Windows Analysis Report VZghv7yI7g

Overview

General Information

Sample Name: VZghv7yI7g (renamed file extension from none to exe)
Analysis ID: 450819
MD5: 73bb5c4b690b8d6df88d6bc18fb3a553
SHA1: 60adddd91b6038fc9d819cf6d647ce3be0b11d38
SHA256: a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • VZghv7yI7g.exe (PID: 2256 cmdline: 'C:\Users\user\Desktop\VZghv7yI7g.exe' MD5: 73BB5C4B690B8D6DF88D6BC18FB3A553)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bi}"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    AV Detection:

    Found malware configuration
    Source: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bi}"}
    Multi AV Scanner detection for submitted file
    Source: VZghv7yI7g.exe | Virustotal: Detection: 29%
    Source: VZghv7yI7g.exe | ReversingLabs: Detection: 13%
    Source: VZghv7yI7g.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor | URLs: https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bi}
    Source: C:\Users\user\Desktop\VZghv7yI7g.exe | Process Stats: CPU usage > 98%
    Source: VZghv7yI7g.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: VZghv7yI7g.exe, 00000000.00000002.756145297.00000000021F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs VZghv7yI7g.exe
    Source: VZghv7yI7g.exe, 00000000.00000000.226808596.0000000000435000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIndtr8.exe vs VZghv7yI7g.exe
    Source: VZghv7yI7g.exe | Binary or memory string: OriginalFilenameIndtr8.exe vs VZghv7yI7g.exe
    Source: VZghv7yI7g.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: classification engine | Classification label: mal84.troj.evad.winEXE@1/0@0/0
    Source: C:\Users\user\Desktop\VZghv7yI7g.exe | File created: C:\Users\user~1\AppData\Local\Temp\~DF815418FFB8C45D82.TMP
    Source: VZghv7yI7g.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\VZghv7yI7g.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\VZghv7yI7g.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: VZghv7yI7g.exe | Virustotal: Detection: 29%
    Source: VZghv7yI7g.exe | ReversingLabs: Detection: 13%

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match | File source: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\VZghv7yI7g.exe | Code function: 0_2_0040C06E push 00000000h; retf 0_2_0040C0B0
    Source: C:\Users\user\Desktop\VZghv7yI7g.exe | Code function: 0_2_00406625 push ebp; iretd 0_2_0040662F
    Source: C:\Users\user\Desktop\VZghv7yI7g.exe | Code function: 0_2_02253429 push 84000002h; retf 0_2_0225342F
    Source: C:\Users\user\Desktop\VZghv7yI7g.exe | Code function: 0_2_02250095 pushad ; retf 0_2_02250097
    Source: C:\Users\user\Desktop\VZghv7yI7g.exe | Code function: 0_2_0225010B pushad ; retf 0_2_0225010D
    Source: C:\Users\user\Desktop\VZghv7yI7g.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Contains functionality to detect hardware virtualization (CPUID execution measurement)
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)
    Source: C:\Users\user\Desktop\VZghv7yI7g.exe | RDTSC instruction interceptor: First address: 000000000225E352 second address: 000000000225E352 instructions:
    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Users\user\Desktop\VZghv7yI7g.exe | RDTSC instruction interceptor: First address: 000000000225E352 second address: 000000000225E352 instructions:
    Source: C:\Users\user\Desktop\VZghv7yI7g.exe | Code function: 0_2_02255623 rdtsc 0_2_02255623
    Source: C:\Users\user\Desktop\VZghv7yI7g.exe | API coverage: 9.9 %
    Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    Anti Debugging:

    Found potential dummy code loops (likely to delay analysis)
    Source: C:\Users\user\Desktop\VZghv7yI7g.exe | Process Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\VZghv7yI7g.exe | Code function: 0_2_02255623 rdtsc 0_2_02255623
    Source: C:\Users\user\Desktop\VZghv7yI7g.exe | Code function: 0_2_02257AB1 mov eax, dword ptr fs:[00000030h] 0_2_02257AB1
    Source: C:\Users\user\Desktop\VZghv7yI7g.exe | Code function: 0_2_0225A900 mov eax, dword ptr fs:[00000030h] 0_2_0225A900
    Source: C:\Users\user\Desktop\VZghv7yI7g.exe | Code function: 0_2_0225B1FE mov eax, dword ptr fs:[00000030h] 0_2_0225B1FE
    Source: C:\Users\user\Desktop\VZghv7yI7g.exe | Code function: 0_2_0225C5D9 mov eax, dword ptr fs:[00000030h] 0_2_0225C5D9
    Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: VZghv7yI7g.exe, 00000000.00000002.755749327.0000000000DA0000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
    Source: VZghv7yI7g.exe, 00000000.00000002.755749327.0000000000DA0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
    Source: VZghv7yI7g.exe, 00000000.00000002.755749327.0000000000DA0000.00000002.00000001.sdmp | Binary or memory string: Progman
    Source: VZghv7yI7g.exe, 00000000.00000002.755749327.0000000000DA0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
    Source: C:\Users\user\Desktop\VZghv7yI7g.exe | Code function: 0_2_022557A4 cpuid 0_2_022557A4

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 1 | Virtualization/Sandbox Evasion 11 | OS Credential Dumping | Security Software Discovery 41 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 1 | LSASS Memory | Virtualization/Sandbox Evasion 11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 1 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Information Discovery 311 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    VZghv7yI7g.exe | 30% | Virustotal |
    VZghv7yI7g.exe | 13% | ReversingLabs | Win32.Backdoor.Remcos

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label
    https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bi} | 0% | Virustotal |
    https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bi} | 0% | Avira URL Cloud | safe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bi} | true | 0%, Virustotal; Avira URL Cloud: safe | unknown

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version: 33.0.0 White Diamond
    Analysis ID: 450819
    Start date: 19.07.2021
    Start time: 18:34:13
    Joe Sandbox Product: CloudBasic
    Overall analysis duration: 0h 8m 4s
    Hypervisor based Inspection enabled: false
    Report type: full
    Sample file name: VZghv7yI7g (renamed file extension from none to exe)
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed: 28
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Detection: MAL
    Classification: mal84.troj.evad.winEXE@1/0@0/0
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:
    • Successful, ratio: 61.1% (good quality ratio 26.9%)
    • Quality average: 24.1%
    • Quality standard deviation: 32.8%
    HCA Information: Failed
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Override analysis time to 240s for sample files taking high CPU consumption
    Warnings:
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
    • Not all processes were analyzed, report is missing behavior information

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type: PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit): 6.2221702126738
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name: VZghv7yI7g.exe
    File size: 241664
    MD5: 73bb5c4b690b8d6df88d6bc18fb3a553
    SHA1: 60adddd91b6038fc9d819cf6d647ce3be0b11d38
    SHA256: a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66
    SHA512: 9c023dc66d9bcfb2f5bc0274001d92948ac058fc8765d2178907dfd8fb9885ede57acc3836d583ad97516dce1a97c50f081800b41a1f42ea938efb8b23e87567
    SSDEEP: 3072:+3BepJlZa/xao5JKwI7V4R4iUW/qcijw2HJlZapGBR:EiUIo5JKPgU99vHP
    File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...WS.N................. ...................0....@................

    File Icon

    Icon Hash: f8fcd4ccf4e4e8d0

    Static PE Info

    General

    Entrypoint: 0x4019b0
    Entrypoint Section: .text
    Digitally signed: false
    Imagebase: 0x400000
    Subsystem: windows gui
    Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp: 0x4EA15357 [Fri Oct 21 11:11:19 2011 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major: 4
    OS Version Minor: 0
    File Version Major: 4
    File Version Minor: 0
    Subsystem Version Major: 4
    Subsystem Version Minor: 0
    Import Hash: e9f7dd0da1a2a1266893e1ae4ef42b67

    Entrypoint Preview

    Instruction
    push 00408AA0h
    call 00007F7270A60685h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    cmp byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    outsd
    mul byte ptr [ebx+3Fh]
    dec esi
    outsb
    and al, 41h
    mov bl, 08h
    popad
    pop ds
    test al, CEh
    xchg eax, esi
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add dword ptr [eax], eax
    add byte ptr [eax], al
    inc edx
    add byte ptr [esi], al
    push eax
    add dword ptr [ecx], 56h
    jne 00007F7270A60704h
    cmp dword ptr fs:[eax], eax
    add al, byte ptr [eax]
    add byte ptr [eax], al
    add bh, bh
    int3
    xor dword ptr [eax], eax
    xor esp, esp
    push cs
    xchg eax, edx
    test eax, 48C3D75Ah
    mov gs, bx
    test al, CAh
    xor esp, esp
    xor al, 88h
    jecxz 00007F7270A606BAh
    scasb
    and dword ptr [edi-40B94528h], 28h
    cmp dword ptr [edx-38D0AA14h], edi
    cmp cl, byte ptr [edi-53h]
    xor ebx, dword ptr [ecx-48EE309Ah]
    or al, 00h
    stosb
    add byte ptr [eax-2Dh], ah
    xchg eax, ebx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    out 6Fh, eax
    add byte ptr [eax], al
    lea ebp, dword ptr [eax+00h]
    add byte ptr [eax], al
    add al, 00h
    jnc 00007F7270A606FAh
    add byte ptr [41000401h], cl
    jc 00007F7270A606F9h
    jne 00007F7270A60692h
    sbb dword ptr [ecx], eax
    add byte ptr [edx+00h], al
    and al, byte ptr [ecx]
    and ecx, dword ptr [esi+68h]
    add byte ptr [eax], al
    insb

    Data Directories

    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x32234 | 0x28 | .text
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x35000 | 0x6d0a | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1a4 | .text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

    Sections

    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x318a4 | 0x32000 | False | 0.39177734375 | data | 6.3764832494 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data | 0x33000 | 0x1290 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc | 0x35000 | 0x6d0a | 0x7000 | False | 0.481689453125 | data | 5.46300019784 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    Name | RVA | Size | Type | Language | Country
    RT_ICON | 0x3ae62 | 0xea8 | data | |
    RT_ICON | 0x3a5ba | 0x8a8 | data | |
    RT_ICON | 0x39ef2 | 0x6c8 | data | |
    RT_ICON | 0x3998a | 0x568 | GLS_BINARY_LSB_FIRST | |
    RT_ICON | 0x373e2 | 0x25a8 | dBase III DBT, version number 0, next free block index 40 | |
    RT_ICON | 0x3633a | 0x10a8 | data | |
    RT_ICON | 0x359b2 | 0x988 | data | |
    RT_ICON | 0x3554a | 0x468 | GLS_BINARY_LSB_FIRST | |
    RT_GROUP_ICON | 0x354d4 | 0x76 | data | |
    RT_VERSION | 0x35240 | 0x294 | data | English | United States

    Imports

    DLL | Import
    MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaCyStr, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, __vbaDateVar, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

