Windows Analysis Report VZghv7yI7g.exe

Overview

General Information

Sample Name: VZghv7yI7g.exe
Analysis ID: 450819
MD5: 73bb5c4b690b8d6df88d6bc18fb3a553
SHA1: 60adddd91b6038fc9d819cf6d647ce3be0b11d38
SHA256: a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • VZghv7yI7g.exe (PID: 6992 cmdline: 'C:\Users\user\Desktop\VZghv7yI7g.exe' MD5: 73BB5C4B690B8D6DF88D6BC18FB3A553)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: VZghv7yI7g.exe, Virustotal: Detection: 29%
Source: VZghv7yI7g.exe, ReversingLabs: Detection: 13%
Source: VZghv7yI7g.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\VZghv7yI7g.exe, Process Stats: CPU usage > 98%
Source: VZghv7yI7g.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: VZghv7yI7g.exe, 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameIndtr8.exe vs VZghv7yI7g.exe
Source: VZghv7yI7g.exe, 00000000.00000002.826092877.0000000002920000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs VZghv7yI7g.exe
Source: VZghv7yI7g.exe, Binary or memory string: OriginalFilenameIndtr8.exe vs VZghv7yI7g.exe
Source: classification engine, Classification label: mal60.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\VZghv7yI7g.exe, File created: C:\Users\user\AppData\Local\Temp\~DFEB0EEF351A7A5910.TMP
Source: VZghv7yI7g.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\VZghv7yI7g.exe, Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\VZghv7yI7g.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\VZghv7yI7g.exe, Code function: 0_2_0040C06E push 00000000h; retf 0_2_0040C0B0
Source: C:\Users\user\Desktop\VZghv7yI7g.exe, Code function: 0_2_00406625 push ebp; iretd 0_2_0040662F
Source: C:\Users\user\Desktop\VZghv7yI7g.exe, Code function: 0_2_02A8E73F push edi; ret 0_2_02A8E741
Source: C:\Users\user\Desktop\VZghv7yI7g.exe, Code function: 0_2_02A8D1F3 push FFFFFFB9h; retf 0_2_02A8D1F5
Source: C:\Users\user\Desktop\VZghv7yI7g.exe, Code function: 0_2_02A8D1CB push FFFFFFB9h; retf 0_2_02A8D1CD
Source: C:\Users\user\Desktop\VZghv7yI7g.exe, Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\VZghv7yI7g.exe, RDTSC instruction interceptor: First address: 0000000002A8E352 second address: 0000000002A8E352 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\VZghv7yI7g.exe, RDTSC instruction interceptor: First address: 0000000002A8E352 second address: 0000000002A8E352 instructions:
Source: C:\Users\user\Desktop\VZghv7yI7g.exe, Code function: 0_2_02A8CEAA rdtsc 0_2_02A8CEAA
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\VZghv7yI7g.exe, Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\VZghv7yI7g.exe, Code function: 0_2_02A8CEAA rdtsc 0_2_02A8CEAA
Source: C:\Users\user\Desktop\VZghv7yI7g.exe, Code function: 0_2_02A8C5DB mov eax, dword ptr fs:[00000030h] 0_2_02A8C5DB
Source: C:\Users\user\Desktop\VZghv7yI7g.exe, Code function: 0_2_02A8C563 mov eax, dword ptr fs:[00000030h] 0_2_02A8C563
Source: C:\Users\user\Desktop\VZghv7yI7g.exe, Code function: 0_2_02A8C567 mov eax, dword ptr fs:[00000030h] 0_2_02A8C567
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\VZghv7yI7g.exe, Code function: 0_2_02A8CD39 cpuid 0_2_02A8CD39

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Virtualization/Sandbox Evasion 11 | OS Credential Dumping | Security Software Discovery 31 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information 1 | LSASS Memory | Virtualization/Sandbox Evasion 11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | System Information Discovery 211 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
VZghv7yI7g.exe | 30% | Virustotal |
VZghv7yI7g.exe | 13% | ReversingLabs | Win32.Backdoor.Remcos

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 450819
Start date: 19.07.2021
Start time: 18:43:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 18s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: VZghv7yI7g.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Suspected Instruction Hammering Hide Perf
Number of analysed new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal60.evad.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 60.9% (good quality ratio 25.5%)
  • Quality average: 22.8%
  • Quality standard deviation: 31.7%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.2221702126738
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.15%
  • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: VZghv7yI7g.exe
File size: 241664
MD5: 73bb5c4b690b8d6df88d6bc18fb3a553
SHA1: 60adddd91b6038fc9d819cf6d647ce3be0b11d38
SHA256: a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66
SHA512: 9c023dc66d9bcfb2f5bc0274001d92948ac058fc8765d2178907dfd8fb9885ede57acc3836d583ad97516dce1a97c50f081800b41a1f42ea938efb8b23e87567
SSDEEP: 3072:+3BepJlZa/xao5JKwI7V4R4iUW/qcijw2HJlZapGBR:EiUIo5JKPgU99vHP
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...WS.N................. ...................0....@................

File Icon

Icon Hash: f8fcd4ccf4e4e8d0

Static PE Info

General

Entrypoint: 0x4019b0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x4EA15357 [Fri Oct 21 11:11:19 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: e9f7dd0da1a2a1266893e1ae4ef42b67

Entrypoint Preview

Instruction
push 00408AA0h
call 00007F93148FE125h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
outsd
mul byte ptr [ebx+3Fh]
dec esi
outsb
and al, 41h
mov bl, 08h
popad
pop ds
test al, CEh
xchg eax, esi
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc edx
add byte ptr [esi], al
push eax
add dword ptr [ecx], 56h
jne 00007F93148FE1A4h
cmp dword ptr fs:[eax], eax
add al, byte ptr [eax]
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
xor esp, esp
push cs
xchg eax, edx
test eax, 48C3D75Ah
mov gs, bx
test al, CAh
xor esp, esp
xor al, 88h
jecxz 00007F93148FE15Ah
scasb
and dword ptr [edi-40B94528h], 28h
cmp dword ptr [edx-38D0AA14h], edi
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
out 6Fh, eax
add byte ptr [eax], al
lea ebp, dword ptr [eax+00h]
add byte ptr [eax], al
add al, 00h
jnc 00007F93148FE19Ah
add byte ptr [41000401h], cl
jc 00007F93148FE199h
jne 00007F93148FE132h
sbb dword ptr [ecx], eax
add byte ptr [edx+00h], al
and al, byte ptr [ecx]
and ecx, dword ptr [esi+68h]
add byte ptr [eax], al
insb

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x32234 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x35000 | 0x6d0a | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1a4 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x318a4 | 0x32000 | False | 0.39177734375 | data | 6.3764832494 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x33000 | 0x1290 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x35000 | 0x6d0a | 0x7000 | False | 0.481689453125 | data | 5.46300019784 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x3ae62 | 0xea8 | data | |
RT_ICON | 0x3a5ba | 0x8a8 | data | |
RT_ICON | 0x39ef2 | 0x6c8 | data | |
RT_ICON | 0x3998a | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x373e2 | 0x25a8 | dBase III DBT, version number 0, next free block index 40 | |
RT_ICON | 0x3633a | 0x10a8 | data | |
RT_ICON | 0x359b2 | 0x988 | data | |
RT_ICON | 0x3554a | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x354d4 | 0x76 | data | |
RT_VERSION | 0x35240 | 0x294 | data | English | United States

Imports

DLL | Import
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaCyStr, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, __vbaDateVar, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description | Data
Translation | 0x0409 0x04b0
LegalCopyright | Socialbakers
InternalName | Indtr8
FileVersion | 1.00
CompanyName | Socialbakers
LegalTrademarks | Socialbakers
ProductName | Vurd9
ProductVersion | 1.00
OriginalFilename | Indtr8.exe

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

No network behavior found

Code Manipulations

System Behavior

General

Start time: 18:44:02
Start date: 19/07/2021
Path: C:\Users\user\Desktop\VZghv7yI7g.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\VZghv7yI7g.exe'
Imagebase: 0x400000
File size: 241664 bytes
MD5 hash: 73BB5C4B690B8D6DF88D6BC18FB3A553
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Reputation: low

Disassembly

Code Analysis

    Execution Graph

    Execution Coverage: 2%
    Dynamic/Decrypted Code Coverage: 14%
    Signature Coverage: 6.3%
    Total number of Nodes: 271
    Total number of Limit Nodes: 11

