Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Purchase Order AB013058.PDF.exe

Overview

General Information

Sample name:Purchase Order AB013058.PDF.exe
Analysis ID:1562343
MD5:117e72c314048bfd7264c1b83c1a9931
SHA1:a7a9d25a085f5e5a0ced2d86e798ab1bae6194c0
SHA256:bf1e5ff2ad400cc092cceafd720b1f0b9ae0a7391335d2445c65c78d0393e048
Tags:DarkCloudexeuser-threatcat_ch
Infos:

Detection

DarkCloud, PureLog Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Yara detected DarkCloud
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses an obfuscated file name to hide its real file extension (double extension)
Writes or reads registry keys via WMI
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Purchase Order AB013058.PDF.exe (PID: 7716 cmdline: "C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe" MD5: 117E72C314048BFD7264C1B83C1A9931)
    • Purchase Order AB013058.PDF.exe (PID: 7928 cmdline: "C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe" MD5: 117E72C314048BFD7264C1B83C1A9931)
      • WmiPrvSE.exe (PID: 8040 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 64ACA4F48771A5BA50CD50F2410632AD)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
DarkCloud StealerStealer is written in Visual Basic.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud

Malware Configuration

Threatname: DarkCloud

{"Exfil Mode": "SMTP", "To Address": "zakirrome@ostdubai.com", "From Address": "zakirrome@ostdubai.com"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.1480377578.0000000004ED0000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
    00000001.00000002.1478270364.000000000408A000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
      00000001.00000002.1478270364.000000000408A000.00000004.00000800.00020000.00000000.sdmpLokiBot_Dropper_Packed_R11_Feb18Auto-generated rule - file scan copy.pdf.r11Florian Roth
      • 0x5794:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
      00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
        00000001.00000002.1478270364.0000000003581000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
          Click to see the 4 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          1.2.Purchase Order AB013058.PDF.exe.4ed0000.6.raw.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
            1.2.Purchase Order AB013058.PDF.exe.4ed0000.6.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
              1.2.Purchase Order AB013058.PDF.exe.408a920.3.raw.unpackJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
                1.2.Purchase Order AB013058.PDF.exe.366e170.4.raw.unpackJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
                  4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
                    Click to see the 6 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Suspicious Double Extension File Execution
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe", CommandLine: "C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe", CommandLine|base64offset|contains: :^, Image: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe, NewProcessName: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe, OriginalFileName: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe", ProcessId: 7716, ProcessName: Purchase Order AB013058.PDF.exe

                    Suricata Signatures

                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2024-11-25T14:25:26.381872+010028032742Potentially Bad Traffic192.168.2.949712162.55.60.280TCP

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus / Scanner detection for submitted sample
                    Source: Purchase Order AB013058.PDF.exeAvira: detected
                    Found malware configuration
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackMalware Configuration Extractor: DarkCloud {"Exfil Mode": "SMTP", "To Address": "zakirrome@ostdubai.com", "From Address": "zakirrome@ostdubai.com"}
                    Multi AV Scanner detection for submitted file
                    Source: Purchase Order AB013058.PDF.exeReversingLabs: Detection: 36%
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Machine Learning detection for sample
                    Source: Purchase Order AB013058.PDF.exeJoe Sandbox ML: detected
                    Sample uses string decryption to hide its real strings
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: Cookies
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: \Default\Login Data
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: \Login Data
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: //setting[@name='Password']/value
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: Password :
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: SMTP Email Address
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: NNTP Email Address
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: Email
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: HTTPMail User Name
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: HTTPMail Server
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: ^(?!:\/\/)([a-zA-Z0-9-_]+\.)[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: Password
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: ^3[47][0-9]{13}$
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: ^(6541|6556)[0-9]{12}$
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: ^389[0-9]{11}$
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: ^3(?:0[0-5]|[68][0-9])[0-9]{11}$
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: ^63[7-9][0-9]{13}$
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: ^(?:2131|1800|35\\d{3})\\d{11}$
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: ^9[0-9]{15}$
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: ^(6304|6706|6709|6771)[0-9]{12,15}$
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: Mastercard
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: ^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: ^(6334|6767)[0-9]{12}|(6334|6767)[0-9]{14}|(6334|6767)[0-9]{15}$
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: ^(4903|4905|4911|4936|6333|6759)[0-9]{12}|(4903|4905|4911|4936|6333|6759)[0-9]{14}|(4903|4905|4911|4936|6333|6759)[0-9]{15}|564182[0-9]{10}|564182[0-9]{12}|564182[0-9]{13}|633110[0-9]{10}|633110[0-9]{12}|633110[0-9]{13}$
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: ^(62[0-9]{14,17})$
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: Visa Card
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: Visa Master Card
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: mail\
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: \logins.json
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: \signons.sqlite
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: Foxmail.exe
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: \AccCfg\Accounts.tdat
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: EnableSignature
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: encryptedUsername
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: logins
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: encryptedPassword
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: IPNJINrDdJmAil
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserver
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: http://schemas.microsoft.com/cdo/configuration/smtpauthenticate
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: mail.adityagroup.co
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserverport
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: http://schemas.microsoft.com/cdo/configuration/sendpassword
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: \global-messages-db.sqlite
                    Source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpackString decryptor: C:\\MailMasterData
                    Source: Purchase Order AB013058.PDF.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: Purchase Order AB013058.PDF.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: W.pdb4 source: Purchase Order AB013058.PDF.exe, 00000001.00000002.1478270364.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000001.00000002.1478270364.0000000003581000.00000004.00000800.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000001.00000002.1478270364.00000000040CD000.00000004.00000800.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile opened: C:\Users\user\AppDataJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\TemplatesJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile opened: C:\Users\userJump to behavior
                    Source: Joe Sandbox ViewIP Address: 162.55.60.2 162.55.60.2
                    Source: unknownDNS query: name: showip.net
                    Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49712 -> 162.55.60.2:80
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeCode function: 4_2_00438340 __vbaStrCopy,__vbaStrMove,__vbaFixstrConstruct,__vbaNew2,__vbaHresultCheckObj,__vbaHresultCheckObj,__vbaStrToAnsi,InternetOpenA,__vbaSetSystemError,__vbaFreeStrList,__vbaFreeStrList,__vbaFreeObj,__vbaStrToAnsi,InternetOpenUrlA,__vbaSetSystemError,__vbaStrToUnicode,__vbaFreeStr,__vbaStrToAnsi,__vbaSetSystemError,__vbaStrToUnicode,__vbaLsetFixstr,__vbaLsetFixstr,__vbaFreeStrList,__vbaStrCopy,__vbaStrToAnsi,InternetReadFile,__vbaStrToUnicode,__vbaLsetFixstr,__vbaFreeStrList,__vbaStrCopy,#631,__vbaStrMove,__vbaLsetFixstr,__vbaStrCat,__vbaStrMove,__vbaFreeStrList,__vbaSetSystemError,#598,__vbaSetSystemError,__vbaStrCopy,__vbaFreeStr,__vbaFreeStr,__vbaFreeStr,4_2_00438340
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Project1Host: showip.net
                    Source: global trafficDNS traffic detected: DNS query: showip.net
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://showip.net/
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-L6NKT5G6D7
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeCode function: 4_2_0040546C GetAsyncKeyState,4_2_0040546C

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 00000001.00000002.1478270364.000000000408A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
                    Source: 00000001.00000002.1478270364.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
                    Initial sample is a PE file and has a suspicious name
                    Source: initial sampleStatic PE information: Filename: Purchase Order AB013058.PDF.exe
                    Source: initial sampleStatic PE information: Filename: Purchase Order AB013058.PDF.exe
                    Writes or reads registry keys via WMI
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeCode function: 1_2_006ED51C1_2_006ED51C
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeCode function: 4_2_0040983E4_2_0040983E
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeCode function: 4_2_004099704_2_00409970
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeCode function: 4_2_0042B9204_2_0042B920
                    Source: Purchase Order AB013058.PDF.exe, 00000001.00000002.1478270364.00000000036B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamegeometricist.exe vs Purchase Order AB013058.PDF.exe
                    Source: Purchase Order AB013058.PDF.exe, 00000001.00000002.1478270364.00000000036B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs Purchase Order AB013058.PDF.exe
                    Source: Purchase Order AB013058.PDF.exe, 00000001.00000002.1481147720.0000000006920000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs Purchase Order AB013058.PDF.exe
                    Source: Purchase Order AB013058.PDF.exe, 00000001.00000002.1480377578.0000000004ED0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs Purchase Order AB013058.PDF.exe
                    Source: Purchase Order AB013058.PDF.exe, 00000001.00000002.1478270364.0000000003581000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamegeometricist.exe vs Purchase Order AB013058.PDF.exe
                    Source: Purchase Order AB013058.PDF.exe, 00000001.00000002.1478270364.0000000003581000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs Purchase Order AB013058.PDF.exe
                    Source: Purchase Order AB013058.PDF.exe, 00000001.00000002.1476419605.00000000006FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Purchase Order AB013058.PDF.exe
                    Source: Purchase Order AB013058.PDF.exe, 00000001.00000002.1478270364.00000000040CD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamegeometricist.exe vs Purchase Order AB013058.PDF.exe
                    Source: Purchase Order AB013058.PDF.exeBinary or memory string: OriginalFilename vs Purchase Order AB013058.PDF.exe
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenamegeometricist.exe vs Purchase Order AB013058.PDF.exe
                    Source: Purchase Order AB013058.PDF.exeBinary or memory string: OriginalFilenameQVpw.exeF vs Purchase Order AB013058.PDF.exe
                    Source: Purchase Order AB013058.PDF.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 00000001.00000002.1478270364.000000000408A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000001.00000002.1478270364.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: Purchase Order AB013058.PDF.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, Jl6HNfF8PPhskZKxnM.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, P1hvZjf7ynjG3SjI7x.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, P1hvZjf7ynjG3SjI7x.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, P1hvZjf7ynjG3SjI7x.csSecurity API names: _0020.AddAccessRule
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, P1hvZjf7ynjG3SjI7x.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, P1hvZjf7ynjG3SjI7x.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, P1hvZjf7ynjG3SjI7x.csSecurity API names: _0020.AddAccessRule
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, Jl6HNfF8PPhskZKxnM.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: K@*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
                    Source: Purchase Order AB013058.PDF.exeBinary or memory string: *\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
                    Source: Purchase Order AB013058.PDF.exe, 00000001.00000002.1478270364.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000001.00000002.1478270364.000000000408A000.00000004.00000800.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000001.00000002.1478270364.0000000003581000.00000004.00000800.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: 5@ D*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
                    Source: Purchase Order AB013058.PDF.exeBinary or memory string: D*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/116@1/1
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order AB013058.PDF.exe.logJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeMutant created: NULL
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile created: C:\Users\user\AppData\Local\Temp\~DF567D41D4C00B0A5A.TMPJump to behavior
                    Source: Purchase Order AB013058.PDF.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: Purchase Order AB013058.PDF.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile read: C:\Users\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: Purchase Order AB013058.PDF.exeBinary or memory string: SELECT item1 FROM metadata WHERE id = 'password';
                    Source: LogkinotKrAhRyjSfwLYIttQphGBONdeYquirinal.4.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: Purchase Order AB013058.PDF.exeReversingLabs: Detection: 36%
                    Source: unknownProcess created: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe "C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe"
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess created: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe "C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe"
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess created: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe "C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe"
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess created: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe "C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess created: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe "C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: msvbvm60.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: vb6zz.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: winsqlite3.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: vbscript.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: zipfldr.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: dui70.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: duser.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: oleacc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: atlthunk.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: explorerframe.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: cdosys.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: inetcomm.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: msoert2.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: inetres.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: activeds.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: adsldpc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: logoncli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeSection loaded: mlang.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: esscli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: Purchase Order AB013058.PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Purchase Order AB013058.PDF.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: W.pdb4 source: Purchase Order AB013058.PDF.exe, 00000001.00000002.1478270364.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000001.00000002.1478270364.0000000003581000.00000004.00000800.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000001.00000002.1478270364.00000000040CD000.00000004.00000800.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp

                    Data Obfuscation

                    barindex
                    .NET source code contains method to dynamically call methods (often used by packers)
                    Source: 1.2.Purchase Order AB013058.PDF.exe.4ed0000.6.raw.unpack, id.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                    .NET source code contains potential unpacker
                    Source: Purchase Order AB013058.PDF.exe, MainForm.cs.Net Code: InitializeComponent contains xor as well as GetObject
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, P1hvZjf7ynjG3SjI7x.cs.Net Code: MTx8Dwm1aKbBTp32EHT System.Reflection.Assembly.Load(byte[])
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, P1hvZjf7ynjG3SjI7x.cs.Net Code: MTx8Dwm1aKbBTp32EHT System.Reflection.Assembly.Load(byte[])
                    Source: Purchase Order AB013058.PDF.exeStatic PE information: section name: .text entropy: 7.9891120534403175
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, pxLscntoxkX4U42fwo.csHigh entropy of concatenated method names: 'fqf6CqMy41', 'U9368341uA', 'ba96p3BONt', 'gW26Tuxuj2', 'pEP61AIc8l', 'cyJ6yd5RwY', 'siE6JCpSP3', 'DlQ6mnvFAV', 'oGtoMja2YZvYT4cOrGW', 'KLbSZjaTUeDuo2cKuv9'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, HLawRkOWldfQ7S8dpc.csHigh entropy of concatenated method names: 'iarPXu1HJA', 'fv4P0TECD1', 'ToString', 'xZpP98bBCk', 'I1WPY4jcc8', 'ry3PNZ9Hcm', 'XiePik34IL', 'UIEP6OhHWI', 'IchPaxXY2v', 'QZCPfTXdjm'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, Ii7flQqsm0BMpQaK5P.csHigh entropy of concatenated method names: 'G5qENj6SBh', 'eIpEiKn4D2', 'bB2E6K4KL4', 'DvbEaytkAi', 'ufeEU1Sclb', 'BbhEfFK0D6', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, sP5fB6xLB9XDwf7gpt.csHigh entropy of concatenated method names: 'fxE5VUgfpA', 'IYF54vNMRX', 'wYY5xvqFjo', 'Fj85uQdJn1', 'RLb5c30U7k', 'nIE53UVGQ3', 'gby5tJ4Djo', 'tgN5S5O1S9', 'KUV5HdgFhQ', 'kLK5MNBJ0l'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, Oomw9RWp0l363oMkFR.csHigh entropy of concatenated method names: 'zfWa89yvAo', 'GnmaBioi6s', 'iVUapVmPBf', 'tvMaTZluhQ', 'iuYaA96A9g', 'tVga1JDR9B', 'NeTayVrh38', 'QyGaF9ZjYs', 'HrwaJW5PJ6', 'Q9oam0RvtN'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, v2jq5hNShuhZpKVNrI.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'EeMIRVfWlN', 'djyIqWr4LO', 'wUcIzCvYnE', 'vWTgZ8rFSF', 'BZfg2aY7mm', 'YxCgIcBInJ', 'tYrggUS8y9', 'MT2Yy4m0MQj1tNcFpB8'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, l0a7eMIgLyYJVpvZV5.csHigh entropy of concatenated method names: 'ko1pT9H3S', 'BxeTW8I0D', 'gNE1InQyC', 'GqQyv7aBf', 'qGmJGh0Dq', 'kNdm1NuyK', 'enRX0lwPkDbvToHSbp', 'gAh5CkuE65Anptayvi', 'laFhsRK6w', 'QJjEFio9X'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, Jl6HNfF8PPhskZKxnM.csHigh entropy of concatenated method names: 'pV2Yx4UHG9', 'KA4YuSfHCU', 'w8rYl01j5j', 'sfkYOZtxMi', 'BoKYnChEqV', 'StLYDlHJGw', 'LXqYjOvgTW', 'KLkY7RKYqr', 'eXVYRf0adu', 'T0YYqAmWNf'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, AuXsJq2GfSakCHePmB2.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TsgkUTVshG', 'qjCkEq3uGe', 'kqfkQuUK2l', 'I8xkkZ9sXf', 'lOhkvpm6sC', 'XGLks4Kwq4', 'hfpkCH5J4G'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, L5gr1aKu5BVtqShttf.csHigh entropy of concatenated method names: 'tZ26oIKZfv', 'HvA6YRfAIO', 'Teq6iTEtNO', 'tAk6a1yGk1', 'oiJ6fG1UyV', 'zYvinJnqtZ', 'ry1iD0imv2', 'Jn8ij98MMm', 'kRki7AqORD', 'eARiRkj1gE'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, I2ZEAuYt7R4lNEhBRB.csHigh entropy of concatenated method names: 'Dispose', 'jvg2RTHcQV', 'Ys7IcqThZm', 'E2Kj3WQ5di', 'PS22qtIwYd', 'pQ32zy12uD', 'ProcessDialogKey', 'E5fIZBGqIq', 'P52I26xs3e', 'Pd8IIti7fl'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, YXUSevmypaTHjG79yb.csHigh entropy of concatenated method names: 'iZdiA0B6vk', 'KXmiy4l9cw', 'rL4N3o226J', 'BaWNt1LY5x', 'AmBNSkQBOi', 'qi8NHiAkdk', 'PY4NM2pNvC', 'gY3NeRUAGe', 'PxXNWRUL7w', 'owRNVsNpJj'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, fCZgEW2Z3rdBLNfZhDW.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TydELT1HtH', 'PXqE4FJByg', 'nfhEbRJC6R', 'IpgExvyMZs', 'E7REu1WO91', 'KqYElF7vfb', 'U05EObNYqH'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, Hh22SUGT0AkV43gZJu.csHigh entropy of concatenated method names: 'euS2al6HNf', 'xPP2fhskZK', 'C4J2XsFFxK', 'nFa20aqXUS', 'd7925ybM5g', 'p1a2ru5BVt', 'CKCNn5I28j4Mb9ZnSL', 'XZDCrwRLmDsk1Jk8fq', 'Dib22Aqs0W', 'TMG2g7IVCI'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, P1hvZjf7ynjG3SjI7x.csHigh entropy of concatenated method names: 'cV7goaWgua', 'VBFg9keFsf', 'rAegYYJBBj', 'ejagNK9f9P', 'xVZgiXtOjW', 'pYrg6rhuVJ', 'eeIgaxkw83', 'NongfJNhJc', 'xbagwwg5HW', 'lkUgXH7iZg'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, GhvFLpDt2XDLCxxlh4.csHigh entropy of concatenated method names: 'rcbP7QeSUY', 'mfZPqrwUOm', 'DUchZCxcJo', 'qeJh2189eX', 'dUBPLYaJes', 'OFuP4lsLKe', 'gpvPbIPX7q', 'btxPxEWxT4', 'zNWPuveT4t', 'Ms1PlJfYvf'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, XUhXt622Lu9TjRBW7ZW.csHigh entropy of concatenated method names: 'tV7Eq0KWIx', 'TmVEzrVg9q', 'QlIQZHfbnK', 'SiHQ2CUHLB', 'VuXQIFlZYQ', 'FlrQgm7VrJ', 'NHBQGXOvLH', 'dv5QocaVwR', 'lRxQ99M3H0', 'ajRQYfHPmG'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, ohlMs1J4JsFFxK0Faa.csHigh entropy of concatenated method names: 'JEbNT1IQCi', 'cbvN1RinXd', 'x8PNF666ow', 'iFCNJUdLGP', 'FMaN5UXQHp', 'nqENr3LkOD', 'wvINPXphmQ', 'z2INhIP7UG', 'kR6NUpvLdn', 'XTiNEeVOh3'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, kBGqIqR4526xs3e4d8.csHigh entropy of concatenated method names: 'lExUKZIGbN', 'biiUcu8Ldq', 'cVtU3BqRdC', 'MHmUtQcUd1', 'mMrUSGNZHU', 'WLtUHZ4uMc', 'CFxUMYnAlB', 'vVeUecu7cX', 'gvPUWlZA2D', 'qWqUVlAcVc'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, NPoOrRbWGJBZRxp0oW.csHigh entropy of concatenated method names: 'FxRdFLS0VM', 'FkSdJ7f2nR', 'gHldKSrsOe', 'xccdcZSuUe', 'UiWdtX3juc', 'FKPdSL7ldP', 'IpXdMrFBjg', 'NlsdeuCfBM', 'WSfdVLw8r3', 'h6BdLs6Huy'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, N5QESyjH1avgTHcQV4.csHigh entropy of concatenated method names: 'tdDU5yoHJD', 'mfKUPXoeLX', 'geAUUyjwyL', 'LRfUQJO2Eu', 'F3XUvZTdJE', 'lEZUCAgk43', 'Dispose', 'Dfph9atqM7', 'llnhYqoRPp', 'wkShN7T8OD'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.6920000.7.raw.unpack, DaAhL3zQmFwKlYKfHY.csHigh entropy of concatenated method names: 'VJAE1dFotQ', 'od6EFqtCvZ', 'xhLEJxv05F', 'twlEKqRvL1', 'fGAEcTy9d2', 'mCIEtKmp6b', 'XSgESm3rdk', 'QnTEC1dV9x', 'ixxE8B2FA9', 'x8cEBVRGED'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, pxLscntoxkX4U42fwo.csHigh entropy of concatenated method names: 'fqf6CqMy41', 'U9368341uA', 'ba96p3BONt', 'gW26Tuxuj2', 'pEP61AIc8l', 'cyJ6yd5RwY', 'siE6JCpSP3', 'DlQ6mnvFAV', 'oGtoMja2YZvYT4cOrGW', 'KLbSZjaTUeDuo2cKuv9'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, HLawRkOWldfQ7S8dpc.csHigh entropy of concatenated method names: 'iarPXu1HJA', 'fv4P0TECD1', 'ToString', 'xZpP98bBCk', 'I1WPY4jcc8', 'ry3PNZ9Hcm', 'XiePik34IL', 'UIEP6OhHWI', 'IchPaxXY2v', 'QZCPfTXdjm'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, Ii7flQqsm0BMpQaK5P.csHigh entropy of concatenated method names: 'G5qENj6SBh', 'eIpEiKn4D2', 'bB2E6K4KL4', 'DvbEaytkAi', 'ufeEU1Sclb', 'BbhEfFK0D6', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, sP5fB6xLB9XDwf7gpt.csHigh entropy of concatenated method names: 'fxE5VUgfpA', 'IYF54vNMRX', 'wYY5xvqFjo', 'Fj85uQdJn1', 'RLb5c30U7k', 'nIE53UVGQ3', 'gby5tJ4Djo', 'tgN5S5O1S9', 'KUV5HdgFhQ', 'kLK5MNBJ0l'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, Oomw9RWp0l363oMkFR.csHigh entropy of concatenated method names: 'zfWa89yvAo', 'GnmaBioi6s', 'iVUapVmPBf', 'tvMaTZluhQ', 'iuYaA96A9g', 'tVga1JDR9B', 'NeTayVrh38', 'QyGaF9ZjYs', 'HrwaJW5PJ6', 'Q9oam0RvtN'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, v2jq5hNShuhZpKVNrI.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'EeMIRVfWlN', 'djyIqWr4LO', 'wUcIzCvYnE', 'vWTgZ8rFSF', 'BZfg2aY7mm', 'YxCgIcBInJ', 'tYrggUS8y9', 'MT2Yy4m0MQj1tNcFpB8'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, l0a7eMIgLyYJVpvZV5.csHigh entropy of concatenated method names: 'ko1pT9H3S', 'BxeTW8I0D', 'gNE1InQyC', 'GqQyv7aBf', 'qGmJGh0Dq', 'kNdm1NuyK', 'enRX0lwPkDbvToHSbp', 'gAh5CkuE65Anptayvi', 'laFhsRK6w', 'QJjEFio9X'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, Jl6HNfF8PPhskZKxnM.csHigh entropy of concatenated method names: 'pV2Yx4UHG9', 'KA4YuSfHCU', 'w8rYl01j5j', 'sfkYOZtxMi', 'BoKYnChEqV', 'StLYDlHJGw', 'LXqYjOvgTW', 'KLkY7RKYqr', 'eXVYRf0adu', 'T0YYqAmWNf'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, AuXsJq2GfSakCHePmB2.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TsgkUTVshG', 'qjCkEq3uGe', 'kqfkQuUK2l', 'I8xkkZ9sXf', 'lOhkvpm6sC', 'XGLks4Kwq4', 'hfpkCH5J4G'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, L5gr1aKu5BVtqShttf.csHigh entropy of concatenated method names: 'tZ26oIKZfv', 'HvA6YRfAIO', 'Teq6iTEtNO', 'tAk6a1yGk1', 'oiJ6fG1UyV', 'zYvinJnqtZ', 'ry1iD0imv2', 'Jn8ij98MMm', 'kRki7AqORD', 'eARiRkj1gE'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, I2ZEAuYt7R4lNEhBRB.csHigh entropy of concatenated method names: 'Dispose', 'jvg2RTHcQV', 'Ys7IcqThZm', 'E2Kj3WQ5di', 'PS22qtIwYd', 'pQ32zy12uD', 'ProcessDialogKey', 'E5fIZBGqIq', 'P52I26xs3e', 'Pd8IIti7fl'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, YXUSevmypaTHjG79yb.csHigh entropy of concatenated method names: 'iZdiA0B6vk', 'KXmiy4l9cw', 'rL4N3o226J', 'BaWNt1LY5x', 'AmBNSkQBOi', 'qi8NHiAkdk', 'PY4NM2pNvC', 'gY3NeRUAGe', 'PxXNWRUL7w', 'owRNVsNpJj'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, fCZgEW2Z3rdBLNfZhDW.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TydELT1HtH', 'PXqE4FJByg', 'nfhEbRJC6R', 'IpgExvyMZs', 'E7REu1WO91', 'KqYElF7vfb', 'U05EObNYqH'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, Hh22SUGT0AkV43gZJu.csHigh entropy of concatenated method names: 'euS2al6HNf', 'xPP2fhskZK', 'C4J2XsFFxK', 'nFa20aqXUS', 'd7925ybM5g', 'p1a2ru5BVt', 'CKCNn5I28j4Mb9ZnSL', 'XZDCrwRLmDsk1Jk8fq', 'Dib22Aqs0W', 'TMG2g7IVCI'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, P1hvZjf7ynjG3SjI7x.csHigh entropy of concatenated method names: 'cV7goaWgua', 'VBFg9keFsf', 'rAegYYJBBj', 'ejagNK9f9P', 'xVZgiXtOjW', 'pYrg6rhuVJ', 'eeIgaxkw83', 'NongfJNhJc', 'xbagwwg5HW', 'lkUgXH7iZg'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, GhvFLpDt2XDLCxxlh4.csHigh entropy of concatenated method names: 'rcbP7QeSUY', 'mfZPqrwUOm', 'DUchZCxcJo', 'qeJh2189eX', 'dUBPLYaJes', 'OFuP4lsLKe', 'gpvPbIPX7q', 'btxPxEWxT4', 'zNWPuveT4t', 'Ms1PlJfYvf'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, XUhXt622Lu9TjRBW7ZW.csHigh entropy of concatenated method names: 'tV7Eq0KWIx', 'TmVEzrVg9q', 'QlIQZHfbnK', 'SiHQ2CUHLB', 'VuXQIFlZYQ', 'FlrQgm7VrJ', 'NHBQGXOvLH', 'dv5QocaVwR', 'lRxQ99M3H0', 'ajRQYfHPmG'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, ohlMs1J4JsFFxK0Faa.csHigh entropy of concatenated method names: 'JEbNT1IQCi', 'cbvN1RinXd', 'x8PNF666ow', 'iFCNJUdLGP', 'FMaN5UXQHp', 'nqENr3LkOD', 'wvINPXphmQ', 'z2INhIP7UG', 'kR6NUpvLdn', 'XTiNEeVOh3'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, kBGqIqR4526xs3e4d8.csHigh entropy of concatenated method names: 'lExUKZIGbN', 'biiUcu8Ldq', 'cVtU3BqRdC', 'MHmUtQcUd1', 'mMrUSGNZHU', 'WLtUHZ4uMc', 'CFxUMYnAlB', 'vVeUecu7cX', 'gvPUWlZA2D', 'qWqUVlAcVc'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, NPoOrRbWGJBZRxp0oW.csHigh entropy of concatenated method names: 'FxRdFLS0VM', 'FkSdJ7f2nR', 'gHldKSrsOe', 'xccdcZSuUe', 'UiWdtX3juc', 'FKPdSL7ldP', 'IpXdMrFBjg', 'NlsdeuCfBM', 'WSfdVLw8r3', 'h6BdLs6Huy'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, N5QESyjH1avgTHcQV4.csHigh entropy of concatenated method names: 'tdDU5yoHJD', 'mfKUPXoeLX', 'geAUUyjwyL', 'LRfUQJO2Eu', 'F3XUvZTdJE', 'lEZUCAgk43', 'Dispose', 'Dfph9atqM7', 'llnhYqoRPp', 'wkShN7T8OD'
                    Source: 1.2.Purchase Order AB013058.PDF.exe.371e990.0.raw.unpack, DaAhL3zQmFwKlYKfHY.csHigh entropy of concatenated method names: 'VJAE1dFotQ', 'od6EFqtCvZ', 'xhLEJxv05F', 'twlEKqRvL1', 'fGAEcTy9d2', 'mCIEtKmp6b', 'XSgESm3rdk', 'QnTEC1dV9x', 'ixxE8B2FA9', 'x8cEBVRGED'

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Uses an obfuscated file name to hide its real file extension (double extension)
                    Source: Possible double extension: pdf.exeStatic PE information: Purchase Order AB013058.PDF.exe
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeMemory allocated: 6E0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeMemory allocated: 2580000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeMemory allocated: 24D0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeMemory allocated: 8660000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeMemory allocated: 9660000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeMemory allocated: 9860000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeMemory allocated: A860000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeWindow / User API: foregroundWindowGot 1772Jump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe TID: 7764Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile opened: C:\Users\user\AppDataJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\TemplatesJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile opened: C:\Users\userJump to behavior
                    Source: WebData.4.drBinary or memory string: dev.azure.comVMware20,11696497155j
                    Source: WebData.4.drBinary or memory string: global block list test formVMware20,11696497155
                    Source: WebData.4.drBinary or memory string: turbotax.intuit.comVMware20,11696497155t
                    Source: WebData.4.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: WebData.4.drBinary or memory string: Interactive Brokers - HKVMware20,11696497155]
                    Source: WebData.4.drBinary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
                    Source: WebData.4.drBinary or memory string: tasks.office.comVMware20,11696497155o
                    Source: WebData.4.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155
                    Source: WebData.4.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP+c
                    Source: WebData.4.drBinary or memory string: bankofamerica.comVMware20,11696497155x
                    Source: WebData.4.drBinary or memory string: ms.portal.azure.comVMware20,11696497155
                    Source: WebData.4.drBinary or memory string: trackpan.utiitsl.comVMware20,11696497155h
                    Source: WebData.4.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
                    Source: WebData.4.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
                    Source: WebData.4.drBinary or memory string: interactivebrokers.co.inVMware20,11696497155d
                    Source: WebData.4.drBinary or memory string: Canara Transaction PasswordVMware20,11696497155x
                    Source: WebData.4.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696497155
                    Source: WebData.4.drBinary or memory string: interactivebrokers.comVMware20,11696497155
                    Source: WebData.4.drBinary or memory string: AMC password management pageVMware20,11696497155
                    Source: WebData.4.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
                    Source: WebData.4.drBinary or memory string: Canara Transaction PasswordVMware20,11696497155}
                    Source: WebData.4.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
                    Source: WebData.4.drBinary or memory string: account.microsoft.com/profileVMware20,11696497155u
                    Source: WebData.4.drBinary or memory string: discord.comVMware20,11696497155f
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ctivebrokers.co.inVMware20,11696497155d
                    Source: WebData.4.drBinary or memory string: netportal.hdfcbank.comVMware20,11696497155
                    Source: WebData.4.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
                    Source: WebData.4.drBinary or memory string: outlook.office365.comVMware20,11696497155t
                    Source: WebData.4.drBinary or memory string: outlook.office.comVMware20,11696497155s
                    Source: WebData.4.drBinary or memory string: www.interactivebrokers.comVMware20,11696497155}
                    Source: WebData.4.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
                    Source: WebData.4.drBinary or memory string: microsoft.visualstudio.comVMware20,11696497155x
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeMemory allocated: page read and write | page guardJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess created: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe "C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeProcess created: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe "C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe"Jump to behavior
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, KeyDatanEJLoDah.txt.4.drBinary or memory string: [08:27:11]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:36]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [8:27:13]<<Program Manager>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:47]<<Program Manager>>
                    Source: KeyDatanalGguoZ.txt.4.dr, KeyDataXZhpIbSZ.txt.4.drBinary or memory string: [08:27:00]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmp, KeyDataqXbqGcYc.txt.4.drBinary or memory string: [08:25:58]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :25:41]<<Program Manager>>
                    Source: KeyDataKSoFzpEb.txt.4.drBinary or memory string: [08:26:57]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :59]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, KeyDataXgrVkoqQ.txt.4.dr, KeyDatawDraFhML.txt.4.drBinary or memory string: [08:26:35]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, KeyDataBNywPWgi.txt.4.drBinary or memory string: [08:26:46]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:55]<<Program Manager>>A
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:56<<Program Manager>>
                    Source: KeyDatapYdXvGwe.txt.4.dr, KeyDataKSoFzpEb.txt.4.drBinary or memory string: [08:26:56]<<Program Manager>>
                    Source: KeyDataBHhubaJn.txt.4.drBinary or memory string: [08:26:45]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, KeyDatawDraFhML.txt.4.drBinary or memory string: [08:26:34]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:12]<<Program Manager>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:43]<<Program Manager>>>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:02]<<Program Manager>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, KeyDataUiEkqQbS.txt.4.dr, KeyDatawwabBoFm.txt.4.drBinary or memory string: [08:26:23]<<Program Manager>>
                    Source: KeyDatavaTQcbhg.txt.4.drBinary or memory string: [08:26:12]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:01]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [8:25:52]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, KeyDatanalGguoZ.txt.4.dr, KeyDataKSoFzpEb.txt.4.drBinary or memory string: [08:26:58]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:00]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:10]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:35]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [8:27:17]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:17<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmp, KeyDataqXbqGcYc.txt.4.drBinary or memory string: [08:25:57]<<Program Manager>>
                    Source: KeyDatavIUMqkPL.txt.4.dr, KeyDatagOQjsWdE.txt.4.drBinary or memory string: [08:26:14]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, KeyDataXgrVkoqQ.txt.4.drBinary or memory string: [08:26:36]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:18<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [8:27:07]<<Program Manager>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managertyagroup.co"
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:56]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:48]<<Program Manager>>
                    Source: KeyDatagOQjsWdE.txt.4.dr, KeyDatavaTQcbhg.txt.4.drBinary or memory string: [08:26:13]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 08:27:17]<<Program Manager>>
                    Source: KeyDatawwabBoFm.txt.4.drBinary or memory string: [08:26:22]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, KeyDataBHhubaJn.txt.4.dr, KeyDatanhwfjFGm.txt.4.drBinary or memory string: [08:26:44]<<Program Manager>>
                    Source: KeyDataXZhpIbSZ.txt.4.drBinary or memory string: [08:27:01]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:54]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ]<<Program Manager>> L
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:00]<<Program Manager>>?
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:04]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:02]<<Program Manager>>Ma
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004814000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:01]<<Program Manager>>+
                    Source: KeyDatawwabBoFm.txt.4.dr, KeyDatalCuSXoHU.txt.4.drBinary or memory string: [08:26:21]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                    Source: KeyDataFqlKxCsi.txt.4.drBinary or memory string: [08:26:10]<<Program Manager>>
                    Source: KeyDataXgrVkoqQ.txt.4.dr, KeyDatadEHewopZ.txt.4.drBinary or memory string: [08:26:37]<<Program Manager>>
                    Source: KeyDataeXiFLZCi.txt.4.drBinary or memory string: [08:26:48]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:14]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:03]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:46]<<Program Manager>>am Man
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:38]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmp, KeyDataSfnEZGrO.txt.4.drBinary or memory string: [08:27:13]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmp, KeyDatarMlfenBQ.txt.4.drBinary or memory string: [08:27:02]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 08:26:04]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:07]<<Program Manager>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:50]<<Program Manager>>8
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:55]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001598000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:44]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:05]<<Program Manager>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, KeyDataeXiFLZCi.txt.4.dr, KeyDataBNywPWgi.txt.4.drBinary or memory string: [08:26:47]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:04]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:17]<<Program Manager-user\
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:54]<<Program Manager>>
                    Source: KeyDataFqlKxCsi.txt.4.dr, KeyDatavaTQcbhg.txt.4.drBinary or memory string: [08:26:11]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:37]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001598000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:18]<<Program Manager>>osoft
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004814000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:03]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:46]<<Program Manager>>
                    Source: KeyDatalCuSXoHU.txt.4.drBinary or memory string: [08:26:20]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:56]<<Program Manager>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:45]<<Program Manager>>
                    Source: KeyDatadEHewopZ.txt.4.drBinary or memory string: [08:26:38]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:18]<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:02]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:12]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, KeyDatapYdXvGwe.txt.4.drBinary or memory string: [08:26:55]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:18]<<Program Manager>>]
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:17]<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [8:26:04]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:55]<<Program Manager>in+
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:04]<<Program Manager>
                    Source: KeyDataJvcZurjh.txt.4.drBinary or memory string: [08:26:29]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:53]<<Program Manager>>
                    Source: KeyDatacacFLcgc.txt.4.dr, KeyDatauTPyLeaA.txt.4.drBinary or memory string: [08:26:18]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, KeyDataPFWgDmvC.txt.4.dr, KeyDataOPTPjuPV.txt.4.drBinary or memory string: [08:27:05]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager>>
                    Source: KeyDataYdvTFiBM.txt.4.dr, KeyDatadMIDEpTo.txt.4.drBinary or memory string: [08:26:40]<<Program Manager>>
                    Source: KeyDataKVUCBGvk.txt.4.dr, KeyDataqHSlOfnM.txt.4.drBinary or memory string: [08:26:51]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001598000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:19]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmp, KeyDataPnVjyjxR.txt.4.drBinary or memory string: [08:25:42]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:04]<<Program Manager>>:
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmp, KeyDataPnVjyjxR.txt.4.drBinary or memory string: [08:25:41]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 08:25:58]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :19]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 7]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:16]<<Program Manager>>
                    Source: KeyDatadEHewopZ.txt.4.dr, KeyDataYdvTFiBM.txt.4.drBinary or memory string: [08:26:39]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:02<<Program Manager>>
                    Source: KeyDatakaJTutTF.txt.4.dr, KeyDataJvcZurjh.txt.4.drBinary or memory string: [08:26:28]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managertyagroup.co"U
                    Source: KeyDataTBNWyvUd.txt.4.drBinary or memory string: [08:26:06]<<Program Manager>>
                    Source: KeyDatauTPyLeaA.txt.4.drBinary or memory string: [08:26:17]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:15]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001598000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:43]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:00]<<Program Manager>>54]<
                    Source: KeyDatacacFLcgc.txt.4.dr, KeyDatalCuSXoHU.txt.4.drBinary or memory string: [08:26:19]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:04]<<Program Manager>>8
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:21]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, KeyDataQrkIZVBY.txt.4.drBinary or memory string: [08:26:53]<<Program Manager>>
                    Source: KeyDatabPyXNHlo.txt.4.drBinary or memory string: [08:26:31]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:52]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, KeyDataKVUCBGvk.txt.4.dr, KeyDataQrkIZVBY.txt.4.drBinary or memory string: [08:26:52]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:46]<<Program Managerty.call(d,e)&&(a[e]=d[e])}return a};ha("Object.assign",function(a){return a||na});
                    Source: KeyDataOPTPjuPV.txt.4.drBinary or memory string: [08:27:06]<<Program Manager>>
                    Source: KeyDataeXiFLZCi.txt.4.dr, KeyDataqHSlOfnM.txt.4.drBinary or memory string: [08:26:49]<<Program Manager>>
                    Source: KeyDatabPyXNHlo.txt.4.dr, KeyDataJvcZurjh.txt.4.drBinary or memory string: [08:26:30]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, KeyDatakaJTutTF.txt.4.drBinary or memory string: [08:26:27]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [8:25:45]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:51]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:05]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:46]<<Program Manager>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8:26:35]<<Program Manager>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:39]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 08:25:59]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 04]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:12]<Program Manager>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, KeyDataDMjonxKW.txt.4.drBinary or memory string: [08:27:08]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, KeyDatanhwfjFGm.txt.4.drBinary or memory string: [08:26:43]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:50]<<Program Manager>>
                    Source: KeyDatavIUMqkPL.txt.4.drBinary or memory string: [08:26:15]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, KeyDatakaJTutTF.txt.4.dr, KeyDatabEWlbtnk.txt.4.drBinary or memory string: [08:26:26]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 08:25:45]<<Program Manager>>
                    Source: KeyDatamEWnJiLB.txt.4.drBinary or memory string: [08:26:32]<<Program Manager>>
                    Source: KeyDataFqlKxCsi.txt.4.dr, KeyDatakxYghDeH.txt.4.drBinary or memory string: [08:26:09]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [8:25:59]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:17]<<Program Manager>>ina\#
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 08:27:15]<<Program Manager>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, KeyDatanalGguoZ.txt.4.drBinary or memory string: [08:26:59]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:18]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:59]<<Program Manager>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, KeyDataOPTPjuPV.txt.4.drBinary or memory string: [08:27:07]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:07<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:49]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:05<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :02]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:07]<Program Manager>>
                    Source: KeyDataqHSlOfnM.txt.4.drBinary or memory string: [08:26:50]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:17]<<Program Manager>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:16]<<Program Manager>
                    Source: KeyDatakxYghDeH.txt.4.drBinary or memory string: [08:26:08]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managertyagroup.co"]
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:05]<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:56]<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:14]<<Program Manager>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:12<<Program Manager>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, KeyDatadMIDEpTo.txt.4.dr, KeyDatanhwfjFGm.txt.4.drBinary or memory string: [08:26:42]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, KeyDatabEWlbtnk.txt.4.drBinary or memory string: [08:26:25]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:18]<<Program Manager>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 08:25:52]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, KeyDataDMjonxKW.txt.4.drBinary or memory string: [08:27:09]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managertyagroup.co"p
                    Source: KeyDatadMIDEpTo.txt.4.drBinary or memory string: [08:26:41]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:02]<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, KeyDataUiEkqQbS.txt.4.dr, KeyDatabEWlbtnk.txt.4.drBinary or memory string: [08:26:24]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmp, KeyDataqXbqGcYc.txt.4.drBinary or memory string: [08:25:59]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:13]<<Program Manager>> TABLE credit_cards (guid VARCHAR PRIMARY KEY, name_on_card VARCHAR, expiration_month INTEGER, expiration_year INTEGER, card_number_encrypted BLOB, date_modified INTEGER NOT NULL DEFAULT 0, origin VARCHAR DEFAULT '', use_count INTEGER NOT NULL DEFAULT 0, use_date INTEGER NOT NULL DEFAULT
                    Source: KeyDatavIUMqkPL.txt.4.dr, KeyDatauTPyLeaA.txt.4.drBinary or memory string: [08:26:16]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.0000000004866000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmp, KeyDataPnVjyjxR.txt.4.drBinary or memory string: [08:25:40]<<Program Manager>>
                    Source: KeyDataTBNWyvUd.txt.4.drBinary or memory string: [08:26:07]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :46]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, KeyDatawDraFhML.txt.4.dr, KeyDatamEWnJiLB.txt.4.drBinary or memory string: [08:26:33]<<Program Manager>>
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:25:39]<<Program Manager>>2
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:26:05]<<Program Manager>>@
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.000000000481C000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2676881337.00000000047F0000.00000004.00000020.00020000.00000000.sdmp, Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [08:27:17]<<Program Manager>>
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\AIXACVYBSB.docx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\AIXACVYBSB.docx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\AIXACVYBSB.xlsx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\AIXACVYBSB.xlsx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BWDRWEEARI.pdf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BWDRWEEARI.pdf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\DTBZGIOOSO.docx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\DTBZGIOOSO.docx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\DTBZGIOOSO.pdf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\DTBZGIOOSO.pdf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\HTAGVDFUIE.docx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\HTAGVDFUIE.docx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\HTAGVDFUIE.pdf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\HTAGVDFUIE.pdf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\KLIZUSIQEN.pdf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\KLIZUSIQEN.pdf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\KLIZUSIQEN.xlsx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\KLIZUSIQEN.xlsx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NHPKIZUUSG.docx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NHPKIZUUSG.docx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NIKHQAIQAU.docx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NIKHQAIQAU.docx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NIKHQAIQAU.xlsx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NIKHQAIQAU.xlsx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.xlsx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.xlsx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\UOOJJOZIRH.docx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\UOOJJOZIRH.docx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\UOOJJOZIRH.pdf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\UOOJJOZIRH.pdf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\VLZDGUKUTZ.pdf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\VLZDGUKUTZ.pdf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\VLZDGUKUTZ.xlsx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\VLZDGUKUTZ.xlsx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\XZXHAVGRAG.xlsx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\XZXHAVGRAG.xlsx VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected DarkCloud
                    Source: Yara matchFile source: 1.2.Purchase Order AB013058.PDF.exe.408a920.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.Purchase Order AB013058.PDF.exe.366e170.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.Purchase Order AB013058.PDF.exe.36b1a64.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.Purchase Order AB013058.PDF.exe.366e170.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.Purchase Order AB013058.PDF.exe.358a264.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.Purchase Order AB013058.PDF.exe.408a920.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.Purchase Order AB013058.PDF.exe.36b1a64.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000001.00000002.1478270364.000000000408A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.1478270364.0000000003581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.1478270364.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Purchase Order AB013058.PDF.exe PID: 7716, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Purchase Order AB013058.PDF.exe PID: 7928, type: MEMORYSTR
                    Yara detected PureLog Stealer
                    Source: Yara matchFile source: 1.2.Purchase Order AB013058.PDF.exe.4ed0000.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.Purchase Order AB013058.PDF.exe.4ed0000.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000001.00000002.1480377578.0000000004ED0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Found many strings related to Crypto-Wallets (likely being stolen)
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \C:\Users\user\AppData\Roaming\Electrum\wallets$
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: xC:\Users\user\AppData\Roamingcom.liberty.jaxx\IndexedDB\fil__0.indexeddb.leveldb
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ,\Exodus\exodus.wallet\p.co"x
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: $\Ethereum\keystoreRxmd
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ,\Exodus\exodus.wallet\p.co"x
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: $\Ethereum\keystoreRxmd
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001631000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: fC:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                    Source: Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ,\Exodus\exodus.wallet\p.co"x
                    Source: Purchase Order AB013058.PDF.exe, 00000001.00000002.1480377578.0000000004ED0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: set_UseMachineKeyStore
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Tries to steal Crypto Currency Wallets
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\Jump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\Jump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\Jump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\Jump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order AB013058.PDF.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Jump to behavior

                    Remote Access Functionality

                    barindex
                    Yara detected DarkCloud
                    Source: Yara matchFile source: 1.2.Purchase Order AB013058.PDF.exe.408a920.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.Purchase Order AB013058.PDF.exe.366e170.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.Purchase Order AB013058.PDF.exe.36b1a64.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.Purchase Order AB013058.PDF.exe.366e170.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.Purchase Order AB013058.PDF.exe.400000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.Purchase Order AB013058.PDF.exe.358a264.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.Purchase Order AB013058.PDF.exe.408a920.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.Purchase Order AB013058.PDF.exe.36b1a64.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000001.00000002.1478270364.000000000408A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.1478270364.0000000003581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.1478270364.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Purchase Order AB013058.PDF.exe PID: 7716, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Purchase Order AB013058.PDF.exe PID: 7928, type: MEMORYSTR
                    Yara detected PureLog Stealer
                    Source: Yara matchFile source: 1.2.Purchase Order AB013058.PDF.exe.4ed0000.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.Purchase Order AB013058.PDF.exe.4ed0000.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000001.00000002.1480377578.0000000004ED0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		12
                    Process Injection                    		11
                    Masquerading                    		1
                    OS Credential Dumping                    		1
                    Security Software Discovery                    		Remote Services11
                    Input Capture                    		1
                    Encrypted Channel                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                    DLL Side-Loading                    		1
                    Disable or Modify Tools                    		11
                    Input Capture                    		2
                    Process Discovery                    		Remote Desktop Protocol1
                    Archive Collected Data                    		2
                    Ingress Tool Transfer                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)31
                    Virtualization/Sandbox Evasion                    		Security Account Manager31
                    Virtualization/Sandbox Evasion                    		SMB/Windows Admin Shares3
                    Data from Local System                    		2
                    Non-Application Layer Protocol                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                    Process Injection                    		NTDS1
                    Application Window Discovery                    		Distributed Component Object ModelInput Capture2
                    Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
                    Obfuscated Files or Information                    		LSA Secrets1
                    System Network Configuration Discovery                    		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts22
                    Software Packing                    		Cached Domain Credentials2
                    File and Directory Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                    DLL Side-Loading                    		DCSync12
                    System Information Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    Purchase Order AB013058.PDF.exe37%ReversingLabsByteCode-MSIL.Trojan.Generic
                    Purchase Order AB013058.PDF.exe100%AviraHEUR/AGEN.1307446
                    Purchase Order AB013058.PDF.exe100%Joe Sandbox ML

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    No Antivirus matches

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    showip.net
                    		162.55.60.2
                    		truefalse
                      		high

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.0000000001612000.00000004.00000020.00020000.00000000.sdmpfalse
                        		high
                        http://showip.net/Purchase Order AB013058.PDF.exe, 00000004.00000002.2674311739.00000000015D3000.00000004.00000020.00020000.00000000.sdmpfalse
                          		high

                          World Map of Contacted IPs

                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs

                          Public IPs

                          IPDomainCountryFlagASNASN NameMalicious
                          162.55.60.2
                          		showip.netUnited States
                          		35893ACPCAfalse

                          General Information

                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1562343
                          Start date and time:2024-11-25 14:24:11 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 6m 8s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:11
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:Purchase Order AB013058.PDF.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.evad.winEXE@6/116@1/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 55
                          • Number of non-executed functions: 50
                          Cookbook Comments:
                          • Found application associated with file extension: .exe

                          Warnings

                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing disassembly code.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                          • VT rate limit hit for: Purchase Order AB013058.PDF.exe

                          Simulations

                          Behavior and APIs

                          TimeTypeDescription
                          08:25:15API Interceptor19568x Sleep call for process: Purchase Order AB013058.PDF.exe modified

                          Joe Sandbox View / Context

                          IPs

                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          162.55.60.2MSM8C42iAN.exeGet hashmaliciousDarkCloudBrowse
                          • showip.net/
                          wMy37vlfvz.exeGet hashmaliciousDarkCloudBrowse
                          • showip.net/
                          8m65n7ieJC.exeGet hashmaliciousDarkCloudBrowse
                          • showip.net/
                          Factura modificada____678979879.exeGet hashmaliciousDarkCloudBrowse
                          • showip.net/
                          Pago SEPA.pdf.exeGet hashmaliciousGuLoaderBrowse
                          • showip.net/
                          Lista de cotizaciones.exeGet hashmaliciousDarkCloudBrowse
                          • showip.net/
                          New Order___________pdf.exeGet hashmaliciousDarkCloudBrowse
                          • showip.net/
                          Payment Receipt Attached PDF.exeGet hashmaliciousGuLoaderBrowse
                          • showip.net/
                          Payment Receipt Attached PDF.exeGet hashmaliciousGuLoaderBrowse
                          • showip.net/
                          FCGF98760900.bat.exeGet hashmaliciousDarkCloudBrowse
                          • showip.net/

                          Domains

                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          showip.netMSM8C42iAN.exeGet hashmaliciousDarkCloudBrowse
                          • 162.55.60.2
                          wMy37vlfvz.exeGet hashmaliciousDarkCloudBrowse
                          • 162.55.60.2
                          8m65n7ieJC.exeGet hashmaliciousDarkCloudBrowse
                          • 162.55.60.2
                          Factura modificada____678979879.exeGet hashmaliciousDarkCloudBrowse
                          • 162.55.60.2
                          Pago SEPA.pdf.exeGet hashmaliciousGuLoaderBrowse
                          • 162.55.60.2
                          Lista de cotizaciones.exeGet hashmaliciousDarkCloudBrowse
                          • 162.55.60.2
                          New Order___________pdf.exeGet hashmaliciousDarkCloudBrowse
                          • 162.55.60.2
                          Payment Receipt Attached PDF.exeGet hashmaliciousGuLoaderBrowse
                          • 162.55.60.2
                          Payment Receipt Attached PDF.exeGet hashmaliciousGuLoaderBrowse
                          • 162.55.60.2
                          FCGF98760900.bat.exeGet hashmaliciousDarkCloudBrowse
                          • 162.55.60.2

                          ASNs

                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          ACPCAMSM8C42iAN.exeGet hashmaliciousDarkCloudBrowse
                          • 162.55.60.2
                          wMy37vlfvz.exeGet hashmaliciousDarkCloudBrowse
                          • 162.55.60.2
                          TAX INVOICE.exeGet hashmaliciousFormBookBrowse
                          • 162.0.209.213
                          yakuza.i586.elfGet hashmaliciousMiraiBrowse
                          • 162.36.0.12
                          x86.elfGet hashmaliciousMirai, MoobotBrowse
                          • 162.64.74.120
                          HXpVpoC9cr.exeGet hashmaliciousFormBookBrowse
                          • 162.0.211.143
                          meow.arm7.elfGet hashmaliciousUnknownBrowse
                          • 162.52.234.30
                          8m65n7ieJC.exeGet hashmaliciousDarkCloudBrowse
                          • 162.55.60.2
                          Factura modificada____678979879.exeGet hashmaliciousDarkCloudBrowse
                          • 162.55.60.2
                          dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeGet hashmaliciousFormBookBrowse
                          • 162.0.215.33

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          No context

                          Created / dropped Files

                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order AB013058.PDF.exe.log

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1216
                          Entropy (8bit):5.34331486778365
                          Encrypted:false
                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                          Malicious:true
                          Reputation:high, very likely benign file
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                          C:\Users\user\AppData\Local\Temp\7_a08184

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                          Category:dropped
                          Size (bytes):13714
                          Entropy (8bit):7.8332498416353475
                          Encrypted:false
                          SSDEEP:384:3VL38zFbUDrxyE+I433yE+I438PrjnjOm6mpr:3VL38VCrx8H8sqm6mpr
                          MD5:C0407EA9E8C6E776BEE355C354C9B992
                          SHA1:F5D321E70232BBB05888F25112EA39E6D5D3E5E9
                          SHA-256:80E88B449EE5797E7672C0278B859ACB2876DB94A5818A55A5203032192AF977
                          SHA-512:00E4A75D3D0A506705D27A16E2303786AC1E1CAAD9DE3C8C2BA64E4E960EC56D7AB959BDE73A1CAC96445F9AAF34104CB4FF014FD83D7725D472A1787386DC13
                          Malicious:false
                          Reputation:low
                          Preview:PK........."EWS..............Files/AIXACVYBSB.docx..Gn@1.D..r(.......$?.K..oF..~zj#6Ua....OSu..I.b.i.j...._".....5z]E...n..K...v...D8..<QHcl.r1...jJ..,2~xG..F.J..z..l...:..N8..b..66D... ....Wd.Z...x.eW.{.-...e....\&.|.$l$...}q.<.N..!=.s:W......J.......p.G..]......;$...NPN....\"..2....@.*VJ........0.T....B..)8.....>.z.2c...T..JV4...1....u)<g...j....E...{7lk.}.Q.^.5].......D.z.z..>..}U..F.Ro...2.;.K".;j...Jf5F2.+....T<Ck.|b.......%~..3.;..~.j...B...T.Qco5h;.9...O.(...s....&..5s..U..-.....c..[6.:..Yv.N.>#....N9._.............Qk.m...0/S=.g.kOI..R....c.1.L..k.x.6..e..k"..D...y...~..t....z.9m..Ny..%-..g........u. ||..!..e.....r+.k.[.....s..~...PK........."EWS..............Files/AIXACVYBSB.xlsx..Gn@1.D..r(.......$?.K..oF..~zj#6Ua....OSu..I.b.i.j...._".....5z]E...n..K...v...D8..<QHcl.r1...jJ..,2~xG..F.J..z..l...:..N8..b..66D... ....Wd.Z...x.eW.{.-...e....\&.|.$l$...}q.<.N..!=.s:W......J.......p.G..]......;$...NPN....\"..2....@.*VJ.

                          C:\Users\user\AppData\Local\Temp\~DF567D41D4C00B0A5A.TMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:Composite Document File V2 Document, Cannot read section info
                          Category:dropped
                          Size (bytes):16384
                          Entropy (8bit):0.7157885920629714
                          Encrypted:false
                          SSDEEP:12:rl3lKFQCb77G7yE4XVBFqXtLoKwPiHqb:rVeFo8KwPiH
                          MD5:9F004DFD0A12A867610BE1F7A66EEF2C
                          SHA1:115089AD537AEB6026740B0AA40E112E510E446E
                          SHA-256:DC31C9B9D4067BEAAB624951122B9ED423AAF0C084299F4E9A420CDBE0ADEE86
                          SHA-512:E01C3BA1CBBB346AC49D1C408714592C6BE5288392F7F9EA42BC64FFCDB82612CFF19DD18AFF21123805400D55ADE403FACC9D85341E7989B3F18A9C76FC0897
                          Malicious:false
                          Reputation:low
                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:Zip archive data (empty)
                          Category:dropped
                          Size (bytes):24
                          Entropy (8bit):1.4575187496394222
                          Encrypted:false
                          SSDEEP:3:pjt/lC:NtU
                          MD5:98A833E15D18697E8E56CDAFB0642647
                          SHA1:E5F94D969899646A3D4635F28A7CD9DD69705887
                          SHA-256:FF006C86B5EC033FE3CAFD759BF75BE00E50C375C75157E99C0C5D39C96A2A6C
                          SHA-512:C6F9A09D9707B770DBC10D47C4D9B949F4EBF5F030B5EF8C511B635C32D418AD25D72EEE5D7ED02A96AEB8BF2C85491CA1AA0E4336D242793C886ED1BCDD910B
                          Malicious:false
                          Reputation:moderate, very likely benign file
                          Preview:PK......................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip~RF4c0adb.TMP (copy)

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:Zip archive data (empty)
                          Category:dropped
                          Size (bytes):24
                          Entropy (8bit):1.4575187496394222
                          Encrypted:false
                          SSDEEP:3:pjt/lC:NtU
                          MD5:98A833E15D18697E8E56CDAFB0642647
                          SHA1:E5F94D969899646A3D4635F28A7CD9DD69705887
                          SHA-256:FF006C86B5EC033FE3CAFD759BF75BE00E50C375C75157E99C0C5D39C96A2A6C
                          SHA-512:C6F9A09D9707B770DBC10D47C4D9B949F4EBF5F030B5EF8C511B635C32D418AD25D72EEE5D7ED02A96AEB8BF2C85491CA1AA0E4336D242793C886ED1BCDD910B
                          Malicious:false
                          Preview:PK......................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\AIXACVYBSB.docx

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                          Category:dropped
                          Size (bytes):1026
                          Entropy (8bit):4.690067217069288
                          Encrypted:false
                          SSDEEP:12:wSQanHEC73FqjThUbJwuUn5qPyd2whRZfZOaH5KrqXzJI/y5bjbVMmRYAPL8fx7T:wHu73FWhUNwzqq2OfX82JdHRNPLcxdl
                          MD5:4E32787C3D6F915D3CB360878174E142
                          SHA1:57FF84FAEDF66015F2D79E1BE72A29D7B5643F47
                          SHA-256:2BCD2A46D2DCED38DE96701E6D3477D8C9F4456FFAE5135C0605C8434BA60269
                          SHA-512:CEC75D7CCFA70705732826C202D144A8AC913E7FCFE0D9B54F6A0D1EEC3253B6DEFFB91E551586DA15F56BA4DE8030AC23EE28B16BB80D1C5F1CB6BECF9C21BE
                          Malicious:false
                          Preview:AIXACVYBSBCZDJMZUDVNECMFSGJSAOAIXCJFDPHQJVUANUFFPQXVYJRUGYPJGKEJNXCBTXARAETAKFTJKVLIZEXLMOAPVEZRZZUIRDUKSPZRBPINNEKLCLXBHFZMBRJTUJZTRCGQGFRQCEVPUBAAPBHBTYYHDJZHHPMFAKXVJPQRQCRUFYPMNUCRRQOYXYEHXQEHWHFLZSBMLRRZFLLYUQLADTKEDXVDLKLPZTTCNAXMXPSTCHQKWMSRPNRZGULFHOTUOYUSIVJEHUYPRYGESSFFMBWDPFRMTVBZEHTJSPRMDJISAZPMEWNGPGIXXTDNHCOBSXAWEFWRZNECKZGORELWMEPSAPLSTZZPUKXURSKTFSUSFEZMXMAIMRJZNGCVKLOHPVMZEIXIISXVMQHQTSADYWZQSWYVJHHONOOSZPQVWIUFMVXBXYCJOMERCQSVXERFAOOENLKARQGTECAIXOXEZPFDFJHYFCKLADMCWYOMCITRHMECVVVNPNTSRXYGYRKZUTOFNBMHDZWYHPYLTWEIGWOIGBTHWYGIXBCUDYMZMTZNYQMZLMXKPNFZDUEXXQLFJZZZVOPBEZKTKTJCTNUPRCNNGCPTIHKPTGBJLGUENNUGTZVMZJGQGUVBRLOJZECBLINEKGSIRFWZPWMVYJNEPWGYIAHKMJRBZMRVIBPONMHBDQZYFBHDDMYBZZAFEPAQFFUPIGGYNSPVXUWNNCWAUZXAGCATPNHNNYICDCRMTKRODUCDDFZKHLISLVOIFZPDTOSIEREFHYEWUBJKJRWXMZUGCPUXCPEXUQPWTSKEYSDPEICDQMMKUKJLDNQEHQQCYKRMWOUSJVTVSZJTFZCDVNUMEIZFWDNWCNCSCHBYNKRUSXPVMRIHGXDUPKXMZUIELSRXMZAEUNCCYZTEYLUYYRNSFUTHFESJOLGKJVGGNVJKSFSETAIHYOMLBOPRYAHSCATJUXNTWVZPEMECBVVHKHDELQRTQBEBXPJJ

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\AIXACVYBSB.xlsx

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                          Category:dropped
                          Size (bytes):1026
                          Entropy (8bit):4.690067217069288
                          Encrypted:false
                          SSDEEP:12:wSQanHEC73FqjThUbJwuUn5qPyd2whRZfZOaH5KrqXzJI/y5bjbVMmRYAPL8fx7T:wHu73FWhUNwzqq2OfX82JdHRNPLcxdl
                          MD5:4E32787C3D6F915D3CB360878174E142
                          SHA1:57FF84FAEDF66015F2D79E1BE72A29D7B5643F47
                          SHA-256:2BCD2A46D2DCED38DE96701E6D3477D8C9F4456FFAE5135C0605C8434BA60269
                          SHA-512:CEC75D7CCFA70705732826C202D144A8AC913E7FCFE0D9B54F6A0D1EEC3253B6DEFFB91E551586DA15F56BA4DE8030AC23EE28B16BB80D1C5F1CB6BECF9C21BE
                          Malicious:false
                          Preview:AIXACVYBSBCZDJMZUDVNECMFSGJSAOAIXCJFDPHQJVUANUFFPQXVYJRUGYPJGKEJNXCBTXARAETAKFTJKVLIZEXLMOAPVEZRZZUIRDUKSPZRBPINNEKLCLXBHFZMBRJTUJZTRCGQGFRQCEVPUBAAPBHBTYYHDJZHHPMFAKXVJPQRQCRUFYPMNUCRRQOYXYEHXQEHWHFLZSBMLRRZFLLYUQLADTKEDXVDLKLPZTTCNAXMXPSTCHQKWMSRPNRZGULFHOTUOYUSIVJEHUYPRYGESSFFMBWDPFRMTVBZEHTJSPRMDJISAZPMEWNGPGIXXTDNHCOBSXAWEFWRZNECKZGORELWMEPSAPLSTZZPUKXURSKTFSUSFEZMXMAIMRJZNGCVKLOHPVMZEIXIISXVMQHQTSADYWZQSWYVJHHONOOSZPQVWIUFMVXBXYCJOMERCQSVXERFAOOENLKARQGTECAIXOXEZPFDFJHYFCKLADMCWYOMCITRHMECVVVNPNTSRXYGYRKZUTOFNBMHDZWYHPYLTWEIGWOIGBTHWYGIXBCUDYMZMTZNYQMZLMXKPNFZDUEXXQLFJZZZVOPBEZKTKTJCTNUPRCNNGCPTIHKPTGBJLGUENNUGTZVMZJGQGUVBRLOJZECBLINEKGSIRFWZPWMVYJNEPWGYIAHKMJRBZMRVIBPONMHBDQZYFBHDDMYBZZAFEPAQFFUPIGGYNSPVXUWNNCWAUZXAGCATPNHNNYICDCRMTKRODUCDDFZKHLISLVOIFZPDTOSIEREFHYEWUBJKJRWXMZUGCPUXCPEXUQPWTSKEYSDPEICDQMMKUKJLDNQEHQQCYKRMWOUSJVTVSZJTFZCDVNUMEIZFWDNWCNCSCHBYNKRUSXPVMRIHGXDUPKXMZUIELSRXMZAEUNCCYZTEYLUYYRNSFUTHFESJOLGKJVGGNVJKSFSETAIHYOMLBOPRYAHSCATJUXNTWVZPEMECBVVHKHDELQRTQBEBXPJJ

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BWDRWEEARI.pdf

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                          Category:dropped
                          Size (bytes):1026
                          Entropy (8bit):4.6921626779758165
                          Encrypted:false
                          SSDEEP:24:Ke7tAQxgl1jHMfrVZzUiHJpDZBZWUs0/0Mocs22ucxEhm:KOvxg7EpNTXZ0gs2+Wg
                          MD5:AB632FDEF472FE74FBB4E24FB5BA55CA
                          SHA1:28B6022CB24CC70D380876166272B312391413E4
                          SHA-256:4F1DE1A8A1A980599333DBEAEBA74C1B183842E42DEC0C3CE0EF57C471D0640D
                          SHA-512:B906BF2EC107A6A7ED2D0E5D0C8AD844F14B08CCEB7D9EC6EBD69A6BE37052A4FE295BF148A170F32780F902ED9468B12C115E488BB80C779067C91F9CAAF735
                          Malicious:false
                          Preview:BWDRWEEARIVCAXDZYFZKKDZROVEXHIWVCMTFOCQTVXZEXPMOUARELJDXJXCSHTPHYDFAQSKPCJXAVNOOSWGLMRRJSEIGOIXHRGVNUUPUMWIYZGMJEYRRCAEYIYIDAZFYDJJMSWJJVLHBGNHHQIAICZQWEBEGEFKVSBUZIDESVOAVZKKPVMUNNYYOCDVZVNLFVJIYNRQXCAYRLGKIDRJAHLNPQBHYCZTYTLUIERFSWFSAYSSBLMPPSQZAAYPORMHIGXFSVODXBYKSZDWLFIRXNFDVQZSZAWNVKBAOCVRUXWIGFEUANFJJZSUQWRBLHJRBTXYOWCBVEFELCWSYYNHPPIXZOEZBTJVVIJEEHIHGWHUPAAZVTZPXEFMEGBQIWJWERRCGRHDYFFLPODCMVBYCRJHEAPKMQTFBKHRVJIWMBUYWFJSKFKBIVGOEKQTPROWJLDILUCYKNSTOPVZEDOYJHFLFDPWAUBFZORWQNODGYAWRTUSFEFIGEXIWYKDNDXZDAITREIZQNGYJLFGAGEYCOTPSHBIHWNMFVBCPAMWVYKIETNGJXRDUTNEVIVXRZAFTNVOADQYFYDMVXJJENNFAZREEJMMAYLCEIOWNXYQQFQBZUDPOAUDJBTIBXIGLQAUADYGSNLFRPBKBPUUZAVBCBZQUROXOPVYHESORLOJFJWEPRXXGVEVNCAEAGPJZDVRSZRNGHPIXJOXXAOZXSKDCSULRFDCPIFAQWNFHMISELJLXJJEZJQFDAXWIIRQOXDDHVECMAOEMQPELDGEIMTWWPRGTZDPGWXXOMDIRFDLZTRSEWXFNUJGTQKFTJYBFZUIMRVUOYAYPMBHCLRBXRSFZXSFZBBCYPRSAKSKZYEIJUZVUGSEAREJOCEEMMPDKFUGGTJSKSZQXAPJJKVYYKBUNLSSHRUSLHBDFTWNYOCCWYVNQHNEHCHGINQIOTMAKGKPQWFFVYXKIIOJONVWAUPKQZAJUMMQGLLGAWEMDCPCF

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\DTBZGIOOSO.docx

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                          Category:dropped
                          Size (bytes):1026
                          Entropy (8bit):4.705615236042988
                          Encrypted:false
                          SSDEEP:24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
                          MD5:159C7BA9D193731A3AAE589183A63B3F
                          SHA1:81FDFC9C96C5B4F9C7730127B166B778092F114A
                          SHA-256:1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
                          SHA-512:2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
                          Malicious:false
                          Preview:DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\DTBZGIOOSO.pdf

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                          Category:dropped
                          Size (bytes):1026
                          Entropy (8bit):4.705615236042988
                          Encrypted:false
                          SSDEEP:24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
                          MD5:159C7BA9D193731A3AAE589183A63B3F
                          SHA1:81FDFC9C96C5B4F9C7730127B166B778092F114A
                          SHA-256:1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
                          SHA-512:2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
                          Malicious:false
                          Preview:DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\HTAGVDFUIE.docx

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                          Category:dropped
                          Size (bytes):1026
                          Entropy (8bit):4.692693183518806
                          Encrypted:false
                          SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
                          MD5:78F042E25B7FAF970F75DFAA81955268
                          SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
                          SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
                          SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
                          Malicious:false
                          Preview:HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\HTAGVDFUIE.pdf

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                          Category:dropped
                          Size (bytes):1026
                          Entropy (8bit):4.692693183518806
                          Encrypted:false
                          SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
                          MD5:78F042E25B7FAF970F75DFAA81955268
                          SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
                          SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
                          SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
                          Malicious:false
                          Preview:HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\KLIZUSIQEN.pdf

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                          Category:dropped
                          Size (bytes):1026
                          Entropy (8bit):4.696703751818505
                          Encrypted:false
                          SSDEEP:24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
                          MD5:19255ED5D4F37A096C105CEF82D0F5C0
                          SHA1:96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
                          SHA-256:A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
                          SHA-512:CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
                          Malicious:false
                          Preview:KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\KLIZUSIQEN.xlsx

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                          Category:dropped
                          Size (bytes):1026
                          Entropy (8bit):4.696703751818505
                          Encrypted:false
                          SSDEEP:24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
                          MD5:19255ED5D4F37A096C105CEF82D0F5C0
                          SHA1:96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
                          SHA-256:A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
                          SHA-512:CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
                          Malicious:false
                          Preview:KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NHPKIZUUSG.docx

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                          Category:dropped
                          Size (bytes):1026
                          Entropy (8bit):4.70435191336402
                          Encrypted:false
                          SSDEEP:24:q83Oua2II99Dm5Xcf7kmp5fFjUTZF/+akoYY9fBpCtJ6Wi5v:7OD2ISi5Xcz9l8RkcFCJ6Wix
                          MD5:8C1F71001ABC7FCE68B3F15299553CE7
                          SHA1:382285FB69081EB79C936BC4E1BFFC9D4697D881
                          SHA-256:DCC1D5A624022EFCE4D4A919041C499622A1213FD62B848C36E6252EE29B5CAE
                          SHA-512:8F2124445F7856BFFBB3E7067135CFA70BFB657F8CEAEE89312CF15CFA127CACF28C2F1F9CD1CC64E56A8D8C248E237F2E97F968D244C457AD95D0AD5144E2A7
                          Malicious:false
                          Preview:NHPKIZUUSGERQSLBGSEAVXGNDWXNHRIMGKQZIYGMNAKLDSDLMZTSHWNQSMRLTOXKIQVZWPTPMYGCCCTOQMOFGPYVVCCUDORIXMMXDHKCETULBHLJENABEIJPTFOHFPIUUSFPUHSBHENDANFMOYZRZAXYVFEZIKDKUEVZAWEFKRTUJZPFUDMEZZQVBGYMMIHKEBYJMJMTTXSDTDQAUATXLABLBEJUBBPSXZPXMHVNHOHYPKCYLDVGJSBPEXWGYVPHWPWLYJIOFFNQHAOBSRORLXUKIHEETKPFDPHQAGTKOMEWPBYGMTXHOQFINPIQARIVGCFUFIETTFUMCUDHRHCSTIZWRDJEHWOLAFOSWAVIGSWONBSKFWHCQAGHLWBKAFUQUULJRVZNUGGVOCCVTTWZEZFPJKZDJMHDYXQKDPLRECPAAEZVBXFDGZJIUGNMOEAISGBSPVTDRADHODLAXUFWZVTJPIGKERLENNAJHHHNNAPBWXCOGJSNVQJJEEPSMESQKGYOHXVMZQNSMSJHQHSGCJZCBZJXMLGNQQKZRIQSQCAWXZFCRMGMMLKHZDWNQTXPTYWGWNQQEQWEZJPQVPOASQIIJYWPUVLHFSLMGHWITYEKRNYGXYTAJZSRGYUWTMRNOICIEPMAYUOIDDOUSYSPAILYQQLYDTBOTEDGSCNXDRRQMOBWCQMDCQXTPEXDKPLVRMFZSKERSAULAYLSOJGDMFTZECKZYYLQVVDOMXISCOBUPPSAYUFOWOCBDJALHRAXDIKEMRYGQMEYTENAHXKWSVJEDEJTIUWZDHLIBKQRVMQLSAYIIOZDWWOLHCJUVJVRYJLTIENWCTYDOSJVSFUHOQPOXCMFGTAWFRCZJNYBCRPUFRUMZIBQDOVOBMFCHMMFHSSJZDCZNMWNCNSQMZWHCOEYNCAFONSABBQCKAPFWJIGKNUCUJZWUKRWIOFVWQWFSYAHDWXEMJKFZYMRVIRAMPVKBXONBJFTXIBDAYIE

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NIKHQAIQAU.docx

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                          Category:dropped
                          Size (bytes):1026
                          Entropy (8bit):4.690394987545919
                          Encrypted:false
                          SSDEEP:24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
                          MD5:CA901F8E74EB7955CF06A00BD424C0C2
                          SHA1:0876F92A018E8AB57F666FBB048B1CD028607A38
                          SHA-256:6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
                          SHA-512:7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
                          Malicious:false
                          Preview:NIKHQAIQAUYLAGKSNVEIEFIHRXSBOKMMEGWDWAKSEZEDBXXYJJOUSSENRJICLDBYWKJEUKRIBTNODZEVLZHOZSPIROLEDDZIVDLRTCVHZIXTARRYNQXDSJTZFOOYHUCROZUVPHMDRIWZWYNOATHQMKGZMPPIBYIAXUSGLYFPQTHUARHNEBTECYTUUCXJOESOPPKVXGBHXGPHIYJEJAYBFOVPMDVWEZNFBQJKZAWGCIWNFBSDPSSBBQTNYDJVQTTPUWPOOTVYKITOESDZWHOTFCZIQUYASDBGWAPMXAFIGQFPGWTRNBMHCXAZNMKIOSHYBMTSDERCDBFQSLEBTIGMCRUGZJZQAMYIFXIHLBUBWXCKIQTVQNMYMUYZWTTRQAVEAQFTTDTEFYTIXVPFUZALHHYLJHLNOFTPHODDWSFLBPCVKNDNFYPRHRVBHZSKKAJYBRTRWEHCIAZYAWYXGIRJSURFADGDZBTKMLEAYICWBYEAKNBIIDMQKZIXOLIQHETRIJJOSQDVZXKTZOMXOXGKIEJJNUHMCNVBNTYVETDBZHKYQLQYJBSUUNGMIURLIIINJAVXYNHTVSYTVBSAGNGQGUYADHTCDXNDKQFKCMHFRLWQZMSHDZEBEGPOSOPFUUHIVYBVXTLHFYHMHALQHNIUKMTKRBYZDOEALSNTXJRYMEETOQRISFEOVJSBVNMZFHXIDWOPIZKHISVTXVHAUPHEUOQLFVPNKREKEFDTLOWUVDKPDDCBKKSSGLLJSGVCAKVVFFKUKYVELNQTKZZRSDNEKDHUGDQWFBGFQMTINSXDOXPQOPZWHRDBBIZNGWLXSHCGVIBTIQEUTFYRIYKHRANDXVFREQPDFPRAKAFCQSRGTEIQGEAVDTJRESPBHYVTTLHWYQSKOZIBJZRSUJETZFCGMBHNYUSWWAENDXQUJFMLWZXGNLDFLSRZJBBJCPWKHFZXEVBDCLKULDSDXUFVEWFBMUMFQQONCJFFBARKNAVJ

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NIKHQAIQAU.xlsx

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                          Category:dropped
                          Size (bytes):1026
                          Entropy (8bit):4.690394987545919
                          Encrypted:false
                          SSDEEP:24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
                          MD5:CA901F8E74EB7955CF06A00BD424C0C2
                          SHA1:0876F92A018E8AB57F666FBB048B1CD028607A38
                          SHA-256:6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
                          SHA-512:7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
                          Malicious:false
                          Preview:NIKHQAIQAUYLAGKSNVEIEFIHRXSBOKMMEGWDWAKSEZEDBXXYJJOUSSENRJICLDBYWKJEUKRIBTNODZEVLZHOZSPIROLEDDZIVDLRTCVHZIXTARRYNQXDSJTZFOOYHUCROZUVPHMDRIWZWYNOATHQMKGZMPPIBYIAXUSGLYFPQTHUARHNEBTECYTUUCXJOESOPPKVXGBHXGPHIYJEJAYBFOVPMDVWEZNFBQJKZAWGCIWNFBSDPSSBBQTNYDJVQTTPUWPOOTVYKITOESDZWHOTFCZIQUYASDBGWAPMXAFIGQFPGWTRNBMHCXAZNMKIOSHYBMTSDERCDBFQSLEBTIGMCRUGZJZQAMYIFXIHLBUBWXCKIQTVQNMYMUYZWTTRQAVEAQFTTDTEFYTIXVPFUZALHHYLJHLNOFTPHODDWSFLBPCVKNDNFYPRHRVBHZSKKAJYBRTRWEHCIAZYAWYXGIRJSURFADGDZBTKMLEAYICWBYEAKNBIIDMQKZIXOLIQHETRIJJOSQDVZXKTZOMXOXGKIEJJNUHMCNVBNTYVETDBZHKYQLQYJBSUUNGMIURLIIINJAVXYNHTVSYTVBSAGNGQGUYADHTCDXNDKQFKCMHFRLWQZMSHDZEBEGPOSOPFUUHIVYBVXTLHFYHMHALQHNIUKMTKRBYZDOEALSNTXJRYMEETOQRISFEOVJSBVNMZFHXIDWOPIZKHISVTXVHAUPHEUOQLFVPNKREKEFDTLOWUVDKPDDCBKKSSGLLJSGVCAKVVFFKUKYVELNQTKZZRSDNEKDHUGDQWFBGFQMTINSXDOXPQOPZWHRDBBIZNGWLXSHCGVIBTIQEUTFYRIYKHRANDXVFREQPDFPRAKAFCQSRGTEIQGEAVDTJRESPBHYVTTLHWYQSKOZIBJZRSUJETZFCGMBHNYUSWWAENDXQUJFMLWZXGNLDFLSRZJBBJCPWKHFZXEVBDCLKULDSDXUFVEWFBMUMFQQONCJFFBARKNAVJ

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.xlsx

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                          Category:dropped
                          Size (bytes):1026
                          Entropy (8bit):4.702247102869977
                          Encrypted:false
                          SSDEEP:24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
                          MD5:B734D7226D90E4FD8228EE89C7DD26DA
                          SHA1:EDA7F371036A56A0DE687FF97B01F355C5060846
                          SHA-256:ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
                          SHA-512:D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
                          Malicious:false
                          Preview:QCFWYSKMHARLAFTMDAYCDPDNVLLXYAHYJQVDDKWMWZXTODMVQHOWYAKZGPKJEHLDEADLWAOYFHCRBONQYOLNJKXLXXPSVNNBUMGSSHSRYIKKLNWBJSSZQFZBFWIPYYALBWYXPUCHCBPPPRVICZHAAXDBSBDAFSJSLRPZCKMILDLKTZJTTJWTRDUXPIOSWYRPJKVLJAGHSGEPPERRAQLAJLIRGZPORRNBHIKYMYWHJJKNXIQOPDJPXFLFPWXDCSZYFDTACTIFVHTTSPLEYMJQGMJBZKBTPKCSRPHSAJZDKKKDYFDICXMYAQSFGBCKRXTFXXUYCXPOOHXIGGOZQXUOJXGUHUEOJLEOQQRFQRNQSWAOWAWOUVFMKBPTZVBCGRCYEHPXUWCDBHICKJYVGTNPPMEWNTSWYZNREIVBOXSICNBJXTOOMRYUPEHBVWMTIZHWLGFFTIUYFBQKZOWLOZMSGJFBUHXKMGISFGKCABOUUUQJAUODQPPYPQJGLZVADLCCGHPBEUWSDDXYCCQVTRQWCEJDTNAGHKGJTRWVAQBQJBUQWMJRXXASIQFFIUCPKMEXTJTVBDCBEYZDLKHCHQXMUBNRVRITBTYGULZYWAXVJAXNQEPONBFIAUWZCXQYHHPHZWKKUTNXAQELCSUFKXKKQLLKNVNOREOWTEVCFHSUGPNRMAPAFPTHPGPAJPOCFBZXTIYQYUSEJFOUEZDUJSRXDHTOZAMMNCCIXWLXFQZALVARMPTDBNFJAJUMFQAHUJVWMEIDRIMZQXYHMCNBVLONHTHCXFAKSQBBXFBBFYSTIWNRKGOIHMIHZKIQSYCSFIRGLYFATERWSKAZLTFNMKHFVBLMXNERMNYZHBEYHNFPIPCGHZZMBNNYITUETKSXMZHNSGROLAGIITATFDCBZCBLYQHHYFPBDWGCTQNYPHDHFBNVEJJDIVMSPKDXKQBUNSMLJDVGOKQUEVKEVEUUSGEQJDKGYLPIDXNBIPBAJRUU

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\UOOJJOZIRH.docx

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                          Category:dropped
                          Size (bytes):1026
                          Entropy (8bit):4.694311754777018
                          Encrypted:false
                          SSDEEP:24:A8RGU2wNw6pbc5fP6UBtRzjn+4sNp3GYuf5/4dImDNR4+R00JOGJP89a:Aw4w9h+fiUBtJj+44pc3mDL4+R0MVJ/
                          MD5:61908250A5348CC047FF15260F730C2B
                          SHA1:CBCF34156EAE25B328A926E21008598EE8D1CBDE
                          SHA-256:8700BF8369D39FD5DF142F9482CE8860BD8A26A3304EFBC57CBF9E45782C7A3A
                          SHA-512:BCAB9A36BF1111B05BC52D8921CAC19ABC0FA18D93EA4EB9866DF4B31624FFCA2FF55A09C5051DC2AECAB18828BA8FDA5F31FA0F1E1B7CDC51DF39041E2A82F3
                          Malicious:false
                          Preview:UOOJJOZIRHPVBWNJCWUSWUNTMYTRIXAVHMVNTYLIPCAYUDIDHLMFMKJROINQAVRXUZLNINNJJSHFEFPSZPLVVWBUDRECRECFHEVVEZDHIFPUKQTLDLWAAKNHNLRQDSPWEEVMZICDCINAORJHMIUUNNJHMWJLZHCNXQIZIPHJPLEDKWATEVYJSWRRMCEJGQXHFBOGXKHJFORHFMGMLTTZJKPJBYMKZVWGZAIGHCFNXGRNDDLJZMCZBXDTQVGPSMNLFNFDHXXCXDJJUNSVHDRBZEZFIUQIYSJVDHEFPPPROTSFKVYAURVOKTIKGYYSWJMCPHHISKCOIVXEIQWZICSWMZJVHXNBACFJZRIEQPOISHMZILEXPCMYBSQRASRNWPSMMYPWJFEXHUUJQAMZDZSIKVETWBZUQBTDCCOYIIJFYYHXPZIUCZRQQFYTKLLGWQPTPZJIZHUEFVCDUNPMVORWJRIAYGRRAHBFWKSAMTDEVSHQXJBHBMOINFGNSRFJDWPSMFABPWRZHIOIPNMLHKGNVWQJYVTWLEZDGMBOJLNHPJKWMHWBVAEGELRTQORSRZQBNXOXEHQJHOEQVNZZJSGWQGINLWNPWFSJNPGRBFOBAEJAOEEMVKZTQZEVVODQLWGPNPNOPXEXLEESZERAPVAPHAUNNCEHTNMFJYBTYGSNGBIEDWGUTNCJDESWGYITWPGBEFVMZYUYPQOQBFITFPUQTWZNQFLWVTMUIAOXBCINJDYCHTXVFQFJQSMNUTYABAAOGGEUKHMDYKLCSGIBIFQSYOIRBUYVSCPDGMVNAQBKZPEKHNRNDPIHOUUTPJDKDOACRPOMZOQCOIAOBNPJLJIYDLQLQUMPIRAMVWNBCMMWFDLTUGWRDVGNHOOODYTHAGWDMJKRVJZFYCVLFLQUWEILFSEPBEADHBHFVWZGUZKNXQCRSBRLGIVTWCSHGFTTTPQAKFWFDXDYXWAWDKWXXTMSJSVOBRAYZGGBDPJOGLIZ

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\UOOJJOZIRH.pdf

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                          Category:dropped
                          Size (bytes):1026
                          Entropy (8bit):4.694311754777018
                          Encrypted:false
                          SSDEEP:24:A8RGU2wNw6pbc5fP6UBtRzjn+4sNp3GYuf5/4dImDNR4+R00JOGJP89a:Aw4w9h+fiUBtJj+44pc3mDL4+R0MVJ/
                          MD5:61908250A5348CC047FF15260F730C2B
                          SHA1:CBCF34156EAE25B328A926E21008598EE8D1CBDE
                          SHA-256:8700BF8369D39FD5DF142F9482CE8860BD8A26A3304EFBC57CBF9E45782C7A3A
                          SHA-512:BCAB9A36BF1111B05BC52D8921CAC19ABC0FA18D93EA4EB9866DF4B31624FFCA2FF55A09C5051DC2AECAB18828BA8FDA5F31FA0F1E1B7CDC51DF39041E2A82F3
                          Malicious:false
                          Preview:UOOJJOZIRHPVBWNJCWUSWUNTMYTRIXAVHMVNTYLIPCAYUDIDHLMFMKJROINQAVRXUZLNINNJJSHFEFPSZPLVVWBUDRECRECFHEVVEZDHIFPUKQTLDLWAAKNHNLRQDSPWEEVMZICDCINAORJHMIUUNNJHMWJLZHCNXQIZIPHJPLEDKWATEVYJSWRRMCEJGQXHFBOGXKHJFORHFMGMLTTZJKPJBYMKZVWGZAIGHCFNXGRNDDLJZMCZBXDTQVGPSMNLFNFDHXXCXDJJUNSVHDRBZEZFIUQIYSJVDHEFPPPROTSFKVYAURVOKTIKGYYSWJMCPHHISKCOIVXEIQWZICSWMZJVHXNBACFJZRIEQPOISHMZILEXPCMYBSQRASRNWPSMMYPWJFEXHUUJQAMZDZSIKVETWBZUQBTDCCOYIIJFYYHXPZIUCZRQQFYTKLLGWQPTPZJIZHUEFVCDUNPMVORWJRIAYGRRAHBFWKSAMTDEVSHQXJBHBMOINFGNSRFJDWPSMFABPWRZHIOIPNMLHKGNVWQJYVTWLEZDGMBOJLNHPJKWMHWBVAEGELRTQORSRZQBNXOXEHQJHOEQVNZZJSGWQGINLWNPWFSJNPGRBFOBAEJAOEEMVKZTQZEVVODQLWGPNPNOPXEXLEESZERAPVAPHAUNNCEHTNMFJYBTYGSNGBIEDWGUTNCJDESWGYITWPGBEFVMZYUYPQOQBFITFPUQTWZNQFLWVTMUIAOXBCINJDYCHTXVFQFJQSMNUTYABAAOGGEUKHMDYKLCSGIBIFQSYOIRBUYVSCPDGMVNAQBKZPEKHNRNDPIHOUUTPJDKDOACRPOMZOQCOIAOBNPJLJIYDLQLQUMPIRAMVWNBCMMWFDLTUGWRDVGNHOOODYTHAGWDMJKRVJZFYCVLFLQUWEILFSEPBEADHBHFVWZGUZKNXQCRSBRLGIVTWCSHGFTTTPQAKFWFDXDYXWAWDKWXXTMSJSVOBRAYZGGBDPJOGLIZ