    Version Infos

    Description | Data
    Translation | 0x0409 0x04b0
    LegalCopyright | Socialbakers
    InternalName | Indtr8
    FileVersion | 1.00
    CompanyName | Socialbakers
    LegalTrademarks | Socialbakers
    ProductName | Vurd9
    ProductVersion | 1.00
    OriginalFilename | Indtr8.exe

    Possible Origin

    Language of compilation system | Country where language is spoken
    English | United States

    Network Behavior

    No network behavior found

    System Behavior

    General

    Start time: 18:35:02
    Start date: 19/07/2021
    Path: C:\Users\user\Desktop\VZghv7yI7g.exe
    Wow64 process (32bit): true
    Commandline: 'C:\Users\user\Desktop\VZghv7yI7g.exe'
    Imagebase: 0x400000
    File size: 241664 bytes
    MD5 hash: 73BB5C4B690B8D6DF88D6BC18FB3A553
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: Visual Basic
    Yara matches:
    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Author: Joe Security
    Reputation: low

    Disassembly

    Code Analysis

      Execution Graph

      Execution Coverage: 0.4%
      Dynamic/Decrypted Code Coverage: 71.6%
      Signature Coverage: 56.7%
      Total number of Nodes: 820
      Total number of Limit Nodes: 10

225db0d GetPEB GetPEB GetPEB 15223->15232 15233 225758d 15223->15233 15236 225a900 GetPEB 15223->15236 15225 225b1fe GetPEB 15224->15225 15227 225aae8 15224->15227 15226 225aa31 15225->15226 15226->15227 15228 225b1fe GetPEB 15226->15228 15229 225aa73 15228->15229 15229->15227 15230 225b1fe GetPEB 15229->15230 15230->15227 15231->15223 15232->15223 15234 225db0d 3 API calls 15233->15234 15235 22575bf 15234->15235 15236->15223 15237 225559e 15238 22555a1 15237->15238 15239 22555a6 3 API calls 15238->15239 15245 2250ae5 15239->15245 15240 225c5d9 3 API calls 15240->15245 15241 2250a80 15243 225db0d GetPEB GetPEB GetPEB 15243->15245 15244 225a969 GetPEB GetPEB GetPEB 15244->15245 15245->15240 15245->15241 15245->15243 15245->15244 15246 225a9b8 15245->15246 15253 225758d 15245->15253 15256 225a900 GetPEB 15245->15256 15247 225b1fe GetPEB 15246->15247 15249 225aae8 15246->15249 15248 225aa31 15247->15248 15248->15249 15250 225b1fe GetPEB 15248->15250 15251 225aa73 15250->15251 15251->15249 15252 225b1fe GetPEB 15251->15252 15252->15249 15254 225db0d 3 API calls 15253->15254 15255 22575bf 15254->15255 15256->15245 13993 2256219 13994 2256226 13993->13994 13998 2250ae5 13993->13998 13996 2250a80 13997 225c5d9 3 API calls 13997->13998 13998->13996 13998->13997 13999 225a9b8 13998->13999 14006 225a969 GetPEB GetPEB GetPEB 13998->14006 14007 225db0d GetPEB GetPEB GetPEB 13998->14007 14008 225758d 13998->14008 14011 225a900 GetPEB 13998->14011 14000 225b1fe GetPEB 13999->14000 14002 225aae8 13999->14002 14001 225aa31 14000->14001 14001->14002 14003 225b1fe GetPEB 14001->14003 14004 225aa73 14003->14004 14004->14002 14005 225b1fe GetPEB 14004->14005 14005->14002 14006->13998 14007->13998 14009 225db0d 3 API calls 14008->14009 14010 22575bf 14009->14010 14011->13998 14012 2251664 14021 2251682 14012->14021 14014 2251906 14015 2251928 14014->14015 14034 2250ae5 14014->14034 14017 225a969 3 API calls 14015->14017 14016 225a9b8 14018 225b1fe GetPEB 14016->14018 14022 225aae8 
14016->14022 14024 225193d 14017->14024 14020 225aa31 14018->14020 14019 225c5d9 3 API calls 14019->14034 14020->14022 14023 225b1fe GetPEB 14020->14023 14021->14034 14039 225a969 14021->14039 14025 225aa73 14023->14025 14026 225db0d 3 API calls 14024->14026 14033 2250a80 14024->14033 14025->14022 14027 225b1fe GetPEB 14025->14027 14029 2251ac3 14026->14029 14027->14022 14032 2251b9f 14029->14032 14056 2255f5a 14029->14056 14031 225a969 GetPEB GetPEB GetPEB 14031->14034 14034->14016 14034->14019 14034->14031 14034->14033 14035 225db0d GetPEB GetPEB GetPEB 14034->14035 14036 225758d 14034->14036 14073 225a900 GetPEB 14034->14073 14035->14034 14037 225db0d 3 API calls 14036->14037 14038 22575bf 14037->14038 14040 225a9b8 14039->14040 14048 2250ae5 14039->14048 14041 225b1fe GetPEB 14040->14041 14044 225aae8 14040->14044 14043 225aa31 14041->14043 14042 225c5d9 3 API calls 14042->14048 14043->14044 14045 225b1fe GetPEB 14043->14045 14044->14014 14046 225aa73 14045->14046 14046->14044 14047 225b1fe GetPEB 14046->14047 14047->14044 14048->14039 14048->14042 14049 2250a80 14048->14049 14051 225db0d GetPEB GetPEB GetPEB 14048->14051 14052 225a969 GetPEB GetPEB GetPEB 14048->14052 14053 225758d 14048->14053 14074 225a900 GetPEB 14048->14074 14049->14014 14051->14048 14052->14048 14054 225db0d 3 API calls 14053->14054 14055 22575bf 14054->14055 14055->14014 14060 2250ae5 14056->14060 14057 225c5d9 3 API calls 14057->14060 14058 2250a80 14058->14029 14060->14056 14060->14057 14060->14058 14061 225db0d GetPEB GetPEB GetPEB 14060->14061 14062 225a9b8 14060->14062 14069 225a969 GetPEB GetPEB GetPEB 14060->14069 14070 225758d 14060->14070 14075 225a900 GetPEB 14060->14075 14061->14060 14063 225b1fe GetPEB 14062->14063 14065 225aae8 14062->14065 14064 225aa31 14063->14064 14064->14065 14066 225b1fe GetPEB 14064->14066 14065->14029 14067 225aa73 14066->14067 14067->14065 14068 225b1fe GetPEB 14067->14068 14068->14065 14069->14060 14071 225db0d 3 API calls 14070->14071 14072 
22575bf 14071->14072 14072->14029 14073->14034 14074->14048 14075->14060 14218 42d880 14219 42d8b7 __vbaStrCopy __vbaStrCopy 14218->14219 14220 42d8e8 __vbaNew2 14219->14220 14221 42d8fd __vbaObjSet 14219->14221 14220->14221 14223 42d91e 14221->14223 14224 42d936 __vbaFreeObj 14223->14224 14225 42d924 __vbaHresultCheckObj 14223->14225 14226 42d948 __vbaNew2 14224->14226 14227 42d95d __vbaObjSet 14224->14227 14225->14224 14226->14227 14229 42d97c 14227->14229 14230 42d982 __vbaHresultCheckObj 14229->14230 14231 42d994 __vbaLateIdCallLd __vbaI4Var __vbaFreeObjList __vbaFreeVar 14229->14231 14230->14231 14232 42d9f1 __vbaFreeStr __vbaFreeStr 14231->14232 14233 425c80 #706 __vbaStrMove __vbaFreeStr 14455 425d00 14456 425d3a __vbaOnError 14455->14456 14457 425d53 __vbaNew2 14456->14457 14458 425d68 __vbaObjSet 14456->14458 14457->14458 14460 425d8b 14458->14460 14461 425da3 __vbaFreeObj 14460->14461 14462 425d91 __vbaHresultCheckObj 14460->14462 14463 425dc3 14461->14463 14462->14461 14234 22516e3 14238 2251694 14234->14238 14235 225a969 GetPEB GetPEB GetPEB 14257 2250ae5 14235->14257 14236 225a969 3 API calls 14237 2251906 14236->14237 14239 2251928 14237->14239 14237->14257 14238->14236 14238->14257 14241 225a969 3 API calls 14239->14241 14240 225a9b8 14242 225b1fe GetPEB 14240->14242 14245 225aae8 14240->14245 14248 225193d 14241->14248 14244 225aa31 14242->14244 14243 225c5d9 3 API calls 14243->14257 14244->14245 14247 225b1fe GetPEB 14244->14247 14246 2250a80 14249 225aa73 14247->14249 14248->14246 14250 225db0d 3 API calls 14248->14250 14249->14245 14251 225b1fe GetPEB 14249->14251 14253 2251ac3 14250->14253 14251->14245 14254 2255f5a 3 API calls 14253->14254 14255 2251b9f 14253->14255 14254->14253 14256 225db0d GetPEB GetPEB GetPEB 14256->14257 14257->14235 14257->14240 14257->14243 14257->14246 14257->14256 14258 225758d 14257->14258 14261 225a900 GetPEB 14257->14261 14259 225db0d 3 API calls 14258->14259 14260 22575bf 14259->14260 14261->14257 15027 225156f 
15028 2251573 15027->15028 15029 225db0d 3 API calls 15028->15029 15032 2251651 15028->15032 15029->15032 15030 225a969 3 API calls 15031 2251906 15030->15031 15033 2251928 15031->15033 15052 2250ae5 15031->15052 15032->15030 15032->15052 15035 225a969 3 API calls 15033->15035 15034 225a9b8 15036 225b1fe GetPEB 15034->15036 15039 225aae8 15034->15039 15040 225193d 15035->15040 15038 225aa31 15036->15038 15037 225c5d9 3 API calls 15037->15052 15038->15039 15041 225b1fe GetPEB 15038->15041 15043 225db0d 3 API calls 15040->15043 15051 2250a80 15040->15051 15042 225aa73 15041->15042 15042->15039 15044 225b1fe GetPEB 15042->15044 15047 2251ac3 15043->15047 15044->15039 15045 225a969 GetPEB GetPEB GetPEB 15045->15052 15048 2255f5a 3 API calls 15047->15048 15049 2251b9f 15047->15049 15048->15047 15050 225db0d GetPEB GetPEB GetPEB 15050->15052 15052->15034 15052->15037 15052->15045 15052->15050 15052->15051 15053 225758d 15052->15053 15056 225a900 GetPEB 15052->15056 15054 225db0d 3 API calls 15053->15054 15055 22575bf 15054->15055 15056->15052 14262 22512e8 14263 22512f0 14262->14263 14264 225db0d 3 API calls 14263->14264 14265 22513fb 14264->14265 14266 225a969 3 API calls 14265->14266 14288 2251651 14265->14288 14273 2251480 14266->14273 14267 225a969 3 API calls 14268 2251906 14267->14268 14269 2251928 14268->14269 14290 2250ae5 14268->14290 14271 225a969 3 API calls 14269->14271 14270 225a9b8 14274 225b1fe GetPEB 14270->14274 14277 225aae8 14270->14277 14280 225193d 14271->14280 14272 2250a80 14273->14272 14278 225db0d 3 API calls 14273->14278 14276 225aa31 14274->14276 14275 225c5d9 3 API calls 14275->14290 14276->14277 14279 225b1fe GetPEB 14276->14279 14278->14288 14281 225aa73 14279->14281 14280->14272 14282 225db0d 3 API calls 14280->14282 14281->14277 14283 225b1fe GetPEB 14281->14283 14285 2251ac3 14282->14285 14283->14277 14286 2255f5a 3 API calls 14285->14286 14289 2251b9f 14285->14289 14286->14285 14287 225a969 GetPEB GetPEB GetPEB 14287->14290 14288->14267 