    Executed Functions

    APIs
    • MessageBoxA.USER32 ref: 02A8C43A
    • TerminateProcess.KERNELBASE(FEF26C0F), ref: 02A8C4CB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID: MessageProcessTerminate
    • String ID: }l"
    • API String ID: 638435245-1801363258
    • Opcode ID: c0c1371e75c0c4eb2be54967499c36de73620895459e52f20f45b668775828e7
    • Instruction ID: 12ea6ade686a68867f0d0d7e048f8527c33d14c90fa606fd2f9c368e49ed5c91
    • Opcode Fuzzy Hash: c0c1371e75c0c4eb2be54967499c36de73620895459e52f20f45b668775828e7
    • Instruction Fuzzy Hash: A52102306093868FDFA8AE7499A57EB77B2EF02350F42401FCD8A96111DB350685CE12
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • #607.MSVBVM60(?,000000FF,?), ref: 00431F02
    • __vbaStrVarMove.MSVBVM60(?), ref: 00431F0C
    • __vbaStrMove.MSVBVM60 ref: 00431F1D
    • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00431F29
    • __vbaLenBstr.MSVBVM60(?), ref: 00431F36
    • __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00431F45
    • __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00431F56
    • __vbaSetSystemError.MSVBVM60(00000000,?,00000000), ref: 00431F62
    • __vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 00431F6D
    • __vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 00431F7B
    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 00431F8B
    • #537.MSVBVM60(00000000,?,00000001), ref: 00431F9B
    • __vbaStrMove.MSVBVM60 ref: 00431FA6
    • __vbaInStr.MSVBVM60(00000000,00000000), ref: 00431FAA
    • __vbaFreeStr.MSVBVM60 ref: 00431FBF
    • #537.MSVBVM60(00000000,?,00000001), ref: 00431FD2
    • __vbaStrMove.MSVBVM60 ref: 00431FDD
    • __vbaInStr.MSVBVM60(00000000,00000000), ref: 00431FE1
    • #616.MSVBVM60(?,-00000001), ref: 00431FF5
    • __vbaStrMove.MSVBVM60 ref: 00432000
    • __vbaFreeStr.MSVBVM60 ref: 00432005
    • __vbaStrCat.MSVBVM60(00409DE8), ref: 00432019
    • __vbaStrMove.MSVBVM60 ref: 00432020
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 00432027
    • __vbaStrMove.MSVBVM60 ref: 0043202E
    • __vbaFreeStr.MSVBVM60 ref: 00432033
    • __vbaErrorOverflow.MSVBVM60 ref: 0043209B
    • __vbaNew2.MSVBVM60(004099E4,004333CC), ref: 00432111
    • __vbaHresultCheckObj.MSVBVM60(00000000,0297E9C4,004099D4,00000014), ref: 0043213C
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00409AAC,00000110), ref: 0043216A
    • __vbaStrMove.MSVBVM60 ref: 00432179
    • __vbaFreeObj.MSVBVM60 ref: 00432182
    • #598.MSVBVM60 ref: 00432188
    • __vbaStrCopy.MSVBVM60 ref: 00432196
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$Move$Free$#537AnsiCheckErrorHresultListUnicode$#598#607#616BstrCopyNew2OverflowSystem
    • String ID: USERNAME$t C
    • API String ID: 840069314-3777059254
    • Opcode ID: a3b342e919a1a8fd3be96d1848f7520cde65d15482966a36ab44b11bbf525f84
    • Instruction ID: 0fd07a5d85aa539f9dcc35f6e74ce1594001623a02bd67e862191e9ac8a6b72a
    • Opcode Fuzzy Hash: a3b342e919a1a8fd3be96d1848f7520cde65d15482966a36ab44b11bbf525f84
    • Instruction Fuzzy Hash: 2091FF75900209AFDB04DFA5DD89DEFBBB8FF48700F10812AF606A72A1DB785945CB64
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • __vbaNew2.MSVBVM60(004099E4,004333CC), ref: 00432111
    • __vbaHresultCheckObj.MSVBVM60(00000000,0297E9C4,004099D4,00000014), ref: 0043213C
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00409AAC,00000110), ref: 0043216A
    • __vbaStrMove.MSVBVM60 ref: 00432179
    • __vbaFreeObj.MSVBVM60 ref: 00432182
    • #598.MSVBVM60 ref: 00432188
    • __vbaStrCopy.MSVBVM60 ref: 00432196
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401730,00409170,0000074C), ref: 004321BD
    • __vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 004321C9
    • __vbaFreeStr.MSVBVM60(00432207), ref: 00432200
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult$#598CopyListMoveNew2
    • String ID: USERNAME$t C
    • API String ID: 3664798572-3777059254
    • Opcode ID: 858f92683e44d0dc6cc16bfa29d9c46ee83fc77c8eccd6d67cfc9bcc3fa9043b
    • Instruction ID: 18268ceef7ea8d5db972a31579656051c38a42b16de85e26249653c6171c7fb3
    • Opcode Fuzzy Hash: 858f92683e44d0dc6cc16bfa29d9c46ee83fc77c8eccd6d67cfc9bcc3fa9043b
    • Instruction Fuzzy Hash: A8312171900205ABCB04DF95CE89EEEBBB8FF4C704F10802AF615B72A1D7789945CB69
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: #100
    • String ID: VB5!6&*
    • API String ID: 1341478452-3593831657
    • Opcode ID: 2fb44b72d09ffa27c32171e0fc52d0d431592fcaf87a363624572772ce90319e
    • Instruction ID: ad801f70b52ee9f0e04a4ebe2be78aa6aa79ec8a422af9bdad6e4a896755102e
    • Opcode Fuzzy Hash: 2fb44b72d09ffa27c32171e0fc52d0d431592fcaf87a363624572772ce90319e
    • Instruction Fuzzy Hash: 945194A258E3C25FD7038BB488651827FB0AE1326430B85EBC4C0DF4B3E2694D5AD776
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • MessageBoxA.USER32 ref: 02A8C43A
    • TerminateProcess.KERNELBASE(FEF26C0F), ref: 02A8C4CB
    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID: MessageProcessTerminate
    • String ID:
    • API String ID: 638435245-0
    • Opcode ID: 1104f2b87edbe06212549aaf9335c0fc60a3c5c1f2504024de6504119d7a537c
    • Instruction ID: 71c76a66a9b90e58dd04fced8b42b03a215bd45d71b6f1c01d6d3c7a4694b408
    • Opcode Fuzzy Hash: 1104f2b87edbe06212549aaf9335c0fc60a3c5c1f2504024de6504119d7a537c
    • Instruction Fuzzy Hash: 714125328883854ACF1CBF35929A3A977A3FF42634F05648FD89647062CF355284CE7A
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • TerminateProcess.KERNELBASE(FEF26C0F), ref: 02A8C4CB
    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID: ProcessTerminate
    • String ID:
    • API String ID: 560597551-0
    • Opcode ID: 974e7ede5296b5660af7651036e87fd1e502acba16f0f76fc9f04f3ee8c6542f
    • Instruction ID: 1ee7d3965bed905d23f4edabd8de4d1c1ee54d7f5214bdc07713e908795ebcc6
    • Opcode Fuzzy Hash: 974e7ede5296b5660af7651036e87fd1e502acba16f0f76fc9f04f3ee8c6542f
    • Instruction Fuzzy Hash: 5FF05E709803496ADF287D76998ABF92363BB05E31F0199439E1E170459E7A13E48E3A
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID: VP\
    • API String ID: 0-1961738816
    • Opcode ID: 4d5c258f2dd478084ddb09f5bd9c44f55891ba5d8c6c77b04a3bfcbacd4fa83d
    • Instruction ID: 031da2b3b9f1b9b10da949ba3aa4ebd23d0c3bb1cbcf93a6ff8e3a2db3319dc9
    • Opcode Fuzzy Hash: 4d5c258f2dd478084ddb09f5bd9c44f55891ba5d8c6c77b04a3bfcbacd4fa83d
    • Instruction Fuzzy Hash: BE0268716483858EDF25AF38C8A87D67BA35F13370F89829BCC994F196D7358145CB22
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID: VP\
    • API String ID: 0-1961738816
    • Opcode ID: ae550bfa664e127c511bc1040c9bb78f51758a26c7df27274ba55ff234bcf0da
    • Instruction ID: 8dfbd331f06f616aff1c8be11d3f7f07dc35cc4cc348fac2cf5f6056f482d4ca
    • Opcode Fuzzy Hash: ae550bfa664e127c511bc1040c9bb78f51758a26c7df27274ba55ff234bcf0da
    • Instruction Fuzzy Hash: 8DF178716083858EDB25EF38C8A87D67BA35F13370F8982AACCD94F196D7358545CB22
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID: VP\
    • API String ID: 0-1961738816
    • Opcode ID: b3725a10b904f13755f30532e8b2017032da6e0018237e5705d17ab0bbd67c45
    • Instruction ID: 407bf0226f1d394d7f3c0ea4acef273e5102d47b139dc2d09a8de389dd22e38a
    • Opcode Fuzzy Hash: b3725a10b904f13755f30532e8b2017032da6e0018237e5705d17ab0bbd67c45
    • Instruction Fuzzy Hash: 8BF136716083868EDB25AF3888A87D67BA35F13260F89829ACCD94F196D7358545CB12
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID: VP\
    • API String ID: 0-1961738816
    • Opcode ID: a42ab56047daf9073013e796891c344e56b16e61a56b45463527d5c99e2eb9c9
    • Instruction ID: 79c32ec31d4e9e5efc661886e584d5699af366aa417f79be374870fbc7892db7
    • Opcode Fuzzy Hash: a42ab56047daf9073013e796891c344e56b16e61a56b45463527d5c99e2eb9c9
    • Instruction Fuzzy Hash: F9E155616083C58EDB36AF38C8A87D67BA25F13270F89829ACCD94F197D7358545CB22
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID: VP\
    • API String ID: 0-1961738816
    • Opcode ID: 380289ea8f84b054e152c759fc88f4b0a9b60657cfd90ad5bf0663a0ab31e752
    • Instruction ID: 272da437dfba24f02e850c749c60a109e7826d8b247d46fa8aa56acdec89302e
    • Opcode Fuzzy Hash: 380289ea8f84b054e152c759fc88f4b0a9b60657cfd90ad5bf0663a0ab31e752
    • Instruction Fuzzy Hash: B9E156715083C58EDB36AF3889A83DA7BA35F13270F8982AACCD94F197D7354145CB26
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID: VP\
    • API String ID: 0-1961738816
    • Opcode ID: b25a534f5b9214c2817e7620e6382805fae853fed1ab59ab2ba3402608c1874a
    • Instruction ID: 39e58794778b680cd064844a41d0e96f79fad67ee479e763a8e7a7ced3007256
    • Opcode Fuzzy Hash: b25a534f5b9214c2817e7620e6382805fae853fed1ab59ab2ba3402608c1874a
    • Instruction Fuzzy Hash: 7BC113616083C68EDB329F3888A83DA6FA25F13270F89829ACCD94F1D7D7754546C726
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID: VP\
    • API String ID: 0-1961738816
    • Opcode ID: 2da94bdcd89fbcae93bda9b060fc782d60619ea4fad40c09f4a60303b47df5a8
    • Instruction ID: 73a0cb10c99b441900e67f2af83730ad3a53c03ec0f7b0141d55dc45d05092c5
    • Opcode Fuzzy Hash: 2da94bdcd89fbcae93bda9b060fc782d60619ea4fad40c09f4a60303b47df5a8
    • Instruction Fuzzy Hash: 63C126215483C68EDF35AF3888A87DA7BA39F13270F89829ACCD94F197D7354145CB26
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID: VP\
    • API String ID: 0-1961738816
    • Opcode ID: 5ec51e70e2b36b8aa4d0caca0e51567a3e2a3ab54cc2030c596ca127eda93005
    • Instruction ID: d3961edf6348f893fc50140b73ebd5b4e23d80fd4f4e95ad705b830a7c611f9e
    • Opcode Fuzzy Hash: 5ec51e70e2b36b8aa4d0caca0e51567a3e2a3ab54cc2030c596ca127eda93005
    • Instruction Fuzzy Hash: 26C148315483C58ACF35EF3889A93DA7BA39F13270F8882AACCC94F196D7354145CB26
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID: %zON
    • API String ID: 0-155931339
    • Opcode ID: c577a2ef2c583530dbdff264c8412ded062f077bad9651234135bbd75d98bdaa
    • Instruction ID: 17b998ed1745720bafc19810a98d2f522eb4a4226ae500c0ddaf49af9826ab80
    • Opcode Fuzzy Hash: c577a2ef2c583530dbdff264c8412ded062f077bad9651234135bbd75d98bdaa
    • Instruction Fuzzy Hash: 56A1B171A44746CFDF35AE388AE43EA37A3AF56350F95422BDC4A9B284DB308985C741
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID: VP\
    • API String ID: 0-1961738816
    • Opcode ID: 2c6a1d27dd513809076cd936d568b28e341f823f1c9d5525a9e882b3d926fcf8
    • Instruction ID: 6981da0e8d50f73e2b4109fa2821af30201aabba4d632274729e6688912673e6
    • Opcode Fuzzy Hash: 2c6a1d27dd513809076cd936d568b28e341f823f1c9d5525a9e882b3d926fcf8
    • Instruction Fuzzy Hash: 14A128756083C58ADF35DF3888A83DA7BA39F13260F8982AACCC94F196D7354545CB26
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID: %zON
    • API String ID: 0-155931339
    • Opcode ID: dc228dc4d0276c36d89be8373c20e4bd16cc821adb96a77cae6338412e17be2f
    • Instruction ID: ca3a77bc5dad9af4064eff052f788eef0fb108246a9650598d2b4d3240b4aa18
    • Opcode Fuzzy Hash: dc228dc4d0276c36d89be8373c20e4bd16cc821adb96a77cae6338412e17be2f
    • Instruction Fuzzy Hash: E991AF71A44746CFDF35AE38C9E43EA3363AF56350F95422BDC4A9B284DB308946C746
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID: %zON
    • API String ID: 0-155931339
    • Opcode ID: 2463f4bfb8a384ecd21ffa25c46958cebeaae82997f994568e85fdd3a50c5fa3
    • Instruction ID: c345907b55166aa8c2d880092a5ec45e1942ccfa8cf7e1582adcaf955240631d
    • Opcode Fuzzy Hash: 2463f4bfb8a384ecd21ffa25c46958cebeaae82997f994568e85fdd3a50c5fa3
    • Instruction Fuzzy Hash: 20918071A44746CFDF35AE38C9A43DA3363AF56350F85426BDC4A9B284DB30C946CB46
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID: %zON
    • API String ID: 0-155931339
    • Opcode ID: 56aa99add52aa84526c28ec2b0e379e95999a39d4d48f43f1bb94b0e2960a343
    • Instruction ID: b2e51aa7e49ecd90d29c0182d6a32f3228a61ccba490f8378b1780109d7f29bc
    • Opcode Fuzzy Hash: 56aa99add52aa84526c28ec2b0e379e95999a39d4d48f43f1bb94b0e2960a343
    • Instruction Fuzzy Hash: E8819D71A44746CFDF35AE38CAA43DA33A3AF56350F85426BDC4A9B244DB30C985CB46
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID: %zON
    • API String ID: 0-155931339
    • Opcode ID: ea3cb688e5a8a9f64d500e4409b376189da565c60a4276f4ba690f3c4eba0cb4