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\VLZDGUKUTZ.pdf

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                          Category:dropped
                          Size (bytes):1026
                          Entropy (8bit):4.701757898321461
                          Encrypted:false
                          SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                          MD5:520219000D5681B63804A2D138617B27
                          SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                          SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                          SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                          Malicious:false
                          Preview:VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\VLZDGUKUTZ.xlsx

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                          Category:dropped
                          Size (bytes):1026
                          Entropy (8bit):4.701757898321461
                          Encrypted:false
                          SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                          MD5:520219000D5681B63804A2D138617B27
                          SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                          SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                          SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                          Malicious:false
                          Preview:VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\XZXHAVGRAG.xlsx

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                          Category:dropped
                          Size (bytes):1026
                          Entropy (8bit):4.69156792375111
                          Encrypted:false
                          SSDEEP:24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
                          MD5:A4E170A8033E4DAE501B5FD3D8AC2B74
                          SHA1:589F92029C10058A7B281AA9F2BBFA8C822B5767
                          SHA-256:E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
                          SHA-512:FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
                          Malicious:false
                          Preview:XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataBHhubaJn.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):396
                          Entropy (8bit):4.381145066164251
                          Encrypted:false
                          SSDEEP:3:tPdRAdpE4v/dRAdpE4v/dRAdpE4v/dRAdpE4v/dRAdpE4v/dRAdpE4v/dQWE4v/1:tCWWWWWmWmWmWmWmWmWx
                          MD5:2A318A50570C3E8357ACB6984AF06035
                          SHA1:B4E5569B86DC11FF8980F30AD78ECF298340CF2F
                          SHA-256:9B4F3C83CB84F0150433A90DD7653973C63CCAD2C1B242D6ED6F73BB0627445A
                          SHA-512:6A561A59DBC80257C4AF0623578756C44A864A4DE95246E22F2C2B6E7411F51189F4FBA84500FBFD14AB797A2D497BB95EBE7C92788869CBB374955E6E9CEE29
                          Malicious:false
                          Preview:..[08:26:44]<<Program Manager>>....[08:26:44]<<Program Manager>>....[08:26:44]<<Program Manager>>....[08:26:44]<<Program Manager>>....[08:26:44]<<Program Manager>>....[08:26:44]<<Program Manager>>....[08:26:45]<<Program Manager>>....[08:26:45]<<Program Manager>>....[08:26:45]<<Program Manager>>....[08:26:45]<<Program Manager>>....[08:26:45]<<Program Manager>>....[08:26:45]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataBNywPWgi.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.366803100914466
                          Encrypted:false
                          SSDEEP:3:tPdT4nfE4v/dT4nfE4v/dT4nfE4v/dT4nfE4v/dT4nfE4v/dT4nfE4v/dT4nfE4W:t2fifififififififkUNkUNkUNx
                          MD5:742627C5AD7CF7045E0BCF014C1FF819
                          SHA1:A6CE073C9D5C4F0798AE0EC9891BBC52E9382BB2
                          SHA-256:CAB79E53BC9594ECDFA560D8FE7DD4FF2C011F1BAB87F7CB61CCF7563A9768C7
                          SHA-512:2B9A7E592416484578DE55A545E7558CB4F5347BD134D0C038979A20536B4A8AFCFDEA70955340F58D1B839A2585F355C84BD728A3B6D9371C12EE19B23F73B0
                          Malicious:false
                          Preview:..[08:26:46]<<Program Manager>>....[08:26:46]<<Program Manager>>....[08:26:46]<<Program Manager>>....[08:26:46]<<Program Manager>>....[08:26:46]<<Program Manager>>....[08:26:46]<<Program Manager>>....[08:26:46]<<Program Manager>>....[08:26:46]<<Program Manager>>....[08:26:47]<<Program Manager>>....[08:26:47]<<Program Manager>>....[08:26:47]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataDMjonxKW.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.358362839880336
                          Encrypted:false
                          SSDEEP:3:tPkAdpE4v/lUNE4v/lUNE4v/lUNE4v/lUNE4v/lUNE4v/lUNE4v/QZjKUE4v/QZh:tsW444444UZNUZNUZNUZNx
                          MD5:1DC761392F5D4438B3A743FA8B972484
                          SHA1:CD78362A3D5DE666DF2E85ACB6BDCAB5B02C84EE
                          SHA-256:6C7E627AB727BB04F308DAA685D56120AB9B1638C0CA1FA803A4D992723E47E4
                          SHA-512:BD034492B5B5A6505AA744890737B78FD4E49507DDDA5DD56E38AA9E5D92ECD82F67DF221FFAE9CD47FBDA010C769C0DDABD1C6FB255877D5140B401B26C0743
                          Malicious:false
                          Preview:..[08:27:08]<<Program Manager>>....[08:27:09]<<Program Manager>>....[08:27:09]<<Program Manager>>....[08:27:09]<<Program Manager>>....[08:27:09]<<Program Manager>>....[08:27:09]<<Program Manager>>....[08:27:09]<<Program Manager>>....[08:27:10]<<Program Manager>>....[08:27:10]<<Program Manager>>....[08:27:10]<<Program Manager>>....[08:27:10]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataFqlKxCsi.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.358612876010456
                          Encrypted:false
                          SSDEEP:6:tKAfmAfESfESfESfESfESfESfESfEVEVx:tznpfpfpfpfpfpfpf00x
                          MD5:700441FC3B5C3F68CCC2497CBF9C60BD
                          SHA1:07DBFA273BDDD3A99E54C68FFB6069D7E752C6DB
                          SHA-256:6DE146B95A2BED01934E4DC974F8DD2544F35E0975A9A883847908951E2D68ED
                          SHA-512:43D7CB39B2BD0EA83C23B4B20C07481AA4AF11A26FA4B7AAE41582FB7982ABC9FFE8316AB3A689F9721BA603D013A60714D85BDEDB8CEE7D3295F71D7AF438DB
                          Malicious:false
                          Preview:..[08:26:09]<<Program Manager>>....[08:26:09]<<Program Manager>>....[08:26:10]<<Program Manager>>....[08:26:10]<<Program Manager>>....[08:26:10]<<Program Manager>>....[08:26:10]<<Program Manager>>....[08:26:10]<<Program Manager>>....[08:26:10]<<Program Manager>>....[08:26:10]<<Program Manager>>....[08:26:11]<<Program Manager>>....[08:26:11]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataJvcZurjh.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.351017237349473
                          Encrypted:false
                          SSDEEP:3:tPbd4ZZ1XpE4v/bd4ZZ1XpE4v/bd4ZZ1XpE4v/bc4fE4v/bc4fE4v/bc4fE4v/bL:tuZLZaZLZaZLZ8W8W8W8W8W8WGsGsx
                          MD5:6A524A54CADEECB2E87F5BE12784F034
                          SHA1:07C0BB3A9B6E7FBD0ED505C4A040DA05312FD795
                          SHA-256:23A1C56F9CB98861CA141232B9FE76A23A9A75681083A4385BFA7FDA32BE3EA6
                          SHA-512:26F6CFF56DDAC24B6B3816F21E513B956D0BB9DEE70E49D9B18912D90256C5002F145C22E93AB7C9E5367D494BAADB9538FA10616DCFAB0D38AE667AE37AD491
                          Malicious:false
                          Preview:..[08:26:28]<<Program Manager>>....[08:26:28]<<Program Manager>>....[08:26:28]<<Program Manager>>....[08:26:29]<<Program Manager>>....[08:26:29]<<Program Manager>>....[08:26:29]<<Program Manager>>....[08:26:29]<<Program Manager>>....[08:26:29]<<Program Manager>>....[08:26:29]<<Program Manager>>....[08:26:30]<<Program Manager>>....[08:26:30]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataKSoFzpEb.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.384987116929987
                          Encrypted:false
                          SSDEEP:3:tPcc1XpE4v/cc1XpE4v/ctNE4v/ctNE4v/ctNE4v/ctNE4v/ctNE4v/ctNE4v/cm:tkqAqAbAbAbAbAbAbAUAUAUx
                          MD5:DC017D4BD08ADF7AA97D1050803B7835
                          SHA1:530A0922B687826A4345E34AFF9327459E8DA0CA
                          SHA-256:1B18541E3D2FCBA7AC19962AEA57B44B0B8D5E51FE6E1ED5AEB46B337BE8D181
                          SHA-512:06FE4AF0DA74D337BFEE4E4A99DDA519C68614F3FB4BD38F40D353DC81FE7B7EA7A8A96FD5863578B9A9FE2632D57487AA98428D31DC597CD8364EA2A150E5D7
                          Malicious:false
                          Preview:..[08:26:56]<<Program Manager>>....[08:26:56]<<Program Manager>>....[08:26:57]<<Program Manager>>....[08:26:57]<<Program Manager>>....[08:26:57]<<Program Manager>>....[08:26:57]<<Program Manager>>....[08:26:57]<<Program Manager>>....[08:26:57]<<Program Manager>>....[08:26:58]<<Program Manager>>....[08:26:58]<<Program Manager>>....[08:26:58]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataKVUCBGvk.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.383210085083239
                          Encrypted:false
                          SSDEEP:3:tPch1aUE4v/ch1aUE4v/ch1aUE4v/ch1aUE4v/ch1aUE4v/ch1aUE4v/cGE4v/cq:tkhfAhfAhfAhfAhfAhfAGAGAGAGAGx
                          MD5:8617971D96FAAA35C06A6EAA8CC482CA
                          SHA1:B60C851C197D3DBA08B1AE24387ADC0ABFCD288E
                          SHA-256:0C7C37E9D30BF98B788D1D20A0517CEC0A2519A1FE116DB61FBC0AC660C7FBD7
                          SHA-512:92CC6F36221C69C0043D791666425F3F111F178A80A35B67BA5D1DBBBAE2680C643F2B2987BEA75D39EA74AA4D59FA7A32172DCA071E4CC81E1EC2EAD5234AB8
                          Malicious:false
                          Preview:..[08:26:51]<<Program Manager>>....[08:26:51]<<Program Manager>>....[08:26:51]<<Program Manager>>....[08:26:51]<<Program Manager>>....[08:26:51]<<Program Manager>>....[08:26:51]<<Program Manager>>....[08:26:52]<<Program Manager>>....[08:26:52]<<Program Manager>>....[08:26:52]<<Program Manager>>....[08:26:52]<<Program Manager>>....[08:26:52]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataOPTPjuPV.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):396
                          Entropy (8bit):4.359284695496803
                          Encrypted:false
                          SSDEEP:6:tedpSdpSdpSdpSdpGQZGQZGQZGQZGQZGQZgfx:tefSfSfSfSfGWGWGWGWGWGW2x
                          MD5:6DE57457EF9F02BB44F6C638DAB964BD
                          SHA1:4AAEDB6DB2F76EA0234397BD69325C7186649412
                          SHA-256:8A6758BF554507E2EF4291ED37435F2015E8FD3573D7AB6283D108431A94EFDD
                          SHA-512:C495DE4A5EE4C51FB7E1A3C647D23775E297F1B3BF997DCB7A663131B5E0FC564CF7D81AF5F45720B1907A8F7D1DC3C441BD3F8FE9577C5DEBB4F7C654818865
                          Malicious:false
                          Preview:..[08:27:05]<<Program Manager>>....[08:27:05]<<Program Manager>>....[08:27:05]<<Program Manager>>....[08:27:05]<<Program Manager>>....[08:27:05]<<Program Manager>>....[08:27:06]<<Program Manager>>....[08:27:06]<<Program Manager>>....[08:27:06]<<Program Manager>>....[08:27:06]<<Program Manager>>....[08:27:06]<<Program Manager>>....[08:27:06]<<Program Manager>>....[08:27:07]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataPFWgDmvC.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.375472797735653
                          Encrypted:false
                          SSDEEP:6:tQXp0XpEQZEQZEQZEQZEQZEQZSdpSdpSdpx:tCpupFFFFFFSfSfSfx
                          MD5:B0E2E7C6390F1785483171B216CD3262
                          SHA1:236AE4CA4242E83961D3A754F8DE09A2944F8783
                          SHA-256:1ECA0D395B52B6E7685FD4E07984D241FB57A87D54F673EE944FD7A953071842
                          SHA-512:BE12E4571099EC293D1EE019F11BEEB89364639DC2B40AD3F18A7F043EC529AF3562D20D413EDE36A8460AF5D04B1AFED502DC31FB99EBE988DA50AFFB39F9EF
                          Malicious:false
                          Preview:..[08:27:03]<<Program Manager>>....[08:27:03]<<Program Manager>>....[08:27:04]<<Program Manager>>....[08:27:04]<<Program Manager>>....[08:27:04]<<Program Manager>>....[08:27:04]<<Program Manager>>....[08:27:04]<<Program Manager>>....[08:27:04]<<Program Manager>>....[08:27:05]<<Program Manager>>....[08:27:05]<<Program Manager>>....[08:27:05]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataPnVjyjxR.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):2673
                          Entropy (8bit):4.4467958506486145
                          Encrypted:false
                          SSDEEP:12:tXcCp7cCp2fJNJNEEEEEEEMWMWMWMWMWMWMWaaaaaaaxpxpxpxpxpxpxpTTTTTTf:tXTRTW7FjjjjjjP
                          MD5:0BC996E5EED3521318A5CBF471EA8B17
                          SHA1:003BEE6A4EDDF97A443D8F7C099AEF226CDF6570
                          SHA-256:95E2F5054A50588D5AD56BF4B2D13E6B76B6C5BD24876BD39D855DFD605B2427
                          SHA-512:6B087CC50918465BB265EBAB17143D852598D4AE086AC95A27418BFC0483A8B2DC3BCB8E6EC58FA258CE45748A2A6384AE1812CA63C243DA48EE5F4DFBB99033
                          Malicious:false
                          Preview:..[08:25:19]<<Program Manager>>....[08:25:19]<<Program Manager>>....[08:25:21]<<Program Manager>>....[08:25:35]<<Program Manager>>....[08:25:35]<<Program Manager>>....[08:25:36]<<Program Manager>>....[08:25:36]<<Program Manager>>....[08:25:36]<<Program Manager>>....[08:25:36]<<Program Manager>>....[08:25:36]<<Program Manager>>....[08:25:36]<<Program Manager>>....[08:25:36]<<Program Manager>>....[08:25:37]<<Program Manager>>....[08:25:37]<<Program Manager>>....[08:25:37]<<Program Manager>>....[08:25:37]<<Program Manager>>....[08:25:37]<<Program Manager>>....[08:25:37]<<Program Manager>>....[08:25:37]<<Program Manager>>....[08:25:38]<<Program Manager>>....[08:25:38]<<Program Manager>>....[08:25:38]<<Program Manager>>....[08:25:38]<<Program Manager>>....[08:25:38]<<Program Manager>>....[08:25:38]<<Program Manager>>....[08:25:38]<<Program Manager>>....[08:25:39]<<Program Manager>>....[08:25:39]<<Program Manager>>....[08:25:39]<<Program Manager>>....[08:25:39]<<Program Manager>>....[08:25:3

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataQrkIZVBY.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.4164989364306395
                          Encrypted:false
                          SSDEEP:6:tkGA/dpA/dpA/dpA/dpA/dpA/dpA/dpAAAAAAx:tf8f8f8f8f8f8f8f111x
                          MD5:D4EC653008B590212F02CE9535533ABD
                          SHA1:6D5FCDE8A05A6AFB80B8BE7D2EC7B52FAB0EB8EC
                          SHA-256:A4AB1394DC292D22E69A6DB2DCAAB54014C0D4DA4C35A0D5C9C1610B5B8E405F
                          SHA-512:3FACFAD6E41104CDE758DAEBE2C5956DABDB46784CA9C5257D321CE811C78704FE322DF365C872B33B6688333E4DFDF524C8F419F389827F704F7CDE876D9D41
                          Malicious:false
                          Preview:..[08:26:52]<<Program Manager>>....[08:26:53]<<Program Manager>>....[08:26:53]<<Program Manager>>....[08:26:53]<<Program Manager>>....[08:26:53]<<Program Manager>>....[08:26:53]<<Program Manager>>....[08:26:53]<<Program Manager>>....[08:26:53]<<Program Manager>>....[08:26:54]<<Program Manager>>....[08:26:54]<<Program Manager>>....[08:26:54]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataQzqISJlV.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.421239128457656
                          Encrypted:false
                          SSDEEP:3:tPcfE4v/cfE4v/cfE4v/cfE4v/cfE4v/cfE4v/cfE4v/zn1ZE4v/zn1ZE4v/zn1X:t0fIfIfIfIfIfIfffffffffx
                          MD5:D18FDFAEF740698CE110965283771E6E
                          SHA1:AA53544CF27D1F134F1F63BCC90ADA7114AD56C1
                          SHA-256:0735ABB588F572395E4E1594A454CDC67F1C5D4E05B7E0567AAE2E6B01083A65
                          SHA-512:8A094A2242DC22B9E93022B0118721C3B1C3E8E4F95D89C10A04CC683E5F2683FEDDC285654B65FA0525CA4E2F8A89B4284B83F8CED1EB17EFAFDD2A03A0CCFB
                          Malicious:false
                          Preview:..[08:27:14]<<Program Manager>>....[08:27:14]<<Program Manager>>....[08:27:14]<<Program Manager>>....[08:27:14]<<Program Manager>>....[08:27:14]<<Program Manager>>....[08:27:14]<<Program Manager>>....[08:27:14]<<Program Manager>>....[08:27:15]<<Program Manager>>....[08:27:15]<<Program Manager>>....[08:27:15]<<Program Manager>>....[08:27:15]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataSfnEZGrO.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.383210085083239
                          Encrypted:false
                          SSDEEP:3:tPUE4v/UE4v/UE4v/UE4v/UE4v/9E4v/9E4v/9E4v/9E4v/9E4v/9E4F:tsgggg555555x
                          MD5:F752C2E55821CC386517ED5F573CF6E0
                          SHA1:F5815DD665A0EB4D1E3FEF25E522C2C4A2CBAB4B
                          SHA-256:1F16D885DC1DBF78EF35878398048C650B2D6EFC728F0B484B869DECD7967194
                          SHA-512:16DAD87921949FD4CE2C405F2077179A8E6257E08107383BADC39CAE9F7160EDB7E1629F220D61F4A13E4E5D21949813115C6FED2EA82C73291793E22F1EA237
                          Malicious:false
                          Preview:..[08:27:12]<<Program Manager>>....[08:27:12]<<Program Manager>>....[08:27:12]<<Program Manager>>....[08:27:12]<<Program Manager>>....[08:27:12]<<Program Manager>>....[08:27:13]<<Program Manager>>....[08:27:13]<<Program Manager>>....[08:27:13]<<Program Manager>>....[08:27:13]<<Program Manager>>....[08:27:13]<<Program Manager>>....[08:27:13]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataTBNWyvUd.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):429
                          Entropy (8bit):4.318603957851097
                          Encrypted:false
                          SSDEEP:3:tPZTQXpE4v/ZTQXpE4v/ZTQXpE4v/ZTQXpE4v/ZTQXpE4v/ZTQXpE4v/ZTQXpE4p:tGZiZiZiZiZiZiZoWoWoWoWoWoWx
                          MD5:81FF47DC36027EBABDAF7B83335494AF
                          SHA1:513C2E47AF43A9F8FB73DB35ED40030F79629262
                          SHA-256:A5C113E1F8F8BAEDC6B6F7FE067FA9F52883CE4A10AF372382E9D4608FC4621A
                          SHA-512:12A4DDF29B30F26624FB757518C6711E46BA60D1124931F1C98192ECBBBF8CF54EC9C5DD84ACECC90A700AC9B1AC6F3F100765861ABFE46FCB1822D0CE8A14DF
                          Malicious:false
                          Preview:..[08:26:06]<<Program Manager>>....[08:26:06]<<Program Manager>>....[08:26:06]<<Program Manager>>....[08:26:06]<<Program Manager>>....[08:26:06]<<Program Manager>>....[08:26:06]<<Program Manager>>....[08:26:06]<<Program Manager>>....[08:26:07]<<Program Manager>>....[08:26:07]<<Program Manager>>....[08:26:07]<<Program Manager>>....[08:26:07]<<Program Manager>>....[08:26:07]<<Program Manager>>....[08:26:07]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataUiEkqQbS.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.362098822605423
                          Encrypted:false
                          SSDEEP:6:tqUjp2Ujp2Ujp2Ujp2Ujp2Ujp+f+f+f+f+fx:tZpVpVpVpVpVpgggggx
                          MD5:9A01D1B8CA6CCEA20ED7DA0F188B9C13
                          SHA1:B715183E3B4242E0E3EEDBC7F25B751564F5189A
                          SHA-256:81B4854AD236E81E0479185CB5D37C276F6300120A6B9DD23A52CFE010DBF046
                          SHA-512:5FC66F023DE8270290DFED74925D226D947B237F48006426E62523C478B6F4F1304C5B5F840876E45B1DB5D168E08CEC94C75811B2AA8197157F0101EB9E48F0
                          Malicious:false
                          Preview:..[08:26:23]<<Program Manager>>....[08:26:23]<<Program Manager>>....[08:26:23]<<Program Manager>>....[08:26:23]<<Program Manager>>....[08:26:23]<<Program Manager>>....[08:26:23]<<Program Manager>>....[08:26:24]<<Program Manager>>....[08:26:24]<<Program Manager>>....[08:26:24]<<Program Manager>>....[08:26:24]<<Program Manager>>....[08:26:24]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataWuOMomOy.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.407168848419861
                          Encrypted:false
                          SSDEEP:3:tPzn1ZE4v/zn1ZE4v/IE4v/IE4v/IE4v/IE4v/IE4v/IE4v/zZ1XpE4v/zZ1XpE4:trfffMMMMMMvZdpvZdpvZdpx
                          MD5:E4E8F4EC529FDB6F760B4572D2B57281
                          SHA1:4D1849CF4CFCE0F1F968F66BB45C74388ECC99CB
                          SHA-256:474E837951ACE70BEEF9F6C901F7FF31FDAC38D8A16FF1F981AA7DBCC6BB52ED
                          SHA-512:684E9FC6ABFA5A3E44EF865F67EF8456050DC9AD2B76597701D0AD55AFFC5FCD3A7394F6B1A7E3DCD1B9590CBD1FDF2D59514114ECC8DB7F1FFE73A0887F9C35
                          Malicious:false
                          Preview:..[08:27:15]<<Program Manager>>....[08:27:15]<<Program Manager>>....[08:27:16]<<Program Manager>>....[08:27:16]<<Program Manager>>....[08:27:16]<<Program Manager>>....[08:27:16]<<Program Manager>>....[08:27:16]<<Program Manager>>....[08:27:16]<<Program Manager>>....[08:27:17]<<Program Manager>>....[08:27:17]<<Program Manager>>....[08:27:17]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataXZhpIbSZ.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.304278802761717
                          Encrypted:false
                          SSDEEP:3:tPsU2UE4v/sU2UE4v/sU2UE4v/sU2UE4v/sU2UE4v/sU2UE4v/tQaUE4v/tQaUEL:tkWAWAWAWAWAWKZKZKZKZKZx
                          MD5:CB116F1350AF905BA63D97AC2B35231E
                          SHA1:F383ED3887F2A8A7BC83996EB3D5FAD109FCB2CF
                          SHA-256:56EFE9A97575A77680A883AD8244F56A97F4D6A9313F615E0C0B8C460767A776
                          SHA-512:BCA7586B6B37FDE09C1363A12C7CE38A7AA9C3536B4FA6612B06D340F98A735FDEDB25D9F514F4C8922515159CD9E9524E5DA0E0C0759D0EBA53799DCA8894EF
                          Malicious:false
                          Preview:..[08:27:00]<<Program Manager>>....[08:27:00]<<Program Manager>>....[08:27:00]<<Program Manager>>....[08:27:00]<<Program Manager>>....[08:27:00]<<Program Manager>>....[08:27:00]<<Program Manager>>....[08:27:01]<<Program Manager>>....[08:27:01]<<Program Manager>>....[08:27:01]<<Program Manager>>....[08:27:01]<<Program Manager>>....[08:27:01]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataXgrVkoqQ.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.374392322683511
                          Encrypted:false
                          SSDEEP:6:tiNfG0fG0fG0fG0fG0fG0fG0fG0fGrdpGrdpx:tiZGqGqGqGqGqGqGqGqGrfGrfx
                          MD5:3B50F1C762F93F22D8238F204D61037F
                          SHA1:D62906878113DEC0DC3DC763813BEAC669D0E125
                          SHA-256:6BAC1FCD493810C0FF06BE97E8A9CEB495B09C75CC2FE9C4FEB49C2091A129D1
                          SHA-512:2CC53E3B45994CED87B54934DD77F51546B8CDDB39621DC9FAF2B67AD93FECC6CAE95A5932573FBAE392F1DEB9389BA59C688B0EFF6D68B911716C313407300B
                          Malicious:false
                          Preview:..[08:26:35]<<Program Manager>>....[08:26:36]<<Program Manager>>....[08:26:36]<<Program Manager>>....[08:26:36]<<Program Manager>>....[08:26:36]<<Program Manager>>....[08:26:36]<<Program Manager>>....[08:26:36]<<Program Manager>>....[08:26:36]<<Program Manager>>....[08:26:36]<<Program Manager>>....[08:26:37]<<Program Manager>>....[08:26:37]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataXoudIfpC.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):396
                          Entropy (8bit):4.278595783291166
                          Encrypted:false
                          SSDEEP:3:tPrUZfE4v/rUZfE4v/rUZfE4v/rUZfE4v/rUZfE4v/rUZfE4v/rUZfE4v/kAdpEs:tsfgfgfgfgfgfgfIWIWIWIWIWx
                          MD5:35AF483BB6644869472CAB1B9FE6F3B8
                          SHA1:551526C491332AD73AE442F09A64E893BA993251
                          SHA-256:640BA21D363312DA1D1517B39DBBBE76662E38834D2C092C5797F6793EAB4B11
                          SHA-512:29690AA7CCD4D0BB5FB7768E8773A8B438E756006989D8683CB5388FBF9CB1157397C81EEAE1B1663CD9AE24EF9D5B81F16BF6DC01256907B3C99C19D6D690FE
                          Malicious:false
                          Preview:..[08:27:07]<<Program Manager>>....[08:27:07]<<Program Manager>>....[08:27:07]<<Program Manager>>....[08:27:07]<<Program Manager>>....[08:27:07]<<Program Manager>>....[08:27:07]<<Program Manager>>....[08:27:07]<<Program Manager>>....[08:27:08]<<Program Manager>>....[08:27:08]<<Program Manager>>....[08:27:08]<<Program Manager>>....[08:27:08]<<Program Manager>>....[08:27:08]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataYdvTFiBM.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):396
                          Entropy (8bit):4.411448096467281
                          Encrypted:false
                          SSDEEP:6:tiTpGTpGTpGTpGTpGTpwLZwLZwLZwLZwLZwLZx:tiTpGTpGTpGTpGTpGTp666666x
                          MD5:D5E12F720F06E31BB93555BF12716C1D
                          SHA1:BA1876443E3D4F6DC9ED25AF21781F9B9ABB40B0
                          SHA-256:A36EDA5AB78D66C00F05DBD4528BB262303ABFAB319FB6D3CA78CA9714A208F8
                          SHA-512:3F0C874563C52EE12BF7CE2480E7F50F3E8DF4FCFDE7BE07EC3B353E4FC2997E490A9E27855B0FE57B0BCBF93C0C2C8BF4F719B38B8518E0705CBFE4B97C27CF
                          Malicious:false
                          Preview:..[08:26:39]<<Program Manager>>....[08:26:39]<<Program Manager>>....[08:26:39]<<Program Manager>>....[08:26:39]<<Program Manager>>....[08:26:39]<<Program Manager>>....[08:26:39]<<Program Manager>>....[08:26:40]<<Program Manager>>....[08:26:40]<<Program Manager>>....[08:26:40]<<Program Manager>>....[08:26:40]<<Program Manager>>....[08:26:40]<<Program Manager>>....[08:26:40]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatabEWlbtnk.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.340662761780532
                          Encrypted:false
                          SSDEEP:6:tKfwUZ1XpwUZ1XpwUZ1XpwUZ1XpwUZ1XpwUZ1XpwUZ1XpANANANx:tkwQZwQZwQZwQZwQZwQZwQZANANANx
                          MD5:4814C2F076C5178F68CCC256F7E371F8
                          SHA1:807CFC03C3E8EE15116629B8217F064FF27127D3
                          SHA-256:1BED6761021818E6A1D9172951F106CE6EA879D0E42E58672C61C4CFCBE1B439
                          SHA-512:1E13CAF9F088EF0EC9648E82ED9C52F0F75655330E1F76C409D68735226DE275F7581C56B9A8130EEEA1A7836A00B3C67B4E628AEE1D83B0A6A4E7D6DA28C940
                          Malicious:false
                          Preview:..[08:26:24]<<Program Manager>>....[08:26:25]<<Program Manager>>....[08:26:25]<<Program Manager>>....[08:26:25]<<Program Manager>>....[08:26:25]<<Program Manager>>....[08:26:25]<<Program Manager>>....[08:26:25]<<Program Manager>>....[08:26:25]<<Program Manager>>....[08:26:26]<<Program Manager>>....[08:26:26]<<Program Manager>>....[08:26:26]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatabPyXNHlo.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.383210085083239
                          Encrypted:false
                          SSDEEP:3:tPaWXKUE4v/aWXKUE4v/aWXKUE4v/aWXKUE4v/aWXKUE4v/aeUE4v/aeUE4v/aeX:tisGsGsGsGsGVGVGVGVGVGVx
                          MD5:42D929366817D2D98984E9EB6C39A99D
                          SHA1:75CB54F9E04DBD3B69AE435CADF3A8B3CAB8851D
                          SHA-256:3A0B12DA10F61FD5F6DED5BB3BFD87B67E4885B00A35ED5B4A74C8FF26BFB0C7
                          SHA-512:0F97EA5F20A0A75179E7257AB212B48E4B37B0990420C674F3992AC5526D7427CC9871C5C5D2DE750C5FDC4864DC08D26B2B23FAF76CCF0988DDC057251B2041
                          Malicious:false
                          Preview:..[08:26:30]<<Program Manager>>....[08:26:30]<<Program Manager>>....[08:26:30]<<Program Manager>>....[08:26:30]<<Program Manager>>....[08:26:30]<<Program Manager>>....[08:26:31]<<Program Manager>>....[08:26:31]<<Program Manager>>....[08:26:31]<<Program Manager>>....[08:26:31]<<Program Manager>>....[08:26:31]<<Program Manager>>....[08:26:31]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatacacFLcgc.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):396
                          Entropy (8bit):4.376721232326937
                          Encrypted:false
                          SSDEEP:6:tg6fE6fE6fE6fE6fE6fE6fEJdpEJdpEJdpEJdpEJdpx:tVfBfBfBfBfBfBfwpwpwpwpwpx
                          MD5:8E97C201665260482618C19A2F9A5BA8
                          SHA1:CB0181189E07C3585D1FED0B673BF54AF89B4E9B
                          SHA-256:1289098AB983F5208D0000910CE923E5028A8479146F1185FEEB4E325750C232
                          SHA-512:881CF4BBE4E84A70DD7B2750823F1249D3A11470C1C4192256D2DE8E4CF612736AA4E5670A0EF15CC11AA9B783E6201DC088586AFB5CFE47A3DCE97E46C9E77C
                          Malicious:false
                          Preview:..[08:26:18]<<Program Manager>>....[08:26:18]<<Program Manager>>....[08:26:18]<<Program Manager>>....[08:26:18]<<Program Manager>>....[08:26:18]<<Program Manager>>....[08:26:18]<<Program Manager>>....[08:26:18]<<Program Manager>>....[08:26:19]<<Program Manager>>....[08:26:19]<<Program Manager>>....[08:26:19]<<Program Manager>>....[08:26:19]<<Program Manager>>....[08:26:19]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatadEHewopZ.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.388782830821727
                          Encrypted:false
                          SSDEEP:6:tirdpGrdpGrdpGrdpGUGUGUGUGUGUGTpx:tirfGrfGrfGrfGUGUGUGUGUGUGTpx
                          MD5:749337790DC0A0C5AB901C93B064DBC4
                          SHA1:97549101D787F78767F5F797C16E19268439ACC9
                          SHA-256:BE3FF432DAF99F4D4D15151900A05EB9A4B6FEE086DE5F4E2B2721118EB338D6
                          SHA-512:E19B62C5749A8DC6B2406D80020F135DB71D8A6C140D4896AE8889F7A1540A8A196CDC7EC871052359E34B62FC31BDD2D2AD02AF0D5714821ABE6C0C3256CAD7
                          Malicious:false
                          Preview:..[08:26:37]<<Program Manager>>....[08:26:37]<<Program Manager>>....[08:26:37]<<Program Manager>>....[08:26:37]<<Program Manager>>....[08:26:38]<<Program Manager>>....[08:26:38]<<Program Manager>>....[08:26:38]<<Program Manager>>....[08:26:38]<<Program Manager>>....[08:26:38]<<Program Manager>>....[08:26:38]<<Program Manager>>....[08:26:39]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatadMIDEpTo.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.387588926508786
                          Encrypted:false
                          SSDEEP:6:t8LZiAdpiAdpiAdpiAdpiAdpiAdpiAdpu1Zu1Zu1Zx:t+rrrrrrrufufufx
                          MD5:8DA6025FB142BD8DE85B74AF0A82341F
                          SHA1:1098F7C9177046CED9A14299A3063253B731B1F2
                          SHA-256:A7BC45FA04E0F16432D712B84EE242D91E1C5AF28549F584B747DABFAAA94FA0
                          SHA-512:F77E5D426253F7B5FA4E87EA37B46F4B7105C14D1846697DA4794319A9BA4BB1C64D17EA7A0872BD307FBC42E86DD77968FB742BD9503B3265DB3C7467532D92
                          Malicious:false
                          Preview:..[08:26:40]<<Program Manager>>....[08:26:41]<<Program Manager>>....[08:26:41]<<Program Manager>>....[08:26:41]<<Program Manager>>....[08:26:41]<<Program Manager>>....[08:26:41]<<Program Manager>>....[08:26:41]<<Program Manager>>....[08:26:41]<<Program Manager>>....[08:26:42]<<Program Manager>>....[08:26:42]<<Program Manager>>....[08:26:42]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataeXiFLZCi.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):396
                          Entropy (8bit):4.388980709529648
                          Encrypted:false
                          SSDEEP:3:tPdS4ZNE4v/dS4ZNE4v/dS4ZNE4v/ddWE4v/ddWE4v/ddWE4v/ddWE4v/ddWE4vf:tIUNkUNkUNiiiiiiiqULZqULZx
                          MD5:A6DC2714F24EE555BF4D9EAF5B0D5CBF
                          SHA1:3F93F81B30269F2B9171BA07C013427B1E391F74
                          SHA-256:B31F44CCE437A110F934230B78BCE282AB0C4D1322BF19B108DD477656B64FF1
                          SHA-512:41213FD17C39F53331A5538BFB87075A1705B881221E74896BE14616A270DD28205CB7FF87497FDC554F591CF7DA74A50D8AD1131CBEF7D59C2BC8F024F6A80D
                          Malicious:false
                          Preview:..[08:26:47]<<Program Manager>>....[08:26:47]<<Program Manager>>....[08:26:47]<<Program Manager>>....[08:26:48]<<Program Manager>>....[08:26:48]<<Program Manager>>....[08:26:48]<<Program Manager>>....[08:26:48]<<Program Manager>>....[08:26:48]<<Program Manager>>....[08:26:48]<<Program Manager>>....[08:26:48]<<Program Manager>>....[08:26:49]<<Program Manager>>....[08:26:49]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatagOQjsWdE.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.422704883211484
                          Encrypted:false
                          SSDEEP:3:tPYXE4v/YXE4v/YXE4v/YXE4v/YXE4v/YXE4v/YeZNE4v/YeZNE4v/YeZNE4v/Y2:tgXEXEXEXEXEXEefEefEefEefEefx
                          MD5:BD585283671142D49DA34AAD11C1D4CF
                          SHA1:BA0A744084285462072EEA274F489F2EFB418DF4
                          SHA-256:76CB4D33961D03DF1064576A45A47211A2F8D85AA9A234775B0FBE589D8C374E
                          SHA-512:A60EC793C663F3EF61E079F6995730BD3F60D188F01B05F9DA2CD75398D3D309FA5944EB7315B2FFD6744B974E8388A04208FC0B592503C87154D8F264410983
                          Malicious:false
                          Preview:..[08:26:13]<<Program Manager>>....[08:26:13]<<Program Manager>>....[08:26:13]<<Program Manager>>....[08:26:13]<<Program Manager>>....[08:26:13]<<Program Manager>>....[08:26:13]<<Program Manager>>....[08:26:14]<<Program Manager>>....[08:26:14]<<Program Manager>>....[08:26:14]<<Program Manager>>....[08:26:14]<<Program Manager>>....[08:26:14]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatakaJTutTF.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.326982865902726
                          Encrypted:false
                          SSDEEP:6:tcNyA1ZyA1ZyA1ZyA1ZyA1ZyA1ZyA1ZaZLZaZLZaZLZx:tcNL1ZL1ZL1ZL1ZL1ZL1ZL1ZSLZSLZSP
                          MD5:BD6B1C2E4A19A977C57DD0E7CDFB4789
                          SHA1:B3E71EB9CFC5A28534922636B9497D75BE67E3D8
                          SHA-256:E706D31F891FB2DD0F8B7210C84BD5B33987E4A2BFC01559E0CBB65E405EFD95
                          SHA-512:4529B0629B6917E1D54652F199143A4F2A82DF31045DA53FD618788C6F4FC07158B5462F8461FFC7B88A49ABD9429C52ECD3D0F9C49534FEF2EB7EC3AB96B3DF
                          Malicious:false
                          Preview:..[08:26:26]<<Program Manager>>....[08:26:27]<<Program Manager>>....[08:26:27]<<Program Manager>>....[08:26:27]<<Program Manager>>....[08:26:27]<<Program Manager>>....[08:26:27]<<Program Manager>>....[08:26:27]<<Program Manager>>....[08:26:27]<<Program Manager>>....[08:26:28]<<Program Manager>>....[08:26:28]<<Program Manager>>....[08:26:28]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatakxYghDeH.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.3128275092660635
                          Encrypted:false
                          SSDEEP:3:tPZdCpE4v/ZdCpE4v/ZdCpE4v/ZdCpE4v/ZdCpE4v/ZdCpE4v/ZdCpE4v/ZcAfEm:tCWWWWWWmAfmAfmAfmAfx
                          MD5:E02967777F600400ED6D263E405FE8AF
                          SHA1:FF80D2425FA9840EBE0F5882ABD6E7EA5F898E03
                          SHA-256:DE5552EECDE297F963FE9B7185B02076FCDD2A4F0C9A7420166FF0131BD69373
                          SHA-512:98B6FD42B97BBEFA55C5EF839AB74877104E1FF6F4EE1AB0737A3E092056DD4212C94B7627C201D09E42D5EA84F06739818DD093A95572186AB29953EE01CEE2
                          Malicious:false
                          Preview:..[08:26:08]<<Program Manager>>....[08:26:08]<<Program Manager>>....[08:26:08]<<Program Manager>>....[08:26:08]<<Program Manager>>....[08:26:08]<<Program Manager>>....[08:26:08]<<Program Manager>>....[08:26:08]<<Program Manager>>....[08:26:09]<<Program Manager>>....[08:26:09]<<Program Manager>>....[08:26:09]<<Program Manager>>....[08:26:09]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatalCuSXoHU.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.328995084284429
                          Encrypted:false
                          SSDEEP:3:tPYJndpE4v/bV4IUE4v/bV4IUE4v/bV4IUE4v/bV4IUE4v/bV4IUE4v/bV4IUE4i:tgJdpyfyfyfyfyfyfyf0W0W0Wx
                          MD5:49562402D3C8BF244E059CD4703A5021
                          SHA1:928356A9369189B705667DE152B71303A2E9F4B7
                          SHA-256:157AA481D3ECAC50E65BD56D1A25D97E115799AC96CC99418ED4277A94A60001
                          SHA-512:27166B8BF80D79644034C129CDE4F9AAC2AE6F75B7D4B2E62A71D2F54E5B8340375F6DD7F095AA6CB907A88414810F07A058B0DEC3143B54D5B9E9198C67F8F7
                          Malicious:false
                          Preview:..[08:26:19]<<Program Manager>>....[08:26:20]<<Program Manager>>....[08:26:20]<<Program Manager>>....[08:26:20]<<Program Manager>>....[08:26:20]<<Program Manager>>....[08:26:20]<<Program Manager>>....[08:26:20]<<Program Manager>>....[08:26:20]<<Program Manager>>....[08:26:21]<<Program Manager>>....[08:26:21]<<Program Manager>>....[08:26:21]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatamEWnJiLB.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):396
                          Entropy (8bit):4.339404346434502
                          Encrypted:false
                          SSDEEP:3:tPao1ZE4v/ao1ZE4v/ao1ZE4v/ao1ZE4v/ao1ZE4v/ao1ZE4v/a/ZNE4v/a/ZNEY:tiofGofGofGofGofGofGXGXGXGXGXGXx
                          MD5:F76E13C3D2001B79EAC7237AEFA1D95C
                          SHA1:030640DD1F47307D54AB7723B3BE047AE081224D
                          SHA-256:28DD6937CB575719AA4EB33CD68C3A5D05C9B1D8744FBD9E7AA0CC6C86DDA8A2
                          SHA-512:F8C4E81E8A9C35E03CB4E7ECA8A0D68D248230A115181AFE98C78762F302A35B99F38EF6175D232D80C4F6BC08C7F3A8C80A324F1DD6AFAA3237BBB6822A281F
                          Malicious:false
                          Preview:..[08:26:32]<<Program Manager>>....[08:26:32]<<Program Manager>>....[08:26:32]<<Program Manager>>....[08:26:32]<<Program Manager>>....[08:26:32]<<Program Manager>>....[08:26:32]<<Program Manager>>....[08:26:33]<<Program Manager>>....[08:26:33]<<Program Manager>>....[08:26:33]<<Program Manager>>....[08:26:33]<<Program Manager>>....[08:26:33]<<Program Manager>>....[08:26:33]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatanEJLoDah.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):396
                          Entropy (8bit):4.341362000792605
                          Encrypted:false
                          SSDEEP:3:tPQZjKUE4v/QZjKUE4v/QZjKUE4v/QZjKUE4v/nIUE4v/nIUE4v/nIUE4v/nIUEW:toZNUZNUZNUZN777777ggx
                          MD5:4197889A41934F97F3C9C755C91C9ED0
                          SHA1:D22FA18BC992F99864DF428EB0EF4752C08E60A8
                          SHA-256:63BAA3001E43B236AD008D6659685AC3E9378D5459E91E7ABD00FA4EB01305AD
                          SHA-512:8D91C02C44DEB688ECFE31C30FF2D6A8662E6625A3F045C871A087AB19C42126D90497E84B3FFACA3DAF4208771524F84E6FD9D76D21538EE883A182C1CF0059
                          Malicious:false
                          Preview:..[08:27:10]<<Program Manager>>....[08:27:10]<<Program Manager>>....[08:27:10]<<Program Manager>>....[08:27:10]<<Program Manager>>....[08:27:11]<<Program Manager>>....[08:27:11]<<Program Manager>>....[08:27:11]<<Program Manager>>....[08:27:11]<<Program Manager>>....[08:27:11]<<Program Manager>>....[08:27:11]<<Program Manager>>....[08:27:12]<<Program Manager>>....[08:27:12]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatanalGguoZ.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.403034508075346
                          Encrypted:false
                          SSDEEP:3:tPcYpE4v/cYpE4v/cYpE4v/cXNE4v/cXNE4v/cXNE4v/cXNE4v/cXNE4v/cXNE4d:tkUAUAUA9A9A9A9A9A9AWAWx
                          MD5:939AB4B8F8DC814F03DD6CD1E9D51278
                          SHA1:EE2A0FECCAE18F9BDC82D4F437EBF3D9562CE625
                          SHA-256:5F3D8BD6A2B1F35A6183F3E666C093D9386C95B2AFF7CDEC4DAB94D46186077F
                          SHA-512:01F27B65190B798A32CEE4A14CC5135D39C73CD1185CB0259586F0A7A7EA0F73EA1A932F4B28C8CA8FD97630C12F7ED82FF3264DE36A2C92CD36EEA276835A8F
                          Malicious:false
                          Preview:..[08:26:58]<<Program Manager>>....[08:26:58]<<Program Manager>>....[08:26:58]<<Program Manager>>....[08:26:59]<<Program Manager>>....[08:26:59]<<Program Manager>>....[08:26:59]<<Program Manager>>....[08:26:59]<<Program Manager>>....[08:26:59]<<Program Manager>>....[08:26:59]<<Program Manager>>....[08:27:00]<<Program Manager>>....[08:27:00]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatanhwfjFGm.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.387588926508786
                          Encrypted:false
                          SSDEEP:6:tq1Zu1Zu1ZgAfgAfgAfgAfgAfgAfgAfWx:tqfufufgAfgAfgAfgAfgAfgAfgAfWx
                          MD5:5A92B08C22955F0C882F156726C125B4
                          SHA1:085895F7561690224F1C89CF9B11694D7554640F
                          SHA-256:F13E18C7FFE9D78B0F4C312872E3F447DB4DD4A0A560ADB0125C118891E11181
                          SHA-512:6EA15470F164C812CE2ABD941E195304E7F5F1CA30CE925442966EA2DFA3F22DBB5BF43E331C4DF4566B55A613868D9F03083A5E3C12F8C7FE2FF8E4D777C66A
                          Malicious:false
                          Preview:..[08:26:42]<<Program Manager>>....[08:26:42]<<Program Manager>>....[08:26:42]<<Program Manager>>....[08:26:43]<<Program Manager>>....[08:26:43]<<Program Manager>>....[08:26:43]<<Program Manager>>....[08:26:43]<<Program Manager>>....[08:26:43]<<Program Manager>>....[08:26:43]<<Program Manager>>....[08:26:43]<<Program Manager>>....[08:26:44]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatapOkRTXmq.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):792
                          Entropy (8bit):4.373056212683738
                          Encrypted:false
                          SSDEEP:12:twkksCpsCpsCpsCpsCpsCpsCpsCpiiiiiiTTTTTTTx:tI
                          MD5:760385EEA7C71C7757C320BC0EDE12CF
                          SHA1:50D5DF7B9AF8422ABFAE065605C50391393BCADC
                          SHA-256:A92C27CE0995733292AF5B6CCEF77DAAE0BC80E0AFB0E542F47B889C7C5C59C6
                          SHA-512:EB29BCB35612C0A09C475A9C1DF7ADFF9266C59E1F3C9CFA0884FF0CB292A0571D68FE075669FBF81A4B624C24FCB9CCF39FAFEE4370F0187760E14D1439AE70
                          Malicious:false
                          Preview:..[08:26:02]<<Program Manager>>....[08:26:02]<<Program Manager>>....[08:26:02]<<Program Manager>>....[08:26:03]<<Program Manager>>....[08:26:03]<<Program Manager>>....[08:26:03]<<Program Manager>>....[08:26:03]<<Program Manager>>....[08:26:03]<<Program Manager>>....[08:26:03]<<Program Manager>>....[08:26:03]<<Program Manager>>....[08:26:03]<<Program Manager>>....[08:26:04]<<Program Manager>>....[08:26:04]<<Program Manager>>....[08:26:04]<<Program Manager>>....[08:26:04]<<Program Manager>>....[08:26:04]<<Program Manager>>....[08:26:04]<<Program Manager>>....[08:26:05]<<Program Manager>>....[08:26:05]<<Program Manager>>....[08:26:05]<<Program Manager>>....[08:26:05]<<Program Manager>>....[08:26:05]<<Program Manager>>....[08:26:05]<<Program Manager>>....[08:26:05]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatapYdXvGwe.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):396
                          Entropy (8bit):4.369393094536784
                          Encrypted:false
                          SSDEEP:3:tPcO1ZE4v/cO1ZE4v/cO1ZE4v/cXpE4v/cXpE4v/cXpE4v/cXpE4v/cXpE4v/ccp:tkAAAAAAXpAXpAXpAXpAXpAqAqAqAqx
                          MD5:A4800A44C8A82C2C80765E53588D4229
                          SHA1:BD7EA34C31F9B63C7FEC90059AA60BF3BBCC8E9E
                          SHA-256:E484B5ED8C1084E015E4B7DA6BF3B9F1845C82F0417C7622B0632F5599DD6339
                          SHA-512:F291199328C3CEDE83BD5BE98543308B64E2C0CEA6B725B747914E36050987BA2841C2D8D413F5311119A78D774A27FD9953A6A2E42BBD49181B8218F156E56A
                          Malicious:false
                          Preview:..[08:26:54]<<Program Manager>>....[08:26:54]<<Program Manager>>....[08:26:54]<<Program Manager>>....[08:26:55]<<Program Manager>>....[08:26:55]<<Program Manager>>....[08:26:55]<<Program Manager>>....[08:26:55]<<Program Manager>>....[08:26:55]<<Program Manager>>....[08:26:56]<<Program Manager>>....[08:26:56]<<Program Manager>>....[08:26:56]<<Program Manager>>....[08:26:56]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataqHSlOfnM.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.424076384962404
                          Encrypted:false
                          SSDEEP:6:tGULZqULZqULZqULZqULZAsAsAsAsAsAhfx:tBNFNFNFNFN55555gx
                          MD5:87C2E5A2078119F4FB58B9E3678ADE6E
                          SHA1:087636210858E4AE2FE2E1A517D9756EBD1CD7E9
                          SHA-256:08070A29D7C430C4902F8E44A8D5C8B15DF4FB3FD463B8EFB48E4A3C8C997F41
                          SHA-512:D87BC1B97735185C04054E6E3B03A0371D7CE2AB28CCD1DE13EDC99989BAA2BA1707725D5D1B57BDD5139FCFF07F40789FC96CCA56F8F0C0803E607CC2B022FF
                          Malicious:false
                          Preview:..[08:26:49]<<Program Manager>>....[08:26:49]<<Program Manager>>....[08:26:49]<<Program Manager>>....[08:26:49]<<Program Manager>>....[08:26:49]<<Program Manager>>....[08:26:50]<<Program Manager>>....[08:26:50]<<Program Manager>>....[08:26:50]<<Program Manager>>....[08:26:50]<<Program Manager>>....[08:26:50]<<Program Manager>>....[08:26:51]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataqXbqGcYc.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1353
                          Entropy (8bit):4.397105225905599
                          Encrypted:false
                          SSDEEP:12:tTq/q/b/b/b/b/b/b/b/b/6f/6f/6f/6f/6f/6f/6f/cAf/cAf/cAf/cAf/cAf/T:tpAcAcAcAcAcAcAP
                          MD5:C886E227F52087FA12548720D8180EFA
                          SHA1:4C2B47E052CDCFC84E4276EB4F704E4C2FB16D3F
                          SHA-256:050AED9189463449BD34740333C381C9288698B1FD63550F1A4D875A814B45B1
                          SHA-512:13B06C86406A8395CDBF0C5DC0525AC085E66849085880FF83633D70E8B5EE93F78F85B6B2DB92A7EDAD40CAF64E9D98BD71B760BE8605B5C80F54BA2F6B5559
                          Malicious:false
                          Preview:..[08:25:56]<<Program Manager>>....[08:25:56]<<Program Manager>>....[08:25:57]<<Program Manager>>....[08:25:57]<<Program Manager>>....[08:25:57]<<Program Manager>>....[08:25:57]<<Program Manager>>....[08:25:57]<<Program Manager>>....[08:25:57]<<Program Manager>>....[08:25:57]<<Program Manager>>....[08:25:57]<<Program Manager>>....[08:25:58]<<Program Manager>>....[08:25:58]<<Program Manager>>....[08:25:58]<<Program Manager>>....[08:25:58]<<Program Manager>>....[08:25:58]<<Program Manager>>....[08:25:58]<<Program Manager>>....[08:25:58]<<Program Manager>>....[08:25:59]<<Program Manager>>....[08:25:59]<<Program Manager>>....[08:25:59]<<Program Manager>>....[08:25:59]<<Program Manager>>....[08:25:59]<<Program Manager>>....[08:25:59]<<Program Manager>>....[08:25:59]<<Program Manager>>....[08:26:00]<<Program Manager>>....[08:26:00]<<Program Manager>>....[08:26:00]<<Program Manager>>....[08:26:00]<<Program Manager>>....[08:26:00]<<Program Manager>>....[08:26:00]<<Program Manager>>....[08:26:0

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatarMlfenBQ.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.3128275092660635
                          Encrypted:false
                          SSDEEP:3:tPuWE4v/uWE4v/uWE4v/uWE4v/uWE4v/uWE4v/uWE4v/vQXpE4v/vQXpE4v/vQXm:tmWCWCWCWCWCWCW0Xp0Xp0Xp0Xpx
                          MD5:037B19A8F1A17DCC8F68CC6E63C2990A
                          SHA1:96C96084C8BE42CB94F304FF506FB8E171CD27D4
                          SHA-256:68F69439845E179AA226EED1B79EAA28E0673E6BD36519F7DBDD24EB2AC665BB
                          SHA-512:9939582B6234E4FFF35B196AEBC7C38483F5892A148ED72F2A60DDE5DB886E359C49D188E96634D3ED3450A3BC7567F96673C45FEC4C9CC7495238AF1F92031A
                          Malicious:false
                          Preview:..[08:27:02]<<Program Manager>>....[08:27:02]<<Program Manager>>....[08:27:02]<<Program Manager>>....[08:27:02]<<Program Manager>>....[08:27:02]<<Program Manager>>....[08:27:02]<<Program Manager>>....[08:27:02]<<Program Manager>>....[08:27:03]<<Program Manager>>....[08:27:03]<<Program Manager>>....[08:27:03]<<Program Manager>>....[08:27:03]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatauTPyLeaA.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.384396969001224
                          Encrypted:false
                          SSDEEP:3:tPYqE4v/YqE4v/YqE4v/YqE4v/YhXpE4v/YhXpE4v/YhXpE4v/YhXpE4v/YhXpEV:tgqEqEqEqEBpEBpEBpEBpEBpEBpE6fx
                          MD5:4C650BEC48C98408944F7C3A2CC19660
                          SHA1:20ACDCBD656EA05D68702DD9E9A345E4827914CD
                          SHA-256:7F7E5AFAC65D306E6C2CC8A226D8A3510BB3F242A0415D8D25DDDA3C174EF1A3
                          SHA-512:AEFEDDB61C5E1B3000ECEB413DD1E9F81BD628EC7A794FBAEA86D337D0921443B337F6F62423ED347A83974781B04F8E8E676587A7F535E914C76E63AAF6FF95
                          Malicious:false
                          Preview:..[08:26:16]<<Program Manager>>....[08:26:16]<<Program Manager>>....[08:26:16]<<Program Manager>>....[08:26:16]<<Program Manager>>....[08:26:17]<<Program Manager>>....[08:26:17]<<Program Manager>>....[08:26:17]<<Program Manager>>....[08:26:17]<<Program Manager>>....[08:26:17]<<Program Manager>>....[08:26:17]<<Program Manager>>....[08:26:18]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatavIUMqkPL.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):363
                          Entropy (8bit):4.401268822386593
                          Encrypted:false
                          SSDEEP:3:tPYeZNE4v/Yt1ZE4v/Yt1ZE4v/Yt1ZE4v/Yt1ZE4v/Yt1ZE4v/Yt1ZE4v/Yt1ZE2:tgefEZEZEZEZEZEZEZEqEqEqx
                          MD5:3D9876D3E31785FDF002962EE6D004E3
                          SHA1:1A1C6EEFFCE355E1CBC8293B906C2CEE8B7E0041
                          SHA-256:6AE21F073829A0B03AF40CBDBAFA3F3BF2964022C7134611F0BB2185A9D53AA1
                          SHA-512:2AF3083FFE8C0BB3852461D0DD03D5DFAA2B79A51F97257931EFA50E431ACD2F8B7BE31F55492F6C10533FBA5C6AE4F2F8BE491AA4E461D9BFAFE3490EC492B0
                          Malicious:false
                          Preview:..[08:26:14]<<Program Manager>>....[08:26:15]<<Program Manager>>....[08:26:15]<<Program Manager>>....[08:26:15]<<Program Manager>>....[08:26:15]<<Program Manager>>....[08:26:15]<<Program Manager>>....[08:26:15]<<Program Manager>>....[08:26:15]<<Program Manager>>....[08:26:16]<<Program Manager>>....[08:26:16]<<Program Manager>>....[08:26:16]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatavaTQcbhg.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):396
                          Entropy (8bit):4.353474502304971
                          Encrypted:false
                          SSDEEP:3:tPYhZ2UE4v/YhZ2UE4v/YhZ2UE4v/YhZ2UE4v/YhZ2UE4v/YEZfE4v/YEZfE4v/8:tgVEVEVEVEVEGEGEGEGEGEGEXx
                          MD5:24A0BE28D687FAF0114FE5E8FA6A6E79
                          SHA1:CD63E4C40FFC62D70C443080952FDF04DBDBD332
                          SHA-256:1CC9660823EEBCFDBBD201407849E6E12B0A4485644DBCD82269C4B4160DC76A
                          SHA-512:D20134560DF1941D657EF7E3125558C430223F9EC3586CA304C1A3C8785B1EEBA9AA861499A2F582A3884815E71DDA1F3C3F1EFE03FF30EC11E2716248FD7C17
                          Malicious:false
                          Preview:..[08:26:11]<<Program Manager>>....[08:26:11]<<Program Manager>>....[08:26:11]<<Program Manager>>....[08:26:11]<<Program Manager>>....[08:26:11]<<Program Manager>>....[08:26:12]<<Program Manager>>....[08:26:12]<<Program Manager>>....[08:26:12]<<Program Manager>>....[08:26:12]<<Program Manager>>....[08:26:12]<<Program Manager>>....[08:26:12]<<Program Manager>>....[08:26:13]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatawDraFhML.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):396
                          Entropy (8bit):4.418547147578522
                          Encrypted:false
                          SSDEEP:3:tPa/ZNE4v/aAE4v/aAE4v/aAE4v/aAE4v/aAE4v/aAE4v/aAE4v/arZfE4v/arZv:tiXGAGAGAGAGAGAGAGNfGNfGNfGNfx
                          MD5:226C28D785863260395A2F76719D427D
                          SHA1:84877B86B2E953AA46AFBFAE02A1551CD7FAD803
                          SHA-256:AD23D6FDCFCA5B53143A05A0D7C79F424968DE557CC7F9ED06CBE0B0CED695B2
                          SHA-512:6D8DD20E4249DDF51A4ED8C0709A73A2F161B6F59E924DA80B63E43AFA1A143E3A1F6D86DAD633FE70E2C3A3F38A01B79BA04C4DD1052884F48F228547989926
                          Malicious:false
                          Preview:..[08:26:33]<<Program Manager>>....[08:26:34]<<Program Manager>>....[08:26:34]<<Program Manager>>....[08:26:34]<<Program Manager>>....[08:26:34]<<Program Manager>>....[08:26:34]<<Program Manager>>....[08:26:34]<<Program Manager>>....[08:26:34]<<Program Manager>>....[08:26:35]<<Program Manager>>....[08:26:35]<<Program Manager>>....[08:26:35]<<Program Manager>>....[08:26:35]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatawwabBoFm.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):396
                          Entropy (8bit):4.31360214170664
                          Encrypted:false
                          SSDEEP:3:tPbU4IUE4v/bU4IUE4v/bU4IUE4v/bXWE4v/bXWE4v/bXWE4v/bXWE4v/bXWE4vj:toW0W0Wmmmmmmm2Ujp2Ujpx
                          MD5:083CE7152A58E9F63D1DA0284FB8D87B
                          SHA1:61B186685AEAAF9D991CCF8F67DDABAA0216E6FD
                          SHA-256:5B2C3BE90305C4A6E7EA76BB9A7D27A2416A680AB84346741F3FDC231F315850
                          SHA-512:735DD8F5DE2F6C3723B488810B1B3C609B6FA4894A18606151D09E0A91607027015626F56718673F73466105BE9BC214852C7397C55D4DEF82385022C97D4A19
                          Malicious:false
                          Preview:..[08:26:21]<<Program Manager>>....[08:26:21]<<Program Manager>>....[08:26:21]<<Program Manager>>....[08:26:22]<<Program Manager>>....[08:26:22]<<Program Manager>>....[08:26:22]<<Program Manager>>....[08:26:22]<<Program Manager>>....[08:26:22]<<Program Manager>>....[08:26:22]<<Program Manager>>....[08:26:22]<<Program Manager>>....[08:26:23]<<Program Manager>>....[08:26:23]<<Program Manager>>..

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatayfFxHMGX.txt

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):2376
                          Entropy (8bit):4.398280033635884
                          Encrypted:false
                          SSDEEP:12:tpNkkkkkkkrrrrrrrsfsfsfsfsfsfsf/SZN/SZN/SZN/SZN/SZN/SZN/SZN/SZNP:t6ffffffGeeeeeed
                          MD5:91FD6494C875F23CFE067CEF7269F9CF
                          SHA1:D9761F1A99B9201C0FBB01E8D226C60F48472051
                          SHA-256:187C5D5807A1B90AF0A0DD4892E867D44C319018ECF5FFAB3B890C41D33B75BE
                          SHA-512:B51BA9A60305133513469380679A6850AF3859B6EF2D6B32F7E3C86A527335F873494C1831AFE772F1BE6A8E23695784FE757DE286E7F794DBDB903076ED0118
                          Malicious:false
                          Preview:..[08:25:46]<<Program Manager>>....[08:25:46]<<Program Manager>>....[08:25:47]<<Program Manager>>....[08:25:47]<<Program Manager>>....[08:25:47]<<Program Manager>>....[08:25:47]<<Program Manager>>....[08:25:47]<<Program Manager>>....[08:25:47]<<Program Manager>>....[08:25:47]<<Program Manager>>....[08:25:48]<<Program Manager>>....[08:25:48]<<Program Manager>>....[08:25:48]<<Program Manager>>....[08:25:48]<<Program Manager>>....[08:25:48]<<Program Manager>>....[08:25:48]<<Program Manager>>....[08:25:48]<<Program Manager>>....[08:25:49]<<Program Manager>>....[08:25:49]<<Program Manager>>....[08:25:49]<<Program Manager>>....[08:25:49]<<Program Manager>>....[08:25:49]<<Program Manager>>....[08:25:49]<<Program Manager>>....[08:25:49]<<Program Manager>>....[08:25:50]<<Program Manager>>....[08:25:50]<<Program Manager>>....[08:25:50]<<Program Manager>>....[08:25:50]<<Program Manager>>....[08:25:50]<<Program Manager>>....[08:25:50]<<Program Manager>>....[08:25:50]<<Program Manager>>....[08:25:5

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\LogkinotKrAhRyjSfwLYIttQphGBONdeYquirinal

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                          Category:dropped
                          Size (bytes):51200
                          Entropy (8bit):0.8746135976761988
                          Encrypted:false
                          SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                          MD5:9E68EA772705B5EC0C83C2A97BB26324
                          SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                          SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                          SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                          Malicious:false
                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotAEjrBVkw.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758053120816647
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:EA02DA433618E8D6FD24702FBE41456C
                          SHA1:ED7CDC2A9DEDBACAC932592F92CF75F53484B7FE
                          SHA-256:0BC9D11C6D0CD16A857E0E193A646792C4B55B21F375DFD9B8CDCCCD6B2FDF74
                          SHA-512:5785D38461E165CD25EB616DF79855DF9DAE0316FFE843B98875D042FBA808E3BE0FF9DAC8FF73315E8A28065F2AF981F7642690678F992EBD79A6042FEB7516
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotAfYSzFti.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.76428381732902
                          Encrypted:false
                          SSDEEP:12288:b1TTDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjB:FTevWDY9YBYe4quPzSHMIU4FtNyJAmOc
                          MD5:74C6BFF770F687F745C44FFCBC7C5587
                          SHA1:CD0388686E5F3B6F7DF77DEC2380CC292763EED5
                          SHA-256:5186530904135206FD2DEACDBD5AE0299C2DED57A1DE4A4A8B674D2EE5CF8FA4
                          SHA-512:5712E7320899FD552631532B32C2FF5247845B112D6E18CD57887DE04B88C115A2AEF0BDE9D5E3937F0B72F2CEBC959F20C366A5343CF98BBFEBE699C6C667D5
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotFSExpmee.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.75805260767013
                          Encrypted:false
                          SSDEEP:12288:b1TTDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:FTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:BC295D43CA422D1897A173EBD133963D
                          SHA1:532705AEF15A2B7718AE9E35D197940D20A802C9
                          SHA-256:DB12C10C7A1FB68D8E5CD6FDDB268C66A5BB0EA854B58E63821281235C43C98D
                          SHA-512:9374F982C879D9468ED83508E31A4569331129C86B66DD92D31ECAB650ADE0471460D496D86ADE738966D11A1040886951AAC549CAB7C17A44E39F526D9E5381
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotFSHfYxVm.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758053120816647
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:EA02DA433618E8D6FD24702FBE41456C
                          SHA1:ED7CDC2A9DEDBACAC932592F92CF75F53484B7FE
                          SHA-256:0BC9D11C6D0CD16A857E0E193A646792C4B55B21F375DFD9B8CDCCCD6B2FDF74
                          SHA-512:5785D38461E165CD25EB616DF79855DF9DAE0316FFE843B98875D042FBA808E3BE0FF9DAC8FF73315E8A28065F2AF981F7642690678F992EBD79A6042FEB7516
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotGruWYWXL.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.713594069305633
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjS:PTevWDY9YBYe4quPzS9zv53P9LN
                          MD5:744BF471E6DD219A9FEDB188E65DD592
                          SHA1:C6449EFBEAC67F431BFF21D555CA2BCE3125F2B8
                          SHA-256:31E5D8F92AFB0B36E5265A2FAA4BCC7569CB21A841019822C9C62D2B8872F8E1
                          SHA-512:A46F6E6BD82C3EF3C6C54419FDD2CEE49C158223889D3D710E547AD3AADCEBB54612327B28FF439B81B30FD7A44A72841DE7F0252DEC459B1D675FA29C8EA4E6
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotHyynqUdr.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758053120816647
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:EA02DA433618E8D6FD24702FBE41456C
                          SHA1:ED7CDC2A9DEDBACAC932592F92CF75F53484B7FE
                          SHA-256:0BC9D11C6D0CD16A857E0E193A646792C4B55B21F375DFD9B8CDCCCD6B2FDF74
                          SHA-512:5785D38461E165CD25EB616DF79855DF9DAE0316FFE843B98875D042FBA808E3BE0FF9DAC8FF73315E8A28065F2AF981F7642690678F992EBD79A6042FEB7516
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotIIttyPnh.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.75805260767013
                          Encrypted:false
                          SSDEEP:12288:b1TTDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:FTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:BC295D43CA422D1897A173EBD133963D
                          SHA1:532705AEF15A2B7718AE9E35D197940D20A802C9
                          SHA-256:DB12C10C7A1FB68D8E5CD6FDDB268C66A5BB0EA854B58E63821281235C43C98D
                          SHA-512:9374F982C879D9468ED83508E31A4569331129C86B66DD92D31ECAB650ADE0471460D496D86ADE738966D11A1040886951AAC549CAB7C17A44E39F526D9E5381
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotIRqladOv.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758053120816647
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:EA02DA433618E8D6FD24702FBE41456C
                          SHA1:ED7CDC2A9DEDBACAC932592F92CF75F53484B7FE
                          SHA-256:0BC9D11C6D0CD16A857E0E193A646792C4B55B21F375DFD9B8CDCCCD6B2FDF74
                          SHA-512:5785D38461E165CD25EB616DF79855DF9DAE0316FFE843B98875D042FBA808E3BE0FF9DAC8FF73315E8A28065F2AF981F7642690678F992EBD79A6042FEB7516
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotJidKwmVi.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.713688721623392
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjk:PTevWDY9YBYe4quPzSgMit1/fFS
                          MD5:F36BC4141574671BAE391B81C7024445
                          SHA1:B98467C68A9A7E8CF326BF50369C1996FD1608E9
                          SHA-256:EACB211DC41BA70C8CE7D87F4A774A68E941567392370EA4731522F714C21A90
                          SHA-512:E6059C4BD92497E578635E7047492AC9E43458D9BF5015F2883B2CFF4056F7FC88F158E6D15303274D3C04DA9FCDDE3F0A9E91710141B7F0489105728060B717
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotKlzDuMri.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758053120816647
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:EA02DA433618E8D6FD24702FBE41456C
                          SHA1:ED7CDC2A9DEDBACAC932592F92CF75F53484B7FE
                          SHA-256:0BC9D11C6D0CD16A857E0E193A646792C4B55B21F375DFD9B8CDCCCD6B2FDF74
                          SHA-512:5785D38461E165CD25EB616DF79855DF9DAE0316FFE843B98875D042FBA808E3BE0FF9DAC8FF73315E8A28065F2AF981F7642690678F992EBD79A6042FEB7516
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotLxUeJoHD.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.771797254668482
                          Encrypted:false
                          SSDEEP:12288:b1TTDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUj4:FTevWDY9YBYe4quPzSRqa6YIf+P
                          MD5:47F7690651525646B4D83B7D47D854E2
                          SHA1:4117E9F7C8EBFD927C3FC6626480DD7677495111
                          SHA-256:454FF769056971E469A53A61E72C9D07204EDA64091FB9CA67A9E6FFAB2B446B
                          SHA-512:F89C373653EF3DC7254AC9BF130BB72330BBD2C391790E6358F6EA21EF5F2179146D4E62B7DC1321A4679C6B033AC7119A1C9119B01AE743D0A7DFD4A6A7F8CA
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotMfXXYMlS.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758053120816647
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:EA02DA433618E8D6FD24702FBE41456C
                          SHA1:ED7CDC2A9DEDBACAC932592F92CF75F53484B7FE
                          SHA-256:0BC9D11C6D0CD16A857E0E193A646792C4B55B21F375DFD9B8CDCCCD6B2FDF74
                          SHA-512:5785D38461E165CD25EB616DF79855DF9DAE0316FFE843B98875D042FBA808E3BE0FF9DAC8FF73315E8A28065F2AF981F7642690678F992EBD79A6042FEB7516
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotMlktkEiM.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.763903103463999
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkk05S74RZO+PRMMUUUXZUjG:PTevWDY9YBYL4quPzSICaWaIXNd
                          MD5:A0053B8669C4E3CB6D99ABEB48BF990A
                          SHA1:8AB65A94092146DC501D65E16E2911AE13BA503D
                          SHA-256:94263BCE2FDB0711AB6F6B33DC27A390584850147010687872A1084C7ABB191A
                          SHA-512:21FEE08E53876DC0FBC3F041019DAEAC3E1F48EDA600D019F29D8C4020E9769596B7363A5D342F6466F90AEEAFD9491C1B1D6953A4F12A0354F0B23EF9CCFF66
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotMufoDlet.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.76303931903749
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjj:PTevWDY9YBYe4quPzSICaWaIXqp
                          MD5:9C8513F4EC0A919B027464142CAC37AB
                          SHA1:0BB004D82B6E81A337EDC24D56DB2ADFD6940A6F
                          SHA-256:1AEE763951DB3C631DB1A1EA2078F2C86A8E7D98F272CE5B9DCA25923669B1FE
                          SHA-512:66468E168283792AAFDBC39C7A150F56F8BBCEAA72E7DC4106F288D78A3F28D2B8C4F6C28CD0C59E85BDFD1B3C1B9902C4CB19B95C7FA2129D5B8D188C55665E
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotNytSKrXZ.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.767828139532375
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUj/:PTevWDY9YBYe4quPzSICaWaIcYiv
                          MD5:FABD99F99309CD5F078FB6D2CFCBD3D8
                          SHA1:33E218250BC0757C9C989D6FDEC99798B8427FB2
                          SHA-256:C2DE096260977A1711BADEE5F2A209CEE43CA9453CA4F14FC4F3438B53C69229
                          SHA-512:C3A8A7128B91144EBBF77494F04644A98E2EC6DA17472A1F254D0F103F58C2CB15E1E3E8D5CA23A12DBEC6E6398443CEB1A5AC3C7CBF0988551DF3EF257D27E7
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotPpiROXHs.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758053120816647
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:EA02DA433618E8D6FD24702FBE41456C
                          SHA1:ED7CDC2A9DEDBACAC932592F92CF75F53484B7FE
                          SHA-256:0BC9D11C6D0CD16A857E0E193A646792C4B55B21F375DFD9B8CDCCCD6B2FDF74
                          SHA-512:5785D38461E165CD25EB616DF79855DF9DAE0316FFE843B98875D042FBA808E3BE0FF9DAC8FF73315E8A28065F2AF981F7642690678F992EBD79A6042FEB7516
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotRFZnQZiU.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.774949649713593
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjl:PTevWDY9YBYe4quPzS+nAb23Npj
                          MD5:937C571C2FB0B1D139AF1F32EC12D10A
                          SHA1:319B2D6607A471E4A53010575DFEDD80110362CD
                          SHA-256:038A655AB8D1BF3DD72581690DCDDB92F22538BFBB5330B49521664D14668B95
                          SHA-512:7A590B2A42EC46E6E681B44074A31670982FF067778C887D8E919FC68B63E71EA7EDB4FB043695F57A53A99EA44D192E11B2456BDDD697722E970DEAEFCFF6B5
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotRRGunYkX.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.767655650351431
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUj/:PTevWDY9YBYe4quPzSICaWaIIc2
                          MD5:A62987B2E86F208F66FCAE453C7507D9
                          SHA1:D730566837DBE6706BDB51345A6BAD82FD29A4A6
                          SHA-256:38711C732A51A1D0F582E3206454A420F72C86387835AAA579686CB8712E9B93
                          SHA-512:7B8AD6A668E2329FAE5CFD72812EFD908AF9B00707185A42743DA0E3D3EDE084D6826ABACD46D048CB57D1112B3ABA737871E4BA78DDAAA289D715E3E6EE5699
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotVokMbvFt.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.75805260767013
                          Encrypted:false
                          SSDEEP:12288:b1TTDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:FTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:BC295D43CA422D1897A173EBD133963D
                          SHA1:532705AEF15A2B7718AE9E35D197940D20A802C9
                          SHA-256:DB12C10C7A1FB68D8E5CD6FDDB268C66A5BB0EA854B58E63821281235C43C98D
                          SHA-512:9374F982C879D9468ED83508E31A4569331129C86B66DD92D31ECAB650ADE0471460D496D86ADE738966D11A1040886951AAC549CAB7C17A44E39F526D9E5381
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotZCYXTxOe.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758053120816647
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:EA02DA433618E8D6FD24702FBE41456C
                          SHA1:ED7CDC2A9DEDBACAC932592F92CF75F53484B7FE
                          SHA-256:0BC9D11C6D0CD16A857E0E193A646792C4B55B21F375DFD9B8CDCCCD6B2FDF74
                          SHA-512:5785D38461E165CD25EB616DF79855DF9DAE0316FFE843B98875D042FBA808E3BE0FF9DAC8FF73315E8A28065F2AF981F7642690678F992EBD79A6042FEB7516
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotalKpiwol.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758053120816647
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:EA02DA433618E8D6FD24702FBE41456C
                          SHA1:ED7CDC2A9DEDBACAC932592F92CF75F53484B7FE
                          SHA-256:0BC9D11C6D0CD16A857E0E193A646792C4B55B21F375DFD9B8CDCCCD6B2FDF74
                          SHA-512:5785D38461E165CD25EB616DF79855DF9DAE0316FFE843B98875D042FBA808E3BE0FF9DAC8FF73315E8A28065F2AF981F7642690678F992EBD79A6042FEB7516
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotapoluNpn.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758053120816647
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:EA02DA433618E8D6FD24702FBE41456C
                          SHA1:ED7CDC2A9DEDBACAC932592F92CF75F53484B7FE
                          SHA-256:0BC9D11C6D0CD16A857E0E193A646792C4B55B21F375DFD9B8CDCCCD6B2FDF74
                          SHA-512:5785D38461E165CD25EB616DF79855DF9DAE0316FFE843B98875D042FBA808E3BE0FF9DAC8FF73315E8A28065F2AF981F7642690678F992EBD79A6042FEB7516
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotasOHBtuS.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758053120816647
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:EA02DA433618E8D6FD24702FBE41456C
                          SHA1:ED7CDC2A9DEDBACAC932592F92CF75F53484B7FE
                          SHA-256:0BC9D11C6D0CD16A857E0E193A646792C4B55B21F375DFD9B8CDCCCD6B2FDF74
                          SHA-512:5785D38461E165CD25EB616DF79855DF9DAE0316FFE843B98875D042FBA808E3BE0FF9DAC8FF73315E8A28065F2AF981F7642690678F992EBD79A6042FEB7516
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotbCGUoybr.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758053120816647
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:EA02DA433618E8D6FD24702FBE41456C
                          SHA1:ED7CDC2A9DEDBACAC932592F92CF75F53484B7FE
                          SHA-256:0BC9D11C6D0CD16A857E0E193A646792C4B55B21F375DFD9B8CDCCCD6B2FDF74
                          SHA-512:5785D38461E165CD25EB616DF79855DF9DAE0316FFE843B98875D042FBA808E3BE0FF9DAC8FF73315E8A28065F2AF981F7642690678F992EBD79A6042FEB7516
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotcqJDQraL.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.75805260767013
                          Encrypted:false
                          SSDEEP:12288:b1TTDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:FTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:BC295D43CA422D1897A173EBD133963D
                          SHA1:532705AEF15A2B7718AE9E35D197940D20A802C9
                          SHA-256:DB12C10C7A1FB68D8E5CD6FDDB268C66A5BB0EA854B58E63821281235C43C98D
                          SHA-512:9374F982C879D9468ED83508E31A4569331129C86B66DD92D31ECAB650ADE0471460D496D86ADE738966D11A1040886951AAC549CAB7C17A44E39F526D9E5381
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotcsCauLtc.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758053120816647
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:EA02DA433618E8D6FD24702FBE41456C
                          SHA1:ED7CDC2A9DEDBACAC932592F92CF75F53484B7FE
                          SHA-256:0BC9D11C6D0CD16A857E0E193A646792C4B55B21F375DFD9B8CDCCCD6B2FDF74
                          SHA-512:5785D38461E165CD25EB616DF79855DF9DAE0316FFE843B98875D042FBA808E3BE0FF9DAC8FF73315E8A28065F2AF981F7642690678F992EBD79A6042FEB7516
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotdfNYDdVR.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758045275015649
                          Encrypted:false
                          SSDEEP:12288:bkaTDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:ZTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:076E65983831E44B38BD4E2D35AADD42
                          SHA1:C66E99DA480B78D119EC1A4F5658D79AE3BDD1BA
                          SHA-256:513CD33D8D2377F456F002F4AA0C6614215BADF426F4F944734AFB2038CD0295
                          SHA-512:ECC0941A6F5BA9FE6777B9F94EC958EF268597D4514512C1585010E45B3758F9BBA35512B0A934508CF74BAB688715026DFD163973B2BE9FAEDF4CAEAA8B7206
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotfkYUfBps.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.75805260767013
                          Encrypted:false
                          SSDEEP:12288:b1TTDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:FTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:BC295D43CA422D1897A173EBD133963D
                          SHA1:532705AEF15A2B7718AE9E35D197940D20A802C9
                          SHA-256:DB12C10C7A1FB68D8E5CD6FDDB268C66A5BB0EA854B58E63821281235C43C98D
                          SHA-512:9374F982C879D9468ED83508E31A4569331129C86B66DD92D31ECAB650ADE0471460D496D86ADE738966D11A1040886951AAC549CAB7C17A44E39F526D9E5381
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshothrNZFLJo.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758053120816647
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:EA02DA433618E8D6FD24702FBE41456C
                          SHA1:ED7CDC2A9DEDBACAC932592F92CF75F53484B7FE
                          SHA-256:0BC9D11C6D0CD16A857E0E193A646792C4B55B21F375DFD9B8CDCCCD6B2FDF74
                          SHA-512:5785D38461E165CD25EB616DF79855DF9DAE0316FFE843B98875D042FBA808E3BE0FF9DAC8FF73315E8A28065F2AF981F7642690678F992EBD79A6042FEB7516
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotigNONNfq.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758053120816647
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:EA02DA433618E8D6FD24702FBE41456C
                          SHA1:ED7CDC2A9DEDBACAC932592F92CF75F53484B7FE
                          SHA-256:0BC9D11C6D0CD16A857E0E193A646792C4B55B21F375DFD9B8CDCCCD6B2FDF74
                          SHA-512:5785D38461E165CD25EB616DF79855DF9DAE0316FFE843B98875D042FBA808E3BE0FF9DAC8FF73315E8A28065F2AF981F7642690678F992EBD79A6042FEB7516
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotixRzRMtS.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758045275015649
                          Encrypted:false
                          SSDEEP:12288:bkaTDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:ZTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:076E65983831E44B38BD4E2D35AADD42
                          SHA1:C66E99DA480B78D119EC1A4F5658D79AE3BDD1BA
                          SHA-256:513CD33D8D2377F456F002F4AA0C6614215BADF426F4F944734AFB2038CD0295
                          SHA-512:ECC0941A6F5BA9FE6777B9F94EC958EF268597D4514512C1585010E45B3758F9BBA35512B0A934508CF74BAB688715026DFD163973B2BE9FAEDF4CAEAA8B7206
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotkOIFJHtM.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.77381006970663
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSlCXOl1XIdA
                          MD5:D0C60D7F797E866A79583BCF47CF17E5
                          SHA1:CE9BADE2408BE450A4E03E0D572621A2DCA2BC30
                          SHA-256:B21525D93AB2B4DB49C498496830D9F63D1C35E58893AB1C87E315E99EB1F163
                          SHA-512:7FB405925D6993D5F62C90EAA322B8D44F2BCFF48877CCC88233D08B8A398978F4FE909CF531EEDB5316749EA2F7B3B0490F6A5C2102E030EEFC47848C199F86
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotlvHawteV.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.7644735931495745
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMDUUUSJUjX:PTevWDY9YBYeSU5TXxSICaWaIXNd
                          MD5:C0AFD8BAECD7B7A9F12E939A84D7BF83
                          SHA1:B54EFAEAD73E335B254E7DDC209469165FD837B6
                          SHA-256:DD3905461A468A84B83C1F62366064CBAE32603D7E72763334844D447C0E1E08
                          SHA-512:D075CCF91AA00119A52287BF940A880666B6C652D86457D5B155988B03D74323059FDB33E285223BFA0ED5DF7EE62A9CEEBC3FF798FC258A59CF4CFD2362A279
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotmxjoVmQP.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758053120816647
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:EA02DA433618E8D6FD24702FBE41456C
                          SHA1:ED7CDC2A9DEDBACAC932592F92CF75F53484B7FE
                          SHA-256:0BC9D11C6D0CD16A857E0E193A646792C4B55B21F375DFD9B8CDCCCD6B2FDF74
                          SHA-512:5785D38461E165CD25EB616DF79855DF9DAE0316FFE843B98875D042FBA808E3BE0FF9DAC8FF73315E8A28065F2AF981F7642690678F992EBD79A6042FEB7516
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotncEKSRHz.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:modified
                          Size (bytes):3932214
                          Entropy (8bit):6.75805260767013
                          Encrypted:false
                          SSDEEP:12288:b1TTDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:FTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:BC295D43CA422D1897A173EBD133963D
                          SHA1:532705AEF15A2B7718AE9E35D197940D20A802C9
                          SHA-256:DB12C10C7A1FB68D8E5CD6FDDB268C66A5BB0EA854B58E63821281235C43C98D
                          SHA-512:9374F982C879D9468ED83508E31A4569331129C86B66DD92D31ECAB650ADE0471460D496D86ADE738966D11A1040886951AAC549CAB7C17A44E39F526D9E5381
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotpDdiEgqJ.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758053120816647
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:EA02DA433618E8D6FD24702FBE41456C
                          SHA1:ED7CDC2A9DEDBACAC932592F92CF75F53484B7FE
                          SHA-256:0BC9D11C6D0CD16A857E0E193A646792C4B55B21F375DFD9B8CDCCCD6B2FDF74
                          SHA-512:5785D38461E165CD25EB616DF79855DF9DAE0316FFE843B98875D042FBA808E3BE0FF9DAC8FF73315E8A28065F2AF981F7642690678F992EBD79A6042FEB7516
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotpTmmFCTO.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758053120816647
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:EA02DA433618E8D6FD24702FBE41456C
                          SHA1:ED7CDC2A9DEDBACAC932592F92CF75F53484B7FE
                          SHA-256:0BC9D11C6D0CD16A857E0E193A646792C4B55B21F375DFD9B8CDCCCD6B2FDF74
                          SHA-512:5785D38461E165CD25EB616DF79855DF9DAE0316FFE843B98875D042FBA808E3BE0FF9DAC8FF73315E8A28065F2AF981F7642690678F992EBD79A6042FEB7516
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotpYDCajje.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758053120816647
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:EA02DA433618E8D6FD24702FBE41456C
                          SHA1:ED7CDC2A9DEDBACAC932592F92CF75F53484B7FE
                          SHA-256:0BC9D11C6D0CD16A857E0E193A646792C4B55B21F375DFD9B8CDCCCD6B2FDF74
                          SHA-512:5785D38461E165CD25EB616DF79855DF9DAE0316FFE843B98875D042FBA808E3BE0FF9DAC8FF73315E8A28065F2AF981F7642690678F992EBD79A6042FEB7516
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotpnScsCOl.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758053120816647
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:EA02DA433618E8D6FD24702FBE41456C
                          SHA1:ED7CDC2A9DEDBACAC932592F92CF75F53484B7FE
                          SHA-256:0BC9D11C6D0CD16A857E0E193A646792C4B55B21F375DFD9B8CDCCCD6B2FDF74
                          SHA-512:5785D38461E165CD25EB616DF79855DF9DAE0316FFE843B98875D042FBA808E3BE0FF9DAC8FF73315E8A28065F2AF981F7642690678F992EBD79A6042FEB7516
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotqUPLOaqQ.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758053120816647
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:EA02DA433618E8D6FD24702FBE41456C
                          SHA1:ED7CDC2A9DEDBACAC932592F92CF75F53484B7FE
                          SHA-256:0BC9D11C6D0CD16A857E0E193A646792C4B55B21F375DFD9B8CDCCCD6B2FDF74
                          SHA-512:5785D38461E165CD25EB616DF79855DF9DAE0316FFE843B98875D042FBA808E3BE0FF9DAC8FF73315E8A28065F2AF981F7642690678F992EBD79A6042FEB7516
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotsIYPKWCg.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758053120816647
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:EA02DA433618E8D6FD24702FBE41456C
                          SHA1:ED7CDC2A9DEDBACAC932592F92CF75F53484B7FE
                          SHA-256:0BC9D11C6D0CD16A857E0E193A646792C4B55B21F375DFD9B8CDCCCD6B2FDF74
                          SHA-512:5785D38461E165CD25EB616DF79855DF9DAE0316FFE843B98875D042FBA808E3BE0FF9DAC8FF73315E8A28065F2AF981F7642690678F992EBD79A6042FEB7516
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotshSdizWO.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.75805260767013
                          Encrypted:false
                          SSDEEP:12288:b1TTDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:FTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:BC295D43CA422D1897A173EBD133963D
                          SHA1:532705AEF15A2B7718AE9E35D197940D20A802C9
                          SHA-256:DB12C10C7A1FB68D8E5CD6FDDB268C66A5BB0EA854B58E63821281235C43C98D
                          SHA-512:9374F982C879D9468ED83508E31A4569331129C86B66DD92D31ECAB650ADE0471460D496D86ADE738966D11A1040886951AAC549CAB7C17A44E39F526D9E5381
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotvVZxzYbP.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.758053120816647
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:PTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:EA02DA433618E8D6FD24702FBE41456C
                          SHA1:ED7CDC2A9DEDBACAC932592F92CF75F53484B7FE
                          SHA-256:0BC9D11C6D0CD16A857E0E193A646792C4B55B21F375DFD9B8CDCCCD6B2FDF74
                          SHA-512:5785D38461E165CD25EB616DF79855DF9DAE0316FFE843B98875D042FBA808E3BE0FF9DAC8FF73315E8A28065F2AF981F7642690678F992EBD79A6042FEB7516
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotvvPUKXrf.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.75805260767013
                          Encrypted:false
                          SSDEEP:12288:b1TTDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:FTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:BC295D43CA422D1897A173EBD133963D
                          SHA1:532705AEF15A2B7718AE9E35D197940D20A802C9
                          SHA-256:DB12C10C7A1FB68D8E5CD6FDDB268C66A5BB0EA854B58E63821281235C43C98D
                          SHA-512:9374F982C879D9468ED83508E31A4569331129C86B66DD92D31ECAB650ADE0471460D496D86ADE738966D11A1040886951AAC549CAB7C17A44E39F526D9E5381
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotyEsglIzb.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.713688721623392
                          Encrypted:false
                          SSDEEP:12288:be6TDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjk:PTevWDY9YBYe4quPzSgMit1/fFS
                          MD5:F36BC4141574671BAE391B81C7024445
                          SHA1:B98467C68A9A7E8CF326BF50369C1996FD1608E9
                          SHA-256:EACB211DC41BA70C8CE7D87F4A774A68E941567392370EA4731522F714C21A90
                          SHA-512:E6059C4BD92497E578635E7047492AC9E43458D9BF5015F2883B2CFF4056F7FC88F158E6D15303274D3C04DA9FCDDE3F0A9E91710141B7F0489105728060B717
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotzpUBgNMD.BMP

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                          Category:dropped
                          Size (bytes):3932214
                          Entropy (8bit):6.75805260767013
                          Encrypted:false
                          SSDEEP:12288:b1TTDU5vWDYdw0XLBQE8I3oJFJJzz6bj2BYtF9PFJkkJr+74RZO+PRMMUUUXZUjG:FTevWDY9YBYe4quPzSICaWaIXNd
                          MD5:BC295D43CA422D1897A173EBD133963D
                          SHA1:532705AEF15A2B7718AE9E35D197940D20A802C9
                          SHA-256:DB12C10C7A1FB68D8E5CD6FDDB268C66A5BB0EA854B58E63821281235C43C98D
                          SHA-512:9374F982C879D9468ED83508E31A4569331129C86B66DD92D31ECAB650ADE0471460D496D86ADE738966D11A1040886951AAC549CAB7C17A44E39F526D9E5381
                          Malicious:false
                          Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\WebData

                          Download File
                          Process:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                          Category:dropped
                          Size (bytes):196608
                          Entropy (8bit):1.1221538113908904
                          Encrypted:false
                          SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
                          MD5:C1AE02DC8BFF5DD65491BF71C0B740A7
                          SHA1:6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
                          SHA-256:CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
                          SHA-512:01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
                          Malicious:false
                          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          Static File Info

                          General

                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):7.986436183247594
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          • Win32 Executable (generic) a (10002005/4) 49.78%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          • DOS Executable Generic (2002/1) 0.01%
                          File name:Purchase Order AB013058.PDF.exe
                          File size:935'936 bytes
                          MD5:117e72c314048bfd7264c1b83c1a9931
                          SHA1:a7a9d25a085f5e5a0ced2d86e798ab1bae6194c0
                          SHA256:bf1e5ff2ad400cc092cceafd720b1f0b9ae0a7391335d2445c65c78d0393e048
                          SHA512:81212351d94f6c458f2bf5a3b182e79f6b8bfdeddea537a9a515fed08d7940ddc026b18cae9ecd9e721f368ec4e3306d0ba2f4c2446339a69e64207c02a0fc00
                          SSDEEP:12288:y5beXOtX7f6dLk41ZDnwdSY+iuPbBDiaqsFvGncN16NQQ+UAKlZVoEDhLnz:yReXAXL6v0dSya9HrAcN9LKlZND5z
                          TLSH:03152331B75482BBD69F95FB4866878C03A1E61D0402C35D9DFDE98ABBF32215270B72
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Cg..............0..@..........*^... ...`....@.. ....................................@................................