14288->14290 14290->14270 14290->14272 14290->14275 14290->14287 14291 225db0d GetPEB GetPEB GetPEB 14290->14291 14292 225758d 14290->14292 14295 225a900 GetPEB 14290->14295 14291->14290 14293 225db0d 3 API calls 14292->14293 14294 22575bf 14293->14294 14295->14290 15057 2251175 15058 22511c7 15057->15058 15094 2257ab1 GetPEB 15058->15094 15060 22512c1 15061 225a969 3 API calls 15060->15061 15062 22512e1 15061->15062 15063 225db0d 3 API calls 15062->15063 15064 22513fb 15063->15064 15065 225a969 3 API calls 15064->15065 15078 2251651 15064->15078 15071 2251480 15065->15071 15066 225a969 3 API calls 15067 2251906 15066->15067 15068 2251928 15067->15068 15089 2250ae5 15067->15089 15070 225a969 3 API calls 15068->15070 15069 225a9b8 15072 225b1fe GetPEB 15069->15072 15075 225aae8 15069->15075 15080 225193d 15070->15080 15076 2250a80 15071->15076 15077 225db0d 3 API calls 15071->15077 15074 225aa31 15072->15074 15073 225c5d9 3 API calls 15073->15089 15074->15075 15079 225b1fe GetPEB 15074->15079 15077->15078 15078->15066 15078->15089 15081 225aa73 15079->15081 15080->15076 15082 225db0d 3 API calls 15080->15082 15081->15075 15083 225b1fe GetPEB 15081->15083 15085 2251ac3 15082->15085 15083->15075 15087 2255f5a 3 API calls 15085->15087 15088 2251b9f 15085->15088 15086 225a969 GetPEB GetPEB GetPEB 15086->15089 15087->15085 15089->15069 15089->15073 15089->15076 15089->15086 15090 225db0d GetPEB GetPEB GetPEB 15089->15090 15091 225758d 15089->15091 15095 225a900 GetPEB 15089->15095 15090->15089 15092 225db0d 3 API calls 15091->15092 15093 22575bf 15092->15093 15094->15060 15095->15089 14296 425490 14297 4254ca __vbaStrCopy #515 __vbaVarTstNe __vbaFreeVar 14296->14297 14298 425633 __vbaFreeObj __vbaFreeStr 14297->14298 14299 42554d 14297->14299 14300 425565 __vbaNew2 14299->14300 14301 42557a __vbaObjSet 14299->14301 14300->14301 14304 4255a0 14301->14304 14305 4255a6 __vbaHresultCheckObj 14304->14305 14306 4255b8 __vbaLateMemCall __vbaFreeObj 14304->14306 14305->14306 
14306->14298 14482 42dd10 14483 42df0a __vbaFreeVar __vbaFreeStr 14482->14483 14484 42dd68 14482->14484 14485 42dd71 __vbaNew2 14484->14485 14486 42dd86 __vbaObjSet 14484->14486 14485->14486 14489 42dda9 14486->14489 14490 42ddc5 14489->14490 14491 42ddaf __vbaHresultCheckObj 14489->14491 14492 42ddcb __vbaStrToAnsi 14490->14492 14491->14492 14502 40958c 14492->14502 14503 409595 14502->14503 14680 42d590 14681 42d5c7 __vbaCyStr __vbaFpCmpCy 14680->14681 14682 42d5f4 14681->14682 14683 42d6fe __vbaFreeStr __vbaFreeStr 14681->14683 14684 42d5fc __vbaNew2 14682->14684 14686 42d60c 14682->14686 14684->14686 14687 42d622 __vbaHresultCheckObj 14686->14687 14688 42d635 14686->14688 14687->14688 14689 42d653 __vbaHresultCheckObj 14688->14689 14690 42d661 __vbaStrMove __vbaFreeObj 14688->14690 14689->14690 14691 42d694 14690->14691 14692 42d684 __vbaNew2 14690->14692 14693 42d6b5 14691->14693 14694 42d6aa __vbaHresultCheckObj 14691->14694 14692->14691 14695 42d6db __vbaStrMove __vbaFreeObj #531 14693->14695 14696 42d6cd __vbaHresultCheckObj 14693->14696 14694->14693 14695->14683 14696->14695 14697 425190 14698 4251c7 #669 __vbaStrMove __vbaStrCmp __vbaFreeStr 14697->14698 14699 425206 14698->14699 14700 4251fe #568 14698->14700 14700->14699 14076 2251276 14077 225127c 14076->14077 14079 22512e1 14077->14079 14113 2257ab1 GetPEB 14077->14113 14081 225db0d 3 API calls 14079->14081 14080 22512c1 14083 225a969 3 API calls 14080->14083 14082 22513fb 14081->14082 14084 225a969 3 API calls 14082->14084 14105 2251651 14082->14105 14083->14079 14090 2251480 14084->14090 14085 225a969 3 API calls 14086 2251906 14085->14086 14087 2251928 14086->14087 14108 2250ae5 14086->14108 14089 225a969 3 API calls 14087->14089 14088 225a9b8 14091 225b1fe GetPEB 14088->14091 14096 225aae8 14088->14096 14098 225193d 14089->14098 14094 2250a80 14090->14094 14095 225db0d 3 API calls 14090->14095 14093 225aa31 14091->14093 14092 225c5d9 3 API calls 14092->14108 14093->14096 14097 225b1fe GetPEB 
14093->14097 14095->14105 14100 225aa73 14097->14100 14098->14094 14099 225db0d 3 API calls 14098->14099 14103 2251ac3 14099->14103 14100->14096 14101 225b1fe GetPEB 14100->14101 14101->14096 14104 2255f5a 3 API calls 14103->14104 14107 2251b9f 14103->14107 14104->14103 14105->14085 14105->14108 14106 225a969 GetPEB GetPEB GetPEB 14106->14108 14108->14088 14108->14092 14108->14094 14108->14106 14109 225db0d GetPEB GetPEB GetPEB 14108->14109 14110 225758d 14108->14110 14114 225a900 GetPEB 14108->14114 14109->14108 14111 225db0d 3 API calls 14110->14111 14112 22575bf 14111->14112 14113->14080 14114->14108 14701 2255ff1 14713 2250ae5 14701->14713 14702 225c5d9 3 API calls 14702->14713 14703 2250a80 14705 225db0d GetPEB GetPEB GetPEB 14705->14713 14706 225a9b8 14707 225b1fe GetPEB 14706->14707 14709 225aae8 14706->14709 14708 225aa31 14707->14708 14708->14709 14710 225b1fe GetPEB 14708->14710 14711 225aa73 14710->14711 14711->14709 14712 225b1fe GetPEB 14711->14712 14712->14709 14713->14702 14713->14703 14713->14705 14713->14706 14714 225a969 GetPEB GetPEB GetPEB 14713->14714 14715 225758d 14713->14715 14718 225a900 GetPEB 14713->14718 14714->14713 14716 225db0d 3 API calls 14715->14716 14717 22575bf 14716->14717 14718->14713 14908 22518fb 14909 22518fe 14908->14909 14910 225a969 3 API calls 14909->14910 14911 2251906 14910->14911 14912 2251928 14911->14912 14926 2250ae5 14911->14926 14914 225a969 3 API calls 14912->14914 14913 225a9b8 14915 225b1fe GetPEB 14913->14915 14918 225aae8 14913->14918 14920 225193d 14914->14920 14917 225aa31 14915->14917 14916 225c5d9 3 API calls 14916->14926 14917->14918 14919 225b1fe GetPEB 14917->14919 14921 225aa73 14919->14921 14922 225db0d 3 API calls 14920->14922 14924 2250a80 14920->14924 14921->14918 14923 225b1fe GetPEB 14921->14923 14927 2251ac3 14922->14927 14923->14918 14926->14913 14926->14916 14926->14924 14930 225a969 GetPEB GetPEB GetPEB 14926->14930 14931 225db0d GetPEB GetPEB GetPEB 14926->14931 14932 225758d 14926->14932 
14935 225a900 GetPEB 14926->14935 14928 2255f5a 3 API calls 14927->14928 14929 2251b9f 14927->14929 14928->14927 14930->14926 14931->14926 14933 225db0d 3 API calls 14932->14933 14934 22575bf 14933->14934 14935->14926 14307 22536fa 14308 2253737 14307->14308 14314 2250ae5 14308->14314 14326 2253971 14308->14326 14310 225c5d9 3 API calls 14310->14314 14311 2250a80 14313 225db0d GetPEB GetPEB GetPEB 14313->14314 14314->14310 14314->14311 14314->14313 14315 225a9b8 14314->14315 14322 225a969 GetPEB GetPEB GetPEB 14314->14322 14323 225758d 14314->14323 14351 225a900 GetPEB 14314->14351 14316 225b1fe GetPEB 14315->14316 14318 225aae8 14315->14318 14317 225aa31 14316->14317 14317->14318 14319 225b1fe GetPEB 14317->14319 14320 225aa73 14319->14320 14320->14318 14321 225b1fe GetPEB 14320->14321 14321->14318 14322->14314 14324 225db0d 3 API calls 14323->14324 14325 22575bf 14324->14325 14327 22539bd 14326->14327 14328 225db0d 3 API calls 14327->14328 14331 2253b24 14328->14331 14329 225a9b8 14330 225b1fe GetPEB 14329->14330 14334 225aae8 14329->14334 14333 225aa31 14330->14333 14335 225db0d 3 API calls 14331->14335 14345 2250ae5 14331->14345 14332 225c5d9 3 API calls 14332->14345 14333->14334 14336 225b1fe GetPEB 14333->14336 14334->14314 14339 2253d54 14335->14339 14337 225aa73 14336->14337 14337->14334 14340 225b1fe GetPEB 14337->14340 14338 2253efd 14338->14314 14339->14338 14341 2253e83 14339->14341 14339->14345 14340->14334 14342 225db0d 3 API calls 14341->14342 14342->14338 14343 2250a80 14343->14314 14345->14314 14345->14329 14345->14332 14345->14343 14346 225db0d GetPEB GetPEB GetPEB 14345->14346 14347 225a969 GetPEB GetPEB GetPEB 14345->14347 14348 225758d 14345->14348 14352 225a900 GetPEB 14345->14352 14346->14345 14347->14345 14349 225db0d 3 API calls 14348->14349 14350 22575bf 14349->14350 14350->14314 14351->14314 14352->14345 14936 22508c5 14937 22508f7 14936->14937 14938 225a969 3 API calls 14937->14938 14939 2250906 14938->14939 14784 424e20 14785 424e57 