    • Instruction ID: bd3d704a8966c69558d14facd19274967d278133cb9070a7660ba37608ad23d9
    • Opcode Fuzzy Hash: ea3cb688e5a8a9f64d500e4409b376189da565c60a4276f4ba690f3c4eba0cb4
    • Instruction Fuzzy Hash: 7781BD71A44746CFDF35AE38CAA43DA37A3AF56350FC5426BDC4A9B244DB308981CB42
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID: %zON
    • API String ID: 0-155931339
    • Opcode ID: ded65f571beeb144b28ea19604bb1f53ee8ea1e81cfd96d4f97a3ede8451d8ce
    • Instruction ID: 07ab64864df11200d032d76297ead4ad5fdd5d1c59680d1fae70ccc8f15b5609
    • Opcode Fuzzy Hash: ded65f571beeb144b28ea19604bb1f53ee8ea1e81cfd96d4f97a3ede8451d8ce
    • Instruction Fuzzy Hash: 5381BD71A40746CFDF35AE38CAA43DA33A3AF56350F95422BDC499B244DB308982CB46
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID: VP\
    • API String ID: 0-1961738816
    • Opcode ID: 346f72f716024ae4e3204f67710f03b574956fa03ff1e76c30fa81441fecd629
    • Instruction ID: f93e83633467cec2de74add0858bb7887d0b1c3030ce4e5bc69cbd192a57079d
    • Opcode Fuzzy Hash: 346f72f716024ae4e3204f67710f03b574956fa03ff1e76c30fa81441fecd629
    • Instruction Fuzzy Hash: 85912B755043D68ACF35EF3889E83DA7BA29F13360F8882AACCD94F186D7354545CB22
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 185096e82220389d440197759049318995404c5f3eb2576f04f255bb6df4cd8b
    • Instruction ID: 992d4d05e47c6351acade839198ce7097935a98e3cce3de93b14edbbf24b760f
    • Opcode Fuzzy Hash: 185096e82220389d440197759049318995404c5f3eb2576f04f255bb6df4cd8b
    • Instruction Fuzzy Hash: E5716D6404E3D15FE7039B7489A5196BFB0AE0724475E40EFC8C4CF0E3D2286D5AD76A
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2a7098fb7f5412e11688d64c6d654ae6a51271bdadcfea09ffed7bec019c023c
    • Instruction ID: 5998a52ee2ecf7a5dfd28aa5a62a667da32e3addb8cbe46e667e72bb41fe9811
    • Opcode Fuzzy Hash: 2a7098fb7f5412e11688d64c6d654ae6a51271bdadcfea09ffed7bec019c023c
    • Instruction Fuzzy Hash: CF61AB71A44706CFDF35AE388AA03DA77A39F56310FC5426BDC49AB254DB30C986CB46
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ba324c6cc56897e63da32e43aad982e7fea6845164c174aac7891ad6e49c0c91
    • Instruction ID: 6fecb00b3c4ad7e989f0a898c4f9877bfcfa3c254059791abbd997bdd18c31f2
    • Opcode Fuzzy Hash: ba324c6cc56897e63da32e43aad982e7fea6845164c174aac7891ad6e49c0c91
    • Instruction Fuzzy Hash: 11613F759043D68ADF35EF3889E83DB7BA29F16360F88826ACCD94F189D7314541CB22
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: bd7bfb45d90703d887922e1799159278ace097ec3ed8e09e09e8dbc9abb4ff92
    • Instruction ID: 872d5893828d650679fad2a3ad2cadb485ba74560c91231c3c384c632d4dff6d
    • Opcode Fuzzy Hash: bd7bfb45d90703d887922e1799159278ace097ec3ed8e09e09e8dbc9abb4ff92
    • Instruction Fuzzy Hash: CE5139355483869FDF35AE3489A43EA7B63AF52320F84846FC8C60B589DB304586CF27
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d8ec10d83222d57c6161704f9dda4a454bc37d590b78802ca0f717e306b7e1a5
    • Instruction ID: 2863f832faf1dee4a0ed1ab5c69c248e1958247e07c0b9fc891588b08a1c63ac
    • Opcode Fuzzy Hash: d8ec10d83222d57c6161704f9dda4a454bc37d590b78802ca0f717e306b7e1a5
    • Instruction Fuzzy Hash: D4515D75A0439A8ACF35EF3889E43EA77A39F56360FC9C16ACC894F149E7314545CB22
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9682196b1a9a67b4e2f32787c594c5b0373292ed9a2b153ee093c0e59ceaa2bc
    • Instruction ID: 7a86b8228b4d55542d67d89c734ca4cb3ad197b60da2e9753ab123296e36572b
    • Opcode Fuzzy Hash: 9682196b1a9a67b4e2f32787c594c5b0373292ed9a2b153ee093c0e59ceaa2bc
    • Instruction Fuzzy Hash: C3513C75A043968ACF35EF3889B43EA3BA39F56360F88816BCCCA4F145E7314545CB22
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6570d4340dae8b7278590176ce7b71bb3589fafd31e7a355d479c9be10ccca46
    • Instruction ID: ddd18a5e9625aa0cc1e71985cd2b7abca96f818966e7db7ce574737ceab8ca72
    • Opcode Fuzzy Hash: 6570d4340dae8b7278590176ce7b71bb3589fafd31e7a355d479c9be10ccca46
    • Instruction Fuzzy Hash: AE516771A44305CFDF35AE24CAA43DA73A39F66310FD6826BDC45AB248DB30C986C746
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b18f4e48aa8d9dca0b448ee2ca05da661aecc8bc0f36a9f2bbd0223fa0c90e7b
    • Instruction ID: 1bd3fd2792f7969ff18f3a6a0f24d5639916d3fee5de7a8fa3a704b654a35d78
    • Opcode Fuzzy Hash: b18f4e48aa8d9dca0b448ee2ca05da661aecc8bc0f36a9f2bbd0223fa0c90e7b
    • Instruction Fuzzy Hash: FC4128355082869FDF34AE748DA83EA7BA3DF56310FC4816ACCCA4B289D7304586CF12
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e13132ad9eb2b2fd064b282c9b74c8968ae2e54ace0d4313421733df9e5ddff1
    • Instruction ID: dfac29d2202084583bec32365487f1adbdc7886006c93ab4722c5aeb5f9ed714
    • Opcode Fuzzy Hash: e13132ad9eb2b2fd064b282c9b74c8968ae2e54ace0d4313421733df9e5ddff1
    • Instruction Fuzzy Hash: 153124351082869BDF34AA749CA83EBBB63DF55360F85812AC8C74B189DB30058ACB12
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 16492d7607dcf67557cbb3845277381e400d91ba56cb2b878af44ad1a401b499
    • Instruction ID: f283632d07a19ed306d169618eb576d11fe558d20095b55fff31085a7597f2a2
    • Opcode Fuzzy Hash: 16492d7607dcf67557cbb3845277381e400d91ba56cb2b878af44ad1a401b499
    • Instruction Fuzzy Hash: 74316831A49305CFDF39AF2086B43DA3353AF16320FD6816BDC4A6B204DB308A85C746
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.826151264.0000000002A8C000.00000040.00000001.sdmp, Offset: 02A8C000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2a8c000_VZghv7yI7g.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fffc01bc4ab247598dc2b81ab3b6a9029fc819213efb50d575d47ce9e27c4a31
    • Instruction ID: 5a573ba40119d066aacdd74966d2de3eddc233d778416acd59f15f1409394879
    • Opcode Fuzzy Hash: fffc01bc4ab247598dc2b81ab3b6a9029fc819213efb50d575d47ce9e27c4a31
    • Instruction Fuzzy Hash: 63314672A443458EDF28BE348A907DA7B73AFA1620F48846BCC4A1B109E63496458F66
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • #527.MSVBVM60(00409D58), ref: 0042D064
    • __vbaStrMove.MSVBVM60 ref: 0042D06F
    • __vbaStrCmp.MSVBVM60(00409D60,00000000), ref: 0042D07B
    • __vbaFreeStr.MSVBVM60 ref: 0042D08E
    • __vbaNew2.MSVBVM60(004099E4,004333CC), ref: 0042D0AF
    • __vbaHresultCheckObj.MSVBVM60(00000000,0297E9C4,004099D4,00000014), ref: 0042D0DA
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00409AAC,000000B8), ref: 0042D108
    • __vbaFreeObj.MSVBVM60 ref: 0042D10D
    • __vbaNew2.MSVBVM60(004099E4,004333CC), ref: 0042D125
    • __vbaHresultCheckObj.MSVBVM60(00000000,0297E9C4,004099D4,00000014), ref: 0042D14A
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00409AAC,00000110), ref: 0042D170
    • __vbaStrMove.MSVBVM60 ref: 0042D17B
    • __vbaFreeObj.MSVBVM60 ref: 0042D184
    • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 0042D19D
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0042D1BC
    • __vbaFreeStr.MSVBVM60(0042D3B3), ref: 0042D3AC
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult$New2$Move$#527
    • String ID:
    • API String ID: 487870899-0
    • Opcode ID: ed5b95a907725d5e5d85eed6ae036352f52c7a607ee42a1811b1e5d38ade5951
    • Instruction ID: 92f7f0afaf7bc07c64b2733a2fa2e68ed615c7a18529395273badbd0e8724bfd
    • Opcode Fuzzy Hash: ed5b95a907725d5e5d85eed6ae036352f52c7a607ee42a1811b1e5d38ade5951
    • Instruction Fuzzy Hash: 65A18E75A00218ABCB14DFA5DD49FEEBBB8FF48701F10406AF541B72A1DB789905CB68
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 0042DD7B
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0042DD94
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409954,00000150), ref: 0042DDC1
    • __vbaStrToAnsi.MSVBVM60(?,?,008039A4), ref: 0042DDD8
    • __vbaSetSystemError.MSVBVM60(003989DE,00000000), ref: 0042DDEC
    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042DE0E
    • __vbaFreeObj.MSVBVM60 ref: 0042DE1A
    • #702.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0042DE43
    • __vbaStrMove.MSVBVM60 ref: 0042DE4E
    • __vbaFreeVar.MSVBVM60 ref: 0042DE5D
    • __vbaNew2.MSVBVM60(004099E4,004333CC), ref: 0042DE72
    • __vbaHresultCheckObj.MSVBVM60(00000000,0297E9C4,004099D4,00000014), ref: 0042DE97
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00409AAC,00000118), ref: 0042DEBD
    • __vbaI2I4.MSVBVM60 ref: 0042DEC2
    • __vbaFreeObj.MSVBVM60 ref: 0042DECB
    • __vbaVarDup.MSVBVM60 ref: 0042DEE5
    • #666.MSVBVM60(?,00000002), ref: 0042DEF3
    • __vbaVarMove.MSVBVM60 ref: 0042DEFF
    • __vbaFreeVar.MSVBVM60 ref: 0042DF08
    • __vbaFreeVar.MSVBVM60(0042DF5B), ref: 0042DF4B
    • __vbaFreeStr.MSVBVM60 ref: 0042DF54
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$Free$CheckHresult$MoveNew2$#666#702AnsiErrorListSystem
    • String ID: HENRIVENDE$zS
    • API String ID: 309366762-2729703279
    • Opcode ID: 216e54dbeaf471ba5b17d8cac72228c7cd8614cad387034a75f263e2b6876084
    • Instruction ID: 3e14bf423051b26a42ba2d0effce5ddad7d42201ab6809a6a67660b805aab55e
    • Opcode Fuzzy Hash: 216e54dbeaf471ba5b17d8cac72228c7cd8614cad387034a75f263e2b6876084
    • Instruction Fuzzy Hash: 275149B1900219ABCB04DFA5DD88EDEBBB8FF48705F10412AF516BB2A0DB745945CB68
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • __vbaCyStr.MSVBVM60(00409AC0,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D5D8
    • __vbaFpCmpCy.MSVBVM60(00000000), ref: 0042D5E6
    • __vbaNew2.MSVBVM60(004099E4,004333CC), ref: 0042D606
    • __vbaHresultCheckObj.MSVBVM60(00000000,0297E9C4,004099D4,00000014), ref: 0042D631
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00409AAC,00000130), ref: 0042D65F
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D670
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D675
    • __vbaNew2.MSVBVM60(004099E4,004333CC), ref: 0042D68E
    • __vbaHresultCheckObj.MSVBVM60(00000000,0297E9C4,004099D4,00000014), ref: 0042D6B3
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00409AAC,000000D0), ref: 0042D6D9
    • __vbaStrMove.MSVBVM60 ref: 0042D6E8
    • __vbaFreeObj.MSVBVM60 ref: 0042D6ED
    • #531.MSVBVM60(kantatens), ref: 0042D6F8
    • __vbaFreeStr.MSVBVM60(0042D72A), ref: 0042D722
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D727
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult$MoveNew2$#531
    • String ID: kantatens
    • API String ID: 1829431787-1394988495
    • Opcode ID: 414f5a4bf40c4a587bffe813d154f81d700dcda894200565b30c0b3f8284b3cd
    • Instruction ID: 268b9603d49f8c2ef21a02505bbce2dda6b3253113ac13d7225f482d9f4950ea
    • Opcode Fuzzy Hash: 414f5a4bf40c4a587bffe813d154f81d700dcda894200565b30c0b3f8284b3cd
    • Instruction Fuzzy Hash: 1A414570A00219AFCB04DF95DD89EDEBBB8FF48704F10406AE505B72A1D7789905CFA8
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • __vbaStrCopy.MSVBVM60 ref: 004254F9
    • #515.MSVBVM60(?,?,00000002), ref: 00425516
    • __vbaVarTstNe.MSVBVM60(?,?), ref: 00425532
    • __vbaFreeVar.MSVBVM60 ref: 0042553E
    • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 0042556F
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00425588
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A48,000000C0), ref: 004255B2
    • __vbaLateMemCall.MSVBVM60(?,bJwKrGImpGgg9mRQCArwzZIt8,00000003), ref: 00425621
    • __vbaFreeObj.MSVBVM60 ref: 0042562D
    • __vbaFreeObj.MSVBVM60(00425671), ref: 00425661
    • __vbaFreeStr.MSVBVM60 ref: 0042566A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$Free$#515CallCheckCopyHresultLateNew2
    • String ID: Kricketbold2$bJwKrGImpGgg9mRQCArwzZIt8$var
    • API String ID: 3144308283-2350849782
    • Opcode ID: c6dedcd5aced9654c1b7c320c669f933d9882481dd532e55ad32b74f70e2c0c5
    • Instruction ID: 5bf5bcfe2e29984776ee71421b15d1d75e55c59fa0ceca583787bb4a02caaa91
    • Opcode Fuzzy Hash: c6dedcd5aced9654c1b7c320c669f933d9882481dd532e55ad32b74f70e2c0c5
    • Instruction Fuzzy Hash: 195148B4E10218DFCB14DF98DA48A9DFBB8FF48B00F10816AE509BB294D7785A45CF84
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • __vbaStrCopy.MSVBVM60 ref: 0042DA8B
    • __vbaLenBstrB.MSVBVM60(00409D90), ref: 0042DA96
    • #680.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,40490000,?,?,?), ref: 0042DADF
    • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0042DAF5
    • __vbaNew2.MSVBVM60(004099E4,004333CC), ref: 0042DB11
    • __vbaHresultCheckObj.MSVBVM60(00000000,0297E9C4,004099D4,00000014), ref: 0042DB36