                          File Icon

                          Icon Hash:00928e8e8686b000

                          Static PE Info

                          General

                          Entrypoint:0x4e5e2a
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0x6743E4B8 [Mon Nov 25 02:45:12 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                          Entrypoint Preview

                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al

                          Data Directories

                          NameVirtual AddressVirtual Size Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_IMPORT0xe5dd80x4f.text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xe60000x388.rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xe80000xc.reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                          Sections

                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                          .text0x20000xe3e300xe400005f4bfa515fc66b26586de27ccd4e3feFalse0.9694524396929824data7.9891120534403175IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .rsrc0xe60000x3880x4000c1e532bc4d8a930d48642527e7fb485False0.3779296875data2.873725469366483IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc0xe80000xc0x2001d04ea5512dd2e943d059719f27ba066False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                          Resources

                          NameRVASizeTypeLanguageCountryZLIB Complexity
                          RT_VERSION0xe60580x32cdata0.43472906403940886

                          Imports

                          DLLImport
                          mscoree.dll_CorExeMain

                          Network Behavior

                          Suricata IDS Alerts

                          TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                          2024-11-25T14:25:26.381872+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.949712162.55.60.280TCP

                          Network Port Distribution

                          TCP Packets

                          TimestampSource PortDest PortSource IPDest IP
                          Nov 25, 2024 14:25:24.981843948 CET4971280192.168.2.9162.55.60.2
                          Nov 25, 2024 14:25:25.102082014 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:25.102165937 CET4971280192.168.2.9162.55.60.2
                          Nov 25, 2024 14:25:25.102519989 CET4971280192.168.2.9162.55.60.2
                          Nov 25, 2024 14:25:25.222763062 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.381805897 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.381871939 CET4971280192.168.2.9162.55.60.2
                          Nov 25, 2024 14:25:26.381901026 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.381933928 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.381948948 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.381967068 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.381970882 CET4971280192.168.2.9162.55.60.2
                          Nov 25, 2024 14:25:26.381995916 CET4971280192.168.2.9162.55.60.2
                          Nov 25, 2024 14:25:26.382016897 CET4971280192.168.2.9162.55.60.2
                          Nov 25, 2024 14:25:26.382059097 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.382075071 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.382091999 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.382095098 CET4971280192.168.2.9162.55.60.2
                          Nov 25, 2024 14:25:26.382138968 CET4971280192.168.2.9162.55.60.2
                          Nov 25, 2024 14:25:26.382169008 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.382183075 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.382224083 CET4971280192.168.2.9162.55.60.2
                          Nov 25, 2024 14:25:26.503415108 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.503484011 CET4971280192.168.2.9162.55.60.2
                          Nov 25, 2024 14:25:26.503740072 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.503885984 CET4971280192.168.2.9162.55.60.2
                          Nov 25, 2024 14:25:26.507242918 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.507309914 CET4971280192.168.2.9162.55.60.2
                          Nov 25, 2024 14:25:26.573750973 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.573852062 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.573913097 CET4971280192.168.2.9162.55.60.2
                          Nov 25, 2024 14:25:26.578039885 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.578167915 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.578257084 CET4971280192.168.2.9162.55.60.2
                          Nov 25, 2024 14:25:26.587027073 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.587088108 CET4971280192.168.2.9162.55.60.2
                          Nov 25, 2024 14:25:26.587208033 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.587421894 CET4971280192.168.2.9162.55.60.2
                          Nov 25, 2024 14:25:26.595057011 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.595110893 CET4971280192.168.2.9162.55.60.2
                          Nov 25, 2024 14:25:26.595165968 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.595221996 CET4971280192.168.2.9162.55.60.2
                          Nov 25, 2024 14:25:26.603106976 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.603260994 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:25:26.603271008 CET4971280192.168.2.9162.55.60.2
                          Nov 25, 2024 14:25:26.603828907 CET4971280192.168.2.9162.55.60.2
                          Nov 25, 2024 14:27:14.620898008 CET4971280192.168.2.9162.55.60.2
                          Nov 25, 2024 14:27:14.743328094 CET8049712162.55.60.2192.168.2.9
                          Nov 25, 2024 14:27:14.743537903 CET4971280192.168.2.9162.55.60.2

                          UDP Packets

                          TimestampSource PortDest PortSource IPDest IP
                          Nov 25, 2024 14:25:24.666637897 CET4998153192.168.2.91.1.1.1
                          Nov 25, 2024 14:25:24.975039005 CET53499811.1.1.1192.168.2.9

                          DNS Queries

                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                          Nov 25, 2024 14:25:24.666637897 CET192.168.2.91.1.1.10xf4c2Standard query (0)showip.netA (IP address)IN (0x0001)false

                          DNS Answers

                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                          Nov 25, 2024 14:25:24.975039005 CET1.1.1.1192.168.2.90xf4c2No error (0)showip.net162.55.60.2A (IP address)IN (0x0001)false

                          HTTP Request Dependency Graph

                          • showip.net

                          HTTP Packets

                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                          0192.168.2.949712162.55.60.2807928C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          TimestampBytes transferredDirectionData
                          Nov 25, 2024 14:25:25.102519989 CET58OUTGET / HTTP/1.1
                          User-Agent: Project1
                          Host: showip.net
                          Nov 25, 2024 14:25:26.381805897 CET1236INHTTP/1.1 200 OK
                          Access-Control-Allow-Headers: *
                          Access-Control-Allow-Methods: *
                          Access-Control-Allow-Origin: *
                          Content-Type: text/html;charset=utf-8
                          Date: Mon, 25 Nov 2024 13:25:26 GMT
                          Server: Caddy
                          Transfer-Encoding: chunked
                          Data Raw: 34 36 66 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 0a 20 20 20 20 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 4c 36 4e 4b 54 35 47 36 44 37 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 20 20 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0a 0a 20 20 20 20 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 47 2d 4c 36 4e 4b 54 35 47 36 44 37 27 29 3b 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e [TRUNCATED]
                          Data Ascii: 46f8<!DOCTYPE html><html lang="en"> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=G-L6NKT5G6D7"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-L6NKT5G6D7'); </script> <script async src="https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1" nonce="a8sPTFY01S1bvA7Euc8gkg"></script><script nonce="a8sPTFY01S1bvA7Euc8gkg">(function() {function signalGooglefcPresent() {if (!window.frames['googlefcPresent']) {if (document.body) {const iframe = document.createElement('iframe'); iframe.style = 'width: 0; height: 0; border: none; z-index: -1000; left: -1000px; top: -1000px;'; iframe.style.display = 'none'; iframe.name = 'googlefcPresent'; document.body.appendChild(iframe);} else {setTimeout(signalGooglefcPresent, 0);}}}signalGooglefcPresent();})();</script> <script> (function(){'use strict';fun
                          Nov 25, 2024 14:25:26.381901026 CET1236INData Raw: 63 74 69 6f 6e 20 61 61 28 61 29 7b 76 61 72 20 62 3d 30 3b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 62 3c 61 2e 6c 65 6e 67 74 68 3f 7b 64 6f 6e 65 3a 21 31 2c 76 61 6c 75 65 3a 61 5b 62 2b 2b 5d 7d 3a 7b 64 6f
                          Data Ascii: ction aa(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var ba="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype||a==Object.prototype)return a;a[b]=c.value;
                          Nov 25, 2024 14:25:26.381933928 CET1236INData Raw: 76 61 72 20 63 20 69 6e 20 62 29 69 66 28 22 70 72 6f 74 6f 74 79 70 65 22 21 3d 63 29 69 66 28 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 69 65 73 29 7b 76 61 72 20 64 3d 4f 62 6a 65 63 74 2e 67 65 74 4f 77 6e 50 72 6f 70 65 72
                          Data Ascii: var c in b)if("prototype"!=c)if(Object.defineProperties){var d=Object.getOwnPropertyDescriptor(b,c);d&&Object.defineProperty(a,c,d)}else a[c]=b[c];a.A=b.prototype}function ma(){for(var a=Number(this),b=[],c=a;c<arguments.length;c++)b[c-a]=argu
                          Nov 25, 2024 14:25:26.381948948 CET1236INData Raw: 67 65 22 29 29 7c 7c 28 43 28 29 3f 41 28 22 4d 69 63 72 6f 73 6f 66 74 20 45 64 67 65 22 29 3a 42 28 22 45 64 67 2f 22 29 29 7c 7c 43 28 29 26 26 41 28 22 4f 70 65 72 61 22 29 29 3b 76 61 72 20 73 61 3d 7b 7d 2c 45 3d 6e 75 6c 6c 3b 76 61 72 20
                          Data Ascii: ge"))||(C()?A("Microsoft Edge"):B("Edg/"))||C()&&A("Opera"));var sa={},E=null;var ta="undefined"!==typeof Uint8Array,ua=!ra&&"function"===typeof btoa;var F="function"===typeof Symbol&&"symbol"===typeof Symbol()?Symbol():void 0,G=F?function(a,b
                          Nov 25, 2024 14:25:26.381967068 CET1236INData Raw: 61 79 28 61 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 29 3b 64 3d 48 28 61 29 3b 69 66 28 64 26 36 34 29 72 65 74 75 72 6e 20 61 3b 64 7c 3d 36 34 3b 69 66 28 63 26 26 28 64 7c 3d 35 31 32 2c 63 21 3d 3d 61 5b 30 5d 29 29 74 68 72 6f 77 20 45 72
                          Data Ascii: ay(a))throw Error();d=H(a);if(d&64)return a;d|=64;if(c&&(d|=512,c!==a[0]))throw Error();a:{c=a;var e=c.length;if(e){var f=e-1,g=c[f];if(N(g)){d|=256;b=(d>>9&1)-1;e=f-b;1024<=e&&(za(c,b,g),e=1023);d=d&-2095105|(e&1023)<<11;break a}}b&&(g=(d>>9&
                          Nov 25, 2024 14:25:26.382059097 CET1236INData Raw: 3d 62 5b 28 77 26 31 35 29 3c 3c 32 7c 68 3e 3e 36 5d 3b 68 3d 62 5b 68 26 36 33 5d 3b 63 5b 65 2b 2b 5d 3d 67 2b 6b 2b 77 2b 68 7d 67 3d 30 3b 68 3d 64 3b 73 77 69 74 63 68 28 61 2e 6c 65 6e 67 74 68 2d 66 29 7b 63 61 73 65 20 32 3a 67 3d 61 5b
                          Data Ascii: =b[(w&15)<<2|h>>6];h=b[h&63];c[e++]=g+k+w+h}g=0;h=d;switch(a.length-f){case 2:g=a[f+1],h=b[(g&15)<<2]||d;case 1:a=a[f],c[e]=b[a>>2]+b[(a&3)<<4|g>>4]+h+d}a=c.join("")}return a}}return a};function Ba(a,b,c){a=Array.prototype.slice.call(a);var d=
                          Nov 25, 2024 14:25:26.382075071 CET1236INData Raw: 75 72 6e 20 61 7d 7d 66 75 6e 63 74 69 6f 6e 20 48 61 28 61 2c 62 2c 63 29 7b 76 61 72 20 64 3d 63 7c 7c 62 26 32 3f 4b 3a 78 61 2c 65 3d 21 21 28 62 26 33 32 29 3b 61 3d 42 61 28 61 2c 62 2c 66 75 6e 63 74 69 6f 6e 28 66 29 7b 72 65 74 75 72 6e
                          Data Ascii: urn a}}function Ha(a,b,c){var d=c||b&2?K:xa,e=!!(b&32);a=Ba(a,b,function(f){return Ga(f,e,d)});G(a,32|(c?2:0));return a};function Ia(a,b){a=a.h;return Ja(a,J(a),b)}function Ja(a,b,c,d){if(-1===c)return null;if(c>=L(b)){if(b&256)return a[a.leng
                          Nov 25, 2024 14:25:26.382091999 CET1236INData Raw: 74 6f 4a 53 4f 4e 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 61 3d 45 61 28 74 68 69 73 2e 68 2c 46 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 2c 21 31 29 3b 72 65 74 75 72 6e 20 50 61 28 74 68 69 73 2c 61 2c 21 30 29 7d 3b 54 2e
                          Data Ascii: toJSON=function(){var a=Ea(this.h,Fa,void 0,void 0,!1,!1);return Pa(this,a,!0)};T.prototype.s=M;T.prototype.toString=function(){return Pa(this,this.h,!1).toString()}; function Pa(a,b,c){var d=a.constructor.v,e=L(J(c?a.h:b)),f=!1;if(d){if
                          Nov 25, 2024 14:25:26.382169008 CET48INData Raw: 28 61 29 7b 74 68 69 73 2e 68 3d 52 28 61 29 7d 6e 28 52 61 2c 54 29 3b 76 61 72 20 53 61 3d 51 61 28 52 61 29 3b 76 61 72 20 55 3b 66 75 6e 63
                          Data Ascii: (a){this.h=R(a)}n(Ra,T);var Sa=Qa(Ra);var U;func
                          Nov 25, 2024 14:25:26.382183075 CET1236INData Raw: 74 69 6f 6e 20 56 28 61 29 7b 74 68 69 73 2e 67 3d 61 7d 56 2e 70 72 6f 74 6f 74 79 70 65 2e 74 6f 53 74 72 69 6e 67 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 74 68 69 73 2e 67 2b 22 22 7d 3b 76 61 72 20 54 61 3d 7b 7d 3b 66 75 6e
                          Data Ascii: tion V(a){this.g=a}V.prototype.toString=function(){return this.g+""};var Ta={};function Ua(){return Math.floor(2147483648*Math.random()).toString(36)+Math.abs(Math.floor(2147483648*Math.random())^Date.now()).toString(36)};function Va(a,b){b=St
                          Nov 25, 2024 14:25:26.503415108 CET1236INData Raw: 70 62 6d 63 67 64 47 68 70 63 79 42 74 5a 58 4e 7a 59 57 64 6c 49 47 4a 6c 59 32 46 31 63 32 55 67 59 57 51 67 62 33 49 67 63 32 4e 79 61 58 42 30 49 47 4a 73 62 32 4e 72 61 57 35 6e 49 48 4e 76 5a 6e 52 33 59 58 4a 6c 49 47 6c 7a 49 47 6c 75 64
                          Data Ascii: pbmcgdGhpcyBtZXNzYWdlIGJlY2F1c2UgYWQgb3Igc2NyaXB0IGJsb2NraW5nIHNvZnR3YXJlIGlzIGludGVyZmVyaW5nIHdpdGggdGhpcyBwYWdlLg=="),bb=p.atob("RGlzYWJsZSBhbnkgYWQgb3Igc2NyaXB0IGJsb2NraW5nIHNvZnR3YXJlLCB0aGVuIHJlbG9hZCB0aGlzIHBhZ2Uu");function db(a,b,c){th


                          Statistics

                          CPU Usage

                          Click to jump to process

                          Memory Usage

                          Click to jump to process

                          High Level Behavior Distribution

                          Click to dive into process behavior distribution

                          Behavior

                          Click to jump to process

                          System Behavior

                          General

                          Target ID:1
                          Start time:08:25:12
                          Start date:25/11/2024
                          Path:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe"
                          Imagebase:0xc0000
                          File size:935'936 bytes
                          MD5 hash:117E72C314048BFD7264C1B83C1A9931
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.1480377578.0000000004ED0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000001.00000002.1478270364.000000000408A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000001.00000002.1478270364.000000000408A000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000001.00000002.1478270364.0000000003581000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000001.00000002.1478270364.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000001.00000002.1478270364.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                          Reputation:low
                          Has exited:true

                          General

                          Target ID:3
                          Start time:08:25:18
                          Start date:25/11/2024
                          Path:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe"
                          Imagebase:0xf0000
                          File size:935'936 bytes
                          MD5 hash:117E72C314048BFD7264C1B83C1A9931
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:low
                          Has exited:true

                          General

                          Target ID:4
                          Start time:08:25:18
                          Start date:25/11/2024
                          Path:C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\Purchase Order AB013058.PDF.exe"
                          Imagebase:0xf80000
                          File size:935'936 bytes
                          MD5 hash:117E72C314048BFD7264C1B83C1A9931
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:false

                          General

                          Target ID:5
                          Start time:08:25:21
                          Start date:25/11/2024
                          Path:C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                          Imagebase:0x930000
                          File size:418'304 bytes
                          MD5 hash:64ACA4F48771A5BA50CD50F2410632AD
                          Has elevated privileges:true
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:moderate
                          Has exited:true

                          Disassembly

                          Reset < >

                            Execution Graph

                            Execution Coverage:8.5%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:0%
                            Total number of Nodes:39
                            Total number of Limit Nodes:3
                            execution_graph 16343 6e4668 16344 6e4672 16343->16344 16346 6e4758 16343->16346 16347 6e477d 16346->16347 16351 6e4868 16347->16351 16355 6e4858 16347->16355 16353 6e488f 16351->16353 16352 6e496c 16352->16352 16353->16352 16359 6e44b0 16353->16359 16357 6e488f 16355->16357 16356 6e496c 16356->16356 16357->16356 16358 6e44b0 CreateActCtxA 16357->16358 16358->16356 16360 6e58f8 CreateActCtxA 16359->16360 16362 6e59bb 16360->16362 16373 b260670 CloseHandle 16374 b2606d7 16373->16374 16363 6ecfa0 16364 6ecfe6 GetCurrentProcess 16363->16364 16366 6ed038 GetCurrentThread 16364->16366 16367 6ed031 16364->16367 16368 6ed06e 16366->16368 16369 6ed075 GetCurrentProcess 16366->16369 16367->16366 16368->16369 16372 6ed0ab 16369->16372 16370 6ed0d3 GetCurrentThreadId 16371 6ed104 16370->16371 16372->16370 16375 6ed5f0 DuplicateHandle 16376 6ed686 16375->16376 16377 6eac10 16378 6eac1f 16377->16378 16381 6eacf8 16377->16381 16386 6ead08 16377->16386 16382 6ead3c 16381->16382 16383 6ead19 16381->16383 16382->16378 16383->16382 16384 6eaf40 GetModuleHandleW 16383->16384 16385 6eaf6d 16384->16385 16385->16378 16387 6ead3c 16386->16387 16388 6ead19 16386->16388 16387->16378 16388->16387 16389 6eaf40 GetModuleHandleW 16388->16389 16390 6eaf6d 16389->16390 16390->16378

                            Executed Functions

                            Function 006ECF90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133threadCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 006ED01E
                            • GetCurrentThread.KERNEL32 ref: 006ED05B
                            • GetCurrentProcess.KERNEL32 ref: 006ED098
                            • GetCurrentThreadId.KERNEL32 ref: 006ED0F1
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1476386879.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6e0000_Purchase Order AB013058.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID: u\
                            • API String ID: 2063062207-337357461
                            • Opcode ID: cc3825a562e39bc483c3e7994dc4b0435bed832ca3cf02a03bae433980866ead
                            • Instruction ID: 6e6ed6bf52d774c2c4a71238895c2639fa3ff6243ef28f424d58e0354d607220
                            • Opcode Fuzzy Hash: cc3825a562e39bc483c3e7994dc4b0435bed832ca3cf02a03bae433980866ead
                            • Instruction Fuzzy Hash: 205154B090174ACFDB14CFAAD948BDEBBF1EF48304F248059E409A73A1DB749945CB66
                            Function 006ECFA0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128threadCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 006ED01E
                            • GetCurrentThread.KERNEL32 ref: 006ED05B
                            • GetCurrentProcess.KERNEL32 ref: 006ED098
                            • GetCurrentThreadId.KERNEL32 ref: 006ED0F1
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1476386879.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6e0000_Purchase Order AB013058.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID: u\
                            • API String ID: 2063062207-337357461
                            • Opcode ID: 2709a74f517c9d3c694426b8af71582220202d56cf8b65493b58b2cce3a25c7f
                            • Instruction ID: 423ecbf50336acc7fd12e6f77a81eb1fdf810679bc590a35c0e3666d1188d82c
                            • Opcode Fuzzy Hash: 2709a74f517c9d3c694426b8af71582220202d56cf8b65493b58b2cce3a25c7f
                            • Instruction Fuzzy Hash: 5D5154B090174A8FDB14DFAAD948BDEBBF1EB88304F24C059E409A73A0DB749945CB65
                            Function 006EAD08 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 197COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 44 6ead08-6ead17 45 6ead19-6ead26 call 6ea02c 44->45 46 6ead43-6ead47 44->46 53 6ead3c 45->53 54 6ead28 45->54 47 6ead5b-6ead9c 46->47 48 6ead49-6ead53 46->48 55 6ead9e-6eada6 47->55 56 6eada9-6eadb7 47->56 48->47 53->46 101 6ead2e call 6eafa0 54->101 102 6ead2e call 6eaf90 54->102 55->56 57 6eaddb-6eaddd 56->57 58 6eadb9-6eadbe 56->58 62 6eade0-6eade7 57->62 60 6eadc9 58->60 61 6eadc0-6eadc7 call 6ea038 58->61 59 6ead34-6ead36 59->53 63 6eae78-6eaf38 59->63 64 6eadcb-6eadd9 60->64 61->64 66 6eade9-6eadf1 62->66 67 6eadf4-6eadfb 62->67 94 6eaf3a-6eaf3d 63->94 95 6eaf40-6eaf6b GetModuleHandleW 63->95 64->62 66->67 69 6eadfd-6eae05 67->69 70 6eae08-6eae11 call 6ea048 67->70 69->70 75 6eae1e-6eae23 70->75 76 6eae13-6eae1b 70->76 78 6eae25-6eae2c 75->78 79 6eae41-6eae45 75->79 76->75 78->79 80 6eae2e-6eae3e call 6ea058 call 6ea068 78->80 99 6eae48 call 6eb270 79->99 100 6eae48 call 6eb2a0 79->100 80->79 83 6eae4b-6eae4e 84 6eae50-6eae6e 83->84 85 6eae71-6eae77 83->85 84->85 94->95 96 6eaf6d-6eaf73 95->96 97 6eaf74-6eaf88 95->97 96->97 99->83 100->83 101->59 102->59
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 006EAF5E
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1476386879.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6e0000_Purchase Order AB013058.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID: u\
                            • API String ID: 4139908857-337357461
                            • Opcode ID: 943bde4b24c448e919f549400902f0e14a43a86b599ff4d510ee95d508d9ad87
                            • Instruction ID: 50c3bab8287af430d2a219ade8ad9f93ae89eac3f441147d20e8b2b2725cd3e9
                            • Opcode Fuzzy Hash: 943bde4b24c448e919f549400902f0e14a43a86b599ff4d510ee95d508d9ad87
                            • Instruction Fuzzy Hash: 5F713470A01B458FDB24DF6AD44079ABBF2FF48304F108A2DE48A97B50D774E84ACB91
                            Function 006E44B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 103 6e44b0-6e59b9 CreateActCtxA 107 6e59bb-6e59c1 103->107 108 6e59c2-6e5a1c 103->108 107->108 115 6e5a1e-6e5a21 108->115 116 6e5a2b-6e5a2f 108->116 115->116 117 6e5a40 116->117 118 6e5a31-6e5a3d 116->118 120 6e5a41 117->120 118->117 120->120
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 006E59A9
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1476386879.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6e0000_Purchase Order AB013058.jbxd
                            Similarity
                            • API ID: Create
                            • String ID: u\
                            • API String ID: 2289755597-337357461
                            • Opcode ID: 9b396b96da6965726d5a3111b046d5fd8f5c24889a1cd09957fc864832428001
                            • Instruction ID: 59b018588006ff0dcd2a92aed22882afddabab82f1d94b38e8591f7eca231817
                            • Opcode Fuzzy Hash: 9b396b96da6965726d5a3111b046d5fd8f5c24889a1cd09957fc864832428001
                            • Instruction Fuzzy Hash: 3741D0B0C05759CBDB24CFAAC844BCEBBB6BF49704F20816AD409AB251DB756945CF90
                            Function 006E58EC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 121 6e58ec-6e596c 122 6e596f-6e59b9 CreateActCtxA 121->122 124 6e59bb-6e59c1 122->124 125 6e59c2-6e5a1c 122->125 124->125 132 6e5a1e-6e5a21 125->132 133 6e5a2b-6e5a2f 125->133 132->133 134 6e5a40 133->134 135 6e5a31-6e5a3d 133->135 137 6e5a41 134->137 135->134 137->137
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 006E59A9
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1476386879.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6e0000_Purchase Order AB013058.jbxd
                            Similarity
                            • API ID: Create
                            • String ID: u\
                            • API String ID: 2289755597-337357461
                            • Opcode ID: dcded21f914194fdea0d26b68ee6515418abe3daab8384d7be7b950bb011d459
                            • Instruction ID: 1166f20d72fb8709be10c60f008f7e88b07bb02ec4d9f109ba3bc093ef89d3ed
                            • Opcode Fuzzy Hash: dcded21f914194fdea0d26b68ee6515418abe3daab8384d7be7b950bb011d459
                            • Instruction Fuzzy Hash: D141E1B0D00759CFDB24CFAAC8847DEBBB2BF89304F20816AD409AB291DB755946CF50
                            Function 006ED5E9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 138 6ed5e9-6ed684 DuplicateHandle 139 6ed68d-6ed6aa 138->139 140 6ed686-6ed68c 138->140 140->139
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 006ED677
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1476386879.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6e0000_Purchase Order AB013058.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID: u\
                            • API String ID: 3793708945-337357461
                            • Opcode ID: c27fe91b21ca2bf51df16e4143b5a75817b232b05af192085d7fe10d9adb867a
                            • Instruction ID: 15c6c359c053f700f021fa9cdd7eb2f051957028896d9dd342ef3931d21a98ec
                            • Opcode Fuzzy Hash: c27fe91b21ca2bf51df16e4143b5a75817b232b05af192085d7fe10d9adb867a
                            • Instruction Fuzzy Hash: FC21E3B5901349AFDB10CFAAD485ADEBFF5EB48310F14842AE918A3350D378A951CF61
                            Function 006ED5F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 143 6ed5f0-6ed684 DuplicateHandle 144 6ed68d-6ed6aa 143->144 145 6ed686-6ed68c 143->145 145->144
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 006ED677
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1476386879.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6e0000_Purchase Order AB013058.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID: u\
                            • API String ID: 3793708945-337357461
                            • Opcode ID: b9ddc2792e3855b157f6c36a8c7a4353a9178599358a92a466e488ab4d49017f
                            • Instruction ID: 25a1492fdb1e103e1243cc5aabb1bb7ce3d0b850b5ad15edf11b8e0bed04e5d8
                            • Opcode Fuzzy Hash: b9ddc2792e3855b157f6c36a8c7a4353a9178599358a92a466e488ab4d49017f
                            • Instruction Fuzzy Hash: B621E3B59003499FDB10CF9AD484ADEBBF5EB48310F14801AE918A3350D374A940CF64
                            Function 006EAEF8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 148 6eaef8-6eaf38 149 6eaf3a-6eaf3d 148->149 150 6eaf40-6eaf6b GetModuleHandleW 148->150 149->150 151 6eaf6d-6eaf73 150->151 152 6eaf74-6eaf88 150->152 151->152
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 006EAF5E
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1476386879.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6e0000_Purchase Order AB013058.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID: u\
                            • API String ID: 4139908857-337357461
                            • Opcode ID: 4165a6161dcacbcdacbc4028842da8f19fcd571bb65425ea2e9bc2b089a0bde8
                            • Instruction ID: 597d45cde0afe825012412ef2d717cc493fe72ae4f990e861d4235938d9504f5
                            • Opcode Fuzzy Hash: 4165a6161dcacbcdacbc4028842da8f19fcd571bb65425ea2e9bc2b089a0bde8
                            • Instruction Fuzzy Hash: 15110FB5C003498FDB10CF9AC444ADEFBF5AB88314F10842AD428A7710C379A945CFA1
                            Function 0B260668 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 49COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 154 b260668-b2606d5 CloseHandle 155 b2606d7-b2606dd 154->155 156 b2606de-b260706 154->156 155->156
                            APIs
                            • CloseHandle.KERNELBASE(?), ref: 0B2606C8
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1488829342.000000000B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B260000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b260000_Purchase Order AB013058.jbxd
                            Similarity
                            • API ID: CloseHandle
                            • String ID: u\
                            • API String ID: 2962429428-337357461
                            • Opcode ID: 32ea64d69fd55c288ffb2715fb112293b9febf54ec870df82c8cc94ef72d039a
                            • Instruction ID: 98e6880c0e429fa6f0bf5f03964ad7e1a4e240b2a53939260bfb2e01910c8094
                            • Opcode Fuzzy Hash: 32ea64d69fd55c288ffb2715fb112293b9febf54ec870df82c8cc94ef72d039a
                            • Instruction Fuzzy Hash: 2F1125B5800249CFDB10DF9AD485BEEFBF4EB88320F10845AD558A7640D778A585CFA4
                            Function 0B260670 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 47COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 159 b260670-b2606d5 CloseHandle 160 b2606d7-b2606dd 159->160 161 b2606de-b260706 159->161 160->161
                            APIs
                            • CloseHandle.KERNELBASE(?), ref: 0B2606C8
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1488829342.000000000B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B260000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b260000_Purchase Order AB013058.jbxd
                            Similarity
                            • API ID: CloseHandle
                            • String ID: u\
                            • API String ID: 2962429428-337357461
                            • Opcode ID: b9407caad6caa1fdf1e71f1509e78810b1013db335a447d82bd3bf8f15a1f515
                            • Instruction ID: 311ee8af3a9d5f16e19a6bf7c5888c002a71ebc8996559dfeef30fbbe4260c61
                            • Opcode Fuzzy Hash: b9407caad6caa1fdf1e71f1509e78810b1013db335a447d82bd3bf8f15a1f515
                            • Instruction Fuzzy Hash: 0F11F2B580024ACFDB10DF9AD585BDEBBF4EB48320F10846AD558A7680D778A984CFA5
                            Function 006E5A64 Relevance: 1.6, APIs: 1, Instructions: 100COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 164 6e5a64-6e5af4
                            Memory Dump Source
                            • Source File: 00000001.00000002.1476386879.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6e0000_Purchase Order AB013058.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f7cee538080c40ef40c13f3f7b720f9dcff8b93e4c2c701f871b2bfbbd29b98f
                            • Instruction ID: 6f0eb2e204d67c9c526452c42320ea286e26f19f651fbe86645661f0238a2060
                            • Opcode Fuzzy Hash: f7cee538080c40ef40c13f3f7b720f9dcff8b93e4c2c701f871b2bfbbd29b98f
                            • Instruction Fuzzy Hash: AE41247080ABC8CFDF11CFA9C8447DDBBB2AF42328F14429AC056AB296C775594ACB11
                            Function 0068D3D8 Relevance: .1, Instructions: 75COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.1476184480.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_68d000_Purchase Order AB013058.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9e79f3cfeefd17ab85461a646cc5c714a048b419fa4be93f65c8071c15d2c460
                            • Instruction ID: 7800be050bc67b9f6e7d4da3b43b347e8c4b26c99e89e9f791fb68c0dba2b94d
                            • Opcode Fuzzy Hash: 9e79f3cfeefd17ab85461a646cc5c714a048b419fa4be93f65c8071c15d2c460
                            • Instruction Fuzzy Hash: 9F212871500344DFDB04EF10D9C0B5ABBA6FB98324F24C269D9094B396C336E856CBB2
                            Function 0069D01C Relevance: .1, Instructions: 72COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.1476241334.000000000069D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_69d000_Purchase Order AB013058.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b20a33d7033e7fbed171166e2698774be50cb3cc9e623b32f1a539975700b48d
                            • Instruction ID: 5583b87d90a68187f2131dc29b101c2df2a8bc4bcf55c0c6720fd838b85319bf
                            • Opcode Fuzzy Hash: b20a33d7033e7fbed171166e2698774be50cb3cc9e623b32f1a539975700b48d
                            • Instruction Fuzzy Hash: CF21CF716043449FDF14DF24D984B26BB6AEB84314F24C569D80A4B786C33AD847CA62
                            Function 0069D1D4 Relevance: .1, Instructions: 72COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.1476241334.000000000069D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_69d000_Purchase Order AB013058.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d49e861bf3beeb12765cb296b75348dcebbf0bae991ad56a3321e495a1dc3c3a
                            • Instruction ID: e41da51da43fffbf46978a428eab3f5c0818227fe742caf71326b91ff2624539
                            • Opcode Fuzzy Hash: d49e861bf3beeb12765cb296b75348dcebbf0bae991ad56a3321e495a1dc3c3a
                            • Instruction Fuzzy Hash: BC21D071504344AFDF05DF10D9C0B26BBAAFB84314F24C5B9EA094B796C336D946CA61
                            Function 0069D006 Relevance: .1, Instructions: 61COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.1476241334.000000000069D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_69d000_Purchase Order AB013058.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8a10ad7fc0029822d1044e458cc0bb1cb4523f3b945dc16b68114cde6c3527f1
                            • Instruction ID: d0c4d99fbc8ff8ab2742cb616eb83ffdc1f471001df6e36f4a696a864d6afa99
                            • Opcode Fuzzy Hash: 8a10ad7fc0029822d1044e458cc0bb1cb4523f3b945dc16b68114cde6c3527f1
                            • Instruction Fuzzy Hash: FC219F755083809FCB02CF14D994B51BFB6FB46314F28C5EAD8498F6A7C33A9846CB62
                            Function 0068D3D3 Relevance: .1, Instructions: 56COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.1476184480.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_68d000_Purchase Order AB013058.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                            • Instruction ID: a200652cdabf216bd2f2b6bc3c217922b599f3a04b264d117cb6bd00a61c3dbb
                            • Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                            • Instruction Fuzzy Hash: 0C11D376504240DFCB15DF10D5C4B56BFB2FB94324F24C6A9D8090B796C33AE85ACBA1
                            Function 0069D1CF Relevance: .1, Instructions: 53COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.1476241334.000000000069D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_69d000_Purchase Order AB013058.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                            • Instruction ID: f3ede276e38ce68de2d206ce9b0c94129192bc342e0f8118b467bd0f3140560f
                            • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                            • Instruction Fuzzy Hash: F111BB75504280DFCF01CF10C5C0B55BBA2FB84324F28C6AAD9494BB96C33AD84ACB61
                            Function 0068D759 Relevance: .0, Instructions: 45COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.1476184480.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_68d000_Purchase Order AB013058.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5915378793380481aacb68104dcd57e87bee61ee09e785481d37394d9aae9135
                            • Instruction ID: 64f40c4aecb557a8e8390e08aa9aab51b61c9594362a5b9fb62e7c905a8a9c89
                            • Opcode Fuzzy Hash: 5915378793380481aacb68104dcd57e87bee61ee09e785481d37394d9aae9135
                            • Instruction Fuzzy Hash: E401A271104340AFE710AA66CD84BA6BB99DF41320F18865AED094A2C6C7799840CBB2
                            Function 0068D758 Relevance: .0, Instructions: 36COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.1476184480.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_68d000_Purchase Order AB013058.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 296df6b1e41cdb655668e8051ca179acd1f2598fa5bd47e4fe97a713ba011a18
                            • Instruction ID: e7349ead240c6a807124d44138b6890a09c9b6c23d8f65ffba296e6fedab5778
                            • Opcode Fuzzy Hash: 296df6b1e41cdb655668e8051ca179acd1f2598fa5bd47e4fe97a713ba011a18
                            • Instruction Fuzzy Hash: F7F06D72404344AFEB209A16DD84BA6FFA8EF51725F18C55AED084A3C6C379AC44CBB1

                            Non-executed Functions

                            Function 006ED51C Relevance: .3, Instructions: 264COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.1476386879.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6e0000_Purchase Order AB013058.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 523c22c8002a15b469168d721973417e42c233b23973821fd812e355fe2e1049
                            • Instruction ID: 52b231e163785e44c60894b00e195be9138e92c731602f3f59967bed3748086c
                            • Opcode Fuzzy Hash: 523c22c8002a15b469168d721973417e42c233b23973821fd812e355fe2e1049
                            • Instruction Fuzzy Hash: 7EA12736A01349CFCF05DFA6D8449DEB7B3FF85300B1585BAE805AB265EB71A916CB40