__vbaStrCopy 14784->14785 14786 424e72 __vbaNew2 14785->14786 14787 424e87 __vbaObjSet 14785->14787 14786->14787 14789 424ec6 14787->14789 14790 424ede __vbaFreeObj 14789->14790 14791 424ecc __vbaHresultCheckObj 14789->14791 14792 424ef8 __vbaFreeStr 14790->14792 14791->14790 14940 4256a0 14941 4256d7 __vbaStrCopy __vbaStrCopy 14940->14941 14942 425717 14941->14942 14943 425707 __vbaNew2 14941->14943 14944 425740 14942->14944 14945 42572d __vbaHresultCheckObj 14942->14945 14943->14942 14946 42575e __vbaHresultCheckObj 14944->14946 14947 42576c __vbaI2I4 __vbaFreeObj 14944->14947 14945->14944 14946->14947 14948 425787 __vbaNew2 14947->14948 14949 42579c __vbaObjSet 14947->14949 14948->14949 14951 4257bf 14949->14951 14952 4257d3 __vbaFreeObj 14951->14952 14953 4257c5 __vbaHresultCheckObj 14951->14953 14954 4257f3 __vbaFreeStr __vbaFreeStr 14952->14954 14953->14952 13798 431ea0 13799 431ed7 7 API calls 13798->13799 13818 409490 13799->13818 13801 431f62 8 API calls 13802 43200b __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStr 13801->13802 13803 431fcb #537 __vbaStrMove __vbaInStr 13801->13803 13806 432073 13802->13806 13804 431ff0 #616 __vbaStrMove __vbaFreeStr 13803->13804 13805 43209b __vbaErrorOverflow 13803->13805 13804->13802 13807 4320b0 13805->13807 13808 432117 13807->13808 13809 432107 __vbaNew2 13807->13809 13810 43212d __vbaHresultCheckObj 13808->13810 13811 432140 13808->13811 13809->13808 13810->13811 13812 43215e __vbaHresultCheckObj 13811->13812 13813 43216c __vbaStrMove __vbaFreeObj #598 __vbaStrCopy 13811->13813 13812->13813 13814 4321ad 13813->13814 13815 4321b1 __vbaHresultCheckObj 13814->13815 13816 4321bf __vbaFreeStrList 13814->13816 13815->13816 13817 4321fd __vbaFreeStr 13816->13817 13819 409499 13818->13819 14115 2251a43 14117 2251a4c 14115->14117 14116 225db0d 3 API calls 14118 2251ac0 14116->14118 14117->14116 14117->14118 14119 2255f5a 3 API calls 14118->14119 14120 2251b9f 14118->14120 14119->14118 15266 2253dc3 15267 
2253dc5 15266->15267 15268 2253e83 15267->15268 15283 2250ae5 15267->15283 15270 225db0d 3 API calls 15268->15270 15269 225a9b8 15272 225b1fe GetPEB 15269->15272 15275 225aae8 15269->15275 15271 2253efd 15270->15271 15274 225aa31 15272->15274 15273 225c5d9 3 API calls 15273->15283 15274->15275 15276 225b1fe GetPEB 15274->15276 15277 225aa73 15276->15277 15277->15275 15278 225b1fe GetPEB 15277->15278 15278->15275 15279 2250a80 15281 225a969 GetPEB GetPEB GetPEB 15281->15283 15282 225db0d GetPEB GetPEB GetPEB 15282->15283 15283->15269 15283->15273 15283->15279 15283->15281 15283->15282 15284 225758d 15283->15284 15287 225a900 GetPEB 15283->15287 15285 225db0d 3 API calls 15284->15285 15286 22575bf 15285->15286 15287->15283 14522 225634e 14523 2256354 14522->14523 14536 2250ae5 14523->14536 14542 225a900 GetPEB 14523->14542 14525 225c5d9 3 API calls 14525->14536 14526 2250a80 14528 225a9b8 14529 225b1fe GetPEB 14528->14529 14531 225aae8 14528->14531 14530 225aa31 14529->14530 14530->14531 14532 225b1fe GetPEB 14530->14532 14533 225aa73 14532->14533 14533->14531 14534 225b1fe GetPEB 14533->14534 14534->14531 14535 225a969 GetPEB GetPEB GetPEB 14535->14536 14536->14525 14536->14526 14536->14528 14536->14535 14537 225db0d GetPEB GetPEB GetPEB 14536->14537 14538 225758d 14536->14538 14541 225a900 GetPEB 14536->14541 14537->14536 14539 225db0d 3 API calls 14538->14539 14540 22575bf 14539->14540 14541->14536 14542->14536 13796 4019b0 #100 13797 4019ef 13796->13797 15096 2256955 15097 225db0d 3 API calls 15096->15097 15099 2250ae5 15096->15099 15097->15099 15098 225c5d9 3 API calls 15098->15099 15099->15098 15100 2250a80 15099->15100 15102 225a9b8 15099->15102 15105 225a969 GetPEB GetPEB GetPEB 15099->15105 15110 225db0d GetPEB GetPEB GetPEB 15099->15110 15111 225758d 15099->15111 15114 225a900 GetPEB 15099->15114 15103 225b1fe GetPEB 15102->15103 15106 225aae8 15102->15106 15104 225aa31 15103->15104 15104->15106 15107 225b1fe GetPEB 15104->15107 15105->15099 15108 225aa73 
15107->15108 15108->15106 15109 225b1fe GetPEB 15108->15109 15109->15106 15110->15099 15112 225db0d 3 API calls 15111->15112 15113 22575bf 15112->15113 15114->15099 14130 425830 __vbaStrCopy __vbaStrCopy __vbaStrCopy __vbaCyStr __vbaFpCmpCy 14131 4258a7 __vbaFreeStr __vbaFreeStr __vbaFreeStr 14130->14131 14132 42589f #569 14130->14132 14132->14131 14543 424930 14544 424967 __vbaStrCopy 14543->14544 14545 424988 __vbaNew2 14544->14545 14546 42499d __vbaObjSet 14544->14546 14545->14546 14548 4249c3 __vbaNew2 14546->14548 14549 4249d8 __vbaObjSet 14546->14549 14548->14549 14551 4249f7 14549->14551 14552 424a0f 14551->14552 14553 4249fd __vbaHresultCheckObj 14551->14553 14554 424a4f __vbaFreeStr __vbaFreeObjList 14552->14554 14555 424a3d __vbaHresultCheckObj 14552->14555 14553->14552 14556 424a8f __vbaFreeStr 14554->14556 14555->14554 14829 42da30 14830 42da6a __vbaStrCopy __vbaLenBstrB 14829->14830 14831 42dbd1 __vbaFreeStr 14830->14831 14832 42daa5 #680 __vbaFreeVarList 14830->14832 14834 42db17 14832->14834 14835 42db07 __vbaNew2 14832->14835 14836 42db3c 14834->14836 14837 42db2d __vbaHresultCheckObj 14834->14837 14835->14834 14838 42db57 __vbaHresultCheckObj 14836->14838 14839 42db69 __vbaFreeObj __vbaVarDup #595 __vbaFreeVarList 14836->14839 14837->14836 14838->14839 14839->14831 15133 424f30 15134 424f67 15133->15134 15135 424f76 __vbaNew2 15134->15135 15136 424f8b __vbaObjSet 15134->15136 15135->15136 15138 424fcf 15136->15138 15139 424fe7 __vbaFreeObj 15138->15139 15140 424fd5 __vbaHresultCheckObj 15138->15140 15141 425008 15139->15141 15140->15139 14389 40bcb9 14390 42d010 #527 __vbaStrMove __vbaStrCmp __vbaFreeStr 14389->14390 14391 42d368 __vbaFreeStr 14390->14391 14392 42d09d 14390->14392 14393 42d0b5 __vbaHresultCheckObj 14392->14393 14394 42d0a5 __vbaNew2 14392->14394 14397 42d0e4 14393->14397 14394->14393 14398 42d10a __vbaFreeObj 14397->14398 14399 42d0fc __vbaHresultCheckObj 14397->14399 14400 42d12b 14398->14400 14401 42d11b __vbaNew2 14398->14401 
14399->14398 14402 42d141 __vbaHresultCheckObj 14400->14402 14403 42d14c 14400->14403 14401->14400 14402->14403 14404 42d172 __vbaStrMove __vbaFreeObj 14403->14404 14405 42d164 __vbaHresultCheckObj 14403->14405 14406 42d193 __vbaNew2 14404->14406 14407 42d1a8 __vbaObjSet 14404->14407 14405->14404 14406->14407 14409 42d1cd 14407->14409 14410 42d1d3 __vbaHresultCheckObj 14409->14410 14411 42d1e1 __vbaLateIdCallLd 14409->14411 14410->14411 14412 42d201 __vbaNew2 14411->14412 14413 42d216 __vbaObjSet 14411->14413 14412->14413 14415 42d235 14413->14415 14416 42d23b __vbaHresultCheckObj 14415->14416 14417 42d24d __vbaLateIdCallLd 14415->14417 14416->14417 14418 42d267 __vbaNew2 14417->14418 14419 42d27c __vbaObjSet 14417->14419 14418->14419 14421 42d29b 14419->14421 14422 42d2b3 __vbaFpI4 __vbaI4Var __vbaI4Var 14421->14422 14423 42d2a1 __vbaHresultCheckObj 14421->14423 14424 42d321 14422->14424 14423->14422 14425 42d327 __vbaHresultCheckObj 14424->14425 14426 42d339 __vbaFreeObjList __vbaFreeVarList 14424->14426 14425->14426 14426->14391 15142 225555e 15143 2255564 15142->15143 15144 22555a6 3 API calls 15143->15144 15153 2250a80 15143->15153 15155 2250ae5 15143->15155 15144->15155 15145 225a9b8 15147 225b1fe GetPEB 15145->15147 15149 225aae8 15145->15149 15146 225c5d9 3 API calls 15146->15155 15148 225aa31 15147->15148 15148->15149 15150 225b1fe GetPEB 15148->15150 15151 225aa73 15150->15151 15151->15149 15152 225b1fe GetPEB 15151->15152 15152->15149 15155->15145 15155->15146 15155->15153 15156 225a969 GetPEB GetPEB GetPEB 15155->15156 15157 225db0d GetPEB GetPEB GetPEB 15155->15157 15158 225758d 15155->15158 15161 225a900 GetPEB 15155->15161 15156->15155 15157->15155 15159 225db0d 3 API calls 15158->15159 15160 22575bf 15159->15160 15161->15155