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00409AAC,000000C8), ref: 0042DB63
    • __vbaFreeObj.MSVBVM60 ref: 0042DB6C
    • __vbaVarDup.MSVBVM60 ref: 0042DB98
    • #595.MSVBVM60(?,00000000,?,?,?), ref: 0042DBB0
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042DBC8
    • __vbaFreeStr.MSVBVM60(0042DC08), ref: 0042DC01
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$Free$CheckHresultList$#595#680BstrCopyNew2
    • String ID: hjrekant
    • API String ID: 4058102471-1475739938
    • Opcode ID: 95959a06098993a4faac7d9b790f2a6ac580e100fe50f20baf233002aa7f2173
    • Instruction ID: fc690ee695db8f231962780ffe65343825b843d53d00f0c3d3a69cc7e01f37d1
    • Opcode Fuzzy Hash: 95959a06098993a4faac7d9b790f2a6ac580e100fe50f20baf233002aa7f2173
    • Instruction Fuzzy Hash: 0251E2B1D00219ABDB10DF94D889EDEBFB8BF48700F10412AF505B72A5D7B46585CBA8
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D8D5
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D8DD
    • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 0042D8F2
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0042D911
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409B10,000001C8), ref: 0042D930
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D939
    • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 0042D952
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0042D96B
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409D7C,00000100), ref: 0042D98E
    • __vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0042D99E
    • __vbaI4Var.MSVBVM60(00000000), ref: 0042D9A8
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042D9BB
    • __vbaFreeVar.MSVBVM60 ref: 0042D9C7
    • __vbaFreeStr.MSVBVM60(0042DA02), ref: 0042D9FA
    • __vbaFreeStr.MSVBVM60 ref: 0042D9FF
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$Free$CheckCopyHresultNew2$CallLateList
    • String ID:
    • API String ID: 244069345-0
    • Opcode ID: 5c39a2e577768568b9bfa8c430774f7e118b74792861e76bd2736f80affe6c9b
    • Instruction ID: 3037e0fc402dac870a1d28fe1070c936b1b5d65c79530787229ec8e5e835481f
    • Opcode Fuzzy Hash: 5c39a2e577768568b9bfa8c430774f7e118b74792861e76bd2736f80affe6c9b
    • Instruction Fuzzy Hash: 5A413CB5D00218ABCB04DF94DD89EDEBBB8FB08304F10442AF555B72A4D678A945CFA8
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 004256F5
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 004256FD
    • __vbaNew2.MSVBVM60(004099E4,004333CC), ref: 00425711
    • __vbaHresultCheckObj.MSVBVM60(00000000,0297E9C4,004099D4,00000014), ref: 0042573C
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00409AAC,00000118), ref: 0042576A
    • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042576F
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425778
    • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 00425791
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004257AA
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A48,000000C8), ref: 004257D1
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 004257DC
    • __vbaFreeStr.MSVBVM60(00425804), ref: 004257FC
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425801
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$Free$CheckHresult$CopyNew2
    • String ID:
    • API String ID: 336985134-0
    • Opcode ID: 262861fa027554f53a9023cd1df400ece65399482f6a254a919458dfeeb17009
    • Instruction ID: 00a320610a2f3e0550b02398e2007c94e90aa8d7e9ada67d49e3611233cf5d10
    • Opcode Fuzzy Hash: 262861fa027554f53a9023cd1df400ece65399482f6a254a919458dfeeb17009
    • Instruction Fuzzy Hash: 24415D74A40218EBCB04DF95DD84EEEBBB8FF98700F14802AE505B72A0C6785901CFA8
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 0042D41D
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0042D43C
    • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 0042D458
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0042D471
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A04,00000130), ref: 0042D494
    • __vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0042D4C3
    • __vbaStrVarMove.MSVBVM60(00000000), ref: 0042D4CD
    • __vbaStrMove.MSVBVM60 ref: 0042D4D8
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409964,000001EC), ref: 0042D4F8
    • __vbaFreeStr.MSVBVM60 ref: 0042D501
    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0042D515
    • __vbaFreeVar.MSVBVM60 ref: 0042D521
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$Free$CheckHresultMoveNew2$CallLateList
    • String ID:
    • API String ID: 3081447974-0
    • Opcode ID: d41607fada56a4b3720f887fbf58355d561b35123c612f0d49bfdf02f3c889a5
    • Instruction ID: 1e67fcaa09465789bc4eb783a7e738a20273f9ac9e7247e845b252cccaf01c55
    • Opcode Fuzzy Hash: d41607fada56a4b3720f887fbf58355d561b35123c612f0d49bfdf02f3c889a5
    • Instruction Fuzzy Hash: 56414DB4A00204AFDB04DFA4DD49F9EBBB8FB48701F14442AF545F7261D638A945CBA8
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • __vbaStrCopy.MSVBVM60 ref: 00424979
    • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 00424992
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004249B1
    • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 004249CD
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004249E6
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409954,000000F0), ref: 00424A09
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409964,000001EC), ref: 00424A49
    • __vbaFreeStr.MSVBVM60 ref: 00424A52
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00424A62
    • __vbaFreeStr.MSVBVM60(00424A99), ref: 00424A92
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$Free$CheckHresultNew2$CopyList
    • String ID:
    • API String ID: 4130517723-0
    • Opcode ID: 8f5ba0aae027e5ade5a35dc241098c9ecd1dea7dc7e6ebd4f45459564aea2035
    • Instruction ID: 8ab0ce02fd4ad78d60563386b133b7b716cd360f17da3511743dd23085d2e806
    • Opcode Fuzzy Hash: 8f5ba0aae027e5ade5a35dc241098c9ecd1dea7dc7e6ebd4f45459564aea2035
    • Instruction Fuzzy Hash: 314181B4A40215AFCB04DFA8DD49FAEBBB8FB48701F10406AF505F7251D7789905CBA8
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 885 425830-42589d __vbaStrCopy * 3 __vbaCyStr __vbaFpCmpCy 886 4258a7-4258c2 __vbaFreeStr * 3 885->886 887 42589f-4258a1 #569 885->887 887->886
    APIs
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 00425870
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 00425878
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 00425880
    • __vbaCyStr.MSVBVM60(00409AC0,?,?,?,?,?,?,?,00401746), ref: 00425887
    • __vbaFpCmpCy.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00401746), ref: 00425895
    • #569.MSVBVM60(0000002F,?,?,?,?,?,?,?,?,00401746), ref: 004258A1
    • __vbaFreeStr.MSVBVM60(004258C3,?,?,?,?,?,?,?,?,00401746), ref: 004258B6
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 004258BB
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 004258C0
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$CopyFree$#569
    • String ID:
    • API String ID: 3911904416-0
    • Opcode ID: 5edaf88591391681e2145a8739ccb91f35755f997f98929e0ecf3979915413c6
    • Instruction ID: d6ef5a4df48c5f6f6e330365a7503caf813aa0cdbaaf88e781f996121f92ec88
    • Opcode Fuzzy Hash: 5edaf88591391681e2145a8739ccb91f35755f997f98929e0ecf3979915413c6
    • Instruction Fuzzy Hash: 86111B70D0025EDBCB00EFA4EE45AEEBBB8EF48700F10416AA505B31A4DB746A45CFE5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 00424C24
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00424C3D
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409974,000001CC), ref: 00424CC4
    • __vbaFreeObj.MSVBVM60 ref: 00424CD3
    • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 00424CE8
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00424D01
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409954,000001C8), ref: 00424D28
    • __vbaFreeObj.MSVBVM60 ref: 00424D37
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresultNew2
    • String ID:
    • API String ID: 1645334062-0
    • Opcode ID: 82f292988a600778a974090e1fa1679200118610c53313007266a650490cac74
    • Instruction ID: d1ecdfbbf56c062021e6928b3cd5bc998c80f1fdfa5d5ae707005e099290dd8c
    • Opcode Fuzzy Hash: 82f292988a600778a974090e1fa1679200118610c53313007266a650490cac74
    • Instruction Fuzzy Hash: CF4160B4A012049FCB08DFA9D989A9ABBF4FF4C701F10846AE505EB365D7389901CFA4
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • #672.MSVBVM60(00000000,40080000,00000000,3FF00000,00000000,3FF00000,00000000,3FF00000), ref: 004252A1
    • __vbaFpR8.MSVBVM60 ref: 004252A7
    • __vbaNew2.MSVBVM60(004099E4,004333CC), ref: 004252D0
    • __vbaHresultCheckObj.MSVBVM60(00000000,0297E9C4,004099D4,0000001C), ref: 004252F5
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004099F4,0000005C), ref: 00425339
    • __vbaStrMove.MSVBVM60 ref: 0042534C
    • __vbaFreeObj.MSVBVM60 ref: 00425355
    • __vbaFreeStr.MSVBVM60(0042538E), ref: 00425387
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult$#672MoveNew2
    • String ID:
    • API String ID: 2213023555-0
    • Opcode ID: d03bc499453449d9573a4e8ef43a5397d45b3028cbeedebbf62b4f665515c7fc
    • Instruction ID: a290a1b5633ba569a80f4364f7eb58ab6e41390aae3439afe5c06b49b155ed99
    • Opcode Fuzzy Hash: d03bc499453449d9573a4e8ef43a5397d45b3028cbeedebbf62b4f665515c7fc
    • Instruction Fuzzy Hash: 24314EB0900609ABCB10DF95DD88B9EBBB8FF48740F20805AE905B72A4C7785941CFA9
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaNew2.MSVBVM60(0040A14C,00433010,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431D94
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431DB3
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409974,000001C8), ref: 00431DF2
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431E01
    • __vbaNew2.MSVBVM60(0040A14C,00433010,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431E16
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431E2F
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A04,00000088), ref: 00431E52
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431E61
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresultNew2
    • String ID:
    • API String ID: 1645334062-0
    • Opcode ID: 2f3f9f7953b95640d5d1df3913257cee278f01467711dc498cf2c8fcb9e06386
    • Instruction ID: 116ad077078038e6493d67b0fe859829927b69f7f06258b5196f1853de7dd26e
    • Opcode Fuzzy Hash: 2f3f9f7953b95640d5d1df3913257cee278f01467711dc498cf2c8fcb9e06386
    • Instruction Fuzzy Hash: AE316274A40304ABCB14DFA9C989F9ABBB8FF4C701F108529F545E73A5D7389901CBA9
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424B0C
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424B14
    • __vbaNew2.MSVBVM60(0040A14C,00433010,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424B29
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424B42
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409954,00000220), ref: 00424B85
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424B8E
    • __vbaFreeStr.MSVBVM60(00424BB6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424BAE
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424BB3
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$Free$Copy$CheckHresultNew2
    • String ID:
    • API String ID: 1874231197-0
    • Opcode ID: b3de2741a884ba66c6e0dc536366742fc49d0bd61385298be0de65dd2914f2d8
    • Instruction ID: 5322bd1987205389bf6d946a79716689a0e8260190b249c2e899f9ee9d0b38b0
    • Opcode Fuzzy Hash: b3de2741a884ba66c6e0dc536366742fc49d0bd61385298be0de65dd2914f2d8
    • Instruction Fuzzy Hash: 6F215175E00219DFCB04DFA9D989A9EBFB8FF4C300F10816AE515A72A5C778A941CF94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 20%
    			E00424F30(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
    				char _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				char _v28;
    				char _v32;
    				intOrPtr _v36;
    				intOrPtr _v44;
    				intOrPtr* _t19;
    				intOrPtr* _t21;
    				intOrPtr* _t23;
    				void* _t26;
    				intOrPtr* _t28;
    				intOrPtr* _t38;
    				void* _t39;
    				void* _t41;
    				intOrPtr _t42;
    				intOrPtr _t43;
    