                            Execution Graph

                            Execution Coverage:19.7%
                            Dynamic/Decrypted Code Coverage:0.1%
                            Signature Coverage:0%
                            Total number of Nodes:2000
                            Total number of Limit Nodes:203
                            execution_graph 10388 414841 10389 417877 __vbaErrorOverflow 10388->10389 10394 414854 10388->10394 10390 416047 10391 416074 __vbaNew2 10390->10391 10392 41608e 10390->10392 10391->10392 10402 4160f2 10392->10402 10403 4160cf __vbaHresultCheckObj 10392->10403 10393 4148ea __vbaGenerateBoundsError 10395 4148f6 __vbaStrCat __vbaStrMove 10393->10395 10394->10390 10394->10393 10396 41489a 10394->10396 10399 433f70 10395->10399 10397 4148c1 10396->10397 10398 4148cd __vbaGenerateBoundsError 10396->10398 10397->10395 10398->10397 10400 414933 __vbaAryMove __vbaFreeStr 10399->10400 10400->10390 10401 41496c __vbaUbound __vbaI2I4 10400->10401 10404 4149be 10401->10404 10402->10389 10405 41610b __vbaVarForInit 10402->10405 10403->10402 10404->10390 10406 4149d2 __vbaStrCopy 10404->10406 10414 416167 10405->10414 10407 4338e0 124 API calls 10406->10407 10409 4149f6 __vbaStrMove __vbaStrCopy __vbaStrMove 10407->10409 10408 416665 10410 4166a0 10408->10410 10411 416686 __vbaNew2 10408->10411 10413 4329f0 20 API calls 10409->10413 10420 4166e1 __vbaHresultCheckObj 10410->10420 10421 416704 10410->10421 10411->10410 10412 416187 __vbaNew2 10412->10414 10415 414a50 __vbaStrMove 10413->10415 10414->10408 10414->10412 10422 4161e2 __vbaHresultCheckObj 10414->10422 10428 41620f __vbaChkstk __vbaVarIndexLoad __vbaStrCopy 10414->10428 10416 414ac1 __vbaGenerateBoundsError 10415->10416 10417 414a67 10415->10417 10418 414acd 7 API calls 10416->10418 10417->10416 10419 414a72 10417->10419 10425 414f16 10418->10425 10426 414bae 10418->10426 10423 414aa4 __vbaGenerateBoundsError 10419->10423 10424 414a98 10419->10424 10420->10421 10421->10389 10432 41671d __vbaVarForInit 10421->10432 10422->10428 10423->10424 10424->10418 10427 414f82 __vbaGenerateBoundsError 10425->10427 10430 414f32 10425->10430 10429 414c1a __vbaGenerateBoundsError 10426->10429 10435 414bca 10426->10435 10431 414f8e 6 API calls 10427->10431 10433 4338e0 124 API calls 10428->10433 10434 414c26 #712 __vbaStrMove __vbaLenBstr #709 10429->10434 10439 414f65 __vbaGenerateBoundsError 10430->10439 10440 414f59 10430->10440 10441 41501b 10431->10441 10442 41537a __vbaStrCopy 10431->10442 10537 416779 10432->10537 10443 416274 __vbaStrMove __vbaStrCopy __vbaStrMove 10433->10443 10434->10389 10438 414ca3 #619 __vbaStrVarMove __vbaStrMove __vbaFreeVar __vbaStrCopy 10434->10438 10436 414bf1 10435->10436 10437 414bfd __vbaGenerateBoundsError 10435->10437 10436->10434 10437->10436 10444 4338e0 124 API calls 10438->10444 10439->10440 10440->10431 10446 415087 __vbaGenerateBoundsError 10441->10446 10452 415037 10441->10452 10445 4338e0 124 API calls 10442->10445 10447 4329f0 20 API calls 10443->10447 10450 414d02 __vbaStrMove __vbaStrCopy __vbaStrMove 10444->10450 10451 41539e __vbaStrMove __vbaStrCopy __vbaStrMove 10445->10451 10455 41505e 10446->10455 10454 4162ce 9 API calls 10447->10454 10448 416a3d __vbaStrCopy 10449 4338e0 124 API calls 10448->10449 10456 416a61 __vbaStrMove __vbaStrCopy __vbaStrMove 10449->10456 10457 4329f0 20 API calls 10450->10457 10458 4329f0 20 API calls 10451->10458 10452->10455 10459 41506a __vbaGenerateBoundsError 10452->10459 10453 416799 __vbaNew2 10453->10537 10460 4163dd __vbaNew2 10454->10460 10517 4163f7 10454->10517 10461 4150f8 __vbaGenerateBoundsError 10455->10461 10462 4150a8 10455->10462 10463 416ac7 __vbaGenerateBoundsError 10456->10463 10464 416abb 10456->10464 10466 414d5c __vbaStrMove 10457->10466 10467 4153f8 __vbaStrMove 10458->10467 10459->10455 10460->10517 10465 415104 __vbaAryLock 10461->10465 10468 4150db __vbaGenerateBoundsError 10462->10468 10469 4150cf 10462->10469 10463->10464 10477 4329f0 20 API calls 10464->10477 10470 41511b 10465->10470 10471 41516e __vbaGenerateBoundsError 10465->10471 10472 414d70 __vbaNew2 10466->10472 10473 414d8a 10466->10473 10474 41546b __vbaGenerateBoundsError 10467->10474 10475 41540f 10467->10475 10468->10469 10469->10465 10470->10471 10478 415124 10470->10478 10481 41517a __vbaLenBstr #709 10471->10481 10472->10473 10488 414e1a __vbaGenerateBoundsError 10473->10488 10498 414dca 10473->10498 10479 415477 7 API calls 10474->10479 10475->10474 10480 41541b 10475->10480 10476 4167f4 __vbaHresultCheckObj 10482 416821 __vbaChkstk __vbaVarIndexLoad 10476->10482 10484 416ae6 __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCopy 10477->10484 10485 415151 __vbaGenerateBoundsError 10478->10485 10486 415145 10478->10486 10491 415557 10479->10491 10492 4158be 10479->10492 10489 415442 10480->10489 10490 41544e __vbaGenerateBoundsError 10480->10490 10481->10389 10487 4151da #619 __vbaAryUnlock __vbaStrVarMove __vbaStrMove __vbaFreeVar 10481->10487 10499 416882 __vbaNew2 10482->10499 10482->10537 10483 416438 __vbaHresultCheckObj 10500 416465 __vbaChkstk __vbaVarIndexLoad 10483->10500 10494 4338e0 124 API calls 10484->10494 10485->10486 10486->10481 10495 415246 10487->10495 10496 41522c __vbaNew2 10487->10496 10497 414e26 __vbaStrMove __vbaStrCat 10488->10497 10489->10479 10490->10489 10493 4155c2 __vbaGenerateBoundsError 10491->10493 10502 415573 10491->10502 10501 415929 __vbaGenerateBoundsError 10492->10501 10509 4158da 10492->10509 10507 4155ce #712 __vbaStrMove __vbaLenBstr #709 10493->10507 10503 416b5a __vbaStrMove __vbaStrCopy __vbaStrMove 10494->10503 10515 4152d6 __vbaGenerateBoundsError 10495->10515 10523 415286 10495->10523 10496->10495 10516 414e97 10497->10516 10504 414df1 10498->10504 10505 414dfd __vbaGenerateBoundsError 10498->10505 10499->10537 10508 4164c6 __vbaNew2 10500->10508 10500->10517 10506 415935 __vbaInStr 10501->10506 10510 4155a5 __vbaGenerateBoundsError 10502->10510 10511 415599 10502->10511 10513 416bc0 __vbaGenerateBoundsError 10503->10513 10514 416bb4 10503->10514 10504->10497 10505->10504 10520 415bdb 10506->10520 10521 41595f 10506->10521 10507->10389 10512 41564b #619 __vbaStrVarMove __vbaStrMove __vbaFreeVar __vbaStrCopy 10507->10512 10508->10517 10518 415900 10509->10518 10519 41590c __vbaGenerateBoundsError 10509->10519 10510->10511 10511->10507 10522 4338e0 124 API calls 10512->10522 10513->10514 10530 4329f0 20 API calls 10514->10530 10527 4152e2 __vbaStrCat 10515->10527 10525 414ea8 __vbaHresultCheckObj 10516->10525 10526 414ecb 10516->10526 10517->10483 10517->10500 10549 416521 __vbaHresultCheckObj 10517->10549 10560 41654e 6 API calls 10517->10560 10518->10506 10519->10518 10524 415c46 __vbaGenerateBoundsError 10520->10524 10534 415bf7 10520->10534 10528 4159cb __vbaGenerateBoundsError 10521->10528 10539 41597b 10521->10539 10529 4156aa __vbaStrMove __vbaStrCopy __vbaStrMove 10522->10529 10532 4152b9 __vbaGenerateBoundsError 10523->10532 10533 4152ad 10523->10533 10531 415c52 6 API calls 10524->10531 10535 414ed5 __vbaFreeStrList __vbaFreeVar 10525->10535 10526->10535 10545 415330 10527->10545 10536 4159d7 #712 __vbaStrMove __vbaLenBstr #709 10528->10536 10541 4329f0 20 API calls 10529->10541 10542 416bdf __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCopy 10530->10542 10546 41603b 10531->10546 10547 415cdf 10531->10547 10532->10533 10533->10527 10543 415c29 __vbaGenerateBoundsError 10534->10543 10544 415c1d 10534->10544 10535->10425 10536->10389 10540 415a54 #619 __vbaStrVarMove __vbaStrMove __vbaFreeVar 10536->10540 10537->10448 10537->10453 10537->10476 10537->10482 10538 4168dd __vbaHresultCheckObj 10537->10538 10548 41690a 8 API calls 10537->10548 10538->10548 10550 4159a2 10539->10550 10551 4159ae __vbaGenerateBoundsError 10539->10551 10552 415ab6 10540->10552 10553 415a9c __vbaNew2 10540->10553 10554 415704 __vbaStrMove 10541->10554 10555 4338e0 124 API calls 10542->10555 10543->10544 10544->10531 10556 415341 __vbaHresultCheckObj 10545->10556 10557 415364 10545->10557 10558 415d4a __vbaGenerateBoundsError 10547->10558 10565 415cfb 10547->10565 10808 4258c0 __vbaChkstk __vbaOnError 10548->10808 10549->10560 10550->10536 10551->10550 10561 415abf __vbaAryLock 10552->10561 10553->10561 10562 415718 __vbaNew2 10554->10562 10577 415732 10554->10577 10563 416c53 __vbaStrMove __vbaStrCopy __vbaStrMove 10555->10563 10564 41536e __vbaFreeVar 10556->10564 10557->10564 10579 415d21 10558->10579 10665 420f00 20 API calls 10560->10665 10568 415af8 10561->10568 10569 415b4b __vbaGenerateBoundsError 10561->10569 10562->10577 10570 416cb9 __vbaGenerateBoundsError 10563->10570 10578 416cad 10563->10578 10564->10442 10571 415d2d __vbaGenerateBoundsError 10565->10571 10565->10579 10566 4169af __vbaStrMove __vbaFreeStrList __vbaFreeVarList __vbaVarForNext 10566->10537 10568->10569 10575 415b01 10568->10575 10574 415b22 10569->10574 10570->10578 10571->10579 10572 415dba __vbaGenerateBoundsError 10581 415dc6 __vbaAryLock 10572->10581 10598 415ba4 __vbaHresultCheckObj 10574->10598 10599 415bc7 10574->10599 10575->10574 10583 415b2e __vbaGenerateBoundsError 10575->10583 10576 4157c1 __vbaGenerateBoundsError 10582 4157cd __vbaStrMove __vbaStrCat 10576->10582 10577->10576 10584 415772 10577->10584 10585 4329f0 20 API calls 10578->10585 10579->10572 10580 415d6b 10579->10580 10586 415d91 10580->10586 10587 415d9d __vbaGenerateBoundsError 10580->10587 10588 415e30 __vbaGenerateBoundsError 10581->10588 10589 415ddd 10581->10589 10600 41583f 10582->10600 10583->10574 10591 4157a4 __vbaGenerateBoundsError 10584->10591 10592 415798 10584->10592 10593 416cd8 __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCopy 10585->10593 10586->10581 10587->10586 10589->10588 10591->10592 10592->10582 10601 4338e0 124 API calls 10593->10601 10607 416d4c __vbaStrMove __vbaStrCopy __vbaStrMove 10601->10607 10609 416db2 __vbaGenerateBoundsError 10607->10609 10610 416da6 10607->10610 10609->10610 10614 4329f0 20 API calls 10610->10614 10617 416dd1 __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCopy 10614->10617 10619 4338e0 124 API calls 10617->10619 10622 416e45 __vbaStrMove __vbaStrCopy __vbaStrMove 10619->10622 10624 416eab __vbaGenerateBoundsError 10622->10624 10625 416e9f 10622->10625 10624->10625 10626 4329f0 20 API calls 10625->10626 10666 421e33 __vbaStrCopy __vbaStrToAnsi 10665->10666 10667 4211dd 10665->10667 11865 409168 10666->11865 11615 43dac0 __vbaStrToAnsi 10667->11615 10809 433f70 10808->10809 10810 425939 __vbaAryMove __vbaUbound __vbaI2I4 10809->10810 10811 4259a1 10810->10811 10812 4259b5 __vbaStrCopy 10811->10812 10813 4260b9 6 API calls 10811->10813 10815 4338e0 124 API calls 10812->10815 10813->10566 10816 4259d3 __vbaStrMove __vbaStrCopy __vbaStrMove 10815->10816 10817 4329f0 20 API calls 10816->10817 10818 425a18 __vbaStrMove 10817->10818 10819 425a29 10818->10819 10820 425a7c __vbaGenerateBoundsError 10818->10820 10819->10820 10821 425a32 10819->10821 10822 425a88 __vbaStrMove __vbaStrCat 10820->10822 10823 425a53 10821->10823 10824 425a5f __vbaGenerateBoundsError 10821->10824 10825 425b21 __vbaGenerateBoundsError 10822->10825 10826 425ace 10822->10826 10823->10822 10824->10823 10828 425b2d 9 API calls 10825->10828 10826->10825 10827 425ad7 10826->10827 10829 425b04 __vbaGenerateBoundsError 10827->10829 10830 425af8 10827->10830 10831 425f2c __vbaStrCopy 10828->10831 10832 425c0d #716 __vbaVarZero 10828->10832 10829->10830 10830->10828 10835 4338e0 124 API calls 10831->10835 10833 425ca0 __vbaGenerateBoundsError 10832->10833 10834 425c4d 10832->10834 10837 425cac 8 API calls 10833->10837 10834->10833 10836 425c56 10834->10836 10838 425f4a __vbaStrMove __vbaStrCopy __vbaStrMove 10835->10838 10839 425c83 __vbaGenerateBoundsError 10836->10839 10840 425c77 10836->10840 10841 4338e0 124 API calls 10837->10841 10842 4329f0 20 API calls 10838->10842 10839->10840 10840->10837 10843 425da8 __vbaStrMove __vbaStrCopy __vbaStrMove 10841->10843 10844 425f8f 11 API calls 10842->10844 10845 4329f0 20 API calls 10843->10845 10844->10566 10846 425ded __vbaStrMove __vbaStrCat __vbaStrMove 10845->10846 10847 425e1b 10846->10847 10848 425e6e __vbaGenerateBoundsError 10846->10848 10847->10848 10849 425e24 10847->10849 10850 425e7a __vbaStrMove __vbaStrCat __vbaStrMove 10848->10850 10851 425e51 __vbaGenerateBoundsError 10849->10851 10852 425e45 10849->10852 12186 428470 __vbaOnError 10850->12186 10851->10852 10852->10850 11867 4092e0 11615->11867 11866 409171 11865->11866 11868 4092e9 11867->11868 12187 4286ab __vbaStrToAnsi 12186->12187 12188 428598 12186->12188 13189 4139d8 13190 417877 __vbaErrorOverflow 13189->13190 13191 4139e9 13189->13191 13192 4147f0 __vbaUbound __vbaI2I4 13191->13192 13193 4139fe __vbaStrCopy 13191->13193 13199 41485a 13192->13199 13194 4338e0 124 API calls 13193->13194 13195 413a22 __vbaStrMove __vbaStrCopy __vbaStrMove 13194->13195 13196 4329f0 20 API calls 13195->13196 13198 413a7c __vbaStrMove 13196->13198 13200 413ae0 __vbaGenerateBoundsError 13198->13200 13201 413a90 13198->13201 13202 416047 13199->13202 13209 4148ea __vbaGenerateBoundsError 13199->13209 13214 41489a 13199->13214 13204 413aec 7 API calls 13200->13204 13201->13200 13203 413a99 13201->13203 13207 416074 __vbaNew2 13202->13207 13208 41608e 13202->13208 13210 413ac3 __vbaGenerateBoundsError 13203->13210 13211 413ab7 13203->13211 13205 4147e4 13204->13205 13206 413bca __vbaStrCopy 13204->13206 13205->13190 13212 4338e0 124 API calls 13206->13212 13207->13208 13223 4160f2 13208->13223 13224 4160cf __vbaHresultCheckObj 13208->13224 13213 4148f6 __vbaStrCat __vbaStrMove 13209->13213 13210->13211 13211->13204 13215 413bee __vbaStrMove __vbaStrCopy __vbaStrMove 13212->13215 13218 433f70 13213->13218 13216 4148c1 13214->13216 13217 4148cd __vbaGenerateBoundsError 13214->13217 13220 4329f0 20 API calls 13215->13220 13216->13213 13217->13216 13219 414933 __vbaAryMove __vbaFreeStr 13218->13219 13219->13202 13221 41496c __vbaUbound __vbaI2I4 13219->13221 13222 413c48 __vbaStrMove 13220->13222 13225 4149be 13221->13225 13226 413c76 13222->13226 13227 413c5c __vbaNew2 13222->13227 13223->13190 13228 41610b __vbaVarForInit 13223->13228 13224->13223 13225->13202 13229 4149d2 __vbaStrCopy 13225->13229 13231 413ce3 __vbaGenerateBoundsError 13226->13231 13235 413c9c 13226->13235 13227->13226 13242 416167 13228->13242 13230 4338e0 124 API calls 13229->13230 13233 4149f6 __vbaStrMove __vbaStrCopy __vbaStrMove 13230->13233 13234 413cef __vbaStrMove __vbaStrCat __vbaChkstk 13231->13234 13232 416665 13236 4166a0 13232->13236 13237 416686 __vbaNew2 13232->13237 13239 4329f0 20 API calls 13233->13239 13244 413d89 13234->13244 13240 413cc6 __vbaGenerateBoundsError 13235->13240 13241 413cba 13235->13241 13253 4166e1 __vbaHresultCheckObj 13236->13253 13254 416704 13236->13254 13237->13236 13238 416187 __vbaNew2 13238->13242 13243 414a50 __vbaStrMove 13239->13243 13240->13241 13241->13234 13242->13232 13242->13238 13255 4161e2 __vbaHresultCheckObj 13242->13255 13262 41620f __vbaChkstk __vbaVarIndexLoad __vbaStrCopy 13242->13262 13245 414ac1 __vbaGenerateBoundsError 13243->13245 13246 414a67 13243->13246 13247 413dc0 13244->13247 13248 413d9a __vbaHresultCheckObj 13244->13248 13250 414acd 7 API calls 13245->13250 13246->13245 13251 414a72 13246->13251 13249 413dca __vbaFreeStrList __vbaFreeVar __vbaStrCopy 13247->13249 13248->13249 13252 4338e0 124 API calls 13249->13252 13258 414f16 13250->13258 13259 414bae 13250->13259 13256 414aa4 __vbaGenerateBoundsError 13251->13256 13257 414a98 13251->13257 13260 413e2f __vbaStrMove __vbaStrCopy __vbaStrMove 13252->13260 13253->13254 13254->13190 13267 41671d __vbaVarForInit 13254->13267 13255->13262 13256->13257 13257->13250 13261 414f82 __vbaGenerateBoundsError 13258->13261 13265 414f32 13258->13265 13263 414c1a __vbaGenerateBoundsError 13259->13263 13270 414bca 13259->13270 13264 4329f0 20 API calls 13260->13264 13266 414f8e 6 API calls 13261->13266 13268 4338e0 124 API calls 13262->13268 13269 414c26 #712 __vbaStrMove __vbaLenBstr #709 13263->13269 13274 413e89 __vbaStrMove 13264->13274 13275 414f65 __vbaGenerateBoundsError 13265->13275 13281 414f59 13265->13281 13276 41537a __vbaStrCopy 13266->13276 13284 41501b 13266->13284 13384 416779 13267->13384 13277 416274 __vbaStrMove __vbaStrCopy __vbaStrMove 13268->13277 13269->13190 13273 414ca3 #619 __vbaStrVarMove __vbaStrMove __vbaFreeVar __vbaStrCopy 13269->13273 13271 414bf1 13270->13271 13272 414bfd __vbaGenerateBoundsError 13270->13272 13271->13269 13272->13271 13278 4338e0 124 API calls 13273->13278 13279 413eb7 13274->13279 13280 413e9d __vbaNew2 13274->13280 13275->13281 13282 4338e0 124 API calls 13276->13282 13285 4329f0 20 API calls 13277->13285 13288 414d02 __vbaStrMove __vbaStrCopy __vbaStrMove 13278->13288 13289 413ec0 __vbaStrMove 13279->13289 13280->13289 13281->13266 13290 41539e __vbaStrMove __vbaStrCopy __vbaStrMove 13282->13290 13283 415087 __vbaGenerateBoundsError 13294 41505e 13283->13294 13284->13283 13291 415037 13284->13291 13293 4162ce 9 API calls 13285->13293 13286 416a3d __vbaStrCopy 13287 4338e0 124 API calls 13286->13287 13295 416a61 __vbaStrMove __vbaStrCopy __vbaStrMove 13287->13295 13296 4329f0 20 API calls 13288->13296 13306 413f13 13289->13306 13297 4329f0 20 API calls 13290->13297 13291->13294 13298 41506a __vbaGenerateBoundsError 13291->13298 13292 416799 __vbaNew2 13292->13384 13299 4163dd __vbaNew2 13293->13299 13362 4163f7 13293->13362 13300 4150f8 __vbaGenerateBoundsError 13294->13300 13301 4150a8 13294->13301 13302 416ac7 __vbaGenerateBoundsError 13295->13302 13303 416abb 13295->13303 13305 414d5c __vbaStrMove 13296->13305 13307 4153f8 __vbaStrMove 13297->13307 13298->13294 13299->13362 13304 415104 __vbaAryLock 13300->13304 13308 4150db __vbaGenerateBoundsError 13301->13308 13309 4150cf 13301->13309 13302->13303 13318 4329f0 20 API calls 13303->13318 13310 41511b 13304->13310 13311 41516e __vbaGenerateBoundsError 13304->13311 13312 414d70 __vbaNew2 13305->13312 13313 414d8a 13305->13313 13314 413f24 __vbaHresultCheckObj 13306->13314 13315 413f4a 13306->13315 13316 41546b __vbaGenerateBoundsError 13307->13316 13317 41540f 13307->13317 13308->13309 13309->13304 13310->13311 13319 415124 13310->13319 13321 41517a __vbaLenBstr #709 13311->13321 13312->13313 13330 414e1a __vbaGenerateBoundsError 13313->13330 13340 414dca 13313->13340 13314->13315 13352 413f8a __vbaHresultCheckObj 13315->13352 13353 413fad 13315->13353 13320 415477 7 API calls 13316->13320 13317->13316 13323 41541b 13317->13323 13326 416ae6 __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCopy 13318->13326 13327 415151 __vbaGenerateBoundsError 13319->13327 13328 415145 13319->13328 13333 415557 13320->13333 13334 4158be 13320->13334 13321->13190 13329 4151da #619 __vbaAryUnlock __vbaStrVarMove __vbaStrMove __vbaFreeVar 13321->13329 13322 4167f4 __vbaHresultCheckObj 13324 416821 __vbaChkstk __vbaVarIndexLoad 13322->13324 13331 415442 13323->13331 13332 41544e __vbaGenerateBoundsError 13323->13332 13341 416882 __vbaNew2 13324->13341 13324->13384 13325 416438 __vbaHresultCheckObj 13342 416465 __vbaChkstk __vbaVarIndexLoad 13325->13342 13336 4338e0 124 API calls 13326->13336 13327->13328 13328->13321 13337 415246 13329->13337 13338 41522c __vbaNew2 13329->13338 13339 414e26 __vbaStrMove __vbaStrCat 13330->13339 13331->13320 13332->13331 13335 4155c2 __vbaGenerateBoundsError 13333->13335 13344 415573 13333->13344 13343 415929 __vbaGenerateBoundsError 13334->13343 13351 4158da 13334->13351 13349 4155ce #712 __vbaStrMove __vbaLenBstr #709 13335->13349 13345 416b5a __vbaStrMove __vbaStrCopy __vbaStrMove 13336->13345 13359 4152d6 __vbaGenerateBoundsError 13337->13359 13368 415286 13337->13368 13338->13337 13360 414e97 13339->13360 13346 414df1 13340->13346 13347 414dfd __vbaGenerateBoundsError 13340->13347 13341->13384 13350 4164c6 __vbaNew2 13342->13350 13342->13362 13348 415935 __vbaInStr 13343->13348 13354 4155a5 __vbaGenerateBoundsError 13344->13354 13355 415599 13344->13355 13357 416bc0 __vbaGenerateBoundsError 13345->13357 13358 416bb4 13345->13358 13346->13339 13347->13346 13365 415bdb 13348->13365 13366 41595f 13348->13366 13349->13190 13356 41564b #619 __vbaStrVarMove __vbaStrMove __vbaFreeVar __vbaStrCopy 13349->13356 13350->13362 13363 415900 13351->13363 13364 41590c __vbaGenerateBoundsError 13351->13364 13361 413fb7 __vbaStrMove 13352->13361 13353->13361 13354->13355 13355->13349 13367 4338e0 124 API calls 13356->13367 13357->13358 13377 4329f0 20 API calls 13358->13377 13372 4152e2 __vbaStrCat 13359->13372 13370 414ea8 __vbaHresultCheckObj 13360->13370 13371 414ecb 13360->13371 13374 434240 13361->13374 13362->13325 13362->13342 13397 416521 __vbaHresultCheckObj 13362->13397 13409 41654e 6 API calls 13362->13409 13363->13348 13364->13363 13369 415c46 __vbaGenerateBoundsError 13365->13369 13381 415bf7 13365->13381 13373 4159cb __vbaGenerateBoundsError 13366->13373 13386 41597b 13366->13386 13376 4156aa __vbaStrMove __vbaStrCopy __vbaStrMove 13367->13376 13379 4152b9 __vbaGenerateBoundsError 13368->13379 13380 4152ad 13368->13380 13378 415c52 6 API calls 13369->13378 13382 414ed5 __vbaFreeStrList __vbaFreeVar 13370->13382 13371->13382 13393 415330 13372->13393 13383 4159d7 #712 __vbaStrMove __vbaLenBstr #709 13373->13383 13375 413feb __vbaAryMove __vbaStrCopy __vbaAryMove 13374->13375 13387 432bc0 67 API calls 13375->13387 13389 4329f0 20 API calls 13376->13389 13390 416bdf __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCopy 13377->13390 13394 41603b 13378->13394 13395 415cdf 13378->13395 13379->13380 13380->13372 13391 415c29 __vbaGenerateBoundsError 13381->13391 13392 415c1d 13381->13392 13382->13258 13383->13190 13388 415a54 #619 __vbaStrVarMove __vbaStrMove __vbaFreeVar 13383->13388 13384->13286 13384->13292 13384->13322 13384->13324 13385 4168dd __vbaHresultCheckObj 13384->13385 13396 41690a 8 API calls 13384->13396 13385->13396 13398 4159a2 13386->13398 13399 4159ae __vbaGenerateBoundsError 13386->13399 13400 414064 6 API calls 13387->13400 13401 415ab6 13388->13401 13402 415a9c __vbaNew2 13388->13402 13403 415704 __vbaStrMove 13389->13403 13404 4338e0 124 API calls 13390->13404 13391->13392 13392->13378 13405 415341 __vbaHresultCheckObj 13393->13405 13406 415364 13393->13406 13407 415d4a __vbaGenerateBoundsError 13395->13407 13417 415cfb 13395->13417 13408 4258c0 1241 API calls 13396->13408 13397->13409 13398->13383 13399->13398 13410 4338e0 124 API calls 13400->13410 13411 415abf __vbaAryLock 13401->13411 13402->13411 13412 415732 13403->13412 13413 415718 __vbaNew2 13403->13413 13414 416c53 __vbaStrMove __vbaStrCopy __vbaStrMove 13404->13414 13415 41536e __vbaFreeVar 13405->13415 13406->13415 13416 415d21 13407->13416 13418 4169af __vbaStrMove __vbaFreeStrList __vbaFreeVarList __vbaVarForNext 13408->13418 13419 420f00 1284 API calls 13409->13419 13420 41410c __vbaStrMove __vbaStrCopy __vbaStrMove 13410->13420 13421 415af8 13411->13421 13422 415b4b __vbaGenerateBoundsError 13411->13422 13431 4157c1 __vbaGenerateBoundsError 13412->13431 13437 415772 13412->13437 13413->13412 13423 416cb9 __vbaGenerateBoundsError 13414->13423 13424 416cad 13414->13424 13415->13276 13426 415dba __vbaGenerateBoundsError 13416->13426 13432 415d6b 13416->13432 13417->13416 13425 415d2d __vbaGenerateBoundsError 13417->13425 13418->13384 13427 4165de __vbaStrMove __vbaFreeStrList __vbaFreeVarList __vbaVarForNext 13419->13427 13429 4329f0 20 API calls 13420->13429 13421->13422 13423->13424 13438 4329f0 20 API calls 13424->13438 13425->13416 13427->13242 13448 416cd8 __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCopy 13438->13448 13457 4338e0 124 API calls 13448->13457 13463 416d4c __vbaStrMove __vbaStrCopy __vbaStrMove 13457->13463 13466 416db2 __vbaGenerateBoundsError 13463->13466 13467 416da6 13463->13467 13466->13467 13473 4329f0 20 API calls 13467->13473 13476 416dd1 __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCopy 13473->13476 13478 4338e0 124 API calls 13476->13478 13483 416e45 __vbaStrMove __vbaStrCopy __vbaStrMove 13478->13483 13548 421fd9 13549 423917 __vbaErrorOverflow 13548->13549 13550 421fea 13548->13550 13551 422a0e 13550->13551 13552 421fff 17 API calls 13550->13552 13555 422a1e __vbaSetSystemError #645 __vbaStrMove __vbaStrCmp __vbaFreeStr 13551->13555 13553 422a02 13552->13553 13554 422294 6 API calls 13552->13554 13556 4338e0 124 API calls 13554->13556 13557 422a94 __vbaStrCopy __vbaStrToAnsi 13555->13557 13558 42372b #529 13555->13558 13559 422373 __vbaStrMove __vbaStrCopy 13556->13559 13561 409168 13557->13561 13560 42382d 17 API calls 13558->13560 13562 4338e0 124 API calls 13559->13562 13560->13549 13563 422ace __vbaSetSystemError __vbaStrToUnicode __vbaFreeStr 13561->13563 13564 42239e __vbaStrMove __vbaStrCopy __vbaStrMove 13562->13564 13565 422b02 __vbaStrToAnsi __vbaStrToAnsi 13563->13565 13566 4236ee 13563->13566 13567 4329f0 20 API calls 13564->13567 13569 4091fc 13565->13569 13572 4236fe __vbaSetSystemError #529 13566->13572 13568 4223f8 __vbaStrCopy __vbaStrMove 13567->13568 13570 4329f0 20 API calls 13568->13570 13571 422b50 __vbaSetSystemError __vbaStrToUnicode __vbaStrToUnicode __vbaVarMove __vbaFreeStrList 13569->13571 13573 422454 6 API calls 13570->13573 13629 409298 13571->13629 13572->13558 13573->13553 13576 422532 13573->13576 13576->13549 13578 422552 __vbaStrErrVarCopy __vbaStrMove 13576->13578 13621 436fa0 __vbaRedim __vbaI2I4 __vbaI2I4 13578->13621 13581 42258a __vbaAryMove __vbaFreeStr 13583 4309e0 530 API calls 13581->13583 13585 4225c1 __vbaStrMove __vbaStrCopy 13583->13585 13586 4338e0 124 API calls 13585->13586 13588 4225f0 __vbaStrMove __vbaStrCopy 13586->13588 13591 4338e0 124 API calls 13588->13591 13594 42261b __vbaStrMove __vbaStrCat __vbaStrCopy __vbaStrMove 13591->13594 13596 4329f0 20 API calls 13594->13596 13598 4226ab __vbaStrCopy __vbaStrMove 13596->13598 13600 4329f0 20 API calls 13598->13600 13601 42271b 13 API calls 13600->13601 13603 4338e0 124 API calls 13601->13603 13605 4228cd __vbaStrMove __vbaStrCopy __vbaStrMove 13603->13605 13608 4329f0 20 API calls 13605->13608 13610 42292d 12 API calls 13608->13610 13610->13553 13623 437011 13621->13623 13622 4370bc __vbaAryMove 13625 4370f6 __vbaAryDestruct 13622->13625 13623->13622 13624 43704d __vbaGenerateBoundsError 13623->13624 13626 437045 __vbaGenerateBoundsError 13623->13626 13627 437119 __vbaErrorOverflow 13623->13627 13628 437069 6 API calls 13623->13628 13624->13623 13625->13581 13626->13623 13628->13623 13628->13627 13630 4092a1 13629->13630 13659 41bc6f 13660 41bc80 13659->13660 13661 41fd23 __vbaErrorOverflow 13659->13661 13662 41bc95 __vbaVarCopy __vbaChkstk __vbaVarIndexLoad __vbaVarMove __vbaVarTstEq 13660->13662 13663 41f3a4 __vbaChkstk __vbaChkstk __vbaChkstk __vbaLateMemCall #560 13660->13663 13664 41bd69 10 API calls 13662->13664 13665 41bf28 __vbaVarTstEq 13662->13665 13670 41fa18 __vbaForEachVar 13663->13670 13671 41face 28 API calls 13663->13671 13667 41d3e1 __vbaStrCat 13664->13667 13668 41c121 __vbaVarTstEq 13665->13668 13669 41bf62 10 API calls 13665->13669 13672 41d413 13667->13672 13673 41d46b __vbaGenerateBoundsError 13667->13673 13674 41cf38 __vbaVarTstEq 13668->13674 13675 41c15b 11 API calls 13668->13675 13669->13667 13676 41fa57 13670->13676 13671->13661 13672->13673 13678 41d41f 13672->13678 13679 41d477 __vbaVarCat __vbaChkstk __vbaVarLateMemSt __vbaFreeVarList 13673->13679 13681 41d131 __vbaVarTstEq 13674->13681 13682 41cf72 10 API calls 13674->13682 13680 4338e0 124 API calls 13675->13680 13676->13671 13688 419f50 1124 API calls 13676->13688 13684 41d442 13678->13684 13685 41d44e __vbaGenerateBoundsError 13678->13685 13686 41d565 __vbaGenerateBoundsError 13679->13686 13687 41d50d 13679->13687 13689 41c339 __vbaStrMove __vbaStrCopy 13680->13689 13681->13667 13683 41d16b 16 API calls 13681->13683 13682->13667 13683->13667 13684->13679 13685->13684 13690 41d571 __vbaChkstk __vbaVarIndexLoad __vbaChkstk __vbaVarLateMemSt __vbaFreeVar 13686->13690 13687->13686 13691 41d519 13687->13691 13692 41fa75 __vbaStrMove __vbaFreeStr __vbaNextEachVar 13688->13692 13693 4338e0 124 API calls 13689->13693 13694 41d625 13690->13694 13695 41d67d __vbaGenerateBoundsError 13690->13695 13696 41d548 __vbaGenerateBoundsError 13691->13696 13697 41d53c 13691->13697 13692->13676 13698 41c364 __vbaStrMove __vbaStrCopy __vbaStrMove 13693->13698 13694->13695 13699 41d631 13694->13699 13700 41d689 __vbaVarCat __vbaChkstk __vbaVarLateMemSt __vbaFreeVar 13695->13700 13696->13697 13697->13690 13701 4329f0 20 API calls 13698->13701 13703 41d660 __vbaGenerateBoundsError 13699->13703 13704 41d654 13699->13704 13700->13661 13705 41d702 __vbaVarTstEq 13700->13705 13702 41c3c6 __vbaStrMove __vbaInStr __vbaStrCopy __vbaStrMove 13701->13702 13706 4329f0 20 API calls 13702->13706 13703->13704 13704->13700 13707 41d731 13705->13707 13708 41d736 __vbaStrCopy 13705->13708 13709 41c44c 12 API calls 13706->13709 13710 4338e0 124 API calls 13708->13710 13711 41c606 __vbaRefVarAry __vbaUbound 13709->13711 13712 41cb38 __vbaChkstk __vbaVarIndexLoadRefLock 13709->13712 13713 41d75a __vbaStrMove __vbaStrCopy __vbaStrMove 13710->13713 13711->13661 13714 41c630 __vbaRedim __vbaRefVarAry __vbaUbound 13711->13714 13715 437530 18 API calls 13712->13715 13716 4329f0 20 API calls 13713->13716 13714->13661 13717 41c676 __vbaI2I4 13714->13717 13718 41cbd9 __vbaAryUnlock __vbaFreeVar 13715->13718 13719 41d7e8 11 API calls 13716->13719 13720 41c6b2 13717->13720 13721 41cc16 __vbaRefVarAry __vbaUbound 13718->13721 13748 41cb33 13718->13748 13722 41d931 9 API calls 13719->13722 13723 41da64 __vbaStrCopy 13719->13723 13725 41c7d6 __vbaStrCopy 13720->13725 13726 41c6c6 13720->13726 13721->13661 13727 41cc40 __vbaRedim __vbaRefVarAry __vbaUbound 13721->13727 13722->13723 13724 4338e0 124 API calls 13723->13724 13729 41da88 __vbaStrMove __vbaStrCopy 13724->13729 13730 432bc0 67 API calls 13725->13730 13726->13661 13734 41c751 __vbaGenerateBoundsError 13726->13734 13740 41c704 13726->13740 13727->13661 13728 41cc83 __vbaI2I4 13727->13728 13731 41ccbf 13728->13731 13732 4338e0 124 API calls 13729->13732 13733 41c806 __vbaAryMove __vbaFreeStr __vbaUbound 13730->13733 13737 41ccd3 13731->13737 13738 41cdc8 __vbaUbound 13731->13738 13735 41dab3 __vbaStrMove __vbaStrCopy __vbaStrMove 13732->13735 13736 4334f0 15 API calls 13733->13736 13739 41c75d __vbaChkstk __vbaVarIndexLoad __vbaUI1Var __vbaFreeVar 13734->13739 13743 4329f0 20 API calls 13735->13743 13744 41c85b __vbaStrMove __vbaLenBstrB 13736->13744 13746 41cd46 __vbaGenerateBoundsError 13737->13746 13752 41ccff 13737->13752 13745 4334f0 15 API calls 13738->13745 13739->13661 13741 41c737 __vbaGenerateBoundsError 13740->13741 13742 41c72b 13740->13742 13741->13742 13742->13739 13747 41db20 __vbaStrCopy __vbaStrMove 13743->13747 13744->13748 13749 41c885 __vbaStrCopy 13744->13749 13751 41ce2d 9 API calls 13745->13751 13750 41cd52 __vbaChkstk __vbaVarIndexLoad __vbaUI1Var __vbaFreeVar 13746->13750 13753 4329f0 20 API calls 13747->13753 13748->13667 13754 4338e0 124 API calls 13749->13754 13750->13661 13751->13748 13755 41cd20 13752->13755 13756 41cd2c __vbaGenerateBoundsError 13752->13756 13757 41db84 9 API calls 13753->13757 13758 41c8a9 __vbaStrMove __vbaStrCopy __vbaStrMove 13754->13758 13755->13750 13756->13755 13759 41dca5 __vbaStrCopy 13757->13759 13760 41dddd __vbaStrCopy 13757->13760 13761 4329f0 20 API calls 13758->13761 13762 4338e0 124 API calls 13759->13762 13764 4338e0 124 API calls 13760->13764 13763 41c96a 18 API calls 13761->13763 13765 41dcc9 __vbaStrMove __vbaStrCopy __vbaStrMove 13762->13765 13763->13748 13766 41de01 __vbaStrMove __vbaStrCopy 13764->13766 13768 4329f0 20 API calls 13765->13768 13767 4338e0 124 API calls 13766->13767 13769 41de2c __vbaStrMove __vbaStrCopy __vbaStrMove 13767->13769 13770 41dd2a 10 API calls 13768->13770 13771 4329f0 20 API calls 13769->13771 13770->13760 13772 41de99 __vbaStrCopy __vbaStrMove 13771->13772 13773 4329f0 20 API calls 13772->13773 13774 41defd 9 API calls 13773->13774 13775 41e013 10 API calls 13774->13775 13776 41e169 __vbaStrCopy 13774->13776 13775->13776 13777 4338e0 124 API calls 13776->13777 10180 40e8f0 __vbaChkstk 10181 40e945 __vbaOnError 10180->10181 10205 40e975 10181->10205 10206 410be0 __vbaChkstk 10181->10206 10182 40e99e 10184 40e9a8 __vbaFreeVar 10182->10184 10183 40e97e __vbaHresultCheckObj 10183->10184 10185 40e9c1 __vbaNew2 10184->10185 10186 40e9dd 10184->10186 10185->10186 10187 40ea33 10186->10187 10188 40ea13 __vbaHresultCheckObj 10186->10188 10189 40ea3d __vbaChkstk 10187->10189 10188->10189 10190 40ea8d 10189->10190 10191 40eac1 10190->10191 10192 40ea9e __vbaHresultCheckObj 10190->10192 10193 40eacb __vbaStrMove __vbaFreeObj __vbaStrCmp 10191->10193 10192->10193 10194 40eb17 __vbaStrCopy 10193->10194 10195 40ecba 10193->10195 10308 4338e0 __vbaLenBstr 10194->10308 10197 40eb35 __vbaStrMove __vbaStrCopy 10198 4338e0 124 API calls 10197->10198 10199 40eb57 7 API calls 10198->10199 10377 4329f0 __vbaLenBstr 10199->10377 10201 40ebe6 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove 10202 4329f0 20 API calls 10201->10202 10203 40ec29 7 API calls 10202->10203 10203->10195 10205->10182 10205->10183 10207 410c2a __vbaOnError __vbaStrCopy 10206->10207 10384 405924 10207->10384 10309 433948 10308->10309 10310 4339f6 10309->10310 10311 433954 9 API calls 10309->10311 10310->10197 10311->10309 10312 433a44 __vbaErrorOverflow 10311->10312 10313 433a50 __vbaChkstk __vbaOnError __vbaVarVargNofree __vbaVarSub __vbaI2Var 10312->10313 10314 433af3 10313->10314 10315 433bf7 10314->10315 10316 433c1c __vbaErrorOverflow 10314->10316 10317 433b4b 6 API calls 10314->10317 10315->10197 10318 433c30 __vbaChkstk __vbaOnError 10316->10318 10317->10314 10319 433c93 10318->10319 10320 433ca4 __vbaLbound 10318->10320 10321 433cdc __vbaUbound 10319->10321 10322 433ccb 10319->10322 10320->10319 10321->10322 10323 433f65 __vbaErrorOverflow 10322->10323 10325 433d19 #525 __vbaStrMove 10322->10325 10324 433f70 __vbaChkstk __vbaOnError #645 __vbaStrMove 10323->10324 10326 434003 __vbaStrCmp 10324->10326 10327 433d71 10325->10327 10328 434021 __vbaStrCmp __vbaStrCmp 10326->10328 10329 4341bc __vbaAryMove 10326->10329 10330 433efb __vbaStrCopy 10327->10330 10331 433d7d __vbaAryLock 10327->10331 10333 434182 #645 __vbaStrMove __vbaFreeVar 10328->10333 10334 43405c __vbaStrCat __vbaStrMove #579 __vbaFreeStr 10328->10334 10332 434201 __vbaAryDestruct __vbaFreeStr 10329->10332 10335 433f3c __vbaFreeStr __vbaFreeStr 10330->10335 10336 433d9a 10331->10336 10337 433ddd __vbaGenerateBoundsError 10331->10337 10332->10197 10333->10326 10334->10333 10338 4340ab __vbaRedimPreserve 10334->10338 10335->10197 10336->10337 10339 433da3 10336->10339 10340 433de9 #572 __vbaStrMove __vbaAryUnlock __vbaStrMove __vbaLenBstr 10337->10340 10341 4340de 10338->10341 10342 43411c __vbaGenerateBoundsError 10338->10342 10344 433dc6 __vbaGenerateBoundsError 10339->10344 10345 433dba 10339->10345 10346 433e6e 10340->10346 10347 433e4d __vbaStrCat __vbaStrMove 10340->10347 10341->10333 10341->10342 10343 434125 __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStr 10341->10343 10349 434108 __vbaGenerateBoundsError 10341->10349 10342->10343 10343->10341 10348 43422d __vbaErrorOverflow 10343->10348 10344->10345 10345->10340 10350 433ed2 __vbaMidStmtBstr 10346->10350 10351 433e7d __vbaStrCat __vbaStrMove __vbaMidStmtBstr __vbaFreeStr 10346->10351 10347->10346 10353 434240 __vbaChkstk __vbaOnError __vbaNew __vbaObjSet __vbaStrCopy 10348->10353 10349->10341 10352 433ecd 10350->10352 10351->10323 10351->10352 10352->10330 10354 4338e0 20 API calls 10353->10354 10355 4342cf __vbaStrMove __vbaStrCopy __vbaStrMove 10354->10355 10356 4329f0 20 API calls 10355->10356 10357 43430e __vbaStrMove __vbaStrMove 10356->10357 10358 434346 10357->10358 10378 432a47 10377->10378 10379 432b53 __vbaStrCopy 10378->10379 10380 432a50 6 API calls 10378->10380 10383 432b92 __vbaFreeStr 10379->10383 10381 432bb2 __vbaErrorOverflow 10380->10381 10382 432abf 10 API calls 10380->10382 10382->10378 10382->10381 10383->10201 10385 40592d 10384->10385 13958 412182 13959 417877 __vbaErrorOverflow 13958->13959 13960 412196 13958->13960 13961 4121b0 __vbaStrCopy 13960->13961 13962 4147f0 __vbaUbound __vbaI2I4 13960->13962 13963 4338e0 124 API calls 13961->13963 13966 41485a 13962->13966 13965 4121d4 __vbaStrMove __vbaStrCopy __vbaStrMove 13963->13965 13967 4329f0 20 API calls 13965->13967 13968 416047 13966->13968 13974 4148ea __vbaGenerateBoundsError 13966->13974 13978 41489a 13966->13978 13969 41222e __vbaStrMove 13967->13969 13972 416074 __vbaNew2 13968->13972 13973 41608e 13968->13973 13970 4122a1 __vbaGenerateBoundsError 13969->13970 13971 412245 13969->13971 13977 4122ad 7 API calls 13970->13977 13971->13970 13975 412251 13971->13975 13972->13973 13994 4160f2 13973->13994 13995 4160cf __vbaHresultCheckObj 13973->13995 13976 4148f6 __vbaStrCat __vbaStrMove 13974->13976 13979 412284 __vbaGenerateBoundsError 13975->13979 13980 412278 13975->13980 13985 433f70 13976->13985 13981 4126f4 13977->13981 13982 41238d 13977->13982 13983 4148c1 13978->13983 13984 4148cd __vbaGenerateBoundsError 13978->13984 13979->13980 13980->13977 13988 41275f __vbaGenerateBoundsError 13981->13988 13993 412710 13981->13993 13987 4123f8 __vbaGenerateBoundsError 13982->13987 13990 4123a9 13982->13990 13983->13976 13984->13983 13986 414933 __vbaAryMove __vbaFreeStr 13985->13986 13986->13968 13989 41496c __vbaUbound __vbaI2I4 13986->13989 13992 412404 #712 __vbaStrMove __vbaLenBstr #709 13987->13992 13991 41276b 6 API calls 13988->13991 13998 4149be 13989->13998 13999 4123db __vbaGenerateBoundsError 13990->13999 14000 4123cf 13990->14000 13996 412b54 __vbaStrCopy 13991->13996 13997 4127f8 13991->13997 13992->13959 14001 412481 #619 __vbaStrVarMove __vbaStrMove __vbaFreeVar __vbaStrCopy 13992->14001 14002 412742 __vbaGenerateBoundsError 13993->14002 14003 412736 13993->14003 13994->13959 14004 41610b __vbaVarForInit 13994->14004 13995->13994 14008 4338e0 124 API calls 13996->14008 14005 412863 __vbaGenerateBoundsError 13997->14005 14010 412814 13997->14010 13998->13968 14006 4149d2 __vbaStrCopy 13998->14006 13999->14000 14000->13992 14007 4338e0 124 API calls 14001->14007 14002->14003 14003->13991 14032 416167 14004->14032 14009 41283a 14005->14009 14011 4338e0 124 API calls 14006->14011 14012 4124e0 __vbaStrMove __vbaStrCopy __vbaStrMove 14007->14012 14013 412b78 __vbaStrMove __vbaStrCopy __vbaStrMove 14008->14013 14018 4128d3 __vbaGenerateBoundsError 14009->14018 14026 412884 14009->14026 14010->14009 14016 412846 __vbaGenerateBoundsError 14010->14016 14017 4149f6 __vbaStrMove __vbaStrCopy __vbaStrMove 14011->14017 14019 4329f0 20 API calls 14012->14019 14014 4329f0 20 API calls 14013->14014 14020 412bd2 __vbaStrMove 14014->14020 14015 416665 14021 4166a0 14015->14021 14022 416686 __vbaNew2 14015->14022 14016->14009 14024 4329f0 20 API calls 14017->14024 14025 4128df __vbaAryLock 14018->14025 14027 41253a __vbaStrMove 14019->14027 14030 412c44 __vbaGenerateBoundsError 14020->14030 14031 412be9 14020->14031 14057 4166e1 __vbaHresultCheckObj 14021->14057 14058 416704 14021->14058 14022->14021 14023 416187 __vbaNew2 14023->14032 14033 414a50 __vbaStrMove 14024->14033 14036 4128f6 14025->14036 14037 412949 __vbaGenerateBoundsError 14025->14037 14034 4128b6 __vbaGenerateBoundsError 14026->14034 14035 4128aa 14026->14035 14028 412568 14027->14028 14029 41254e __vbaNew2 14027->14029 14045 4125f7 __vbaGenerateBoundsError 14028->14045 14056 4125a8 14028->14056 14029->14028 14041 412c50 7 API calls 14030->14041 14031->14030 14038 412bf5 14031->14038 14032->14015 14032->14023 14059 4161e2 __vbaHresultCheckObj 14032->14059 14070 41620f __vbaChkstk __vbaVarIndexLoad __vbaStrCopy 14032->14070 14039 414ac1 __vbaGenerateBoundsError 14033->14039 14040 414a67 14033->14040 14034->14035 14035->14025 14036->14037 14042 4128ff 14036->14042 14043 412955 __vbaLenBstr #709 14037->14043 14047 412c27 __vbaGenerateBoundsError 14038->14047 14048 412c1b 14038->14048 14046 414acd 7 API calls 14039->14046 14040->14039 14051 414a72 14040->14051 14049 412d31 14041->14049 14050 413096 14041->14050 14052 412920 14042->14052 14053 41292c __vbaGenerateBoundsError 14042->14053 14043->13959 14044 4129b5 #619 __vbaAryUnlock __vbaStrVarMove __vbaStrMove __vbaFreeVar 14043->14044 14054 412a21 14044->14054 14055 412a07 __vbaNew2 14044->14055 14064 412603 __vbaStrMove __vbaStrCat 14045->14064 14065 414f16 14046->14065 14066 414bae 14046->14066 14047->14048 14048->14041 14061 412d9b __vbaGenerateBoundsError 14049->14061 14073 412d4c 14049->14073 14060 413100 __vbaGenerateBoundsError 14050->14060 14071 4130b1 14050->14071 14062 414aa4 __vbaGenerateBoundsError 14051->14062 14063 414a98 14051->14063 14052->14043 14053->14052 14076 412ab0 __vbaGenerateBoundsError 14054->14076 14094 412a61 14054->14094 14055->14054 14068 4125da __vbaGenerateBoundsError 14056->14068 14069 4125ce 14056->14069 14057->14058 14058->13959 14078 41671d __vbaVarForInit 14058->14078 14059->14070 14074 41310c __vbaInStr 14060->14074 14067 412da7 #712 __vbaStrMove __vbaLenBstr #709 14061->14067 14062->14063 14063->14046 14077 412675 14064->14077 14072 414f82 __vbaGenerateBoundsError 14065->14072 14084 414f32 14065->14084 14075 414c1a __vbaGenerateBoundsError 14066->14075 14090 414bca 14066->14090 14067->13959 14089 412e24 #619 __vbaStrVarMove __vbaStrMove __vbaFreeVar __vbaStrCopy 14067->14089 14068->14069 14069->14064 14079 4338e0 124 API calls 14070->14079 14080 4130e3 __vbaGenerateBoundsError 14071->14080 14081 4130d7 14071->14081 14085 414f8e 6 API calls 14072->14085 14086 412d72 14073->14086 14087 412d7e __vbaGenerateBoundsError 14073->14087 14082 413135 14074->14082 14083 4133af 14074->14083 14088 414c26 #712 __vbaStrMove __vbaLenBstr #709 14075->14088 14096 412abc __vbaStrCat 14076->14096 14097 412686 __vbaHresultCheckObj 14077->14097 14098 4126a9 14077->14098 14142 416779 14078->14142 14099 416274 __vbaStrMove __vbaStrCopy __vbaStrMove 14079->14099 14080->14081 14081->14074 14100 4131a0 __vbaGenerateBoundsError 14082->14100 14113 413151 14082->14113 14095 413419 __vbaGenerateBoundsError 14083->14095 14111 4133ca 14083->14111 14101 414f65 __vbaGenerateBoundsError 14084->14101 14102 414f59 14084->14102 14103 41501b 14085->14103 14104 41537a __vbaStrCopy 14085->14104 14086->14067 14087->14086 14088->13959 14093 414ca3 #619 __vbaStrVarMove __vbaStrMove __vbaFreeVar __vbaStrCopy 14088->14093 14105 4338e0 124 API calls 14089->14105 14091 414bf1 14090->14091 14092 414bfd __vbaGenerateBoundsError 14090->14092 14091->14088 14092->14091 14107 4338e0 124 API calls 14093->14107 14108 412a93 __vbaGenerateBoundsError 14094->14108 14109 412a87 14094->14109 14116 413425 6 API calls 14095->14116 14124 412b0a 14096->14124 14106 4126b3 __vbaFreeStrList __vbaFreeVar 14097->14106 14098->14106 14112 4329f0 20 API calls 14099->14112 14110 4131ac #712 __vbaStrMove __vbaLenBstr #709 14100->14110 14101->14102 14102->14085 14115 415087 __vbaGenerateBoundsError 14103->14115 14133 415037 14103->14133 14114 4338e0 124 API calls 14104->14114 14118 412e83 __vbaStrMove __vbaStrCopy __vbaStrMove 14105->14118 14106->13981 14121 414d02 __vbaStrMove __vbaStrCopy __vbaStrMove 14107->14121 14108->14109 14109->14096 14110->13959 14132 413229 #619 __vbaStrVarMove __vbaStrMove __vbaFreeVar 14110->14132 14122 4133f0 14111->14122 14123 4133fc __vbaGenerateBoundsError 14111->14123 14128 4162ce 9 API calls 14112->14128 14129 413183 __vbaGenerateBoundsError 14113->14129 14130 413177 14113->14130 14131 41539e __vbaStrMove __vbaStrCopy __vbaStrMove 14114->14131 14134 41505e 14115->14134 14125 4134b1 14116->14125 14126 413809 14116->14126 14117 416a3d __vbaStrCopy 14119 4338e0 124 API calls 14117->14119 14120 4329f0 20 API calls 14118->14120 14135 416a61 __vbaStrMove __vbaStrCopy __vbaStrMove 14119->14135 14136 412edd __vbaStrMove 14120->14136 14137 4329f0 20 API calls 14121->14137 14122->14116 14123->14122 14139 412b1b __vbaHresultCheckObj 14124->14139 14140 412b3e 14124->14140 14141 41351b __vbaGenerateBoundsError 14125->14141 14161 4134cc 14125->14161 14138 413875 __vbaGenerateBoundsError 14126->14138 14157 413825 14126->14157 14127 416799 __vbaNew2 14127->14142 14143 4163dd __vbaNew2 14128->14143 14291 4163f7 14128->14291 14129->14130 14130->14110 14144 4329f0 20 API calls 14131->14144 14145 413271 __vbaNew2 14132->14145 14146 41328b 14132->14146 14133->14134 14147 41506a __vbaGenerateBoundsError 14133->14147 14148 4150f8 __vbaGenerateBoundsError 14134->14148 14149 4150a8 14134->14149 14150 416ac7 __vbaGenerateBoundsError 14135->14150 14151 416abb 14135->14151 14152 412ef1 __vbaNew2 14136->14152 14153 412f0b 14136->14153 14156 414d5c __vbaStrMove 14137->14156 14159 413881 __vbaInStr 14138->14159 14160 412b48 __vbaFreeVar 14139->14160 14140->14160 14154 4134f2 14141->14154 14142->14117 14142->14127 14184 4167f4 __vbaHresultCheckObj 14142->14184 14197 416821 __vbaChkstk __vbaVarIndexLoad 14142->14197 14276 4168dd __vbaHresultCheckObj 14142->14276 14286 41690a 8 API calls 14142->14286 14143->14291 14162 4153f8 __vbaStrMove 14144->14162 14158 413294 __vbaAryLock 14145->14158 14146->14158 14147->14134 14155 415104 __vbaAryLock 14148->14155 14163 4150db __vbaGenerateBoundsError 14149->14163 14164 4150cf 14149->14164 14150->14151 14178 4329f0 20 API calls 14151->14178 14152->14153 14177 412f99 __vbaGenerateBoundsError 14153->14177 14188 412f4a 14153->14188 14172 41358a __vbaGenerateBoundsError 14154->14172 14185 41353b 14154->14185 14165 41511b 14155->14165 14166 41516e __vbaGenerateBoundsError 14155->14166 14167 414d70 __vbaNew2 14156->14167 14194 414d8a 14156->14194 14168 413858 __vbaGenerateBoundsError 14157->14168 14169 41384c 14157->14169 14175 4132cc 14158->14175 14176 41331f __vbaGenerateBoundsError 14158->14176 14159->13962 14170 4138ab 14159->14170 14160->13996 14161->14154 14171 4134fe __vbaGenerateBoundsError 14161->14171 14173 41546b __vbaGenerateBoundsError 14162->14173 14174 41540f 14162->14174 14163->14164 14164->14155 14165->14166 14179 415124 14165->14179 14181 41517a __vbaLenBstr #709 14166->14181 14167->14194 14168->14169 14169->14159 14183 413925 __vbaGenerateBoundsError 14170->14183 14195 4138d6 14170->14195 14171->14154 14182 413596 __vbaAryLock 14172->14182 14180 415477 7 API calls 14173->14180 14174->14173 14186 41541b 14174->14186 14175->14176 14187 4132d5 14175->14187 14210 4132f6 14176->14210 14196 412fa5 __vbaStrMove __vbaStrCat 14177->14196 14189 416ae6 __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCopy 14178->14189 14190 415151 __vbaGenerateBoundsError 14179->14190 14191 415145 14179->14191 14207 415557 14180->14207 14208 4158be 14180->14208 14181->13959 14192 4151da #619 __vbaAryUnlock __vbaStrVarMove __vbaStrMove __vbaFreeVar 14181->14192 14202 4135ac 14182->14202 14203 4135ff __vbaGenerateBoundsError 14182->14203 14201 413931 __vbaStrCat __vbaStrMove 14183->14201 14184->14197 14198 413561 14185->14198 14199 41356d __vbaGenerateBoundsError 14185->14199 14204 415442 14186->14204 14205 41544e __vbaGenerateBoundsError 14186->14205 14206 413302 __vbaGenerateBoundsError 14187->14206 14187->14210 14211 412f70 14188->14211 14212 412f7c __vbaGenerateBoundsError 14188->14212 14213 4338e0 124 API calls 14189->14213 14190->14191 14191->14181 14214 415246 14192->14214 14215 41522c __vbaNew2 14192->14215 14193 414e1a __vbaGenerateBoundsError 14216 414e26 __vbaStrMove __vbaStrCat 14193->14216 14194->14193 14217 414dca 14194->14217 14218 413908 __vbaGenerateBoundsError 14195->14218 14219 4138fc 14195->14219 14226 413017 14196->14226 14197->14142 14221 416882 __vbaNew2 14197->14221 14198->14182 14199->14198 14200 416438 __vbaHresultCheckObj 14222 416465 __vbaChkstk __vbaVarIndexLoad 14200->14222 14220 433f70 14201->14220 14202->14203 14225 4135b5 14202->14225 14223 41360b __vbaLenBstr #709 14203->14223 14204->14180 14205->14204 14206->14210 14209 4155c2 __vbaGenerateBoundsError 14207->14209 14229 415573 14207->14229 14224 415929 __vbaGenerateBoundsError 14208->14224 14237 4158da 14208->14237 14235 4155ce #712 __vbaStrMove __vbaLenBstr #709 14209->14235 14230 413378 __vbaHresultCheckObj 14210->14230 14231 41339b 14210->14231 14211->14196 14212->14211 14232 416b5a __vbaStrMove __vbaStrCopy __vbaStrMove 14213->14232 14249 4152d6 __vbaGenerateBoundsError 14214->14249 14259 415286 14214->14259 14215->14214 14250 414e97 14216->14250 14233 414df1 14217->14233 14234 414dfd __vbaGenerateBoundsError 14217->14234 14218->14219 14219->14201 14228 41396d __vbaAryMove __vbaFreeStr 14220->14228 14221->14142 14236 4164c6 __vbaNew2 14222->14236 14222->14291 14223->13959 14240 41366c #619 __vbaAryUnlock __vbaStrVarMove __vbaStrMove __vbaFreeVar 14223->14240 14227 415935 __vbaInStr 14224->14227 14238 4135e2 __vbaGenerateBoundsError 14225->14238 14239 4135d6 14225->14239 14247 413028 __vbaHresultCheckObj 14226->14247 14248 41304b 14226->14248 14254 415bdb 14227->14254 14255 41595f 14227->14255 14228->13962 14251 4139a5 __vbaUbound __vbaI2I4 14228->14251 14241 4155a5 __vbaGenerateBoundsError 14229->14241 14242 415599 14229->14242 14243 4133a5 __vbaAryUnlock 14230->14243 14231->14243 14245 416bc0 __vbaGenerateBoundsError 14232->14245 14246 416bb4 14232->14246 14233->14216 14234->14233 14235->13959 14244 41564b #619 __vbaStrVarMove __vbaStrMove __vbaFreeVar __vbaStrCopy 14235->14244 14236->14291 14252 415900 14237->14252 14253 41590c __vbaGenerateBoundsError 14237->14253 14238->14239 14239->14223 14256 4136d8 14240->14256 14257 4136be __vbaNew2 14240->14257 14241->14242 14242->14235 14243->14083 14263 4338e0 124 API calls 14244->14263 14245->14246 14268 4329f0 20 API calls 14246->14268 14258 413055 __vbaFreeStrList __vbaFreeVar 14247->14258 14248->14258 14262 4152e2 __vbaStrCat 14249->14262 14264 414ea8 __vbaHresultCheckObj 14250->14264 14265 414ecb 14250->14265 14261 4139ed 14251->14261 14252->14227 14253->14252 14260 415c46 __vbaGenerateBoundsError 14254->14260 14272 415bf7 14254->14272 14266 4159cb __vbaGenerateBoundsError 14255->14266 14277 41597b 14255->14277 14278 413766 __vbaGenerateBoundsError 14256->14278 14294 413717 14256->14294 14257->14256 14258->14050 14270 4152b9 __vbaGenerateBoundsError 14259->14270 14271 4152ad 14259->14271 14269 415c52 6 API calls 14260->14269 14261->13962 14275 4139fe __vbaStrCopy 14261->14275 14282 415330 14262->14282 14267 4156aa __vbaStrMove __vbaStrCopy __vbaStrMove 14263->14267 14273 414ed5 __vbaFreeStrList __vbaFreeVar 14264->14273 14265->14273 14274 4159d7 #712 __vbaStrMove __vbaLenBstr #709 14266->14274 14288 4329f0 20 API calls 14267->14288 14289 416bdf __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCopy 14268->14289 14283 41603b 14269->14283 14284 415cdf 14269->14284 14270->14271 14271->14262 14280 415c29 __vbaGenerateBoundsError 14272->14280 14281 415c1d 14272->14281 14273->14065 14274->13959 14279 415a54 #619 __vbaStrVarMove __vbaStrMove __vbaFreeVar 14274->14279 14285 4338e0 124 API calls 14275->14285 14276->14286 14292 4159a2 14277->14292 14293 4159ae __vbaGenerateBoundsError 14277->14293 14287 413772 __vbaStrCat 14278->14287 14297 415ab6 14279->14297 14298 415a9c __vbaNew2 14279->14298 14280->14281 14281->14269 14301 415341 __vbaHresultCheckObj 14282->14301 14302 415364 14282->14302 14303 415d4a __vbaGenerateBoundsError 14284->14303 14310 415cfb 14284->14310 14304 413a22 __vbaStrMove __vbaStrCopy __vbaStrMove 14285->14304 14305 4258c0 1241 API calls 14286->14305 14308 4137bf 14287->14308 14299 415704 __vbaStrMove 14288->14299 14300 4338e0 124 API calls 14289->14300 14290 416521 __vbaHresultCheckObj 14306 41654e 6 API calls 14290->14306 14291->14200 14291->14222 14291->14290 14291->14306 14292->14274 14293->14292 14295 413749 __vbaGenerateBoundsError 14294->14295 14296 41373d 14294->14296 14295->14296 14296->14287 14307 415abf __vbaAryLock 14297->14307 14298->14307 14313 415732 14299->14313 14314 415718 __vbaNew2 14299->14314 14315 416c53 __vbaStrMove __vbaStrCopy __vbaStrMove 14300->14315 14309 41536e __vbaFreeVar 14301->14309 14302->14309 14316 415d21 14303->14316 14312 4169af __vbaStrMove __vbaFreeStrList __vbaFreeVarList __vbaVarForNext 14305->14312 14317 420f00 1284 API calls 14306->14317 14318 415af8 14307->14318 14319 415b4b __vbaGenerateBoundsError 14307->14319 14320 4137d0 __vbaHresultCheckObj 14308->14320 14321 4137f3 14308->14321 14309->14104 14310->14316 14324 415d2d __vbaGenerateBoundsError 14310->14324 14312->14142 14334 4157c1 __vbaGenerateBoundsError 14313->14334 14338 415772 14313->14338 14314->14313 14322 416cb9 __vbaGenerateBoundsError 14315->14322 14323 416cad 14315->14323 14325 415dba __vbaGenerateBoundsError 14316->14325 14330 415d6b 14316->14330 14327 4165de __vbaStrMove __vbaFreeStrList __vbaFreeVarList __vbaVarForNext 14317->14327 14318->14319 14328 415b01 14318->14328 14322->14323 14339 4329f0 20 API calls 14323->14339 14324->14316 14335 415dc6 __vbaAryLock 14325->14335 14327->14032 14340 415d91 14330->14340 14341 415d9d __vbaGenerateBoundsError 14330->14341 14352 4157a4 __vbaGenerateBoundsError 14338->14352 14353 415798 14338->14353 14354 416cd8 __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCopy 14339->14354 14340->14335 14341->14340 14352->14353 14362 4338e0 124 API calls 14354->14362 14369 416d4c __vbaStrMove __vbaStrCopy __vbaStrMove 14362->14369 14372 416db2 __vbaGenerateBoundsError 14369->14372 14373 416da6 14369->14373 14372->14373 14380 4329f0 20 API calls 14373->14380 14383 416dd1 __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCopy 14380->14383 14386 4338e0 124 API calls 14383->14386 14391 416e45 __vbaStrMove __vbaStrCopy __vbaStrMove 14386->14391 14395 416eab __vbaGenerateBoundsError 14391->14395 14396 416e9f 14391->14396 14395->14396 14491 425986 14492 42599a 14491->14492 14493 426178 __vbaErrorOverflow 14491->14493 14494 4259b5 __vbaStrCopy 14492->14494 14495 4260b9 6 API calls 14492->14495 14497 4338e0 124 API calls 14494->14497 14498 4259d3 __vbaStrMove __vbaStrCopy __vbaStrMove 14497->14498 14499 4329f0 20 API calls 14498->14499 14500 425a18 __vbaStrMove 14499->14500 14501 425a29 14500->14501 14502 425a7c __vbaGenerateBoundsError 14500->14502 14501->14502 14503 425a32 14501->14503 14504 425a88 __vbaStrMove __vbaStrCat 14502->14504 14505 425a53 14503->14505 14506 425a5f __vbaGenerateBoundsError 14503->14506 14507 425b21 __vbaGenerateBoundsError 14504->14507 14508 425ace 14504->14508 14505->14504 14506->14505 14510 425b2d 9 API calls 14507->14510 14508->14507 14509 425ad7 14508->14509 14511 425b04 __vbaGenerateBoundsError 14509->14511 14512 425af8 14509->14512 14513 425f2c __vbaStrCopy 14510->14513 14514 425c0d #716 __vbaVarZero 14510->14514 14511->14512 14512->14510 14517 4338e0 124 API calls 14513->14517 14515 425ca0 __vbaGenerateBoundsError 14514->14515 14516 425c4d 14514->14516 14519 425cac 8 API calls 14515->14519 14516->14515 14518 425c56 14516->14518 14520 425f4a __vbaStrMove __vbaStrCopy __vbaStrMove 14517->14520 14521 425c83 __vbaGenerateBoundsError 14518->14521 14522 425c77 14518->14522 14523 4338e0 124 API calls 14519->14523 14524 4329f0 20 API calls 14520->14524 14521->14522 14522->14519 14525 425da8 __vbaStrMove __vbaStrCopy __vbaStrMove 14523->14525 14526 425f8f 11 API calls 14524->14526 14527 4329f0 20 API calls 14525->14527 14528 425ded __vbaStrMove __vbaStrCat __vbaStrMove 14527->14528 14529 425e1b 14528->14529 14530 425e6e __vbaGenerateBoundsError 14528->14530 14529->14530 14531 425e24 14529->14531 14532 425e7a __vbaStrMove __vbaStrCat __vbaStrMove 14530->14532 14533 425e51 __vbaGenerateBoundsError 14531->14533 14534 425e45 14531->14534 14535 428470 1168 API calls 14532->14535 14533->14534 14534->14532 14536 425ecc __vbaFreeStrList __vbaStrCat #529 __vbaFreeVar 14535->14536 14536->14513 14540 41790c 14541 417920 14540->14541 14542 419f3d __vbaErrorOverflow 14540->14542 14543 41793b 14541->14543 14544 419dfa 8 API calls 14541->14544 14546 4179a5 __vbaGenerateBoundsError 14543->14546 14548 417956 14543->14548 14547 4179b1 6 API calls 14546->14547 14549 417a37 14547->14549 14550 41841b 14547->14550 14551 417988 __vbaGenerateBoundsError 14548->14551 14552 41797c 14548->14552 14554 417a44 __vbaNew2 14549->14554 14555 417a5e 14549->14555 14553 418487 __vbaGenerateBoundsError 14550->14553 14556 418437 14550->14556 14551->14552 14552->14547 14557 418493 6 API calls 14553->14557 14554->14555 14560 417ada __vbaGenerateBoundsError 14555->14560 14563 417a8a 14555->14563 14558 41846a __vbaGenerateBoundsError 14556->14558 14559 41845e 14556->14559 14561 419141 14557->14561 14562 41851a 14557->14562 14558->14559 14559->14557 14567 417ae6 __vbaStrCat __vbaChkstk 14560->14567 14566 4191ab __vbaGenerateBoundsError 14561->14566 14571 41915c 14561->14571 14564 418541 14562->14564 14565 418527 __vbaNew2 14562->14565 14569 417ab1 14563->14569 14570 417abd __vbaGenerateBoundsError 14563->14570 14575 4185bc __vbaGenerateBoundsError 14564->14575 14583 41856d 14564->14583 14565->14564 14568 4191b7 6 API calls 14566->14568 14572 417b5f 14567->14572 14573 41923d 14568->14573 14574 419dee 14568->14574 14569->14567 14570->14569 14576 419182 14571->14576 14577 41918e __vbaGenerateBoundsError 14571->14577 14578 417b70 __vbaHresultCheckObj 14572->14578 14579 417b96 14572->14579 14581 419264 14573->14581 14582 41924a __vbaNew2 14573->14582 14580 4185c8 __vbaStrCat __vbaChkstk 14575->14580 14576->14568 14577->14576 14584 417ba0 __vbaFreeVar 14578->14584 14579->14584 14589 418641 14580->14589 14590 4192e0 __vbaGenerateBoundsError 14581->14590 14593 419290 14581->14593 14582->14581 14585 418593 14583->14585 14586 41859f __vbaGenerateBoundsError 14583->14586 14587 417bd3 14584->14587 14588 417bb9 __vbaNew2 14584->14588 14585->14580 14586->14585 14603 417c17 __vbaHresultCheckObj 14587->14603 14604 417c3d 14587->14604 14588->14587 14591 418652 __vbaHresultCheckObj 14589->14591 14592 418678 14589->14592 14594 4192ec __vbaStrCat __vbaChkstk 14590->14594 14595 418682 __vbaFreeVar 14591->14595 14592->14595 14596 4192c3 __vbaGenerateBoundsError 14593->14596 14597 4192b7 14593->14597 14599 419365 14594->14599 14598 41869b __vbaNew2 14595->14598 14602 4186b5 14595->14602 14596->14597 14597->14594 14598->14602 14600 419376 __vbaHresultCheckObj 14599->14600 14601 41939c 14599->14601 14605 4193a6 __vbaFreeVar 14600->14605 14601->14605 14608 418724 14602->14608 14609 4186fe __vbaHresultCheckObj 14602->14609 14603->14604 14610 417ca0 14604->14610 14611 417c7d __vbaHresultCheckObj 14604->14611 14606 4193d9 14605->14606 14607 4193bf __vbaNew2 14605->14607 14618 419422 __vbaHresultCheckObj 14606->14618 14619 419448 14606->14619 14607->14606 14612 41872e __vbaObjSet __vbaForEachCollObj 14608->14612 14609->14612 14613 417caa __vbaObjSet __vbaForEachCollObj __vbaFreeObj 14610->14613 14611->14613 14614 418f50 14612->14614 14615 41840e 14613->14615 14616 41877a __vbaStrCopy 14614->14616 14617 418f5d __vbaStrCopy 14614->14617 14615->14550 14620 417d02 __vbaStrCopy 14615->14620 14621 4338e0 124 API calls 14616->14621 14622 4338e0 124 API calls 14617->14622 14623 419452 __vbaObjSet __vbaForEachCollObj 14618->14623 14619->14623 14624 4338e0 124 API calls 14620->14624 14625 418798 __vbaStrMove __vbaStrCopy __vbaStrMove 14621->14625 14626 418f7b __vbaStrMove __vbaStrCopy 14622->14626 14627 419c74 14623->14627 14628 417d20 __vbaStrMove __vbaStrCopy 14624->14628 14629 4329f0 20 API calls 14625->14629 14630 4338e0 124 API calls 14626->14630 14631 419c81 __vbaStrCopy 14627->14631 14632 41949e __vbaStrCopy 14627->14632 14633 4338e0 124 API calls 14628->14633 14634 4187dd __vbaStrMove __vbaStrCopy 14629->14634 14635 418f9d __vbaStrMove __vbaStrCopy __vbaStrMove __vbaStrCopy __vbaStrMove 14630->14635 14637 4338e0 124 API calls 14631->14637 14636 4338e0 124 API calls 14632->14636 14638 417d42 __vbaStrMove __vbaStrCopy __vbaStrMove 14633->14638 14639 4338e0 124 API calls 14634->14639 14640 4329f0 20 API calls 14635->14640 14641 4194bc __vbaStrMove __vbaStrCopy __vbaStrMove 14636->14641 14642 419c9f __vbaStrMove __vbaStrCopy __vbaStrMove 14637->14642 14678 417d8d 14638->14678 14644 4187ff __vbaStrMove __vbaStrCopy __vbaStrMove 14639->14644 14645 419015 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove 14640->14645 14646 4329f0 20 API calls 14641->14646 14643 4329f0 20 API calls 14642->14643 14647 419ceb 18 API calls 14643->14647 14648 4329f0 20 API calls 14644->14648 14649 4329f0 20 API calls 14645->14649 14650 419501 __vbaStrMove __vbaStrCopy 14646->14650 14647->14574 14653 418844 __vbaStrMove __vbaStrMove 14648->14653 14654 41905b 14 API calls 14649->14654 14651 4338e0 124 API calls 14650->14651 14655 419523 __vbaStrMove __vbaStrCopy __vbaStrMove 14651->14655 14652 417d9e __vbaHresultCheckObj 14652->14678 14670 418888 14653->14670 14654->14561 14656 4329f0 20 API calls 14655->14656 14657 419568 __vbaStrMove __vbaStrMove 14656->14657 14674 4195ac 14657->14674 14658 418899 __vbaHresultCheckObj 14658->14670 14659 417e00 __vbaHresultCheckObj 14659->14678 14660 4195bd __vbaHresultCheckObj 14660->14674 14661 4188f9 __vbaHresultCheckObj 14662 418926 __vbaStrMove 14661->14662 14662->14670 14663 417e60 __vbaHresultCheckObj 14664 417e8d __vbaStrCopy __vbaStrMove 14663->14664 14664->14678 14665 41961d __vbaHresultCheckObj 14667 41964a __vbaStrMove 14665->14667 14666 418973 __vbaHresultCheckObj 14666->14670 14667->14674 14668 417ede __vbaHresultCheckObj 14668->14678 14669 419697 __vbaHresultCheckObj 14669->14674 14670->14658 14670->14661 14670->14662 14670->14666 14671 4189d3 __vbaHresultCheckObj 14670->14671 14672 418a00 15 API calls 14670->14672 14671->14672 14675 4338e0 124 API calls 14672->14675 14673 417f40 __vbaHresultCheckObj 14673->14678 14674->14660 14674->14665 14674->14667 14674->14669 14676 4196f7 __vbaHresultCheckObj 14674->14676 14679 419724 15 API calls 14674->14679 14677 418b20 __vbaStrMove __vbaStrCopy 14675->14677 14676->14679 14680 4338e0 124 API calls 14677->14680 14678->14652 14678->14659 14678->14663 14678->14664 14678->14668 14678->14673 14682 417fa0 __vbaHresultCheckObj 14678->14682 14687 4329f0 20 API calls 14678->14687 14683 4338e0 124 API calls 14679->14683 14681 418b42 __vbaStrMove __vbaStrCopy __vbaStrMove 14680->14681 14684 4329f0 20 API calls 14681->14684 14682->14678 14685 419845 __vbaStrMove __vbaStrCopy 14683->14685 14686 418b87 __vbaStrMove __vbaStrCopy __vbaStrMove __vbaStrMove 14684->14686 14688 4338e0 124 API calls 14685->14688 14699 418bf5 14686->14699 14689 417fe1 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove 14687->14689 14690 419867 __vbaStrMove __vbaStrCopy __vbaStrMove 14688->14690 14691 4329f0 20 API calls 14689->14691 14694 418027 12 API calls 14691->14694 14696 4338e0 124 API calls 14694->14696 14697 418119 __vbaStrMove __vbaStrCopy 14696->14697 14700 4338e0 124 API calls 14697->14700 14702 41813b __vbaStrMove __vbaStrCopy __vbaStrMove 14700->14702 14719 418186 14702->14719 14707 418197 __vbaHresultCheckObj 14707->14719 14714 4181f9 __vbaHresultCheckObj 14714->14719 14719->14707 14719->14714 14721 418259 __vbaHresultCheckObj 14719->14721 14722 418286 __vbaStrCopy __vbaStrMove 14719->14722 14721->14722 14724 4329f0 20 API calls 14722->14724 14726 4182c7 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove 14724->14726 14728 4329f0 20 API calls 14726->14728 14730 41830d 14 API calls 14728->14730 14730->14615 14940 41201e 14941 417877 __vbaErrorOverflow 14940->14941 14944 412032 14940->14944 14942 414808 __vbaUbound __vbaI2I4 14945 41485a 14942->14945 14943 4120c7 __vbaGenerateBoundsError 14947 4120d3 __vbaStrCat __vbaStrMove 14943->14947 14944->14942 14944->14943 14946 412078 14944->14946 14948 416047 14945->14948 14954 4148ea __vbaGenerateBoundsError 14945->14954 14957 41489a 14945->14957 14949 4120aa __vbaGenerateBoundsError 14946->14949 14950 41209e 14946->14950 14951 433f70 14947->14951 14952 416074 __vbaNew2 14948->14952 14953 41608e 14948->14953 14949->14950 14950->14947 14956 412110 __vbaAryMove __vbaFreeStr 14951->14956 14952->14953 14967 4160f2 14953->14967 14968 4160cf __vbaHresultCheckObj 14953->14968 14955 4148f6 __vbaStrCat __vbaStrMove 14954->14955 14962 433f70 14955->14962 14958 412149 __vbaUbound __vbaI2I4 14956->14958 14959 4147f0 14956->14959 14960 4148c1 14957->14960 14961 4148cd __vbaGenerateBoundsError 14957->14961 14964 41219d 14958->14964 14959->14942 14960->14955 14961->14960 14963 414933 __vbaAryMove __vbaFreeStr 14962->14963 14963->14948 14965 41496c __vbaUbound __vbaI2I4 14963->14965 14964->14959 14966 4121b0 __vbaStrCopy 14964->14966 14969 4149be 14965->14969 14970 4338e0 124 API calls 14966->14970 14967->14941 14971 41610b __vbaVarForInit 14967->14971 14968->14967 14969->14948 14972 4149d2 __vbaStrCopy 14969->14972 14973 4121d4 __vbaStrMove __vbaStrCopy __vbaStrMove 14970->14973 14986 416167 14971->14986 14974 4338e0 124 API calls 14972->14974 14975 4329f0 20 API calls 14973->14975 14977 4149f6 __vbaStrMove __vbaStrCopy __vbaStrMove 14974->14977 14978 41222e __vbaStrMove 14975->14978 14976 416665 14981 4166a0 14976->14981 14982 416686 __vbaNew2 14976->14982 14984 4329f0 20 API calls 14977->14984 14979 4122a1 __vbaGenerateBoundsError 14978->14979 14980 412245 14978->14980 14987 4122ad 7 API calls 14979->14987 14980->14979 14985 412251 14980->14985 14999 4166e1 __vbaHresultCheckObj 14981->14999 15000 416704 14981->15000 14982->14981 14983 416187 __vbaNew2 14983->14986 14988 414a50 __vbaStrMove 14984->14988 14989 412284 __vbaGenerateBoundsError 14985->14989 14990 412278 14985->14990 14986->14976 14986->14983 15001 4161e2 __vbaHresultCheckObj 14986->15001 15013 41620f __vbaChkstk __vbaVarIndexLoad __vbaStrCopy 14986->15013 14991 4126f4 14987->14991 14992 41238d 14987->14992 14993 414ac1 __vbaGenerateBoundsError 14988->14993 14994 414a67 14988->14994 14989->14990 14990->14987 14998 41275f __vbaGenerateBoundsError 14991->14998 15009 412710 14991->15009 14996 4123f8 __vbaGenerateBoundsError 14992->14996 15002 4123a9 14992->15002 14995 414acd 7 API calls 14993->14995 14994->14993 14997 414a72 14994->14997 15007 414f16 14995->15007 15008 414bae 14995->15008 15006 412404 #712 __vbaStrMove __vbaLenBstr #709 14996->15006 15004 414aa4 __vbaGenerateBoundsError 14997->15004 15005 414a98 14997->15005 15003 41276b 6 API calls 14998->15003 14999->15000 15000->14941 15020 41671d __vbaVarForInit 15000->15020 15001->15013 15014 4123db __vbaGenerateBoundsError 15002->15014 15015 4123cf 15002->15015 15010 412b54 __vbaStrCopy 15003->15010 15011 4127f8 15003->15011 15004->15005 15005->14995 15006->14941 15016 412481 #619 __vbaStrVarMove __vbaStrMove __vbaFreeVar __vbaStrCopy 15006->15016 15012 414f82 __vbaGenerateBoundsError 15007->15012 15024 414f32 15007->15024 15017 414c1a __vbaGenerateBoundsError 15008->15017 15028 414bca 15008->15028 15018 412742 __vbaGenerateBoundsError 15009->15018 15019 412736 15009->15019 15022 4338e0 124 API calls 15010->15022 15023 412863 __vbaGenerateBoundsError 15011->15023 15032 412814 15011->15032 15025 414f8e 6 API calls 15012->15025 15021 4338e0 124 API calls 15013->15021 15014->15015 15015->15006 15027 4338e0 124 API calls 15016->15027 15026 414c26 #712 __vbaStrMove __vbaLenBstr #709 15017->15026 15018->15019 15019->15003 15212 416779 15020->15212 15038 416274 __vbaStrMove __vbaStrCopy __vbaStrMove 15021->15038 15040 412b78 __vbaStrMove __vbaStrCopy __vbaStrMove 15022->15040 15029 41283a 15023->15029 15034 414f65 __vbaGenerateBoundsError 15024->15034 15035 414f59 15024->15035 15036 41501b 15025->15036 15037 41537a __vbaStrCopy 15025->15037 15026->14941 15033 414ca3 #619 __vbaStrVarMove __vbaStrMove __vbaFreeVar __vbaStrCopy 15026->15033 15039 4124e0 __vbaStrMove __vbaStrCopy __vbaStrMove 15027->15039 15030 414bf1 15028->15030 15031 414bfd __vbaGenerateBoundsError 15028->15031 15046 4128d3 __vbaGenerateBoundsError 15029->15046 15057 412884 15029->15057 15030->15026 15031->15030 15032->15029 15044 412846 __vbaGenerateBoundsError 15032->15044 15041 4338e0 124 API calls 15033->15041 15034->15035 15035->15025 15047 415087 __vbaGenerateBoundsError 15036->15047 15058 415037 15036->15058 15045 4338e0 124 API calls 15037->15045 15042 4329f0 20 API calls 15038->15042 15048 4329f0 20 API calls 15039->15048 15043 4329f0 20 API calls 15040->15043 15051 414d02 __vbaStrMove __vbaStrCopy __vbaStrMove 15041->15051 15053 4162ce 9 API calls 15042->15053 15054 412bd2 __vbaStrMove 15043->15054 15044->15029 15055 41539e __vbaStrMove __vbaStrCopy __vbaStrMove 15045->15055 15056 4128df __vbaAryLock 15046->15056 15059 41505e 15047->15059 15060 41253a __vbaStrMove 15048->15060 15049 416a3d __vbaStrCopy 15050 4338e0 124 API calls 15049->15050 15063 416a61 __vbaStrMove __vbaStrCopy __vbaStrMove 15050->15063 15064 4329f0 20 API calls 15051->15064 15052 416799 __vbaNew2 15052->15212 15065 4163dd __vbaNew2 15053->15065 15176 4163f7 15053->15176 15066 412c44 __vbaGenerateBoundsError 15054->15066 15067 412be9 15054->15067 15068 4329f0 20 API calls 15055->15068 15071 4128f6 15056->15071 15072 412949 __vbaGenerateBoundsError 15056->15072 15069 4128b6 __vbaGenerateBoundsError 15057->15069 15070 4128aa 15057->15070 15058->15059 15073 41506a __vbaGenerateBoundsError 15058->15073 15074 4150f8 __vbaGenerateBoundsError 15059->15074 15075 4150a8 15059->15075 15061 412568 15060->15061 15062 41254e __vbaNew2 15060->15062 15088 4125f7 __vbaGenerateBoundsError 15061->15088 15103 4125a8 15061->15103 15062->15061 15076 416ac7 __vbaGenerateBoundsError 15063->15076 15077 416abb 15063->15077 15079 414d5c __vbaStrMove 15064->15079 15065->15176 15082 412c50 7 API calls 15066->15082 15067->15066 15080 412bf5 15067->15080 15081 4153f8 __vbaStrMove 15068->15081 15069->15070 15070->15056 15071->15072 15083 4128ff 15071->15083 15084 412955 __vbaLenBstr #709 15072->15084 15073->15059 15078 415104 __vbaAryLock 15074->15078 15085 4150db __vbaGenerateBoundsError 15075->15085 15086 4150cf 15075->15086 15076->15077 15104 4329f0 20 API calls 15077->15104 15089 41511b 15078->15089 15090 41516e __vbaGenerateBoundsError 15078->15090 15091 414d70 __vbaNew2 15079->15091 15092 414d8a 15079->15092 15093 412c27 __vbaGenerateBoundsError 15080->15093 15094 412c1b 15080->15094 15097 41546b __vbaGenerateBoundsError 15081->15097 15098 41540f 15081->15098 15095 412d31 15082->15095 15096 413096 15082->15096 15099 412920 15083->15099 15100 41292c __vbaGenerateBoundsError 15083->15100 15084->14941 15087 4129b5 #619 __vbaAryUnlock __vbaStrVarMove __vbaStrMove __vbaFreeVar 15084->15087 15085->15086 15086->15078 15101 412a21 15087->15101 15102 412a07 __vbaNew2 15087->15102 15111 412603 __vbaStrMove __vbaStrCat 15088->15111 15089->15090 15105 415124 15089->15105 15107 41517a __vbaLenBstr #709 15090->15107 15091->15092 15120 414e1a __vbaGenerateBoundsError 15092->15120 15137 414dca 15092->15137 15093->15094 15094->15082 15110 412d9b __vbaGenerateBoundsError 15095->15110 15124 412d4c 15095->15124 15108 413100 __vbaGenerateBoundsError 15096->15108 15121 4130b1 15096->15121 15106 415477 7 API calls 15097->15106 15098->15097 15112 41541b 15098->15112 15099->15084 15100->15099 15131 412ab0 __vbaGenerateBoundsError 15101->15131 15153 412a61 15101->15153 15102->15101 15114 4125da __vbaGenerateBoundsError 15103->15114 15115 4125ce 15103->15115 15116 416ae6 __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCopy 15104->15116 15117 415151 __vbaGenerateBoundsError 15105->15117 15118 415145 15105->15118 15128 415557 15106->15128 15129 4158be 15106->15129 15107->14941 15119 4151da #619 __vbaAryUnlock __vbaStrVarMove __vbaStrMove __vbaFreeVar 15107->15119 15127 41310c __vbaInStr 15108->15127 15109 4167f4 __vbaHresultCheckObj 15122 416821 __vbaChkstk __vbaVarIndexLoad 15109->15122 15113 412da7 #712 __vbaStrMove __vbaLenBstr #709 15110->15113 15133 412675 15111->15133 15125 415442 15112->15125 15126 41544e __vbaGenerateBoundsError 15112->15126 15113->14941 15147 412e24 #619 __vbaStrVarMove __vbaStrMove __vbaFreeVar __vbaStrCopy 15113->15147 15114->15115 15115->15111 15132 4338e0 124 API calls 15116->15132 15117->15118 15118->15107 15134 415246 15119->15134 15135 41522c __vbaNew2 15119->15135 15136 414e26 __vbaStrMove __vbaStrCat 15120->15136 15138 4130e3 __vbaGenerateBoundsError 15121->15138 15139 4130d7 15121->15139 15142 416882 __vbaNew2 15122->15142 15122->15212 15123 416438 __vbaHresultCheckObj 15143 416465 __vbaChkstk __vbaVarIndexLoad 15123->15143 15145 412d72 15124->15145 15146 412d7e __vbaGenerateBoundsError 15124->15146 15125->15106 15126->15125 15140 413135 15127->15140 15141 4133af 15127->15141 15130 4155c2 __vbaGenerateBoundsError 15128->15130 15152 415573 15128->15152 15144 415929 __vbaGenerateBoundsError 15129->15144 15161 4158da 15129->15161 15159 4155ce #712 __vbaStrMove __vbaLenBstr #709 15130->15159 15156 412abc __vbaStrCat 15131->15156 15155 416b5a __vbaStrMove __vbaStrCopy __vbaStrMove 15132->15155 15148 412686 __vbaHresultCheckObj 15133->15148 15149 4126a9 15133->15149 15173 4152d6 __vbaGenerateBoundsError 15134->15173 15184 415286 15134->15184 15135->15134 15174 414e97 15136->15174 15157 414df1 15137->15157 15158 414dfd __vbaGenerateBoundsError 15137->15158 15138->15139 15139->15127 15151 4131a0 __vbaGenerateBoundsError 15140->15151 15175 413151 15140->15175 15154 413419 __vbaGenerateBoundsError 15141->15154 15170 4133ca 15141->15170 15142->15212 15160 4164c6 __vbaNew2 15143->15160 15143->15176 15150 415935 __vbaInStr 15144->15150 15145->15113 15146->15145 15162 4338e0 124 API calls 15147->15162 15163 4126b3 __vbaFreeStrList __vbaFreeVar 15148->15163 15149->15163 15179 415bdb 15150->15179 15180 41595f 15150->15180 15167 4131ac #712 __vbaStrMove __vbaLenBstr #709 15151->15167 15164 4155a5 __vbaGenerateBoundsError 15152->15164 15165 415599 15152->15165 15168 412a93 __vbaGenerateBoundsError 15153->15168 15169 412a87 15153->15169 15181 413425 6 API calls 15154->15181 15171 416bc0 __vbaGenerateBoundsError 15155->15171 15172 416bb4 15155->15172 15193 412b0a 15156->15193 15157->15136 15158->15157 15159->14941 15166 41564b #619 __vbaStrVarMove __vbaStrMove __vbaFreeVar __vbaStrCopy 15159->15166 15160->15176 15177 415900 15161->15177 15178 41590c __vbaGenerateBoundsError 15161->15178 15182 412e83 __vbaStrMove __vbaStrCopy __vbaStrMove 15162->15182 15163->14991 15164->15165 15165->15159 15190 4338e0 124 API calls 15166->15190 15167->14941 15189 413229 #619 __vbaStrVarMove __vbaStrMove __vbaFreeVar 15167->15189 15168->15169 15169->15156 15191 4133f0 15170->15191 15192 4133fc __vbaGenerateBoundsError 15170->15192 15171->15172 15204 4329f0 20 API calls 15172->15204 15188 4152e2 __vbaStrCat 15173->15188 15196 414ea8 __vbaHresultCheckObj 15174->15196 15197 414ecb 15174->15197 15186 413183 __vbaGenerateBoundsError 15175->15186 15187 413177 15175->15187 15176->15123 15176->15143 15234 416521 __vbaHresultCheckObj 15176->15234 15252 41654e 6 API calls 15176->15252 15177->15150 15178->15177 15185 415c46 __vbaGenerateBoundsError 15179->15185 15209 415bf7 15179->15209 15198 4159cb __vbaGenerateBoundsError 15180->15198 15216 41597b 15180->15216 15194 4134b1 15181->15194 15195 413809 15181->15195 15183 4329f0 20 API calls 15182->15183 15199 412edd __vbaStrMove 15183->15199 15207 4152b9 __vbaGenerateBoundsError 15184->15207 15208 4152ad 15184->15208 15206 415c52 6 API calls 15185->15206 15186->15187 15187->15167 15224 415330 15188->15224 15214 413271 __vbaNew2 15189->15214 15215 41328b 15189->15215 15200 4156aa __vbaStrMove __vbaStrCopy __vbaStrMove 15190->15200 15191->15181 15192->15191 15202 412b1b __vbaHresultCheckObj 15193->15202 15203 412b3e 15193->15203 15205 41351b __vbaGenerateBoundsError 15194->15205 15233 4134cc 15194->15233 15201 413875 __vbaGenerateBoundsError 15195->15201 15221 413825 15195->15221 15210 414ed5 __vbaFreeStrList __vbaFreeVar 15196->15210 15197->15210 15211 4159d7 #712 __vbaStrMove __vbaLenBstr #709 15198->15211 15218 412ef1 __vbaNew2 15199->15218 15219 412f0b 15199->15219 15229 4329f0 20 API calls 15200->15229 15230 413881 __vbaInStr 15201->15230 15231 412b48 __vbaFreeVar 15202->15231 15203->15231 15232 416bdf __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCopy 15204->15232 15220 4134f2 15205->15220 15225 41603b 15206->15225 15226 415cdf 15206->15226 15207->15208 15208->15188 15222 415c29 __vbaGenerateBoundsError 15209->15222 15223 415c1d 15209->15223 15210->15007 15211->14941 15217 415a54 #619 __vbaStrVarMove __vbaStrMove __vbaFreeVar 15211->15217 15212->15049 15212->15052 15212->15109 15212->15122 15213 4168dd __vbaHresultCheckObj 15212->15213 15227 41690a 8 API calls 15212->15227 15213->15227 15228 413294 __vbaAryLock 15214->15228 15215->15228 15235 4159a2 15216->15235 15236 4159ae __vbaGenerateBoundsError 15216->15236 15237 415ab6 15217->15237 15238 415a9c __vbaNew2 15217->15238 15218->15219 15254 412f99 __vbaGenerateBoundsError 15219->15254 15267 412f4a 15219->15267 15245 41358a __vbaGenerateBoundsError 15220->15245 15263 41353b 15220->15263 15240 413858 __vbaGenerateBoundsError 15221->15240 15241 41384c 15221->15241 15222->15223 15223->15206 15246 415341 __vbaHresultCheckObj 15224->15246 15247 415364 15224->15247 15248 415d4a __vbaGenerateBoundsError 15226->15248 15258 415cfb 15226->15258 15249 4258c0 1241 API calls 15227->15249 15250 4132cc 15228->15250 15251 41331f __vbaGenerateBoundsError 15228->15251 15239 415704 __vbaStrMove 15229->15239 15230->14959 15242 4138ab 15230->15242 15231->15010 15243 4338e0 124 API calls 15232->15243 15233->15220 15244 4134fe __vbaGenerateBoundsError 15233->15244 15234->15252 15235->15211 15236->15235 15253 415abf __vbaAryLock 15237->15253 15238->15253 15261 415718 __vbaNew2 15239->15261 15291 415732 15239->15291 15240->15241 15241->15230 15256 413925 __vbaGenerateBoundsError 15242->15256 15268 4138d6 15242->15268 15262 416c53 __vbaStrMove __vbaStrCopy __vbaStrMove 15243->15262 15244->15220 15255 413596 __vbaAryLock 15245->15255 15257 41536e __vbaFreeVar 15246->15257 15247->15257 15286 415d21 15248->15286 15259 4169af __vbaStrMove __vbaFreeStrList __vbaFreeVarList __vbaVarForNext 15249->15259 15250->15251 15260 4132d5 15250->15260 15288 4132f6 15251->15288 15264 420f00 1284 API calls 15252->15264 15265 415af8 15253->15265 15266 415b4b __vbaGenerateBoundsError 15253->15266 15270 412fa5 __vbaStrMove __vbaStrCat 15254->15270 15274 4135ac 15255->15274 15275 4135ff __vbaGenerateBoundsError 15255->15275 15273 413931 __vbaStrCat __vbaStrMove 15256->15273 15257->15037 15276 415d2d __vbaGenerateBoundsError 15258->15276 15258->15286 15259->15212 15278 413302 __vbaGenerateBoundsError 15260->15278 15260->15288 15261->15291 15269 416cb9 __vbaGenerateBoundsError 15262->15269 15292 416cad 15262->15292 15271 413561 15263->15271 15272 41356d __vbaGenerateBoundsError 15263->15272 15279 4165de __vbaStrMove __vbaFreeStrList __vbaFreeVarList __vbaVarForNext 15264->15279 15265->15266 15281 412f7c __vbaGenerateBoundsError 15267->15281 15299 412f70 15267->15299 15282 413908 __vbaGenerateBoundsError 15268->15282 15283 4138fc 15268->15283 15269->15292 15300 413017 15270->15300 15271->15255 15272->15271 15274->15275 15276->15286 15277 415dba __vbaGenerateBoundsError 15278->15288 15279->14986 15281->15299 15282->15283 15283->15273 15286->15277 15287 415d6b 15286->15287 15296 413378 __vbaHresultCheckObj 15288->15296 15297 41339b 15288->15297 15290 4157c1 __vbaGenerateBoundsError 15291->15290 15301 415772 15291->15301 15302 4329f0 20 API calls 15292->15302 15299->15270 15319 416cd8 __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCopy 15302->15319 15329 4338e0 124 API calls 15319->15329 15337 416d4c __vbaStrMove __vbaStrCopy __vbaStrMove 15329->15337 15340 416db2 __vbaGenerateBoundsError 15337->15340 15341 416da6 15337->15341 15340->15341 15353 4329f0 20 API calls 15341->15353 15359 416dd1 __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCopy 15353->15359 15364 4338e0 124 API calls 15359->15364 15368 416e45 __vbaStrMove __vbaStrCopy __vbaStrMove 15364->15368 10386 403aa0 #100 10387 403aba 10386->10387 10387->10387 15482 4149a5 15483 417877 __vbaErrorOverflow 15482->15483 15484 4149b8 15482->15484 15485 4149d2 __vbaStrCopy 15484->15485 15486 416047 15484->15486 15487 4338e0 124 API calls 15485->15487 15490 416074 __vbaNew2 15486->15490 15491 41608e 15486->15491 15488 4149f6 __vbaStrMove __vbaStrCopy __vbaStrMove 15487->15488 15489 4329f0 20 API calls 15488->15489 15492 414a50 __vbaStrMove 15489->15492 15490->15491 15501 4160f2 15491->15501 15502 4160cf __vbaHresultCheckObj 15491->15502 15493 414ac1 __vbaGenerateBoundsError 15492->15493 15494 414a67 15492->15494 15495 414acd 7 API calls 15493->15495 15494->15493 15496 414a72 15494->15496 15499 414f16 15495->15499 15500 414bae 15495->15500 15497 414aa4 __vbaGenerateBoundsError 15496->15497 15498 414a98 15496->15498 15497->15498 15498->15495 15503 414f82 __vbaGenerateBoundsError 15499->15503 15506 414f32 15499->15506 15504 414c1a __vbaGenerateBoundsError 15500->15504 15509 414bca 15500->15509 15501->15483 15505 41610b __vbaVarForInit 15501->15505 15502->15501 15507 414f8e 6 API calls 15503->15507 15508 414c26 #712 __vbaStrMove __vbaLenBstr #709 15504->15508 15512 416167 15505->15512 15514 414f65 __vbaGenerateBoundsError 15506->15514 15515 414f59 15506->15515 15516 41501b 15507->15516 15517 41537a __vbaStrCopy 15507->15517 15508->15483 15513 414ca3 #619 __vbaStrVarMove __vbaStrMove __vbaFreeVar __vbaStrCopy 15508->15513 15510 414bf1 15509->15510 15511 414bfd __vbaGenerateBoundsError 15509->15511 15510->15508 15511->15510 15518 416665 15512->15518 15523 416187 __vbaNew2 15512->15523 15548 4161e2 __vbaHresultCheckObj 15512->15548 15554 41620f __vbaChkstk __vbaVarIndexLoad __vbaStrCopy 15512->15554 15519 4338e0 124 API calls 15513->15519 15514->15515 15515->15507 15521 415087 __vbaGenerateBoundsError 15516->15521 15526 415037 15516->15526 15520 4338e0 124 API calls 15517->15520 15522 416686 __vbaNew2 15518->15522 15528 4166a0 15518->15528 15524 414d02 __vbaStrMove __vbaStrCopy __vbaStrMove 15519->15524 15525 41539e __vbaStrMove __vbaStrCopy __vbaStrMove 15520->15525 15527 41505e 15521->15527 15522->15528 15523->15512 15529 4329f0 20 API calls 15524->15529 15530 4329f0 20 API calls 15525->15530 15526->15527 15531 41506a __vbaGenerateBoundsError 15526->15531 15532 4150f8 __vbaGenerateBoundsError 15527->15532 15533 4150a8 15527->15533 15546 4166e1 __vbaHresultCheckObj 15528->15546 15547 416704 15528->15547 15535 414d5c __vbaStrMove 15529->15535 15536 4153f8 __vbaStrMove 15530->15536 15531->15527 15534 415104 __vbaAryLock 15532->15534 15537 4150db __vbaGenerateBoundsError 15533->15537 15538 4150cf 15533->15538 15539 41511b 15534->15539 15540 41516e __vbaGenerateBoundsError 15534->15540 15541 414d70 __vbaNew2 15535->15541 15542 414d8a 15535->15542 15543 41546b __vbaGenerateBoundsError 15536->15543 15544 41540f 15536->15544 15537->15538 15538->15534 15539->15540 15545 415124 15539->15545 15551 41517a __vbaLenBstr #709 15540->15551 15541->15542 15556 414e1a __vbaGenerateBoundsError 15542->15556 15568 414dca 15542->15568 15549 415477 7 API calls 15543->15549 15544->15543 15550 41541b 15544->15550 15552 415151 __vbaGenerateBoundsError 15545->15552 15553 415145 15545->15553 15546->15547 15547->15483 15563 41671d __vbaVarForInit 15547->15563 15548->15554 15559 415557 15549->15559 15560 4158be 15549->15560 15557 415442 15550->15557 15558 41544e __vbaGenerateBoundsError 15550->15558 15551->15483 15555 4151da #619 __vbaAryUnlock __vbaStrVarMove __vbaStrMove __vbaFreeVar 15551->15555 15552->15553 15553->15551 15564 4338e0 124 API calls 15554->15564 15565 415246 15555->15565 15566 41522c __vbaNew2 15555->15566 15567 414e26 __vbaStrMove __vbaStrCat 15556->15567 15557->15549 15558->15557 15561 4155c2 __vbaGenerateBoundsError 15559->15561 15570 415573 15559->15570 15562 415929 __vbaGenerateBoundsError 15560->15562 15571 4158da 15560->15571 15569 4155ce #712 __vbaStrMove __vbaLenBstr #709 15561->15569 15575 415935 __vbaInStr 15562->15575 15675 416779 15563->15675 15572 416274 __vbaStrMove __vbaStrCopy __vbaStrMove 15564->15572 15584 4152d6 __vbaGenerateBoundsError 15565->15584 15590 415286 15565->15590 15566->15565 15576 414e97 15567->15576 15573 414df1 15568->15573 15574 414dfd __vbaGenerateBoundsError 15568->15574 15569->15483 15579 41564b #619 __vbaStrVarMove __vbaStrMove __vbaFreeVar __vbaStrCopy 15569->15579 15577 4155a5 __vbaGenerateBoundsError 15570->15577 15578 415599 15570->15578 15580 415900 15571->15580 15581 41590c __vbaGenerateBoundsError 15571->15581 15585 4329f0 20 API calls 15572->15585 15573->15567 15574->15573 15582 415bdb 15575->15582 15583 41595f 15575->15583 15593 414ea8 __vbaHresultCheckObj 15576->15593 15594 414ecb 15576->15594 15577->15578 15578->15569 15588 4338e0 124 API calls 15579->15588 15580->15575 15581->15580 15592 415c46 __vbaGenerateBoundsError 15582->15592 15603 415bf7 15582->15603 15596 4159cb __vbaGenerateBoundsError 15583->15596 15606 41597b 15583->15606 15595 4152e2 __vbaStrCat 15584->15595 15591 4162ce 9 API calls 15585->15591 15586 416a3d __vbaStrCopy 15587 4338e0 124 API calls 15586->15587 15597 416a61 __vbaStrMove __vbaStrCopy __vbaStrMove 15587->15597 15598 4156aa __vbaStrMove __vbaStrCopy __vbaStrMove 15588->15598 15589 416799 __vbaNew2 15589->15675 15600 4152b9 __vbaGenerateBoundsError 15590->15600 15601 4152ad 15590->15601 15602 4163dd __vbaNew2 15591->15602 15661 4163f7 15591->15661 15599 415c52 6 API calls 15592->15599 15604 414ed5 __vbaFreeStrList __vbaFreeVar 15593->15604 15594->15604 15613 415330 15595->15613 15605 4159d7 #712 __vbaStrMove __vbaLenBstr #709 15596->15605 15608 416ac7 __vbaGenerateBoundsError 15597->15608 15609 416abb 15597->15609 15610 4329f0 20 API calls 15598->15610 15614 41603b 15599->15614 15615 415cdf 15599->15615 15600->15601 15601->15595 15602->15661 15611 415c29 __vbaGenerateBoundsError 15603->15611 15612 415c1d 15603->15612 15604->15499 15605->15483 15607 415a54 #619 __vbaStrVarMove __vbaStrMove __vbaFreeVar 15605->15607 15616 4159a2 15606->15616 15617 4159ae __vbaGenerateBoundsError 15606->15617 15618 415ab6 15607->15618 15619 415a9c __vbaNew2 15607->15619 15608->15609 15625 4329f0 20 API calls 15609->15625 15620 415704 __vbaStrMove 15610->15620 15611->15612 15612->15599 15621 415341 __vbaHresultCheckObj 15613->15621 15622 415364 15613->15622 15623 415d4a __vbaGenerateBoundsError 15615->15623 15631 415cfb 15615->15631 15616->15605 15617->15616 15624 415abf __vbaAryLock 15618->15624 15619->15624 15626 415732 15620->15626 15627 415718 __vbaNew2 15620->15627 15629 41536e __vbaFreeVar 15621->15629 15622->15629 15630 415d21 15623->15630 15632 415af8 15624->15632 15633 415b4b __vbaGenerateBoundsError 15624->15633 15634 416ae6 __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCopy 15625->15634 15642 4157c1 __vbaGenerateBoundsError 15626->15642 15650 415772 15626->15650 15627->15626 15628 4167f4 __vbaHresultCheckObj 15635 416821 __vbaChkstk __vbaVarIndexLoad 15628->15635 15629->15517 15638 415dba __vbaGenerateBoundsError 15630->15638 15645 415d6b 15630->15645 15631->15630 15637 415d2d __vbaGenerateBoundsError 15631->15637 15632->15633 15640 415b01 15632->15640 15639 415b22 15633->15639 15641 4338e0 124 API calls 15634->15641 15643 416882 __vbaNew2 15635->15643 15635->15675 15636 416438 __vbaHresultCheckObj 15644 416465 __vbaChkstk __vbaVarIndexLoad 15636->15644 15637->15630 15646 415dc6 __vbaAryLock 15638->15646 15666 415ba4 __vbaHresultCheckObj 15639->15666 15667 415bc7 15639->15667 15640->15639 15648 415b2e __vbaGenerateBoundsError 15640->15648 15649 416b5a __vbaStrMove __vbaStrCopy __vbaStrMove 15641->15649 15647 4157cd __vbaStrMove __vbaStrCat 15642->15647 15643->15675 15651 4164c6 __vbaNew2 15644->15651 15644->15661 15652 415d91 15645->15652 15653 415d9d __vbaGenerateBoundsError 15645->15653 15654 415e30 __vbaGenerateBoundsError 15646->15654 15655 415ddd 15646->15655 15668 41583f 15647->15668 15648->15639 15657 416bc0 __vbaGenerateBoundsError 15649->15657 15658 416bb4 15649->15658 15659 4157a4 __vbaGenerateBoundsError 15650->15659 15660 415798 15650->15660 15651->15661 15652->15646 15653->15652 15656 415e3c __vbaLenBstr #709 15654->15656 15655->15654 15662 415de6 15655->15662 15656->15483 15665 415e9c #619 __vbaAryUnlock __vbaStrVarMove __vbaStrMove __vbaFreeVar 15656->15665 15657->15658 15672 4329f0 20 API calls 15658->15672 15659->15660 15660->15647 15661->15636 15661->15644 15680 416521 __vbaHresultCheckObj 15661->15680 15684 41654e 6 API calls 15661->15684 15663 415e13 __vbaGenerateBoundsError 15662->15663 15664 415e07 15662->15664 15663->15664 15664->15656 15669 415f08 15665->15669 15670 415eee __vbaNew2 15665->15670 15671 415bd1 __vbaAryUnlock 15666->15671 15667->15671 15673 415850 __vbaHresultCheckObj 15668->15673 15674 415873 15668->15674 15681 415f97 __vbaGenerateBoundsError 15669->15681 15685 415f48 15669->15685 15670->15669 15671->15582 15678 416bdf __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCopy 15672->15678 15677 41587d __vbaFreeStrList __vbaFreeVar 15673->15677 15674->15677 15675->15586 15675->15589 15675->15628 15675->15635 15676 4168dd __vbaHresultCheckObj 15675->15676 15679 41690a 8 API calls 15675->15679 15676->15679 15677->15560 15682 4338e0 124 API calls 15678->15682 15683 4258c0 1241 API calls 15679->15683 15680->15684 15686 415fa3 __vbaStrCat 15681->15686 15687 416c53 __vbaStrMove __vbaStrCopy __vbaStrMove 15682->15687 15688 4169af __vbaStrMove __vbaFreeStrList __vbaFreeVarList __vbaVarForNext 15683->15688 15689 420f00 1284 API calls 15684->15689 15690 415f7a __vbaGenerateBoundsError 15685->15690 15691 415f6e 15685->15691 15695 415ff1 15686->15695 15692 416cb9 __vbaGenerateBoundsError 15687->15692 15693 416cad 15687->15693 15688->15675 15694 4165de __vbaStrMove __vbaFreeStrList __vbaFreeVarList __vbaVarForNext 15689->15694 15690->15691 15691->15686 15692->15693 15698 4329f0 20 API calls 15693->15698 15694->15512 15700 416cd8 __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCopy 15698->15700 15701 4338e0 124 API calls 15700->15701 15702 416d4c __vbaStrMove __vbaStrCopy __vbaStrMove 15701->15702 15703 416db2 __vbaGenerateBoundsError 15702->15703 15704 416da6 15702->15704 15703->15704 15705 4329f0 20 API calls 15704->15705 15706 416dd1 __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCopy 15705->15706 15707 4338e0 124 API calls 15706->15707 15708 416e45 __vbaStrMove __vbaStrCopy __vbaStrMove 15707->15708 15709 416eab __vbaGenerateBoundsError 15708->15709 15710 416e9f 15708->15710 15709->15710 15711 4329f0 20 API calls 15710->15711 15967 422c34 15968 423917 __vbaErrorOverflow 15967->15968 15969 422c45 15967->15969 15970 422c5a 26 API calls 15969->15970 15971 4236ee 15969->15971 15972 423046 15970->15972 15973 42304b __vbaStrCopy 15970->15973 15975 4236fe __vbaSetSystemError #529 15971->15975 15974 4338e0 124 API calls 15973->15974 15977 42306f __vbaStrMove __vbaStrCopy 15974->15977 15976 42372b #529 15975->15976 15978 42382d 17 API calls 15976->15978 15979 4338e0 124 API calls 15977->15979 15978->15968 15980 42309a __vbaStrMove __vbaStrCopy __vbaStrMove 15979->15980 15981 4329f0 20 API calls 15980->15981 15982 4230f4 __vbaStrCopy __vbaStrMove 15981->15982 15983 4329f0 20 API calls 15982->15983 15984 423150 6 API calls 15983->15984 15984->15972 15985 42322e __vbaChkstk __vbaChkstk __vbaVarIndexLoad __vbaI4Var __vbaFreeVar 15984->15985 15985->15968 15986 423309 __vbaStrErrVarCopy __vbaStrMove 15985->15986 15987 436fa0 14 API calls 15986->15987 15988 423341 __vbaAryMove __vbaFreeStr 15987->15988 15989 4309e0 530 API calls 15988->15989 15990 423378 18 API calls 15989->15990 15991 423920 448 API calls 15990->15991 15992 423518 7 API calls 15991->15992 15993 4338e0 124 API calls 15992->15993 15994 4235ad __vbaStrMove __vbaStrCopy __vbaStrMove 15993->15994 15995 4329f0 20 API calls 15994->15995 15996 42360d 12 API calls 15995->15996 15996->15972