      Executed Functions

      Control-flow Graph

      APIs
      • #607.MSVBVM60(?,000000FF,?), ref: 00431F02
      • __vbaStrVarMove.MSVBVM60(?), ref: 00431F0C
      • __vbaStrMove.MSVBVM60 ref: 00431F1D
      • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00431F29
      • __vbaLenBstr.MSVBVM60(?), ref: 00431F36
      • __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00431F45
      • __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00431F56
      • __vbaSetSystemError.MSVBVM60(00000000,?,00000000), ref: 00431F62
      • __vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 00431F6D
      • __vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 00431F7B
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 00431F8B
      • #537.MSVBVM60(00000000,?,00000001), ref: 00431F9B
      • __vbaStrMove.MSVBVM60 ref: 00431FA6
      • __vbaInStr.MSVBVM60(00000000,00000000), ref: 00431FAA
      • __vbaFreeStr.MSVBVM60 ref: 00431FBF
      • #537.MSVBVM60(00000000,?,00000001), ref: 00431FD2
      • __vbaStrMove.MSVBVM60 ref: 00431FDD
      • __vbaInStr.MSVBVM60(00000000,00000000), ref: 00431FE1
      • #616.MSVBVM60(?,-00000001), ref: 00431FF5
      • __vbaStrMove.MSVBVM60 ref: 00432000
      • __vbaFreeStr.MSVBVM60 ref: 00432005
      • __vbaStrCat.MSVBVM60(00409DE8), ref: 00432019
      • __vbaStrMove.MSVBVM60 ref: 00432020
      • __vbaStrCat.MSVBVM60(?,00000000), ref: 00432027
      • __vbaStrMove.MSVBVM60 ref: 0043202E
      • __vbaFreeStr.MSVBVM60 ref: 00432033
      • __vbaErrorOverflow.MSVBVM60 ref: 0043209B
      • __vbaNew2.MSVBVM60(004099E4,004333CC), ref: 00432111
      • __vbaHresultCheckObj.MSVBVM60(00000000,0221E9C4,004099D4,00000014), ref: 0043213C
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00409AAC,00000110), ref: 0043216A
      • __vbaStrMove.MSVBVM60 ref: 00432179
      • __vbaFreeObj.MSVBVM60 ref: 00432182
      • #598.MSVBVM60 ref: 00432188
      • __vbaStrCopy.MSVBVM60 ref: 00432196
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$Move$Free$#537AnsiCheckErrorHresultListUnicode$#598#607#616BstrCopyNew2OverflowSystem
      • String ID: USERNAME$t C
      • API String ID: 840069314-3777059254
      • Opcode ID: a3b342e919a1a8fd3be96d1848f7520cde65d15482966a36ab44b11bbf525f84
      • Instruction ID: 0fd07a5d85aa539f9dcc35f6e74ce1594001623a02bd67e862191e9ac8a6b72a
      • Opcode Fuzzy Hash: a3b342e919a1a8fd3be96d1848f7520cde65d15482966a36ab44b11bbf525f84
      • Instruction Fuzzy Hash: 2091FF75900209AFDB04DFA5DD89DEFBBB8FF48700F10812AF606A72A1DB785945CB64
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • __vbaNew2.MSVBVM60(004099E4,004333CC), ref: 00432111
      • __vbaHresultCheckObj.MSVBVM60(00000000,0221E9C4,004099D4,00000014), ref: 0043213C
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00409AAC,00000110), ref: 0043216A
      • __vbaStrMove.MSVBVM60 ref: 00432179
      • __vbaFreeObj.MSVBVM60 ref: 00432182
      • #598.MSVBVM60 ref: 00432188
      • __vbaStrCopy.MSVBVM60 ref: 00432196
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401730,00409170,0000074C), ref: 004321BD
      • __vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 004321C9
      • __vbaFreeStr.MSVBVM60(00432207), ref: 00432200
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresult$#598CopyListMoveNew2
      • String ID: USERNAME$t C
      • API String ID: 3664798572-3777059254
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 44 4019b0-4019ed #100 45 401a61-401a66 44->45 46 4019ef-401a5c 44->46 48 401a68-401ac4 45->48 49 401acf-401b57 45->49 50 401ac6-401ace 46->50 51 401a5e 46->51 48->50 50->49 51->45
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: #100
      • String ID: VB5!6&*
      • API String ID: 1341478452-3593831657
      Uniqueness