    				_t42 = _t41 - 0xc;
    				 *[fs:0x0] = _t42;
    				_t43 = _t42 - 0x28;
    				_v16 = _t43;
    				_v12 = 0x401208;
    				_v8 = 0;
    				_t19 = _a4;
    				 *((intOrPtr*)( *_t19 + 4))(_t19, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t39);
    				_t21 =  *0x433010; // 0x5cfe18
    				_v28 = 0;
    				_v32 = 0;
    				if(_t21 == 0) {
    					__imp____vbaNew2(0x40a14c, 0x433010);
    					_t21 =  *0x433010; // 0x5cfe18
    				}
    				_t23 =  &_v32;
    				__imp____vbaObjSet(_t23,  *((intOrPtr*)( *_t21 + 0x354))(_t21));
    				_t28 = _t43 - 0x10;
    				 *_t28 = 0xa;
    				_t38 = _t23;
    				 *((intOrPtr*)(_t28 + 4)) = _v44;
    				 *((intOrPtr*)(_t28 + 8)) = 0x80020004;
    				 *((intOrPtr*)(_t28 + 0xc)) = _v36;
    				_t26 =  *((intOrPtr*)( *_t38 + 0x1ec))(_t38, L"PHACOCELE");
    				asm("fclex");
    				if(_t26 < 0) {
    					__imp____vbaHresultCheckObj(_t26, _t38, 0x409964, 0x1ec);
    				}
    				__imp____vbaFreeObj();
    				_v28 = 0x2be5;
    				_push(0x425009);
    				return _t26;
    			}