                            Executed Functions

                            Function 00438340 Relevance: 54.2, APIs: 36, Instructions: 236filenetworkCOMMON
                            Download Yara Rule
                            APIs
                            • __vbaFixstrConstruct.MSVBVM60(00000100,?,6D10D8B1,6D10D83C,00000000), ref: 0043838C
                            • __vbaNew2.MSVBVM60(00404FCC,004426B4), ref: 004383A4
                            • __vbaHresultCheckObj.MSVBVM60(00000000,0324004C,00404FBC,00000014), ref: 004383C9
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040CB38,00000060), ref: 004383ED
                            • __vbaStrToAnsi.MSVBVM60(?,?,00000001,00000000,00000000,00000000), ref: 00438400
                            • __vbaSetSystemError.MSVBVM60(00000000), ref: 00438414
                            • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00438426
                            • __vbaFreeObj.MSVBVM60 ref: 0043842E
                            • __vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,04000000,00000000), ref: 0043844D
                            • __vbaSetSystemError.MSVBVM60(00000000,00000000,?,00000000,00000000,04000000,00000000), ref: 0043845C
                            • __vbaStrToUnicode.MSVBVM60(00402FA8,?,?,00000000,00000000,04000000,00000000), ref: 00438466
                            • __vbaFreeStr.MSVBVM60(?,00000000,00000000,04000000,00000000), ref: 00438472
                            • __vbaStrToAnsi.MSVBVM60(?,?,00000100,?), ref: 00438494
                            • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 004384A1
                            • __vbaStrToUnicode.MSVBVM60(?,?), ref: 004384AB
                            • __vbaLsetFixstr.MSVBVM60(00000000,?,00000000), ref: 004384BE
                            • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004384CA
                            • __vbaStrCopy.MSVBVM60(?,04000000,00000000), ref: 004384D5
                            • __vbaStrToAnsi.MSVBVM60(?,?,00000100,?), ref: 004384F7
                            • InternetReadFile.WININET(?,00000000), ref: 00438507
                            • __vbaStrToUnicode.MSVBVM60(?,?), ref: 00438511
                            • __vbaLsetFixstr.MSVBVM60(00000000,?,00000000), ref: 0043851E
                            • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0043852A
                            • __vbaStrCopy.MSVBVM60(00000001,?), ref: 00438548
                            • #631.MSVBVM60(00000000), ref: 0043854F
                            • __vbaStrMove.MSVBVM60 ref: 0043855A
                            • __vbaLsetFixstr.MSVBVM60(00000000,?,?), ref: 0043856A
                            • __vbaStrCat.MSVBVM60(?,?), ref: 00438574
                            • __vbaStrMove.MSVBVM60 ref: 0043857F
                            • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0043858F
                            • __vbaSetSystemError.MSVBVM60 ref: 0043859C
                            • #598.MSVBVM60 ref: 004385A9
                            • __vbaSetSystemError.MSVBVM60(?), ref: 004385BD
                            • __vbaStrCopy.MSVBVM60 ref: 004385C5
                            • __vbaFreeStr.MSVBVM60(0043860F), ref: 00438607
                            • __vbaFreeStr.MSVBVM60 ref: 0043860C
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Free$ErrorSystem$AnsiFixstrList$CopyLsetUnicode$CheckHresultMove$#598#631ConstructFileInternetNew2Read
                            • String ID:
                            • API String ID: 2099816023-0
                            • Opcode ID: b5c99fae3a503cca8b7282d40add123e69482d3adb3ee91ce2b224dc4cd393e2
                            • Instruction ID: 51269e8d0714ad81996f35decc733862ab31aa31cb472ac0760fc07b6e3ddb29
                            • Opcode Fuzzy Hash: b5c99fae3a503cca8b7282d40add123e69482d3adb3ee91ce2b224dc4cd393e2
                            • Instruction Fuzzy Hash: 5781EE71900209BFDB04EBA5ED85EEEBBBDEF98704F104119F501B72A0DA749945CFA4
                            Function 00419F50 Relevance: 1436.8, APIs: 730, Strings: 88, Instructions: 5257COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(?,00403596), ref: 00419F6E
                            • __vbaAryConstruct2.MSVBVM60(?,00408EE8,00000008,?,00000000,?,?,00403596), ref: 00419FA3
                            • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00403596), ref: 00419FB2
                            • __vbaStrCopy.MSVBVM60(?,00000000,?,?,00403596), ref: 00419FCA
                              • Part of subcall function 004338E0: __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                              • Part of subcall function 004338E0: #632.MSVBVM60(?,?,?,?), ref: 00433982
                              • Part of subcall function 004338E0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                              • Part of subcall function 004338E0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                              • Part of subcall function 004338E0: #537.MSVBVM60(00000000), ref: 004339A6
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                              • Part of subcall function 004338E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaStrMove.MSVBVM60(?,?,00000000,?,?,00403596), ref: 00419FE4
                            • __vbaStrCopy.MSVBVM60(?,00000000,?,?,00403596), ref: 00419FF5
                            • __vbaStrMove.MSVBVM60 ref: 0041A01D
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041A042
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041A069
                            • __vbaStrCopy.MSVBVM60 ref: 0041A080
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041A0AB
                            • __vbaStrCopy.MSVBVM60(?,?,00000000,?,?,00403596), ref: 0041A0C6
                            • __vbaStrMove.MSVBVM60(?,?,?,00000000,?,?,00403596), ref: 0041A0E0
                            • __vbaStrCopy.MSVBVM60(?,?,00000000,?,?,00403596), ref: 0041A0F1
                            • __vbaStrMove.MSVBVM60 ref: 0041A119
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041A13E
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,6D10D8B1,00000001,6D0FA323), ref: 00432A33
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?), ref: 00432A69
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00432A74
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,?), ref: 00432A77
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00432A82
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00432A8B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00432AA9
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432AC6
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AD1
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00432AD4
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE0
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE9
                              • Part of subcall function 004329F0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00432B0A
                              • Part of subcall function 004329F0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 00432B1C
                              • Part of subcall function 004329F0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 00432B23
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432B2E
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041A165
                            • __vbaStrCopy.MSVBVM60 ref: 0041A17C
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041A1A7
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,?,?,00403596), ref: 0041A1C2
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,?,?,00403596), ref: 0041A1DC
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,?,?,00403596), ref: 0041A1ED
                            • __vbaStrMove.MSVBVM60 ref: 0041A215
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041A261
                            • __vbaStrCopy.MSVBVM60 ref: 0041A278
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041A2A3
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041A2BE
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041A2D8
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041A2E9
                            • __vbaStrMove.MSVBVM60 ref: 0041A311
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041A336
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041A35D
                            • __vbaStrCopy.MSVBVM60 ref: 0041A374
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041A39F
                            • __vbaStrCopy.MSVBVM60 ref: 0041A3BA
                            • __vbaStrMove.MSVBVM60(?), ref: 0041A3D4
                            • __vbaStrCopy.MSVBVM60 ref: 0041A3E5
                            • __vbaStrMove.MSVBVM60 ref: 0041A40D
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041A432
                              • Part of subcall function 004329F0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,00000002,?,?,?), ref: 00432B3A
                              • Part of subcall function 004329F0: __vbaStrCopy.MSVBVM60 ref: 00432B59
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(00432B9C), ref: 00432B95
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041A459
                            • __vbaStrCopy.MSVBVM60 ref: 0041A470
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041A49B
                            • __vbaStrCopy.MSVBVM60 ref: 0041A4B6
                            • __vbaStrMove.MSVBVM60(?), ref: 0041A4D0
                            • __vbaStrCopy.MSVBVM60 ref: 0041A4E1
                            • __vbaStrMove.MSVBVM60 ref: 0041A509
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041A555
                            • __vbaStrCopy.MSVBVM60 ref: 0041A56C
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041A597
                            • __vbaStrCopy.MSVBVM60 ref: 0041A5B2
                            • __vbaStrMove.MSVBVM60(?), ref: 0041A5CC
                            • __vbaStrCopy.MSVBVM60 ref: 0041A5DD
                            • __vbaStrMove.MSVBVM60 ref: 0041A605
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041A62A
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041A651
                            • __vbaStrCopy.MSVBVM60 ref: 0041A668
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041A693
                            • __vbaStrCopy.MSVBVM60 ref: 0041A6AE
                            • __vbaStrMove.MSVBVM60(?), ref: 0041A6C8
                            • __vbaStrCopy.MSVBVM60 ref: 0041A6D9
                            • __vbaStrMove.MSVBVM60 ref: 0041A701
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041A726
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041A74D
                            • __vbaStrCopy.MSVBVM60 ref: 0041A764
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041A78F
                            • __vbaStrCopy.MSVBVM60 ref: 0041A7AA
                            • __vbaStrMove.MSVBVM60(?), ref: 0041A7C4
                            • __vbaStrCopy.MSVBVM60 ref: 0041A7D5
                            • __vbaStrMove.MSVBVM60 ref: 0041A7FD
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041A849
                            • __vbaStrCopy.MSVBVM60 ref: 0041A860
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041A88B
                            • __vbaStrCopy.MSVBVM60 ref: 0041A8A6
                            • __vbaStrMove.MSVBVM60(?), ref: 0041A8C0
                            • __vbaStrCopy.MSVBVM60 ref: 0041A8D1
                            • __vbaStrMove.MSVBVM60 ref: 0041A8F9
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041A91E
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041A945
                            • __vbaStrCopy.MSVBVM60 ref: 0041A95C
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041A987
                            • __vbaStrCopy.MSVBVM60 ref: 0041A9A2
                            • __vbaStrMove.MSVBVM60(?), ref: 0041A9BC
                            • __vbaStrCopy.MSVBVM60 ref: 0041A9CD
                            • __vbaStrMove.MSVBVM60 ref: 0041A9F5
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041AA1A
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041AA41
                            • __vbaStrCopy.MSVBVM60 ref: 0041AA58
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041AA83
                            • __vbaStrCopy.MSVBVM60 ref: 0041AA9E
                            • __vbaStrMove.MSVBVM60(?), ref: 0041AAB8
                            • __vbaStrCopy.MSVBVM60 ref: 0041AAC9
                            • __vbaStrMove.MSVBVM60 ref: 0041AAF1
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041AB3D
                            • __vbaStrCopy.MSVBVM60 ref: 0041AB54
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041AB7F
                            • __vbaStrCopy.MSVBVM60 ref: 0041AB9A
                            • __vbaStrMove.MSVBVM60(?), ref: 0041ABB4
                            • __vbaStrCopy.MSVBVM60 ref: 0041ABC5
                            • __vbaStrMove.MSVBVM60 ref: 0041ABED
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041AC12
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041AC39
                            • __vbaStrCopy.MSVBVM60 ref: 0041AC50
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041AC7B
                            • __vbaStrCopy.MSVBVM60 ref: 0041AC96
                            • __vbaStrMove.MSVBVM60(?), ref: 0041ACB0
                            • __vbaStrCopy.MSVBVM60 ref: 0041ACC1
                            • __vbaStrMove.MSVBVM60 ref: 0041ACE9
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041AD0E
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041AD35
                            • __vbaStrCopy.MSVBVM60 ref: 0041AD4C
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041AD77
                            • __vbaStrCopy.MSVBVM60 ref: 0041AD92
                            • __vbaStrMove.MSVBVM60(?), ref: 0041ADAC
                            • __vbaStrCopy.MSVBVM60 ref: 0041ADBD
                            • __vbaStrMove.MSVBVM60 ref: 0041ADE5
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041AE31
                            • __vbaStrCopy.MSVBVM60 ref: 0041AE48
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041AE73
                            • __vbaStrCopy.MSVBVM60 ref: 0041AE8E
                            • __vbaStrMove.MSVBVM60(?), ref: 0041AEA8
                            • __vbaStrCopy.MSVBVM60 ref: 0041AEB9
                            • __vbaStrMove.MSVBVM60 ref: 0041AEE1
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041AF06
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041AF2D
                            • __vbaStrCopy.MSVBVM60 ref: 0041AF44
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041AF6F
                            • __vbaStrCopy.MSVBVM60 ref: 0041AF8A
                            • __vbaStrMove.MSVBVM60(?), ref: 0041AFA4
                            • __vbaStrCopy.MSVBVM60 ref: 0041AFB5
                            • __vbaStrMove.MSVBVM60 ref: 0041AFDD
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041B002
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041B029
                            • __vbaStrCopy.MSVBVM60 ref: 0041B040
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041B06B
                            • __vbaStrCopy.MSVBVM60 ref: 0041B086
                            • __vbaStrMove.MSVBVM60(?), ref: 0041B0A0
                            • __vbaStrCopy.MSVBVM60 ref: 0041B0B1
                            • __vbaStrMove.MSVBVM60 ref: 0041B0D9
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041B125
                            • __vbaStrCopy.MSVBVM60 ref: 0041B13C
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041B167
                            • __vbaStrCopy.MSVBVM60 ref: 0041B182
                            • __vbaStrMove.MSVBVM60(?), ref: 0041B19C
                            • __vbaStrCopy.MSVBVM60 ref: 0041B1AD
                            • __vbaStrMove.MSVBVM60 ref: 0041B1D5
                            • __vbaVarMove.MSVBVM60(?,?), ref: 0041B207
                            • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000), ref: 0041B22B
                            • __vbaStrCopy.MSVBVM60 ref: 0041B246
                            • __vbaStrMove.MSVBVM60(?), ref: 0041B260
                            • __vbaStrCopy.MSVBVM60 ref: 0041B271
                            • __vbaStrMove.MSVBVM60 ref: 0041B299
                            • __vbaVarMove.MSVBVM60(?,?), ref: 0041B2CE
                            • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000), ref: 0041B2F2
                            • __vbaStrCopy.MSVBVM60 ref: 0041B30D
                            • __vbaStrMove.MSVBVM60(?), ref: 0041B327
                            • __vbaStrCopy.MSVBVM60 ref: 0041B338
                            • __vbaStrMove.MSVBVM60 ref: 0041B360
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041B381
                            • __vbaStrMove.MSVBVM60(00000000), ref: 0041B3AB
                            • #716.MSVBVM60(00000008,00000000), ref: 0041B3B9
                            • __vbaObjVar.MSVBVM60(00000008), ref: 0041B3C6
                            • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0041B3D4
                            • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,00000000,00000000,00000000), ref: 0041B406
                            • __vbaFreeVar.MSVBVM60 ref: 0041B415
                            • __vbaStrCopy.MSVBVM60 ref: 0041B42D
                            • __vbaStrMove.MSVBVM60(?), ref: 0041B447
                            • __vbaStrCopy.MSVBVM60 ref: 0041B458
                            • __vbaStrMove.MSVBVM60 ref: 0041B480
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041B4A1
                            • __vbaStrMove.MSVBVM60(00000000), ref: 0041B4CB
                            • #716.MSVBVM60(00000008,00000000), ref: 0041B4D9
                            • __vbaObjVar.MSVBVM60(00000008), ref: 0041B4E6
                            • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0041B4F4
                            • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,00000000,00000000,00000000), ref: 0041B526
                            • __vbaFreeVar.MSVBVM60 ref: 0041B535
                            • __vbaChkstk.MSVBVM60 ref: 0041B55B
                            • __vbaLateMemSt.MSVBVM60(?,Global), ref: 0041B591
                            • __vbaChkstk.MSVBVM60 ref: 0041B5B7
                            • __vbaLateMemSt.MSVBVM60(?,IgnoreCase), ref: 0041B5ED
                            • __vbaChkstk.MSVBVM60 ref: 0041B5FF
                            • __vbaLateMemSt.MSVBVM60(?,Pattern), ref: 0041B629
                            • __vbaChkstk.MSVBVM60 ref: 0041B63B
                            • __vbaLateMemSt.MSVBVM60(?,Pattern), ref: 0041B671
                            • __vbaRedim.MSVBVM60(00000880,00000010,?,0000000C,00000001,00000000,00000000), ref: 0041B69B
                            • __vbaStrCopy.MSVBVM60 ref: 0041B6B6
                            • __vbaStrCopy.MSVBVM60 ref: 0041B6DC
                            • __vbaStrMove.MSVBVM60(?), ref: 0041B6F6
                            • __vbaStrCopy.MSVBVM60 ref: 0041B707
                            • __vbaStrMove.MSVBVM60 ref: 0041B72F
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041B750
                            • __vbaStrCopy.MSVBVM60 ref: 0041B761
                            • __vbaStrMove.MSVBVM60(00000000), ref: 0041B77B
                            • __vbaStrCopy.MSVBVM60 ref: 0041B78C
                            • __vbaStrMove.MSVBVM60 ref: 0041B7B4
                            • __vbaStrMove.MSVBVM60(00000000,?), ref: 0041B7D5
                            • __vbaStrMove.MSVBVM60 ref: 0041B827
                            • __vbaStrCat.MSVBVM60(?,00000000), ref: 0041B835
                            • __vbaStrMove.MSVBVM60 ref: 0041B843
                            • __vbaStrMove.MSVBVM60(00000000), ref: 0041B856
                            • __vbaStrCat.MSVBVM60(00000000), ref: 0041B85D
                            • #626.MSVBVM60(?,00000008,0000000A), ref: 0041B888
                            • __vbaObjVar.MSVBVM60(?), ref: 0041B895
                            • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0041B8A0
                            • __vbaFreeStrList.MSVBVM60(0000000D,?,?,?,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000), ref: 0041B903
                            • __vbaFreeVarList.MSVBVM60(00000003,00000008,0000000A,?), ref: 0041B923
                            • #598.MSVBVM60 ref: 0041B933
                            • __vbaStrCopy.MSVBVM60 ref: 0041B94B
                            • __vbaLenBstr.MSVBVM60(00000000), ref: 0041B972
                            • __vbaVarVargNofree.MSVBVM60 ref: 0041B99C
                            • __vbaLenVar.MSVBVM60(00000008,00000000), ref: 0041B9AA
                            • __vbaVarCmpEq.MSVBVM60(0000000A,00008002,00000000), ref: 0041B9BF
                            • __vbaVarNot.MSVBVM60(?,00000000), ref: 0041B9CD
                            • __vbaVarAnd.MSVBVM60(?,0000000B,00000000), ref: 0041B9E2
                            • __vbaBoolVarNull.MSVBVM60(00000000), ref: 0041B9E9
                            • __vbaFreeVar.MSVBVM60 ref: 0041B9FC
                            • __vbaStrCat.MSVBVM60(00405AFC,00000000), ref: 0041BA1F
                            • __vbaStrMove.MSVBVM60 ref: 0041BA2D
                            • __vbaVarVargNofree.MSVBVM60(00000008), ref: 0041BA60
                            • __vbaVarCat.MSVBVM60(00000008,00000000), ref: 0041BA6E
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 0041BA75
                            • __vbaStrMove.MSVBVM60 ref: 0041BA83
                            • __vbaFreeVar.MSVBVM60 ref: 0041BA8F
                            • __vbaChkstk.MSVBVM60 ref: 0041BAF0
                            • __vbaChkstk.MSVBVM60 ref: 0041BB1F
                            • __vbaChkstk.MSVBVM60 ref: 0041BB4E
                            • __vbaChkstk.MSVBVM60 ref: 0041BB7D
                            • __vbaLateMemCall.MSVBVM60(?,enumvalues,00000004), ref: 0041BBB2
                            • #560.MSVBVM60(?), ref: 0041BBC6
                            • __vbaUbound.MSVBVM60(00000001,?,00000000), ref: 0041BBE9
                            • __vbaRefVarAry.MSVBVM60(?), ref: 0041BBF5
                            • __vbaUbound.MSVBVM60(00000001), ref: 0041BC00
                            • __vbaRedimPreserve.MSVBVM60(00000880,00000010,?,0000000C,00000001,-00000002), ref: 0041BC2A
                            • __vbaRefVarAry.MSVBVM60(?), ref: 0041BC3E
                            • __vbaUbound.MSVBVM60(00000001), ref: 0041BC49
                            • __vbaI2I4.MSVBVM60 ref: 0041BC51
                            • __vbaVarCopy.MSVBVM60 ref: 0041BCBC
                            • __vbaChkstk.MSVBVM60 ref: 0041BCE1
                            • __vbaVarIndexLoad.MSVBVM60(00000008,?,00000001), ref: 0041BD18
                            • __vbaVarMove.MSVBVM60 ref: 0041BD29
                            • __vbaVarTstEq.MSVBVM60(00008002,?), ref: 0041BD58
                            • __vbaStrCat.MSVBVM60(00405AFC,?), ref: 0041BD8F
                            • __vbaChkstk.MSVBVM60 ref: 0041BDBD
                            • __vbaVarIndexLoadRef.MSVBVM60(?,?,00000001), ref: 0041BDF4
                            • __vbaChkstk.MSVBVM60 ref: 0041BE28
                            • __vbaVarCat.MSVBVM60(0000000A,?,00000008), ref: 0041BE67
                            • __vbaChkstk.MSVBVM60 ref: 0041BE74
                            • __vbaChkstk.MSVBVM60 ref: 0041BE96
                            • __vbaChkstk.MSVBVM60 ref: 0041BEC5
                            • __vbaLateMemCall.MSVBVM60(?,getstringvalue,00000004), ref: 0041BEFA
                            • __vbaFreeVarList.MSVBVM60(00000003,00000008,0000000A,?), ref: 0041BF1A
                            • __vbaVarTstEq.MSVBVM60(00008002,?), ref: 0041BF51
                            • __vbaStrCat.MSVBVM60(00405AFC,?), ref: 0041BF88
                            • __vbaChkstk.MSVBVM60 ref: 0041BFB6
                            • __vbaVarIndexLoadRef.MSVBVM60(?,?,00000001), ref: 0041BFED
                            • __vbaChkstk.MSVBVM60 ref: 0041C021
                            • __vbaVarCat.MSVBVM60(0000000A,?,00000008), ref: 0041C060
                            • __vbaChkstk.MSVBVM60 ref: 0041C06D
                            • __vbaChkstk.MSVBVM60 ref: 0041C08F
                            • __vbaChkstk.MSVBVM60 ref: 0041C0BE
                            • __vbaStrCat.MSVBVM60(00405AFC,?), ref: 0041D3F4
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D44E
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D46B
                            • __vbaVarCat.MSVBVM60(0000000A,?,00000008), ref: 0041D48C
                            • __vbaChkstk.MSVBVM60 ref: 0041D499
                            • __vbaVarLateMemSt.MSVBVM60(?,frolickedYAvkfGKWrNQBejXLqblENOHOKnKXbDNjQCmpuddlings), ref: 0041D4CB
                            • __vbaFreeVarList.MSVBVM60(00000002,00000008,0000000A), ref: 0041D4E1
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D548
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D565
                            • __vbaChkstk.MSVBVM60 ref: 0041D576
                            • __vbaVarIndexLoad.MSVBVM60(00000008,?,00000001), ref: 0041D5AD
                            • __vbaChkstk.MSVBVM60 ref: 0041D5BD
                            • __vbaVarLateMemSt.MSVBVM60(?,firebasehdvlYdKMJEZpxQfirehall), ref: 0041D5EF
                            • __vbaFreeVar.MSVBVM60 ref: 0041D5FB
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D660
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D67D
                            • __vbaVarCat.MSVBVM60(00000008,00000008,?), ref: 0041D69E
                            • __vbaChkstk.MSVBVM60 ref: 0041D6AB
                            • __vbaVarLateMemSt.MSVBVM60(?,tattlesNIjTrKGrYbXCRYBposifriezer), ref: 0041D6DD
                            • __vbaFreeVar.MSVBVM60 ref: 0041D6E9
                            • __vbaVarTstEq.MSVBVM60(00000001,?), ref: 0041D724
                            • __vbaStrCopy.MSVBVM60 ref: 0041D748
                            • __vbaStrMove.MSVBVM60(?), ref: 0041D762
                            • __vbaStrCopy.MSVBVM60 ref: 0041D79F
                            • __vbaStrMove.MSVBVM60 ref: 0041D7C7
                            • __vbaStrMove.MSVBVM60(?,?,?,00000001), ref: 0041D7F0
                            • __vbaInStr.MSVBVM60(00000000,00000000,?,00000001), ref: 0041D7F9
                            • __vbaChkstk.MSVBVM60(?,00000001), ref: 0041D814
                            • __vbaLateMemCallLd.MSVBVM60(00000008,?,test,00000001,?,00000001), ref: 0041D853
                            • __vbaChkstk.MSVBVM60(00000000), ref: 0041D862
                            • __vbaLateMemCallLd.MSVBVM60(0000000A,?,test,00000001,00000000), ref: 0041D8A1
                            • __vbaVarOr.MSVBVM60(?,00000000), ref: 0041D8B2
                            • __vbaVarAnd.MSVBVM60(?,00000003,00000000), ref: 0041D8C7
                            • __vbaBoolVarNull.MSVBVM60(00000000), ref: 0041D8CE
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,00000000,00000000), ref: 0041D900
                            • __vbaFreeVarList.MSVBVM60(00000002,00000008,0000000A), ref: 0041D919
                            • __vbaChkstk.MSVBVM60(00000008), ref: 0041D995
                            • __vbaVarIndexLoad.MSVBVM60(00000008,?,00000001,00000008), ref: 0041D9CC
                            • __vbaVarAdd.MSVBVM60(0000000A,00000000), ref: 0041D9DD
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041D9F2
                            • __vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0041DA07
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041DA1C
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 0041DA23
                            • __vbaStrMove.MSVBVM60 ref: 0041DA30
                            • __vbaFreeVarList.MSVBVM60(00000005,00000008,0000000A,?,?,?), ref: 0041DA5B
                            • __vbaStrCopy.MSVBVM60 ref: 0041DA76
                            • __vbaStrMove.MSVBVM60(?), ref: 0041DA90
                            • __vbaStrCopy.MSVBVM60 ref: 0041DAA1
                            • __vbaStrMove.MSVBVM60(00000000), ref: 0041DABB
                            • __vbaStrCopy.MSVBVM60 ref: 0041DADF
                            • __vbaStrMove.MSVBVM60 ref: 0041DB07
                            • __vbaStrCopy.MSVBVM60(?,?), ref: 0041DB3B
                            • __vbaStrMove.MSVBVM60 ref: 0041DB63
                            • __vbaStrMove.MSVBVM60(00000000,00000000,?,00000001), ref: 0041DB8C
                            • __vbaInStr.MSVBVM60(00000000,00000000,?,00000001), ref: 0041DB95
                            • __vbaChkstk.MSVBVM60(00000001,?,00000001), ref: 0041DBB2
                            • __vbaVarIndexLoad.MSVBVM60(0000000A,?,00000001,00000001,?,00000001), ref: 0041DBE9
                            • __vbaInStrVar.MSVBVM60(?,00000000,00000008,00000000), ref: 0041DC03
                            • __vbaVarAnd.MSVBVM60(?,00000003,00000000), ref: 0041DC18
                            • __vbaBoolVarNull.MSVBVM60(00000000), ref: 0041DC1F
                            • __vbaFreeStrList.MSVBVM60(00000009,?,?,?,00000000,00000000,00000000,?,00000000,00000000), ref: 0041DC6D
                            • __vbaFreeVarList.MSVBVM60(00000003,00000008,0000000A,?), ref: 0041DC8D
                            • __vbaStrCopy.MSVBVM60 ref: 0041DCB7
                            • __vbaStrMove.MSVBVM60(?), ref: 0041DCD1
                            • __vbaStrCopy.MSVBVM60 ref: 0041DCE2
                            • __vbaStrMove.MSVBVM60 ref: 0041DD0A
                            • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0041DD32
                            • __vbaStrCat.MSVBVM60(00000000), ref: 0041DD39
                            • __vbaStrMove.MSVBVM60 ref: 0041DD47
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 0041DD53
                            • __vbaStrMove.MSVBVM60 ref: 0041DD61
                            • __vbaStrCat.MSVBVM60(===============DARKCLOUD===============,00000000), ref: 0041DD6D
                            • __vbaStrMove.MSVBVM60 ref: 0041DD7B
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 0041DD87
                            • __vbaStrMove.MSVBVM60 ref: 0041DD94
                            • __vbaFreeStrList.MSVBVM60(00000008,?,?,?,00000000,00000000,00000000,?,00000000), ref: 0041DDD4
                            • __vbaStrCopy.MSVBVM60 ref: 0041DDEF
                            • __vbaStrMove.MSVBVM60(?), ref: 0041DE09
                            • __vbaStrCopy.MSVBVM60 ref: 0041DE1A
                            • __vbaStrMove.MSVBVM60(00000000), ref: 0041DE34
                            • __vbaStrCopy.MSVBVM60 ref: 0041DE58
                            • __vbaStrMove.MSVBVM60 ref: 0041DE80
                            • __vbaStrCopy.MSVBVM60(?,?), ref: 0041DEB4
                            • __vbaStrMove.MSVBVM60 ref: 0041DEDC
                            • __vbaStrMove.MSVBVM60(00000000,00000000,00000000,00000001), ref: 0041DF05
                            • __vbaInStr.MSVBVM60(00000000,00000000), ref: 0041DF0E
                            • __vbaChkstk.MSVBVM60 ref: 0041DF29
                            • __vbaVarIndexLoad.MSVBVM60(0000000A,?,00000001), ref: 0041DF60
                            • __vbaVarCmpEq.MSVBVM60(?,00008008,00000000), ref: 0041DF78
                            • __vbaVarAnd.MSVBVM60(?,00000003,00000000), ref: 0041DF8D
                            • __vbaBoolVarNull.MSVBVM60(00000000), ref: 0041DF94
                            • __vbaFreeStrList.MSVBVM60(00000009,?,?,?,00000000,00000000,00000000,?,00000000,00000000), ref: 0041DFE2
                            • __vbaFreeVarList.MSVBVM60(00000002,0000000A,00008008), ref: 0041DFFB
                            • __vbaStrErrVarCopy.MSVBVM60(?), ref: 0041E05D
                            • __vbaChkstk.MSVBVM60(00000008), ref: 0041E093
                            • __vbaVarIndexLoad.MSVBVM60(00008008,?,00000001,00000008), ref: 0041E0CA
                            • __vbaVarAdd.MSVBVM60(0000000A,00000000), ref: 0041E0DB
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041E0F0
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041E105
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041E11A
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 0041E121
                            • __vbaStrMove.MSVBVM60 ref: 0041E12E
                            • __vbaFreeVarList.MSVBVM60(00000006,00008008,0000000A,?,00000008,?,?), ref: 0041E160
                            • __vbaStrCopy.MSVBVM60 ref: 0041E17B
                            • __vbaStrMove.MSVBVM60(?), ref: 0041E195
                            • __vbaStrCopy.MSVBVM60 ref: 0041E1A6
                            • __vbaStrMove.MSVBVM60(00000000), ref: 0041E1C0
                            • __vbaStrCopy.MSVBVM60 ref: 0041E1E4
                            • __vbaStrMove.MSVBVM60 ref: 0041E20C
                            • __vbaStrCopy.MSVBVM60(?,?), ref: 0041E240
                            • __vbaStrMove.MSVBVM60 ref: 0041E268
                            • __vbaStrMove.MSVBVM60(00000000,00000000,00000000,00000001), ref: 0041E291
                            • __vbaInStr.MSVBVM60(00000000,00000000), ref: 0041E29A
                            • __vbaChkstk.MSVBVM60 ref: 0041E2B5
                            • __vbaVarIndexLoad.MSVBVM60(0000000A,?,00000001), ref: 0041E2EC
                            • __vbaVarCmpEq.MSVBVM60(?,00008008,00000000), ref: 0041E304
                            • __vbaVarAnd.MSVBVM60(?,00000003,00000000), ref: 0041E319
                            • __vbaBoolVarNull.MSVBVM60(00000000), ref: 0041E320
                            • __vbaFreeStrList.MSVBVM60(00000009,?,?,?,00000000,00000000,00000000,?,00000000,00000000), ref: 0041E36E
                            • __vbaFreeVarList.MSVBVM60(00000002,0000000A,00008008), ref: 0041E387
                            • __vbaStrErrVarCopy.MSVBVM60(?), ref: 0041E3E9
                            • __vbaChkstk.MSVBVM60(00000008), ref: 0041E41F
                            • __vbaVarIndexLoad.MSVBVM60(00008008,?,00000001,00000008), ref: 0041E456
                            • __vbaVarAdd.MSVBVM60(0000000A,00000000), ref: 0041E467
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041E47C
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041E491
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041E4A6
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 0041E4AD
                            • __vbaStrMove.MSVBVM60 ref: 0041E4BA
                            • __vbaFreeVarList.MSVBVM60(00000006,00008008,0000000A,?,00000008,?,?), ref: 0041E4EC
                            • __vbaStrCopy.MSVBVM60 ref: 0041E507
                            • __vbaStrMove.MSVBVM60(?), ref: 0041E521
                            • __vbaStrCopy.MSVBVM60 ref: 0041E532
                            • __vbaStrMove.MSVBVM60(00000000), ref: 0041E54C
                            • __vbaStrCopy.MSVBVM60 ref: 0041E570
                            • __vbaStrMove.MSVBVM60 ref: 0041E598
                            • __vbaStrCopy.MSVBVM60(?,?), ref: 0041E5CC
                            • __vbaStrMove.MSVBVM60 ref: 0041E5F4
                            • __vbaStrMove.MSVBVM60(00000000,00000000,00000000,00000001), ref: 0041E61D
                            • __vbaInStr.MSVBVM60(00000000,00000000), ref: 0041E626
                            • __vbaChkstk.MSVBVM60 ref: 0041E641
                            • __vbaVarIndexLoad.MSVBVM60(0000000A,?,00000001), ref: 0041E678
                            • __vbaVarCmpEq.MSVBVM60(?,00008008,00000000), ref: 0041E690
                            • __vbaVarAnd.MSVBVM60(?,00000003,00000000), ref: 0041E6A5
                            • __vbaBoolVarNull.MSVBVM60(00000000), ref: 0041E6AC
                            • __vbaFreeStrList.MSVBVM60(00000009,?,?,?,00000000,00000000,00000000,?,00000000,00000000), ref: 0041E6FA
                            • __vbaFreeVarList.MSVBVM60(00000002,0000000A,00008008), ref: 0041E713
                            • __vbaStrErrVarCopy.MSVBVM60(?), ref: 0041E775
                            • __vbaStrMove.MSVBVM60 ref: 0041E783
                              • Part of subcall function 004336B0: __vbaLenBstr.MSVBVM60(00000000,x*@,00000000,6D10D8B1), ref: 004336F9
                              • Part of subcall function 004336B0: __vbaLenBstr.MSVBVM60 ref: 00433707
                              • Part of subcall function 004336B0: __vbaFpI4.MSVBVM60 ref: 00433741
                              • Part of subcall function 004336B0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000), ref: 00433761
                              • Part of subcall function 004336B0: __vbaUbound.MSVBVM60(00000001,?), ref: 00433770
                              • Part of subcall function 004336B0: __vbaGenerateBoundsError.MSVBVM60 ref: 004337B0
                              • Part of subcall function 004336B0: #631.MSVBVM60(?,?,?,0040BA58), ref: 004337E4
                              • Part of subcall function 004336B0: __vbaStrMove.MSVBVM60 ref: 004337EF
                              • Part of subcall function 004336B0: __vbaStrCat.MSVBVM60(00000000), ref: 004337F2
                              • Part of subcall function 004336B0: __vbaStrMove.MSVBVM60 ref: 004337FD
                            • __vbaAryMove.MSVBVM60(?,?,?), ref: 0041E7A9
                              • Part of subcall function 0041FD30: __vbaChkstk.MSVBVM60(00000000,00403596), ref: 0041FD4E
                              • Part of subcall function 0041FD30: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00403596), ref: 0041FD7E
                              • Part of subcall function 0041FD30: #716.MSVBVM60(?,System.Security.Cryptography.RijndaelManaged,00000000,?,00000000,?,00000000,00403596), ref: 0041FD9D
                              • Part of subcall function 0041FD30: __vbaVarSetVar.MSVBVM60(?,?,?,00000000,?,00000000,00403596), ref: 0041FDAB
                              • Part of subcall function 0041FD30: __vbaChkstk.MSVBVM60 ref: 0041FDCE
                              • Part of subcall function 0041FD30: __vbaVarLateMemSt.MSVBVM60(?,keySize), ref: 0041FDF8
                              • Part of subcall function 0041FD30: __vbaChkstk.MSVBVM60 ref: 0041FE1B
                              • Part of subcall function 0041FD30: __vbaVarLateMemSt.MSVBVM60(?,Padding), ref: 0041FE45
                              • Part of subcall function 0041FD30: __vbaChkstk.MSVBVM60 ref: 0041FE68
                              • Part of subcall function 0041FD30: __vbaVarLateMemSt.MSVBVM60(?,Mode), ref: 0041FE92
                              • Part of subcall function 0041FD30: __vbaStrCopy.MSVBVM60 ref: 0041FEA7
                              • Part of subcall function 0041FD30: __vbaStrMove.MSVBVM60(?), ref: 0041FEBB
                              • Part of subcall function 0041FD30: __vbaStrCopy.MSVBVM60 ref: 0041FEC9
                            • __vbaChkstk.MSVBVM60(00000008,?), ref: 0041E7EB
                            • __vbaVarIndexLoad.MSVBVM60(00008008,?,00000001,00000008,?), ref: 0041E822
                            • __vbaVarAdd.MSVBVM60(0000000A,00000000), ref: 0041E833
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041E848
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041E85D
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041E872
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 0041E879
                            • __vbaStrMove.MSVBVM60 ref: 0041E886
                            • __vbaFreeStr.MSVBVM60 ref: 0041E892
                            • __vbaFreeVarList.MSVBVM60(00000006,00008008,0000000A,?,00000008,?,?), ref: 0041E8C4
                            • __vbaErase.MSVBVM60(00000000,?), ref: 0041E8D6
                            • __vbaStrCopy.MSVBVM60 ref: 0041E8EE
                            • __vbaStrMove.MSVBVM60(?), ref: 0041E908
                            • __vbaStrCopy.MSVBVM60 ref: 0041E919
                            • __vbaStrMove.MSVBVM60(00000000), ref: 0041E933
                            • __vbaStrCopy.MSVBVM60 ref: 0041E957
                            • __vbaStrMove.MSVBVM60 ref: 0041E97F
                            • __vbaStrCopy.MSVBVM60(?,?), ref: 0041E9B3
                            • __vbaStrMove.MSVBVM60 ref: 0041E9DB
                            • __vbaStrMove.MSVBVM60(00000000,00000000,?,00000001), ref: 0041EA04
                            • __vbaInStr.MSVBVM60(00000000,00000000,?,00000001), ref: 0041EA0D
                            • __vbaChkstk.MSVBVM60(?,00000001), ref: 0041EA28
                            • __vbaVarIndexLoad.MSVBVM60(0000000A,?,00000001,?,00000001), ref: 0041EA5F
                            • __vbaVarCmpEq.MSVBVM60(?,00008008,00000000), ref: 0041EA77
                            • __vbaVarAnd.MSVBVM60(?,00000003,00000000), ref: 0041EA8C
                            • __vbaBoolVarNull.MSVBVM60(00000000), ref: 0041EA93
                            • __vbaFreeStrList.MSVBVM60(00000009,?,?,?,00000000,00000000,00000000,?,00000000,00000000), ref: 0041EAE1
                            • __vbaFreeVarList.MSVBVM60(00000002,0000000A,00008008), ref: 0041EAFA
                            • __vbaStrCopy.MSVBVM60 ref: 0041EB24
                            • __vbaStrMove.MSVBVM60(?), ref: 0041EB3E
                            • __vbaStrErrVarCopy.MSVBVM60(?), ref: 0041EB87
                            • __vbaStrCopy.MSVBVM60 ref: 0041EBBC
                            • __vbaStrMove.MSVBVM60 ref: 0041EBE4
                            • __vbaChkstk.MSVBVM60(00000008,?,?), ref: 0041EC2D
                            • __vbaVarIndexLoad.MSVBVM60(00008008,?,00000001,00000008,?,?), ref: 0041EC64
                            • __vbaVarAdd.MSVBVM60(0000000A,00000000), ref: 0041EC75
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041EC8A
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041EC9F
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041ECB4
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041ECC9
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041ECDE
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 0041ECE5
                            • __vbaStrMove.MSVBVM60 ref: 0041ECF2
                            • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000), ref: 0041ED16
                            • __vbaFreeVarList.MSVBVM60(00000009,00008008,0000000A,?,00000008,?,?,00000008,?,?), ref: 0041ED60
                            • __vbaStrCat.MSVBVM60(===============DARKCLOUD===============,00000000), ref: 0041ED7B
                            • __vbaStrMove.MSVBVM60 ref: 0041ED89
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 0041ED95
                            • __vbaStrMove.MSVBVM60 ref: 0041EDA2
                            • __vbaFreeStr.MSVBVM60 ref: 0041EDAE
                            • __vbaInStr.MSVBVM60(00000000,WinSCP 2,00000000,00000001), ref: 0041EDF1
                            • __vbaChkstk.MSVBVM60 ref: 0041EE0C
                            • __vbaVarIndexLoad.MSVBVM60(00008008,?,00000001), ref: 0041EE43
                            • __vbaVarCmpEq.MSVBVM60(0000000A,00008008,00000000), ref: 0041EE5B
                            • __vbaVarAnd.MSVBVM60(?,00000003,00000000), ref: 0041EE70
                            • __vbaBoolVarNull.MSVBVM60(00000000), ref: 0041EE77
                            • __vbaFreeVar.MSVBVM60 ref: 0041EE8A
                            • __vbaStrErrVarCopy.MSVBVM60(?), ref: 0041EEA9
                            • __vbaStrMove.MSVBVM60 ref: 0041EEB7
                            • __vbaInStr.MSVBVM60(00000000,WinSCP 2,?,00000001), ref: 0041EEFA
                            • __vbaChkstk.MSVBVM60(?,00000001), ref: 0041EF15
                            • __vbaVarIndexLoad.MSVBVM60(00008008,?,00000001,?,00000001), ref: 0041EF4C
                            • __vbaVarCmpEq.MSVBVM60(0000000A,00008008,00000000), ref: 0041EF64
                            • __vbaVarAnd.MSVBVM60(?,00000003,00000000), ref: 0041EF79
                            • __vbaBoolVarNull.MSVBVM60(00000000), ref: 0041EF80
                            • __vbaFreeVar.MSVBVM60 ref: 0041EF93
                            • __vbaStrErrVarCopy.MSVBVM60(?), ref: 0041EFB2
                            • __vbaStrMove.MSVBVM60 ref: 0041EFC0
                            • __vbaStrCopy.MSVBVM60 ref: 0041EFD8
                            • __vbaStrMove.MSVBVM60(?), ref: 0041EFF2
                            • __vbaStrCopy.MSVBVM60 ref: 0041F016
                            • __vbaStrMove.MSVBVM60 ref: 0041F03E
                            • __vbaInStr.MSVBVM60(00000000,WinSCP 2,?,00000001,?,?), ref: 0041F076
                            • __vbaChkstk.MSVBVM60(?,00000001,?,?), ref: 0041F091
                            • __vbaVarIndexLoad.MSVBVM60(0000000A,?,00000001,?,00000001,?,?), ref: 0041F0C8
                            • __vbaVarCmpEq.MSVBVM60(?,00008008,00000000), ref: 0041F0E0
                            • __vbaVarAnd.MSVBVM60(?,00000003,00000000), ref: 0041F0F5
                            • __vbaBoolVarNull.MSVBVM60(00000000), ref: 0041F0FC
                            • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000), ref: 0041F127
                            • __vbaFreeVarList.MSVBVM60(00000002,0000000A,00008008), ref: 0041F140
                            • __vbaStrErrVarCopy.MSVBVM60(?), ref: 0041F166
                            • __vbaStrMove.MSVBVM60 ref: 0041F174
                            • __vbaStrCat.MSVBVM60(Url: ,00000000), ref: 0041F18D
                            • __vbaStrMove.MSVBVM60 ref: 0041F19B
                            • __vbaStrCat.MSVBVM60(?,00000000), ref: 0041F1A9
                            • __vbaStrMove.MSVBVM60 ref: 0041F1B7
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 0041F1C3
                            • __vbaStrMove.MSVBVM60 ref: 0041F1D0
                            • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041F1E6
                            • __vbaStrCat.MSVBVM60(Username: ,00000000), ref: 0041F201
                            • __vbaStrMove.MSVBVM60 ref: 0041F20F
                            • __vbaStrCat.MSVBVM60(?,00000000), ref: 0041F21D
                            • __vbaStrMove.MSVBVM60 ref: 0041F22B
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 0041F237
                            • __vbaStrMove.MSVBVM60 ref: 0041F244
                            • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041F25A
                            • __vbaStrCat.MSVBVM60(Password: ,00000000), ref: 0041F276
                            • __vbaStrMove.MSVBVM60 ref: 0041F284
                              • Part of subcall function 00420330: __vbaChkstk.MSVBVM60(00000000,00403596,?,?,?,?,00000000), ref: 0042034E
                              • Part of subcall function 00420330: __vbaOnError.MSVBVM60(000000FF,00401D38,-00000001,6D1DEC2C,00000000,00403596), ref: 0042037E
                              • Part of subcall function 00420330: __vbaStrCat.MSVBVM60(00000000), ref: 0042039E
                              • Part of subcall function 00420330: __vbaVarMove.MSVBVM60 ref: 004203BD
                              • Part of subcall function 00420330: __vbaLenBstr.MSVBVM60 ref: 004203D0
                              • Part of subcall function 00420330: __vbaStrCat.MSVBVM60(00409030,?), ref: 00420440
                              • Part of subcall function 00420330: __vbaStrMove.MSVBVM60 ref: 0042044E
                              • Part of subcall function 00420330: #631.MSVBVM60(00000002,-00000001,00000002,00000000), ref: 0042046F
                              • Part of subcall function 00420330: __vbaStrMove.MSVBVM60 ref: 0042047D
                              • Part of subcall function 00420330: __vbaStrCat.MSVBVM60(00000000), ref: 00420484
                              • Part of subcall function 00420330: __vbaStrMove.MSVBVM60 ref: 00420492
                              • Part of subcall function 00420330: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004204A8
                              • Part of subcall function 00420330: __vbaFreeVar.MSVBVM60 ref: 004204B7
                            • __vbaStrMove.MSVBVM60(?,?,?,00000000), ref: 0041F2AD
                            • __vbaStrCat.MSVBVM60(00000000), ref: 0041F2B4
                            • __vbaStrMove.MSVBVM60 ref: 0041F2C2
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 0041F2CE
                            • __vbaStrMove.MSVBVM60 ref: 0041F2DB
                            • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0041F2F8
                            • __vbaStrCat.MSVBVM60(Application: WinSCP,00000000), ref: 0041F314
                            • __vbaStrMove.MSVBVM60 ref: 0041F322
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 0041F32E
                            • __vbaStrMove.MSVBVM60 ref: 0041F33B
                            • __vbaFreeStr.MSVBVM60 ref: 0041F347
                            • __vbaStrCat.MSVBVM60(===============DARKCLOUD===============,00000000), ref: 0041F35F
                            • __vbaStrMove.MSVBVM60 ref: 0041F36D
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 0041F379
                            • __vbaStrMove.MSVBVM60 ref: 0041F386
                            • __vbaFreeStr.MSVBVM60 ref: 0041F392
                            • __vbaStrCat.MSVBVM60(00405AFC,?), ref: 0041F3CF
                            • __vbaChkstk.MSVBVM60 ref: 0041F427
                            • __vbaVarCat.MSVBVM60(0000000A,?,00000008), ref: 0041F466
                            • __vbaChkstk.MSVBVM60 ref: 0041F473
                            • __vbaChkstk.MSVBVM60 ref: 0041F495
                            • __vbaChkstk.MSVBVM60 ref: 0041F4C4
                            • __vbaChkstk.MSVBVM60 ref: 0041F4F3
                            • __vbaLateMemCall.MSVBVM60(?,getstringvalue,00000005), ref: 0041F528
                            • __vbaFreeVarList.MSVBVM60(00000002,00000008,0000000A), ref: 0041F541
                            • __vbaUbound.MSVBVM60(00000001,?), ref: 0041F55A
                            • __vbaRedimPreserve.MSVBVM60(00000880,00000010,?,0000000C,00000001,00000000,00000000), ref: 0041F584
                            • __vbaStrCat.MSVBVM60(00405AFC,?), ref: 0041F5A0
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041F5FA
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041F617
                            • __vbaVarCat.MSVBVM60(0000000A,?,00000008), ref: 0041F638
                            • __vbaChkstk.MSVBVM60 ref: 0041F645
                            • __vbaVarLateMemSt.MSVBVM60(?,frolickedYAvkfGKWrNQBejXLqblENOHOKnKXbDNjQCmpuddlings), ref: 0041F677
                            • __vbaFreeVarList.MSVBVM60(00000002,00000008,0000000A), ref: 0041F68D
                            • __vbaStrCopy.MSVBVM60 ref: 0041F6A8
                            • __vbaStrMove.MSVBVM60(?), ref: 0041F6C2
                            • __vbaStrCopy.MSVBVM60 ref: 0041F6D3
                            • __vbaStrMove.MSVBVM60 ref: 0041F6FB
                            • __vbaGenerateBoundsError.MSVBVM60(?,?), ref: 0041F768
                            • __vbaChkstk.MSVBVM60 ref: 0041F796
                            • __vbaVarLateMemSt.MSVBVM60(?,firebasehdvlYdKMJEZpxQfirehall), ref: 0041F7D5
                            • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000), ref: 0041F7F9
                            • __vbaFreeVar.MSVBVM60 ref: 0041F808
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041F86D
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041F88A
                            • __vbaVarCat.MSVBVM60(00000008,00000008,?), ref: 0041F8AB
                            • __vbaChkstk.MSVBVM60 ref: 0041F8B8
                            • __vbaVarLateMemSt.MSVBVM60(?,tattlesNIjTrKGrYbXCRYBposifriezer), ref: 0041F8EA
                            • __vbaFreeVar.MSVBVM60 ref: 0041F8F6
                            • __vbaChkstk.MSVBVM60 ref: 0041F95D
                            • __vbaChkstk.MSVBVM60 ref: 0041F98C
                            • __vbaChkstk.MSVBVM60 ref: 0041F9BB
                            • __vbaLateMemCall.MSVBVM60(?,EnumKey,00000003), ref: 0041F9F0
                            • #560.MSVBVM60(?), ref: 0041FA07
                            • __vbaForEachVar.MSVBVM60(?,?,?,?,?,?), ref: 0041FA49
                            • __vbaStrMove.MSVBVM60(?,?,?), ref: 0041FA7D
                            • __vbaFreeStr.MSVBVM60 ref: 0041FA89
                            • __vbaNextEachVar.MSVBVM60(?,?,?,?,?), ref: 0041FAB9
                            • __vbaAryUnlock.MSVBVM60(?,0041FD0A), ref: 0041FBB3
                            • __vbaFreeObj.MSVBVM60 ref: 0041FBBF
                            • __vbaFreeVar.MSVBVM60 ref: 0041FBCB
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041FBDA
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041FBE9
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041FBF8
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041FC04
                            • __vbaErrorOverflow.MSVBVM60 ref: 0041FD23
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Copy$Free$List$Chkstk$Error$BoundsGenerate$Late$IndexLoad$BoolNull$Bstr$Call$Ubound$#631DestructRedim$#716Addref$#516#560EachNofreePreserveVarg$#537#598#608#626#632Construct2EraseNextOverflowUnlock
                            • String ID: 000613357A3B1533351700$003E3C2914163D3570271807375525342414$011A21030C3D1B070E$02370F3876163C3D1F5A22300B28$03073D19$062B050A130E1A16$063E272072381E33366C2B2E3426$073F$0A0A2D3B4331262A18172B$0A2C041315$0E173432$102326333B30042F69341115152C28$111E192C300232$13070F02682532063D$166D6969680D4912695F7C0E045A0330431365467D42130D7C3D414F330448341B651F66656B0C3D2F6B0C15783F47544843160840184117317A1B2E4B32381E7C$1821111D$1D220D366A3215153E3C5325351C3B2C1119$20231133420B22260C2A5730001E0A141815$22011C087423082237003A4A001A14$2323221742031C312768382A3824$240732614B1A3419130939$241F221A4F0B171F260420$260F04315201040B00$271D18084B0C212839$272D06153F0229257B30361220091F$3013083F070F3C143E301E29026907070615092E3D2A0317$31023C2F310107021E2D0B4F533F07382F370D0D$330B057D4E25353D23$34351A2030302B322A22165D63362A18291F071A$350C33594E3D162E135421313735$366F1925471C3777145C75512D2542065919456E25593D367E1336650C766F7E371B6F18443B5D73124270331354151B5A1E333C575D532A7A4D$3C261E15310B33235511083A1C221F22372A19032D172001101E0A247B0D0236303F3E0621272036307B3129$===============DARKCLOUD===============$Application: WinSCP$BOAezyQgIspGLVNiHNHvleLmQsVUunyK$CuEjLYSJFCMxg$DWhowwyQAEnhKHugPsvLp$EXwrcvQmCIgtgcIZZKsmrwaVOdEfOMVsvJEdzkbVIRYP$EnumKey$FKzNhVCOXmzlQfMsjcfUTqvLoIgQFjp$GetDWORDValue$GetExpandedStringValue$GetMultiStringValue$GhGBDjfvZNlXhryoZwDnGeqfWSiwHVFB$Global$HjUHXTpmPAe$HostName$IgnoreCase$IuBParTwnrSQtDMLopCINkbPHWejeXejs$McDUNnpFXQv$Password: $Pattern$PoILXkYRMKpJTFUiSATwFLe$PtHbRkIQkelKh$QAoTbJBakCdqGCAWtLTuuIuYBbkbggxXKP$SZJNRHpAcOJnvdVBXNpkzEK$Url: $UserName$Username: $WVJvydahrJTTBnULzcOJhQue$WinSCP 2$XlagPsSXqXQkEvSTsbGlIm$YsnEcbNOGeFwqdzxqkfaUeRREMdUtIBfq$ZHEVHRQfNFvTUewyqnIUkDoLPWaofheeN$aIKReZhpACrrETWkwkzflHceIFHcNDnhW$bHjhyYwTYPrkbEukUIqiVgIk$bShOmYRRVFjmEpscrKsTJAMGjYFvPsZ$eMRtovlciuBGmeetKHUPp$eRQKivVbIQwHBwepViuhjozNacKRVlQTWZpmEgYscq$enumvalues$eqoUvMkYQUbSu$firebasehdvlYdKMJEZpxQfirehall$frolickedYAvkfGKWrNQBejXLqblENOHOKnKXbDNjQCmpuddlings$getbinaryvalue$getstringvalue$jHpspRmmVDLeOYCEKtkqHqmJrjZQeMqeG$lwRvJoXrmPaRifdTDKpsMuPpQGTgEWvryMMAatrnosp$meCcjnheKatoPZPmGKzVuiVvSdIkOTPs$nFxGFnGaeaYriQLRLpeIQFGW$qSlYfJwxtWPsdQxIIbjGyDPvwQVMSUaJFlIeAqdVbXRX$sprLCXbfvwBeu$tattlesNIjTrKGrYbXCRYBposifriezer$test$uKOpxVfGPojaWlGmQXDxwDxNMuhoHFdoFUMMiOFTSMZm$wDDykcbCXnrYPHQkvVHWVPuILCRIifGdVrNnNFTGRqd$wLsBqcNtazgrd$ypnvGbVoTUHvKUAzLwrRxmd$~
                            • API String ID: 1663364662-4101321872
                            • Opcode ID: c5ba4d1887c0eb86d4531afa8609dbc242b0f526cbb1f447cb0af8262493cae0
                            • Instruction ID: 2ccf745da71a2ff615d988deb0bbde57cc6cf3b303b7cb18257f15236e9a2da0
                            • Opcode Fuzzy Hash: c5ba4d1887c0eb86d4531afa8609dbc242b0f526cbb1f447cb0af8262493cae0
                            • Instruction Fuzzy Hash: B6C305B59002199FDB64DF54CD88BDEB7B4BB48304F1081EAE50AA72A0DB749BC5CF94
                            Function 00411F80 Relevance: 1163.4, APIs: 621, Strings: 41, Instructions: 4925COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596), ref: 00411F9E
                            • __vbaAryConstruct2.MSVBVM60(?,00407A10,00000008,?,00000000,?,00000000,00403596), ref: 00411FD0
                            • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00403596), ref: 00411FDF
                            • __vbaUbound.MSVBVM60(00000001,01590768,?,00000000,?,00000000,00403596), ref: 00411FF5
                            • __vbaI2I4.MSVBVM60(?,00000000,?,00000000,00403596), ref: 00411FFD
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 004120AA
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 004120C7
                            • __vbaStrCat.MSVBVM60(00405AFC,01590768), ref: 004120EB
                            • __vbaStrMove.MSVBVM60 ref: 004120F9
                            • __vbaAryMove.MSVBVM60(00442068,?,?,00442064), ref: 00412122
                            • __vbaFreeStr.MSVBVM60 ref: 0041212E
                            • __vbaUbound.MSVBVM60(00000001,01590A98), ref: 00412159
                            • __vbaI2I4.MSVBVM60 ref: 00412161
                            • __vbaStrCopy.MSVBVM60 ref: 004121C2
                            • __vbaStrMove.MSVBVM60(?), ref: 004121DC
                            • __vbaStrCopy.MSVBVM60 ref: 004121ED
                            • __vbaStrMove.MSVBVM60 ref: 00412215
                            • __vbaStrMove.MSVBVM60(?,?), ref: 00412236
                            • __vbaStrMove.MSVBVM60(01590A98), ref: 004122E1
                            • __vbaStrCat.MSVBVM60(00000000), ref: 004122E8
                            • __vbaUbound.MSVBVM60(00000001,01590A08), ref: 00414818
                            • __vbaI2I4.MSVBVM60 ref: 00414820
                            • __vbaStrCat.MSVBVM60(00405AFC,01590A08), ref: 0041490E
                            • __vbaStrMove.MSVBVM60 ref: 0041491C
                            • __vbaAryMove.MSVBVM60(00442068,?,?,00442064), ref: 00414945
                            • __vbaFreeStr.MSVBVM60 ref: 00414951
                            • __vbaUbound.MSVBVM60(00000001,01590A98), ref: 0041497C
                            • __vbaI2I4.MSVBVM60 ref: 00414984
                            • __vbaStrCopy.MSVBVM60 ref: 004149E4
                            • __vbaStrMove.MSVBVM60(?), ref: 004149FE
                            • __vbaStrCopy.MSVBVM60 ref: 00414A0F
                            • __vbaStrMove.MSVBVM60 ref: 00414A37
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$CopyUbound$Error$BoundsFreeGenerate$ChkstkConstruct2
                            • String ID: 0B1D1C120557322E2B08012C$10160C230B2D341F414845$15233B37023F3D21577745$1820160C21073535332708341E281E3E3E3024202D162A22021B4F0612382C33273F28073B1031213E33021B17181916320930234F2704241F260A383623582431$1839241B383413283F093438332626671A042F013C1A2F17012B011C16316D5118062F343C21282405$1B2A303C2530142B1A3B3D3617180A1E083D092422092533323D5E53465539012F3C293927390D363C29103D390004253E1B3D39042B04106964565A252E23557A$1E1C352A18270A15$231D2A372F0314132B043125241100291F1B2D3433311635292019062930$251D08123A181D112D252913$2A22203D2119071E31293967544536013B05112226$2C0F16001B075814362331$2F08313F160C35261400380F1B396407162235$353D2336182D2A263F290D3514251B01202C2516133E11133416786741742F183618023A38122905250D003B29271C10173617080B390D16515D716D3A1F33684C$3F0E012404322A14041C0226043C271C0433301E0436080E1023531E3D022B300C2C1834742017251F301E2C090C3B00013C3E18343418194F60634621012A7959$56321433$5A6A19292D27232824163809221820576B0C202F342D2C150264286A1C2D35262F$7D5D183D37193A1F2D322D3C0D2B074569332E1F3D021620164C056C1B321D3F0C$===============DARKCLOUD===============$CKVBoOUaMcDUJGOHGJvFjNc$CuEjLYSJFCMxg$DC-Creds$DWhowwyQAEnhKHugPsvLp$IpCygrixPWWPfkNPcOapTAzeevxvMTdR$LxFlGmSSPNEhJ$NordVPN$Profiles$XlagPsSXqXQkEvSTsbGlIm$ZHEVHRQfNFvTUewyqnIUkDoLPWaofheeN$\Default$\Profiles$\User Data$\User Data\Default\Login Data$bfREBoLXCcddVfJhnFXyYuXxpQJIQoDsWClnUWyuUW$dsLTYwyYRHLWhrWDCwVTfAIhaTFvmqcbQLVEXeGdOWt$fEBHDuPOEwMevLOFkJgcMNhE$r$sprLCXbfvwBeu$tkRPQHzfjXFWGnexnIaGrh$uKOpxVfGPojaWlGmQXDxwDxNMuhoHFdoFUMMiOFTSMZm$vEeiQeLYzaresWrkYxPTlpQBojgRRwVez$yRrkXCmSqJimRlFbxNcOlNu
                            • API String ID: 410742324-734712145
                            • Opcode ID: 5f6d47359c19f1ac2a4a3c44784ab295b3fd6b4507a44b77c298761e8d2cdf85
                            • Instruction ID: e550955a3dd369c460b5a89d42e68f0903d12adcf84ad0c184b11aa674f4a9cb
                            • Opcode Fuzzy Hash: 5f6d47359c19f1ac2a4a3c44784ab295b3fd6b4507a44b77c298761e8d2cdf85
                            • Instruction Fuzzy Hash: 86C31874900219DFDB24DF64DE88BDAB7B5FB49300F1081EAE50AA7260DB745AC9CF58
                            Function 00420F00 Relevance: 669.1, APIs: 353, Strings: 28, Instructions: 2376COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1043 420f00-4211d7 __vbaChkstk __vbaOnError __vbaStrCat __vbaStrMove #712 __vbaStrMove __vbaStrCat __vbaStrMove #716 __vbaVarZero __vbaChkstk * 2 __vbaObjVar __vbaLateMemCall #716 __vbaVarZero __vbaChkstk * 2 __vbaObjVar __vbaLateMemCall 1044 421e33-421ea1 __vbaStrCopy __vbaStrToAnsi call 409168 __vbaSetSystemError __vbaStrToUnicode __vbaFreeStr 1043->1044 1045 4211dd-421227 call 43dac0 __vbaStrCopy call 43d900 __vbaFreeStr 1043->1045 1051 421ea7-421f8a __vbaStrToAnsi * 2 call 4091fc __vbaSetSystemError __vbaStrToUnicode * 2 __vbaVarMove __vbaFreeStrList call 409298 __vbaSetSystemError #558 1044->1051 1052 422a0e-422a8e call 4091b0 __vbaSetSystemError #645 __vbaStrMove __vbaStrCmp __vbaFreeStr 1044->1052 1058 42122d-421253 call 409410 __vbaSetSystemError 1045->1058 1051->1052 1068 421f90-421fb5 call 409298 __vbaSetSystemError 1051->1068 1060 422a94-422afc __vbaStrCopy __vbaStrToAnsi call 409168 __vbaSetSystemError __vbaStrToUnicode __vbaFreeStr 1052->1060 1061 42372b-42375a #529 1052->1061 1070 421799-421838 call 4093c8 __vbaSetSystemError call 43db50 #645 __vbaStrMove __vbaStrCmp __vbaFreeStr 1058->1070 1071 421259-42133a call 43d6f0 __vbaVarMove call 43d6f0 __vbaVarMove call 43d780 __vbaAryMove __vbaVarCmpEq __vbaVarNot __vbaBoolVarNull 1058->1071 1075 422b02-422be5 __vbaStrToAnsi * 2 call 4091fc __vbaSetSystemError __vbaStrToUnicode * 2 __vbaVarMove __vbaFreeStrList call 409298 __vbaSetSystemError #558 1060->1075 1076 4236ee-423725 call 4091b0 __vbaSetSystemError #529 1060->1076 1063 42382d-4238fd __vbaFreeVarList __vbaAryDestruct * 4 __vbaFreeVar * 2 __vbaFreeStr __vbaAryDestruct __vbaFreeStr __vbaFreeVar * 2 __vbaFreeStr * 5 1061->1063 1067 423917-42391f __vbaErrorOverflow 1063->1067 1068->1067 1083 421fbb-421ff9 __vbaI2I4 1068->1083 1094 421e2e 1070->1094 1095 42183e-421885 call 43dac0 __vbaStrCopy call 43d900 __vbaFreeStr 1070->1095 1102 421340-421791 call 4309e0 __vbaVarMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCat __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrCopy __vbaStrMove call 4329f0 __vbaVarCat * 8 __vbaStrVarMove __vbaStrMove __vbaFreeStrList __vbaFreeVarList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStrList 1071->1102 1103 421794 1071->1103 1075->1076 1096 422beb-422c10 call 409298 __vbaSetSystemError 1075->1096 1076->1061 1083->1052 1093 421fff-42228e __vbaChkstk * 2 __vbaVarIndexLoad __vbaVarMove __vbaChkstk * 2 __vbaVarIndexLoad __vbaVarMove __vbaChkstk * 2 __vbaVarIndexLoad __vbaVarMove __vbaVarCmpEq * 2 __vbaVarOr __vbaVarNot __vbaBoolVarNull 1083->1093 1098 422a02-422a09 1093->1098 1099 422294-42252c __vbaChkstk * 2 __vbaVarIndexLoad __vbaI4Var __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrCopy __vbaStrMove call 4329f0 __vbaInStrVar * 2 __vbaVarOr __vbaBoolVarNull __vbaFreeStrList __vbaFreeVarList 1093->1099 1094->1061 1114 42188b-4218b1 call 409410 __vbaSetSystemError 1095->1114 1096->1067 1110 422c16-422c54 __vbaI2I4 1096->1110 1099->1098 1138 422532-42254c 1099->1138 1102->1103 1103->1058 1110->1076 1119 422c5a-423044 __vbaChkstk * 2 __vbaVarIndexLoad __vbaVarMove __vbaChkstk * 2 __vbaVarIndexLoad __vbaVarCat __vbaChkstk * 2 __vbaVarIndexLoad __vbaVarCat __vbaVarMove __vbaFreeVarList __vbaChkstk * 2 __vbaVarIndexLoad __vbaVarMove __vbaVarCmpEq * 2 __vbaVarOr __vbaVarCmpEq __vbaVarOr __vbaVarCmpEq __vbaVarOr __vbaBoolVarNull 1110->1119 1128 421dd2-421e28 call 4093c8 __vbaSetSystemError call 43db50 #529 1114->1128 1129 4218b7-421a04 call 43d6f0 __vbaVarMove call 43d6f0 __vbaStrMove __vbaStrCat __vbaStrMove call 43d6f0 __vbaStrMove __vbaStrCat __vbaVarMove __vbaFreeStrList call 43d780 __vbaAryMove __vbaVarCmpEq __vbaVarNot __vbaBoolVarNull 1114->1129 1124 423046 1119->1124 1125 42304b-423228 __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrCopy __vbaStrMove call 4329f0 __vbaInStrVar * 2 __vbaVarOr __vbaBoolVarNull __vbaFreeStrList __vbaFreeVarList 1119->1125 1131 4236e2-4236e9 1124->1131 1125->1131 1165 42322e-423303 __vbaChkstk * 2 __vbaVarIndexLoad __vbaI4Var __vbaFreeVar 1125->1165 1128->1094 1171 421a0a-421dc7 call 4309e0 __vbaVarMove __vbaStrCat __vbaVarCat * 8 __vbaStrVarMove __vbaStrMove __vbaFreeVarList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrErrVarCopy __vbaStrMove __vbaStrCopy __vbaStrMove __vbaStrCat __vbaStrMove call 423920 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStrList __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStr 1129->1171 1172 421dcd 1129->1172 1138->1067 1143 422552-4229ff __vbaStrErrVarCopy __vbaStrMove call 436fa0 __vbaAryMove __vbaFreeStr call 4309e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCat __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrCopy __vbaStrMove call 4329f0 __vbaVarCat * 8 __vbaStrVarMove __vbaStrMove __vbaFreeStrList __vbaFreeVarList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStrList 1138->1143 1143->1098 1165->1067 1169 423309-4236df __vbaStrErrVarCopy __vbaStrMove call 436fa0 __vbaAryMove __vbaFreeStr call 4309e0 __vbaStrMove __vbaStrCat __vbaVarCat * 5 __vbaStrVarMove __vbaStrMove __vbaFreeVarList __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove call 423920 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStrList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStrList 1165->1169 1169->1131 1171->1172 1172->1114
                            APIs
                            • __vbaChkstk.MSVBVM60(?,00403596,?,?,004165DE,?,00442040,?), ref: 00420F1E
                            • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00403596), ref: 00420F4E
                            • __vbaStrCat.MSVBVM60(\LogkinotKrAhRyjSfwLYIttQphGBONdeYquirinal,015AC8B4), ref: 00420F74
                            • __vbaStrMove.MSVBVM60 ref: 00420F82
                            • #712.MSVBVM60(?,Login Data,Web Data,00000001,000000FF,00000000), ref: 00420FA5
                            • __vbaStrMove.MSVBVM60(?,Login Data,Web Data,00000001,000000FF,00000000), ref: 00420FB3
                            • __vbaStrCat.MSVBVM60(\WebData,015AC8B4,?,Login Data,Web Data,00000001,000000FF,00000000), ref: 00420FCB
                            • __vbaStrMove.MSVBVM60(?,Login Data,Web Data,00000001,000000FF,00000000), ref: 00420FD6
                            • #716.MSVBVM60(?,Scripting.FileSystemObject,00000000,?,Login Data,Web Data,00000001,000000FF,00000000), ref: 00420FF1
                            • __vbaVarZero.MSVBVM60(?,Login Data,Web Data,00000001,000000FF,00000000), ref: 00421003
                            • __vbaChkstk.MSVBVM60 ref: 0042104A
                            • __vbaChkstk.MSVBVM60 ref: 00421079
                            • __vbaObjVar.MSVBVM60(?,CopyFile,00000002), ref: 004210B1
                            • __vbaLateMemCall.MSVBVM60(00000000), ref: 004210B8
                            • #716.MSVBVM60(?,Scripting.FileSystemObject,00000000), ref: 004210E7
                            • __vbaVarZero.MSVBVM60 ref: 004210F9
                            • __vbaChkstk.MSVBVM60 ref: 00421140
                            • __vbaChkstk.MSVBVM60 ref: 0042116F
                            • __vbaObjVar.MSVBVM60(?,CopyFile,00000002), ref: 004211A7
                            • __vbaLateMemCall.MSVBVM60(00000000), ref: 004211AE
                            • __vbaStrCopy.MSVBVM60(?), ref: 00421205
                              • Part of subcall function 0043D900: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000,?,00000000), ref: 0043D94E
                              • Part of subcall function 0043D900: __vbaAryMove.MSVBVM60(?,?,00403596), ref: 0043D96B
                              • Part of subcall function 0043D900: __vbaLbound.MSVBVM60(00000001,?), ref: 0043D977
                              • Part of subcall function 0043D900: __vbaUbound.MSVBVM60(00000001,?), ref: 0043D985
                              • Part of subcall function 0043D900: __vbaAryLock.MSVBVM60(?,?), ref: 0043D9A6
                              • Part of subcall function 0043D900: __vbaGenerateBoundsError.MSVBVM60 ref: 0043D9C5
                              • Part of subcall function 0043D900: #644.MSVBVM60(00000000), ref: 0043D9E7
                              • Part of subcall function 0043D900: __vbaAryUnlock.MSVBVM60(?), ref: 0043D9F0
                              • Part of subcall function 0043D900: __vbaSetSystemError.MSVBVM60(?,?,-00000001,?,?), ref: 0043DA0E
                              • Part of subcall function 0043D900: __vbaAryLock.MSVBVM60(?,?), ref: 0043DA1C
                            • __vbaFreeStr.MSVBVM60(?,?), ref: 00421227
                            • __vbaSetSystemError.MSVBVM60(?), ref: 00421246
                            • __vbaVarMove.MSVBVM60(?,00000000), ref: 00421287
                            • __vbaAryMove.MSVBVM60(?,00000064,?,00000002), ref: 004212E7
                            • __vbaVarCmpEq.MSVBVM60(00000008,00008008,?), ref: 0042131A
                            • __vbaVarNot.MSVBVM60(?,00000000), ref: 00421328
                            • __vbaBoolVarNull.MSVBVM60(00000000), ref: 0042132F
                            • __vbaVarMove.MSVBVM60(?,00000000), ref: 0042136D
                            • __vbaStrCopy.MSVBVM60 ref: 00421385
                            • __vbaStrMove.MSVBVM60(?), ref: 0042139F
                            • __vbaStrCopy.MSVBVM60 ref: 004213B0
                            • __vbaStrMove.MSVBVM60(?), ref: 004213CA
                            • __vbaStrCat.MSVBVM60(Url : ,00000000), ref: 004213DC
                            • __vbaStrCopy.MSVBVM60 ref: 00421411
                            • __vbaStrMove.MSVBVM60 ref: 00421439
                            • __vbaStrCopy.MSVBVM60(?,?), ref: 00421481
                            • __vbaStrMove.MSVBVM60 ref: 004214A9
                            • __vbaVarCat.MSVBVM60(?,?,00000008,?,?), ref: 004214F8
                            • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 0042150D
                            • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 00421522
                            • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 00421534
                            • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 00421549
                            • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 0042155E
                            • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 00421570
                            • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 00421585
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 0042158C
                            • __vbaStrMove.MSVBVM60 ref: 00421599
                            • __vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,00000000,00000000), ref: 004215D9
                            • __vbaFreeVarList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,?,?), ref: 00421631
                            • __vbaStrMove.MSVBVM60(?), ref: 00421666
                            • __vbaStrCopy.MSVBVM60 ref: 00421677
                            • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 004216C7
                            • __vbaStrCat.MSVBVM60(00000000), ref: 004216CE
                            • __vbaStrMove.MSVBVM60 ref: 004216DC
                            • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 004216E9
                            • __vbaStrMove.MSVBVM60 ref: 004216F7
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 00421703
                            • __vbaStrMove.MSVBVM60 ref: 00421711
                            • __vbaStrCat.MSVBVM60(===============DARKCLOUD===============,00000000), ref: 0042171D
                            • __vbaStrMove.MSVBVM60 ref: 0042172B
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 00421737
                            • __vbaStrMove.MSVBVM60 ref: 00421744
                            • __vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,00000000), ref: 0042178B
                            • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00421982
                              • Part of subcall function 0043D780: __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043D86C
                              • Part of subcall function 0043D780: __vbaAryMove.MSVBVM60(?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,00403596,004219A0), ref: 0043D899
                              • Part of subcall function 0043D780: __vbaAryDestruct.MSVBVM60(00000000,?,0043D8DC,?,00000000,?,?,?,?,?,?,?,?,?,00000000,00403596), ref: 0043D8D5
                            • __vbaAryMove.MSVBVM60(?,?,?,00000003), ref: 004219B1
                            • __vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 004219E4
                            • __vbaVarNot.MSVBVM60(?,00000000), ref: 004219F2
                            • __vbaBoolVarNull.MSVBVM60(00000000), ref: 004219F9
                            • __vbaVarMove.MSVBVM60(?,00000000), ref: 00421A37
                            • __vbaStrCat.MSVBVM60(Name on Card: ,00000000), ref: 00421A4F
                            • __vbaVarCat.MSVBVM60(?,?,00000008), ref: 00421ADB
                            • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 00421AF0
                            • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 00421B05
                            • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 00421B17
                            • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 00421B2C
                            • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 00421B41
                            • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 00421B53
                            • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 00421B68
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 00421B6F
                            • __vbaStrMove.MSVBVM60 ref: 00421B7C
                            • __vbaFreeVarList.MSVBVM60(00000009,00000008,?,?,?,?,?,?,?,?), ref: 00421BC3
                            • __vbaStrCopy.MSVBVM60 ref: 00421BDE
                            • __vbaStrMove.MSVBVM60(?), ref: 00421BF8
                            • __vbaStrErrVarCopy.MSVBVM60(?), ref: 00421C02
                            • __vbaStrMove.MSVBVM60 ref: 00421C10
                            • __vbaStrCopy.MSVBVM60 ref: 00421C21
                            • __vbaStrMove.MSVBVM60 ref: 00421C49
                            • __vbaStrCat.MSVBVM60(Card Type: ,00000000), ref: 00421C5A
                            • __vbaStrMove.MSVBVM60(?,00000000), ref: 00421C83
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00421C8A
                            • __vbaStrMove.MSVBVM60 ref: 00421C98
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 00421CA4
                            • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 00421CD4
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00421CDB
                            • __vbaStrMove.MSVBVM60 ref: 00421CE9
                            • __vbaStrCat.MSVBVM60(?,00000000), ref: 00421CF6
                            • __vbaStrMove.MSVBVM60(?,00000000), ref: 00421D04
                            • __vbaStrCat.MSVBVM60(004059B4,00000000,?,00000000), ref: 00421D10
                            • __vbaStrMove.MSVBVM60(?,00000000), ref: 00421D1D
                            • __vbaFreeStrList.MSVBVM60(0000000C,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00421D79
                            • __vbaStrCat.MSVBVM60(===============DARKCLOUD===============,00000000), ref: 00421D94
                            • __vbaStrMove.MSVBVM60 ref: 00421DA2
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 00421DAE
                            • __vbaStrMove.MSVBVM60 ref: 00421DBB
                            • __vbaFreeStr.MSVBVM60 ref: 00421DC7
                            • __vbaSetSystemError.MSVBVM60(?), ref: 00421DE5
                              • Part of subcall function 0043DB50: __vbaSetSystemError.MSVBVM60(?,004217CE,00000064), ref: 0043DB5C
                            • #529.MSVBVM60(00004008,00000064), ref: 00421E28
                            • __vbaStrMove.MSVBVM60 ref: 00421CB2
                              • Part of subcall function 004329F0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,00000002,?,?,?), ref: 00432B3A
                              • Part of subcall function 004329F0: __vbaStrCopy.MSVBVM60 ref: 00432B59
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(00432B9C), ref: 00432B95
                            • __vbaStrMove.MSVBVM60 ref: 00421C68
                              • Part of subcall function 00423920: __vbaChkstk.MSVBVM60(00000000,00403596), ref: 0042393E
                              • Part of subcall function 00423920: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00403596), ref: 0042396E
                              • Part of subcall function 00423920: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00403596), ref: 0042398A
                              • Part of subcall function 00423920: __vbaStrMove.MSVBVM60(?,?,00000000,?,00000000,00403596), ref: 0042399E
                              • Part of subcall function 00423920: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00403596), ref: 004239AC
                              • Part of subcall function 00423920: __vbaStrMove.MSVBVM60 ref: 004239CB
                              • Part of subcall function 00423920: __vbaStrMove.MSVBVM60(?,?), ref: 004239E3
                              • Part of subcall function 00423920: __vbaStrMove.MSVBVM60(00000000), ref: 00423A04
                              • Part of subcall function 00423920: #716.MSVBVM60(?,00000000), ref: 00423A0F
                              • Part of subcall function 00423920: __vbaObjVar.MSVBVM60(?), ref: 00423A19
                              • Part of subcall function 00423920: __vbaObjSetAddref.MSVBVM60(00000000,00000000), ref: 00423A24
                              • Part of subcall function 00423920: __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,?), ref: 00423A44
                              • Part of subcall function 00423920: __vbaFreeVar.MSVBVM60(?,?,?,?,?,00000000,00403596), ref: 00423A50
                              • Part of subcall function 00423920: __vbaChkstk.MSVBVM60 ref: 00423A70
                            • __vbaStrMove.MSVBVM60 ref: 0042169F
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,6D10D8B1,00000001,6D0FA323), ref: 00432A33
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?), ref: 00432A69
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00432A74
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,?), ref: 00432A77
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00432A82
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00432A8B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00432AA9
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432AC6
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AD1
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00432AD4
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE0
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE9
                              • Part of subcall function 004329F0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00432B0A
                              • Part of subcall function 004329F0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 00432B1C
                              • Part of subcall function 004329F0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 00432B23
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432B2E
                            • __vbaStrCopy.MSVBVM60 ref: 0042164C
                              • Part of subcall function 004338E0: __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                              • Part of subcall function 004338E0: #632.MSVBVM60(?,?,?,?), ref: 00433982
                              • Part of subcall function 004338E0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                              • Part of subcall function 004338E0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                              • Part of subcall function 004338E0: #537.MSVBVM60(00000000), ref: 004339A6
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                              • Part of subcall function 004338E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaVarMove.MSVBVM60(?,00000001), ref: 004212BB
                              • Part of subcall function 0043D780: __vbaStr2Vec.MSVBVM60(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00000000,00403596,004219A0), ref: 0043D7C2
                              • Part of subcall function 0043D780: __vbaAryMove.MSVBVM60(?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,00403596,004219A0), ref: 0043D7D2
                              • Part of subcall function 0043D780: __vbaStr2Vec.MSVBVM60(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00000000,00403596,004219A0), ref: 0043D7D9
                              • Part of subcall function 0043D780: __vbaAryMove.MSVBVM60(?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,00403596,004219A0), ref: 0043D7E3
                              • Part of subcall function 0043D780: __vbaSetSystemError.MSVBVM60(00403238,004219A0,?,00000000,?,?,?,?,?,?,?,?,?,00000000,00403596,004219A0), ref: 0043D7F4
                              • Part of subcall function 0043D780: __vbaSetSystemError.MSVBVM60(00403238,004219A0,?,00000000,?,?,?,?,?,?,?,?,?,00000000,00403596,004219A0), ref: 0043D80C
                              • Part of subcall function 0043D780: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000,?,00000000), ref: 0043D82F
                              • Part of subcall function 0043D780: __vbaAryLock.MSVBVM60(?,?), ref: 0043D840
                              • Part of subcall function 0043D780: __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043D85F
                              • Part of subcall function 0043D780: __vbaSetSystemError.MSVBVM60(00000000,00000000,?), ref: 0043D885
                              • Part of subcall function 0043D780: __vbaAryUnlock.MSVBVM60(?), ref: 0043D88B
                            • __vbaSetSystemError.MSVBVM60(?), ref: 004217AC
                            • #645.MSVBVM60(00004008,00000000,00000064), ref: 004217F4
                            • __vbaStrMove.MSVBVM60 ref: 00421802
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 0042180E
                            • __vbaFreeStr.MSVBVM60 ref: 00421829
                            • __vbaStrCopy.MSVBVM60(?), ref: 00421863
                            • __vbaFreeStr.MSVBVM60(?,?), ref: 00421885
                            • __vbaSetSystemError.MSVBVM60(?), ref: 004218A4
                            • __vbaVarMove.MSVBVM60(?,00000000), ref: 004218E5
                            • __vbaStrMove.MSVBVM60(?,00000001), ref: 00421908
                            • __vbaStrCat.MSVBVM60(00405AFC,00000000), ref: 00421914
                            • __vbaStrMove.MSVBVM60 ref: 00421922
                            • __vbaStrMove.MSVBVM60(?,00000002,00000000), ref: 0042193F
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00421946
                            • __vbaVarMove.MSVBVM60 ref: 00421965
                              • Part of subcall function 0043D6F0: __vbaSetSystemError.MSVBVM60(?,00403596,?,00000000,?,?,?,00000000,00403596), ref: 0043D730
                              • Part of subcall function 0043D6F0: __vbaStrMove.MSVBVM60(?,?,00000000,?,?,?,00000000,00403596), ref: 0043D747
                            • __vbaStrCopy.MSVBVM60 ref: 00421E45
                            • __vbaStrToAnsi.MSVBVM60(?,?,?), ref: 00421E64
                            • __vbaSetSystemError.MSVBVM60(00000000), ref: 00421E70
                            • __vbaStrToUnicode.MSVBVM60(?,?), ref: 00421E84
                            • __vbaFreeStr.MSVBVM60 ref: 00421E90
                            • __vbaStrToAnsi.MSVBVM60(?,?), ref: 00421EBC
                            • __vbaStrToAnsi.MSVBVM60(?,?,?,?), ref: 00421EDE
                            • __vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 00421EF5
                            • __vbaStrToUnicode.MSVBVM60(?,?), ref: 00421F09
                            • __vbaStrToUnicode.MSVBVM60(?,?), ref: 00421F1D
                            • __vbaVarMove.MSVBVM60 ref: 00421F2C
                            • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00421F42
                            • __vbaSetSystemError.MSVBVM60(?), ref: 00421F61
                            • #558.MSVBVM60(?), ref: 00421F6B
                            • __vbaSetSystemError.MSVBVM60(?), ref: 00421FA6
                            • __vbaI2I4.MSVBVM60 ref: 00421FBB
                              • Part of subcall function 0043DAC0: __vbaStrToAnsi.MSVBVM60(?,?,?,?,00000000,?,?,?,?,00000000,00403596), ref: 0043DAFF
                              • Part of subcall function 0043DAC0: __vbaSetSystemError.MSVBVM60(00000000,?,?,?,00000000,?,?,?,?,00000000,00403596), ref: 0043DB0B
                              • Part of subcall function 0043DAC0: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,?,?,?,?,00000000,00403596), ref: 0043DB16
                              • Part of subcall function 0043DAC0: __vbaFreeStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00403596), ref: 0043DB1F
                            • #529.MSVBVM60(00004008), ref: 0042374F
                            • __vbaFreeVarList.MSVBVM60(00000002,?,?,004238FE), ref: 0042383D
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042384F
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042385E
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042386D
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042387C
                            • __vbaFreeVar.MSVBVM60 ref: 00423885
                            • __vbaFreeVar.MSVBVM60 ref: 0042388E
                            • __vbaFreeStr.MSVBVM60 ref: 00423897
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004238A3
                            • __vbaFreeStr.MSVBVM60 ref: 004238AC
                            • __vbaFreeVar.MSVBVM60 ref: 004238B5
                            • __vbaFreeVar.MSVBVM60 ref: 004238BE
                            • __vbaFreeStr.MSVBVM60 ref: 004238C7
                            • __vbaFreeStr.MSVBVM60 ref: 004238D3
                            • __vbaFreeStr.MSVBVM60 ref: 004238DF
                            • __vbaFreeStr.MSVBVM60 ref: 004238EB
                            • __vbaFreeStr.MSVBVM60 ref: 004238F7
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Free$Error$CopySystem$List$Chkstk$Destruct$AnsiUnicode$#716BoundsBstrGenerateLock$#516#529#631BoolCallLateNullRedimStr2UnlockZero$#537#558#608#632#644#645#712AddrefLboundUbound
                            • String ID: 10160C230B2D341F414845$15233B37023F3D21577745$1E4861$2C7043$33203C09200C070303040748717A$===============DARKCLOUD===============$Card Number: $Card Type: $CopyFile$Expiry Date; $Login Data$Name on Card: $SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards$SELECT origin_url, username_value, password_value FROM logins$SELECT origin_url, username_value, password_value, length(password_value) FROM logins$Scripting.FileSystemObject$ShyQWHarfaxHKhJpViVbMVflZQLWIMCXu$Url : $Web Data$\LogkinotKrAhRyjSfwLYIttQphGBONdeYquirinal$\WebData$b$card_number_encrypted$d$fEBHDuPOEwMevLOFkJgcMNhE$qrPLeIofwjkihKZcaTwXMGKcgFyKwiHUZ$rZArGHyTUuEGOFKvdTHAu$vEeiQeLYzaresWrkYxPTlpQBojgRRwVez
                            • API String ID: 102252830-1525381772
                            • Opcode ID: 032cc61195c807e447572be640397fe629059f2f8eb9a7f9d9e6fa267482e34a
                            • Instruction ID: bb752d8a5fa72fed3c3c008ba37fca633aac3e8fe2df96bcba4f60170acdbf61
                            • Opcode Fuzzy Hash: 032cc61195c807e447572be640397fe629059f2f8eb9a7f9d9e6fa267482e34a
                            • Instruction Fuzzy Hash: 463308B5900218DFDB15DF90CD58BDEB7B9BB48304F0085EAE60AA7260EB745B88CF55
                            Function 00426180 Relevance: 617.9, APIs: 308, Strings: 44, Instructions: 1933COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1201 426180-426273 __vbaChkstk __vbaAryConstruct2 * 2 __vbaOnError __vbaStrCopy call 433f70 __vbaAryMove __vbaFreeStr __vbaForEachAry 1204 426345-42634c 1201->1204 1205 426352-42636a __vbaStrCmp 1204->1205 1206 426278-4262cb __vbaStrErrVarCopy __vbaStrMove __vbaInStr __vbaFreeStr 1204->1206 1209 426370-42653d __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove * 2 #716 __vbaVarZero __vbaFreeStrList __vbaChkstk __vbaVarLateMemCallLd __vbaStrVarMove __vbaStrMove __vbaFreeVar __vbaStrCopy call 4338e0 1205->1209 1210 4266ba-4266cd __vbaLenBstrB 1205->1210 1207 42631e-42633f __vbaNextEachAry 1206->1207 1208 4262cd-42631c __vbaStrErrVarCopy __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStr __vbaExitEachAry 1206->1208 1207->1204 1208->1205 1227 426542-42667b __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove * 2 #712 __vbaStrMove __vbaFreeStrList #712 __vbaStrMove __vbaLenBstr 1209->1227 1211 4266d4-4266f0 __vbaInStr 1210->1211 1212 4266cf 1210->1212 1215 4266f2-426702 1211->1215 1216 426704-42670b 1211->1216 1214 4282a8-428450 __vbaAryUnlock * 2 __vbaFreeVarList __vbaAryDestruct * 2 __vbaFreeStr __vbaFreeVar __vbaAryDestruct * 2 __vbaFreeStr * 4 __vbaAryDestruct * 2 __vbaFreeStr 1212->1214 1222 428468-42846f __vbaErrorOverflow 1214->1222 1218 426714-4267da __vbaStrCopy call 4338e0 __vbaStrMove #520 __vbaStrCopy __vbaStrMove call 4329f0 1215->1218 1216->1218 1230 4267e8-4267ee __vbaGenerateBoundsError 1218->1230 1231 4267dc-4267e6 1218->1231 1227->1222 1234 426681-4266b4 #617 __vbaStrVarMove __vbaStrMove __vbaFreeVar 1227->1234 1233 4267f4-42694c __vbaVarAdd __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaFreeVarList __vbaStrCopy call 4338e0 __vbaStrMove #520 __vbaStrCopy __vbaStrMove call 4329f0 1230->1233 1231->1233 1239 42695a-426960 __vbaGenerateBoundsError 1233->1239 1240 42694e-426958 1233->1240 1234->1210 1241 426966-426abe __vbaVarAdd __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaFreeVarList __vbaStrCopy call 4338e0 __vbaStrMove #520 __vbaStrCopy __vbaStrMove call 4329f0 1239->1241 1240->1241 1246 426ac0-426aca 1241->1246 1247 426acc-426ad2 __vbaGenerateBoundsError 1241->1247 1248 426ad8-426be6 __vbaVarAdd __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaFreeVarList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove 1246->1248 1247->1248 1251 426bf4-426bfa __vbaGenerateBoundsError 1248->1251 1252 426be8-426bf2 1248->1252 1253 426c00-426cdf call 4329f0 __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove 1251->1253 1252->1253 1258 426ce1-426ceb 1253->1258 1259 426ced-426cf3 __vbaGenerateBoundsError 1253->1259 1260 426cf9-426dd8 call 4329f0 __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove 1258->1260 1259->1260 1265 426de6-426dec __vbaGenerateBoundsError 1260->1265 1266 426dda-426de4 1260->1266 1267 426df2-426e96 call 4329f0 __vbaStrMove __vbaStrCopy __vbaFreeStrList 1265->1267 1266->1267 1267->1214 1271 426e9c-426eb4 1267->1271 1272 426ec2-426ec8 __vbaGenerateBoundsError 1271->1272 1273 426eb6-426ec0 1271->1273 1274 426ece-426f36 #645 __vbaStrMove __vbaStrCmp __vbaFreeStr 1272->1274 1273->1274 1275 426f38 1274->1275 1276 426f3d-426f65 1274->1276 1279 42829c-4282a3 1275->1279 1277 426f73-426f79 __vbaGenerateBoundsError 1276->1277 1278 426f67-426f71 1276->1278 1280 426f7f-426fbc call 433f70 __vbaAryMove 1277->1280 1278->1280 1283 426fc2-426fed __vbaForEachAry 1280->1283 1284 4281ab-428296 __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat #529 __vbaFreeStrList __vbaFreeVar 1280->1284 1286 42819e-4281a5 1283->1286 1284->1279 1286->1284 1287 426ff2-42700a 1286->1287 1290 427018-42701e __vbaGenerateBoundsError 1287->1290 1291 42700c-427016 1287->1291 1293 427024-427427 __vbaVarAdd __vbaStrVarMove __vbaStrMove __vbaFreeVar #716 __vbaVarZero __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaChkstk * 2 __vbaObjVar __vbaLateMemCall __vbaFreeStrList __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove call 429130 __vbaStrMove __vbaFreeStrList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaInStrVar __vbaBoolVarNull __vbaFreeStrList __vbaFreeVarList 1290->1293 1291->1293 1308 4274d9-4277a8 __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove * 2 call 429470 __vbaStrMove __vbaFreeStrList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove * 2 #712 __vbaStrMove call 437120 __vbaStrMove __vbaFreeStrList 1293->1308 1309 42742d-4274d4 __vbaStrVarVal #709 __vbaLenVar __vbaVarSub __vbaI4Var #619 __vbaStrVarMove __vbaStrMove __vbaFreeStr __vbaFreeVar 1293->1309 1310 4277ab-427db9 __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove * 2 call 429470 __vbaStrMove __vbaFreeStrList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove * 2 call 429470 __vbaStrMove __vbaFreeStrList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove * 2 #712 __vbaStrMove call 437120 __vbaStrMove __vbaFreeStrList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove * 2 #712 __vbaStrMove call 437120 __vbaStrMove __vbaFreeStrList call 429690 __vbaStrMove __vbaStrCmp * 2 1308->1310 1309->1310 1361 428177-428198 __vbaNextEachAry 1310->1361 1362 427dbf-428174 __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove __vbaStrCopy __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStrList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStrList 1310->1362 1361->1286 1362->1361
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596), ref: 0042619E
                            • __vbaAryConstruct2.MSVBVM60(?,0040B5D4,00000008,?,00000000,?,00000000,00403596), ref: 004261D0
                            • __vbaAryConstruct2.MSVBVM60(?,0040B5D4,00000008,?,00000000,?,00000000,00403596), ref: 004261E1
                            • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00403596), ref: 004261F0
                            • __vbaAryMove.MSVBVM60(?,?,?,00442064,?,00000000,?,00000000,00403596), ref: 00426233
                            • __vbaFreeStr.MSVBVM60(?,00000000,?,00000000,00403596), ref: 0042623F
                            • __vbaForEachAry.MSVBVM60(00000008,?,?,?,?,?,00000000,?,00000000,00403596), ref: 00426267
                            • __vbaStrErrVarCopy.MSVBVM60(?,00000001), ref: 00426285
                            • __vbaStrMove.MSVBVM60 ref: 00426293
                            • __vbaInStr.MSVBVM60(00000000,Foxmail,00000000), ref: 004262A1
                            • __vbaFreeStr.MSVBVM60 ref: 004262BC
                            • __vbaStrErrVarCopy.MSVBVM60(?), ref: 004262D8
                            • __vbaStrMove.MSVBVM60 ref: 004262E6
                            • __vbaStrCat.MSVBVM60(00405AFC,00000000), ref: 004262F2
                            • __vbaStrMove.MSVBVM60 ref: 004262FD
                            • __vbaFreeStr.MSVBVM60 ref: 00426309
                            • __vbaExitEachAry.MSVBVM60(?), ref: 00426316
                            • __vbaStrCmp.MSVBVM60(00405BB8,?), ref: 00426362
                            • __vbaStrCopy.MSVBVM60 ref: 00426382
                            • __vbaStrMove.MSVBVM60(?), ref: 0042639C
                            • __vbaStrCopy.MSVBVM60 ref: 004263AD
                            • __vbaStrMove.MSVBVM60 ref: 004263D5
                            • __vbaStrMove.MSVBVM60(?,?), ref: 004263F6
                            • __vbaStrMove.MSVBVM60(00000000), ref: 00426420
                            • #716.MSVBVM60(?,00000000), ref: 0042642E
                            • __vbaVarZero.MSVBVM60 ref: 00426440
                            • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,00000000), ref: 0042647E
                            • __vbaChkstk.MSVBVM60 ref: 004264A7
                            • __vbaVarLateMemCallLd.MSVBVM60(?,?,RegRead,00000001), ref: 004264E6
                            • __vbaStrVarMove.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00403596), ref: 004264F0
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00403596), ref: 004264FB
                            • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00403596), ref: 00426507
                            • __vbaStrMove.MSVBVM60(?), ref: 0042654A
                            • __vbaStrCopy.MSVBVM60 ref: 0042655B
                            • __vbaStrMove.MSVBVM60(?,?), ref: 004265A4
                            • __vbaStrMove.MSVBVM60(00405BB8,00000001,000000FF,00000000), ref: 004265D7
                            • #712.MSVBVM60(?,00000000), ref: 004265E2
                            • __vbaStrMove.MSVBVM60 ref: 004265ED
                            • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,00000000), ref: 0042661F
                            • #712.MSVBVM60(?,00405AF4,00405BB8,00000001,000000FF,00000000), ref: 00426643
                            • __vbaStrMove.MSVBVM60 ref: 0042664E
                            • __vbaLenBstr.MSVBVM60(?), ref: 00426672
                            • #617.MSVBVM60(?,00004008,-00000002), ref: 00426690
                            • __vbaStrVarMove.MSVBVM60(?), ref: 0042669D
                            • __vbaStrMove.MSVBVM60 ref: 004266A8
                            • __vbaFreeVar.MSVBVM60 ref: 004266B4
                            • __vbaLenBstrB.MSVBVM60(?), ref: 004266C5
                            • __vbaInStr.MSVBVM60(00000000,0040B250,?,00000001), ref: 004266E8
                            • __vbaStrCopy.MSVBVM60 ref: 00426726
                            • __vbaStrMove.MSVBVM60(?), ref: 00426740
                            • #520.MSVBVM60(?,00004008), ref: 00426767
                            • __vbaStrCopy.MSVBVM60 ref: 00426778
                            • __vbaStrMove.MSVBVM60 ref: 004267A0
                            • __vbaStrMove.MSVBVM60 ref: 00426583
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,6D10D8B1,00000001,6D0FA323), ref: 00432A33
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?), ref: 00432A69
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00432A74
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,?), ref: 00432A77
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00432A82
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00432A8B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00432AA9
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432AC6
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AD1
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00432AD4
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE0
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE9
                              • Part of subcall function 004329F0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00432B0A
                              • Part of subcall function 004329F0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 00432B1C
                              • Part of subcall function 004329F0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 00432B23
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432B2E
                            • __vbaStrCopy.MSVBVM60 ref: 00426530
                              • Part of subcall function 004338E0: __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                              • Part of subcall function 004338E0: #632.MSVBVM60(?,?,?,?), ref: 00433982
                              • Part of subcall function 004338E0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                              • Part of subcall function 004338E0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                              • Part of subcall function 004338E0: #537.MSVBVM60(00000000), ref: 004339A6
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                              • Part of subcall function 004338E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00403596), ref: 00426208
                              • Part of subcall function 004338E0: __vbaChkstk.MSVBVM60(00000000,00403596), ref: 00433F8E
                              • Part of subcall function 004338E0: __vbaOnError.MSVBVM60(000000FF,6D10D8B1,?,6D0FA323,00000000,00403596), ref: 00433FBE
                              • Part of subcall function 004338E0: #645.MSVBVM60(00004008,00000010), ref: 00433FE5
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60 ref: 00433FF0
                              • Part of subcall function 004338E0: __vbaStrCmp.MSVBVM60(00405BB8,?), ref: 00434013
                              • Part of subcall function 004338E0: __vbaStrCmp.MSVBVM60(00406074,?), ref: 00434031
                              • Part of subcall function 004338E0: __vbaStrCmp.MSVBVM60(0040C3B4,?), ref: 00434047
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(?,00000001), ref: 0043406D
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60 ref: 00434078
                              • Part of subcall function 004338E0: #579.MSVBVM60(00000000), ref: 0043407F
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60 ref: 00434099
                              • Part of subcall function 004338E0: __vbaRedimPreserve.MSVBVM60(00000180,00000004,?,00000008,00000001,00000000,00000000), ref: 004340C8
                            • __vbaVarAdd.MSVBVM60(?,00000008,?), ref: 00426809
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 00426810
                            • __vbaStrMove.MSVBVM60 ref: 0042681E
                            • __vbaStrCopy.MSVBVM60 ref: 00426832
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0042685D
                            • __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,00000000,?,00000000,00403596), ref: 0042687D
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00403596), ref: 00426898
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00403596), ref: 004268B2
                            • __vbaAryUnlock.MSVBVM60(?,00428451), ref: 00428379
                            • __vbaAryUnlock.MSVBVM60(?), ref: 00428386
                            • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042839C
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004283AE
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004283BD
                            • __vbaFreeStr.MSVBVM60(?,00000000,00403596), ref: 004283C6
                            • __vbaFreeVar.MSVBVM60(?,00000000,00403596), ref: 004283CF
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004283DB
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004283F3
                            • __vbaFreeStr.MSVBVM60(?,00000000,00403596), ref: 004283FC
                            • __vbaFreeStr.MSVBVM60(?,00000000,00403596), ref: 00428405
                            • __vbaFreeStr.MSVBVM60(?,00000000,00403596), ref: 0042840E
                            • __vbaFreeStr.MSVBVM60(?,00000000,00403596), ref: 00428417
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042842F
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042843E
                            • __vbaFreeStr.MSVBVM60(?,00000000,00403596), ref: 0042844A
                            • __vbaErrorOverflow.MSVBVM60 ref: 00428468
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Free$Copy$DestructList$Bstr$ChkstkError$#516#631#712Construct2EachUnlock$#520#537#579#608#617#632#645#716CallExitLateOverflowPreserveRedimZero
                            • String ID: 00173F2B0F2E0D4B042117$021F0D352C24022D050D342F2818$043238281C332E311E220B56766F0004322A022422$0502281B1F261667021F2D2E1B$062B050A130E1A16$0A2C041315$0D0D121120300D2631063B$0E33083B2C183D0539352C310F2917163A4D3D092D45$10160C230B2D341F414845$15233B37023F3D21577745$19240A320A39370E4F011114$1C203D0323342620083936060E05231713$1E261B1D170B0635$2A1D0F093E1502240F0F02053E3436$2C2B1627023C001B590234157F$31241E2D05$371333320B1C0136192534281B0B0C1D671523131C$3A09061B2B$===============DARKCLOUD===============$@$BOAezyQgIspGLVNiHNHvleLmQsVUunyK$C:\\$CopyFile$CuEjLYSJFCMxg$DWhowwyQAEnhKHugPsvLp$Foxmail$HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Foxmail.url.mailto\Shell\open\command\$IosnkRpQMhacqKFSvcUfCvS$MBxfvOYcAbUwbyKNnGbQjQQJ$OpjuDmInowpQv$QAoTbJBakCdqGCAWtLTuuIuYBbkbggxXKP$RegRead$Scripting.FileSystemObject$Url : $WVJvydahrJTTBnULzcOJhQue$YMjyRCMlJVhF$eMRtovlciuBGmeetKHUPp$eRQKivVbIQwHBwepViuhjozNacKRVlQTWZpmEgYscq$fEBHDuPOEwMevLOFkJgcMNhE$nFxGFnGaeaYriQLRLpeIQFGW$oLEOjLPOCKQSeeQJzvururZPJRZPVDEUoMBQuXtaM$tkRPQHzfjXFWGnexnIaGrh$vEeiQeLYzaresWrkYxPTlpQBojgRRwVez$yRrkXCmSqJimRlFbxNcOlNu
                            • API String ID: 3369885347-2208504800
                            • Opcode ID: 8c1c35434445281867d6b2f62259cd5b6bdc53d65bc2a8a50232e7d938938d63
                            • Instruction ID: a62c52b899afb70366edaad1d072b09fb32ff2f8bb17dbc693aaaa36ec1ca051
                            • Opcode Fuzzy Hash: 8c1c35434445281867d6b2f62259cd5b6bdc53d65bc2a8a50232e7d938938d63
                            • Instruction Fuzzy Hash: C213FA71900219DFDB24DF60DD88BDEB779BB49300F1081EAE50AB6260EB745B89CF95
                            Function 00417880 Relevance: 594.0, APIs: 312, Strings: 26, Instructions: 2467COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596,?,?,00000000,?,00000000,00403596), ref: 0041789E
                            • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00403596), ref: 004178CE
                            • __vbaUbound.MSVBVM60(00000001,01590A08,?,00000000,?,00000000,00403596), ref: 004178E3
                            • __vbaI2I4.MSVBVM60(?,00000000,?,00000000,00403596), ref: 004178EB
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00417988
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 004179A5
                            • __vbaStrCat.MSVBVM60(\accounts.xml,01590A08), ref: 004179C8
                            • #645.MSVBVM60(00000008,00000000), ref: 004179E7
                            • __vbaStrMove.MSVBVM60 ref: 004179F2
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 004179FE
                            • __vbaFreeStr.MSVBVM60 ref: 00417A16
                            • __vbaFreeVar.MSVBVM60 ref: 00417A22
                            • __vbaNew2.MSVBVM60(00406D98,00000000), ref: 00417A4D
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00417ABD
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00417ADA
                            • __vbaStrCat.MSVBVM60(\accounts.xml,01590A08), ref: 00417AFE
                            • __vbaChkstk.MSVBVM60(?), ref: 00417B20
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406DA8,000000E8), ref: 00417B88
                            • __vbaFreeVar.MSVBVM60 ref: 00417BA6
                            • __vbaNew2.MSVBVM60(00406D98,00000000), ref: 00417BC2
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406DA8,000000B4), ref: 00417C2F
                            • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406E88,00000030), ref: 00417C92
                            • __vbaObjSet.MSVBVM60(?,?), ref: 00417CCE
                            • __vbaForEachCollObj.MSVBVM60(00406E88,?,?,00000000), ref: 00417CE5
                            • __vbaFreeObj.MSVBVM60 ref: 00417CF7
                            • __vbaStrCopy.MSVBVM60 ref: 00417D11
                            • __vbaStrMove.MSVBVM60(?), ref: 00417D25
                            • __vbaStrCopy.MSVBVM60 ref: 00417D33
                            • __vbaStrMove.MSVBVM60(?), ref: 00417D47
                            • __vbaStrCopy.MSVBVM60 ref: 00417D55
                            • __vbaStrMove.MSVBVM60 ref: 00417D74
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406E88,00000030), ref: 00417DB0
                            • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407AA0,0000001C), ref: 00417E15
                            • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406E88,00000068), ref: 00417E75
                            • __vbaStrCopy.MSVBVM60 ref: 00417E95
                            • __vbaStrMove.MSVBVM60 ref: 00417EB4
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406E88,00000030), ref: 00417EF0
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00407AA0,0000001C), ref: 00417F55
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406E88,00000068), ref: 00417FB5
                            • __vbaStrMove.MSVBVM60(?,?,015B1C0C), ref: 00417FE6
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00417FED
                            • __vbaStrMove.MSVBVM60 ref: 00417FF8
                            • __vbaStrCat.MSVBVM60(?,00000000), ref: 00418003
                            • __vbaStrMove.MSVBVM60 ref: 0041800E
                            • __vbaStrMove.MSVBVM60(?,?,004059B4,00000000), ref: 0041802C
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00418033
                            • __vbaStrMove.MSVBVM60 ref: 0041803E
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00418045
                            • __vbaStrMove.MSVBVM60 ref: 00418050
                            • __vbaStrCat.MSVBVM60(?,00000000), ref: 0041805B
                            • __vbaStrMove.MSVBVM60 ref: 00418066
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 00418072
                            • __vbaStrMove.MSVBVM60 ref: 0041807F
                            • __vbaFreeStrList.MSVBVM60(00000011,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004180CB
                            • __vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 004180F2
                            • __vbaStrMove.MSVBVM60(?), ref: 0041811E
                            • __vbaStrCopy.MSVBVM60 ref: 0041812C
                            • __vbaStrMove.MSVBVM60(?), ref: 00418140
                            • __vbaStrCopy.MSVBVM60 ref: 0041814E
                            • __vbaStrMove.MSVBVM60 ref: 0041816D
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406E88,00000030), ref: 004181A9
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00407AA0,0000001C), ref: 0041820E
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406E88,00000068), ref: 0041826E
                            • __vbaStrCopy.MSVBVM60 ref: 0041828E
                            • __vbaStrMove.MSVBVM60 ref: 004182AD
                            • __vbaStrMove.MSVBVM60(?,?,015B1C0C), ref: 004182CC
                            • __vbaStrCat.MSVBVM60(00000000), ref: 004182D3
                            • __vbaStrMove.MSVBVM60 ref: 004182DE
                            • __vbaStrCat.MSVBVM60(?,00000000), ref: 004182E9
                            • __vbaStrMove.MSVBVM60 ref: 004182F4
                            • __vbaStrMove.MSVBVM60(?,?,004059B4,00000000), ref: 00418312
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00418319
                            • __vbaStrMove.MSVBVM60 ref: 00418324
                            • __vbaStrCat.MSVBVM60(00000000), ref: 0041832B
                            • __vbaStrMove.MSVBVM60 ref: 00418336
                            • __vbaStrCat.MSVBVM60(===============DARKCLOUD===============,004059B4,00000000), ref: 00418347
                            • __vbaStrMove.MSVBVM60 ref: 00418352
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00418359
                            • __vbaStrMove.MSVBVM60 ref: 00418364
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 00418370
                            • __vbaStrMove.MSVBVM60 ref: 0041837D
                            • __vbaFreeStrList.MSVBVM60(00000011,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004183C9
                            • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004183E2
                            • __vbaNextEachCollObj.MSVBVM60(00406E88,?,?), ref: 00418402
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041846A
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00418487
                            • __vbaStrCat.MSVBVM60(\recentservers.xml,01590A08), ref: 004184AB
                            • #645.MSVBVM60(00000008,00000000), ref: 004184CA
                            • __vbaStrMove.MSVBVM60 ref: 004184D5
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 004184E1
                            • __vbaFreeStr.MSVBVM60 ref: 004184F9
                            • __vbaFreeVar.MSVBVM60 ref: 00418505
                            • __vbaNew2.MSVBVM60(00406D98,00000000), ref: 00418530
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041859F
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 004185BC
                            • __vbaStrCat.MSVBVM60(\recentservers.xml,01590A08), ref: 004185E0
                            • __vbaChkstk.MSVBVM60(?), ref: 00418602
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406DA8,000000E8), ref: 0041866A
                            • __vbaFreeVar.MSVBVM60 ref: 00418688
                            • __vbaNew2.MSVBVM60(00406D98,00000000), ref: 004186A4
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406DA8,000000DC), ref: 00418716
                            • __vbaObjSet.MSVBVM60(?,?), ref: 00418752
                            • __vbaForEachCollObj.MSVBVM60(00406E88,?,?,00000000), ref: 00418769
                            • __vbaStrCopy.MSVBVM60 ref: 00418789
                            • __vbaStrMove.MSVBVM60(?), ref: 0041879D
                            • __vbaStrCopy.MSVBVM60 ref: 004187AB
                            • __vbaStrMove.MSVBVM60(?,?), ref: 004187E2
                            • __vbaStrCopy.MSVBVM60 ref: 004187F0
                            • __vbaStrMove.MSVBVM60(?), ref: 00418804
                            • __vbaStrCopy.MSVBVM60 ref: 00418812
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041884C
                            • __vbaStrMove.MSVBVM60(00000000), ref: 00418872
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406E88,00000094), ref: 004188AE
                            • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406E88,00000068), ref: 0041890E
                            • __vbaStrMove.MSVBVM60(?), ref: 0041894C
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406E88,00000094), ref: 00418988
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406E88,00000068), ref: 004189E8
                            • __vbaStrCat.MSVBVM60(Url : ftp://,015B1C0C), ref: 00418A0B
                            • __vbaStrMove.MSVBVM60 ref: 00418A16
                            • __vbaStrCat.MSVBVM60(?,00000000), ref: 00418A21
                            • __vbaStrMove.MSVBVM60 ref: 00418A2C
                            • __vbaStrCat.MSVBVM60(004063CC,00000000), ref: 00418A38
                            • __vbaStrMove.MSVBVM60 ref: 00418A43
                            • __vbaStrCat.MSVBVM60(?,00000000), ref: 00418A4E
                            • __vbaStrMove.MSVBVM60 ref: 00418A59
                            • __vbaStrCat.MSVBVM60(00405E94,00000000), ref: 00418A65
                            • __vbaStrMove.MSVBVM60 ref: 00418A70
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 00418A7C
                            • __vbaStrMove.MSVBVM60 ref: 00418A89
                            • __vbaFreeStrList.MSVBVM60(00000013,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00418AE0
                            • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00418AF9
                            • __vbaStrCopy.MSVBVM60 ref: 00418B11
                            • __vbaStrMove.MSVBVM60(?), ref: 00418B25
                            • __vbaStrCopy.MSVBVM60 ref: 00418B33
                            • __vbaStrMove.MSVBVM60(?), ref: 00418B47
                            • __vbaStrCopy.MSVBVM60 ref: 00418B55
                            • __vbaStrMove.MSVBVM60 ref: 00418B74
                            • __vbaStrMove.MSVBVM60(?,?), ref: 00418B8C
                            • __vbaStrCopy.MSVBVM60 ref: 00418B9A
                            • __vbaStrMove.MSVBVM60 ref: 00418BB9
                            • __vbaStrMove.MSVBVM60(?), ref: 00418BDF
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406E88,00000094), ref: 00418C1B
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406E88,00000068), ref: 00418C7B
                            • __vbaStrMove.MSVBVM60(?,?,015B1C0C), ref: 00418CAC
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00418CB3
                            • __vbaStrMove.MSVBVM60 ref: 00418CBE
                            • __vbaStrCat.MSVBVM60(?,00000000), ref: 00418CC9
                            • __vbaStrMove.MSVBVM60 ref: 00418CD4
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 00418CE0
                            • __vbaStrMove.MSVBVM60 ref: 00418CED
                            • __vbaFreeStrList.MSVBVM60(0000000E,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00418D2D
                            • __vbaFreeObj.MSVBVM60 ref: 00418D3C
                            • __vbaStrCopy.MSVBVM60 ref: 00418D51
                            • __vbaStrMove.MSVBVM60(?), ref: 00418D65
                            • __vbaStrCopy.MSVBVM60 ref: 00418D73
                            • __vbaStrMove.MSVBVM60 ref: 00418D92
                            • __vbaStrMove.MSVBVM60(?,?), ref: 00418DAA
                            • __vbaStrMove.MSVBVM60(?), ref: 00418DD0
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406E88,00000094), ref: 00418E0C
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406E88,00000068), ref: 00418E6C
                            • __vbaStrMove.MSVBVM60 ref: 00418E9D
                            • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,00000000), ref: 00418EBD
                            • __vbaFreeObj.MSVBVM60 ref: 00418ECC
                            • __vbaAryMove.MSVBVM60(?,?,00000000), ref: 00418EF3
                            • __vbaUbound.MSVBVM60(00000001,?), ref: 00418F06
                            • __vbaStrMove.MSVBVM60(?,?), ref: 00418F27
                            • __vbaNextEachCollObj.MSVBVM60(00406E88,?,?), ref: 00418F44
                            • __vbaStrCat.MSVBVM60(?,00000000), ref: 00419037
                            • __vbaStrMove.MSVBVM60 ref: 00419042
                            • __vbaStrMove.MSVBVM60(00000000,?,004059B4,00000000), ref: 00419060
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00419067
                            • __vbaStrMove.MSVBVM60 ref: 00419072
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00419079
                            • __vbaStrMove.MSVBVM60 ref: 00419084
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 00419090
                            • __vbaStrMove.MSVBVM60 ref: 0041909D
                            • __vbaFreeStrList.MSVBVM60(0000000E,?,?,?,?,00000000,00000000,00000000,?,?,?,?,00000000,00000000,00000000), ref: 004190DD
                            • __vbaStrCat.MSVBVM60(===============DARKCLOUD===============,015B1C0C), ref: 004190F9
                            • __vbaStrMove.MSVBVM60 ref: 00419104
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 00419110
                            • __vbaStrMove.MSVBVM60 ref: 0041911D
                            • __vbaFreeStr.MSVBVM60 ref: 00419126
                            • __vbaStrCopy.MSVBVM60 ref: 0041913B
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041918E
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 004191AB
                            • __vbaStrCat.MSVBVM60(\sitemanager.xml,01590A08), ref: 004191CE
                            • #645.MSVBVM60(00000008,00000000), ref: 004191ED
                            • __vbaStrMove.MSVBVM60 ref: 004191F8
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 00419204
                            • __vbaFreeStr.MSVBVM60 ref: 0041921C
                            • __vbaFreeVar.MSVBVM60 ref: 00419228
                            • __vbaNew2.MSVBVM60(00406D98,00000000), ref: 00419253
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 004192C3
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 004192E0
                            • __vbaStrCat.MSVBVM60(\sitemanager.xml,01590A08), ref: 00419304
                            • __vbaChkstk.MSVBVM60(?), ref: 00419326
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406DA8,000000E8), ref: 0041938E
                            • __vbaFreeVar.MSVBVM60 ref: 004193AC
                            • __vbaNew2.MSVBVM60(00406D98,00000000), ref: 004193C8
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406DA8,000000DC), ref: 0041943A
                            • __vbaObjSet.MSVBVM60(?,?), ref: 00419476
                            • __vbaForEachCollObj.MSVBVM60(00406E88,?,?,00000000), ref: 0041948D
                            • __vbaStrCopy.MSVBVM60 ref: 004194AD
                            • __vbaStrMove.MSVBVM60(?), ref: 004194C1
                            • __vbaStrCopy.MSVBVM60 ref: 004194CF
                            • __vbaStrMove.MSVBVM60 ref: 004194EE
                            • __vbaStrMove.MSVBVM60 ref: 00418831
                              • Part of subcall function 004329F0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,00000002,?,?,?), ref: 00432B3A
                              • Part of subcall function 004329F0: __vbaStrCopy.MSVBVM60 ref: 00432B59
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(00432B9C), ref: 00432B95
                            • __vbaStrMove.MSVBVM60 ref: 004187CA
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,6D10D8B1,00000001,6D0FA323), ref: 00432A33
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?), ref: 00432A69
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00432A74
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,?), ref: 00432A77
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00432A82
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00432A8B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00432AA9
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432AC6
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AD1
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00432AD4
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE0
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE9
                              • Part of subcall function 004329F0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00432B0A
                              • Part of subcall function 004329F0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 00432B1C
                              • Part of subcall function 004329F0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 00432B23
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432B2E
                            • __vbaStrCopy.MSVBVM60 ref: 00418F6C
                            • __vbaStrMove.MSVBVM60(?), ref: 00418F80
                            • __vbaStrCopy.MSVBVM60 ref: 00418F8E
                            • __vbaStrMove.MSVBVM60(00000000), ref: 00418FA2
                            • __vbaStrCopy.MSVBVM60 ref: 00418FB0
                            • __vbaStrMove.MSVBVM60 ref: 00418FCF
                            • __vbaStrCopy.MSVBVM60 ref: 00418FDD
                            • __vbaStrMove.MSVBVM60 ref: 00418FFC
                            • __vbaStrMove.MSVBVM60(?,?,015B1C0C), ref: 0041901A
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00419021
                            • __vbaStrMove.MSVBVM60 ref: 0041902C
                            • __vbaStrCopy.MSVBVM60 ref: 0041810A
