __vbaHresultCheckObj.MSVBVM60(00000000,02DFED94,00403840,0000004C), ref: 004115F8
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403A18,0000002C), ref: 00411634
        • __vbaFreeObj.MSVBVM60 ref: 0041163D
        Memory Dump Source
        • Source File: 00000000.00000002.577257628.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.577240940.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.577248237.0000000000401000.00000020.00020000.sdmp
        • Associated: 00000000.00000002.577264856.0000000000415000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.577272086.0000000000417000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: __vba$CheckHresult$Free$New2$#614#648Error
        • String ID:
        • API String ID: 2064784593-0
        • Opcode ID: 01413c3588145e15ec4fe22b9e713819eaf2490bde00e0c87a8d04d01bfc6253
        • Instruction ID: da50b38853fb2f0f83049d9bb978b7cc823b8940e72d00507ba35c6545f4d0dd
        • Opcode Fuzzy Hash: 01413c3588145e15ec4fe22b9e713819eaf2490bde00e0c87a8d04d01bfc6253
        • Instruction Fuzzy Hash: 804140B1900204EBCB00EF55DE89ADEBBB9FF48701F20846AF605B72A1D7789941CF58
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • #648.MSVBVM60(?), ref: 00413938
        • __vbaFreeVar.MSVBVM60 ref: 00413943
        • __vbaStrCmp.MSVBVM60(00403C3C,00000000), ref: 00413954
        • #645.MSVBVM60(?,00000000), ref: 00413975
        • __vbaStrMove.MSVBVM60 ref: 00413980
        • __vbaStrCmp.MSVBVM60(00403C3C,00000000), ref: 0041398C
        • __vbaFreeStr.MSVBVM60 ref: 0041399E
        • __vbaFreeStr.MSVBVM60(00413A0D), ref: 00413A06
        Memory Dump Source
        • Source File: 00000000.00000002.577257628.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.577240940.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.577248237.0000000000401000.00000020.00020000.sdmp
        • Associated: 00000000.00000002.577264856.0000000000415000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.577272086.0000000000417000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: __vba$Free$#645#648Move
        • String ID:
        • API String ID: 2957232524-0
        • Opcode ID: ebe22848a62cf22a25969e5cdfaa40b8b8b7ae6c178ee6de00196ca89a46cc6f
        • Instruction ID: cd3ab74b771bb31ff8d342aba5171423bd133d89f5bceeabd156280509dc92c1
        • Opcode Fuzzy Hash: ebe22848a62cf22a25969e5cdfaa40b8b8b7ae6c178ee6de00196ca89a46cc6f
        • Instruction Fuzzy Hash: 853181B4D00249EBCB00DFA5DA45AEEBBB8EF48701F20811AE955B3260D7745A41CFA4
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_000013F6), ref: 0041139C
        • #696.MSVBVM60(00403A2C), ref: 004113A7
        • __vbaNew2.MSVBVM60(00403850,00415D3C), ref: 004113C9
        • __vbaHresultCheckObj.MSVBVM60(00000000,02DFED94,00403840,00000014), ref: 004113F4
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,000000D0), ref: 00411422
        • __vbaStrMove.MSVBVM60 ref: 00411431
        • __vbaFreeObj.MSVBVM60 ref: 0041143A
        • #535.MSVBVM60 ref: 00411440
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401280,00403554,0000071C), ref: 00411461
        • __vbaFreeStr.MSVBVM60(00411496), ref: 0041148E
        • __vbaFreeStr.MSVBVM60 ref: 00411493
        Memory Dump Source
        • Source File: 00000000.00000002.577248237.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.577240940.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.577257628.000000000040F000.00000020.00020000.sdmp
        • Associated: 00000000.00000002.577264856.0000000000415000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.577272086.0000000000417000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: __vba$CheckFreeHresult$#535#696CopyMoveNew2
        • String ID:
        • API String ID: 4004134498-0
        • Opcode ID: 1651e6fb6217797b40c9043a7beff3e763d77e1a96279e5c9f086e7c6975c4dd
        • Instruction ID: e343998909d23fd7468c35b6fa02ca0f31ec44f9ae87d6ea46fdba3e8aac8156
        • Opcode Fuzzy Hash: 1651e6fb6217797b40c9043a7beff3e763d77e1a96279e5c9f086e7c6975c4dd
        • Instruction Fuzzy Hash: 34315370900209EBCB00DFA5DD89EDEBBB8FF48705F10806AE505B76A0D7785945CF69
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • __vbaNew2.MSVBVM60(00403850,00415D3C,?,?,?,?,?,?,?,?,?,?,004013F6), ref: 004116C4
        • __vbaHresultCheckObj.MSVBVM60(00000000,02DFED94,00403840,00000014,?,?,?,?,?,?,?,?,?,?,004013F6), ref: 004116E9
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403860,00000078,?,?,?,?,?,?,?,?,?,?,004013F6), ref: 0041170D
        • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004013F6), ref: 00411716
        Memory Dump Source
        • Source File: 00000000.00000002.577257628.000000000040F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.577240940.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.577248237.0000000000401000.00000020.00020000.sdmp
        • Associated: 00000000.00000002.577264856.0000000000415000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.577272086.0000000000417000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_OFFER-8768777765554-PDF.jbxd
        Similarity
        • API ID: __vba$CheckHresult$FreeNew2
        • String ID:
        • API String ID: 4261391273-0
        • Opcode ID: d6c556cfac8697e8f7986d476c3bca482dc4f093a247e28c14d290621612ff89
        • Instruction ID: fb602fee9238e94c5567c4f06410567dccd99697fd43e6dfed162ecb77ac7b0d
        • Opcode Fuzzy Hash: d6c556cfac8697e8f7986d476c3bca482dc4f093a247e28c14d290621612ff89
        • Instruction Fuzzy Hash: 331191B1940605ABCB109F95CD4AFEFBBB8FF58701F108466F601B32B0D67C65818BA9
        Uniqueness

        Uniqueness Score: -1.00%