    APIs
    • __vbaNew2.MSVBVM60(0040A14C,00433010,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424F80
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424F99
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409964,000001EC), ref: 00424FE1
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424FEA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresultNew2
    • String ID: PHACOCELE$+
    • API String ID: 1645334062-1228347243
    • Opcode ID: 12b9ce720c898f97ba00850c8f5fb71147afbdd739971cbbb8621d5f4e07d0e8
    • Instruction ID: d59e37c62d2e5d766b26790879dabc63d50207eaaf69630922185673f52cbc59
    • Opcode Fuzzy Hash: 12b9ce720c898f97ba00850c8f5fb71147afbdd739971cbbb8621d5f4e07d0e8
    • Instruction Fuzzy Hash: 972180B4A00304ABCB04DF99DD89B9ABBB8FB49701F10856AF505E7291C3789901CB94
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaVarDup.MSVBVM60 ref: 00425A27
    • #687.MSVBVM60(?,?), ref: 00425A35
    • __vbaDateVar.MSVBVM60(?), ref: 00425A3F
    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00425A51
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$#687DateFreeList
    • String ID: 7-7-7$Lu
    • API String ID: 3303533072-1249225327
    • Opcode ID: facbad71416659fbb2e9bc7a4ffa1e8d0139a3acc9ad01944beeb1cc8f9dcaa8
    • Instruction ID: 8ca2dbe8ab4f1f5649ded12f3ea8614846f4dd31889bb755d75bc59398dcdd18
    • Opcode Fuzzy Hash: facbad71416659fbb2e9bc7a4ffa1e8d0139a3acc9ad01944beeb1cc8f9dcaa8
    • Instruction Fuzzy Hash: 22110AB1C10228EBCB00DFD4DD89ADEBBB8FB48B04F04415AF501A7650D7B85505CF94
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • #669.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 004251CA
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 004251D5
    • __vbaStrCmp.MSVBVM60(Distriktsbladet6,00000000,?,?,?,?,?,?,?,00401746), ref: 004251E1
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 004251F3
    • #568.MSVBVM60(0000003C,?,?,?,?,?,?,?,00401746), ref: 00425200
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$#568#669FreeMove
    • String ID: Distriktsbladet6
    • API String ID: 2447501155-846783287
    • Opcode ID: 966450b06de21ed9c13c1a808149436ab6664e89ca7304e9e6358e800033aaaf
    • Instruction ID: 61cd527bcf450c51f942b67c3faaedb5405b7962db3e9bdf1a35c1bc71e14c92
    • Opcode Fuzzy Hash: 966450b06de21ed9c13c1a808149436ab6664e89ca7304e9e6358e800033aaaf
    • Instruction Fuzzy Hash: 3201A275D00614EBC700AFA4DD49AAFBBB8EB45B00F908166F942F36A0C7385945CF95
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaStrCopy.MSVBVM60 ref: 00425083
    • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 0042509C
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004250B5
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409974,000001CC), ref: 0042513C
    • __vbaFreeObj.MSVBVM60 ref: 00425145
    • __vbaFreeStr.MSVBVM60(00425167), ref: 00425160
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$Free$CheckCopyHresultNew2
    • String ID:
    • API String ID: 4138333463-0
    • Opcode ID: 36e19c643a749de4c9f98f0f26e3ef9345445dc7676fee39b65dcd88194fdefe
    • Instruction ID: a776cf2307da792f29ced093327e8248e37be5dbc0af261043c53f96bb4853c4
    • Opcode Fuzzy Hash: 36e19c643a749de4c9f98f0f26e3ef9345445dc7676fee39b65dcd88194fdefe
    • Instruction Fuzzy Hash: 7E3108B4E002149FCB04DFA9D989A9ABBF4FF49700F10C06AE509AB365D7389902CF95
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424E63
    • __vbaNew2.MSVBVM60(0040A14C,00433010,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424E7C
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424E95
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409974,000001C8), ref: 00424ED8
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424EE1
    • __vbaFreeStr.MSVBVM60(00424F02,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424EFB
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$Free$CheckCopyHresultNew2
    • String ID:
    • API String ID: 4138333463-0
    • Opcode ID: 14df62b4e661472db2697c04a30383ec9d51b0f6c21ff4f63978a15009101c4f
    • Instruction ID: e93f92d18b185c2069a199da7afe3e2a4c956638d36d99257852b577961b8e79
    • Opcode Fuzzy Hash: 14df62b4e661472db2697c04a30383ec9d51b0f6c21ff4f63978a15009101c4f
    • Instruction Fuzzy Hash: 87217174A40204DFCB04DFA9D989EAABBB8FF49301F10806AF515E72A5C7389941CF94
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 00425BD3
    • __vbaNew2.MSVBVM60(0040A14C,00433010,?,?,?,?,?,?,?,?,00401746), ref: 00425BEC
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401746), ref: 00425C05
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A04,000001AC,?,?,?,?,?,?,?,?,00401746), ref: 00425C28
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 00425C31
    • __vbaFreeStr.MSVBVM60(00425C52,?,?,?,?,?,?,?,?,00401746), ref: 00425C4B
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$Free$CheckCopyHresultNew2
    • String ID:
    • API String ID: 4138333463-0
    • Opcode ID: 756f6b035e32b18ac07c3f37c8a7dece15b309214154d09f0be6497812d20786
    • Instruction ID: 5e3db1a9c3429f9f3288b209a0862c076ad3080f2d8b6768de989c50c96a5040
    • Opcode Fuzzy Hash: 756f6b035e32b18ac07c3f37c8a7dece15b309214154d09f0be6497812d20786
    • Instruction Fuzzy Hash: BA118E74A00204EFCB04DFA5DA49EAEBBB8FF49701F104466F555E72A0D7385902CF98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 19%
    			E004258E0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
    				char _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				char _v28;
    				intOrPtr _v32;
    				intOrPtr _v40;
    				intOrPtr* _t17;
    				intOrPtr* _t19;
    				intOrPtr* _t21;
    				void* _t24;
    				intOrPtr* _t26;
    				intOrPtr* _t36;
    				void* _t37;
    				void* _t39;
    				intOrPtr _t40;
    				intOrPtr _t41;
    