                              • Part of subcall function 004338E0: __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                              • Part of subcall function 004338E0: #632.MSVBVM60(?,?,?,?), ref: 00433982
                              • Part of subcall function 004338E0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                              • Part of subcall function 004338E0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                              • Part of subcall function 004338E0: #537.MSVBVM60(00000000), ref: 004339A6
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                              • Part of subcall function 004338E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaStrMove.MSVBVM60(?,?), ref: 00419506
                            • __vbaStrCopy.MSVBVM60 ref: 00419514
                            • __vbaStrMove.MSVBVM60(?), ref: 00419528
                            • __vbaStrCopy.MSVBVM60 ref: 00419536
                            • __vbaStrMove.MSVBVM60 ref: 00419555
                            • __vbaStrMove.MSVBVM60(?,?), ref: 00419570
                            • __vbaStrMove.MSVBVM60(00000000), ref: 00419596
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406E88,00000094), ref: 004195D2
                            • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406E88,00000068), ref: 00419632
                            • __vbaStrMove.MSVBVM60(?), ref: 00419670
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406E88,00000094), ref: 004196AC
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406E88,00000068), ref: 0041970C
                            • __vbaStrCat.MSVBVM60(Url : ftp://,015B1C0C), ref: 00419730
                            • __vbaStrMove.MSVBVM60 ref: 0041973B
                            • __vbaStrCat.MSVBVM60(?,00000000), ref: 00419746
                            • __vbaStrMove.MSVBVM60 ref: 00419751
                            • __vbaStrCat.MSVBVM60(004063CC,00000000), ref: 0041975D
                            • __vbaStrMove.MSVBVM60 ref: 00419768
                            • __vbaStrCat.MSVBVM60(?,00000000), ref: 00419773
                            • __vbaStrMove.MSVBVM60 ref: 0041977E
                            • __vbaStrCat.MSVBVM60(00405E94,00000000), ref: 0041978A
                            • __vbaStrMove.MSVBVM60 ref: 00419795
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 004197A1
                            • __vbaStrMove.MSVBVM60 ref: 004197AE
                            • __vbaFreeStrList.MSVBVM60(00000013,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00419805
                            • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041981E
                            • __vbaStrCopy.MSVBVM60 ref: 00419836
                            • __vbaStrMove.MSVBVM60(?), ref: 0041984A
                            • __vbaStrCopy.MSVBVM60 ref: 00419858
                            • __vbaStrMove.MSVBVM60(?), ref: 0041986C
                            • __vbaStrCopy.MSVBVM60 ref: 0041987A
                            • __vbaStrMove.MSVBVM60 ref: 00419899
                            • __vbaStrMove.MSVBVM60(?,?), ref: 004198B1
                            • __vbaStrCopy.MSVBVM60 ref: 004198BF
                            • __vbaStrMove.MSVBVM60 ref: 004198DE
                            • __vbaStrMove.MSVBVM60(?), ref: 00419904
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406E88,00000094), ref: 00419940
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406E88,00000068), ref: 004199A0
                            • __vbaStrMove.MSVBVM60(?,?,015B1C0C), ref: 004199D0
                            • __vbaStrCat.MSVBVM60(00000000), ref: 004199D7
                            • __vbaStrMove.MSVBVM60 ref: 004199E2
                            • __vbaStrCat.MSVBVM60(?,00000000), ref: 004199ED
                            • __vbaStrMove.MSVBVM60 ref: 004199F8
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 00419A04
                            • __vbaStrMove.MSVBVM60 ref: 00419A11
                            • __vbaFreeStrList.MSVBVM60(0000000E,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00419A51
                            • __vbaFreeObj.MSVBVM60 ref: 00419A60
                            • __vbaStrCopy.MSVBVM60 ref: 00419A75
                            • __vbaStrMove.MSVBVM60(?), ref: 00419A89
                            • __vbaStrCopy.MSVBVM60 ref: 00419A97
                            • __vbaStrMove.MSVBVM60 ref: 00419AB6
                            • __vbaStrMove.MSVBVM60(?,?), ref: 00419ACE
                            • __vbaStrMove.MSVBVM60(?), ref: 00419AF4
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406E88,00000094), ref: 00419B30
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406E88,00000068), ref: 00419B90
                            • __vbaStrMove.MSVBVM60 ref: 00419BC1
                            • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,00000000), ref: 00419BE1
                            • __vbaFreeObj.MSVBVM60 ref: 00419BF0
                            • __vbaAryMove.MSVBVM60(?,?,00000000), ref: 00419C17
                            • __vbaUbound.MSVBVM60(00000001,?), ref: 00419C2A
                            • __vbaStrMove.MSVBVM60(?,?), ref: 00419C4B
                            • __vbaNextEachCollObj.MSVBVM60(00406E88,?,?), ref: 00419C68
                            • __vbaStrCopy.MSVBVM60 ref: 00419C90
                            • __vbaStrMove.MSVBVM60(?), ref: 00419CA4
                            • __vbaStrCopy.MSVBVM60 ref: 00419CB2
                            • __vbaStrMove.MSVBVM60 ref: 00419CD1
                            • __vbaStrMove.MSVBVM60(?,?,015B1C0C), ref: 00419CF0
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00419CF7
                            • __vbaStrMove.MSVBVM60 ref: 00419D02
                            • __vbaStrCat.MSVBVM60(?,00000000), ref: 00419D0D
                            • __vbaStrMove.MSVBVM60 ref: 00419D18
                            • __vbaStrCat.MSVBVM60(Application : FileZilla,004059B4,00000000), ref: 00419D29
                            • __vbaStrMove.MSVBVM60 ref: 00419D34
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00419D3B
                            • __vbaStrMove.MSVBVM60 ref: 00419D46
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 00419D52
                            • __vbaStrMove.MSVBVM60 ref: 00419D5F
                            • __vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,00000000,00000000,00000000,?,00000000), ref: 00419D8B
                            • __vbaStrCat.MSVBVM60(===============DARKCLOUD===============,015B1C0C), ref: 00419DA6
                            • __vbaStrMove.MSVBVM60 ref: 00419DB1
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 00419DBD
                            • __vbaStrMove.MSVBVM60 ref: 00419DCA
                            • __vbaFreeStr.MSVBVM60 ref: 00419DD3
                            • __vbaStrCopy.MSVBVM60 ref: 00419DE8
                            • __vbaFreeObjList.MSVBVM60(00000006,?,?,?,?,?,?,00419F29), ref: 00419ED1
                            • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,?,00000000,00403596), ref: 00419EE3
                            • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,?,00000000,00403596), ref: 00419EF2
                            • __vbaFreeStr.MSVBVM60(?,?,?,00000000,?,00000000,00403596), ref: 00419EFB
                            • __vbaFreeStr.MSVBVM60(?,?,?,00000000,?,00000000,00403596), ref: 00419F04
                            • __vbaFreeObj.MSVBVM60(?,?,?,00000000,?,00000000,00403596), ref: 00419F0D
                            • __vbaFreeObj.MSVBVM60(?,?,?,00000000,?,00000000,00403596), ref: 00419F16
                            • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,?,00000000,00403596), ref: 00419F22
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Free$Copy$CheckHresult$List$Error$BoundsGenerate$CollEachNew2$Chkstk$#645BstrDestructNextUbound$#516#631$#537#608#632
                            • String ID: %$03073D19$0E173432$10160C230B2D341F414845$11063A1D060E23121E2D28524D67240D0A080027$13213B051F35033D381826624D45363F0510320303162F$15233B37023F3D21577745$1821111D$190B1A01192E000A584E52$200B0637$===============DARKCLOUD===============$Application : FileZilla$EIyuuvMofxtrqX$LPvJqomBfwBFrwGtdnoiIVtTJIZWhECCPAwdOaOQEN$OpjuDmInowpQv$Server$Url : ftp://$\accounts.xml$\recentservers.xml$\sitemanager.xml$bShOmYRRVFjmEpscrKsTJAMGjYFvPsZ$eMRtovlciuBGmeetKHUPp$eRQKivVbIQwHBwepViuhjozNacKRVlQTWZpmEgYscq$fEBHDuPOEwMevLOFkJgcMNhE$nFxGFnGaeaYriQLRLpeIQFGW$vEeiQeLYzaresWrkYxPTlpQBojgRRwVez
                            • API String ID: 2863888553-1582059690
                            • Opcode ID: 5c923ce19d5a848d1f0b0731e7e7301965bdb63dbfbefee74258da941578466a
                            • Instruction ID: ec8ef39d752c77f8585ba7e02c22cab714663abd670f4e3d00eeaba223ee7e5d
                            • Opcode Fuzzy Hash: 5c923ce19d5a848d1f0b0731e7e7301965bdb63dbfbefee74258da941578466a
                            • Instruction Fuzzy Hash: 5243F675900218DFDB14DFA0DD98BDEB7B5FB48300F1081AAE50AB72A4DB746A89CF54
                            Function 0043A300 Relevance: 535.5, APIs: 271, Strings: 34, Instructions: 1724COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1658 43a300-43a4da __vbaChkstk __vbaAryConstruct2 __vbaOnError __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStrList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrCopy __vbaStrMove 1669 43a4e8-43a4ee __vbaGenerateBoundsError 1658->1669 1670 43a4dc-43a4e6 1658->1670 1671 43a4f4-43a65e #667 __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrCopy __vbaStrMove 1669->1671 1670->1671 1680 43a660-43a66a 1671->1680 1681 43a66c-43a672 __vbaGenerateBoundsError 1671->1681 1682 43a678-43a7e2 #667 __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrCopy __vbaStrMove 1680->1682 1681->1682 1691 43a7f0-43a7f6 __vbaGenerateBoundsError 1682->1691 1692 43a7e4-43a7ee 1682->1692 1693 43a7fc-43a966 #667 __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrCopy __vbaStrMove 1691->1693 1692->1693 1702 43a974-43a97a __vbaGenerateBoundsError 1693->1702 1703 43a968-43a972 1693->1703 1704 43a980-43aaea #667 __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrCopy __vbaStrMove 1702->1704 1703->1704 1713 43aaf8-43aafe __vbaGenerateBoundsError 1704->1713 1714 43aaec-43aaf6 1704->1714 1715 43ab04-43ac6e #667 __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrCopy __vbaStrMove 1713->1715 1714->1715 1724 43ac70-43ac7a 1715->1724 1725 43ac7c-43ac82 __vbaGenerateBoundsError 1715->1725 1726 43ac88-43adf2 #667 __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrCopy __vbaStrMove 1724->1726 1725->1726 1735 43ae00-43ae06 __vbaGenerateBoundsError 1726->1735 1736 43adf4-43adfe 1726->1736 1737 43ae0c-43af76 #667 __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrCopy __vbaStrMove 1735->1737 1736->1737 1746 43af84-43af8a __vbaGenerateBoundsError 1737->1746 1747 43af78-43af82 1737->1747 1748 43af90-43b0fa #667 __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrCopy __vbaStrMove 1746->1748 1747->1748 1757 43b108-43b10e __vbaGenerateBoundsError 1748->1757 1758 43b0fc-43b106 1748->1758 1759 43b114-43b2af #667 __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 #666 __vbaStrCopy __vbaStrMove call 4329f0 1757->1759 1758->1759 1770 43b2b1-43b2bb 1759->1770 1771 43b2bd-43b2c3 __vbaGenerateBoundsError 1759->1771 1772 43b2c9-43b409 __vbaVarAdd __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaFreeVarList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 #666 1770->1772 1771->1772 1777 43b417-43b41d __vbaGenerateBoundsError 1772->1777 1778 43b40b-43b415 1772->1778 1779 43b423-43b54c __vbaVarAdd __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaFreeVarList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 #666 1777->1779 1778->1779 1784 43b55a-43b560 __vbaGenerateBoundsError 1779->1784 1785 43b54e-43b558 1779->1785 1786 43b566-43b627 __vbaVarAdd __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaFreeVarList 1784->1786 1785->1786 1788 43b920-43b952 __vbaStrCat __vbaStrMove 1786->1788 1789 43b62d-43b645 1786->1789 1792 43b960-43b966 __vbaGenerateBoundsError 1788->1792 1793 43b954-43b95e 1788->1793 1790 43b653-43b659 __vbaGenerateBoundsError 1789->1790 1791 43b647-43b651 1789->1791 1794 43b65f-43b6c2 #645 __vbaStrMove __vbaStrCmp __vbaFreeStr 1790->1794 1791->1794 1795 43b96c-43b9d2 call 43bed0 __vbaStrMove __vbaFreeStrList __vbaStrCat __vbaStrMove 1792->1795 1793->1795 1796 43b914 1794->1796 1797 43b6c8-43b728 #645 __vbaStrMove __vbaStrCmp __vbaFreeStr 1794->1797 1802 43b9e0-43b9e6 __vbaGenerateBoundsError 1795->1802 1803 43b9d4-43b9de 1795->1803 1796->1788 1800 43b73b-43b753 1797->1800 1801 43b72a-43b735 #531 1797->1801 1804 43b761-43b767 __vbaGenerateBoundsError 1800->1804 1805 43b755-43b75f 1800->1805 1801->1800 1806 43b9ec-43ba81 call 43bed0 __vbaStrMove __vbaFreeStrList #645 __vbaStrMove __vbaStrCmp __vbaFreeStr 1802->1806 1803->1806 1807 43b76d-43b77e 1804->1807 1805->1807 1813 43ba83-43bab7 __vbaStrCat __vbaStrMove call 437990 __vbaFreeStr 1806->1813 1814 43babd-43bbed call 405618 Sleep __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove * 2 __vbaStrCat #645 __vbaStrMove __vbaStrCmp __vbaFreeStrList __vbaFreeVar 1806->1814 1809 43b780-43b78a 1807->1809 1810 43b78c-43b792 __vbaGenerateBoundsError 1807->1810 1812 43b798-43b7a9 1809->1812 1810->1812 1815 43b7b7-43b7bd __vbaGenerateBoundsError 1812->1815 1816 43b7ab-43b7b5 1812->1816 1813->1814 1834 43bbf3-43bce3 call 437f00 __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy * 2 call 43c240 __vbaFreeStrList 1814->1834 1835 43bce6-43bd6d __vbaAryDestruct __vbaFreeStr 1814->1835 1817 43b7c3-43b812 __vbaLenBstr #709 1815->1817 1816->1817 1820 43bd83-43bd89 __vbaErrorOverflow 1817->1820 1821 43b818-43b8c8 #619 __vbaStrCat __vbaVarAdd #645 __vbaStrMove __vbaStrCmp __vbaFreeStr __vbaFreeVarList 1817->1821 1824 43b8ca 1821->1824 1825 43b8cc-43b8e4 1821->1825 1824->1796 1827 43b8f2-43b8f8 __vbaGenerateBoundsError 1825->1827 1828 43b8e6-43b8f0 1825->1828 1830 43b8fe-43b90f call 43bd90 1827->1830 1828->1830 1830->1796 1834->1835
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596), ref: 0043A31E
                            • __vbaAryConstruct2.MSVBVM60(?,0040D4CC,00000008,?,00000000,?,00000000,00403596), ref: 0043A350
                            • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00403596), ref: 0043A35F
                            • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00403596), ref: 0043A374
                              • Part of subcall function 004338E0: __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                              • Part of subcall function 004338E0: #632.MSVBVM60(?,?,?,?), ref: 00433982
                              • Part of subcall function 004338E0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                              • Part of subcall function 004338E0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                              • Part of subcall function 004338E0: #537.MSVBVM60(00000000), ref: 004339A6
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                              • Part of subcall function 004338E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaStrMove.MSVBVM60(?,?,00000000,?,00000000,00403596), ref: 0043A388
                            • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00403596), ref: 0043A396
                            • __vbaStrMove.MSVBVM60 ref: 0043A3B5
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,6D10D8B1,00000001,6D0FA323), ref: 00432A33
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?), ref: 00432A69
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00432A74
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,?), ref: 00432A77
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00432A82
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00432A8B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00432AA9
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432AC6
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AD1
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00432AD4
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE0
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE9
                              • Part of subcall function 004329F0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00432B0A
                              • Part of subcall function 004329F0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 00432B1C
                              • Part of subcall function 004329F0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 00432B23
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432B2E
                            • __vbaStrMove.MSVBVM60(?,?,015AC8B4), ref: 0043A3D3
                            • __vbaStrCat.MSVBVM60(00000000), ref: 0043A3DA
                            • __vbaStrMove.MSVBVM60 ref: 0043A3E5
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0043A401
                            • __vbaStrCopy.MSVBVM60(?,?,00000000,?,00000000,00403596), ref: 0043A419
                            • __vbaStrMove.MSVBVM60(?,?,?,00000000,?,00000000,00403596), ref: 0043A42D
                            • __vbaStrCopy.MSVBVM60(?,?,00000000,?,00000000,00403596), ref: 0043A43B
                            • __vbaStrMove.MSVBVM60(?,?,?,00000000,?,00000000,00403596), ref: 0043A44F
                            • __vbaStrCopy.MSVBVM60(?,?,00000000,?,00000000,00403596), ref: 0043A45D
                            • __vbaStrMove.MSVBVM60 ref: 0043A47C
                              • Part of subcall function 004329F0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,00000002,?,?,?), ref: 00432B3A
                              • Part of subcall function 004329F0: __vbaStrCopy.MSVBVM60 ref: 00432B59
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(00432B9C), ref: 00432B95
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?), ref: 0043A4A4
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?), ref: 0043A4C3
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0043A4E8
                            • #667.MSVBVM60(00000008), ref: 0043A4FB
                            • __vbaStrMove.MSVBVM60 ref: 0043A506
                            • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0043A51F
                            • __vbaStrCat.MSVBVM60(00000000), ref: 0043A526
                            • __vbaStrMove.MSVBVM60 ref: 0043A531
                            • __vbaStrCopy.MSVBVM60 ref: 0043A545
                            • __vbaFreeStrList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0043A579
                            • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043A588
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043A59D
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043A5B1
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043A5BF
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043A5D3
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043A5E1
                            • __vbaStrMove.MSVBVM60 ref: 0043A600
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?), ref: 0043A628
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?), ref: 0043A647
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0043A66C
                            • #667.MSVBVM60(00000008), ref: 0043A67F
                            • __vbaStrMove.MSVBVM60 ref: 0043A68A
                            • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0043A6A3
                            • __vbaStrCat.MSVBVM60(00000000), ref: 0043A6AA
                            • __vbaStrMove.MSVBVM60 ref: 0043A6B5
                            • __vbaStrCopy.MSVBVM60 ref: 0043A6C9
                            • __vbaFreeStrList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0043A6FD
                            • __vbaFreeVar.MSVBVM60 ref: 0043A70C
                            • __vbaStrCopy.MSVBVM60 ref: 0043A721
                            • __vbaStrMove.MSVBVM60(?), ref: 0043A735
                            • __vbaStrCopy.MSVBVM60 ref: 0043A743
                            • __vbaStrMove.MSVBVM60(?), ref: 0043A757
                            • __vbaStrCopy.MSVBVM60 ref: 0043A765
                            • __vbaStrMove.MSVBVM60 ref: 0043A784
                            • __vbaStrCopy.MSVBVM60(?,?), ref: 0043A7AC
                            • __vbaStrMove.MSVBVM60 ref: 0043A7CB
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0043A7F0
                            • #667.MSVBVM60(00000008), ref: 0043A803
                            • __vbaStrMove.MSVBVM60 ref: 0043A80E
                            • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0043A827
                            • __vbaStrCat.MSVBVM60(00000000), ref: 0043A82E
                            • __vbaStrMove.MSVBVM60 ref: 0043A839
                            • __vbaStrCopy.MSVBVM60 ref: 0043A84D
                            • __vbaFreeStrList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0043A881
                            • __vbaFreeVar.MSVBVM60 ref: 0043A890
                            • __vbaStrCopy.MSVBVM60 ref: 0043A8A5
                            • __vbaStrMove.MSVBVM60(?), ref: 0043A8B9
                            • __vbaStrCopy.MSVBVM60 ref: 0043A8C7
                            • __vbaStrMove.MSVBVM60(?), ref: 0043A8DB
                            • __vbaStrCopy.MSVBVM60 ref: 0043A8E9
                            • __vbaStrMove.MSVBVM60 ref: 0043A908
                            • __vbaStrCopy.MSVBVM60(?,?), ref: 0043A930
                            • __vbaStrMove.MSVBVM60 ref: 0043A94F
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0043A974
                            • #667.MSVBVM60(00000008), ref: 0043A987
                            • __vbaStrMove.MSVBVM60 ref: 0043A992
                            • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0043A9AB
                            • __vbaStrCat.MSVBVM60(00000000), ref: 0043A9B2
                            • __vbaStrMove.MSVBVM60 ref: 0043A9BD
                            • __vbaStrCopy.MSVBVM60 ref: 0043A9D1
                            • __vbaFreeStrList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0043AA05
                            • __vbaFreeVar.MSVBVM60 ref: 0043AA14
                            • __vbaStrCopy.MSVBVM60 ref: 0043AA29
                            • __vbaStrMove.MSVBVM60(?), ref: 0043AA3D
                            • __vbaStrCopy.MSVBVM60 ref: 0043AA4B
                            • __vbaStrMove.MSVBVM60(?), ref: 0043AA5F
                            • __vbaStrCopy.MSVBVM60 ref: 0043AA6D
                            • __vbaStrMove.MSVBVM60 ref: 0043AA8C
                            • __vbaStrCopy.MSVBVM60(?,?), ref: 0043AAB4
                            • __vbaStrMove.MSVBVM60 ref: 0043AAD3
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0043AAF8
                            • #667.MSVBVM60(00000008), ref: 0043AB0B
                            • __vbaStrMove.MSVBVM60 ref: 0043AB16
                            • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0043AB2F
                            • __vbaStrCat.MSVBVM60(00000000), ref: 0043AB36
                            • __vbaStrMove.MSVBVM60 ref: 0043AB41
                            • __vbaStrCopy.MSVBVM60 ref: 0043AB55
                            • __vbaFreeStrList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0043AB89
                            • __vbaFreeVar.MSVBVM60 ref: 0043AB98
                            • __vbaStrCopy.MSVBVM60 ref: 0043ABAD
                            • __vbaStrMove.MSVBVM60(?), ref: 0043ABC1
                            • __vbaStrCopy.MSVBVM60 ref: 0043ABCF
                            • __vbaStrMove.MSVBVM60(?), ref: 0043ABE3
                            • __vbaStrCopy.MSVBVM60 ref: 0043ABF1
                            • __vbaStrMove.MSVBVM60 ref: 0043AC10
                            • __vbaStrCopy.MSVBVM60(?,?), ref: 0043AC38
                            • __vbaStrMove.MSVBVM60 ref: 0043AC57
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0043AC7C
                            • #667.MSVBVM60(00000008), ref: 0043AC8F
                            • __vbaStrMove.MSVBVM60 ref: 0043AC9A
                            • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0043ACB3
                            • __vbaStrCat.MSVBVM60(00000000), ref: 0043ACBA
                            • __vbaStrMove.MSVBVM60 ref: 0043ACC5
                            • __vbaStrCopy.MSVBVM60 ref: 0043ACD9
                            • __vbaFreeStrList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0043AD0D
                            • __vbaFreeVar.MSVBVM60 ref: 0043AD1C
                            • __vbaStrCopy.MSVBVM60 ref: 0043AD31
                            • __vbaStrMove.MSVBVM60(?), ref: 0043AD45
                            • __vbaStrCopy.MSVBVM60 ref: 0043AD53
                            • __vbaStrMove.MSVBVM60(?), ref: 0043AD67
                            • __vbaStrCopy.MSVBVM60 ref: 0043AD75
                            • __vbaStrMove.MSVBVM60 ref: 0043AD94
                            • __vbaStrCopy.MSVBVM60(?,?), ref: 0043ADBC
                            • __vbaStrMove.MSVBVM60 ref: 0043ADDB
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0043AE00
                            • #667.MSVBVM60(00000008), ref: 0043AE13
                            • __vbaStrMove.MSVBVM60 ref: 0043AE1E
                            • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0043AE37
                            • __vbaStrCat.MSVBVM60(00000000), ref: 0043AE3E
                            • __vbaStrMove.MSVBVM60 ref: 0043AE49
                            • __vbaStrCopy.MSVBVM60 ref: 0043AE5D
                            • __vbaFreeStrList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0043AE91
                            • __vbaFreeVar.MSVBVM60 ref: 0043AEA0
                            • __vbaStrCopy.MSVBVM60 ref: 0043AEB5
                            • __vbaStrMove.MSVBVM60(?), ref: 0043AEC9
                            • __vbaStrCopy.MSVBVM60 ref: 0043AED7
                            • __vbaStrMove.MSVBVM60(?), ref: 0043AEEB
                            • __vbaStrCopy.MSVBVM60 ref: 0043AEF9
                            • __vbaStrMove.MSVBVM60 ref: 0043AF18
                            • __vbaStrCopy.MSVBVM60(?,?), ref: 0043AF40
                            • __vbaStrMove.MSVBVM60 ref: 0043AF5F
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0043AF84
                            • #667.MSVBVM60(00000008), ref: 0043AF97
                            • __vbaStrMove.MSVBVM60 ref: 0043AFA2
                            • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0043AFBB
                            • __vbaStrCat.MSVBVM60(00000000), ref: 0043AFC2
                            • __vbaStrMove.MSVBVM60 ref: 0043AFCD
                            • __vbaStrCopy.MSVBVM60 ref: 0043AFE1
                            • __vbaFreeStrList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0043B015
                            • __vbaFreeVar.MSVBVM60 ref: 0043B024
                            • __vbaStrCopy.MSVBVM60 ref: 0043B039
                            • __vbaStrMove.MSVBVM60(?), ref: 0043B04D
                            • __vbaStrCopy.MSVBVM60 ref: 0043B05B
                            • __vbaStrMove.MSVBVM60(?), ref: 0043B06F
                            • __vbaStrCopy.MSVBVM60 ref: 0043B07D
                            • __vbaStrMove.MSVBVM60 ref: 0043B09C
                            • __vbaStrCopy.MSVBVM60(?,?), ref: 0043B0C4
                            • __vbaStrMove.MSVBVM60 ref: 0043B0E3
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0043B108
                            • #667.MSVBVM60(00000008), ref: 0043B11B
                            • __vbaStrMove.MSVBVM60 ref: 0043B126
                            • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0043B13F
                            • __vbaStrCat.MSVBVM60(00000000), ref: 0043B146
                            • __vbaStrMove.MSVBVM60 ref: 0043B151
                            • __vbaStrCopy.MSVBVM60 ref: 0043B165
                            • __vbaFreeStrList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0043B199
                            • __vbaFreeVar.MSVBVM60 ref: 0043B1A8
                            • __vbaStrCopy.MSVBVM60 ref: 0043B1BD
                            • __vbaStrMove.MSVBVM60(?), ref: 0043B1D1
                            • __vbaStrCopy.MSVBVM60 ref: 0043B1DF
                            • __vbaStrMove.MSVBVM60(?), ref: 0043B1F3
                            • __vbaStrCopy.MSVBVM60 ref: 0043B201
                            • __vbaStrMove.MSVBVM60 ref: 0043B220
                            • #666.MSVBVM60(?,00000008,?,?), ref: 0043B24E
                            • __vbaStrCopy.MSVBVM60 ref: 0043B25C
                            • __vbaStrMove.MSVBVM60 ref: 0043B27B
                            • __vbaGenerateBoundsError.MSVBVM60(?,?), ref: 0043B2BD
                            • __vbaVarAdd.MSVBVM60(?,00000008,?), ref: 0043B2DE
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 0043B2E5
                            • __vbaStrMove.MSVBVM60 ref: 0043B2F0
                            • __vbaStrCopy.MSVBVM60 ref: 0043B304
                            • __vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,00000000,00000000), ref: 0043B330
                            • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,00000008,?), ref: 0043B357
                            • __vbaStrCopy.MSVBVM60 ref: 0043B36F
                            • __vbaStrMove.MSVBVM60(?), ref: 0043B383
                            • __vbaStrCopy.MSVBVM60 ref: 0043B391
                            • __vbaStrMove.MSVBVM60 ref: 0043B3B0
                            • #666.MSVBVM60(?,00000008,?,?), ref: 0043B3DE
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0043B417
                            • __vbaVarAdd.MSVBVM60(00000008,00000008,?), ref: 0043B438
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 0043B43F
                            • __vbaStrMove.MSVBVM60 ref: 0043B44A
                            • __vbaStrCopy.MSVBVM60 ref: 0043B45E
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0043B47A
                            • __vbaFreeVarList.MSVBVM60(00000003,00000008,?,00000008), ref: 0043B49A
                            • __vbaStrCopy.MSVBVM60 ref: 0043B4B2
                            • __vbaStrMove.MSVBVM60(?), ref: 0043B4C6
                            • __vbaStrCopy.MSVBVM60 ref: 0043B4D4
                            • __vbaStrMove.MSVBVM60 ref: 0043B4F3
                            • #666.MSVBVM60(?,00000008,?,?), ref: 0043B521
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0043B55A
                            • __vbaVarAdd.MSVBVM60(00000008,00000008,?), ref: 0043B57B
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 0043B582
                            • __vbaStrMove.MSVBVM60 ref: 0043B58D
                            • __vbaStrCopy.MSVBVM60 ref: 0043B5A1
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0043B5BD
                            • __vbaFreeVarList.MSVBVM60(00000003,00000008,?,00000008), ref: 0043B5DD
                            • #645.MSVBVM60(00004008,00000010), ref: 0043B684
                            • __vbaStrMove.MSVBVM60 ref: 0043B68F
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 0043B69B
                            • __vbaFreeStr.MSVBVM60 ref: 0043B6B3
                            • #645.MSVBVM60(00004008,00000010), ref: 0043B6EB
                            • __vbaStrMove.MSVBVM60 ref: 0043B6F6
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 0043B702
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Copy$Free$List$Error$BoundsGenerate$#667$#666Bstr$#516#631#645$#537#608#632ChkstkConstruct2
                            • String ID: #$0A14130E2D140E1E1B14023F01393F2A0310$0A3704072206313525182628$13021B1C221932$14351F1531191F232910122E352F203F07$150C2704280C111D0F1D1124387738030408070B2D3F092C302D0F2A26$17392101382C22313139033808221E033F1134381D13381C$18250D040E0B2004221D3A3124713802393A3631352925293537250D04$282A1B260E2A3E020B$2B130427002A0B$2C2B0E2806231C083030192F2032543B161E3E1D1938$2F3426021126$3116220D241D21142A0F050B2514$330A3E211B2D3D1A2A1C2631322647292824$39200C0740040C2904061B29743A0C3F33261F1B0D330E36000D291332391F083A1C53440706012E19110B34387E01223D1F3A110B$DC-CWs$FKzNhVCOXmzlQfMsjcfUTqvLoIgQFjp$KVQgfHfkkvHiZxJKEquVbZFZenLhuofSSt$PoILXkYRMKpJTFUiSATwFLe$PtHbRkIQkelKh$YsnEcbNOGeFwqdzxqkfaUeRREMdUtIBfq$\ChromeMetaMaskVaultData.txt$\EdgeMetaMaskVaultData.txt$\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn$\Microsoft\Edge\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm$aIKReZhpACrrETWkwkzflHceIFHcNDnhW$hmUPtTiNCKcinQgVrSoTveyLLPOUrODL$jHpspRmmVDLeOYCEKtkqHqmJrjZQeMqeG$lwRvJoXrmPaRifdTDKpsMuPpQGTgEWvryMMAatrnosp$meCcjnheKatoPZPmGKzVuiVvSdIkOTPs$nFxGFnGaeaYriQLRLpeIQFGW$wDDykcbCXnrYPHQkvVHWVPuILCRIifGdVrNnNFTGRqd$yRrkXCmSqJimRlFbxNcOlNu$ypnvGbVoTUHvKUAzLwrRxmd
                            • API String ID: 566692647-2793011459
                            • Opcode ID: 7727b5ffa8ed716cead4e8fad70bd89df6cc0273b04fd6ca67c8c087626c22dd
                            • Instruction ID: ca65e2e4560e87108208ee7dadd446a5f2010d1f0742302f143cd0fd36dcae9b
                            • Opcode Fuzzy Hash: 7727b5ffa8ed716cead4e8fad70bd89df6cc0273b04fd6ca67c8c087626c22dd
                            • Instruction Fuzzy Hash: 9303F7B5D00219DBDB14DFE0DE48ADEB7B8FB48301F1081AAE506B7264EB745A49CF94
                            Function 00438630 Relevance: 470.7, APIs: 238, Strings: 30, Instructions: 1669COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1845 438630-4387ac __vbaChkstk __vbaAryConstruct2 __vbaOnError __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove * 2 __vbaStrCat #645 __vbaStrMove __vbaStrCmp __vbaFreeStrList __vbaFreeVar 1850 438862-43891f __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 #666 1845->1850 1851 4387b2-43885f __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove #531 __vbaFreeStrList 1845->1851 1860 438921-43892b 1850->1860 1861 43892d-438933 __vbaGenerateBoundsError 1850->1861 1851->1850 1862 438939-438a7e __vbaVarAdd * 2 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaFreeVarList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 #666 1860->1862 1861->1862 1867 438a80-438a8a 1862->1867 1868 438a8c-438a92 __vbaGenerateBoundsError 1862->1868 1869 438a98-438bd5 __vbaVarCat __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaFreeVarList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 #666 1867->1869 1868->1869 1874 438be3-438be9 __vbaGenerateBoundsError 1869->1874 1875 438bd7-438be1 1869->1875 1876 438bef-438d48 __vbaVarAdd * 2 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaFreeVarList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 #666 1874->1876 1875->1876 1881 438d56-438d5c __vbaGenerateBoundsError 1876->1881 1882 438d4a-438d54 1876->1882 1883 438d62-438e3f __vbaVarAdd * 2 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaFreeVarList 1881->1883 1882->1883 1885 439ab6-439ac5 1883->1885 1886 438e45-438f62 __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove * 2 __vbaStrCat __vbaStrMove 1883->1886 1887 439bc5-439cf4 call 405618 Sleep __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove * 2 __vbaStrCat #645 __vbaStrMove __vbaStrCmp __vbaFreeStrList __vbaFreeVar 1885->1887 1888 439acb-439b95 __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove * 2 __vbaStrCat __vbaStrMove call 437990 1885->1888 1912 438f70-438f76 __vbaGenerateBoundsError 1886->1912 1913 438f64-438f6e 1886->1913 1909 439cfa-439e58 __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove call 437f00 __vbaFreeStrList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy * 2 call 43c240 1887->1909 1910 439e8c-439f0e __vbaAryDestruct 1887->1910 1907 439b9a-439bc2 __vbaFreeStrList 1888->1907 1907->1887 1936 439e5d-439e89 __vbaFreeStrList 1909->1936 1915 438f7c-4390ef call 439f30 __vbaFreeStrList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove * 2 __vbaStrCat __vbaStrMove 1912->1915 1913->1915 1937 4390f1-4390fb 1915->1937 1938 4390fd-439103 __vbaGenerateBoundsError 1915->1938 1936->1910 1939 439109-43927c call 439f30 __vbaFreeStrList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove * 2 __vbaStrCat __vbaStrMove 1937->1939 1938->1939 1950 43928a-439290 __vbaGenerateBoundsError 1939->1950 1951 43927e-439288 1939->1951 1952 439296-439408 call 439f30 __vbaFreeStrList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove * 2 __vbaStrCat __vbaStrMove 1950->1952 1951->1952 1963 439416-43941c __vbaGenerateBoundsError 1952->1963 1964 43940a-439414 1952->1964 1965 439422-439595 call 439f30 __vbaFreeStrList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove * 2 __vbaStrCat __vbaStrMove 1963->1965 1964->1965 1976 4395a3-4395a9 __vbaGenerateBoundsError 1965->1976 1977 439597-4395a1 1965->1977 1978 4395af-439722 call 439f30 __vbaFreeStrList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove * 2 __vbaStrCat __vbaStrMove 1976->1978 1977->1978 1989 439730-439736 __vbaGenerateBoundsError 1978->1989 1990 439724-43972e 1978->1990 1991 43973c-4398ae call 439f30 __vbaFreeStrList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove * 2 __vbaStrCat __vbaStrMove 1989->1991 1990->1991 2002 4398b0-4398ba 1991->2002 2003 4398bc-4398c2 __vbaGenerateBoundsError 1991->2003 2004 4398c8-439a3b call 439f30 __vbaFreeStrList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove * 2 __vbaStrCat __vbaStrMove 2002->2004 2003->2004 2015 439a49-439a4f __vbaGenerateBoundsError 2004->2015 2016 439a3d-439a47 2004->2016 2017 439a55-439a6a call 439f30 2015->2017 2016->2017 2019 439a6f-439aaa __vbaFreeStrList 2017->2019 2019->1885
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596), ref: 0043864E
                            • __vbaAryConstruct2.MSVBVM60(?,0040CDA0,00000008,?,00000000,?,00000000,00403596), ref: 00438680
                            • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00403596), ref: 0043868F
                            • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00403596), ref: 004386A4
                              • Part of subcall function 004338E0: __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                              • Part of subcall function 004338E0: #632.MSVBVM60(?,?,?,?), ref: 00433982
                              • Part of subcall function 004338E0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                              • Part of subcall function 004338E0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                              • Part of subcall function 004338E0: #537.MSVBVM60(00000000), ref: 004339A6
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                              • Part of subcall function 004338E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaStrMove.MSVBVM60(?,?,00000000,?,00000000,00403596), ref: 004386B8
                            • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00403596), ref: 004386C6
                            • __vbaStrMove.MSVBVM60 ref: 004386E5
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,6D10D8B1,00000001,6D0FA323), ref: 00432A33
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?), ref: 00432A69
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00432A74
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,?), ref: 00432A77
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00432A82
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00432A8B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00432AA9
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432AC6
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AD1
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00432AD4
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE0
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE9
                              • Part of subcall function 004329F0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00432B0A
                              • Part of subcall function 004329F0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 00432B1C
                              • Part of subcall function 004329F0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 00432B23
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432B2E
                            • __vbaStrMove.MSVBVM60(?,?), ref: 004386FD
                            • __vbaStrMove.MSVBVM60(015AC8B4), ref: 00438722
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00438729
                            • #645.MSVBVM60(00000008,00000010), ref: 00438745
                            • __vbaStrMove.MSVBVM60 ref: 00438750
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 0043875C
                            • __vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,00000000,?), ref: 0043878E
                            • __vbaFreeVar.MSVBVM60(?,?,?,?,00000000,?,00000000,00403596), ref: 0043879D
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,00000000,?,00000000,00403596), ref: 004387C1
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,00000000,?,00000000,00403596), ref: 004387D5
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,00000000,?,00000000,00403596), ref: 004387E3
                            • __vbaStrMove.MSVBVM60 ref: 00438802
                              • Part of subcall function 004329F0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,00000002,?,?,?), ref: 00432B3A
                              • Part of subcall function 004329F0: __vbaStrCopy.MSVBVM60 ref: 00432B59
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(00432B9C), ref: 00432B95
                            • __vbaStrMove.MSVBVM60(?,?,015AC8B4), ref: 00438820
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00438827
                            • __vbaStrMove.MSVBVM60 ref: 00438832
                            • #531.MSVBVM60(00000000), ref: 00438839
                            • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,00000000), ref: 00438859
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,00000000,?,00000000,00403596), ref: 00438871
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,00000000,?,00000000,00403596), ref: 00438885
                            • __vbaStrCopy.MSVBVM60 ref: 004388A7
                            • __vbaStrMove.MSVBVM60 ref: 004388C6
                            • #666.MSVBVM60(?,00000008,?,?), ref: 004388F4
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0043892D
                            • __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0043894E
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 00438963
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 0043896A
                            • __vbaStrMove.MSVBVM60 ref: 00438975
                            • __vbaStrCopy.MSVBVM60 ref: 00438989
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 004389A5
                            • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004389CC
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004389E4
                            • __vbaStrMove.MSVBVM60(?), ref: 004389F8
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00438A06
                            • __vbaStrMove.MSVBVM60 ref: 00438A25
                            • #666.MSVBVM60(?,00000008), ref: 00438A53
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00438A8C
                            • __vbaVarCat.MSVBVM60(?,00000008,?), ref: 00438AAD
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 00438AB4
                            • __vbaStrMove.MSVBVM60 ref: 00438ABF
                            • __vbaStrCopy.MSVBVM60 ref: 00438AD3
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00438AEF
                            • __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?), ref: 00438B0F
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 00438B27
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?), ref: 00438B3B
                            • __vbaStrCopy.MSVBVM60 ref: 00438B5D
                            • __vbaStrMove.MSVBVM60 ref: 00438B7C
                            • #666.MSVBVM60(?,00000008,?,?), ref: 00438BAA
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00438BE3
                            • __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 00438C04
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 00438C19
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 00438C20
                            • __vbaStrMove.MSVBVM60 ref: 00438C2B
                            • __vbaStrCopy.MSVBVM60 ref: 00438C3F
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00438C5B
                            • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 00438C82
                            • __vbaStrCopy.MSVBVM60 ref: 00438C9A
                            • __vbaStrMove.MSVBVM60(?), ref: 00438CAE
                            • __vbaStrCopy.MSVBVM60 ref: 00438CD0
                            • __vbaStrMove.MSVBVM60 ref: 00438CEF
                            • #666.MSVBVM60(?,00000008,?,?), ref: 00438D1D
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00438D56
                            • __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 00438D77
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 00438D8C
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 00438D93
                            • __vbaStrMove.MSVBVM60 ref: 00438D9E
                            • __vbaStrCopy.MSVBVM60 ref: 00438DB2
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00438DCE
                            • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 00438DF5
                            • __vbaStrCopy.MSVBVM60 ref: 00438E54
                            • __vbaStrMove.MSVBVM60(?), ref: 00438E68
                            • __vbaStrCopy.MSVBVM60 ref: 00438E76
                            • __vbaStrMove.MSVBVM60 ref: 00438E95
                            • __vbaStrMove.MSVBVM60(?,?), ref: 00438EAD
                            • __vbaStrCopy.MSVBVM60 ref: 00438EBB
                            • __vbaStrMove.MSVBVM60(00000000), ref: 00438ECF
                            • __vbaStrCopy.MSVBVM60 ref: 00438EDD
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Copy$Free$List$Error$#666BoundsGenerate$Bstr$#516#631$#531#537#608#632#645ChkstkConstruct2
                            • String ID: 0D2919$101933$11141D03131F3F$13021B1C221932$18212E$1A3D2F$1A3E2E2A0B34$1E1C352A18270A15$23101B$2A1E1820$2C21301B$3E2E0E$3F023C220B0368223806$C:\Users\$CuEjLYSJFCMxg$DC-FG$DWhowwyQAEnhKHugPsvLp$HjUHXTpmPAe$McDUNnpFXQv$PoILXkYRMKpJTFUiSATwFLe$THNSchqcZYfeRN$XtvPYCGvJUBjfEItYVlkmix$\Documents$\Favorites$\Microsoft\Windows\Recent$aNJhYZRoZXnsSmVgILaxfqFOkfnQfHnzrw$eMRtovlciuBGmeetKHUPp$nFxGFnGaeaYriQLRLpeIQFGW$uKOpxVfGPojaWlGmQXDxwDxNMuhoHFdoFUMMiOFTSMZm$yRrkXCmSqJimRlFbxNcOlNu
                            • API String ID: 3302702686-4136045262
                            • Opcode ID: 6164029a8e2fd4eca431a495f8fd332f28126423982c2f922ff63a2d672a8065
                            • Instruction ID: 0ba195c7ee51c64c6ae8dc449dd40356d1c2c3a3563cfe6a6de6b8336ce0c719
                            • Opcode Fuzzy Hash: 6164029a8e2fd4eca431a495f8fd332f28126423982c2f922ff63a2d672a8065
                            • Instruction Fuzzy Hash: 60F2F9B1D00219DBDB14DFD0DD98ADEB7B9BF48300F1081AAE506BB164EB746A49CF94
                            Function 0041201E Relevance: 444.9, APIs: 230, Strings: 23, Instructions: 2110COMMON
                            Download Yara Rule
                            APIs
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 004120AA
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 004120C7
                            • __vbaStrCat.MSVBVM60(00405AFC,01590768), ref: 004120EB
                            • __vbaStrMove.MSVBVM60 ref: 004120F9
                            • __vbaAryMove.MSVBVM60(00442068,?,?,00442064), ref: 00412122
                            • __vbaFreeStr.MSVBVM60 ref: 0041212E
                            • __vbaUbound.MSVBVM60(00000001,01590A98), ref: 00412159
                            • __vbaI2I4.MSVBVM60 ref: 00412161
                            • __vbaStrCopy.MSVBVM60 ref: 004121C2
                            • __vbaStrMove.MSVBVM60(?), ref: 004121DC
                            • __vbaStrCopy.MSVBVM60 ref: 004121ED
                            • __vbaStrMove.MSVBVM60 ref: 00412215
                            • __vbaStrMove.MSVBVM60(?,?), ref: 00412236
                            • __vbaStrMove.MSVBVM60(01590A98), ref: 004122E1
                            • __vbaStrCat.MSVBVM60(00000000), ref: 004122E8
                            • __vbaUbound.MSVBVM60(00000001,01590A08), ref: 00414818
                            • __vbaI2I4.MSVBVM60 ref: 00414820
                            • __vbaStrCat.MSVBVM60(00405AFC,01590A08), ref: 0041490E
                            • __vbaStrMove.MSVBVM60 ref: 0041491C
                            • __vbaAryMove.MSVBVM60(00442068,?,?,00442064), ref: 00414945
                            • __vbaFreeStr.MSVBVM60 ref: 00414951
                            • __vbaUbound.MSVBVM60(00000001,01590A98), ref: 0041497C
                            • __vbaI2I4.MSVBVM60 ref: 00414984
                            • __vbaStrCopy.MSVBVM60 ref: 004149E4
                            • __vbaStrMove.MSVBVM60(?), ref: 004149FE
                            • __vbaStrCopy.MSVBVM60 ref: 00414A0F
                            • __vbaStrMove.MSVBVM60 ref: 00414A37
                            • __vbaErrorOverflow.MSVBVM60 ref: 00417877
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Copy$ErrorUbound$BoundsFreeGenerate$Overflow
                            • String ID: 0B1D1C120557322E2B08012C$1$10160C230B2D341F414845$15233B37023F3D21577745$2A22203D2119071E31293967544536013B05112226$2C0F16001B075814362331$2F08313F160C35261400380F1B396407162235$5A6A19292D27232824163809221820576B0C202F342D2C150264286A1C2D35262F$7D5D183D37193A1F2D322D3C0D2B074569332E1F3D021620164C056C1B321D3F0C$===============DARKCLOUD===============$CuEjLYSJFCMxg$DWhowwyQAEnhKHugPsvLp$IpCygrixPWWPfkNPcOapTAzeevxvMTdR$NordVPN$Profiles$\Profiles$\User Data$\User Data\Default\Login Data$dsLTYwyYRHLWhrWDCwVTfAIhaTFvmqcbQLVEXeGdOWt$fEBHDuPOEwMevLOFkJgcMNhE$tkRPQHzfjXFWGnexnIaGrh$vEeiQeLYzaresWrkYxPTlpQBojgRRwVez$yRrkXCmSqJimRlFbxNcOlNu
                            • API String ID: 2627448202-3308014715
                            • Opcode ID: ab0feb16fa07771f8cef7d1586e5cae035c4590b89a76927b2d3b39152b40ccb
                            • Instruction ID: 820eb550d869cfb9b2f08044c9643a9ceceae14bbc8876351db2e6afaf2d57c9
                            • Opcode Fuzzy Hash: ab0feb16fa07771f8cef7d1586e5cae035c4590b89a76927b2d3b39152b40ccb
                            • Instruction Fuzzy Hash: AC33F974A00218DFDB24DF54DE88BDAB7B5BB49300F1081EAE54AA7260DB745EC9CF58
                            Function 00412182 Relevance: 434.3, APIs: 224, Strings: 23, Instructions: 2050COMMON
                            Download Yara Rule
                            APIs
                            • __vbaStrCopy.MSVBVM60 ref: 004121C2
                              • Part of subcall function 004338E0: __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                              • Part of subcall function 004338E0: #632.MSVBVM60(?,?,?,?), ref: 00433982
                              • Part of subcall function 004338E0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                              • Part of subcall function 004338E0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                              • Part of subcall function 004338E0: #537.MSVBVM60(00000000), ref: 004339A6
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                              • Part of subcall function 004338E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaStrMove.MSVBVM60(?), ref: 004121DC
                            • __vbaStrCopy.MSVBVM60 ref: 004121ED
                            • __vbaStrMove.MSVBVM60 ref: 00412215
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,6D10D8B1,00000001,6D0FA323), ref: 00432A33
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?), ref: 00432A69
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00432A74
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,?), ref: 00432A77
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00432A82
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00432A8B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00432AA9
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432AC6
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AD1
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00432AD4
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE0
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE9
                              • Part of subcall function 004329F0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00432B0A
                              • Part of subcall function 004329F0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 00432B1C
                              • Part of subcall function 004329F0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 00432B23
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432B2E
                            • __vbaStrMove.MSVBVM60(?,?), ref: 00412236
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00412284
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 004122A1
                            • __vbaStrMove.MSVBVM60(01590A98), ref: 004122E1
                            • __vbaStrCat.MSVBVM60(00000000), ref: 004122E8
                            • #645.MSVBVM60(00000008,00000000), ref: 00412307
                            • __vbaStrMove.MSVBVM60 ref: 00412315
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 00412321
                            • __vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,00000000,00000000), ref: 00412369
                            • __vbaFreeVar.MSVBVM60(?,?,?,?,00000000,?,00000000,00403596), ref: 00412378
                            • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00000000,?,00000000,00403596), ref: 004123DB
                            • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00000000,?,00000000,00403596), ref: 004123F8
                            • #712.MSVBVM60(01590A98,\User Data,00405BB8,00000001,000000FF,00000000,?,?,?,?,00000000,?,00000000,00403596), ref: 00412427
                            • __vbaStrMove.MSVBVM60(?,?,?,?,00000000,?,00000000,00403596), ref: 00412434
                            • __vbaLenBstr.MSVBVM60(015A51AC), ref: 0041245C
                            • #709.MSVBVM60(015A51AC,00405AFC,000000FF,00000000), ref: 00412473
                            • #619.MSVBVM60(?,00004008,00000000), ref: 00412490
                            • __vbaStrVarMove.MSVBVM60(?), ref: 0041249D
                            • __vbaStrMove.MSVBVM60 ref: 004124AA
                            • __vbaFreeVar.MSVBVM60 ref: 004124B6
                            • __vbaStrCopy.MSVBVM60 ref: 004124CE
                            • __vbaStrMove.MSVBVM60(?), ref: 004124E8
                            • __vbaStrCopy.MSVBVM60 ref: 004124F9
                            • __vbaStrMove.MSVBVM60 ref: 00412521
                            • __vbaStrMove.MSVBVM60(?,?), ref: 00412542
                            • __vbaNew2.MSVBVM60(00406A28,00000000), ref: 00412557
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 004125DA
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 004125F7
                            • __vbaStrMove.MSVBVM60(01590A98), ref: 00412638
                            • __vbaStrCat.MSVBVM60(00000000), ref: 0041263F
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406BFC,00000028), ref: 0041269B
                            • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,00000000), ref: 004126DF
                            • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00403596), ref: 004126EE
                            • __vbaStrCat.MSVBVM60(\User Data\Default\Login Data,01590A98,?,?,?,?,00000000,?,00000000,00403596), ref: 00412783
                            • #645.MSVBVM60(00000008,00000000), ref: 004127A2
                            • __vbaStrMove.MSVBVM60 ref: 004127B0
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 004127BC
                            • __vbaFreeStr.MSVBVM60 ref: 004127D7
                            • __vbaFreeVar.MSVBVM60 ref: 004127E3
                            • __vbaErrorOverflow.MSVBVM60 ref: 00417877
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Free$Error$BoundsGenerate$BstrCopy$List$#516#631#645$#537#608#619#632#709#712CheckHresultNew2Overflow
                            • String ID: 0B1D1C120557322E2B08012C$1$10160C230B2D341F414845$15233B37023F3D21577745$2A22203D2119071E31293967544536013B05112226$2C0F16001B075814362331$2F08313F160C35261400380F1B396407162235$5A6A19292D27232824163809221820576B0C202F342D2C150264286A1C2D35262F$7D5D183D37193A1F2D322D3C0D2B074569332E1F3D021620164C056C1B321D3F0C$===============DARKCLOUD===============$CuEjLYSJFCMxg$DWhowwyQAEnhKHugPsvLp$IpCygrixPWWPfkNPcOapTAzeevxvMTdR$NordVPN$Profiles$\Profiles$\User Data$\User Data\Default\Login Data$dsLTYwyYRHLWhrWDCwVTfAIhaTFvmqcbQLVEXeGdOWt$fEBHDuPOEwMevLOFkJgcMNhE$tkRPQHzfjXFWGnexnIaGrh$vEeiQeLYzaresWrkYxPTlpQBojgRRwVez$yRrkXCmSqJimRlFbxNcOlNu
                            • API String ID: 3691625242-3308014715
                            • Opcode ID: 25bfc656fed931a4ad186d14e4d17fbf36a622e3fb97491e593620631cc40ab3
                            • Instruction ID: c7e8687ced11fec1613adea29352e60a707118cc0912a9f23401abbe66924958
                            • Opcode Fuzzy Hash: 25bfc656fed931a4ad186d14e4d17fbf36a622e3fb97491e593620631cc40ab3
                            • Instruction Fuzzy Hash: FE230974A00228DFDB24DF54DE88BDAB7B5BB49300F1081E9E54AB7260DB745AC9CF58
                            Function 0040ED50 Relevance: 430.7, APIs: 210, Strings: 35, Instructions: 1951COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(?,00403596), ref: 0040ED6E
                            • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00403596), ref: 0040EDB5
                            • __vbaLenBstrB.MSVBVM60(0162B774,?,?,?,?,00403596), ref: 0040EDDE
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,00403596), ref: 0040EE0F
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,00403596), ref: 0040EE1D
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,00403596), ref: 0040EE31
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,00403596), ref: 0040EE3F
                            • __vbaStrMove.MSVBVM60 ref: 0040EE58
                            • __vbaStrCopy.MSVBVM60 ref: 0040EE66
                            • __vbaStrCopy.MSVBVM60 ref: 0040EE74
                            • __vbaStrMove.MSVBVM60(00000008,?,00000000), ref: 0040EEC3
                            • __vbaStrCat.MSVBVM60(00000000), ref: 0040EECA
                            • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0040EEEE
                            • __vbaStrCat.MSVBVM60(00000000), ref: 0040EEF5
                            • __vbaStrMove.MSVBVM60 ref: 0040EF00
                            • __vbaStrCat.MSVBVM60(00000000), ref: 0040EF07
                            • __vbaStrMove.MSVBVM60 ref: 0040EF12
                            • __vbaFreeStrList.MSVBVM60(0000000E,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040EF52
                              • Part of subcall function 00437430: __vbaChkstk.MSVBVM60(?,00403596,?,?,?,0041759F,?,00442038), ref: 0043744E
                              • Part of subcall function 00437430: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00403596), ref: 0043747E
                              • Part of subcall function 00437430: #648.MSVBVM60(0000000A), ref: 004374A4
                              • Part of subcall function 00437430: __vbaFreeVar.MSVBVM60 ref: 004374B1
                              • Part of subcall function 00437430: __vbaFileOpen.MSVBVM60(00000220,000000FF,?), ref: 004374D0
                              • Part of subcall function 00437430: __vbaPut3.MSVBVM60(00000000,00000000,?), ref: 004374E8
                              • Part of subcall function 00437430: __vbaFileClose.MSVBVM60(?), ref: 004374FA
                            • __vbaStrCopy.MSVBVM60(?,00442084), ref: 0040EF7F
                            • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?), ref: 0040EFB2
                            • __vbaStrCopy.MSVBVM60 ref: 0040EFE4
                            • __vbaStrCat.MSVBVM60(\KeyData.Log,015AC8B4), ref: 0040EFFF
                            • __vbaStrMove.MSVBVM60 ref: 0040F00A
                            • __vbaFreeStr.MSVBVM60(?,00442084), ref: 0040F021
                            • __vbaStrCopy.MSVBVM60 ref: 0040F038
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403596), ref: 0040EF8D
                              • Part of subcall function 0043C240: __vbaOnError.MSVBVM60(00000001), ref: 0043C2DC
                              • Part of subcall function 0043C240: __vbaStrCopy.MSVBVM60 ref: 0043C2F0
                              • Part of subcall function 0043C240: __vbaStrMove.MSVBVM60(?), ref: 0043C306
                              • Part of subcall function 0043C240: __vbaStrCopy.MSVBVM60 ref: 0043C310
                              • Part of subcall function 0043C240: __vbaStrMove.MSVBVM60 ref: 0043C31B
                              • Part of subcall function 0043C240: __vbaStrMove.MSVBVM60(?,?), ref: 0043C32F
                              • Part of subcall function 0043C240: __vbaStrMove.MSVBVM60(00000000), ref: 0043C33B
                              • Part of subcall function 0043C240: #716.MSVBVM60(?,00000000), ref: 0043C342
                              • Part of subcall function 0043C240: __vbaVarSetVar.MSVBVM60(?,?), ref: 0043C350
                              • Part of subcall function 0043C240: __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 0043C370
                              • Part of subcall function 0043C240: __vbaStrCopy.MSVBVM60 ref: 0043C381
                            • __vbaStrMove.MSVBVM60 ref: 0040EED5
                              • Part of subcall function 004329F0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,00000002,?,?,?), ref: 00432B3A
                              • Part of subcall function 004329F0: __vbaStrCopy.MSVBVM60 ref: 00432B59
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(00432B9C), ref: 00432B95
                            • __vbaStrMove.MSVBVM60(?,?,015AC8B4), ref: 0040EEAC
                              • Part of subcall function 00437750: __vbaStrCopy.MSVBVM60 ref: 00437795
                              • Part of subcall function 00437750: #594.MSVBVM60(?), ref: 004377B8
                              • Part of subcall function 00437750: __vbaFreeVar.MSVBVM60 ref: 004377C1
                              • Part of subcall function 00437750: __vbaStr2Vec.MSVBVM60(?), ref: 004377D1
                              • Part of subcall function 00437750: __vbaAryMove.MSVBVM60(?,?), ref: 004377DF
                              • Part of subcall function 00437750: __vbaLenBstr.MSVBVM60 ref: 004377E8
                              • Part of subcall function 00437750: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00402EF7,00000000), ref: 00437820
                              • Part of subcall function 00437750: #593.MSVBVM60(0000000A), ref: 00437843
                              • Part of subcall function 00437750: __vbaFpI4.MSVBVM60 ref: 0043786F
                              • Part of subcall function 00437750: __vbaGenerateBoundsError.MSVBVM60 ref: 0043788F
                            • __vbaStrMove.MSVBVM60 ref: 0040EE8D
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,6D10D8B1,00000001,6D0FA323), ref: 00432A33
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?), ref: 00432A69
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00432A74
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,?), ref: 00432A77
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00432A82
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00432A8B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00432AA9
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432AC6
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AD1
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00432AD4
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE0
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE9
                              • Part of subcall function 004329F0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00432B0A
                              • Part of subcall function 004329F0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 00432B1C
                              • Part of subcall function 004329F0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 00432B23
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432B2E
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,00403596), ref: 0040EDFB
                              • Part of subcall function 004338E0: __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                              • Part of subcall function 004338E0: #632.MSVBVM60(?,?,?,?), ref: 00433982
                              • Part of subcall function 004338E0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                              • Part of subcall function 004338E0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                              • Part of subcall function 004338E0: #537.MSVBVM60(00000000), ref: 004339A6
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                              • Part of subcall function 004338E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaFreeStr.MSVBVM60(0040F0B9,?,?,?,?,00403596), ref: 0040F0B2
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Free$Copy$BstrList$Error$#516#631ChkstkFile$#537#593#594#608#632#648#716BoundsCloseGenerateOpenPut3RedimStr2
                            • String ID: .BMP$08392D04263012$0C28632139303A31350934193B$0C331C0A0D3E30281F1C223825$10110A17200A1319$1624061621$1D0D3A3424310B1D$1E1C352A18270A15$223F0231170F233A1B123033$251D08123A181D112D252913$31240401170C2703131D1C$32003B022C082D22$3A213536071329$3C0C3E3C281D0A0C2410$56321433$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz$Add$BOAezyQgIspGLVNiHNHvleLmQsVUunyK$CKVBoOUaMcDUJGOHGJvFjNc$DC-KL$DC-SC$FooLYMsydKdRNBihulsNisUDLbnJcmksK$LxFlGmSSPNEhJ$Remove$TPhIGEVnnDAcxBmquNLKnxUzhkIueKypvOtCpKegGKCE$ZRVaerbSjrqolGOtJhLqYsgeQEuJfMgr$\KeyData.Log$\Screenshot$bZjMqPSNDGlvvCdoXVxTd$bfREBoLXCcddVfJhnFXyYuXxpQJIQoDsWClnUWyuUW$eqoUvMkYQUbSu$fPMjsRvSvSZvbiRQuLuLkdqnSERSXTtkj$rqDLrfgHeMXtBIJNQMVTnpL$tLZondkgxEG$uKOpxVfGPojaWlGmQXDxwDxNMuhoHFdoFUMMiOFTSMZm
                            • API String ID: 130171941-1378242600
                            • Opcode ID: 57add1465d1f9d373afbb8a3d50a572fedabde4a6a06b4703fe9a06f7630b232
                            • Instruction ID: bb112831dedae74da4df7ac30fef1a23e5e68131a816cff9cd201a8bf64513aa
                            • Opcode Fuzzy Hash: 57add1465d1f9d373afbb8a3d50a572fedabde4a6a06b4703fe9a06f7630b232
                            • Instruction Fuzzy Hash: FB130CB5900218DFDB14DFA4D948BDEBBB5FF48304F1081AAE50AB72A0DB745A89CF54
                            Function 0043DD00 Relevance: 342.4, APIs: 176, Strings: 19, Instructions: 1182COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 3636 43dd00-43dee5 __vbaChkstk __vbaOnError __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 #666 __vbaVarAdd __vbaStrVarMove __vbaStrMove __vbaFreeStrList __vbaFreeVarList #645 __vbaStrMove __vbaStrCmp __vbaFreeStr 3641 43f0e6-43f1c7 __vbaAryUnlock __vbaFreeVar __vbaAryDestruct __vbaFreeVar __vbaFreeStr __vbaFreeVar * 4 __vbaFreeStr 3636->3641 3642 43deeb-43df64 __vbaStrCat __vbaStrMove call 433f70 __vbaAryMove __vbaFreeStr 3636->3642 3646 43df66 3642->3646 3647 43df6b-43df99 __vbaForEachAry 3642->3647 3646->3641 3648 43f0d9-43f0e0 3647->3648 3648->3641 3649 43df9e-43e0f7 __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaVarCat #645 __vbaStrMove __vbaStrCmp __vbaFreeStrList __vbaFreeVarList 3648->3649 3654 43f0b2-43f0d3 __vbaNextEachAry 3649->3654 3655 43e0fd-43e2d5 #716 __vbaVarZero __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrCat __vbaVarCat __vbaChkstk * 2 __vbaObjVar __vbaLateMemCall __vbaFreeStrList __vbaFreeVarList 3649->3655 3654->3648 3660 43e644-43e6b4 __vbaStrCat __vbaStrMove __vbaStrToAnsi call 409168 __vbaSetSystemError __vbaFreeStrList 3655->3660 3661 43e2db-43e357 __vbaStrCat __vbaStrMove call 43dac0 __vbaFreeStr __vbaStrCopy call 43d900 __vbaFreeStr 3655->3661 3667 43f05a-43f06a call 4091b0 __vbaSetSystemError 3660->3667 3668 43e6ba-43e787 __vbaStrToAnsi * 2 call 4091fc __vbaSetSystemError __vbaStrToUnicode __vbaVarMove __vbaFreeStrList call 409298 __vbaSetSystemError #558 3660->3668 3674 43e35d-43e383 call 409410 __vbaSetSystemError 3661->3674 3676 43f070-43f0ac __vbaStrCat #529 __vbaFreeVar 3667->3676 3680 43e98e-43ea5b __vbaStrToAnsi * 2 call 4091fc __vbaSetSystemError __vbaStrToUnicode __vbaVarMove __vbaFreeStrList call 409298 __vbaSetSystemError #558 3668->3680 3681 43e78d-43e7b2 call 409298 __vbaSetSystemError 3668->3681 3682 43e3f6-43e42d __vbaStrCopy call 43d900 __vbaFreeStr 3674->3682 3683 43e385-43e3f1 call 43d6f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStrList 3674->3683 3676->3654 3699 43ec62-43ed2f __vbaStrToAnsi * 2 call 4091fc __vbaSetSystemError __vbaStrToUnicode __vbaVarMove __vbaFreeStrList call 409298 __vbaSetSystemError #558 3680->3699 3700 43ea61-43ea86 call 409298 __vbaSetSystemError 3680->3700 3693 43e7b8-43e7f6 __vbaI2I4 3681->3693 3694 43f1dc-43f1e2 __vbaErrorOverflow 3681->3694 3692 43e433-43e459 call 409410 __vbaSetSystemError 3682->3692 3683->3674 3704 43e531-43e568 __vbaStrCopy call 43d900 __vbaFreeStr 3692->3704 3705 43e45f-43e52c call 43d6f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove call 43d6f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStrList 3692->3705 3693->3680 3702 43e7fc-43e8f6 __vbaChkstk * 2 __vbaVarIndexLoad __vbaVarMove __vbaVarCmpEq __vbaVarNot __vbaBoolVarNull 3693->3702 3699->3667 3724 43ed35-43ed5a call 409298 __vbaSetSystemError 3699->3724 3700->3694 3713 43ea8c-43eaca __vbaI2I4 3700->3713 3706 43e982 3702->3706 3707 43e8fc-43e97f __vbaVarAdd __vbaVarCat __vbaStrVarMove __vbaStrMove __vbaFreeVarList 3702->3707 3717 43e56e-43e594 call 409410 __vbaSetSystemError 3704->3717 3705->3692 3706->3680 3707->3706 3713->3699 3722 43ead0-43ebca __vbaChkstk * 2 __vbaVarIndexLoad __vbaVarMove __vbaVarCmpEq __vbaVarNot __vbaBoolVarNull 3713->3722 3730 43e607-43e63f call 4093c8 __vbaSetSystemError call 43db50 3717->3730 3731 43e596-43e602 call 43d6f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStrList 3717->3731 3727 43ebd0-43ec53 __vbaVarAdd __vbaVarCat __vbaStrVarMove __vbaStrMove __vbaFreeVarList 3722->3727 3728 43ec56 3722->3728 3724->3694 3732 43ed60-43ed9e __vbaI2I4 3724->3732 3727->3728 3728->3699 3730->3676 3731->3717 3732->3667 3738 43eda4-43ef78 __vbaChkstk * 2 __vbaVarIndexLoad __vbaVarMove __vbaChkstk * 2 __vbaVarIndexLoad __vbaVarMove __vbaVarCmpEq * 2 __vbaVarOr __vbaBoolVarNull 3732->3738 3740 43ef7a 3738->3740 3741 43ef7f-43f04b __vbaVarAdd * 3 __vbaVarCat __vbaStrVarMove __vbaStrMove __vbaFreeVarList 3738->3741 3743 43f04e 3740->3743 3741->3743 3743->3667
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596,0043DBD0,?,00000000,?,00000000,00403596), ref: 0043DD1E
                            • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00403596,0043DBD0), ref: 0043DD4E
                            • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00403596,0043DBD0), ref: 0043DD66
                              • Part of subcall function 004338E0: __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                              • Part of subcall function 004338E0: #632.MSVBVM60(?,?,?,?), ref: 00433982
                              • Part of subcall function 004338E0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                              • Part of subcall function 004338E0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                              • Part of subcall function 004338E0: #537.MSVBVM60(00000000), ref: 004339A6
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                              • Part of subcall function 004338E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaStrMove.MSVBVM60(?,?,00000000,?,00000000,00403596,0043DBD0), ref: 0043DD80
                            • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00403596,0043DBD0), ref: 0043DD91
                            • __vbaStrMove.MSVBVM60 ref: 0043DDB9
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,6D10D8B1,00000001,6D0FA323), ref: 00432A33
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?), ref: 00432A69
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00432A74
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,?), ref: 00432A77
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00432A82
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00432A8B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00432AA9
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432AC6
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AD1
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00432AD4
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE0
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE9
                              • Part of subcall function 004329F0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00432B0A
                              • Part of subcall function 004329F0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 00432B1C
                              • Part of subcall function 004329F0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 00432B23
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432B2E
                            • #666.MSVBVM60(?,00000008,?,?,?,?,?,?), ref: 0043DDF0
                            • __vbaVarAdd.MSVBVM60(?,00000008,?), ref: 0043DE1F
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 0043DE26
                            • __vbaStrMove.MSVBVM60 ref: 0043DE31
                            • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000), ref: 0043DE55
                            • __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,00000000,?,00000000,00403596,0043DBD0), ref: 0043DE75
                            • #645.MSVBVM60(00004008,00000010), ref: 0043DEA1
                            • __vbaStrMove.MSVBVM60 ref: 0043DEAF
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 0043DEBB
                            • __vbaFreeStr.MSVBVM60 ref: 0043DED6
                            • __vbaStrCat.MSVBVM60(00405AFC,?), ref: 0043DF0B
                            • __vbaStrMove.MSVBVM60 ref: 0043DF19
                              • Part of subcall function 004338E0: __vbaChkstk.MSVBVM60(00000000,00403596), ref: 00433F8E
                              • Part of subcall function 004338E0: __vbaOnError.MSVBVM60(000000FF,6D10D8B1,?,6D0FA323,00000000,00403596), ref: 00433FBE
                              • Part of subcall function 004338E0: #645.MSVBVM60(00004008,00000010), ref: 00433FE5
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60 ref: 00433FF0
                              • Part of subcall function 004338E0: __vbaStrCmp.MSVBVM60(00405BB8,?), ref: 00434013
                              • Part of subcall function 004338E0: __vbaStrCmp.MSVBVM60(00406074,?), ref: 00434031
                              • Part of subcall function 004338E0: __vbaStrCmp.MSVBVM60(0040C3B4,?), ref: 00434047
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(?,00000001), ref: 0043406D
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60 ref: 00434078
                              • Part of subcall function 004338E0: #579.MSVBVM60(00000000), ref: 0043407F
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60 ref: 00434099
                              • Part of subcall function 004338E0: __vbaRedimPreserve.MSVBVM60(00000180,00000004,?,00000008,00000001,00000000,00000000), ref: 004340C8
                            • __vbaAryMove.MSVBVM60(00442070,?,?,00442064), ref: 0043DF42
                            • __vbaFreeStr.MSVBVM60 ref: 0043DF4E
                            • __vbaForEachAry.MSVBVM60(00000008,?,?,?,00000000), ref: 0043DF8D
                            • __vbaAryUnlock.MSVBVM60(?,0043F1C8), ref: 0043F164
                            • __vbaFreeVar.MSVBVM60 ref: 0043F170
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0043F17F
                            • __vbaFreeVar.MSVBVM60 ref: 0043F188
                            • __vbaFreeStr.MSVBVM60 ref: 0043F191
                            • __vbaFreeVar.MSVBVM60 ref: 0043F19A
                            • __vbaFreeVar.MSVBVM60 ref: 0043F1A3
                            • __vbaFreeVar.MSVBVM60 ref: 0043F1AC
                            • __vbaFreeVar.MSVBVM60 ref: 0043F1B5
                            • __vbaFreeStr.MSVBVM60 ref: 0043F1C1
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Free$Move$BstrList$#516#631#645ChkstkCopyError$#537#579#608#632#666DestructEachPreserveRedimUnlock
                            • String ID: 06370E1604003D4826142A3F32300D065D0B1143012B3C0B0D03$13021B1C221932$CopyFile$E$SELECT c3author, c4recipients FROM messagesText_content$SELECT name FROM contacts$SELECT name FROM contacts$SELECT value FROM identities$SELECT value FROM identities$Scripting.FileSystemObject$\LogkinotKrAhRyjSfwLYIttQphGBONdeYquirinal$\Thunderbird\Profiles$c3author$c4recipients$d$name$rZPbyfaQeKqYLSWhuposm$value$yRrkXCmSqJimRlFbxNcOlNu
                            • API String ID: 1793064488-3712724257
                            • Opcode ID: 8a56edba40a4459730b96c67e894e26e377107718caaf1d4659a04656b9df2e3
                            • Instruction ID: c8bf94cb550e7aae0d970b66ec5e4067dd3e22dedd54732706e22d2feb2a5d5e
                            • Opcode Fuzzy Hash: 8a56edba40a4459730b96c67e894e26e377107718caaf1d4659a04656b9df2e3
                            • Instruction Fuzzy Hash: 3BC21BB1900219DFDB24DFA0DD48BEEB779BF48304F0085E9E50AA7261EB745A89CF54
                            Function 0043C240 Relevance: 291.5, APIs: 134, Strings: 32, Instructions: 1049COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 3744 43c240-43c387 __vbaOnError __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove * 2 #716 __vbaVarSetVar __vbaFreeStrList __vbaStrCopy call 4338e0 3750 43c38c-43c773 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaVarLateMemSt __vbaFreeStrList __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaVarLateMemSt __vbaFreeStrList __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCat __vbaStrCopy __vbaStrMove call 4329f0 #666 __vbaStrCopy __vbaStrMove call 4329f0 #666 __vbaVarCat * 5 __vbaVarLateMemSt __vbaFreeStrList __vbaFreeVarList __vbaVarLateMemSt #645 __vbaStrMove __vbaStrCmp __vbaFreeStr 3744->3750 3765 43cc0b-43d330 __vbaVarLateMemCallLd __vbaVarSetVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaVarLateMemCallSt __vbaFreeStrList __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaVarLateMemCallSt __vbaFreeStrList __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrCopy __vbaStrMove call 4329f0 __vbaVarLateMemCallSt __vbaFreeStrList __vbaFreeVarList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaVarLateMemCallSt __vbaFreeStrList __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaVarLateMemCallSt __vbaFreeStrList __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrCopy __vbaStrMove call 4329f0 __vbaVarLateMemCallSt __vbaFreeStrList __vbaFreeVarList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrCopy __vbaStrMove call 4329f0 __vbaVarLateMemCallSt __vbaFreeStrList __vbaFreeVarList __vbaVarLateMemCallLdRf __vbaObjVar __vbaLateMemCall __vbaFreeVar __vbaObjVar __vbaLateMemCall #645 __vbaStrMove __vbaStrCmp __vbaFreeStr 3750->3765 3766 43c779-43cc08 __vbaObjVar __vbaLateMemCall 3750->3766 3808 43d332-43d371 __vbaVarDup #529 __vbaFreeVar __vbaExitProc 3765->3808 3809 43d38f-43d39a __vbaExitProc 3765->3809 3766->3765 3810 43d410-43d420 __vbaFreeVar * 2 3808->3810 3809->3810
                            APIs
                            • __vbaOnError.MSVBVM60(00000001), ref: 0043C2DC
                            • __vbaStrCopy.MSVBVM60 ref: 0043C2F0
                              • Part of subcall function 004338E0: __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                              • Part of subcall function 004338E0: #632.MSVBVM60(?,?,?,?), ref: 00433982
                              • Part of subcall function 004338E0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                              • Part of subcall function 004338E0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                              • Part of subcall function 004338E0: #537.MSVBVM60(00000000), ref: 004339A6
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                              • Part of subcall function 004338E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaStrMove.MSVBVM60(?), ref: 0043C306
                            • __vbaStrCopy.MSVBVM60 ref: 0043C310
                            • __vbaStrMove.MSVBVM60 ref: 0043C31B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,6D10D8B1,00000001,6D0FA323), ref: 00432A33
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?), ref: 00432A69
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00432A74
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,?), ref: 00432A77
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00432A82
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00432A8B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00432AA9
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432AC6
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AD1
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00432AD4
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE0
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE9
                              • Part of subcall function 004329F0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00432B0A
                              • Part of subcall function 004329F0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 00432B1C
                              • Part of subcall function 004329F0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 00432B23
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432B2E
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0043C32F
                            • __vbaStrMove.MSVBVM60(00000000), ref: 0043C33B
                            • #716.MSVBVM60(?,00000000), ref: 0043C342
                            • __vbaVarSetVar.MSVBVM60(?,?), ref: 0043C350
                            • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 0043C370
                            • __vbaStrCopy.MSVBVM60 ref: 0043C381
                            • __vbaStrMove.MSVBVM60(?), ref: 0043C391
                            • __vbaStrCopy.MSVBVM60 ref: 0043C39B
                            • __vbaStrMove.MSVBVM60 ref: 0043C3A6
                              • Part of subcall function 004329F0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,00000002,?,?,?), ref: 00432B3A
                              • Part of subcall function 004329F0: __vbaStrCopy.MSVBVM60 ref: 00432B59
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(00432B9C), ref: 00432B95
                            • __vbaStrMove.MSVBVM60(?,?,00405AF4), ref: 0043C3BF
                            • __vbaStrCat.MSVBVM60(00000000), ref: 0043C3C2
                            • __vbaStrMove.MSVBVM60 ref: 0043C3CD
                            • __vbaStrCat.MSVBVM60(00405AF4,00000000), ref: 0043C3D5
                            • __vbaVarLateMemSt.MSVBVM60(?,From), ref: 0043C405
                            • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 0043C425
                            • __vbaFreeVar.MSVBVM60 ref: 0043C431
                            • __vbaStrCopy.MSVBVM60 ref: 0043C43F
                            • __vbaStrMove.MSVBVM60(?), ref: 0043C44F
                            • __vbaStrCopy.MSVBVM60 ref: 0043C459
                            • __vbaStrMove.MSVBVM60 ref: 0043C464
                            • __vbaVarLateMemSt.MSVBVM60(?,0040D68C), ref: 0043C49D
                            • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0043C4B5
                            • __vbaFreeVar.MSVBVM60 ref: 0043C4C1
                            • __vbaStrCopy.MSVBVM60 ref: 0043C4CF
                            • __vbaStrMove.MSVBVM60(?), ref: 0043C4DF
                            • __vbaStrCopy.MSVBVM60 ref: 0043C4E9
                            • __vbaStrMove.MSVBVM60(?), ref: 0043C4F9
                            • __vbaStrCat.MSVBVM60(:::,00000000), ref: 0043C506
                            • __vbaStrCopy.MSVBVM60 ref: 0043C524
                            • __vbaStrMove.MSVBVM60 ref: 0043C52F
                            • #666.MSVBVM60(?,00000008,?,?), ref: 0043C550
                            • __vbaStrCopy.MSVBVM60 ref: 0043C572
                            • __vbaStrMove.MSVBVM60 ref: 0043C57D
                            • #666.MSVBVM60(?,00000008,?,?), ref: 0043C5AA
                            • __vbaVarCat.MSVBVM60(?,?,00000008), ref: 0043C5E9
                            • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 0043C5FE
                            • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 0043C613
                            • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 0043C628
                            • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 0043C63D
                            • __vbaVarLateMemSt.MSVBVM60(?,Subject), ref: 0043C667
                            • __vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,?,?), ref: 0043C68F
                            • __vbaFreeVarList.MSVBVM60(0000000A,00000008,00000008,?,?,00000008,?,?,?,?,?), ref: 0043C6D7
                            • __vbaVarLateMemSt.MSVBVM60(?,TextBody), ref: 0043C71B
                            • #645.MSVBVM60(00004008,00000000), ref: 0043C73C
                            • __vbaStrMove.MSVBVM60 ref: 0043C747
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 0043C74F
                            • __vbaFreeStr.MSVBVM60 ref: 0043C766
                            • __vbaObjVar.MSVBVM60(?,AddAttachment,00000001), ref: 0043CBFB
                            • __vbaLateMemCall.MSVBVM60(00000000), ref: 0043CC02
                            • __vbaVarLateMemCallLd.MSVBVM60(00000008,?,Configuration,00000000), ref: 0043CC19
                            • __vbaVarSetVar.MSVBVM60(?,00000000), ref: 0043CC27
                            • __vbaStrCopy.MSVBVM60 ref: 0043CC35
                            • __vbaStrMove.MSVBVM60(?), ref: 0043CC45
                            • __vbaStrCopy.MSVBVM60 ref: 0043CC4F
                            • __vbaStrMove.MSVBVM60 ref: 0043CC5A
                            • __vbaVarLateMemCallSt.MSVBVM60(?,Fields,00000001), ref: 0043CCCE
                            • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0043CCE6
                            • __vbaFreeVar.MSVBVM60 ref: 0043CCF2
                            • __vbaStrCopy.MSVBVM60 ref: 0043CD00
                            • __vbaStrMove.MSVBVM60(?), ref: 0043CD10
                            • __vbaStrCopy.MSVBVM60 ref: 0043CD1A
                            • __vbaStrMove.MSVBVM60 ref: 0043CD25
                            • __vbaVarLateMemCallSt.MSVBVM60(?,Fields,00000001), ref: 0043CD9C
                            • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0043CDB4
                            • __vbaFreeVar.MSVBVM60 ref: 0043CDC0
                            • __vbaStrCopy.MSVBVM60 ref: 0043CDCE
                            • __vbaStrMove.MSVBVM60(?), ref: 0043CDDE
                            • __vbaStrCopy.MSVBVM60 ref: 0043CDE8
                            • __vbaStrMove.MSVBVM60(?), ref: 0043CDF8
                            • __vbaStrCopy.MSVBVM60 ref: 0043CE02
                            • __vbaStrMove.MSVBVM60 ref: 0043CE0D
                            • __vbaStrCopy.MSVBVM60(?,?), ref: 0043CE2E
                            • __vbaStrMove.MSVBVM60 ref: 0043CE39
                            • __vbaVarLateMemCallSt.MSVBVM60(?,Fields,00000001), ref: 0043CE92
                            • __vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,?,?), ref: 0043CEBA
                            • __vbaFreeVarList.MSVBVM60(00000002,00000008,00000008), ref: 0043CECD
                            • __vbaStrCopy.MSVBVM60 ref: 0043CEDE
                            • __vbaStrMove.MSVBVM60(?), ref: 0043CEEE
                            • __vbaStrCopy.MSVBVM60 ref: 0043CEF8
                            • __vbaStrMove.MSVBVM60 ref: 0043CF03
                            • __vbaVarLateMemCallSt.MSVBVM60(?,Fields,00000001), ref: 0043CF7A
                            • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0043CF92
                            • __vbaFreeVar.MSVBVM60 ref: 0043CF9E
                            • __vbaStrCopy.MSVBVM60 ref: 0043CFAC
                            • __vbaStrMove.MSVBVM60(?), ref: 0043CFBC
                            • __vbaStrCopy.MSVBVM60 ref: 0043CFC6
                            • __vbaStrMove.MSVBVM60 ref: 0043CFD1
                            • __vbaVarLateMemCallSt.MSVBVM60(?,Fields,00000001), ref: 0043D048
                            • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0043D060
                            • __vbaFreeVar.MSVBVM60 ref: 0043D06C
                            • __vbaStrCopy.MSVBVM60 ref: 0043D07A
                            • __vbaStrMove.MSVBVM60(?), ref: 0043D08A
                            • __vbaStrCopy.MSVBVM60 ref: 0043D094
                            • __vbaStrMove.MSVBVM60(?), ref: 0043D0A4
                            • __vbaStrCopy.MSVBVM60 ref: 0043D0AE
                            • __vbaStrMove.MSVBVM60 ref: 0043D0B9
                            • __vbaStrCopy.MSVBVM60(?,?), ref: 0043D0DA
                            • __vbaStrMove.MSVBVM60 ref: 0043D0E5
                            • __vbaVarLateMemCallSt.MSVBVM60(?,Fields,00000001), ref: 0043D13E
                            • __vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,?,?), ref: 0043D166
                            • __vbaFreeVarList.MSVBVM60(00000002,00000008,00000008), ref: 0043D179
                            • __vbaStrCopy.MSVBVM60 ref: 0043D18A
                            • __vbaStrMove.MSVBVM60(?), ref: 0043D19A
                            • __vbaStrCopy.MSVBVM60 ref: 0043D1A4
                            • __vbaStrMove.MSVBVM60(?), ref: 0043D1B4
                            • __vbaStrCopy.MSVBVM60 ref: 0043D1BE
                            • __vbaStrMove.MSVBVM60 ref: 0043D1C9
                            • __vbaStrCopy.MSVBVM60(?,?), ref: 0043D1EA
                            • __vbaStrMove.MSVBVM60 ref: 0043D1F5
                            • __vbaVarLateMemCallSt.MSVBVM60(?,Fields,00000001), ref: 0043D24C
                            • __vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,?,?), ref: 0043D274
                            • __vbaFreeVarList.MSVBVM60(00000002,00000008,00000008), ref: 0043D287
                            • __vbaVarLateMemCallLdRf.MSVBVM60(00000008,?,Fields,00000000,Update,00000000), ref: 0043D2A4
                            • __vbaObjVar.MSVBVM60(00000000), ref: 0043D2AE
                            • __vbaLateMemCall.MSVBVM60(00000000), ref: 0043D2BB
                            • __vbaFreeVar.MSVBVM60 ref: 0043D2C3
                            • __vbaObjVar.MSVBVM60(?,Send,00000000), ref: 0043D2D3
                            • __vbaLateMemCall.MSVBVM60(00000000), ref: 0043D2DA
                            • #645.MSVBVM60(00004008,00000000), ref: 0043D301
                            • __vbaStrMove.MSVBVM60 ref: 0043D30C
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 0043D314
                            • __vbaFreeStr.MSVBVM60 ref: 0043D327
                            • __vbaVarDup.MSVBVM60 ref: 0043D34D
                            • #529.MSVBVM60(00000008), ref: 0043D357
                            • __vbaFreeVar.MSVBVM60 ref: 0043D360
                            • __vbaExitProc.MSVBVM60 ref: 0043D366
                            • __vbaExitProc.MSVBVM60 ref: 0043D38F
                            • __vbaFreeVar.MSVBVM60(0043D421), ref: 0043D419
                            • __vbaFreeVar.MSVBVM60 ref: 0043D41E
                            Strings
                            • 0F221A145F2206263B14303530190408540D3F, xrefs: 0043CDE0
                            • 251D08123A181D112D252913, xrefs: 0043C4C7
                            • BbCsxqCbOOmQRBvqxznPzuLdSRhaLFc, xrefs: 0043C393, 0043C451, 0043CE26, 0043D0D2, 0043D1E2
                            • 0A26160A106D00263C0525122312180C030F37081A39147D3107, xrefs: 0043C379, 0043D08C
                            • TextBody, xrefs: 0043C712
                            • From, xrefs: 0043C3FC
                            • Subject, xrefs: 0043C65E
                            • Fields, xrefs: 0043CCC5, 0043CD93, 0043CE89, 0043CF71, 0043D03F, 0043D135, 0043D243, 0043D297
                            • 20312238687E493D251E31380404571C072A270437002A247902000B47060121752B2A382E3B36133C27023D3A0B580A14002D2018211D22313A04, xrefs: 0043D072
                            • ZHEVHRQfNFvTUewyqnIUkDoLPWaofheeN, xrefs: 0043C308, 0043D0A6
                            • 09352E1D574746380C05212136005F1E1C34243C072B0735740E020546280B026B2F381D171A12222432002D0E2F751E001C19380A1F322925031E0101, xrefs: 0043CED6
                            • AddAttachment, xrefs: 0043CBF2
                            • :::, xrefs: 0043C501
                            • pXfsCBQmftOVIuXROGSNsiENhHVMDDSZ, xrefs: 0043CDFA
                            • Send, xrefs: 0043D2CA
                            • XlagPsSXqXQkEvSTsbGlIm, xrefs: 0043CC47
                            • GhGBDjfvZNlXhryoZwDnGeqfWSiwHVFB, xrefs: 0043CFBE
                            • uKOpxVfGPojaWlGmQXDxwDxNMuhoHFdoFUMMiOFTSMZm, xrefs: 0043C56A
                            • Configuration, xrefs: 0043CC0C
                            • 30120733787E421517273324142B7C222E303C1C1A2A281C663522296B303E1F77051C2D24380A13062E22201A367D3C2A273E000C37380D3A, xrefs: 0043CDC6
                            • DaAZmmhiKomDLWsqsuWVSt, xrefs: 0043CEF0
                            • sprLCXbfvwBeu, xrefs: 0043CD12
                            • 04151320497C77023B390E2817207A1E0B241E261E370A1549331C3E77123C3E4426193D321A05321E281931030F4823163D3C042B380522, xrefs: 0043CC2D
                            • 18063833624D4905142A001812035C212A3B1009051824115B101F1F63203C0D4915182C031C1405002D37310D0859042F1105120506242636160F15163600, xrefs: 0043CCF8
                            • 1822181103310D222A2D3E213612041A1B077E191A21, xrefs: 0043C437
                            • 0B0119661F34153D271131, xrefs: 0043C2E2
                            • 0E26313255637730000C013B073946032F3B0B3606371E047F29263C402717386C0F013B311012202503123B2A2C403F3D2D07140525153D071C22, xrefs: 0043D182
                            • Update, xrefs: 0043D291
                            • 1E1C352A18270A15, xrefs: 0043C4E1
                            • 23271A0C0822430F6C49740C, xrefs: 0043D19C
                            • 00333634504959292D043D05130A41371E271C28161E00237D0A18257925262847242D2A0C0F112F3C0D2C011D1740291A301E32161415243F, xrefs: 0043CFA4
                            • bfREBoLXCcddVfJhnFXyYuXxpQJIQoDsWClnUWyuUW, xrefs: 0043C51C, 0043D1B6
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Free$Copy$List$Late$Call$Bstr$#516#631#645#666ExitProc$#529#537#608#632#716Error
                            • String ID: 00333634504959292D043D05130A41371E271C28161E00237D0A18257925262847242D2A0C0F112F3C0D2C011D1740291A301E32161415243F$04151320497C77023B390E2817207A1E0B241E261E370A1549331C3E77123C3E4426193D321A05321E281931030F4823163D3C042B380522$09352E1D574746380C05212136005F1E1C34243C072B0735740E020546280B026B2F381D171A12222432002D0E2F751E001C19380A1F322925031E0101$0A26160A106D00263C0525122312180C030F37081A39147D3107$0B0119661F34153D271131$0E26313255637730000C013B073946032F3B0B3606371E047F29263C402717386C0F013B311012202503123B2A2C403F3D2D07140525153D071C22$0F221A145F2206263B14303530190408540D3F$18063833624D4905142A001812035C212A3B1009051824115B101F1F63203C0D4915182C031C1405002D37310D0859042F1105120506242636160F15163600$1822181103310D222A2D3E213612041A1B077E191A21$1E1C352A18270A15$20312238687E493D251E31380404571C072A270437002A247902000B47060121752B2A382E3B36133C27023D3A0B580A14002D2018211D22313A04$23271A0C0822430F6C49740C$251D08123A181D112D252913$30120733787E421517273324142B7C222E303C1C1A2A281C663522296B303E1F77051C2D24380A13062E22201A367D3C2A273E000C37380D3A$:::$AddAttachment$BbCsxqCbOOmQRBvqxznPzuLdSRhaLFc$Configuration$DaAZmmhiKomDLWsqsuWVSt$Fields$From$GhGBDjfvZNlXhryoZwDnGeqfWSiwHVFB$Send$Subject$TextBody$Update$XlagPsSXqXQkEvSTsbGlIm$ZHEVHRQfNFvTUewyqnIUkDoLPWaofheeN$bfREBoLXCcddVfJhnFXyYuXxpQJIQoDsWClnUWyuUW$pXfsCBQmftOVIuXROGSNsiENhHVMDDSZ$sprLCXbfvwBeu$uKOpxVfGPojaWlGmQXDxwDxNMuhoHFdoFUMMiOFTSMZm
                            • API String ID: 3321761847-1716265538
                            • Opcode ID: 3d1c0e817f442548618be1c65e7e66b24798dd943fccbed992ce42eab7e281de
                            • Instruction ID: e2fcb6069368450c42ea45a66b3f672eefec9df8ba84c420a81826d29726419b
                            • Opcode Fuzzy Hash: 3d1c0e817f442548618be1c65e7e66b24798dd943fccbed992ce42eab7e281de
                            • Instruction Fuzzy Hash: 7DA2EBB1D002189BCB14DFE4CD849DEBBB9FF48300F14866EE506AB255EB746A49CF94
                            Function 00410BE0 Relevance: 289.8, APIs: 156, Strings: 9, Instructions: 1024COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 3811 410be0-410d17 __vbaChkstk __vbaOnError __vbaStrCopy call 405924 __vbaSetSystemError call 4058d8 __vbaSetSystemError #537 #607 __vbaStrVarMove __vbaStrMove __vbaFreeVarList 3817 411f70-411f76 __vbaErrorOverflow 3811->3817 3818 410d1d-410d96 __vbaStrToAnsi call 405888 __vbaSetSystemError __vbaStrToUnicode __vbaFreeStr __vbaStrCmp * 2 3811->3818 3821 410f17-410f3b call 40546c __vbaSetSystemError 3818->3821 3822 410d9c-410f14 __vbaStrCat __vbaStrMove __vbaStrCat #612 __vbaVarCat * 6 __vbaStrVarMove __vbaStrMove __vbaFreeStr __vbaFreeVarList 3818->3822 3825 410f74-410f98 call 40546c __vbaSetSystemError 3821->3825 3826 410f3d-410f53 __vbaLenBstr 3821->3826 3822->3821 3830 410fc0-410fe4 call 40546c __vbaSetSystemError 3825->3830 3831 410f9a-410fba __vbaStrCat __vbaStrMove 3825->3831 3826->3817 3827 410f59-410f6e #616 __vbaStrMove 3826->3827 3827->3825 3834 410fe6-411005 __vbaStrCat __vbaStrMove 3830->3834 3835 41100b-41102f call 40546c __vbaSetSystemError 3830->3835 3831->3830 3834->3835 3838 411041-411065 call 40546c __vbaSetSystemError 3835->3838 3839 411031-411038 3835->3839 3842 411112-411136 call 40546c __vbaSetSystemError 3838->3842 3843 41106b-41110f __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStrList 3838->3843 3839->3838 3849 411138-411147 3842->3849 3850 41116b-4111b5 3842->3850 3843->3842 3852 411149-411159 3849->3852 3853 41115b-411162 3849->3853 3855 411308-411351 3850->3855 3856 4111bb-4111e4 call 40546c __vbaSetSystemError 3850->3856 3852->3850 3853->3850 3859 411793-4117b8 3855->3859 3860 411357-411380 call 40546c __vbaSetSystemError 3855->3860 3862 4111ea-4111f9 3856->3862 3863 4112fc-411303 3856->3863 3865 4117d2-4117de 3859->3865 3873 411787 3860->3873 3874 411386-411395 3860->3874 3866 411205-41127e #608 __vbaVarAdd __vbaStrVarMove __vbaStrMove __vbaFreeVarList 3862->3866 3867 4111fb-411203 3862->3867 3869 411884-4118cd 3865->3869 3870 4117e4-41180c call 40546c __vbaSetSystemError 3865->3870 3866->3863 3867->3866 3872 411280-4112f9 #608 #518 __vbaVarAdd __vbaStrVarMove __vbaStrMove __vbaFreeVarList 3867->3872 3876 4118d3-4118fc call 40546c __vbaSetSystemError 3869->3876 3877 411bba-411c04 3869->3877 3885 411878-41187f 3870->3885 3886 41180e-411875 #608 __vbaVarAdd __vbaStrVarMove __vbaStrMove __vbaFreeVarList 3870->3886 3872->3863 3873->3817 3878 41139b-4113cf 3874->3878 3879 41171e-411784 #608 __vbaVarAdd __vbaStrVarMove __vbaStrMove __vbaFreeVarList 3874->3879 3905 411902-411911 3876->3905 3906 411bae 3876->3906 3888 411e47-411ebb 3877->3888 3889 411c0a-411c33 call 40546c __vbaSetSystemError 3877->3889 3883 4113d5-4113db 3878->3883 3884 41170c-41171c 3878->3884 3879->3873 3891 411412-411438 __vbaStrCat __vbaStrMove 3883->3891 3892 4115c2-41166a __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStrList 3883->3892 3893 411515-4115bd __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStrList 3883->3893 3894 4113e7-41140d __vbaStrCat __vbaStrMove 3883->3894 3895 411697-4116bd __vbaStrCat __vbaStrMove 3883->3895 3896 4116e6-411706 __vbaStrCat __vbaStrMove 3883->3896 3897 4114ea-411510 __vbaStrCat __vbaStrMove 3883->3897 3898 41143d-4114e5 __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStrList 3883->3898 3899 41166f-411695 __vbaStrCat __vbaStrMove 3883->3899 3900 4116bf-4116e4 __vbaStrCat __vbaStrMove 3883->3900 3884->3873 3885->3817 3907 4117cc 3885->3907 3886->3885 3888->3817 3919 411c39-411c48 3889->3919 3920 411e3b-411e42 3889->3920 3891->3884 3892->3884 3893->3884 3894->3884 3895->3884 3896->3884 3897->3884 3898->3884 3899->3884 3900->3884 3912 411917-41194e 3905->3912 3913 411a6d-411aa4 3905->3913 3917 411c9e-411cc3 __vbaStrCat __vbaStrMove 3906->3917 3907->3865 3921 411954-41195a 3912->3921 3922 411a58-411a68 3912->3922 3913->3906 3918 411aaa-411ab0 3913->3918 3941 411d3a-411d4a 3917->3941 3918->3917 3924 411b61-411b86 __vbaStrCat __vbaStrMove 3918->3924 3925 411cc5-411ceb __vbaStrCat __vbaStrMove 3918->3925 3926 411ae7-411b0c __vbaStrCat __vbaStrMove 3918->3926 3927 411dc6-411deb __vbaStrCat __vbaStrMove 3918->3927 3928 411b88-411ba8 __vbaStrCat __vbaStrMove 3918->3928 3929 411ced-411d13 __vbaStrCat __vbaStrMove 3918->3929 3930 411ded-411e13 __vbaStrCat __vbaStrMove 3918->3930 3931 411b11-411b37 __vbaStrCat __vbaStrMove 3918->3931 3932 411d15-411d34 __vbaStrCat __vbaStrMove 3918->3932 3933 411e15-411e35 __vbaStrCat __vbaStrMove 3918->3933 3934 411b39-411b5f __vbaStrCat __vbaStrMove 3918->3934 3935 411abc-411ae2 __vbaStrCat __vbaStrMove 3918->3935 3936 411d9e-411dc4 __vbaStrCat __vbaStrMove 3918->3936 3938 411d4f-411d86 3919->3938 3939 411c4e-411c86 3919->3939 3920->3817 3921->3917 3921->3924 3921->3925 3921->3926 3921->3928 3921->3929 3921->3931 3921->3932 3921->3934 3921->3935 3942 4119e3-411a09 __vbaStrCat __vbaStrMove 3921->3942 3943 411966-41198c __vbaStrCat __vbaStrMove 3921->3943 3944 411a0b-411a31 __vbaStrCat __vbaStrMove 3921->3944 3945 411991-4119b7 __vbaStrCat __vbaStrMove 3921->3945 3946 411a33-411a52 __vbaStrCat __vbaStrMove 3921->3946 3947 4119bc-4119e1 __vbaStrCat __vbaStrMove 3921->3947 3922->3906 3924->3906 3925->3941 3926->3906 3927->3920 3928->3906 3929->3941 3930->3920 3931->3906 3932->3941 3933->3920 3934->3906 3935->3906 3936->3920 3938->3920 3951 411d8c-411d92 3938->3951 3939->3941 3950 411c8c-411c92 3939->3950 3941->3920 3942->3922 3943->3922 3944->3922 3945->3922 3946->3922 3947->3922 3950->3917 3950->3925 3950->3927 3950->3929 3950->3930 3950->3932 3950->3933 3950->3936 3951->3927 3951->3930 3951->3933 3951->3936
                            APIs
                            • __vbaChkstk.MSVBVM60(?,00403596), ref: 00410BFE
                            • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00403596), ref: 00410C43
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,00403596), ref: 00410C5B
                            • __vbaSetSystemError.MSVBVM60(?,?,?,?,00403596), ref: 00410C73
                            • __vbaSetSystemError.MSVBVM60(00010010,?,?,?,?,00403596), ref: 00410C9E
                            • #537.MSVBVM60(00000000,?,?,?,?,00403596), ref: 00410CB8
                            • #607.MSVBVM60(?,00000000,00000008), ref: 00410CD7
                            • __vbaStrVarMove.MSVBVM60(?), ref: 00410CE1
                            • __vbaStrMove.MSVBVM60 ref: 00410CEE
                            • __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 00410CFE
                            • __vbaStrToAnsi.MSVBVM60(?,0481DD0C,-00000001,?,?,00403596), ref: 00410D29
                            • __vbaSetSystemError.MSVBVM60(00010010,00000000,?,?,00403596), ref: 00410D3C
                            • __vbaStrToUnicode.MSVBVM60(00442088,?,?,?,00403596), ref: 00410D4B
                            • __vbaFreeStr.MSVBVM60(?,?,00403596), ref: 00410D54
                            • __vbaStrCmp.MSVBVM60(047FD0AC,0481DD0C,?,?,00403596), ref: 00410D6E
                            • __vbaStrCmp.MSVBVM60(00405BB8,047FD0AC,?,?,00403596), ref: 00410D87
                            • __vbaStrCat.MSVBVM60(004059B4,0162B774,?,?,00403596), ref: 00410DAE
                            • __vbaStrMove.MSVBVM60(?,?,00403596), ref: 00410DB9
                            • __vbaStrCat.MSVBVM60(004061A4,00000000,?,?,00403596), ref: 00410DC5
                            • #612.MSVBVM60(?), ref: 00410DD9
                            • __vbaVarCat.MSVBVM60(?,?,00000008), ref: 00410E51
                            • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 00410E66
                            • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 00410E7B
                            • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 00410E90
                            • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 00410EA5
                            • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 00410EBA
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 00410EC1
                            • __vbaStrMove.MSVBVM60 ref: 00410ECE
                            • __vbaFreeStr.MSVBVM60 ref: 00410ED7
                            • __vbaFreeVarList.MSVBVM60(00000008,00000008,?,?,?,?,?,?,?), ref: 00410F0E
                            • __vbaSetSystemError.MSVBVM60(00000008,?,?,00403596), ref: 00410F2C
                            • __vbaLenBstr.MSVBVM60(0162B774), ref: 00410F4A
                            • #616.MSVBVM60(0162B774,-00000001), ref: 00410F61
                            • __vbaStrMove.MSVBVM60 ref: 00410F6E
                            • __vbaSetSystemError.MSVBVM60(0000000D), ref: 00410F89
                            • __vbaStrCat.MSVBVM60(004059B4,0162B774), ref: 00410FAD
                            • __vbaStrMove.MSVBVM60 ref: 00410FBA
                            • __vbaSetSystemError.MSVBVM60(00000020), ref: 00410FD5
                            • __vbaStrCat.MSVBVM60(004061CC,0162B774), ref: 00410FF8
                            • __vbaStrMove.MSVBVM60 ref: 00411005
                            • __vbaSetSystemError.MSVBVM60(00000010), ref: 00411020
                            • __vbaSetSystemError.MSVBVM60(00000011), ref: 00411056
                            • __vbaStrCopy.MSVBVM60 ref: 0041107A
                            • __vbaStrMove.MSVBVM60(?), ref: 0041108E
                            • __vbaStrCopy.MSVBVM60 ref: 0041109C
                            • __vbaStrMove.MSVBVM60 ref: 004110BB
                            • __vbaStrMove.MSVBVM60(?,?,0162B774), ref: 004110D9
                            • __vbaStrCat.MSVBVM60(00000000), ref: 004110E0
                            • __vbaStrMove.MSVBVM60 ref: 004110ED
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00411109
                            • __vbaSetSystemError.MSVBVM60(00000014), ref: 00411127
                            • __vbaSetSystemError.MSVBVM60(000000DF), ref: 004111D5
                            • #608.MSVBVM60(?,000000DF), ref: 0041122C
                            • __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 00411241
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 00411248
                            • __vbaStrMove.MSVBVM60 ref: 00411255
                            • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00411265
                            • __vbaErrorOverflow.MSVBVM60(?,?,00403596), ref: 00411F70
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Error$System$Free$List$Copy$#537#607#608#612#616AnsiBstrChkstkOverflowUnicode
                            • String ID: 29263506$9$KbdkGQkDIOpBlYohKEFaeUAbarLXUZiM$QAoTbJBakCdqGCAWtLTuuIuYBbkbggxXKP$QuoDhKRbMgipsjBaijsdAYTnYBEnOcwFomViTRySYmp$Z$o$qjrgJjucTVyiJvErYpTTyKcvNsXsobrkciYwgMZBOuv$v
                            • API String ID: 1749692130-1928549272
                            • Opcode ID: df35137fe5f25b81916ea3c800b35fc8d59330de162712a65584a57489eb6b6f
                            • Instruction ID: ffcd86c9b44d511000ae6fdcdd33247bfd1246b280d88347bdb2db08a0dd7fb9
                            • Opcode Fuzzy Hash: df35137fe5f25b81916ea3c800b35fc8d59330de162712a65584a57489eb6b6f
                            • Instruction Fuzzy Hash: 35A23B75900209DFDB14DFA0DE48BDE77B5FB44300F1081AAF606A72A0DBB85A89CF59
                            Function 00431BE0 Relevance: 233.6, APIs: 118, Strings: 15, Instructions: 863COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 3952 431be0-431f6a __vbaChkstk __vbaOnError __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 #666 __vbaVarAdd __vbaStrVarMove __vbaStrMove call 433f70 __vbaAryMove __vbaFreeStrList __vbaFreeVarList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 #666 __vbaVarAdd __vbaStrVarMove __vbaStrMove call 433f70 __vbaAryMove __vbaFreeStrList __vbaFreeVarList #526 __vbaStrVarMove __vbaStrMove __vbaFreeVar __vbaStrToAnsi call 405420 __vbaSetSystemError __vbaStrToUnicode __vbaFreeStr #616 __vbaStrMove __vbaLenBstr #709 3967 4329e2-4329e8 __vbaErrorOverflow 3952->3967 3968 431f70-4320ae #619 __vbaStrVarVal #712 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat #645 __vbaStrMove __vbaStrCmp #645 __vbaStrMove __vbaStrCmp __vbaFreeStrList __vbaFreeVarList 3952->3968 3969 4320b0-4320c0 3968->3969 3970 4320c5-43213b __vbaVarDup #645 __vbaStrMove __vbaStrCmp __vbaFreeStr __vbaFreeVar 3968->3970 3971 432363-432658 __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 #666 __vbaStrCopy __vbaStrMove call 4329f0 #666 __vbaStrCopy __vbaStrMove call 4329f0 #666 __vbaVarAdd * 2 __vbaVarCat * 2 __vbaStrVarMove __vbaStrMove __vbaFreeStrList __vbaFreeVarList #645 __vbaStrMove __vbaStrCmp __vbaFreeStr 3969->3971 3970->3971 3972 432141-4321bd __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove 3970->3972 3996 43265a-432667 #531 3971->3996 3997 43266d-4326ac call 411f80 call 440080 __vbaStrMove call 43db70 3971->3997 3982 4321db 3972->3982 3983 4321bf-4321d9 __vbaNew2 3972->3983 3985 4321e5-43229e __vbaChkstk * 2 3982->3985 3983->3985 3989 4322c3 3985->3989 3990 4322a0-4322c1 __vbaHresultCheckObj 3985->3990 3992 4322cd-43235d __vbaVar2Vec __vbaAryMove __vbaFreeStrList __vbaFreeVarList __vbaFileOpen __vbaPutOwner3 __vbaFileClose 3989->3992 3990->3992 3992->3971 3996->3997 4004 4326ca 3997->4004 4005 4326ae-4326c8 __vbaNew2 3997->4005 4006 4326d4-432724 __vbaObjSet 4004->4006 4005->4006 4009 432726-432747 __vbaHresultCheckObj 4006->4009 4010 432749 4006->4010 4011 432753-43276a __vbaFreeObj 4009->4011 4010->4011 4012 432788 4011->4012 4013 43276c-432786 __vbaNew2 4011->4013 4014 432792-4327e2 __vbaObjSet 4012->4014 4013->4014 4017 432807 4014->4017 4018 4327e4-432805 __vbaHresultCheckObj 4014->4018 4019 432811-43282d __vbaFreeObj call 438630 call 43a300 4017->4019 4018->4019 4023 432832-432850 4019->4023 4024 432852-43286c __vbaNew2 4023->4024 4025 43286e 4023->4025 4026 432878-4328c5 __vbaObjSet 4024->4026 4025->4026 4029 4328c7-4328e8 __vbaHresultCheckObj 4026->4029 4030 4328ea 4026->4030 4031 4328f4-4329d0 __vbaFreeObj __vbaAryDestruct * 3 4029->4031 4030->4031
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596,0040F7A3), ref: 00431BFE
                            • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00403596,0040F7A3), ref: 00431C2E
                            • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00403596,0040F7A3), ref: 00431C43
                              • Part of subcall function 004338E0: __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                              • Part of subcall function 004338E0: #632.MSVBVM60(?,?,?,?), ref: 00433982
                              • Part of subcall function 004338E0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                              • Part of subcall function 004338E0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                              • Part of subcall function 004338E0: #537.MSVBVM60(00000000), ref: 004339A6
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                              • Part of subcall function 004338E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00403596,0040F7A3), ref: 00431C57
                            • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00403596,0040F7A3), ref: 00431C65
                            • __vbaStrMove.MSVBVM60 ref: 00431C84
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,6D10D8B1,00000001,6D0FA323), ref: 00432A33
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?), ref: 00432A69
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00432A74
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,?), ref: 00432A77
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00432A82
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00432A8B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00432AA9
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432AC6
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AD1
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00432AD4
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE0
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE9
                              • Part of subcall function 004329F0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00432B0A
                              • Part of subcall function 004329F0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 00432B1C
                              • Part of subcall function 004329F0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 00432B23
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432B2E
                            • #666.MSVBVM60(?,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00431CA9
                            • __vbaVarAdd.MSVBVM60(?,00000008,?), ref: 00431CDE
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 00431CE5
                            • __vbaStrMove.MSVBVM60 ref: 00431CF0
                              • Part of subcall function 004338E0: __vbaChkstk.MSVBVM60(00000000,00403596), ref: 00433F8E
                              • Part of subcall function 004338E0: __vbaOnError.MSVBVM60(000000FF,6D10D8B1,?,6D0FA323,00000000,00403596), ref: 00433FBE
                              • Part of subcall function 004338E0: #645.MSVBVM60(00004008,00000010), ref: 00433FE5
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60 ref: 00433FF0
                              • Part of subcall function 004338E0: __vbaStrCmp.MSVBVM60(00405BB8,?), ref: 00434013
                              • Part of subcall function 004338E0: __vbaStrCmp.MSVBVM60(00406074,?), ref: 00434031
                              • Part of subcall function 004338E0: __vbaStrCmp.MSVBVM60(0040C3B4,?), ref: 00434047
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(?,00000001), ref: 0043406D
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60 ref: 00434078
                              • Part of subcall function 004338E0: #579.MSVBVM60(00000000), ref: 0043407F
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60 ref: 00434099
                              • Part of subcall function 004338E0: __vbaRedimPreserve.MSVBVM60(00000180,00000004,?,00000008,00000001,00000000,00000000), ref: 004340C8
                            • __vbaAryMove.MSVBVM60(0044205C,?,?,0000FFFF), ref: 00431D18
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00431D34
                            • __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,00000000,00403596,0040F7A3), ref: 00431D4E
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00403596,0040F7A3), ref: 00431D66
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00403596,0040F7A3), ref: 00431D7A
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00403596,0040F7A3), ref: 00431D88
                            • __vbaStrMove.MSVBVM60 ref: 00431DA7
                              • Part of subcall function 004329F0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,00000002,?,?,?), ref: 00432B3A
                              • Part of subcall function 004329F0: __vbaStrCopy.MSVBVM60 ref: 00432B59
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(00432B9C), ref: 00432B95
                            • #666.MSVBVM60(?,00000008), ref: 00431DCC
                            • __vbaVarAdd.MSVBVM60(?,00000008,?), ref: 00431E01
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 00431E08
                            • __vbaStrMove.MSVBVM60 ref: 00431E13
                              • Part of subcall function 004338E0: __vbaGenerateBoundsError.MSVBVM60 ref: 00434108
                              • Part of subcall function 004338E0: __vbaGenerateBoundsError.MSVBVM60 ref: 0043411C
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(?), ref: 0043412F
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60 ref: 0043413A
                              • Part of subcall function 004338E0: __vbaStrCopy.MSVBVM60 ref: 0043414B
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60 ref: 00434154
                              • Part of subcall function 004338E0: #645.MSVBVM60(0000000A,00000000), ref: 0043419D
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60 ref: 004341A8
                              • Part of subcall function 004338E0: __vbaFreeVar.MSVBVM60 ref: 004341B1
                              • Part of subcall function 004338E0: __vbaAryMove.MSVBVM60(?,?), ref: 004341CB
                              • Part of subcall function 004338E0: __vbaAryDestruct.MSVBVM60(00000000,?,00434217), ref: 00434207
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60 ref: 00434210
                            • __vbaAryMove.MSVBVM60(00442060,?,?,0000FFFF), ref: 00431E3B
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00431E57
                            • __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?), ref: 00431E71
                            • #526.MSVBVM60(?,000000FF,?,?,?,?,?,?,?,?,?,?), ref: 00431E8A
                            • __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?), ref: 00431E94
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 00431EA1
                            • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 00431EAA
                            • __vbaStrToAnsi.MSVBVM60(?,015A818C,000000FF,?,?,?,?,?,?,?,?,?,?), ref: 00431EC6
                            • __vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00431ED8
                            • __vbaStrToUnicode.MSVBVM60(00442028,?,?,?,?,?,?,?,?,?,?,?), ref: 00431EE7
                            • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 00431EFB
                            • #616.MSVBVM60(015A818C,00000013,?,?,?,?,?,?,?,?,?,?), ref: 00431F16
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 00431F23
                            • __vbaLenBstr.MSVBVM60(015A818C), ref: 00431F4A
                            • #709.MSVBVM60(015A818C,00405AFC,000000FF,00000000), ref: 00431F62
                            • #619.MSVBVM60(?,00004008,00000000), ref: 00431F7C
                            • __vbaStrVarVal.MSVBVM60(?,?,00405BB8,00000001,000000FF,00000000), ref: 00431F95
                            • #712.MSVBVM60(015A818C,00000000), ref: 00431FA2
                            • __vbaStrMove.MSVBVM60 ref: 00431FAD
                            • __vbaStrCat.MSVBVM60(\winsqlite3.dll,015A818C), ref: 00431FBF
                            • __vbaStrMove.MSVBVM60 ref: 00431FE8
                            • __vbaStrCat.MSVBVM60(SysWOW64\winsqlite3.dll,00000000), ref: 00431FF4
                            • #645.MSVBVM60(00000008,00000000), ref: 0043200D
                            • __vbaStrMove.MSVBVM60 ref: 00432018
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 00432024
                            • #645.MSVBVM60(00000008,00000000), ref: 0043203D
                            • __vbaStrMove.MSVBVM60 ref: 00432048
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 00432054
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00432082
                            • __vbaFreeVarList.MSVBVM60(00000003,00000008,?,?), ref: 0043209C
                            • __vbaVarDup.MSVBVM60 ref: 004320E9
                            • #645.MSVBVM60(00000008,00000000), ref: 004320F5
                            • __vbaStrMove.MSVBVM60 ref: 00432100
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 0043210C
                            • __vbaFreeStr.MSVBVM60 ref: 00432123
                            • __vbaFreeVar.MSVBVM60 ref: 0043212C
                            • __vbaStrCopy.MSVBVM60 ref: 00432157
                            • __vbaStrMove.MSVBVM60(?), ref: 0043216B
                            • __vbaStrCopy.MSVBVM60 ref: 00432179
                            • __vbaStrMove.MSVBVM60 ref: 00432198
                            • __vbaStrMove.MSVBVM60(?,?), ref: 004321B0
                            • __vbaNew2.MSVBVM60(00404FCC,004426B4), ref: 004321C9
                            • __vbaChkstk.MSVBVM60(?), ref: 00432230
                            • __vbaChkstk.MSVBVM60(?), ref: 00432253
                            • __vbaStrCopy.MSVBVM60 ref: 00432372
                            • __vbaStrMove.MSVBVM60(?), ref: 00432386
                            • __vbaStrCopy.MSVBVM60 ref: 00432394
                            • __vbaStrMove.MSVBVM60(?), ref: 004323A8
                            • __vbaStrCopy.MSVBVM60 ref: 004323B6
                            • __vbaStrMove.MSVBVM60(?), ref: 004323CA
                            • __vbaStrCopy.MSVBVM60 ref: 004323D8
                            • __vbaStrMove.MSVBVM60 ref: 004323F7
                            • #666.MSVBVM60(?,00000008,?,?), ref: 0043241C
                            • __vbaStrCopy.MSVBVM60 ref: 0043243E
                            • __vbaStrMove.MSVBVM60 ref: 0043245D
                            • #666.MSVBVM60(?,00000008,00000000,?), ref: 0043248E
                            • __vbaStrCopy.MSVBVM60 ref: 004324B0
                            • __vbaStrMove.MSVBVM60 ref: 004324CF
                            • #666.MSVBVM60(?,00000008,?,?), ref: 00432500
                            • __vbaVarAdd.MSVBVM60(?,00000008,?), ref: 00432518
                            • __vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0043252D
                            • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 00432542
                            • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 00432557
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 0043255E
                            • __vbaStrMove.MSVBVM60 ref: 0043256B
                            • __vbaFreeStrList.MSVBVM60(0000000C,?,?,?,?,00000000,?,?,?,?,00000000,00000000,00000000), ref: 004325A3
                            • __vbaFreeVarList.MSVBVM60(0000000A,00000008,?,00000008,?,?,?,?,?,?,?), ref: 004325EE
                            • #645.MSVBVM60(00004008,00000010), ref: 0043261B
                            • __vbaStrMove.MSVBVM60 ref: 00432626
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 00432632
                            • __vbaFreeStr.MSVBVM60 ref: 00432649
                            • #531.MSVBVM60(015AC8B4), ref: 00432667
                            • __vbaStrMove.MSVBVM60 ref: 0043268C
                            • __vbaNew2.MSVBVM60(004048D0,00442010), ref: 004326B8
                            • __vbaObjSet.MSVBVM60(?,00000000), ref: 004326F2
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040C7F0,00000064), ref: 0043273B
                            • __vbaFreeObj.MSVBVM60 ref: 00432756
                            • __vbaNew2.MSVBVM60(004048D0,00442010), ref: 00432776
                            • __vbaObjSet.MSVBVM60(?,00000000), ref: 004327B0
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040C7F0,00000064), ref: 004327F9
                            • __vbaFreeObj.MSVBVM60 ref: 00432814
                            • __vbaNew2.MSVBVM60(004048D0,00442010), ref: 0043285C