      Uniqueness Score: -1.00%

      Non-executed Functions

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: (B$Ne
      • API String ID: 0-228057021
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: (B$Ne
      • API String ID: 0-228057021
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: (B$Ne
      • API String ID: 0-228057021
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: (B$Ne
      • API String ID: 0-228057021
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: (B$Ne
      • API String ID: 0-228057021
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: (B$Ne
      • API String ID: 0-228057021
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: (B$Ne
      • API String ID: 0-228057021
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: (B$Ne
      • API String ID: 0-228057021
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: (B$Ne
      • API String ID: 0-228057021
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: (B$Ne
      • API String ID: 0-228057021
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: (B$Ne
      • API String ID: 0-228057021
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: (B$Ne
      • API String ID: 0-228057021
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: (B$Ne
      • API String ID: 0-228057021
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: Ne
      • API String ID: 0-3071501248
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: Ne
      • API String ID: 0-3071501248
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: Ne
      • API String ID: 0-3071501248
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: Ne
      • API String ID: 0-3071501248
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: Ne
      • API String ID: 0-3071501248
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: rHGk
      • API String ID: 0-4221766241
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: rHGk
      • API String ID: 0-4221766241
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: Ne
      • API String ID: 0-3071501248
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: Ne
      • API String ID: 0-3071501248
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: Ne
      • API String ID: 0-3071501248
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: Ne
      • API String ID: 0-3071501248
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: rHGk
      • API String ID: 0-4221766241
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: Ne
      • API String ID: 0-3071501248
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: Ne
      • API String ID: 0-3071501248
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: rHGk
      • API String ID: 0-4221766241
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: Ne
      • API String ID: 0-3071501248
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: %zON
      • API String ID: 0-155931339
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: Ne
      • API String ID: 0-3071501248
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: Ne
      • API String ID: 0-3071501248
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: Npl~
      • API String ID: 0-1888215250
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: Ne
      • API String ID: 0-3071501248
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: Ne
      • API String ID: 0-3071501248
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: Ne
      • API String ID: 0-3071501248
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: Ne
      • API String ID: 0-3071501248
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: Ne
      • API String ID: 0-3071501248
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: Au
      • API String ID: 0-2295654664
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: }l"
      • API String ID: 0-1801363258
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.756540382.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2250000_VZghv7yI7g.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • #527.MSVBVM60(00409D58), ref: 0042D064
      • __vbaStrMove.MSVBVM60 ref: 0042D06F
      • __vbaStrCmp.MSVBVM60(00409D60,00000000), ref: 0042D07B
      • __vbaFreeStr.MSVBVM60 ref: 0042D08E
      • __vbaNew2.MSVBVM60(004099E4,004333CC), ref: 0042D0AF
      • __vbaHresultCheckObj.MSVBVM60(00000000,0221E9C4,004099D4,00000014), ref: 0042D0DA
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00409AAC,000000B8), ref: 0042D108
      • __vbaFreeObj.MSVBVM60 ref: 0042D10D
      • __vbaNew2.MSVBVM60(004099E4,004333CC), ref: 0042D125
      • __vbaHresultCheckObj.MSVBVM60(00000000,0221E9C4,004099D4,00000014), ref: 0042D14A
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00409AAC,00000110), ref: 0042D170
      • __vbaStrMove.MSVBVM60 ref: 0042D17B
      • __vbaFreeObj.MSVBVM60 ref: 0042D184
      • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 0042D19D
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0042D1BC
      • __vbaFreeStr.MSVBVM60(0042D3B3), ref: 0042D3AC
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresult$New2$Move$#527
      • String ID:
      • API String ID: 487870899-0
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 0042DD7B
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0042DD94
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409954,00000150), ref: 0042DDC1
      • __vbaStrToAnsi.MSVBVM60(?,?,008039A4), ref: 0042DDD8
      • __vbaSetSystemError.MSVBVM60(003989DE,00000000), ref: 0042DDEC
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042DE0E
      • __vbaFreeObj.MSVBVM60 ref: 0042DE1A
      • #702.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0042DE43
      • __vbaStrMove.MSVBVM60 ref: 0042DE4E
      • __vbaFreeVar.MSVBVM60 ref: 0042DE5D
      • __vbaNew2.MSVBVM60(004099E4,004333CC), ref: 0042DE72
      • __vbaHresultCheckObj.MSVBVM60(00000000,0221E9C4,004099D4,00000014), ref: 0042DE97
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00409AAC,00000118), ref: 0042DEBD
      • __vbaI2I4.MSVBVM60 ref: 0042DEC2
      • __vbaFreeObj.MSVBVM60 ref: 0042DECB
      • __vbaVarDup.MSVBVM60 ref: 0042DEE5
      • #666.MSVBVM60(?,00000002), ref: 0042DEF3
      • __vbaVarMove.MSVBVM60 ref: 0042DEFF
      • __vbaFreeVar.MSVBVM60 ref: 0042DF08
      • __vbaFreeVar.MSVBVM60(0042DF5B), ref: 0042DF4B
      • __vbaFreeStr.MSVBVM60 ref: 0042DF54
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresult$MoveNew2$#666#702AnsiErrorListSystem
      • String ID: HENRIVENDE$zS
      • API String ID: 309366762-2729703279
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • __vbaCyStr.MSVBVM60(00409AC0,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D5D8
      • __vbaFpCmpCy.MSVBVM60(00000000), ref: 0042D5E6
      • __vbaNew2.MSVBVM60(004099E4,004333CC), ref: 0042D606
      • __vbaHresultCheckObj.MSVBVM60(00000000,0221E9C4,004099D4,00000014), ref: 0042D631
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00409AAC,00000130), ref: 0042D65F
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D670
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D675
      • __vbaNew2.MSVBVM60(004099E4,004333CC), ref: 0042D68E
      • __vbaHresultCheckObj.MSVBVM60(00000000,0221E9C4,004099D4,00000014), ref: 0042D6B3
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00409AAC,000000D0), ref: 0042D6D9
      • __vbaStrMove.MSVBVM60 ref: 0042D6E8
      • __vbaFreeObj.MSVBVM60 ref: 0042D6ED
      • #531.MSVBVM60(kantatens), ref: 0042D6F8
      • __vbaFreeStr.MSVBVM60(0042D72A), ref: 0042D722
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D727
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresult$MoveNew2$#531
      • String ID: kantatens
      • API String ID: 1829431787-1394988495
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • __vbaStrCopy.MSVBVM60 ref: 004254F9
      • #515.MSVBVM60(?,?,00000002), ref: 00425516
      • __vbaVarTstNe.MSVBVM60(?,?), ref: 00425532
      • __vbaFreeVar.MSVBVM60 ref: 0042553E
      • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 0042556F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00425588
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A48,000000C0), ref: 004255B2
      • __vbaLateMemCall.MSVBVM60(?,bJwKrGImpGgg9mRQCArwzZIt8,00000003), ref: 00425621
      • __vbaFreeObj.MSVBVM60 ref: 0042562D
      • __vbaFreeObj.MSVBVM60(00425671), ref: 00425661
      • __vbaFreeStr.MSVBVM60 ref: 0042566A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$Free$#515CallCheckCopyHresultLateNew2
      • String ID: Kricketbold2$bJwKrGImpGgg9mRQCArwzZIt8$var
      • API String ID: 3144308283-2350849782
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • __vbaStrCopy.MSVBVM60 ref: 0042DA8B
      • __vbaLenBstrB.MSVBVM60(00409D90), ref: 0042DA96
      • #680.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,40490000,?,?,?), ref: 0042DADF
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0042DAF5
      • __vbaNew2.MSVBVM60(004099E4,004333CC), ref: 0042DB11
      • __vbaHresultCheckObj.MSVBVM60(00000000,0221E9C4,004099D4,00000014), ref: 0042DB36
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00409AAC,000000C8), ref: 0042DB63
      • __vbaFreeObj.MSVBVM60 ref: 0042DB6C
      • __vbaVarDup.MSVBVM60 ref: 0042DB98
      • #595.MSVBVM60(?,00000000,?,?,?), ref: 0042DBB0
      • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042DBC8
      • __vbaFreeStr.MSVBVM60(0042DC08), ref: 0042DC01
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresultList$#595#680BstrCopyNew2
      • String ID: hjrekant
      • API String ID: 4058102471-1475739938
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D8D5
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D8DD
      • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 0042D8F2
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0042D911
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409B10,000001C8), ref: 0042D930
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D939
      • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 0042D952
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0042D96B
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409D7C,00000100), ref: 0042D98E
      • __vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0042D99E
      • __vbaI4Var.MSVBVM60(00000000), ref: 0042D9A8
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042D9BB
      • __vbaFreeVar.MSVBVM60 ref: 0042D9C7
      • __vbaFreeStr.MSVBVM60(0042DA02), ref: 0042D9FA
      • __vbaFreeStr.MSVBVM60 ref: 0042D9FF
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$Free$CheckCopyHresultNew2$CallLateList
      • String ID:
      • API String ID: 244069345-0
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 004256F5
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 004256FD
      • __vbaNew2.MSVBVM60(004099E4,004333CC), ref: 00425711
      • __vbaHresultCheckObj.MSVBVM60(00000000,0221E9C4,004099D4,00000014), ref: 0042573C
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00409AAC,00000118), ref: 0042576A
      • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042576F
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425778
      • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 00425791
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004257AA
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A48,000000C8), ref: 004257D1
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 004257DC
      • __vbaFreeStr.MSVBVM60(00425804), ref: 004257FC
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425801
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresult$CopyNew2
      • String ID:
      • API String ID: 336985134-0
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 0042D41D
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0042D43C
      • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 0042D458
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0042D471
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A04,00000130), ref: 0042D494
      • __vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0042D4C3
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 0042D4CD
      • __vbaStrMove.MSVBVM60 ref: 0042D4D8
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409964,000001EC), ref: 0042D4F8
      • __vbaFreeStr.MSVBVM60 ref: 0042D501
      • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0042D515
      • __vbaFreeVar.MSVBVM60 ref: 0042D521
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresultMoveNew2$CallLateList
      • String ID:
      • API String ID: 3081447974-0
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • __vbaStrCopy.MSVBVM60 ref: 00424979
      • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 00424992
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004249B1
      • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 004249CD
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004249E6
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409954,000000F0), ref: 00424A09
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409964,000001EC), ref: 00424A49
      • __vbaFreeStr.MSVBVM60 ref: 00424A52
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00424A62
      • __vbaFreeStr.MSVBVM60(00424A99), ref: 00424A92
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresultNew2$CopyList
      • String ID:
      • API String ID: 4130517723-0
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 231 425830-42589d __vbaStrCopy * 3 __vbaCyStr __vbaFpCmpCy 232 4258a7-4258c2 __vbaFreeStr * 3 231->232 233 42589f-4258a1 #569 231->233 233->232
      APIs
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 00425870
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 00425878
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 00425880
      • __vbaCyStr.MSVBVM60(00409AC0,?,?,?,?,?,?,?,00401746), ref: 00425887
      • __vbaFpCmpCy.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00401746), ref: 00425895
      • #569.MSVBVM60(0000002F,?,?,?,?,?,?,?,?,00401746), ref: 004258A1
      • __vbaFreeStr.MSVBVM60(004258C3,?,?,?,?,?,?,?,?,00401746), ref: 004258B6
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 004258BB
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 004258C0
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$CopyFree$#569
      • String ID:
      • API String ID: 3911904416-0
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 00424C24
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00424C3D
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409974,000001CC), ref: 00424CC4
      • __vbaFreeObj.MSVBVM60 ref: 00424CD3
      • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 00424CE8
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00424D01
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409954,000001C8), ref: 00424D28
      • __vbaFreeObj.MSVBVM60 ref: 00424D37
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresultNew2
      • String ID:
      • API String ID: 1645334062-0
      • Opcode ID: 82f292988a600778a974090e1fa1679200118610c53313007266a650490cac74
      • Instruction ID: d1ecdfbbf56c062021e6928b3cd5bc998c80f1fdfa5d5ae707005e099290dd8c
      • Opcode Fuzzy Hash: 82f292988a600778a974090e1fa1679200118610c53313007266a650490cac74
      • Instruction Fuzzy Hash: CF4160B4A012049FCB08DFA9D989A9ABBF4FF4C701F10846AE505EB365D7389901CFA4
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • #672.MSVBVM60(00000000,40080000,00000000,3FF00000,00000000,3FF00000,00000000,3FF00000), ref: 004252A1
      • __vbaFpR8.MSVBVM60 ref: 004252A7
      • __vbaNew2.MSVBVM60(004099E4,004333CC), ref: 004252D0
      • __vbaHresultCheckObj.MSVBVM60(00000000,0221E9C4,004099D4,0000001C), ref: 004252F5
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004099F4,0000005C), ref: 00425339
      • __vbaStrMove.MSVBVM60 ref: 0042534C
      • __vbaFreeObj.MSVBVM60 ref: 00425355
      • __vbaFreeStr.MSVBVM60(0042538E), ref: 00425387
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresult$#672MoveNew2
      • String ID:
      • API String ID: 2213023555-0
      • Opcode ID: d03bc499453449d9573a4e8ef43a5397d45b3028cbeedebbf62b4f665515c7fc
      • Instruction ID: a290a1b5633ba569a80f4364f7eb58ab6e41390aae3439afe5c06b49b155ed99
      • Opcode Fuzzy Hash: d03bc499453449d9573a4e8ef43a5397d45b3028cbeedebbf62b4f665515c7fc
      • Instruction Fuzzy Hash: 24314EB0900609ABCB10DF95DD88B9EBBB8FF48740F20805AE905B72A4C7785941CFA9
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaNew2.MSVBVM60(0040A14C,00433010,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431D94
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431DB3
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409974,000001C8), ref: 00431DF2
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431E01
      • __vbaNew2.MSVBVM60(0040A14C,00433010,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431E16
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431E2F
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A04,00000088), ref: 00431E52
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431E61
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresultNew2
      • String ID:
      • API String ID: 1645334062-0
      • Opcode ID: 2f3f9f7953b95640d5d1df3913257cee278f01467711dc498cf2c8fcb9e06386
      • Instruction ID: 116ad077078038e6493d67b0fe859829927b69f7f06258b5196f1853de7dd26e
      • Opcode Fuzzy Hash: 2f3f9f7953b95640d5d1df3913257cee278f01467711dc498cf2c8fcb9e06386
      • Instruction Fuzzy Hash: AE316274A40304ABCB14DFA9C989F9ABBB8FF4C701F108529F545E73A5D7389901CBA9
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424B0C
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424B14
      • __vbaNew2.MSVBVM60(0040A14C,00433010,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424B29
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424B42
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409954,00000220), ref: 00424B85
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424B8E
      • __vbaFreeStr.MSVBVM60(00424BB6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424BAE
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424BB3
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$Free$Copy$CheckHresultNew2
      • String ID:
      • API String ID: 1874231197-0
      • Opcode ID: b3de2741a884ba66c6e0dc536366742fc49d0bd61385298be0de65dd2914f2d8
      • Instruction ID: 5322bd1987205389bf6d946a79716689a0e8260190b249c2e899f9ee9d0b38b0
      • Opcode Fuzzy Hash: b3de2741a884ba66c6e0dc536366742fc49d0bd61385298be0de65dd2914f2d8
      • Instruction Fuzzy Hash: 6F215175E00219DFCB04DFA9D989A9EBFB8FF4C300F10816AE515A72A5C778A941CF94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 20%
      			E00424F30(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
      				char _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				char _v28;
      				char _v32;
      				intOrPtr _v36;
      				intOrPtr _v44;
      				intOrPtr* _t19;
      				intOrPtr* _t21;
      				intOrPtr* _t23;
      				void* _t26;
      				intOrPtr* _t28;
      				intOrPtr* _t38;
      				void* _t39;
      				void* _t41;
      				intOrPtr _t42;
      				intOrPtr _t43;
      