    				_t40 = _t39 - 0xc;
    				 *[fs:0x0] = _t40;
    				_t41 = _t40 - 0x24;
    				_v16 = _t41;
    				_v12 = 0x401290;
    				_v8 = 0;
    				_t17 = _a4;
    				 *((intOrPtr*)( *_t17 + 4))(_t17, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t37);
    				_t19 =  *0x433010; // 0x5cfe18
    				_v28 = 0;
    				if(_t19 == 0) {
    					__imp____vbaNew2(0x40a14c, 0x433010);
    					_t19 =  *0x433010; // 0x5cfe18
    				}
    				_t21 =  &_v28;
    				__imp____vbaObjSet(_t21,  *((intOrPtr*)( *_t19 + 0x358))(_t19));
    				_t26 = _t41 - 0x10;
    				 *_t26 = 0xa;
    				_t36 = _t21;
    				 *((intOrPtr*)(_t26 + 4)) = _v40;
    				 *((intOrPtr*)(_t26 + 8)) = 0x80020004;
    				 *((intOrPtr*)(_t26 + 0xc)) = _v32;
    				_t24 =  *((intOrPtr*)( *_t36 + 0x1ec))(_t36, L"Rubedity");
    				asm("fclex");
    				if(_t24 < 0) {
    					__imp____vbaHresultCheckObj(_t24, _t36, 0x409adc, 0x1ec);
    				}
    				__imp____vbaFreeObj();
    				_push(0x4259af);
    				return _t24;
    			}

    APIs
    • __vbaNew2.MSVBVM60(0040A14C,00433010,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042592D
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425946
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409ADC,000001EC), ref: 0042598E
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425997
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresultNew2
    • String ID: Rubedity
    • API String ID: 1645334062-1230464931
    • Opcode ID: 989ac7d9801ea6c6c6b649e1053860ae0993d9f268a224562a69b06ed4e314cf
    • Instruction ID: 8edafd98880e749bae474b2feedee2ec17763cbba996a59d16f38de0083cf79d
    • Opcode Fuzzy Hash: 989ac7d9801ea6c6c6b649e1053860ae0993d9f268a224562a69b06ed4e314cf
    • Instruction Fuzzy Hash: 6A2193B4A40204EFCB04DF99D989B9ABFF8FB49701F108066F545E7291C6789941CB99
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • #660.MSVBVM60(?,?,?,00000001,00000001), ref: 004248A1
    • __vbaVarTstNe.MSVBVM60(?,?), ref: 004248B9
    • __vbaFreeVarList.MSVBVM60(00000003,00000002,0000000A,?), ref: 004248CF
    • #532.MSVBVM60(RESTARTED), ref: 004248E2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$#532#660FreeList
    • String ID: RESTARTED
    • API String ID: 675845651-3446605417
    • Opcode ID: 6b6f602c2639db14cfcaccee84e22537d62f5a5f5ad6ee7c47f007c81d70a7a4
    • Instruction ID: d30b72e28953de9f2be757b277d73411f24bdd109367d15f8962842fe040ad4f
    • Opcode Fuzzy Hash: 6b6f602c2639db14cfcaccee84e22537d62f5a5f5ad6ee7c47f007c81d70a7a4
    • Instruction Fuzzy Hash: 1C1129B5D40228EBDB00DF94DD89FDEBBB8FB48B00F50421AF505B2290D7B81548CB65
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaOnError.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425D44
    • __vbaNew2.MSVBVM60(0040A14C,00433010,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425D5D
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425D76
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A04,00000140,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425D9D
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425DAC
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$CheckErrorFreeHresultNew2
    • String ID:
    • API String ID: 3750743295-0
    • Opcode ID: b14b221676cf48712972c40fd7c865dc5584e7cbc0213bc3e250b950899d8b99
    • Instruction ID: aebd9c64966058db610805d6956d2aca9fa7e8320958a7938f1e966658d03e7a
    • Opcode Fuzzy Hash: b14b221676cf48712972c40fd7c865dc5584e7cbc0213bc3e250b950899d8b99
    • Instruction Fuzzy Hash: 75215C74A40214ABCB10DF96CA49E9EBBF8FF89701F10446AF551F72A0C77859018FA8
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424DAA
    • #546.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424DB4
    • __vbaVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424DC0
    • __vbaFreeVar.MSVBVM60(00424DF8), ref: 00424DE8
    • __vbaFreeStr.MSVBVM60 ref: 00424DF1
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$Free$#546CopyMove
    • String ID:
    • API String ID: 2278598164-0
    • Opcode ID: 7a11eb6d7ed8b28ed0475e178c5beb416b3c73dd893bc135aea1a441c7e50e83
    • Instruction ID: 48cc0dd06087de835e62770d10066453df31cd834c61ba1c00de49ae01419032
    • Opcode Fuzzy Hash: 7a11eb6d7ed8b28ed0475e178c5beb416b3c73dd893bc135aea1a441c7e50e83
    • Instruction Fuzzy Hash: 14010870D00209ABCF04DFA4DA88ADEBBB8FB08701F108426E511B6164EB386505CF68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 19%
    			E0042D750(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
    				char _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				char _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v56;
    				intOrPtr _v64;
    				intOrPtr _v72;
    				intOrPtr* _t31;
    				intOrPtr* _t33;
    				intOrPtr* _t35;
    				intOrPtr* _t40;
    				void* _t41;
    				intOrPtr* _t43;
    				intOrPtr* _t47;
    				intOrPtr* _t60;
    				void* _t61;
    				void* _t63;
    				intOrPtr _t64;
    				intOrPtr _t65;
    				intOrPtr* _t66;
    				intOrPtr* _t67;
    