                            • __vbaObjSet.MSVBVM60(?,00000000), ref: 00432896
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040C7F0,0000005C), ref: 004328DC
                            • __vbaFreeObj.MSVBVM60 ref: 004328F7
                            • __vbaAryDestruct.MSVBVM60(00000000,?,004329D1), ref: 004329AF
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004329BE
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004329CA
                            • __vbaErrorOverflow.MSVBVM60 ref: 004329E2
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Free$Copy$List$#645Error$#666$BstrChkstkDestructNew2$CheckHresult$#516#631BoundsGenerate$#526#531#537#579#608#616#619#632#709#712AnsiOverflowPreserveRedimSystemUnicode
                            • String ID: 0A3704072206313525182628$13021B1C221932$1E1C352A18270A15$221409392225$251D08123A181D112D252913$C:\Users\Public\Libraries\vbsqlite3.dll$DaAZmmhiKomDLWsqsuWVSt$SysWOW64\winsqlite3.dll$\Microsoft\Windows\Templates\$\winsqlite3.dll$bfREBoLXCcddVfJhnFXyYuXxpQJIQoDsWClnUWyuUW$g$nFxGFnGaeaYriQLRLpeIQFGW$uKOpxVfGPojaWlGmQXDxwDxNMuhoHFdoFUMMiOFTSMZm$yRrkXCmSqJimRlFbxNcOlNu
                            • API String ID: 3803378301-2091883943
                            • Opcode ID: 8f292c9e0b6b9051c11d128ee429706019258346eacacf04fc788213385864d7
                            • Instruction ID: 5bd9e7e253bc56efadc243a18d6a95e1e500a2de0a5757efd988287ebcd978e4
                            • Opcode Fuzzy Hash: 8f292c9e0b6b9051c11d128ee429706019258346eacacf04fc788213385864d7
                            • Instruction Fuzzy Hash: D9821B75900218DFDB14DFA0DD88BDEBBB8BF48305F1081AAE506B72A0DB745A89CF54
                            Function 00414841 Relevance: 223.5, APIs: 118, Strings: 9, Instructions: 1228COMMON
                            Download Yara Rule
                            APIs
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 004148CD
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 004148EA
                            • __vbaStrCat.MSVBVM60(00405AFC,01590A08), ref: 0041490E
                            • __vbaStrMove.MSVBVM60 ref: 0041491C
                            • __vbaAryMove.MSVBVM60(00442068,?,?,00442064), ref: 00414945
                            • __vbaFreeStr.MSVBVM60 ref: 00414951
                            • __vbaUbound.MSVBVM60(00000001,01590A98), ref: 0041497C
                            • __vbaI2I4.MSVBVM60 ref: 00414984
                            • __vbaStrCopy.MSVBVM60 ref: 004149E4
                            • __vbaStrMove.MSVBVM60(?), ref: 004149FE
                            • __vbaStrCopy.MSVBVM60 ref: 00414A0F
                            • __vbaStrMove.MSVBVM60 ref: 00414A37
                            • __vbaStrMove.MSVBVM60(?,?), ref: 00414A58
                            • __vbaStrMove.MSVBVM60(01590A98), ref: 00414B02
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00414B09
                            • __vbaNew2.MSVBVM60(00406A28,00000000), ref: 0041607D
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406BFC,0000002C), ref: 004160E4
                            • __vbaVarForInit.MSVBVM60(?,?,?,00000002,00000003,00000002), ref: 00416156
                            • __vbaNew2.MSVBVM60(00406A28,00000000), ref: 0041668F
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406BFC,0000002C), ref: 004166F6
                            • __vbaErrorOverflow.MSVBVM60 ref: 00417877
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Error$BoundsCheckCopyGenerateHresultNew2$FreeInitOverflowUbound
                            • String ID: 2C0F16001B075814362331$2F08313F160C35261400380F1B396407162235$IpCygrixPWWPfkNPcOapTAzeevxvMTdR$Profiles$S$\Profiles$\User Data$\User Data\Default\Login Data$dsLTYwyYRHLWhrWDCwVTfAIhaTFvmqcbQLVEXeGdOWt
                            • API String ID: 206581572-3333644439
                            • Opcode ID: 5d9d29d8fa063b325cc79996b26a24b865a6634bb51e7259aec3940e473fcdbd
                            • Instruction ID: 6335b712a974d4dc95b29b54ecf11ed45f1b7a36053a51c2549482bb99afe58b
                            • Opcode Fuzzy Hash: 5d9d29d8fa063b325cc79996b26a24b865a6634bb51e7259aec3940e473fcdbd
                            • Instruction Fuzzy Hash: 43D21974A01218CFDB24CF54DE84BE9B7B5FB89300F5081EAE50AA7260DB745AC9CF59
                            Function 004149A5 Relevance: 212.9, APIs: 112, Strings: 9, Instructions: 1168COMMON
                            Download Yara Rule
                            APIs
                            • __vbaStrCopy.MSVBVM60 ref: 004149E4
                              • Part of subcall function 004338E0: __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                              • Part of subcall function 004338E0: #632.MSVBVM60(?,?,?,?), ref: 00433982
                              • Part of subcall function 004338E0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                              • Part of subcall function 004338E0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                              • Part of subcall function 004338E0: #537.MSVBVM60(00000000), ref: 004339A6
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                              • Part of subcall function 004338E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaStrMove.MSVBVM60(?), ref: 004149FE
                            • __vbaStrCopy.MSVBVM60 ref: 00414A0F
                            • __vbaStrMove.MSVBVM60 ref: 00414A37
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,6D10D8B1,00000001,6D0FA323), ref: 00432A33
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?), ref: 00432A69
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00432A74
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,?), ref: 00432A77
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00432A82
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00432A8B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00432AA9
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432AC6
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AD1
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00432AD4
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE0
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE9
                              • Part of subcall function 004329F0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00432B0A
                              • Part of subcall function 004329F0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 00432B1C
                              • Part of subcall function 004329F0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 00432B23
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432B2E
                            • __vbaStrMove.MSVBVM60(?,?), ref: 00414A58
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00414AA4
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00414AC1
                            • __vbaStrMove.MSVBVM60(01590A98), ref: 00414B02
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00414B09
                            • #645.MSVBVM60(00000008,00000000), ref: 00414B28
                            • __vbaStrMove.MSVBVM60 ref: 00414B36
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 00414B42
                            • __vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,00000000,00000000), ref: 00414B8A
                            • __vbaFreeVar.MSVBVM60(?,?,?,?,00000000,?,00000000,00403596), ref: 00414B99
                            • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00000000,?,00000000,00403596), ref: 00414BFD
                            • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00000000,?,00000000,00403596), ref: 00414C1A
                            • #712.MSVBVM60(01590A98,\User Data,00405BB8,00000001,000000FF,00000000,?,?,?,?,00000000,?,00000000,00403596), ref: 00414C49
                            • __vbaStrMove.MSVBVM60(?,?,?,?,00000000,?,00000000,00403596), ref: 00414C56
                            • __vbaLenBstr.MSVBVM60(015A51AC), ref: 00414C7D
                            • #709.MSVBVM60(015A51AC,00405AFC,000000FF,00000000), ref: 00414C95
                            • #619.MSVBVM60(?,00004008,00000000), ref: 00414CB2
                            • __vbaStrVarMove.MSVBVM60(?), ref: 00414CBF
                            • __vbaStrMove.MSVBVM60 ref: 00414CCC
                            • __vbaFreeVar.MSVBVM60 ref: 00414CD8
                            • __vbaStrCopy.MSVBVM60 ref: 00414CF0
                            • __vbaStrMove.MSVBVM60(?), ref: 00414D0A
                            • __vbaStrCopy.MSVBVM60 ref: 00414D1B
                            • __vbaStrMove.MSVBVM60 ref: 00414D43
                            • __vbaStrMove.MSVBVM60(?,?), ref: 00414D64
                            • __vbaNew2.MSVBVM60(00406A28,00000000), ref: 00414D79
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00414DFD
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00414E1A
                            • __vbaStrMove.MSVBVM60(01590A98), ref: 00414E5A
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00414E61
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406BFC,00000028), ref: 00414EBD
                            • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,00000000), ref: 00414F01
                            • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00403596), ref: 00414F10
                            • __vbaStrCat.MSVBVM60(\User Data\Default\Login Data,01590A98,?,?,?,?,00000000,?,00000000,00403596), ref: 00414FA6
                            • #645.MSVBVM60(00000008,00000000), ref: 00414FC5
                            • __vbaStrMove.MSVBVM60 ref: 00414FD3
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 00414FDF
                            • __vbaFreeStr.MSVBVM60 ref: 00414FFA
                            • __vbaFreeVar.MSVBVM60 ref: 00415006
                            • __vbaErrorOverflow.MSVBVM60 ref: 00417877
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Free$Error$BoundsGenerate$BstrCopy$List$#516#631#645$#537#608#619#632#709#712CheckHresultNew2Overflow
                            • String ID: 2C0F16001B075814362331$2F08313F160C35261400380F1B396407162235$IpCygrixPWWPfkNPcOapTAzeevxvMTdR$Profiles$S$\Profiles$\User Data$\User Data\Default\Login Data$dsLTYwyYRHLWhrWDCwVTfAIhaTFvmqcbQLVEXeGdOWt
                            • API String ID: 3691625242-3333644439
                            • Opcode ID: fb1ada6eb763cf80059cb1e2b364eab7e0efe90a0e5cc0be217239e142dbf609
                            • Instruction ID: a55aceebb8ddcec1964cbf9a6493431f2df3d9904015b0a81379b19bd1947555
                            • Opcode Fuzzy Hash: fb1ada6eb763cf80059cb1e2b364eab7e0efe90a0e5cc0be217239e142dbf609
                            • Instruction Fuzzy Hash: 45C21974A01218CFDB24CF54DE84BE9B7B5FB89300F5081EAE50AA7260DB745AC9CF59
                            Function 004338E0 Relevance: 189.9, APIs: 104, Strings: 4, Instructions: 853COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 4741 4338e0-433943 __vbaLenBstr 4742 433948-43394e 4741->4742 4743 4339f6-433a2d 4742->4743 4744 433954-4339e8 #632 __vbaVarCat __vbaI4ErrVar #537 __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStr __vbaFreeVarList 4742->4744 4745 433a44-433af1 __vbaErrorOverflow __vbaChkstk __vbaOnError __vbaVarVargNofree __vbaVarSub __vbaI2Var 4744->4745 4746 4339ea-4339f1 4744->4746 4749 433b08-433b13 4745->4749 4746->4742 4750 433bf7-433c08 4749->4750 4751 433b19-433b2a 4749->4751 4752 433b30-433b45 4751->4752 4753 433c1c-433c91 __vbaErrorOverflow __vbaChkstk __vbaOnError 4751->4753 4752->4753 4755 433b4b-433bf2 __vbaChkstk * 2 __vbaVarIndexLoad __vbaChkstk __vbaVarIndexStore __vbaFreeVar 4752->4755 4758 433c93-433ca2 4753->4758 4759 433ca4-433cb9 __vbaLbound 4753->4759 4755->4753 4760 433b04 4755->4760 4761 433cbc-433cc9 4758->4761 4759->4761 4760->4749 4762 433ccb-433cda 4761->4762 4763 433cdc-433cf1 __vbaUbound 4761->4763 4764 433cf4-433d01 4762->4764 4763->4764 4765 433d07-433d0a 4764->4765 4766 433f65-433ffd __vbaErrorOverflow __vbaChkstk __vbaOnError #645 __vbaStrMove 4764->4766 4765->4766 4767 433d10-433d13 4765->4767 4770 434003-43401b __vbaStrCmp 4766->4770 4767->4766 4769 433d19-433d77 #525 __vbaStrMove 4767->4769 4774 433efb-433f4e __vbaStrCopy __vbaFreeStr * 2 4769->4774 4775 433d7d-433d98 __vbaAryLock 4769->4775 4772 434021-434056 __vbaStrCmp * 2 4770->4772 4773 4341bc-434216 __vbaAryMove __vbaAryDestruct __vbaFreeStr 4770->4773 4777 434182-4341b7 #645 __vbaStrMove __vbaFreeVar 4772->4777 4778 43405c-4340a5 __vbaStrCat __vbaStrMove #579 __vbaFreeStr 4772->4778 4780 433d9a-433da1 4775->4780 4781 433ddd-433de3 __vbaGenerateBoundsError 4775->4781 4777->4770 4778->4777 4782 4340ab-4340dc __vbaRedimPreserve 4778->4782 4780->4781 4783 433da3-433db8 4780->4783 4784 433de9-433e4b #572 __vbaStrMove __vbaAryUnlock __vbaStrMove __vbaLenBstr 4781->4784 4785 4340de-4340e5 4782->4785 4786 43411c-434122 __vbaGenerateBoundsError 4782->4786 4788 433dc6-433dcc __vbaGenerateBoundsError 4783->4788 4789 433dba-433dc4 4783->4789 4790 433e6e-433e7b 4784->4790 4791 433e4d-433e68 __vbaStrCat __vbaStrMove 4784->4791 4785->4786 4792 4340e7-4340fd 4785->4792 4787 434125-434178 __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStr 4786->4787 4793 43417e 4787->4793 4794 43422d-43434f __vbaErrorOverflow __vbaChkstk __vbaOnError __vbaNew __vbaObjSet __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove * 2 4787->4794 4795 433dd2-433ddb 4788->4795 4789->4795 4798 433ed2-433ee9 __vbaMidStmtBstr 4790->4798 4799 433e7d-433ec7 __vbaStrCat __vbaStrMove __vbaMidStmtBstr __vbaFreeStr 4790->4799 4791->4790 4796 434108-43410e __vbaGenerateBoundsError 4792->4796 4797 4340ff-434106 4792->4797 4793->4777 4809 434371 4794->4809 4810 434351-43436f __vbaHresultCheckObj 4794->4810 4795->4784 4800 434111-43411a 4796->4800 4797->4800 4802 433eef 4798->4802 4799->4766 4801 433ecd-433ed0 4799->4801 4800->4787 4801->4802 4802->4774 4811 43437b-434440 __vbaObjSet __vbaFreeStrList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove 4809->4811 4810->4811 4817 434462 4811->4817 4818 434442-434460 __vbaHresultCheckObj 4811->4818 4819 43446c-4344ad __vbaFreeStrList 4817->4819 4818->4819 4821 4344af-4344ca __vbaHresultCheckObj 4819->4821 4822 4344cc 4819->4822 4823 4344d6-4344f6 4821->4823 4822->4823 4825 434515 4823->4825 4826 4344f8-434513 __vbaHresultCheckObj 4823->4826 4827 43451f-4345f3 __vbaVar2Vec __vbaAryMove __vbaFreeVar __vbaCastObj __vbaObjSet __vbaCastObj __vbaObjSet __vbaFreeObj * 2 4825->4827 4826->4827
                            APIs
                            • __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                            • #632.MSVBVM60(?,?,?,?), ref: 00433982
                            • __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                            • __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                            • #537.MSVBVM60(00000000), ref: 004339A6
                            • __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                            • __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                            • __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                            • __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                            • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaErrorOverflow.MSVBVM60 ref: 00433A44
                            • __vbaChkstk.MSVBVM60(00000000,00403596), ref: 00433A6E
                            • __vbaOnError.MSVBVM60(000000FF,6D10D8B1,?,6D0FA323,00000000,00403596), ref: 00433A9E
                            • __vbaVarVargNofree.MSVBVM60 ref: 00433ABF
                            • __vbaVarSub.MSVBVM60(?,00000002,00000000), ref: 00433ACE
                            • __vbaI2Var.MSVBVM60(00000000), ref: 00433AD5
                            • __vbaChkstk.MSVBVM60 ref: 00433B5B
                            • __vbaChkstk.MSVBVM60 ref: 00433B7E
                            • __vbaVarIndexLoad.MSVBVM60(?,?,00000001), ref: 00433BA6
                            • __vbaChkstk.MSVBVM60 ref: 00433BB6
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Chkstk$ErrorFreeMove$#537#632BstrIndexListLoadNofreeOverflowVarg
                            • String ID: 125C41$272B266A17313C204179$OpjuDmInowpQv$fEBHDuPOEwMevLOFkJgcMNhE
                            • API String ID: 2129149374-3819594282
                            • Opcode ID: 60919d384da33084d31e02d128287785602ddc879e636079274162eb60edc1b3
                            • Instruction ID: 59f0ed98bb5d1274efdda4bf804b31d6cbf44fcdea57acbb4352cbbf748b9f67
                            • Opcode Fuzzy Hash: 60919d384da33084d31e02d128287785602ddc879e636079274162eb60edc1b3
                            • Instruction Fuzzy Hash: B882F8B5900208EFDB04DFA4DA88BDEBBB5FF48705F108169E506B72A0DB746A85CF54
                            Function 0041790C Relevance: 189.8, APIs: 97, Strings: 11, Instructions: 816COMMON
                            Download Yara Rule
                            APIs
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00417988
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 004179A5
                            • __vbaStrCat.MSVBVM60(\accounts.xml,01590A08), ref: 004179C8
                            • #645.MSVBVM60(00000008,00000000), ref: 004179E7
                            • __vbaStrMove.MSVBVM60 ref: 004179F2
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 004179FE
                            • __vbaFreeStr.MSVBVM60 ref: 00417A16
                            • __vbaFreeVar.MSVBVM60 ref: 00417A22
                            • __vbaNew2.MSVBVM60(00406D98,00000000), ref: 00417A4D
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00417ABD
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00417ADA
                            • __vbaStrCat.MSVBVM60(\accounts.xml,01590A08), ref: 00417AFE
                            • __vbaChkstk.MSVBVM60(?), ref: 00417B20
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406DA8,000000E8), ref: 00417B88
                            • __vbaFreeVar.MSVBVM60 ref: 00417BA6
                            • __vbaNew2.MSVBVM60(00406D98,00000000), ref: 00417BC2
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406DA8,000000B4), ref: 00417C2F
                            • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406E88,00000030), ref: 00417C92
                            • __vbaObjSet.MSVBVM60(?,?), ref: 00417CCE
                            • __vbaForEachCollObj.MSVBVM60(00406E88,?,?,00000000), ref: 00417CE5
                            • __vbaFreeObj.MSVBVM60 ref: 00417CF7
                            • __vbaStrCopy.MSVBVM60 ref: 00417D11
                            • __vbaStrMove.MSVBVM60(?), ref: 00417D25
                            • __vbaStrCopy.MSVBVM60 ref: 00417D33
                            • __vbaStrMove.MSVBVM60(?), ref: 00417D47
                            • __vbaStrCopy.MSVBVM60 ref: 00417D55
                            • __vbaStrMove.MSVBVM60 ref: 00417D74
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406E88,00000030), ref: 00417DB0
                            • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407AA0,0000001C), ref: 00417E15
                            • __vbaFreeObjList.MSVBVM60(00000006,?,?,?,?,?,?,00419F29), ref: 00419ED1
                            • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,?,00000000,00403596), ref: 00419EE3
                            • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,?,00000000,00403596), ref: 00419EF2
                            • __vbaFreeStr.MSVBVM60(?,?,?,00000000,?,00000000,00403596), ref: 00419EFB
                            • __vbaFreeStr.MSVBVM60(?,?,?,00000000,?,00000000,00403596), ref: 00419F04
                            • __vbaFreeObj.MSVBVM60(?,?,?,00000000,?,00000000,00403596), ref: 00419F0D
                            • __vbaFreeObj.MSVBVM60(?,?,?,00000000,?,00000000,00403596), ref: 00419F16
                            • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,?,00000000,00403596), ref: 00419F22
                            • __vbaErrorOverflow.MSVBVM60 ref: 00419F3D
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Free$CheckErrorHresult$BoundsGenerateMove$CopyDestruct$New2$#645ChkstkCollEachListOverflow
                            • String ID: %$13213B051F35033D381826624D45363F0510320303162F$15233B37023F3D21577745$===============DARKCLOUD===============$Application : FileZilla$Server$\accounts.xml$\recentservers.xml$\sitemanager.xml$eRQKivVbIQwHBwepViuhjozNacKRVlQTWZpmEgYscq$fEBHDuPOEwMevLOFkJgcMNhE
                            • API String ID: 1698869595-1131604002
                            • Opcode ID: 399a3241d6925a38a03284a8c1ae36c878930a1c0c800784fc06cdb94f50ca3e
                            • Instruction ID: 8fbe97cbb6be96117ae2009dd600dffa7a05010395e4a123f35eb122d866b559
                            • Opcode Fuzzy Hash: 399a3241d6925a38a03284a8c1ae36c878930a1c0c800784fc06cdb94f50ca3e
                            • Instruction Fuzzy Hash: DB820974A00218DFDB14DF94DD98BEEB7B5FF48300F1081AAE50AA72A0DB745A85CF59
                            Function 00404BC1 Relevance: 166.8, APIs: 74, Strings: 21, Instructions: 542COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 5114 404bc1-40f85b __vbaChkstk __vbaOnError 5117 40f861-40ff06 __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove call 431900 __vbaFreeStrList __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove call 431900 __vbaFreeStrList __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove call 431900 __vbaFreeStrList __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove call 431900 __vbaFreeStrList __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 #666 __vbaStrCopy __vbaStrMove call 4329f0 #666 __vbaVarCat * 2 __vbaStrVarMove __vbaStrMove call 431900 __vbaFreeStrList __vbaFreeVarList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove call 431900 __vbaFreeStrList __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove call 431900 __vbaFreeStrList __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove call 431900 __vbaFreeStrList __vbaFreeVar __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove call 431900 5114->5117 5118 40ff45-40ff57 5114->5118 5235 40ff0b-40ff43 __vbaFreeStrList __vbaFreeVar 5117->5235 5119 40fff8-4100cd __vbaErrorOverflow __vbaChkstk __vbaStrCopy __vbaOnError #645 __vbaStrMove __vbaStrCmp __vbaFreeStr 5118->5119 5120 40ff5d 5118->5120 5129 4100f6-4101eb __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrCopy __vbaStrMove call 4329f0 5119->5129 5130 4100cf-4100f0 #529 5119->5130 5122 40ff64-40ffd5 5120->5122 5151 410210 5129->5151 5152 4101ed-41020e __vbaHresultCheckObj 5129->5152 5130->5129 5154 41021a-41032c __vbaChkstk * 2 __vbaLateMemCallLd __vbaCastObjVar __vbaObjSet __vbaFreeStrList __vbaFreeObj __vbaFreeVarList __vbaObjSetAddref __vbaI2I4 5151->5154 5152->5154 5159 410354 5154->5159 5160 41032e-410352 __vbaHresultCheckObj 5154->5160 5162 41035e-41038a 5159->5162 5160->5162 5168 41038c-4103ad __vbaHresultCheckObj 5162->5168 5169 4103af 5162->5169 5171 4103b9-410478 __vbaChkstk * 2 5168->5171 5169->5171 5176 41047a-41049b __vbaHresultCheckObj 5171->5176 5177 41049d 5171->5177 5179 4104a7-4104cc 5176->5179 5177->5179 5184 4104f1 5179->5184 5185 4104ce-4104ef __vbaHresultCheckObj 5179->5185 5187 4104fb-4105ba __vbaChkstk * 2 5184->5187 5185->5187 5191 4105bc-4105dd __vbaHresultCheckObj 5187->5191 5192 4105df 5187->5192 5194 4105e9-4106dc __vbaChkstk * 3 5191->5194 5192->5194 5200 410704 5194->5200 5201 4106de-410702 __vbaHresultCheckObj 5194->5201 5203 41070e-41073b 5200->5203 5201->5203 5208 410763 5203->5208 5209 41073d-410761 __vbaHresultCheckObj 5203->5209 5211 41076d-4107f5 __vbaObjSetAddref call 405704 __vbaSetSystemError call 405744 __vbaSetSystemError 5208->5211 5209->5211 5223 4107f7-410818 __vbaHresultCheckObj 5211->5223 5224 41081a 5211->5224 5226 410824-410874 call 4057e4 __vbaSetSystemError 5223->5226 5224->5226 5236 410876-410897 __vbaHresultCheckObj 5226->5236 5237 410899 5226->5237 5235->5122 5238 4108a3-4108cc 5236->5238 5237->5238 5240 4108f1 5238->5240 5241 4108ce-4108ef __vbaHresultCheckObj 5238->5241 5242 4108fb-410902 5240->5242 5241->5242 5243 410920 5242->5243 5244 410904-41091e __vbaNew2 5242->5244 5245 41092a-41097f __vbaObjSet 5243->5245 5244->5245 5247 410981-4109a2 __vbaHresultCheckObj 5245->5247 5248 4109a4 5245->5248 5249 4109ae-410a46 __vbaFreeObj __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 5247->5249 5248->5249 5255 410a48-410a69 __vbaHresultCheckObj 5249->5255 5256 410a6b 5249->5256 5257 410a75-410b22 __vbaChkstk __vbaLateMemCall __vbaFreeStrList __vbaFreeObj __vbaFreeVar call 405794 __vbaSetSystemError __vbaStrCopy * 2 call 43c240 5255->5257 5256->5257 5261 410b27-410bb9 __vbaFreeStrList __vbaFreeObj * 2 __vbaFreeStr 5257->5261
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596), ref: 0040F7FE
                            • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00403596), ref: 0040F845
                            • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00403596), ref: 0040F870
                              • Part of subcall function 004338E0: __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                              • Part of subcall function 004338E0: #632.MSVBVM60(?,?,?,?), ref: 00433982
                              • Part of subcall function 004338E0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                              • Part of subcall function 004338E0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                              • Part of subcall function 004338E0: #537.MSVBVM60(00000000), ref: 004339A6
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                              • Part of subcall function 004338E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00403596), ref: 0040F884
                            • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00403596), ref: 0040F892
                            • __vbaStrMove.MSVBVM60 ref: 0040F8B1
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,6D10D8B1,00000001,6D0FA323), ref: 00432A33
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?), ref: 00432A69
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00432A74
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,?), ref: 00432A77
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00432A82
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00432A8B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00432AA9
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432AC6
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AD1
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00432AD4
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE0
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE9
                              • Part of subcall function 004329F0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00432B0A
                              • Part of subcall function 004329F0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 00432B1C
                              • Part of subcall function 004329F0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 00432B23
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432B2E
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0040F8C9
                              • Part of subcall function 00431900: __vbaChkstk.MSVBVM60(?,00403596,?,?,?,?,00000000,00403596), ref: 0043191E
                              • Part of subcall function 00431900: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00403596), ref: 0043194E
                              • Part of subcall function 00431900: __vbaStrCat.MSVBVM60(00405AFC,015AC8B4,?,?,?,?,00403596), ref: 0043196D
                              • Part of subcall function 00431900: #645.MSVBVM60(00000008,00000000), ref: 00431983
                              • Part of subcall function 00431900: __vbaVarMove.MSVBVM60 ref: 00431999
                              • Part of subcall function 00431900: __vbaFreeVar.MSVBVM60 ref: 004319A2
                              • Part of subcall function 00431900: __vbaVarTstGt.MSVBVM60(00008008,?), ref: 004319CE
                              • Part of subcall function 00431900: __vbaInStrVar.MSVBVM60(00000008,00000000,00000008,?,00000001), ref: 00431A0E
                              • Part of subcall function 00431900: __vbaBoolVarNull.MSVBVM60(00000000), ref: 00431A15
                              • Part of subcall function 00431900: __vbaFreeVar.MSVBVM60 ref: 00431A25
                              • Part of subcall function 00431900: __vbaStrCat.MSVBVM60(00405AFC,015AC8B4), ref: 00431A4D
                              • Part of subcall function 00431900: __vbaVarCat.MSVBVM60(?,?,00000008), ref: 00431A69
                              • Part of subcall function 00431900: __vbaStrVarMove.MSVBVM60(00000000), ref: 00431A70
                              • Part of subcall function 00431900: __vbaStrMove.MSVBVM60 ref: 00431A7B
                              • Part of subcall function 00431900: __vbaVarAdd.MSVBVM60(0000000A,?,00000008), ref: 00431AA4
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,?,?), ref: 0040F8F2
                            • __vbaFreeVar.MSVBVM60(?,?,?,?,?,00403596), ref: 0040F8FE
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,00403596), ref: 0040F913
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,00403596), ref: 0040F927
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,00403596), ref: 0040F935
                            • __vbaStrMove.MSVBVM60 ref: 0040F954
                              • Part of subcall function 004329F0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,00000002,?,?,?), ref: 00432B3A
                              • Part of subcall function 004329F0: __vbaStrCopy.MSVBVM60 ref: 00432B59
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(00432B9C), ref: 00432B95
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0040F96C
                              • Part of subcall function 00431900: __vbaStrVarMove.MSVBVM60(00000000), ref: 00431AAB
                              • Part of subcall function 00431900: __vbaStrMove.MSVBVM60 ref: 00431AB6
                              • Part of subcall function 00431900: __vbaStrCopy.MSVBVM60 ref: 00431AC4
                              • Part of subcall function 00431900: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?), ref: 00431AE9
                              • Part of subcall function 00431900: __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,00403596), ref: 00431B00
                              • Part of subcall function 00431900: #645.MSVBVM60(0000000A,00000000), ref: 00431B24
                              • Part of subcall function 00431900: __vbaVarMove.MSVBVM60 ref: 00431B3A
                              • Part of subcall function 00431900: __vbaFreeVar.MSVBVM60 ref: 00431B43
                              • Part of subcall function 00431900: __vbaFreeVar.MSVBVM60(00431BA1), ref: 00431B9A
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,?,?), ref: 0040F995
                            • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00403596), ref: 0040F9A1
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00403596), ref: 0040F9B6
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00403596), ref: 0040F9CA
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00403596), ref: 0040F9D8
                            • __vbaStrMove.MSVBVM60 ref: 0040F9F7
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0040FA0F
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,?,?), ref: 0040FA38
                            • __vbaFreeVar.MSVBVM60 ref: 0040FA44
                            • __vbaStrCopy.MSVBVM60 ref: 0040FA59
                            • __vbaStrMove.MSVBVM60(?), ref: 0040FA6D
                            • __vbaStrCopy.MSVBVM60 ref: 0040FA7B
                            • __vbaStrMove.MSVBVM60 ref: 0040FA9A
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0040FAB2
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,?,?), ref: 0040FADB
                            • __vbaFreeVar.MSVBVM60 ref: 0040FAE7
                            • __vbaStrCopy.MSVBVM60 ref: 0040FAFC
                            • __vbaStrMove.MSVBVM60(?), ref: 0040FB10
                            • __vbaStrCopy.MSVBVM60 ref: 0040FB1E
                            • __vbaStrMove.MSVBVM60(?), ref: 0040FB32
                            • __vbaStrCopy.MSVBVM60 ref: 0040FB40
                            • __vbaStrMove.MSVBVM60 ref: 0040FB5F
                            • #666.MSVBVM60(?,00000008,?,?), ref: 0040FB84
                            • __vbaStrCopy.MSVBVM60 ref: 0040FBA6
                            • __vbaStrMove.MSVBVM60 ref: 0040FBC5
                            • #666.MSVBVM60(?,00000008,00000000,?), ref: 0040FBF3
                            • __vbaVarCat.MSVBVM60(?,00000008,?), ref: 0040FC08
                            • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 0040FC1D
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 0040FC24
                            • __vbaStrMove.MSVBVM60 ref: 0040FC2F
                            • __vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,00000000,?,?,00000000,00000000,?,?), ref: 0040FC6B
                            • __vbaFreeVarList.MSVBVM60(00000007,00000008,?,00000008,?,?,?,?), ref: 0040FC9E
                            • __vbaStrCopy.MSVBVM60 ref: 0040FCB6
                            • __vbaStrMove.MSVBVM60(?), ref: 0040FCCA
                            • __vbaStrCopy.MSVBVM60 ref: 0040FCD8
                            • __vbaStrMove.MSVBVM60 ref: 0040FCF7
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0040FD0F
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,00000008,?), ref: 0040FD38
                            • __vbaFreeVar.MSVBVM60 ref: 0040FD44
                            • __vbaStrCopy.MSVBVM60 ref: 0040FD59
                            • __vbaStrMove.MSVBVM60(?), ref: 0040FD6D
                            • __vbaStrCopy.MSVBVM60 ref: 0040FD7B
                            • __vbaStrMove.MSVBVM60 ref: 0040FD9A
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0040FDB2
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,00000008,?), ref: 0040FDDB
                            • __vbaFreeVar.MSVBVM60 ref: 0040FDE7
                            • __vbaStrCopy.MSVBVM60 ref: 0040FDFC
                            • __vbaStrMove.MSVBVM60(?), ref: 0040FE10
                            • __vbaStrCopy.MSVBVM60 ref: 0040FE1E
                            • __vbaStrMove.MSVBVM60 ref: 0040FE3D
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0040FE55
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,00000008,?), ref: 0040FE7E
                            • __vbaFreeVar.MSVBVM60 ref: 0040FE8A
                            • __vbaStrCopy.MSVBVM60 ref: 0040FE9F
                            • __vbaStrMove.MSVBVM60(?), ref: 0040FEB3
                            • __vbaStrCopy.MSVBVM60 ref: 0040FEC1
                            • __vbaStrMove.MSVBVM60 ref: 0040FEE0
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0040FEF8
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,00000008,?), ref: 0040FF21
                            • __vbaFreeVar.MSVBVM60 ref: 0040FF2D
                            Strings
                            • ?, xrefs: 00404BC1
                            • FooLYMsydKdRNBihulsNisUDLbnJcmksK, xrefs: 0040FCD0
                            • 251D08123A181D112D252913, xrefs: 0040FAF4
                            • 3C0C3E3C281D0A0C2410, xrefs: 0040FCAE
                            • ZRVaerbSjrqolGOtJhLqYsgeQEuJfMgr, xrefs: 0040FA73
                            • 08392D04263012, xrefs: 0040F868
                            • CKVBoOUaMcDUJGOHGJvFjNc, xrefs: 0040F88A
                            • 1D0D3A3424310B1D, xrefs: 0040F90B
                            • 32003B022C082D22, xrefs: 0040F9AE
                            • TPhIGEVnnDAcxBmquNLKnxUzhkIueKypvOtCpKegGKCE, xrefs: 0040F92D
                            • 31240401170C2703131D1C, xrefs: 0040FA51
                            • fPMjsRvSvSZvbiRQuLuLkdqnSERSXTtkj, xrefs: 0040FEB9
                            • 1624061621, xrefs: 0040FE97
                            • 0C331C0A0D3E30281F1C223825, xrefs: 0040FDF4
                            • rqDLrfgHeMXtBIJNQMVTnpL, xrefs: 0040FD73
                            • uKOpxVfGPojaWlGmQXDxwDxNMuhoHFdoFUMMiOFTSMZm, xrefs: 0040FB9E
                            • 3A213536071329, xrefs: 0040FD51
                            • 1E1C352A18270A15, xrefs: 0040FB16
                            • eqoUvMkYQUbSu, xrefs: 0040F9D0
                            • BOAezyQgIspGLVNiHNHvleLmQsVUunyK, xrefs: 0040FE16
                            • bfREBoLXCcddVfJhnFXyYuXxpQJIQoDsWClnUWyuUW, xrefs: 0040FB38
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Free$Copy$List$Bstr$#516#631#645#666ChkstkError$#537#608#632BoolNull
                            • String ID: 08392D04263012$0C331C0A0D3E30281F1C223825$1624061621$1D0D3A3424310B1D$1E1C352A18270A15$251D08123A181D112D252913$31240401170C2703131D1C$32003B022C082D22$3A213536071329$3C0C3E3C281D0A0C2410$?$BOAezyQgIspGLVNiHNHvleLmQsVUunyK$CKVBoOUaMcDUJGOHGJvFjNc$FooLYMsydKdRNBihulsNisUDLbnJcmksK$TPhIGEVnnDAcxBmquNLKnxUzhkIueKypvOtCpKegGKCE$ZRVaerbSjrqolGOtJhLqYsgeQEuJfMgr$bfREBoLXCcddVfJhnFXyYuXxpQJIQoDsWClnUWyuUW$eqoUvMkYQUbSu$fPMjsRvSvSZvbiRQuLuLkdqnSERSXTtkj$rqDLrfgHeMXtBIJNQMVTnpL$uKOpxVfGPojaWlGmQXDxwDxNMuhoHFdoFUMMiOFTSMZm
                            • API String ID: 1362582428-4032726971
                            • Opcode ID: 045151720ca34b80217fede66e984c1df7254fbe7a9a42797cf3d567d0e4e77e
                            • Instruction ID: 3733970d6049696ffd29fdd2be1d968e258b6aa6fcfb499826e013364ab60497
                            • Opcode Fuzzy Hash: 045151720ca34b80217fede66e984c1df7254fbe7a9a42797cf3d567d0e4e77e
                            • Instruction Fuzzy Hash: 93320E72900109EBCB04EFD4DE94EDEB7B9FF48304F10816AE506B6164EB746A49CF64
                            Function 004258C0 Relevance: 144.0, APIs: 73, Strings: 9, Instructions: 536COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 5263 4258c0-4259af __vbaChkstk __vbaOnError call 433f70 __vbaAryMove __vbaUbound __vbaI2I4 5267 4259b5-425a27 __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove 5263->5267 5268 4260b9-426161 __vbaFreeVar __vbaAryDestruct __vbaFreeVar __vbaAryDestruct * 2 __vbaFreeStr 5263->5268 5274 425a29-425a30 5267->5274 5275 425a7c-425a82 __vbaGenerateBoundsError 5267->5275 5274->5275 5276 425a32-425a51 5274->5276 5277 425a88-425acc __vbaStrMove __vbaStrCat 5275->5277 5278 425a53-425a5d 5276->5278 5279 425a5f-425a65 __vbaGenerateBoundsError 5276->5279 5280 425b21-425b27 __vbaGenerateBoundsError 5277->5280 5281 425ace-425ad5 5277->5281 5284 425a6b-425a7a 5278->5284 5279->5284 5283 425b2d-425c07 __vbaStrCat #645 __vbaStrMove __vbaStrCmp #645 __vbaStrMove __vbaStrCmp __vbaFreeStrList __vbaFreeVarList 5280->5283 5281->5280 5282 425ad7-425af6 5281->5282 5285 425b04-425b0a __vbaGenerateBoundsError 5282->5285 5286 425af8-425b02 5282->5286 5287 425f2c-4260b4 __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaVarCat #645 __vbaStrMove __vbaStrCmp __vbaVarCat #645 __vbaStrMove __vbaStrCmp __vbaFreeStrList __vbaFreeVarList 5283->5287 5288 425c0d-425c4b #716 __vbaVarZero 5283->5288 5284->5277 5289 425b10-425b1f 5285->5289 5286->5289 5290 425ca0-425ca6 __vbaGenerateBoundsError 5288->5290 5291 425c4d-425c54 5288->5291 5289->5283 5294 425cac-425e19 __vbaStrCat * 2 __vbaChkstk * 2 __vbaObjVar __vbaLateMemCall __vbaFreeVarList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove 5290->5294 5291->5290 5293 425c56-425c75 5291->5293 5296 425c83-425c89 __vbaGenerateBoundsError 5293->5296 5297 425c77-425c81 5293->5297 5305 425e1b-425e22 5294->5305 5306 425e6e-425e74 __vbaGenerateBoundsError 5294->5306 5300 425c8f-425c9e 5296->5300 5297->5300 5300->5294 5305->5306 5307 425e24-425e43 5305->5307 5308 425e7a-425f26 __vbaStrMove __vbaStrCat __vbaStrMove call 428470 __vbaFreeStrList __vbaStrCat #529 __vbaFreeVar 5306->5308 5309 425e51-425e57 __vbaGenerateBoundsError 5307->5309 5310 425e45-425e4f 5307->5310 5308->5287 5312 425e5d-425e6c 5309->5312 5310->5312 5312->5308
                            APIs
                            • __vbaChkstk.MSVBVM60(?,00403596,?,?,?,004169AF,?,?), ref: 004258DE
                            • __vbaAryMove.MSVBVM60(?,?,?,00442064,?,00000000,?,?,00403596), ref: 0042594A
                            • __vbaUbound.MSVBVM60(00000001,?,?,00000000,?,?,00403596), ref: 0042595D
                            • __vbaI2I4.MSVBVM60(?,00000000,?,?,00403596), ref: 00425965
                            • __vbaStrCopy.MSVBVM60 ref: 004259C4
                              • Part of subcall function 004338E0: __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                              • Part of subcall function 004338E0: #632.MSVBVM60(?,?,?,?), ref: 00433982
                              • Part of subcall function 004338E0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                              • Part of subcall function 004338E0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                              • Part of subcall function 004338E0: #537.MSVBVM60(00000000), ref: 004339A6
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                              • Part of subcall function 004338E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00403596), ref: 0042590E
                              • Part of subcall function 004338E0: __vbaChkstk.MSVBVM60(00000000,00403596), ref: 00433F8E
                              • Part of subcall function 004338E0: __vbaOnError.MSVBVM60(000000FF,6D10D8B1,?,6D0FA323,00000000,00403596), ref: 00433FBE
                              • Part of subcall function 004338E0: #645.MSVBVM60(00004008,00000010), ref: 00433FE5
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60 ref: 00433FF0
                              • Part of subcall function 004338E0: __vbaStrCmp.MSVBVM60(00405BB8,?), ref: 00434013
                              • Part of subcall function 004338E0: __vbaStrCmp.MSVBVM60(00406074,?), ref: 00434031
                              • Part of subcall function 004338E0: __vbaStrCmp.MSVBVM60(0040C3B4,?), ref: 00434047
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(?,00000001), ref: 0043406D
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60 ref: 00434078
                              • Part of subcall function 004338E0: #579.MSVBVM60(00000000), ref: 0043407F
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60 ref: 00434099
                              • Part of subcall function 004338E0: __vbaRedimPreserve.MSVBVM60(00000180,00000004,?,00000008,00000001,00000000,00000000), ref: 004340C8
                            • __vbaStrMove.MSVBVM60(?), ref: 004259D8
                            • __vbaStrCopy.MSVBVM60 ref: 004259E6
                            • __vbaStrMove.MSVBVM60 ref: 00425A05
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,6D10D8B1,00000001,6D0FA323), ref: 00432A33
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?), ref: 00432A69
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00432A74
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,?), ref: 00432A77
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00432A82
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00432A8B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00432AA9
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432AC6
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AD1
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00432AD4
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE0
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE9
                              • Part of subcall function 004329F0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00432B0A
                              • Part of subcall function 004329F0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 00432B1C
                              • Part of subcall function 004329F0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 00432B23
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432B2E
                            • __vbaStrMove.MSVBVM60(?,?), ref: 00425A1D
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00425A5F
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00425A7C
                            • __vbaStrMove.MSVBVM60(00000000), ref: 00425AB1
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00425AB8
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00425B04
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00425B21
                            • __vbaStrCat.MSVBVM60(\key4.db,00000000), ref: 00425B42
                            • #645.MSVBVM60(00000008,00000000), ref: 00425B5E
                            • __vbaStrMove.MSVBVM60 ref: 00425B69
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 00425B75
                            • #645.MSVBVM60(00000008,00000000), ref: 00425B8E
                            • __vbaStrMove.MSVBVM60 ref: 00425B99
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 00425BA5
                            • __vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,00000000,00000000), ref: 00425BDF
                            • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00425BF5
                            • #716.MSVBVM60(?,Scripting.FileSystemObject,00000000,?,?,?,?,?,?,?,?,00000000,?,?,00403596), ref: 00425C1F
                            • __vbaVarZero.MSVBVM60(?,?,?,?,?,?,?,?,00000000,?,?,00403596), ref: 00425C2E
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00425C83
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00425CA0
                            • __vbaStrCat.MSVBVM60(\key4.db,00000000), ref: 00425CC1
                            • __vbaStrCat.MSVBVM60(\keyDBPath.db,015AC8B4), ref: 00425CDD
                            • __vbaChkstk.MSVBVM60 ref: 00425CF8
                            • __vbaChkstk.MSVBVM60 ref: 00425D1B
                            • __vbaObjVar.MSVBVM60(?,CopyFile,00000002), ref: 00425D53
                            • __vbaLateMemCall.MSVBVM60(00000000), ref: 00425D5A
                            • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00425D70
                            • __vbaStrCopy.MSVBVM60 ref: 00425D99
                            • __vbaStrMove.MSVBVM60(?), ref: 00425DAD
                            • __vbaStrCopy.MSVBVM60 ref: 00425DBB
                            • __vbaStrMove.MSVBVM60 ref: 00425DDA
                            • __vbaStrMove.MSVBVM60(?,?), ref: 00425DF2
                            • __vbaStrCat.MSVBVM60(\keyDBPath.db,015AC8B4), ref: 00425E04
                            • __vbaStrMove.MSVBVM60 ref: 00425E0F
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00425E51
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00425E6E
                            • __vbaStrMove.MSVBVM60(00000000), ref: 00425EA3
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00425EAA
                            • __vbaStrMove.MSVBVM60 ref: 00425EB5
                            • __vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,00000000,00000000,?,?,00000000), ref: 00425EEE
                            • __vbaStrCat.MSVBVM60(\keyDBPath.db,015AC8B4), ref: 00425F09
                            • #529.MSVBVM60(00000008), ref: 00425F1D
                            • __vbaFreeVar.MSVBVM60 ref: 00425F26
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,?,?,00403596), ref: 00425F3B
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,?,?,00403596), ref: 00425F4F
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,?,?,00403596), ref: 00425F5D
                            • __vbaStrMove.MSVBVM60 ref: 00425F7C
                              • Part of subcall function 004329F0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,00000002,?,?,?), ref: 00432B3A
                              • Part of subcall function 004329F0: __vbaStrCopy.MSVBVM60 ref: 00432B59
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(00432B9C), ref: 00432B95
                            • __vbaStrMove.MSVBVM60(?,?), ref: 00425F94
                            • __vbaVarCat.MSVBVM60(?,00000008,?,00000000), ref: 00425FDF
                            • #645.MSVBVM60(00000000), ref: 00425FE6
                            • __vbaStrMove.MSVBVM60 ref: 00425FF1
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 00425FFD
                            • __vbaVarCat.MSVBVM60(?,00000008,?,00000000), ref: 00426021
                            • #645.MSVBVM60(00000000), ref: 00426028
                            • __vbaStrMove.MSVBVM60 ref: 00426033
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 0042603F
                            • __vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,00000000,?), ref: 00426087
                            • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 004260A4
                            • __vbaFreeVar.MSVBVM60(00426162), ref: 00426122
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00426131
                            • __vbaFreeVar.MSVBVM60 ref: 0042613A
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00426146
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00426152
                            • __vbaFreeStr.MSVBVM60 ref: 0042615B
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Free$Error$BoundsGenerateList$Copy$#645$Chkstk$BstrDestruct$#516#631$#529#537#579#608#632#716CallLatePreserveRedimUboundZero
                            • String ID: 2E12313E1F1E2C295A263B060C1F2B$35092D2111372343013C1A2C$BieBFxYPmkOuBvoHOetuExeiXHSeHwfEP$CopyFile$Scripting.FileSystemObject$\key3.db$\key4.db$\keyDBPath.db$iraXYqqBZtUJjekNgZGCZRS
                            • API String ID: 2306589352-4032843836
                            • Opcode ID: 4c2aee613a863bacab5e4bb7a4efdfbce1a6736b91e9b24dbb7a644387920a80
                            • Instruction ID: d40ef85574a411c5de84a87df3b41eaeb901711f1d4bfe7c240431cba33de84c
                            • Opcode Fuzzy Hash: 4c2aee613a863bacab5e4bb7a4efdfbce1a6736b91e9b24dbb7a644387920a80
                            • Instruction Fuzzy Hash: 98322B75900218DFDB14DF94DD88BDEBBB5FB48300F1081AAE50ABB264DB745A89CF58
                            Function 0043F1F0 Relevance: 140.5, APIs: 70, Strings: 10, Instructions: 465COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 5314 43f1f0-43f339 __vbaChkstk __vbaOnError __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove #645 __vbaStrMove __vbaStrCmp __vbaFreeStrList __vbaFreeVar 5319 43f8a1-43f93a __vbaAryUnlock __vbaFreeVar __vbaAryDestruct __vbaFreeVar * 2 5314->5319 5320 43f33f-43f3a3 __vbaStrCopy call 433f70 __vbaAryMove __vbaFreeStr 5314->5320 5324 43f3a5 5320->5324 5325 43f3aa-43f3d8 __vbaForEachAry 5320->5325 5324->5319 5326 43f894-43f89b 5325->5326 5326->5319 5327 43f3dd-43f4f1 __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaVarAdd #645 __vbaStrMove __vbaStrCmp __vbaFreeStrList __vbaFreeVarList 5326->5327 5332 43f4f7-43f696 #716 __vbaVarZero __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrCat __vbaVarAdd __vbaChkstk * 2 __vbaObjVar __vbaLateMemCall __vbaFreeStrList __vbaFreeVarList 5327->5332 5333 43f86d-43f88e __vbaNextEachAry 5327->5333 5332->5333 5338 43f69c-43f6fd __vbaStrCat __vbaStrMove call 43dac0 __vbaFreeStr __vbaStrCopy call 43d900 __vbaFreeStr 5332->5338 5333->5326 5343 43f703-43f726 call 409410 __vbaSetSystemError 5338->5343 5346 43f806-43f867 call 4093c8 __vbaSetSystemError call 43db50 __vbaStrCat #529 __vbaFreeVar 5343->5346 5347 43f72c-43f801 call 43d6f0 __vbaStrMove __vbaStrCat __vbaStrMove call 43d6f0 __vbaStrMove __vbaStrCat __vbaStrMove call 43d6f0 __vbaStrMove __vbaStrCat __vbaStrMove call 43d6f0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStrList 5343->5347 5346->5333 5347->5343
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596), ref: 0043F20E
                            • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00403596), ref: 0043F23E
                            • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00403596), ref: 0043F253
                              • Part of subcall function 004338E0: __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                              • Part of subcall function 004338E0: #632.MSVBVM60(?,?,?,?), ref: 00433982
                              • Part of subcall function 004338E0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                              • Part of subcall function 004338E0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                              • Part of subcall function 004338E0: #537.MSVBVM60(00000000), ref: 004339A6
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                              • Part of subcall function 004338E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaStrMove.MSVBVM60(?,?,00000000,?,00000000,00403596), ref: 0043F267
                            • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00403596), ref: 0043F275
                            • __vbaStrMove.MSVBVM60 ref: 0043F294
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,6D10D8B1,00000001,6D0FA323), ref: 00432A33
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?), ref: 00432A69
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00432A74
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,?), ref: 00432A77
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00432A82
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00432A8B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00432AA9
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432AC6
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AD1
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00432AD4
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE0
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE9
                              • Part of subcall function 004329F0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00432B0A
                              • Part of subcall function 004329F0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 00432B1C
                              • Part of subcall function 004329F0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 00432B23
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432B2E
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0043F2AC
                            • #645.MSVBVM60(00000008,00000010), ref: 0043F2D8
                            • __vbaStrMove.MSVBVM60 ref: 0043F2E3
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 0043F2EF
                            • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,?), ref: 0043F31E
                            • __vbaFreeVar.MSVBVM60(?,?,?,00000000,?,00000000,00403596), ref: 0043F32A
                            • __vbaStrCopy.MSVBVM60(?,?,?,00000000,?,00000000,00403596), ref: 0043F35E
                              • Part of subcall function 004338E0: __vbaChkstk.MSVBVM60(00000000,00403596), ref: 00433F8E
                              • Part of subcall function 004338E0: __vbaOnError.MSVBVM60(000000FF,6D10D8B1,?,6D0FA323,00000000,00403596), ref: 00433FBE
                              • Part of subcall function 004338E0: #645.MSVBVM60(00004008,00000010), ref: 00433FE5
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60 ref: 00433FF0
                              • Part of subcall function 004338E0: __vbaStrCmp.MSVBVM60(00405BB8,?), ref: 00434013
                              • Part of subcall function 004338E0: __vbaStrCmp.MSVBVM60(00406074,?), ref: 00434031
                              • Part of subcall function 004338E0: __vbaStrCmp.MSVBVM60(0040C3B4,?), ref: 00434047
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(?,00000001), ref: 0043406D
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60 ref: 00434078
                              • Part of subcall function 004338E0: #579.MSVBVM60(00000000), ref: 0043407F
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60 ref: 00434099
                              • Part of subcall function 004338E0: __vbaRedimPreserve.MSVBVM60(00000180,00000004,?,00000008,00000001,00000000,00000000), ref: 004340C8
                            • __vbaAryMove.MSVBVM60(00442070,?,?,00442064,?,?,?,00000000,?,00000000,00403596), ref: 0043F384
                            • __vbaFreeStr.MSVBVM60(?,?,?,00000000,?,00000000,00403596), ref: 0043F38D
                            • __vbaForEachAry.MSVBVM60(00000008,?,?,?,00000000,?,?,?,00000000,?,00000000,00403596), ref: 0043F3CC
                            • __vbaAryUnlock.MSVBVM60(?,0043F93B,?,?,?,00000000,?,00000000,00403596), ref: 0043F907
                            • __vbaFreeVar.MSVBVM60(?,?,?,00000000,?,00000000,00403596), ref: 0043F913
                            • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,?,00000000,00403596), ref: 0043F922
                            • __vbaFreeVar.MSVBVM60(?,?,?,00000000,?,00000000,00403596), ref: 0043F92B
                            • __vbaFreeVar.MSVBVM60(?,?,?,00000000,?,00000000,00403596), ref: 0043F934
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$FreeMove$BstrCopy$#516#631#645ChkstkErrorList$#537#579#608#632DestructEachPreserveRedimUnlock
                            • String ID: 1E1F000A3A0F0278372C$397D291F1C0E24230417312C293C29390700$C:\\MailMasterData\$CopyFile$QBlekHljVSNoOasEQpyBnvdgHZtvthb$SELECT c0, c1, c2, c3, c4, c5 FROM Search_content$Scripting.FileSystemObject$\163MailContacts.db$d$hzGuCQoMOIvBXLNmXsahuUfjJilnuvxIas
                            • API String ID: 3684354002-986262973
                            • Opcode ID: 03bad9a453429b058d281c669d7f36d595a56e50ba755d981f024da0a260cb9f
                            • Instruction ID: c0353d94722206326bb423f4f6831f48dbd192d9fe9b2cb31370bd3ea485b3bf
                            • Opcode Fuzzy Hash: 03bad9a453429b058d281c669d7f36d595a56e50ba755d981f024da0a260cb9f
                            • Instruction Fuzzy Hash: 8622F971D00209DBDB14DFE0DE48BEEB7B8FB48704F10856AE506AB2A4EB745A49CF54
                            Function 00404BCE Relevance: 133.7, APIs: 69, Strings: 7, Instructions: 702COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 5360 404bce-4100cd __vbaChkstk __vbaStrCopy __vbaOnError #645 __vbaStrMove __vbaStrCmp __vbaFreeStr 5363 4100f6-4101eb __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrCopy __vbaStrMove call 4329f0 5360->5363 5364 4100cf-4100f0 #529 5360->5364 5374 410210 5363->5374 5375 4101ed-41020e __vbaHresultCheckObj 5363->5375 5364->5363 5376 41021a-41032c __vbaChkstk * 2 __vbaLateMemCallLd __vbaCastObjVar __vbaObjSet __vbaFreeStrList __vbaFreeObj __vbaFreeVarList __vbaObjSetAddref __vbaI2I4 5374->5376 5375->5376 5378 410354 5376->5378 5379 41032e-410352 __vbaHresultCheckObj 5376->5379 5380 41035e-41038a 5378->5380 5379->5380 5382 41038c-4103ad __vbaHresultCheckObj 5380->5382 5383 4103af 5380->5383 5384 4103b9-410478 __vbaChkstk * 2 5382->5384 5383->5384 5386 41047a-41049b __vbaHresultCheckObj 5384->5386 5387 41049d 5384->5387 5388 4104a7-4104cc 5386->5388 5387->5388 5390 4104f1 5388->5390 5391 4104ce-4104ef __vbaHresultCheckObj 5388->5391 5392 4104fb-4105ba __vbaChkstk * 2 5390->5392 5391->5392 5394 4105bc-4105dd __vbaHresultCheckObj 5392->5394 5395 4105df 5392->5395 5396 4105e9-4106dc __vbaChkstk * 3 5394->5396 5395->5396 5398 410704 5396->5398 5399 4106de-410702 __vbaHresultCheckObj 5396->5399 5400 41070e-41073b 5398->5400 5399->5400 5402 410763 5400->5402 5403 41073d-410761 __vbaHresultCheckObj 5400->5403 5404 41076d-4107f5 __vbaObjSetAddref call 405704 __vbaSetSystemError call 405744 __vbaSetSystemError 5402->5404 5403->5404 5410 4107f7-410818 __vbaHresultCheckObj 5404->5410 5411 41081a 5404->5411 5412 410824-410874 call 4057e4 __vbaSetSystemError 5410->5412 5411->5412 5416 410876-410897 __vbaHresultCheckObj 5412->5416 5417 410899 5412->5417 5418 4108a3-4108cc 5416->5418 5417->5418 5420 4108f1 5418->5420 5421 4108ce-4108ef __vbaHresultCheckObj 5418->5421 5422 4108fb-410902 5420->5422 5421->5422 5423 410920 5422->5423 5424 410904-41091e __vbaNew2 5422->5424 5425 41092a-41097f __vbaObjSet 5423->5425 5424->5425 5427 410981-4109a2 __vbaHresultCheckObj 5425->5427 5428 4109a4 5425->5428 5429 4109ae-410a46 __vbaFreeObj __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 5427->5429 5428->5429 5435 410a48-410a69 __vbaHresultCheckObj 5429->5435 5436 410a6b 5429->5436 5437 410a75-410b22 __vbaChkstk __vbaLateMemCall __vbaFreeStrList __vbaFreeObj __vbaFreeVar call 405794 __vbaSetSystemError __vbaStrCopy * 2 call 43c240 5435->5437 5436->5437 5441 410b27-410bb9 __vbaFreeStrList __vbaFreeObj * 2 __vbaFreeStr 5437->5441
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596), ref: 0041001E
                            • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00403596), ref: 00410057
                            • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00403596), ref: 00410066
                            • #645.MSVBVM60(00004008,00000000), ref: 0041008F
                            • __vbaStrMove.MSVBVM60 ref: 0041009A
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 004100A6
                            • __vbaFreeStr.MSVBVM60 ref: 004100BE
                            • #529.MSVBVM60(00004008), ref: 004100F0
                            • __vbaStrCopy.MSVBVM60 ref: 00410105
                            • __vbaStrMove.MSVBVM60(?), ref: 00410119
                            • __vbaStrCopy.MSVBVM60 ref: 00410127
                            • __vbaStrMove.MSVBVM60(?), ref: 0041013B
                            • __vbaStrCopy.MSVBVM60 ref: 00410149
                            • __vbaStrMove.MSVBVM60 ref: 00410168
                            • __vbaStrCopy.MSVBVM60(?,?), ref: 0041018D
                            • __vbaStrMove.MSVBVM60 ref: 004101AC
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,00000218), ref: 00410202
                            • __vbaChkstk.MSVBVM60(00406170), ref: 00410224
                            • __vbaChkstk.MSVBVM60(00406170), ref: 00410247
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$CopyMove$Chkstk$#529#645CheckErrorFreeHresult
                            • String ID: 0C28632139303A31350934193B$223F0231170F233A1B123033$Add$DC-SC$Remove$ZRVaerbSjrqolGOtJhLqYsgeQEuJfMgr$bZjMqPSNDGlvvCdoXVxTd
                            • API String ID: 483646690-259710238
                            • Opcode ID: a03905c59e63a42218f0358937c4cbd2f53b771b92b44fe7f92d9f88ef2851ac
                            • Instruction ID: 1b0ba7ba865a09e586449e98c63bb5dcde2fab0e61f6a1d726ed921e711302fa
                            • Opcode Fuzzy Hash: a03905c59e63a42218f0358937c4cbd2f53b771b92b44fe7f92d9f88ef2851ac
                            • Instruction Fuzzy Hash: 8072F8B4900218DFDB14DFA4C988BDDBBB5BF48304F1085A9E50AB72A1D7749AC5CF94
                            Function 00425986 Relevance: 112.5, APIs: 55, Strings: 9, Instructions: 462COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 5443 425986-425994 5444 42599a-4259af 5443->5444 5445 426178-42617f __vbaErrorOverflow 5443->5445 5447 4259b5-425a27 __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove 5444->5447 5448 4260b9-426161 __vbaFreeVar __vbaAryDestruct __vbaFreeVar __vbaAryDestruct * 2 __vbaFreeStr 5444->5448 5454 425a29-425a30 5447->5454 5455 425a7c-425a82 __vbaGenerateBoundsError 5447->5455 5454->5455 5456 425a32-425a51 5454->5456 5457 425a88-425acc __vbaStrMove __vbaStrCat 5455->5457 5458 425a53-425a5d 5456->5458 5459 425a5f-425a65 __vbaGenerateBoundsError 5456->5459 5460 425b21-425b27 __vbaGenerateBoundsError 5457->5460 5461 425ace-425ad5 5457->5461 5464 425a6b-425a7a 5458->5464 5459->5464 5463 425b2d-425c07 __vbaStrCat #645 __vbaStrMove __vbaStrCmp #645 __vbaStrMove __vbaStrCmp __vbaFreeStrList __vbaFreeVarList 5460->5463 5461->5460 5462 425ad7-425af6 5461->5462 5465 425b04-425b0a __vbaGenerateBoundsError 5462->5465 5466 425af8-425b02 5462->5466 5467 425f2c-425f8a __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 5463->5467 5468 425c0d-425c4b #716 __vbaVarZero 5463->5468 5464->5457 5469 425b10-425b1f 5465->5469 5466->5469 5482 425f8f-4260b4 __vbaStrMove __vbaVarCat #645 __vbaStrMove __vbaStrCmp __vbaVarCat #645 __vbaStrMove __vbaStrCmp __vbaFreeStrList __vbaFreeVarList 5467->5482 5470 425ca0-425ca6 __vbaGenerateBoundsError 5468->5470 5471 425c4d-425c54 5468->5471 5469->5463 5474 425cac-425e19 __vbaStrCat * 2 __vbaChkstk * 2 __vbaObjVar __vbaLateMemCall __vbaFreeVarList __vbaStrCopy call 4338e0 __vbaStrMove __vbaStrCopy __vbaStrMove call 4329f0 __vbaStrMove __vbaStrCat __vbaStrMove 5470->5474 5471->5470 5473 425c56-425c75 5471->5473 5476 425c83-425c89 __vbaGenerateBoundsError 5473->5476 5477 425c77-425c81 5473->5477 5485 425e1b-425e22 5474->5485 5486 425e6e-425e74 __vbaGenerateBoundsError 5474->5486 5480 425c8f-425c9e 5476->5480 5477->5480 5480->5474 5485->5486 5487 425e24-425e43 5485->5487 5488 425e7a-425ec7 __vbaStrMove __vbaStrCat __vbaStrMove call 428470 5486->5488 5489 425e51-425e57 __vbaGenerateBoundsError 5487->5489 5490 425e45-425e4f 5487->5490 5493 425ecc-425f26 __vbaFreeStrList __vbaStrCat #529 __vbaFreeVar 5488->5493 5492 425e5d-425e6c 5489->5492 5490->5492 5492->5488 5493->5467
                            APIs
                            • __vbaStrCopy.MSVBVM60 ref: 004259C4
                              • Part of subcall function 004338E0: __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                              • Part of subcall function 004338E0: #632.MSVBVM60(?,?,?,?), ref: 00433982
                              • Part of subcall function 004338E0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                              • Part of subcall function 004338E0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                              • Part of subcall function 004338E0: #537.MSVBVM60(00000000), ref: 004339A6
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                              • Part of subcall function 004338E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaStrMove.MSVBVM60(?), ref: 004259D8
                            • __vbaStrCopy.MSVBVM60 ref: 004259E6
                            • __vbaStrMove.MSVBVM60 ref: 00425A05
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,6D10D8B1,00000001,6D0FA323), ref: 00432A33
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?), ref: 00432A69
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00432A74
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,?), ref: 00432A77
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00432A82
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00432A8B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00432AA9
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432AC6
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AD1
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00432AD4
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE0
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE9
                              • Part of subcall function 004329F0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00432B0A
                              • Part of subcall function 004329F0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 00432B1C
                              • Part of subcall function 004329F0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 00432B23
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432B2E
                            • __vbaStrMove.MSVBVM60(?,?), ref: 00425A1D
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00425A5F
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00425A7C
                            • __vbaStrMove.MSVBVM60(00000000), ref: 00425AB1
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00425AB8
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00425B04
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00425B21
                            • __vbaStrCat.MSVBVM60(\key4.db,00000000), ref: 00425B42
                            • #645.MSVBVM60(00000008,00000000), ref: 00425B5E
                            • __vbaStrMove.MSVBVM60 ref: 00425B69
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 00425B75
                            • #645.MSVBVM60(00000008,00000000), ref: 00425B8E
                            • __vbaStrMove.MSVBVM60 ref: 00425B99
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 00425BA5
                            • __vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,00000000,00000000), ref: 00425BDF
                            • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00425BF5
                            • #716.MSVBVM60(?,Scripting.FileSystemObject,00000000,?,?,?,?,?,?,?,?,00000000,?,?,00403596), ref: 00425C1F
                            • __vbaVarZero.MSVBVM60(?,?,?,?,?,?,?,?,00000000,?,?,00403596), ref: 00425C2E
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00425C83
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00425CA0
                            • __vbaStrCat.MSVBVM60(\key4.db,00000000), ref: 00425CC1
                            • __vbaStrCat.MSVBVM60(\keyDBPath.db,015AC8B4), ref: 00425CDD
                            • __vbaChkstk.MSVBVM60 ref: 00425CF8
                            • __vbaChkstk.MSVBVM60 ref: 00425D1B
                            • __vbaObjVar.MSVBVM60(?,CopyFile,00000002), ref: 00425D53
                            • __vbaLateMemCall.MSVBVM60(00000000), ref: 00425D5A
                            • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00425D70
                            • __vbaStrCopy.MSVBVM60 ref: 00425D99
                            • __vbaStrMove.MSVBVM60(?), ref: 00425DAD
                            • __vbaStrCopy.MSVBVM60 ref: 00425DBB
                            • __vbaStrMove.MSVBVM60 ref: 00425DDA
                            • __vbaStrMove.MSVBVM60(?,?), ref: 00425DF2
                            • __vbaStrCat.MSVBVM60(\keyDBPath.db,015AC8B4), ref: 00425E04
                            • __vbaStrMove.MSVBVM60 ref: 00425E0F
                            • __vbaStrMove.MSVBVM60(00000000), ref: 00425EA3
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00425EAA
                            • __vbaStrMove.MSVBVM60 ref: 00425EB5
                            • __vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,00000000,00000000,?,?,00000000), ref: 00425EEE
                            • __vbaFreeVar.MSVBVM60(00426162), ref: 00426122
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00426131
                            • __vbaFreeVar.MSVBVM60 ref: 0042613A
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00426146
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00426152
                            • __vbaFreeStr.MSVBVM60 ref: 0042615B
                            • __vbaErrorOverflow.MSVBVM60 ref: 00426178
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Free$Error$BoundsGenerate$List$Copy$BstrDestruct$#516#631#645Chkstk$#537#608#632#716CallLateOverflowZero
                            • String ID: 2E12313E1F1E2C295A263B060C1F2B$35092D2111372343013C1A2C$BieBFxYPmkOuBvoHOetuExeiXHSeHwfEP$CopyFile$Scripting.FileSystemObject$\key3.db$\key4.db$\keyDBPath.db$iraXYqqBZtUJjekNgZGCZRS
                            • API String ID: 4274892437-4032843836
                            • Opcode ID: 486f9a536cb461702c93fa0e1f1326eea5c8a110c1056cfd413e8839a2e9d931
                            • Instruction ID: 5fdf1d288a0cfaf23a029ab88daaefa300d62c1c0b17e211f6a69b412afc6a1a
                            • Opcode Fuzzy Hash: 486f9a536cb461702c93fa0e1f1326eea5c8a110c1056cfd413e8839a2e9d931
                            • Instruction Fuzzy Hash: 27221B75900218DFDB14DF94DD88BEEBBB5FB48300F1081A9E50ABB264DB745A89CF58
                            Function 00437990 Relevance: 110.6, APIs: 58, Strings: 5, Instructions: 370fileCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            APIs
                            • __vbaOnError.MSVBVM60(00000001,?,00000000), ref: 00437A1D
                            • __vbaVarCopy.MSVBVM60(?,00000000), ref: 00437A41
                            • __vbaStrVarVal.MSVBVM60(?,?,00405AFC,000000FF,00000000,?,00000000), ref: 00437A57
                            • #709.MSVBVM60(00000000,?,00000000), ref: 00437A5E
                            • __vbaStrCopy.MSVBVM60(?,00000000), ref: 00437A74
                              • Part of subcall function 004338E0: __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                              • Part of subcall function 004338E0: #632.MSVBVM60(?,?,?,?), ref: 00433982
                              • Part of subcall function 004338E0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                              • Part of subcall function 004338E0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                              • Part of subcall function 004338E0: #537.MSVBVM60(00000000), ref: 004339A6
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                              • Part of subcall function 004338E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 00437A8A
                            • #632.MSVBVM60(?,?,-00000001,0000000A,?,00000000), ref: 00437ACE
                            • __vbaStrCopy.MSVBVM60(?,00000000), ref: 00437ADC
                            • __vbaStrMove.MSVBVM60(?,00000000), ref: 00437AEB
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,6D10D8B1,00000001,6D0FA323), ref: 00432A33
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?), ref: 00432A69
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00432A74
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,?), ref: 00432A77
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00432A82
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00432A8B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00432AA9
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432AC6
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AD1
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00432AD4
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE0
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE9
                              • Part of subcall function 004329F0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00432B0A
                              • Part of subcall function 004329F0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 00432B1C
                              • Part of subcall function 004329F0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 00432B23
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432B2E
                            • __vbaVarCat.MSVBVM60(?,?,00000008,?,?,?,00000000), ref: 00437B25
                            • __vbaVarCat.MSVBVM60(?,00000008,00000000,?,00000000), ref: 00437B36
                            • __vbaVarMove.MSVBVM60(?,00000000), ref: 00437B3D
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,?,00000000), ref: 00437B59
                            • __vbaFreeVarList.MSVBVM60(00000004,0000000A,?,?,00000008,?,00000000), ref: 00437B7D
                            • #648.MSVBVM60(0000000A), ref: 00437B9E
                            • __vbaFreeVar.MSVBVM60 ref: 00437BAC
                            • __vbaStrVarCopy.MSVBVM60(?), ref: 00437BB6
                            • __vbaStrMove.MSVBVM60 ref: 00437BC1
                            • __vbaFileOpen.MSVBVM60(00000002,000000FF,00000000,00000000), ref: 00437BC9
                            • __vbaFreeStr.MSVBVM60 ref: 00437BD2
                            • #537.MSVBVM60(00000050), ref: 00437BE0
                            • __vbaStrMove.MSVBVM60 ref: 00437BE7
                            • #537.MSVBVM60(0000004B), ref: 00437BEB
                            • __vbaStrMove.MSVBVM60 ref: 00437BF2
                            • #537.MSVBVM60(00000005), ref: 00437BF6
                            • __vbaStrMove.MSVBVM60 ref: 00437BFD
                            • #537.MSVBVM60(00000006), ref: 00437C01
                            • __vbaStrMove.MSVBVM60 ref: 00437C08
                            • #607.MSVBVM60(?,00000012,00000002), ref: 00437C29
                            • __vbaStrMove.MSVBVM60 ref: 00437C5C
                            • __vbaStrMove.MSVBVM60(00000000), ref: 00437C68
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00437C71
                            • __vbaStrMove.MSVBVM60 ref: 00437C78
                            • __vbaStrMove.MSVBVM60(00000000), ref: 00437C84
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00437C87
                            • __vbaStrMove.MSVBVM60 ref: 00437C8E
                            • __vbaStrMove.MSVBVM60(00000000), ref: 00437C9A
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00437C9D
                            • __vbaVarCat.MSVBVM60(00000008,?,00000008), ref: 00437CC4
                            • __vbaPrintFile.MSVBVM60(0040CAD4,00000000,00000000), ref: 00437CD1
                            • __vbaFreeStrList.MSVBVM60(0000000A,?,?,?,?,00000000,?,?,?,?,?), ref: 00437D01
                            • __vbaFreeVarList.MSVBVM60(00000004,00000002,00000008,?,00000008), ref: 00437D25
                            • __vbaFileClose.MSVBVM60(00000000), ref: 00437D2F
                            • #716.MSVBVM60(00000002,shell.application,00000000), ref: 00437D43
                            • __vbaObjVar.MSVBVM60(00000002), ref: 00437D56
                            • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00437D63
                            • __vbaFreeVar.MSVBVM60 ref: 00437D71
                            • __vbaLateMemCallLd.MSVBVM60(00000002,?,Namespace,00000001), ref: 00437DB5
                            • __vbaObjVar.MSVBVM60(00000000), ref: 00437DBF
                            • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00437DC6
                            • __vbaFreeVar.MSVBVM60 ref: 00437DCE
                            • __vbaLateMemCall.MSVBVM60(?,CopyHere,00000002), ref: 00437E3C
                            • __vbaExitProc.MSVBVM60 ref: 00437E45
                            • __vbaFreeObj.MSVBVM60(00437EDF), ref: 00437EC7
                            • __vbaFreeVar.MSVBVM60 ref: 00437ED2
                            • __vbaFreeObj.MSVBVM60 ref: 00437ED7
                            • __vbaFreeVar.MSVBVM60 ref: 00437EDC
                            • __vbaErrorOverflow.MSVBVM60(0000000A,?,00000000), ref: 00437EF6
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Free$#537List$Copy$BstrFile$#516#631#632AddrefCallErrorLate$#607#608#648#709#716CloseExitOpenOverflowPrintProc
                            • String ID: 64393B26$CopyHere$Namespace$PJCRVJHxARCPFtIsqmmoQnTFBCqPzcH$shell.application
                            • API String ID: 3980988675-1214931655
                            • Opcode ID: 1bf5d1d59e800d97591aaa090185da908724f47a9571307c04f55edf0cb7bf60
                            • Instruction ID: 91907bb903d2ab575c76fc4c17fc368393a901037b13223a26106fd95aea8663
                            • Opcode Fuzzy Hash: 1bf5d1d59e800d97591aaa090185da908724f47a9571307c04f55edf0cb7bf60
                            • Instruction Fuzzy Hash: C0F1E6B1D002299BDB14DFA5DD84BDEBBB8FF48700F1081AAE20AB7254DB705A45CF94
                            Function 00439F30 Relevance: 80.8, APIs: 45, Strings: 1, Instructions: 260COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(?,00403596,?,?,00438F96,?,?,?), ref: 00439F4E
                            • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00403596), ref: 00439F7E
                            • #618.MSVBVM60(?,00000001,?,00000000,?,?,00403596), ref: 00439F93
                            • __vbaStrMove.MSVBVM60(?,00000001,?,00000000,?,?,00403596), ref: 00439F9E
                            • __vbaStrCmp.MSVBVM60(00405AFC,00000000,?,00000001,?,00000000,?,?,00403596), ref: 00439FAA
                            • __vbaFreeStr.MSVBVM60(?,00000001,?,00000000,?,?,00403596), ref: 00439FBF
                            • __vbaStrCat.MSVBVM60(00405AFC,?,?,00000001,?,00000000,?,?,00403596), ref: 00439FDF
                            • __vbaStrMove.MSVBVM60(?,?,00000001,?,00000000,?,?,00403596), ref: 00439FEA
                            • #519.MSVBVM60(00000000,?,00000001,?,00000000,?,?,00403596), ref: 00439FFD
                            • __vbaStrMove.MSVBVM60(?,00000001,?,00000000,?,?,00403596), ref: 0043A008
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000,?,00000001,?,00000000,?,?,00403596), ref: 0043A014
                            • __vbaFreeStr.MSVBVM60(?,00000001,?,00000000,?,?,00403596), ref: 0043A028
                            • __vbaStrCopy.MSVBVM60(?,00000001,?,00000000,?,?,00403596), ref: 0043A045
                            • #616.MSVBVM60(00000000,00000002,?,00000001,?,00000000,?,?,00403596), ref: 0043A05C
                            • __vbaStrMove.MSVBVM60(?,00000001,?,00000000,?,?,00403596), ref: 0043A067
                            • __vbaStrCmp.MSVBVM60(0040CDC8,00000000,?,00000001,?,00000000,?,?,00403596), ref: 0043A073
                            • __vbaFreeStr.MSVBVM60(?,00000001,?,00000000,?,?,00403596), ref: 0043A088
                            • __vbaStrCat.MSVBVM60(00000000,0040CDC8,?,00000001,?,00000000,?,?,00403596), ref: 0043A0A8
                            • __vbaStrMove.MSVBVM60(?,00000001,?,00000000,?,?,00403596), ref: 0043A0B3
                            • __vbaStrCat.MSVBVM60(?,?,?,00000001,?,00000000,?,?,00403596), ref: 0043A0CC
                            • #645.MSVBVM60(00000008,00000000), ref: 0043A0E2
                            • __vbaStrMove.MSVBVM60 ref: 0043A0ED
                            • __vbaFreeVar.MSVBVM60 ref: 0043A0F6
                            • __vbaLenBstr.MSVBVM60(?), ref: 0043A107
                            • __vbaStrCat.MSVBVM60(00405AFC), ref: 0043A127
                            • __vbaStrMove.MSVBVM60 ref: 0043A132
                            • __vbaStrCat.MSVBVM60(?,00000000), ref: 0043A13D
                            • __vbaStrMove.MSVBVM60 ref: 0043A148
                            • #578.MSVBVM60(00000000), ref: 0043A14F
                            • _adj_fdiv_m64.MSVBVM60 ref: 0043A17E
                            • __vbaFpR8.MSVBVM60 ref: 0043A18D
                            • __vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 0043A1C3
                            • __vbaStrCat.MSVBVM60(?,00000000,?,?,?,?,?,00403596), ref: 0043A1E9
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,00403596), ref: 0043A1F4
                            • __vbaStrCat.MSVBVM60(00405AFC,00000000,00000000,?,?,?,?,?,00403596), ref: 0043A206
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,00403596), ref: 0043A211
                            • __vbaStrCat.MSVBVM60(?,00000000,?,?,?,?,?,00403596), ref: 0043A21C
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,00403596), ref: 0043A227
                            • #576.MSVBVM60(00000000,?,?,?,?,?,00403596), ref: 0043A22E
                            • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,00403596), ref: 0043A242
                            • #645.MSVBVM60(0000000A,00000000), ref: 0043A285
                            • __vbaStrMove.MSVBVM60 ref: 0043A290
                            • __vbaFreeVar.MSVBVM60 ref: 0043A299
                            • __vbaFreeStr.MSVBVM60(0043A2D7), ref: 0043A2D0
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Free$#645List$#519#576#578#616#618BstrChkstkCopyError_adj_fdiv_m64
                            • String ID: *.*
                            • API String ID: 2663026681-438819550
                            • Opcode ID: 281596691e92de8d6ab370eb35cb0c252fb95dba4a973d4a4bcd6f8adb561412
                            • Instruction ID: fc817cbef8498ae0f505d4ea6be27db2221935e2398e782be0c19900b425a37e
                            • Opcode Fuzzy Hash: 281596691e92de8d6ab370eb35cb0c252fb95dba4a973d4a4bcd6f8adb561412
                            • Instruction Fuzzy Hash: AFA12D70A00209DBDB04DFA4DE88BEE7B74FF48701F104169E842F72A4DB799A85CB59
                            Function 0043BED0 Relevance: 79.0, APIs: 41, Strings: 4, Instructions: 274COMMON
                            Download Yara Rule
                            APIs
                            • #645.MSVBVM60(?,00000010,?,00000000), ref: 0043BF2F
                            • __vbaStrMove.MSVBVM60(?,00000000), ref: 0043BF40
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000,?,00000000), ref: 0043BF48
                            • __vbaFreeStr.MSVBVM60(?,00000000), ref: 0043BF5B
                            • __vbaNew2.MSVBVM60(0040CD4C,?,?,00000000), ref: 0043BF7A
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408BD4,00000054,?,00000000), ref: 0043BFA4
                            • __vbaCastObj.MSVBVM60(?,00407938,?,00000000), ref: 0043BFB3
                            • __vbaObjSet.MSVBVM60(?,00000000,?,00000000), ref: 0043BFC4
                            • __vbaFreeObj.MSVBVM60(?,00000000), ref: 0043BFC9
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00407938,00000068,?,00000000), ref: 0043BFEE
                            • __vbaObjSet.MSVBVM60(?,?,?,00000000), ref: 0043BFFF
                            • __vbaForEachCollObj.MSVBVM60(00406564,?,?,00000000,?,00000000), ref: 0043C00F
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406564,00000020,?,00000000), ref: 0043C03C
                            • __vbaInStr.MSVBVM60(00000000,.log,?,00000001,?,00000000), ref: 0043C04E
                            • __vbaFreeStr.MSVBVM60(?,00000000), ref: 0043C061
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406564,0000001C,?,00000000), ref: 0043C08F
                            • __vbaStrMove.MSVBVM60(?,00000000), ref: 0043C09E
                              • Part of subcall function 00431770: __vbaChkstk.MSVBVM60(?,00403596,?,?,00000000,?,?,00403596), ref: 0043178E
                              • Part of subcall function 00431770: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00403596), ref: 004317BE
                              • Part of subcall function 00431770: #645.MSVBVM60(00004008,00000000), ref: 004317DE
                              • Part of subcall function 00431770: __vbaStrMove.MSVBVM60 ref: 004317E9
                              • Part of subcall function 00431770: __vbaLenBstrB.MSVBVM60(00000000), ref: 004317F0
                              • Part of subcall function 00431770: __vbaFreeStr.MSVBVM60 ref: 00431806
                              • Part of subcall function 00431770: #648.MSVBVM60(0000000A), ref: 00431831
                              • Part of subcall function 00431770: __vbaFreeVar.MSVBVM60 ref: 0043183E
                              • Part of subcall function 00431770: __vbaFileOpen.MSVBVM60(00000020,000000FF,?,00000000), ref: 0043185A
                              • Part of subcall function 00431770: #570.MSVBVM60(?), ref: 0043186C
                              • Part of subcall function 00431770: #525.MSVBVM60(00000000), ref: 00431873
                              • Part of subcall function 00431770: __vbaStrMove.MSVBVM60 ref: 0043187E
                              • Part of subcall function 00431770: __vbaGet3.MSVBVM60(00000000,00000000,?), ref: 00431896
                              • Part of subcall function 00431770: __vbaFileClose.MSVBVM60(?), ref: 004318A8
                            • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0043C0AE
                            • __vbaFreeStr.MSVBVM60(?,00000000), ref: 0043C0B3
                              • Part of subcall function 00429470: __vbaChkstk.MSVBVM60(?,00403596,?,?,?,0042761D,?,00000000), ref: 0042948E
                              • Part of subcall function 00429470: __vbaStrCopy.MSVBVM60(?,00000000,?,?,00403596), ref: 004294BB
                              • Part of subcall function 00429470: __vbaStrCopy.MSVBVM60(?,00000000,?,?,00403596), ref: 004294C7
                              • Part of subcall function 00429470: __vbaStrCopy.MSVBVM60(?,00000000,?,?,00403596), ref: 004294D3
                              • Part of subcall function 00429470: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00403596), ref: 004294E2
                              • Part of subcall function 00429470: __vbaInStr.MSVBVM60(00000000,?,?,00000001,?,00000000,?,?,00403596), ref: 004294FB
                              • Part of subcall function 00429470: __vbaInStr.MSVBVM60(00000000,00000001,?,00000001,?,00000000,?,?,00403596), ref: 0042950F
                              • Part of subcall function 00429470: __vbaInStr.MSVBVM60(00000000,?,?,00000001,?,00000000,?,?,00403596), ref: 00429539
                              • Part of subcall function 00429470: __vbaVarMove.MSVBVM60 ref: 00429555
                              • Part of subcall function 00429470: __vbaInStr.MSVBVM60(00000000,?,?,00000001), ref: 0042956E
                              • Part of subcall function 00429470: __vbaI2I4.MSVBVM60 ref: 00429576
                              • Part of subcall function 00429470: __vbaVarSub.MSVBVM60(?,?,00000002), ref: 004295A8
                              • Part of subcall function 00429470: __vbaVarMove.MSVBVM60 ref: 004295B3
                              • Part of subcall function 00429470: __vbaI4Var.MSVBVM60(?,?), ref: 004295D4
                            • __vbaStrMove.MSVBVM60(?,vault,"},"MetaMetricsController,?,00000000), ref: 0043C0D1
                            • __vbaStrMove.MSVBVM60(vault":",00405BB8,00000001,000000FF,00000000,?,00000000), ref: 0043C0EB
                            • #712.MSVBVM60(00000000,?,00000000), ref: 0043C0EE
                            • __vbaStrMove.MSVBVM60(?,00000000), ref: 0043C0F9
                            • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 0043C105
                            • __vbaNextEachCollObj.MSVBVM60(00406564,?,?,?,00000000), ref: 0043C11B
                            • __vbaCastObj.MSVBVM60(00000000,00406564,?,00000000), ref: 0043C132
                            • __vbaObjSet.MSVBVM60(?,00000000,?,00000000), ref: 0043C13D
                            • __vbaCastObj.MSVBVM60(00000000,00407938,?,00000000), ref: 0043C145
                            • __vbaObjSet.MSVBVM60(?,00000000,?,00000000), ref: 0043C150
                            • __vbaCastObj.MSVBVM60(00000000,0040D0FC,?,00000000), ref: 0043C158
                            • __vbaObjSet.MSVBVM60(?,00000000,?,00000000), ref: 0043C163
                            • __vbaStrCmp.MSVBVM60(00405BB8,?,?,00000000), ref: 0043C16E
                            • #712.MSVBVM60(?,00405AFC,00405BB8,00000001,000000FF,00000000,?,00000000), ref: 0043C18B
                            • __vbaStrMove.MSVBVM60(?,00000000), ref: 0043C196
                            • __vbaFreeStr.MSVBVM60(0043B982,?,?,00000000), ref: 0043C1A8
                            • __vbaFreeObjList.MSVBVM60(00000002,?,?,0043C21C,?,00000000), ref: 0043C1EB
                            • __vbaFreeVar.MSVBVM60 ref: 0043C1F7
                            • __vbaFreeStr.MSVBVM60 ref: 0043C200
                            • __vbaFreeObj.MSVBVM60 ref: 0043C20F
                            • __vbaFreeObj.MSVBVM60 ref: 0043C214
                            • __vbaFreeObj.MSVBVM60 ref: 0043C219
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Free$Move$CastCheckHresult$Copy$#645#712ChkstkCollEachErrorFileList$#525#570#648BstrCloseGet3New2NextOpen
                            • String ID: "},"MetaMetricsController$.log$vault$vault":"
                            • API String ID: 1097575717-653149892
                            • Opcode ID: a016f890743e8d2d6aacb4bc34fc47c10f109ceabe3eb3162743c2c17129d682
                            • Instruction ID: ba90e9b4959c4cc82ba3282d0c8c5f7c015c2cad28d9f62145a5a2331f7ff3ed
                            • Opcode Fuzzy Hash: a016f890743e8d2d6aacb4bc34fc47c10f109ceabe3eb3162743c2c17129d682
                            • Instruction Fuzzy Hash: 9CA11AB1900208AFDB04EFA4DD89DEEBBB9FB88704F104129F506B72A4DA746949CB54
                            Function 0040E8F0 Relevance: 65.0, APIs: 33, Strings: 4, Instructions: 262COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(?,00403596), ref: 0040E90E
                            • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00403596), ref: 0040E955
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E3C,000006FC), ref: 0040E990
                              • Part of subcall function 004338E0: __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                              • Part of subcall function 004338E0: #632.MSVBVM60(?,?,?,?), ref: 00433982
                              • Part of subcall function 004338E0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                              • Part of subcall function 004338E0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                              • Part of subcall function 004338E0: #537.MSVBVM60(00000000), ref: 004339A6
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                              • Part of subcall function 004338E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaFreeVar.MSVBVM60 ref: 0040E9AB
                            • __vbaNew2.MSVBVM60(00404FCC,004426B4), ref: 0040E9CB
                            • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00404FBC,0000001C), ref: 0040EA25
                            • __vbaChkstk.MSVBVM60(?), ref: 0040EA5D
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404FDC,0000005C), ref: 0040EAB3
                            • __vbaStrMove.MSVBVM60 ref: 0040EAE6
                            • __vbaFreeObj.MSVBVM60 ref: 0040EAEF
                            • __vbaStrCmp.MSVBVM60(00000000,0481DC1C), ref: 0040EB09
                            • __vbaStrCopy.MSVBVM60 ref: 0040EB26
                            • __vbaStrMove.MSVBVM60(00000000), ref: 0040EB3A
                            • __vbaStrCopy.MSVBVM60 ref: 0040EB48
                            • __vbaStrMove.MSVBVM60(?), ref: 0040EB5C
                            • __vbaStrCopy.MSVBVM60 ref: 0040EB6A
                            • __vbaStrMove.MSVBVM60 ref: 0040EB89
                            • __vbaStrCopy.MSVBVM60 ref: 0040EB97
                            • __vbaStrMove.MSVBVM60 ref: 0040EBB6
                            • __vbaStrCat.MSVBVM60(004059B4,0162B774), ref: 0040EBC7
                            • __vbaStrMove.MSVBVM60 ref: 0040EBD2
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,6D10D8B1,00000001,6D0FA323), ref: 00432A33
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?), ref: 00432A69
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00432A74
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,?), ref: 00432A77
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00432A82
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00432A8B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00432AA9
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432AC6
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AD1
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00432AD4
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE0
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE9
                              • Part of subcall function 004329F0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00432B0A
                              • Part of subcall function 004329F0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 00432B1C
                              • Part of subcall function 004329F0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 00432B23
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432B2E
                            • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0040EBEB
                            • __vbaStrCat.MSVBVM60(00000000), ref: 0040EBF2
                            • __vbaStrMove.MSVBVM60 ref: 0040EBFD
                            • __vbaStrCat.MSVBVM60(0481DC1C,00000000), ref: 0040EC0A
                            • __vbaStrMove.MSVBVM60 ref: 0040EC15
                              • Part of subcall function 004329F0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,00000002,?,?,?), ref: 00432B3A
                              • Part of subcall function 004329F0: __vbaStrCopy.MSVBVM60 ref: 00432B59
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(00432B9C), ref: 00432B95
                            • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0040EC2E
                            • __vbaStrCat.MSVBVM60(00000000), ref: 0040EC35
                            • __vbaStrMove.MSVBVM60 ref: 0040EC40
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 0040EC4C
                            • __vbaStrMove.MSVBVM60 ref: 0040EC59
                            • __vbaFreeStrList.MSVBVM60(0000000E,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0040EC99
                            • __vbaStrCopy.MSVBVM60 ref: 0040ECB4
                            Strings
                            • ChikIPulOlfwqeciOjMuuJ, xrefs: 0040EB62
                            • 332A27000037230E3E222A4D59, xrefs: 0040EB1E
                            • mqdHDdiDnJqrspWuUUXrrZA, xrefs: 0040EB8F
                            • 4F5A13072820142C053020372D, xrefs: 0040EB40
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Free$Copy$BstrCheckHresultList$#516#631Chkstk$#537#608#632ErrorNew2
                            • String ID: 332A27000037230E3E222A4D59$4F5A13072820142C053020372D$ChikIPulOlfwqeciOjMuuJ$mqdHDdiDnJqrspWuUUXrrZA
                            • API String ID: 1902784594-947323658
                            • Opcode ID: 6bf9da099f0161b189192a6122c31975c5b11196a98c5edfe9306684f3e69ebb
                            • Instruction ID: 8dcef9c2100789abd365d7498ff35d568561e052340072f87e241967b7c1f8ca
                            • Opcode Fuzzy Hash: 6bf9da099f0161b189192a6122c31975c5b11196a98c5edfe9306684f3e69ebb
                            • Instruction Fuzzy Hash: 04C108B5900218DFDB04DFA4DA88BDEBBB5FF48304F108169E606B72A4DB745A45CF58
                            Function 00440080 Relevance: 63.3, APIs: 32, Strings: 4, Instructions: 260COMMON
                            Download Yara Rule
                            APIs
                            • __vbaStrCopy.MSVBVM60(?,00000000), ref: 004400DA
                              • Part of subcall function 004338E0: __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                              • Part of subcall function 004338E0: #632.MSVBVM60(?,?,?,?), ref: 00433982
                              • Part of subcall function 004338E0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                              • Part of subcall function 004338E0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                              • Part of subcall function 004338E0: #537.MSVBVM60(00000000), ref: 004339A6
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                              • Part of subcall function 004338E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 004400F0
                            • __vbaStrCopy.MSVBVM60(?,00000000), ref: 004400FA
                            • __vbaStrMove.MSVBVM60(?,00000000), ref: 00440105
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,6D10D8B1,00000001,6D0FA323), ref: 00432A33
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?), ref: 00432A69
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00432A74
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,?), ref: 00432A77
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00432A82
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00432A8B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00432AA9
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432AC6
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AD1
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00432AD4
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE0
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE9
                              • Part of subcall function 004329F0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00432B0A
                              • Part of subcall function 004329F0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 00432B1C
                              • Part of subcall function 004329F0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 00432B23
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432B2E
                            • __vbaStrMove.MSVBVM60(?,?,?,00000000), ref: 00440119
                              • Part of subcall function 00438340: __vbaFixstrConstruct.MSVBVM60(00000100,?,6D10D8B1,6D10D83C,00000000), ref: 0043838C
                              • Part of subcall function 00438340: __vbaNew2.MSVBVM60(00404FCC,004426B4), ref: 004383A4
                              • Part of subcall function 00438340: __vbaHresultCheckObj.MSVBVM60(00000000,0324004C,00404FBC,00000014), ref: 004383C9
                              • Part of subcall function 00438340: __vbaHresultCheckObj.MSVBVM60(00000000,?,0040CB38,00000060), ref: 004383ED
                              • Part of subcall function 00438340: __vbaStrToAnsi.MSVBVM60(?,?,00000001,00000000,00000000,00000000), ref: 00438400
                              • Part of subcall function 00438340: __vbaSetSystemError.MSVBVM60(00000000), ref: 00438414
                              • Part of subcall function 00438340: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00438426
                              • Part of subcall function 00438340: __vbaFreeObj.MSVBVM60 ref: 0043842E
                              • Part of subcall function 00438340: __vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,04000000,00000000), ref: 0043844D
                            • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 00440129
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?,?,00000000), ref: 00440141
                            • __vbaLenBstr.MSVBVM60(?), ref: 0044014E
                            • __vbaObjSet.MSVBVM60(?,00000000,?,00000000), ref: 0044016B
                            • __vbaNew2.MSVBVM60(00409E0C,?), ref: 00440181
                            • __vbaNew2.MSVBVM60(00409E0C,?), ref: 0044019A
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040C200,00000024), ref: 004401BE
                            • __vbaStrCopy.MSVBVM60 ref: 004401F9
                            • __vbaStrMove.MSVBVM60(?), ref: 00440209
                            • __vbaStrCopy.MSVBVM60 ref: 00440213
                            • __vbaStrMove.MSVBVM60 ref: 0044021E
                            • __vbaStrMove.MSVBVM60(?,?), ref: 00440232
                            • __vbaStrMove.MSVBVM60(?), ref: 00440242
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0044025A
                            • __vbaLenBstr.MSVBVM60(?), ref: 00440267
                            • __vbaObjSet.MSVBVM60(?,00000000,?,00000000), ref: 00440284
                            • __vbaNew2.MSVBVM60(00409E0C,?), ref: 0044029A
                            • __vbaNew2.MSVBVM60(00409E0C,?), ref: 004402B3
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040C200,00000024), ref: 004402D7
                              • Part of subcall function 0043FD60: __vbaChkstk.MSVBVM60(00000000,00403596,?,?,?,0044027F,?,00000000), ref: 0043FD7E
                              • Part of subcall function 0043FD60: __vbaOnError.MSVBVM60(00000001,6D10D8B1,6D10D83C,00000000,00000000,00403596), ref: 0043FDAE
                              • Part of subcall function 0043FD60: __vbaInStr.MSVBVM60(00000000,00406074,?,00000001), ref: 0043FDD1
                              • Part of subcall function 0043FD60: __vbaNew.MSVBVM60(00409E0C,?,00000001), ref: 0043FDE6
                              • Part of subcall function 0043FD60: __vbaObjSet.MSVBVM60(?,00000000,?,00000001), ref: 0043FDF1
                              • Part of subcall function 0043FD60: #631.MSVBVM60(?,00000000,?,?,00000000,?,00000000,?,?,?,?,?,00000000), ref: 0043FE91
                              • Part of subcall function 0043FD60: __vbaStrMove.MSVBVM60(?,?,?,?,?,00000000), ref: 0043FE9C
                              • Part of subcall function 0043FD60: __vbaFreeVar.MSVBVM60(?,?,?,?,?,00000000), ref: 0043FEA5
                              • Part of subcall function 0043FD60: __vbaLenBstr.MSVBVM60(?,?,?,?,?,?,00000000), ref: 0043FEB6
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040C200,0000001C), ref: 0044030A
                            • __vbaStrVarMove.MSVBVM60(?), ref: 00440314
                            • __vbaStrMove.MSVBVM60 ref: 0044031F
                            • __vbaFreeVarList.MSVBVM60(00000002,00000003,?), ref: 0044032B
                            • __vbaCastObj.MSVBVM60(00000000,0040C200), ref: 0044033A
                            • __vbaObjSet.MSVBVM60(?,00000000), ref: 00440345
                            • __vbaFreeObj.MSVBVM60(004403A4), ref: 00440394
                            • __vbaFreeStr.MSVBVM60 ref: 0044039D
                            Strings
                            • 230118284F6C57352F22352409562D0A01, xrefs: 004400B1
                            • fHlRgqmXDWXtKsoNPMvNQWrOEpyUcOI, xrefs: 0044020B
                            • 201826174B427733202F5A26160B27312E19223D32152A6B1316384C2627122D1E3C0205422D303E341D3F1A0A3D7F3E1E21267A1B3F6B0311210E23, xrefs: 004401F1
                            • BKulXuCxFGMBMyxCouqqcWBRAOGUElG, xrefs: 004400F2
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Free$Bstr$CheckHresultListNew2$Copy$#631$#516AnsiError$#537#608#632CastChkstkConstructFixstrSystem
                            • String ID: 201826174B427733202F5A26160B27312E19223D32152A6B1316384C2627122D1E3C0205422D303E341D3F1A0A3D7F3E1E21267A1B3F6B0311210E23$230118284F6C57352F22352409562D0A01$BKulXuCxFGMBMyxCouqqcWBRAOGUElG$fHlRgqmXDWXtKsoNPMvNQWrOEpyUcOI
                            • API String ID: 506135884-1592942100
                            • Opcode ID: 4e6399dbadc08cc9ce1efb31395d13bebde98f3ae51bc70cede14567eada2bc8
                            • Instruction ID: 409d43d62eb2fff1980695803f12e35260ad09f23bec7247be2b1832974d6450
                            • Opcode Fuzzy Hash: 4e6399dbadc08cc9ce1efb31395d13bebde98f3ae51bc70cede14567eada2bc8
                            • Instruction Fuzzy Hash: E6A1FAB5D00208ABDB04DFE5DD85DEEBBB8FF58304F20452AE502B7194DB74A949CB64
                            Function 00437F00 Relevance: 63.3, APIs: 35, Strings: 1, Instructions: 254COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596,?,?,?,?,00439D86,00000000), ref: 00437F1E
                            • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00403596), ref: 00437F4B
                            • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00403596), ref: 00437F5A
                            • __vbaNew.MSVBVM60(00409E0C,?,00000000,?,00000000,00403596), ref: 00437F6C
                            • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000,?,00000000,00403596), ref: 00437F77
                            • __vbaStrCat.MSVBVM60(\*.*,00000000,?,00000000,?,00000000,00403596), ref: 00437F8D
                            • #645.MSVBVM60(00000008,00000017), ref: 00437FA3
                            • __vbaStrMove.MSVBVM60 ref: 00437FAE
                            • __vbaFreeVar.MSVBVM60 ref: 00437FB7
                            • __vbaLenBstr.MSVBVM60(?), ref: 00437FC8
                            • __vbaStrCmp.MSVBVM60(0040C3B4,?), ref: 00437FE6
                            • __vbaStrCmp.MSVBVM60(00406074,?), ref: 00437FFC
                            • __vbaStrCat.MSVBVM60(00405AFC,00000000), ref: 0043804B
                            • __vbaStrMove.MSVBVM60 ref: 00438056
                            • __vbaStrCat.MSVBVM60(?,00000000), ref: 00438061
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040C200,00000020), ref: 004380B0
                            • __vbaFreeStr.MSVBVM60 ref: 004380CB
                            • __vbaFreeVarList.MSVBVM60(00000004,00000008,0000000A,0000000A,0000000A), ref: 004380E3
                            • #645.MSVBVM60(0000000A,00000000), ref: 00438107
                            • __vbaStrMove.MSVBVM60 ref: 00438112
                            • __vbaFreeVar.MSVBVM60 ref: 0043811B
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040C200,00000024), ref: 00438163
                            • __vbaI2I4.MSVBVM60 ref: 00438181
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040C200,0000001C), ref: 00438216
                            • __vbaStrVarMove.MSVBVM60(00000008), ref: 00438232
                            • __vbaStrMove.MSVBVM60 ref: 0043823D
                            • __vbaFreeVar.MSVBVM60 ref: 00438246
                            • #579.MSVBVM60(?), ref: 00438257
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$FreeMove$CheckHresult$#645$#579BstrChkstkCopyErrorList
                            • String ID: \*.*
                            • API String ID: 2067065791-1173974218
                            • Opcode ID: b920f6e0357a01ebda85f4a9dbe44c36e8bfaccee50401eef7fb371a17666a60
                            • Instruction ID: b57e32675a29baad176de9cb0986b63da4e050062e73079c77f15442be0671d9
                            • Opcode Fuzzy Hash: b920f6e0357a01ebda85f4a9dbe44c36e8bfaccee50401eef7fb371a17666a60
                            • Instruction Fuzzy Hash: 52C1E9B1900218EFDB14DFA4DA48BDEBBB4FF48704F108199E506B72A0DB785A49CF65
                            Function 00404BA7 Relevance: 54.6, APIs: 27, Strings: 4, Instructions: 349COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596), ref: 0040F10E
                            • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00403596), ref: 0040F155
                            • __vbaNew2.MSVBVM60(00404FCC,004426B4,?,?,?,00000000,00403596), ref: 0040F18A
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404FBC,00000018), ref: 0040F1DB
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00405BEC,00000098), ref: 0040F229
                            • __vbaNew2.MSVBVM60(00404FCC,004426B4), ref: 0040F254
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404FBC,00000018), ref: 0040F2A5
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,00405BEC,00000080), ref: 0040F2F3
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$CheckHresult$New2$ChkstkError
                            • String ID: .BMP$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz$G$\Screenshot
                            • API String ID: 945047687-2248638952
                            • Opcode ID: 7f0c52b334ce1b84ce433dbe8f0b8b1851e2d9f69bc38244755e387e118ad83d
                            • Instruction ID: e7a81632f5e9a6fad6418ac5b37ea0dc9987014e1ac18a35c71c027af3785cf4
                            • Opcode Fuzzy Hash: 7f0c52b334ce1b84ce433dbe8f0b8b1851e2d9f69bc38244755e387e118ad83d
                            • Instruction Fuzzy Hash: 92E12D75900618EFDB14DFA4C948B9EBBB5BB48304F10817AF60AB72A0DB745989CF58
                            Function 00431900 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 153COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(?,00403596,?,?,?,?,00000000,00403596), ref: 0043191E
                            • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00403596), ref: 0043194E
                            • __vbaStrCat.MSVBVM60(00405AFC,015AC8B4,?,?,?,?,00403596), ref: 0043196D
                            • #645.MSVBVM60(00000008,00000000), ref: 00431983
                            • __vbaVarMove.MSVBVM60 ref: 00431999
                            • __vbaFreeVar.MSVBVM60 ref: 004319A2
                            • __vbaVarTstGt.MSVBVM60(00008008,?), ref: 004319CE
                            • __vbaInStrVar.MSVBVM60(00000008,00000000,00000008,?,00000001), ref: 00431A0E
                            • __vbaBoolVarNull.MSVBVM60(00000000), ref: 00431A15
                            • __vbaFreeVar.MSVBVM60 ref: 00431A25
                            • __vbaStrCat.MSVBVM60(00405AFC,015AC8B4), ref: 00431A4D
                            • __vbaVarCat.MSVBVM60(?,?,00000008), ref: 00431A69
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 00431A70
                            • __vbaStrMove.MSVBVM60 ref: 00431A7B
                            • __vbaVarAdd.MSVBVM60(0000000A,?,00000008), ref: 00431AA4
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 00431AAB
                            • __vbaStrMove.MSVBVM60 ref: 00431AB6
                            • __vbaStrCopy.MSVBVM60 ref: 00431AC4
                            • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?), ref: 00431AE9
                            • __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,00403596), ref: 00431B00
                            • #645.MSVBVM60(0000000A,00000000), ref: 00431B24
                            • __vbaVarMove.MSVBVM60 ref: 00431B3A
                            • __vbaFreeVar.MSVBVM60 ref: 00431B43
                            • __vbaFreeVar.MSVBVM60(00431BA1), ref: 00431B9A
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$FreeMove$#645List$BoolChkstkCopyErrorNull
                            • String ID: DC-
                            • API String ID: 3297433690-374979773
                            • Opcode ID: 4037a8e26c37cd9d51cba3a9d74cd440b73380fa82c72b31ad3925ba7c8d4c75
                            • Instruction ID: 6fb5f0a873c36afceb14723fc5c093b11bc0e73bf04ccbcef8a58205f5ec6c86
                            • Opcode Fuzzy Hash: 4037a8e26c37cd9d51cba3a9d74cd440b73380fa82c72b31ad3925ba7c8d4c75
                            • Instruction Fuzzy Hash: 1C61D5B5C01248DBDB00DFD0DA48BDEBBB8FB08305F10856AE156B72A4DB746A49CF64
                            Function 0043DB70 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 83COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596), ref: 0043DB8E
                            • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00403596), ref: 0043DBBE
                              • Part of subcall function 0043DD00: __vbaChkstk.MSVBVM60(00000000,00403596,0043DBD0,?,00000000,?,00000000,00403596), ref: 0043DD1E
                              • Part of subcall function 0043DD00: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00403596,0043DBD0), ref: 0043DD4E
                              • Part of subcall function 0043DD00: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00403596,0043DBD0), ref: 0043DD66
                              • Part of subcall function 0043DD00: __vbaStrMove.MSVBVM60(?,?,00000000,?,00000000,00403596,0043DBD0), ref: 0043DD80
                              • Part of subcall function 0043DD00: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00403596,0043DBD0), ref: 0043DD91
                              • Part of subcall function 0043DD00: __vbaStrMove.MSVBVM60 ref: 0043DDB9
                              • Part of subcall function 0043DD00: #666.MSVBVM60(?,00000008,?,?,?,?,?,?), ref: 0043DDF0
                              • Part of subcall function 0043DD00: __vbaVarAdd.MSVBVM60(?,00000008,?), ref: 0043DE1F
                              • Part of subcall function 0043DD00: __vbaStrVarMove.MSVBVM60(00000000), ref: 0043DE26
                              • Part of subcall function 0043DD00: __vbaStrMove.MSVBVM60 ref: 0043DE31
                              • Part of subcall function 0043DD00: __vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000), ref: 0043DE55
                              • Part of subcall function 0043DD00: __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,00000000,?,00000000,00403596,0043DBD0), ref: 0043DE75
                              • Part of subcall function 0043DD00: #645.MSVBVM60(00004008,00000010), ref: 0043DEA1
                              • Part of subcall function 0043DD00: __vbaStrMove.MSVBVM60 ref: 0043DEAF
                              • Part of subcall function 0043DD00: __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 0043DEBB
                            • __vbaStrMove.MSVBVM60(?,00000000,?,00000000,00403596), ref: 0043DBD7
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000,?,00000000,?,00000000,00403596), ref: 0043DBEF
                            • __vbaStrCat.MSVBVM60(\ThunderBirdContacts.txt,015AC8B4,?,00000000,?,00000000,00403596), ref: 0043DC0C
                            • __vbaFreeStr.MSVBVM60(?,00442054,?,00000000,?,00000000,00403596), ref: 0043DC2E
                            • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00403596), ref: 0043DC45
                            • __vbaStrMove.MSVBVM60(?,00000000,?,00000000,00403596), ref: 0043DC17
                              • Part of subcall function 00437430: __vbaChkstk.MSVBVM60(?,00403596,?,?,?,0041759F,?,00442038), ref: 0043744E
                              • Part of subcall function 00437430: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00403596), ref: 0043747E
                              • Part of subcall function 00437430: #648.MSVBVM60(0000000A), ref: 004374A4
                              • Part of subcall function 00437430: __vbaFreeVar.MSVBVM60 ref: 004374B1
                              • Part of subcall function 00437430: __vbaFileOpen.MSVBVM60(00000220,000000FF,?), ref: 004374D0
                              • Part of subcall function 00437430: __vbaPut3.MSVBVM60(00000000,00000000,?), ref: 004374E8
                              • Part of subcall function 00437430: __vbaFileClose.MSVBVM60(?), ref: 004374FA
                            • __vbaStrMove.MSVBVM60(?,00000000,?,00000000,00403596), ref: 0043DC5E
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000,?,00000000,?,00000000,00403596), ref: 0043DC76
                            • __vbaStrCat.MSVBVM60(\163MailContacts.txt,015AC8B4,?,00000000,?,00000000,00403596), ref: 0043DC93
                            • __vbaStrMove.MSVBVM60(?,00000000,?,00000000,00403596), ref: 0043DC9E
                            • __vbaFreeStr.MSVBVM60(?,00442054,?,00000000,?,00000000,00403596), ref: 0043DCB5
                            • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00403596), ref: 0043DCCC
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Free$Copy$ChkstkError$FileList$#645#648#666CloseOpenPut3
                            • String ID: \163MailContacts.txt$\ThunderBirdContacts.txt
                            • API String ID: 250720439-586816672
                            • Opcode ID: 2cbbe17c19f35bd4a5726f693c8f83a416bbfaf33b8aae46aeb04752903af0b9
                            • Instruction ID: d23a5136e73d553887f3ee9a9d4e4cfcb48021d98c0fa6bc3a0ccdb1669ca3dc
                            • Opcode Fuzzy Hash: 2cbbe17c19f35bd4a5726f693c8f83a416bbfaf33b8aae46aeb04752903af0b9
                            • Instruction Fuzzy Hash: C0313270A01205DBE704DF94DB097DE7BB4EB49705F60806AF602B72A0DBF85E49CB69
                            Function 0043D900 Relevance: 27.2, APIs: 18, Instructions: 151COMMON
                            Download Yara Rule
                            APIs
                            • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000,?,00000000), ref: 0043D94E
                              • Part of subcall function 0043D590: #644.MSVBVM60(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00403596), ref: 0043D5D0
                              • Part of subcall function 0043D590: __vbaSetSystemError.MSVBVM60(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 0043D5E6
                              • Part of subcall function 0043D590: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 0043D609
                              • Part of subcall function 0043D590: #644.MSVBVM60 ref: 0043D615
                              • Part of subcall function 0043D590: __vbaAryLock.MSVBVM60(?,?), ref: 0043D621
                              • Part of subcall function 0043D590: __vbaGenerateBoundsError.MSVBVM60 ref: 0043D640
                              • Part of subcall function 0043D590: #644.MSVBVM60(00000000), ref: 0043D65C
                              • Part of subcall function 0043D590: __vbaAryUnlock.MSVBVM60(?), ref: 0043D668
                              • Part of subcall function 0043D590: __vbaSetSystemError.MSVBVM60(0000FDE9,00000000,00000000,000000FF,00000000,?,00000000,00000000), ref: 0043D688
                              • Part of subcall function 0043D590: __vbaAryMove.MSVBVM60(?,?), ref: 0043D69A
                            • __vbaAryMove.MSVBVM60(?,?,00403596), ref: 0043D96B
                            • __vbaLbound.MSVBVM60(00000001,?), ref: 0043D977
                            • __vbaUbound.MSVBVM60(00000001,?), ref: 0043D985
                            • __vbaAryLock.MSVBVM60(?,?), ref: 0043D9A6
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0043D9C5
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0043D9D2
                            • #644.MSVBVM60(00000000), ref: 0043D9E7
                            • __vbaAryUnlock.MSVBVM60(?), ref: 0043D9F0
                            • __vbaSetSystemError.MSVBVM60(?,?,-00000001,?,?), ref: 0043DA0E
                            • __vbaAryLock.MSVBVM60(?,?), ref: 0043DA1C
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0043DA3B
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0043DA48
                            • #644.MSVBVM60(00000000), ref: 0043DA57
                            • __vbaAryUnlock.MSVBVM60(?), ref: 0043DA60
                            • __vbaAryDestruct.MSVBVM60(00000000,?,0043DA9C), ref: 0043DA92
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0043DA99
                            • __vbaErrorOverflow.MSVBVM60 ref: 0043DAB2
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Error$#644BoundsGenerate$LockSystemUnlock$DestructMoveRedim$LboundOverflowUbound
                            • String ID:
                            • API String ID: 797121997-0
                            • Opcode ID: 8eea039f10814c8ccb22edca54a3332967faa9692cdabb7d3d5ae2289ce16544
                            • Instruction ID: 0708d7b9e01d8bba30c6d2c118ee8b284b962ec723d6b551db8ea99c4f8a80b9
                            • Opcode Fuzzy Hash: 8eea039f10814c8ccb22edca54a3332967faa9692cdabb7d3d5ae2289ce16544
                            • Instruction Fuzzy Hash: 91513D75D00208AFCB04DFA4D9849EEBBB9EF8C715F10915AE902B7360D7759981CFA8
                            Function 00404BB4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596), ref: 0040F6DE
                            • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00403596), ref: 0040F725
                            • __vbaSetSystemError.MSVBVM60(000000DF), ref: 0040F77E
                            • __vbaErrorOverflow.MSVBVM60 ref: 0040F7D5
                            • __vbaChkstk.MSVBVM60(00000000,00403596), ref: 0040F7FE
                            • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00403596), ref: 0040F845
                            • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00403596), ref: 0040F870
                            • __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00403596), ref: 0040F884
                            • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00403596), ref: 0040F892
                            • __vbaStrMove.MSVBVM60 ref: 0040F8B1
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0040F8C9
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,?,?), ref: 0040F8F2
                            • __vbaFreeVar.MSVBVM60(?,?,?,?,?,00403596), ref: 0040F8FE
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Error$Move$ChkstkCopyFree$ListOverflowSystem
                            • String ID: 3
                            • API String ID: 2272671529-1842515611
                            • Opcode ID: 110891f871a6d3e11ca3b22c976c6d533f9368ed20350e2ad7ae9ab5a59cc725
                            • Instruction ID: b844a33ae8679b19327ecc89843fcaa567874d9d8cecde71310122f64c86bd57
                            • Opcode Fuzzy Hash: 110891f871a6d3e11ca3b22c976c6d533f9368ed20350e2ad7ae9ab5a59cc725
                            • Instruction Fuzzy Hash: 72215C78905208EBCB10DF94DA4879DBBF4FB44708F10813AF5147B6A0C3B99A84CB9A
                            Function 00403AA0 Relevance: 1.6, APIs: 1, Instructions: 125COMMON
                            Download Yara Rule
                            APIs
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: #100
                            • String ID:
                            • API String ID: 1341478452-0
                            • Opcode ID: da16f7506d8e5e2561c98f661efb74245863b94851fa52944c62741b4c66bd7f
                            • Instruction ID: ff3c1fb01d8f45df6f9861ae03478e204013017bc2bfb9eb46490ea0d24b0fc4
                            • Opcode Fuzzy Hash: da16f7506d8e5e2561c98f661efb74245863b94851fa52944c62741b4c66bd7f
                            • Instruction Fuzzy Hash: E141BAA205E7C15FD3038B7059256827FB59E5321AB0E81EBC4C2CE5B3E11D495AC776