      				_t42 = _t41 - 0xc;
      				 *[fs:0x0] = _t42;
      				_t43 = _t42 - 0x28;
      				_v16 = _t43;
      				_v12 = 0x401208;
      				_v8 = 0;
      				_t19 = _a4;
      				 *((intOrPtr*)( *_t19 + 4))(_t19, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t39);
      				_t21 =  *0x433010; // 0x71fc98
      				_v28 = 0;
      				_v32 = 0;
      				if(_t21 == 0) {
      					__imp____vbaNew2(0x40a14c, 0x433010);
      					_t21 =  *0x433010; // 0x71fc98
      				}
      				_t23 =  &_v32;
      				__imp____vbaObjSet(_t23,  *((intOrPtr*)( *_t21 + 0x354))(_t21));
      				_t28 = _t43 - 0x10;
      				 *_t28 = 0xa;
      				_t38 = _t23;
      				 *((intOrPtr*)(_t28 + 4)) = _v44;
      				 *((intOrPtr*)(_t28 + 8)) = 0x80020004;
      				 *((intOrPtr*)(_t28 + 0xc)) = _v36;
      				_t26 =  *((intOrPtr*)( *_t38 + 0x1ec))(_t38, L"PHACOCELE");
      				asm("fclex");
      				if(_t26 < 0) {
      					__imp____vbaHresultCheckObj(_t26, _t38, 0x409964, 0x1ec);
      				}
      				__imp____vbaFreeObj();
      				_v28 = 0x2be5;
      				_push(0x425009);
      				return _t26;
      			}

      APIs
      • __vbaNew2.MSVBVM60(0040A14C,00433010,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424F80
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424F99
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409964,000001EC), ref: 00424FE1
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424FEA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresultNew2
      • String ID: PHACOCELE$+
      • API String ID: 1645334062-1228347243
      • Opcode ID: 12b9ce720c898f97ba00850c8f5fb71147afbdd739971cbbb8621d5f4e07d0e8
      • Instruction ID: d59e37c62d2e5d766b26790879dabc63d50207eaaf69630922185673f52cbc59
      • Opcode Fuzzy Hash: 12b9ce720c898f97ba00850c8f5fb71147afbdd739971cbbb8621d5f4e07d0e8
      • Instruction Fuzzy Hash: 972180B4A00304ABCB04DF99DD89B9ABBB8FB49701F10856AF505E7291C3789901CB94
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaVarDup.MSVBVM60 ref: 00425A27
      • #687.MSVBVM60(?,?), ref: 00425A35
      • __vbaDateVar.MSVBVM60(?), ref: 00425A3F
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00425A51
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$#687DateFreeList
      • String ID: 7-7-7$Lu
      • API String ID: 3303533072-1249225327
      • Opcode ID: facbad71416659fbb2e9bc7a4ffa1e8d0139a3acc9ad01944beeb1cc8f9dcaa8
      • Instruction ID: 8ca2dbe8ab4f1f5649ded12f3ea8614846f4dd31889bb755d75bc59398dcdd18
      • Opcode Fuzzy Hash: facbad71416659fbb2e9bc7a4ffa1e8d0139a3acc9ad01944beeb1cc8f9dcaa8
      • Instruction Fuzzy Hash: 22110AB1C10228EBCB00DFD4DD89ADEBBB8FB48B04F04415AF501A7650D7B85505CF94
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • #669.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 004251CA
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 004251D5
      • __vbaStrCmp.MSVBVM60(Distriktsbladet6,00000000,?,?,?,?,?,?,?,00401746), ref: 004251E1
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 004251F3
      • #568.MSVBVM60(0000003C,?,?,?,?,?,?,?,00401746), ref: 00425200
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$#568#669FreeMove
      • String ID: Distriktsbladet6
      • API String ID: 2447501155-846783287
      • Opcode ID: 966450b06de21ed9c13c1a808149436ab6664e89ca7304e9e6358e800033aaaf
      • Instruction ID: 61cd527bcf450c51f942b67c3faaedb5405b7962db3e9bdf1a35c1bc71e14c92
      • Opcode Fuzzy Hash: 966450b06de21ed9c13c1a808149436ab6664e89ca7304e9e6358e800033aaaf
      • Instruction Fuzzy Hash: 3201A275D00614EBC700AFA4DD49AAFBBB8EB45B00F908166F942F36A0C7385945CF95
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaStrCopy.MSVBVM60 ref: 00425083
      • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 0042509C
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004250B5
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409974,000001CC), ref: 0042513C
      • __vbaFreeObj.MSVBVM60 ref: 00425145
      • __vbaFreeStr.MSVBVM60(00425167), ref: 00425160
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$Free$CheckCopyHresultNew2
      • String ID:
      • API String ID: 4138333463-0
      • Opcode ID: 36e19c643a749de4c9f98f0f26e3ef9345445dc7676fee39b65dcd88194fdefe
      • Instruction ID: a776cf2307da792f29ced093327e8248e37be5dbc0af261043c53f96bb4853c4
      • Opcode Fuzzy Hash: 36e19c643a749de4c9f98f0f26e3ef9345445dc7676fee39b65dcd88194fdefe
      • Instruction Fuzzy Hash: 7E3108B4E002149FCB04DFA9D989A9ABBF4FF49700F10C06AE509AB365D7389902CF95
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424E63
      • __vbaNew2.MSVBVM60(0040A14C,00433010,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424E7C
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424E95
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409974,000001C8), ref: 00424ED8
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424EE1
      • __vbaFreeStr.MSVBVM60(00424F02,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424EFB
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$Free$CheckCopyHresultNew2
      • String ID:
      • API String ID: 4138333463-0
      • Opcode ID: 14df62b4e661472db2697c04a30383ec9d51b0f6c21ff4f63978a15009101c4f
      • Instruction ID: e93f92d18b185c2069a199da7afe3e2a4c956638d36d99257852b577961b8e79
      • Opcode Fuzzy Hash: 14df62b4e661472db2697c04a30383ec9d51b0f6c21ff4f63978a15009101c4f
      • Instruction Fuzzy Hash: 87217174A40204DFCB04DFA9D989EAABBB8FF49301F10806AF515E72A5C7389941CF94
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 00425BD3
      • __vbaNew2.MSVBVM60(0040A14C,00433010,?,?,?,?,?,?,?,?,00401746), ref: 00425BEC
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401746), ref: 00425C05
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A04,000001AC,?,?,?,?,?,?,?,?,00401746), ref: 00425C28
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 00425C31
      • __vbaFreeStr.MSVBVM60(00425C52,?,?,?,?,?,?,?,?,00401746), ref: 00425C4B
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$Free$CheckCopyHresultNew2
      • String ID:
      • API String ID: 4138333463-0
      • Opcode ID: 756f6b035e32b18ac07c3f37c8a7dece15b309214154d09f0be6497812d20786
      • Instruction ID: 5e3db1a9c3429f9f3288b209a0862c076ad3080f2d8b6768de989c50c96a5040
      • Opcode Fuzzy Hash: 756f6b035e32b18ac07c3f37c8a7dece15b309214154d09f0be6497812d20786
      • Instruction Fuzzy Hash: BA118E74A00204EFCB04DFA5DA49EAEBBB8FF49701F104466F555E72A0D7385902CF98
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 19%
      			E004258E0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
      				char _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				char _v28;
      				intOrPtr _v32;
      				intOrPtr _v40;
      				intOrPtr* _t17;
      				intOrPtr* _t19;
      				intOrPtr* _t21;
      				void* _t24;
      				intOrPtr* _t26;
      				intOrPtr* _t36;
      				void* _t37;
      				void* _t39;
      				intOrPtr _t40;
      				intOrPtr _t41;
      
      				_t40 = _t39 - 0xc;
      				 *[fs:0x0] = _t40;
      				_t41 = _t40 - 0x24;
      				_v16 = _t41;
      				_v12 = 0x401290;
      				_v8 = 0;
      				_t17 = _a4;
      				 *((intOrPtr*)( *_t17 + 4))(_t17, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t37);
      				_t19 =  *0x433010; // 0x71fc98
      				_v28 = 0;
      				if(_t19 == 0) {
      					__imp____vbaNew2(0x40a14c, 0x433010);
      					_t19 =  *0x433010; // 0x71fc98
      				}
      				_t21 =  &_v28;
      				__imp____vbaObjSet(_t21,  *((intOrPtr*)( *_t19 + 0x358))(_t19));
      				_t26 = _t41 - 0x10;
      				 *_t26 = 0xa;
      				_t36 = _t21;
      				 *((intOrPtr*)(_t26 + 4)) = _v40;
      				 *((intOrPtr*)(_t26 + 8)) = 0x80020004;
      				 *((intOrPtr*)(_t26 + 0xc)) = _v32;
      				_t24 =  *((intOrPtr*)( *_t36 + 0x1ec))(_t36, L"Rubedity");
      				asm("fclex");
      				if(_t24 < 0) {
      					__imp____vbaHresultCheckObj(_t24, _t36, 0x409adc, 0x1ec);
      				}
      				__imp____vbaFreeObj();
      				_push(0x4259af);
      				return _t24;
      			}

      APIs
      • __vbaNew2.MSVBVM60(0040A14C,00433010,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042592D
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425946
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409ADC,000001EC), ref: 0042598E
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425997
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresultNew2
      • String ID: Rubedity
      • API String ID: 1645334062-1230464931
      • Opcode ID: 989ac7d9801ea6c6c6b649e1053860ae0993d9f268a224562a69b06ed4e314cf
      • Instruction ID: 8edafd98880e749bae474b2feedee2ec17763cbba996a59d16f38de0083cf79d
      • Opcode Fuzzy Hash: 989ac7d9801ea6c6c6b649e1053860ae0993d9f268a224562a69b06ed4e314cf
      • Instruction Fuzzy Hash: 6A2193B4A40204EFCB04DF99D989B9ABFF8FB49701F108066F545E7291C6789941CB99
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • #660.MSVBVM60(?,?,?,00000001,00000001), ref: 004248A1
      • __vbaVarTstNe.MSVBVM60(?,?), ref: 004248B9
      • __vbaFreeVarList.MSVBVM60(00000003,00000002,0000000A,?), ref: 004248CF
      • #532.MSVBVM60(RESTARTED), ref: 004248E2
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$#532#660FreeList
      • String ID: RESTARTED
      • API String ID: 675845651-3446605417
      • Opcode ID: 6b6f602c2639db14cfcaccee84e22537d62f5a5f5ad6ee7c47f007c81d70a7a4
      • Instruction ID: d30b72e28953de9f2be757b277d73411f24bdd109367d15f8962842fe040ad4f
      • Opcode Fuzzy Hash: 6b6f602c2639db14cfcaccee84e22537d62f5a5f5ad6ee7c47f007c81d70a7a4
      • Instruction Fuzzy Hash: 1C1129B5D40228EBDB00DF94DD89FDEBBB8FB48B00F50421AF505B2290D7B81548CB65
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaOnError.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425D44
      • __vbaNew2.MSVBVM60(0040A14C,00433010,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425D5D
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425D76
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A04,00000140,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425D9D
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425DAC
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$CheckErrorFreeHresultNew2
      • String ID:
      • API String ID: 3750743295-0
      • Opcode ID: b14b221676cf48712972c40fd7c865dc5584e7cbc0213bc3e250b950899d8b99
      • Instruction ID: aebd9c64966058db610805d6956d2aca9fa7e8320958a7938f1e966658d03e7a
      • Opcode Fuzzy Hash: b14b221676cf48712972c40fd7c865dc5584e7cbc0213bc3e250b950899d8b99
      • Instruction Fuzzy Hash: 75215C74A40214ABCB10DF96CA49E9EBBF8FF89701F10446AF551F72A0C77859018FA8
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424DAA
      • #546.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424DB4
      • __vbaVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424DC0
      • __vbaFreeVar.MSVBVM60(00424DF8), ref: 00424DE8
      • __vbaFreeStr.MSVBVM60 ref: 00424DF1
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$Free$#546CopyMove
      • String ID:
      • API String ID: 2278598164-0
      • Opcode ID: 7a11eb6d7ed8b28ed0475e178c5beb416b3c73dd893bc135aea1a441c7e50e83
      • Instruction ID: 48cc0dd06087de835e62770d10066453df31cd834c61ba1c00de49ae01419032
      • Opcode Fuzzy Hash: 7a11eb6d7ed8b28ed0475e178c5beb416b3c73dd893bc135aea1a441c7e50e83
      • Instruction Fuzzy Hash: 14010870D00209ABCF04DFA4DA88ADEBBB8FB08701F108426E511B6164EB386505CF68
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 19%
      			E0042D750(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
      				char _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				char _v28;
      				intOrPtr _v32;
      				intOrPtr _v36;
      				intOrPtr _v40;
      				intOrPtr _v44;
      				intOrPtr _v48;
      				intOrPtr _v56;
      				intOrPtr _v64;
      				intOrPtr _v72;
      				intOrPtr* _t31;
      				intOrPtr* _t33;
      				intOrPtr* _t35;
      				intOrPtr* _t40;
      				void* _t41;
      				intOrPtr* _t43;
      				intOrPtr* _t47;
      				intOrPtr* _t60;
      				void* _t61;
      				void* _t63;
      				intOrPtr _t64;
      				intOrPtr _t65;
      				intOrPtr* _t66;
      				intOrPtr* _t67;
      