    				_t64 = _t63 - 0xc;
    				 *[fs:0x0] = _t64;
    				_t65 = _t64 - 0x44;
    				_v16 = _t65;
    				_v12 = 0x4016a8;
    				_v8 = 0;
    				_t31 = _a4;
    				 *((intOrPtr*)( *_t31 + 4))(_t31, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t61);
    				_t33 =  *0x433010; // 0x5cfe18
    				_v28 = 0;
    				if(_t33 == 0) {
    					__imp____vbaNew2(0x40a14c, 0x433010);
    					_t33 =  *0x433010; // 0x5cfe18
    				}
    				_t35 =  &_v28;
    				__imp____vbaObjSet(_t35,  *((intOrPtr*)( *_t33 + 0x3b4))(_t33));
    				_t66 = _t65 - 0x10;
    				_t60 = _t35;
    				_t43 = _t66;
    				 *_t43 = 0xa;
    				_v44 = 0xa;
    				 *((intOrPtr*)(_t43 + 4)) = _v72;
    				 *((intOrPtr*)(_t43 + 8)) = 0x80020004;
    				 *((intOrPtr*)(_t43 + 0xc)) = _v64;
    				_t67 = _t66 - 0x10;
    				_t47 = _t67;
    				 *_t47 = 0xa;
    				 *((intOrPtr*)(_t47 + 4)) = _v56;
    				 *((intOrPtr*)(_t47 + 8)) = 0x80020004;
    				_v36 = 0x80020004;
    				 *((intOrPtr*)(_t47 + 0xc)) = _v48;
    				_t40 = _t67 - 0x10;
    				 *_t40 = _v44;
    				 *((intOrPtr*)(_t40 + 4)) = _v40;
    				 *((intOrPtr*)(_t40 + 8)) = _v36;
    				 *((intOrPtr*)(_t40 + 0xc)) = _v32;
    				_t41 =  *((intOrPtr*)( *_t60 + 0x1d0))(_t60, 0x46e36000);
    				asm("fclex");
    				if(_t41 < 0) {
    					__imp____vbaHresultCheckObj(_t41, _t60, 0x409b10, 0x1d0);
    				}
    				__imp____vbaFreeObj();
    				asm("wait");
    				_push(0x42d85f);
    				return _t41;
    			}

    APIs
    • __vbaNew2.MSVBVM60(0040A14C,00433010), ref: 0042D79D
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0042D7B6
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409B10,000001D0), ref: 0042D83D
    • __vbaFreeObj.MSVBVM60 ref: 0042D846
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresultNew2
    • String ID:
    • API String ID: 1645334062-0
    • Opcode ID: 7318501d0b8fdda0203af5e902a68bcf169e8258f1a52df0951113e99549986f
    • Instruction ID: 70f56478985c9cd3eb8c434365a541da73a9ac384ad3b08b42247f68221efb92
    • Opcode Fuzzy Hash: 7318501d0b8fdda0203af5e902a68bcf169e8258f1a52df0951113e99549986f
    • Instruction Fuzzy Hash: 14311AB4E002049FCB04DFA8D985A9ABBF8FF48700F20C46AE409AB355D7399801CF94
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaNew2.MSVBVM60(0040A14C,00433010,?,?,?,?,?,?,?,?,00401746), ref: 0042DC80
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401746), ref: 0042DC99
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A04,000001A8,?,?,?,?,?,?,?,?,00401746), ref: 0042DCBC
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 0042DCC5
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresultNew2
    • String ID:
    • API String ID: 1645334062-0
    • Opcode ID: 3d57fab9576f8edc24bb3d88d15002d814a24de4e89215d3f0bad1a7daa73ffa
    • Instruction ID: 64216d29a521869ad124ed06d40b43ff42c95b0837524ed37390eafe3a59424f
    • Opcode Fuzzy Hash: 3d57fab9576f8edc24bb3d88d15002d814a24de4e89215d3f0bad1a7daa73ffa
    • Instruction Fuzzy Hash: 11114FB4E40204ABC700DF96DD49B9ABBBCFF59701F604426F551E72A0C7785941CA99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 18%
    			E00425AB0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
    				char _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				char _v28;
    				char _v32;
    				intOrPtr* _t14;
    				intOrPtr* _t16;
    				intOrPtr* _t18;
    				void* _t19;
    				intOrPtr* _t28;
    				void* _t29;
    				void* _t31;
    				intOrPtr _t32;
    
    				_t32 = _t31 - 0xc;
    				 *[fs:0x0] = _t32;
    				_v16 = _t32 - 0x18;
    				_v12 = 0x4012b0;
    				_v8 = 0;
    				_t14 = _a4;
    				 *((intOrPtr*)( *_t14 + 4))(_t14, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t29);
    				_t16 =  *0x433010; // 0x5cfe18
    				_v28 = 0;
    				_v32 = 0;
    				if(_t16 == 0) {
    					__imp____vbaNew2(0x40a14c, 0x433010);
    					_t16 =  *0x433010; // 0x5cfe18
    				}
    				_t18 =  &_v32;
    				__imp____vbaObjSet(_t18,  *((intOrPtr*)( *_t16 + 0x378))(_t16));
    				_t28 = _t18;
    				_t19 =  *((intOrPtr*)( *_t28 + 0x21c))(_t28);
    				asm("fclex");
    				if(_t19 < 0) {
    					__imp____vbaHresultCheckObj(_t19, _t28, 0x409954, 0x21c);
    				}
    				__imp____vbaFreeObj();
    				_v28 = 0x4c22e;
    				_push(0x425b64);
    				return _t19;
    			}

    APIs
    • __vbaNew2.MSVBVM60(0040A14C,00433010,?,?,?,?,?,?,?,?,00401746), ref: 00425B00
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401746), ref: 00425B19
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409954,0000021C,?,?,?,?,?,?,?,?,00401746), ref: 00425B3C
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 00425B45
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresultNew2
    • String ID:
    • API String ID: 1645334062-0
    • Opcode ID: c0adb74df300532787617fb9f7d3334b1765759aff83d8e8979fb064e4e6de2c
    • Instruction ID: 42bfde65fcf0389ef10ed57bcc65d986bcef6efdfb101c90a025bbd7737f0359
    • Opcode Fuzzy Hash: c0adb74df300532787617fb9f7d3334b1765759aff83d8e8979fb064e4e6de2c
    • Instruction Fuzzy Hash: C0119EB8E40604ABC710DFA5DA89F9AFFB8FF58701F204466F551E72A1C77859018B98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 17%
    			E004253C0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
    				char _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				char _v28;
    				intOrPtr* _t12;
    				intOrPtr* _t14;
    				intOrPtr* _t16;
    				void* _t17;
    				intOrPtr* _t26;
    				void* _t27;
    				void* _t29;
    				intOrPtr _t30;
    
    				_t30 = _t29 - 0xc;
    				 *[fs:0x0] = _t30;
    				_v16 = _t30 - 0x14;
    				_v12 = 0x401250;
    				_v8 = 0;
    				_t12 = _a4;
    				 *((intOrPtr*)( *_t12 + 4))(_t12, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t27);
    				_t14 =  *0x433010; // 0x5cfe18
    				_v28 = 0;
    				if(_t14 == 0) {
    					__imp____vbaNew2(0x40a14c, 0x433010);
    					_t14 =  *0x433010; // 0x5cfe18
    				}
    				_t16 =  &_v28;
    				__imp____vbaObjSet(_t16,  *((intOrPtr*)( *_t14 + 0x338))(_t14));
    				_t26 = _t16;
    				_t17 =  *((intOrPtr*)( *_t26 + 0x1ac))(_t26);
    				asm("fclex");
    				if(_t17 < 0) {
    					__imp____vbaHresultCheckObj(_t17, _t26, 0x409a04, 0x1ac);
    				}
    				__imp____vbaFreeObj();
    				_push(0x42546a);
    				return _t17;
    			}

    APIs
    • __vbaNew2.MSVBVM60(0040A14C,00433010,?,?,?,?,?,?,?,00401746), ref: 0042540D
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401746), ref: 00425426
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A04,000001AC,?,?,?,?,?,?,?,00401746), ref: 00425449
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 00425452
    Memory Dump Source
    • Source File: 00000000.00000002.824841593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.824834909.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.824878790.0000000000433000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.824891384.0000000000435000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_VZghv7yI7g.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresultNew2
    • String ID:
    • API String ID: 1645334062-0
    • Opcode ID: 15066cf2bc776ccd6f280a9b0d227e33fa94bddf631f485540b6e2bf07da5dc4
    • Instruction ID: 76f6a4e4ac2d6c6b8d4e0d48d8693851c14c2989a070a5c6ca1b50774761b537
    • Opcode Fuzzy Hash: 15066cf2bc776ccd6f280a9b0d227e33fa94bddf631f485540b6e2bf07da5dc4
    • Instruction Fuzzy Hash: 2A117C74A40604ABC700EFA5DD89B9ABBB8FB49701F104466F542E72A1C77899418AA9
    Uniqueness

    Uniqueness Score: -1.00%