      				_t64 = _t63 - 0xc;
      				 *[fs:0x0] = _t64;
      				_t65 = _t64 - 0x44;
      				_v16 = _t65;
      				_v12 = 0x4016a8;
      				_v8 = 0;
      				_t31 = _a4;
      				 *((intOrPtr*)( *_t31 + 4))(_t31, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t61);
      				_t33 =  *0x433010; // 0x71fc98
      				_v28 = 0;
      				if(_t33 == 0) {
      					__imp____vbaNew2(0x40a14c, 0x433010);
      					_t33 =  *0x433010; // 0x71fc98
      				}
      				_t35 =  &_v28;
      				__imp____vbaObjSet(_t35,  *((intOrPtr*)( *_t33 + 0x3b4))(_t33));
      				_t66 = _t65 - 0x10;
      				_t60 = _t35;
      				_t43 = _t66;
      				 *_t43 = 0xa;
      				_v44 = 0xa;
      				 *((intOrPtr*)(_t43 + 4)) = _v72;
      				 *((intOrPtr*)(_t43 + 8)) = 0x80020004;
      				 *((intOrPtr*)(_t43 + 0xc)) = _v64;
      				_t67 = _t66 - 0x10;
      				_t47 = _t67;
      				 *_t47 = 0xa;
      				 *((intOrPtr*)(_t47 + 4)) = _v56;
      				 *((intOrPtr*)(_t47 + 8)) = 0x80020004;
      				_v36 = 0x80020004;
      				 *((intOrPtr*)(_t47 + 0xc)) = _v48;
      				_t40 = _t67 - 0x10;
      				 *_t40 = _v44;
      				 *((intOrPtr*)(_t40 + 4)) = _v40;
      				 *((intOrPtr*)(_t40 + 8)) = _v36;
      				 *((intOrPtr*)(_t40 + 0xc)) = _v32;
      				_t41 =  *((intOrPtr*)( *_t60 + 0x1d0))(_t60, 0x46e36000);
      				asm("fclex");
      				if(_t41 < 0) {
      					__imp____vbaHresultCheckObj(_t41, _t60, 0x409b10, 0x1d0);
      				}
      				__imp____vbaFreeObj();
      				asm("wait");
      				_push(0x42d85f);
      				return _t41;
      			}

      APIs
      • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 0042D79D
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0042D7B6
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409B10,000001D0), ref: 0042D83D
      • __vbaFreeObj.MSVBVM60 ref: 0042D846
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresultNew2
      • String ID:
      • API String ID: 1645334062-0
      • Opcode ID: 7318501d0b8fdda0203af5e902a68bcf169e8258f1a52df0951113e99549986f
      • Instruction ID: 70f56478985c9cd3eb8c434365a541da73a9ac384ad3b08b42247f68221efb92
      • Opcode Fuzzy Hash: 7318501d0b8fdda0203af5e902a68bcf169e8258f1a52df0951113e99549986f
      • Instruction Fuzzy Hash: 14311AB4E002049FCB04DFA8D985A9ABBF8FF48700F20C46AE409AB355D7399801CF94
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaNew2.MSVBVM60(0040A14C,00433010,?,?,?,?,?,?,?,?,00401746), ref: 0042DC80
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401746), ref: 0042DC99
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A04,000001A8,?,?,?,?,?,?,?,?,00401746), ref: 0042DCBC
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 0042DCC5
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresultNew2
      • String ID:
      • API String ID: 1645334062-0
      • Opcode ID: 3d57fab9576f8edc24bb3d88d15002d814a24de4e89215d3f0bad1a7daa73ffa
      • Instruction ID: 64216d29a521869ad124ed06d40b43ff42c95b0837524ed37390eafe3a59424f
      • Opcode Fuzzy Hash: 3d57fab9576f8edc24bb3d88d15002d814a24de4e89215d3f0bad1a7daa73ffa
      • Instruction Fuzzy Hash: 11114FB4E40204ABC700DF96DD49B9ABBBCFF59701F604426F551E72A0C7785941CA99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 18%
      			E00425AB0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
      				char _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				char _v28;
      				char _v32;
      				intOrPtr* _t14;
      				intOrPtr* _t16;
      				intOrPtr* _t18;
      				void* _t19;
      				intOrPtr* _t28;
      				void* _t29;
      				void* _t31;
      				intOrPtr _t32;
      
      				_t32 = _t31 - 0xc;
      				 *[fs:0x0] = _t32;
      				_v16 = _t32 - 0x18;
      				_v12 = 0x4012b0;
      				_v8 = 0;
      				_t14 = _a4;
      				 *((intOrPtr*)( *_t14 + 4))(_t14, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t29);
      				_t16 =  *0x433010; // 0x71fc98
      				_v28 = 0;
      				_v32 = 0;
      				if(_t16 == 0) {
      					__imp____vbaNew2(0x40a14c, 0x433010);
      					_t16 =  *0x433010; // 0x71fc98
      				}
      				_t18 =  &_v32;
      				__imp____vbaObjSet(_t18,  *((intOrPtr*)( *_t16 + 0x378))(_t16));
      				_t28 = _t18;
      				_t19 =  *((intOrPtr*)( *_t28 + 0x21c))(_t28);
      				asm("fclex");
      				if(_t19 < 0) {
      					__imp____vbaHresultCheckObj(_t19, _t28, 0x409954, 0x21c);
      				}
      				__imp____vbaFreeObj();
      				_v28 = 0x4c22e;
      				_push(0x425b64);
      				return _t19;
      			}

















      APIs
      • __vbaNew2.MSVBVM60(0040A14C,00433010,?,?,?,?,?,?,?,?,00401746), ref: 00425B00
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401746), ref: 00425B19
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409954,0000021C,?,?,?,?,?,?,?,?,00401746), ref: 00425B3C
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 00425B45
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresultNew2
      • String ID:
      • API String ID: 1645334062-0
      • Opcode ID: c0adb74df300532787617fb9f7d3334b1765759aff83d8e8979fb064e4e6de2c
      • Instruction ID: 42bfde65fcf0389ef10ed57bcc65d986bcef6efdfb101c90a025bbd7737f0359
      • Opcode Fuzzy Hash: c0adb74df300532787617fb9f7d3334b1765759aff83d8e8979fb064e4e6de2c
      • Instruction Fuzzy Hash: C0119EB8E40604ABC710DFA5DA89F9AFFB8FF58701F204466F551E72A1C77859018B98
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 17%
      			E004253C0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
      				char _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				char _v28;
      				intOrPtr* _t12;
      				intOrPtr* _t14;
      				intOrPtr* _t16;
      				void* _t17;
      				intOrPtr* _t26;
      				void* _t27;
      				void* _t29;
      				intOrPtr _t30;
      
      				_t30 = _t29 - 0xc;
      				 *[fs:0x0] = _t30;
      				_v16 = _t30 - 0x14;
      				_v12 = 0x401250;
      				_v8 = 0;
      				_t12 = _a4;
      				 *((intOrPtr*)( *_t12 + 4))(_t12, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t27);
      				_t14 =  *0x433010; // 0x71fc98
      				_v28 = 0;
      				if(_t14 == 0) {
      					__imp____vbaNew2(0x40a14c, 0x433010);
      					_t14 =  *0x433010; // 0x71fc98
      				}
      				_t16 =  &_v28;
      				__imp____vbaObjSet(_t16,  *((intOrPtr*)( *_t14 + 0x338))(_t14));
      				_t26 = _t16;
      				_t17 =  *((intOrPtr*)( *_t26 + 0x1ac))(_t26);
      				asm("fclex");
      				if(_t17 < 0) {
      					__imp____vbaHresultCheckObj(_t17, _t26, 0x409a04, 0x1ac);
      				}
      				__imp____vbaFreeObj();
      				_push(0x42546a);
      				return _t17;
      			}
















      APIs
      • __vbaNew2.MSVBVM60(0040A14C,00433010,?,?,?,?,?,?,?,00401746), ref: 0042540D
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401746), ref: 00425426
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A04,000001AC,?,?,?,?,?,?,?,00401746), ref: 00425449
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 00425452
      Memory Dump Source
      • Source File: 00000000.00000002.754425016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.754277267.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.755474724.0000000000433000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.755514879.0000000000435000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresultNew2
      • String ID:
      • API String ID: 1645334062-0
      • Opcode ID: 15066cf2bc776ccd6f280a9b0d227e33fa94bddf631f485540b6e2bf07da5dc4
      • Instruction ID: 76f6a4e4ac2d6c6b8d4e0d48d8693851c14c2989a070a5c6ca1b50774761b537
      • Opcode Fuzzy Hash: 15066cf2bc776ccd6f280a9b0d227e33fa94bddf631f485540b6e2bf07da5dc4
      • Instruction Fuzzy Hash: 2A117C74A40604ABC700EFA5DD89B9ABBB8FB49701F104466F542E72A1C77899418AA9
      Uniqueness

      Uniqueness Score: -1.00%