                            Non-executed Functions

                            Function 0040546C Relevance: .0, Instructions: 8COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 34d4713f9331bb620293a7360e72dc9cc780fd90e8503813e609bbf2b7e302c6
                            • Instruction ID: 33a3e5547ee155327db92c69ec326320fdaab922b2d9e84d618055fcd23014d8
                            • Opcode Fuzzy Hash: 34d4713f9331bb620293a7360e72dc9cc780fd90e8503813e609bbf2b7e302c6
                            • Instruction Fuzzy Hash: 29B01220384802BADA10DB988C41B661590E6003833614C33F050E92D1C778CD808D2D
                            Function 00435AC0 Relevance: 130.0, APIs: 72, Strings: 2, Instructions: 480COMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 00436CC0: __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 00436D1D
                              • Part of subcall function 00436CC0: #632.MSVBVM60(?,?,00000000,?,?,?,00000000), ref: 00436D61
                              • Part of subcall function 00436CC0: __vbaVarMove.MSVBVM60(?,?,00000000), ref: 00436D70
                              • Part of subcall function 00436CC0: __vbaFreeVar.MSVBVM60(?,?,00000000), ref: 00436D79
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,00000000), ref: 00436D99
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00436DB9
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,00000000), ref: 00436DD9
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00436DF9
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00436E19
                            • #632.MSVBVM60(?,?,?,?,00402DC0,?,6D1FC2DA,00000000,?), ref: 00435B4F
                            • __vbaStrVarMove.MSVBVM60(?,?,?,00402DC0,?,6D1FC2DA,00000000,?), ref: 00435B59
                            • __vbaStrMove.MSVBVM60(?,?,00402DC0,?,6D1FC2DA,00000000,?), ref: 00435B6A
                            • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00402DC0,?,6D1FC2DA,00000000,?), ref: 00435B76
                            • __vbaLenBstr.MSVBVM60(00000000,6D1FC2DA,00000000,?), ref: 00435B94
                            • #632.MSVBVM60(?,00004008,?,00000002), ref: 00435BD8
                            • __vbaStrVarMove.MSVBVM60(?), ref: 00435BE2
                            • __vbaStrMove.MSVBVM60 ref: 00435BED
                            • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00435BF9
                            • __vbaStrCopy.MSVBVM60 ref: 00435C08
                            • __vbaStrCmp.MSVBVM60(00405AFC,?), ref: 00435C1D
                            • #632.MSVBVM60(?,00004008,-00000001,00000002), ref: 00435C5C
                            • __vbaStrVarMove.MSVBVM60(?), ref: 00435C66
                            • __vbaStrMove.MSVBVM60 ref: 00435C71
                            • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00435C7D
                            • __vbaStrCopy.MSVBVM60 ref: 00435C8F
                            • __vbaStrCmp.MSVBVM60(00405AF4,?), ref: 00435CA1
                            • __vbaStrCmp.MSVBVM60(00405AFC,?), ref: 00435CB7
                            • __vbaStrCmp.MSVBVM60(00405E94,?), ref: 00435CCD
                            • __vbaStrCmp.MSVBVM60(00405B04,?), ref: 00435CE3
                            • __vbaStrCmp.MSVBVM60(0040C900,?), ref: 00435CF9
                            • __vbaStrCat.MSVBVM60(0040C908,?), ref: 00435D08
                            • __vbaStrMove.MSVBVM60 ref: 00435D13
                            • __vbaStrCmp.MSVBVM60(0040C8F8,?), ref: 00435D26
                            • __vbaStrCat.MSVBVM60(0040C910,?), ref: 00435D35
                            • __vbaStrMove.MSVBVM60 ref: 00435D40
                            • __vbaStrCopy.MSVBVM60 ref: 00435D4F
                              • Part of subcall function 004338E0: __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                              • Part of subcall function 004338E0: #632.MSVBVM60(?,?,?,?), ref: 00433982
                              • Part of subcall function 004338E0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                              • Part of subcall function 004338E0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                              • Part of subcall function 004338E0: #537.MSVBVM60(00000000), ref: 004339A6
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                              • Part of subcall function 004338E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaStrMove.MSVBVM60(?), ref: 00435D63
                            • __vbaStrCopy.MSVBVM60 ref: 00435D6D
                            • __vbaStrMove.MSVBVM60 ref: 00435D80
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,6D10D8B1,00000001,6D0FA323), ref: 00432A33
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?), ref: 00432A69
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00432A74
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,?), ref: 00432A77
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00432A82
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00432A8B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00432AA9
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432AC6
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AD1
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00432AD4
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE0
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE9
                              • Part of subcall function 004329F0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00432B0A
                              • Part of subcall function 004329F0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 00432B1C
                              • Part of subcall function 004329F0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 00432B23
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432B2E
                            • __vbaStrMove.MSVBVM60(?,?,?), ref: 00435D9B
                            • __vbaStrCmp.MSVBVM60(00000000), ref: 00435D9E
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00435DBF
                            • __vbaStrCat.MSVBVM60(0040C918,?), ref: 00435DD6
                            • __vbaStrMove.MSVBVM60 ref: 00435DE1
                            • __vbaStrCopy.MSVBVM60 ref: 00435E03
                            • __vbaStrMove.MSVBVM60(?), ref: 00435E13
                            • __vbaStrCopy.MSVBVM60 ref: 00435E1D
                            • __vbaStrMove.MSVBVM60 ref: 00435E2C
                            • __vbaStrMove.MSVBVM60(?,?,?), ref: 00435E47
                            • __vbaStrCmp.MSVBVM60(00000000), ref: 00435E4A
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00435E6F
                            • __vbaStrCat.MSVBVM60(0040C920,?), ref: 00435E86
                            • __vbaStrMove.MSVBVM60 ref: 00435E91
                            • __vbaStrCmp.MSVBVM60(0040C8F0,?), ref: 00435EB7
                            • __vbaStrCat.MSVBVM60(00408C98,?), ref: 00435EC6
                            • __vbaStrMove.MSVBVM60 ref: 00435ED1
                            • __vbaStrCmp.MSVBVM60(0040C928,?), ref: 00435EF1
                            • #632.MSVBVM60(?,00004008,-00000001,00000002), ref: 00435F30
                            • __vbaStrVarMove.MSVBVM60(?), ref: 00435F40
                            • __vbaStrMove.MSVBVM60 ref: 00435F47
                            • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00435F53
                            • __vbaStrCat.MSVBVM60(?,0040C930), ref: 00435F72
                            • __vbaStrMove.MSVBVM60 ref: 00435F7D
                            • #581.MSVBVM60(00000000), ref: 00435F80
                            • __vbaFpI4.MSVBVM60 ref: 00435F86
                            • #698.MSVBVM60(00000002,00000000), ref: 00435F91
                            • __vbaVarAdd.MSVBVM60(?,00000002,00000008), ref: 00435FA3
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 00435FAA
                            • __vbaStrMove.MSVBVM60 ref: 00435FB1
                            • __vbaFreeStr.MSVBVM60 ref: 00435FB6
                            • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00435FC6
                            • __vbaStrCat.MSVBVM60(?,?), ref: 00435FE1
                            • __vbaStrMove.MSVBVM60 ref: 00435FEC
                            • __vbaStrCmp.MSVBVM60(?,?), ref: 00435FFB
                            • __vbaStrCat.MSVBVM60(?,?), ref: 00436009
                            • __vbaStrMove.MSVBVM60 ref: 00436014
                            • __vbaFreeStrList.MSVBVM60(00000002,?,?,004360A8), ref: 00436089
                            • __vbaFreeStr.MSVBVM60 ref: 0043609B
                            • __vbaFreeStr.MSVBVM60 ref: 004360A0
                            • __vbaFreeStr.MSVBVM60 ref: 004360A5
                            • __vbaErrorOverflow.MSVBVM60(6D1FC2DA,00000000,?), ref: 004360BE
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Free$List$#632Copy$Bstr$#516#631$#537#581#608#698ErrorOverflow
                            • String ID: EvLbuvqxERJWOBWBhkJcDrwA$TTClbgMTBFQz
                            • API String ID: 2359777993-2214825631
                            • Opcode ID: 0185599ff40b280c478a34e5d0f09017253d1477a5cfc227de83c365244e69cf
                            • Instruction ID: 2b510f4eeb33fd2b1e24c205ca7501f9f6646a724ef07d2aefea222ffabf6d0d
                            • Opcode Fuzzy Hash: 0185599ff40b280c478a34e5d0f09017253d1477a5cfc227de83c365244e69cf
                            • Instruction Fuzzy Hash: D7020DB190020A9FDB14DFE4DD85EEEBBB9FF48300F10812AE546A7294EB74A945CF54
                            Function 00420330 Relevance: 124.7, APIs: 70, Strings: 1, Instructions: 476COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596,?,?,?,?,00000000), ref: 0042034E
                            • __vbaOnError.MSVBVM60(000000FF,00401D38,-00000001,6D1DEC2C,00000000,00403596), ref: 0042037E
                            • __vbaStrCat.MSVBVM60(00000000), ref: 0042039E
                            • __vbaVarMove.MSVBVM60 ref: 004203BD
                            • __vbaLenBstr.MSVBVM60 ref: 004203D0
                            • __vbaStrCat.MSVBVM60(00409030,?), ref: 00420440
                            • __vbaStrMove.MSVBVM60 ref: 0042044E
                            • #631.MSVBVM60(00000002,-00000001,00000002,00000000), ref: 0042046F
                            • __vbaStrMove.MSVBVM60 ref: 0042047D
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00420484
                            • __vbaStrMove.MSVBVM60 ref: 00420492
                            • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004204A8
                            • __vbaFreeVar.MSVBVM60 ref: 004204B7
                            • __vbaAryMove.MSVBVM60(?,?,?), ref: 004204ED
                            • __vbaRecDestruct.MSVBVM60(0040663C,?), ref: 0042050D
                            • __vbaRecAssign.MSVBVM60(0040663C,?,?,?), ref: 00420538
                            • __vbaAryCopy.MSVBVM60(?,?), ref: 00420564
                            • __vbaUI1I2.MSVBVM60 ref: 0042057A
                            • __vbaRecDestruct.MSVBVM60(0040663C,?), ref: 004205B0
                            • __vbaAryCopy.MSVBVM60(?,?,?), ref: 004205D6
                            • __vbaRecDestruct.MSVBVM60(0040663C,?), ref: 004205F6
                            • __vbaRecAssign.MSVBVM60(0040663C,?,?,?), ref: 00420621
                            • __vbaAryCopy.MSVBVM60(?,?), ref: 00420643
                            • __vbaRecDestruct.MSVBVM60(0040663C,?), ref: 00420675
                            • __vbaRecAssign.MSVBVM60(0040663C,?,?,?), ref: 004206A0
                            • __vbaVarMove.MSVBVM60 ref: 004206D0
                            • __vbaAryCopy.MSVBVM60(?,?), ref: 004206E5
                            • __vbaUbound.MSVBVM60(00000001,?), ref: 004206FF
                            • __vbaVarMul.MSVBVM60(00000008,00000002,?,00000003,00000000), ref: 00420744
                            • __vbaVarSub.MSVBVM60(?,00000000), ref: 00420752
                            • __vbaI4Var.MSVBVM60(00000000), ref: 00420759
                            • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000), ref: 0042076F
                            • __vbaUbound.MSVBVM60(00000001,?), ref: 00420785
                            • __vbaVarMul.MSVBVM60(?,00000002,?), ref: 00420805
                            • __vbaI2Var.MSVBVM60(00000000), ref: 0042080C
                            • __vbaVarMul.MSVBVM60(?,00000002,?,00000003), ref: 00420845
                            • __vbaVarSub.MSVBVM60(?,00000000), ref: 00420853
                            • __vbaVarAdd.MSVBVM60(?,00000002,00000000), ref: 00420868
                              • Part of subcall function 004338E0: __vbaChkstk.MSVBVM60(00000000,00403596), ref: 00433A6E
                              • Part of subcall function 004338E0: __vbaOnError.MSVBVM60(000000FF,6D10D8B1,?,6D0FA323,00000000,00403596), ref: 00433A9E
                              • Part of subcall function 004338E0: __vbaVarVargNofree.MSVBVM60 ref: 00433ABF
                              • Part of subcall function 004338E0: __vbaVarSub.MSVBVM60(?,00000002,00000000), ref: 00433ACE
                              • Part of subcall function 004338E0: __vbaI2Var.MSVBVM60(00000000), ref: 00433AD5
                              • Part of subcall function 004338E0: __vbaChkstk.MSVBVM60 ref: 00433B5B
                              • Part of subcall function 004338E0: __vbaChkstk.MSVBVM60 ref: 00433B7E
                              • Part of subcall function 004338E0: __vbaVarIndexLoad.MSVBVM60(?,?,00000001), ref: 00433BA6
                              • Part of subcall function 004338E0: __vbaChkstk.MSVBVM60 ref: 00433BB6
                              • Part of subcall function 004338E0: __vbaVarIndexStore.MSVBVM60(00000000,00000001), ref: 00433BD9
                            • __vbaFreeVar.MSVBVM60(00006011,?,00006011,00000000,00000000), ref: 00420896
                            • __vbaUI1I2.MSVBVM60 ref: 004208B2
                            • __vbaUI1I2.MSVBVM60 ref: 004208C7
                            • __vbaRecDestruct.MSVBVM60(0040663C,?), ref: 00420906
                              • Part of subcall function 00420BA0: __vbaUbound.MSVBVM60(00000001,?,00401D38,-00000001,6D1DEC2C), ref: 00420C1A
                              • Part of subcall function 00420BA0: __vbaUI1I2.MSVBVM60(?,00401D38,-00000001,6D1DEC2C), ref: 00420C22
                              • Part of subcall function 00420BA0: __vbaAryCopy.MSVBVM60(?,00401E10,?,00401D38,-00000001,6D1DEC2C), ref: 00420C30
                              • Part of subcall function 00420BA0: __vbaFreeVar.MSVBVM60(00420E8E), ref: 00420E7A
                              • Part of subcall function 00420BA0: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00420E82
                              • Part of subcall function 00420BA0: __vbaFreeVar.MSVBVM60 ref: 00420E8B
                            • __vbaRecAssign.MSVBVM60(0040663C,?,?,?), ref: 00420931
                            • __vbaAryCopy.MSVBVM60(?,?), ref: 00420953
                            • #698.MSVBVM60(?,?), ref: 00420984
                            • __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0042099F
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 004209A6
                            • __vbaStrMove.MSVBVM60 ref: 004209B1
                            • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004209C7
                            • __vbaStrVarVal.MSVBVM60(?,?,00405BB8,00000001,000000FF,00000000), ref: 00420A0F
                            • #712.MSVBVM60(?,00000000), ref: 00420A1A
                            • __vbaStrMove.MSVBVM60 ref: 00420A25
                            • __vbaFreeStr.MSVBVM60 ref: 00420A31
                            • __vbaRecDestruct.MSVBVM60(0040663C,?,00420B77), ref: 00420A9E
                            • __vbaRecDestruct.MSVBVM60(0040663C,?), ref: 00420AB0
                            • __vbaRecDestruct.MSVBVM60(0040663C,?), ref: 00420AC2
                            • __vbaRecDestruct.MSVBVM60(0040663C,?), ref: 00420AD4
                            • __vbaRecDestruct.MSVBVM60(0040663C,?), ref: 00420AE6
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00420AF5
                            • __vbaFreeVar.MSVBVM60 ref: 00420AFE
                            • __vbaRecDestruct.MSVBVM60(0040663C,?), ref: 00420B0D
                            • __vbaFreeVar.MSVBVM60 ref: 00420B16
                            • __vbaRecDestruct.MSVBVM60(0040663C,?), ref: 00420B25
                            • __vbaRecDestruct.MSVBVM60(0040663C,?), ref: 00420B34
                            • __vbaFreeStr.MSVBVM60 ref: 00420B3D
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00420B49
                            • __vbaRecDestruct.MSVBVM60(0040663C,?), ref: 00420B58
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00420B64
                            • __vbaFreeStr.MSVBVM60 ref: 00420B70
                            • __vbaErrorOverflow.MSVBVM60 ref: 00420B8D
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Destruct$Free$Move$Copy$Chkstk$Assign$ErrorUbound$IndexList$#631#698#712BstrLoadNofreeOverflowRedimStoreVarg
                            • String ID: (
                            • API String ID: 3448099741-3887548279
                            • Opcode ID: 6cff36407beb03d6a12f62781baa4de4d8d050b2944e0c8d272e88fb7868daae
                            • Instruction ID: 2efabc58e63909414a9119f428e78c22a1c6be0bed616ceb1a159470a40f9566
                            • Opcode Fuzzy Hash: 6cff36407beb03d6a12f62781baa4de4d8d050b2944e0c8d272e88fb7868daae
                            • Instruction Fuzzy Hash: E6220BB1800258EFDB14DF90DD48BEDBBB8FB48304F108599E54AB72A1DB751A88CF65
                            Function 00430F30 Relevance: 87.8, APIs: 45, Strings: 5, Instructions: 342COMMON
                            Download Yara Rule
                            APIs
                            • #644.MSVBVM60(AES,6D1045C1,00000000,00402790), ref: 00430F8A
                            • __vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000), ref: 00430FA1
                            • __vbaStrCopy.MSVBVM60 ref: 00430FB0
                            • #644.MSVBVM60(ChainingMode), ref: 00430FC0
                            • #644.MSVBVM60(ChainingModeGCM), ref: 00430FCA
                            • __vbaSetSystemError.MSVBVM60(?,?,00000000,00000020,00000000), ref: 00430FDF
                            • __vbaAryLock.MSVBVM60(?), ref: 00430FF3
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00431012
                            • #644.MSVBVM60(00000000), ref: 00431034
                            • __vbaAryUnlock.MSVBVM60(?), ref: 00431042
                            • __vbaUbound.MSVBVM60(00000001,?,00000000), ref: 0043104E
                            • __vbaSetSystemError.MSVBVM60(?,?,00000000,00000000,00000000,-00000001,?,00000000), ref: 00431072
                            • __vbaAryLock.MSVBVM60(?,?,?,00000000), ref: 00431098
                            • __vbaGenerateBoundsError.MSVBVM60(?,?,00000000), ref: 004310B7
                            • #644.MSVBVM60(00000000,?,?,00000000), ref: 004310D3
                            • __vbaAryUnlock.MSVBVM60(?,?,?,00000000), ref: 004310DB
                            • __vbaSetSystemError.MSVBVM60(?), ref: 004312B4
                            • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 004312C4
                            • __vbaFreeStr.MSVBVM60(004312EA), ref: 004312E3
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Error$#644System$BoundsGenerateLockUnlock$CopyFreeUbound
                            • String ID: @$AES$BCryptOpenAlgorithmProvider$ChainingMode$ChainingModeGCM
                            • API String ID: 254650619-2246351549
                            • Opcode ID: 5bfc70ed6c09e09f5830eec17ca97fabedaa7f6b1d5aad84f950764ed82e929d
                            • Instruction ID: 5db6a0b5460dbc188c6b79ce96adee2cb5856f497ecded918d6ccc8781b39293
                            • Opcode Fuzzy Hash: 5bfc70ed6c09e09f5830eec17ca97fabedaa7f6b1d5aad84f950764ed82e929d
                            • Instruction Fuzzy Hash: 61C1FC74A003089FCB14DFA4CD94AAEB7B9FF49304F10856EE915EB361DA75A842CF58
                            Function 0041FD30 Relevance: 79.0, APIs: 36, Strings: 9, Instructions: 268COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596), ref: 0041FD4E
                            • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00403596), ref: 0041FD7E
                            • #716.MSVBVM60(?,System.Security.Cryptography.RijndaelManaged,00000000,?,00000000,?,00000000,00403596), ref: 0041FD9D
                            • __vbaVarSetVar.MSVBVM60(?,?,?,00000000,?,00000000,00403596), ref: 0041FDAB
                            • __vbaChkstk.MSVBVM60 ref: 0041FDCE
                            • __vbaVarLateMemSt.MSVBVM60(?,keySize), ref: 0041FDF8
                            • __vbaChkstk.MSVBVM60 ref: 0041FE1B
                            • __vbaVarLateMemSt.MSVBVM60(?,Padding), ref: 0041FE45
                            • __vbaChkstk.MSVBVM60 ref: 0041FE68
                            • __vbaVarLateMemSt.MSVBVM60(?,Mode), ref: 0041FE92
                            • __vbaStrCopy.MSVBVM60 ref: 0041FEA7
                              • Part of subcall function 004338E0: __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                              • Part of subcall function 004338E0: #632.MSVBVM60(?,?,?,?), ref: 00433982
                              • Part of subcall function 004338E0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                              • Part of subcall function 004338E0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                              • Part of subcall function 004338E0: #537.MSVBVM60(00000000), ref: 004339A6
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                              • Part of subcall function 004338E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaStrMove.MSVBVM60(?), ref: 0041FEBB
                            • __vbaStrCopy.MSVBVM60 ref: 0041FEC9
                            • __vbaStrMove.MSVBVM60 ref: 0041FEE8
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,6D10D8B1,00000001,6D0FA323), ref: 00432A33
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?), ref: 00432A69
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00432A74
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,?), ref: 00432A77
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00432A82
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00432A8B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00432AA9
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432AC6
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AD1
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00432AD4
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE0
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE9
                              • Part of subcall function 004329F0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00432B0A
                              • Part of subcall function 004329F0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 00432B1C
                              • Part of subcall function 004329F0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 00432B23
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432B2E
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041FF00
                              • Part of subcall function 00420190: #644.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,00000000,00403596), ref: 004201D3
                              • Part of subcall function 00420190: __vbaLenBstr.MSVBVM60(?,00000000,00000000,00000000,00000000,?,00000000), ref: 004201E2
                              • Part of subcall function 00420190: __vbaSetSystemError.MSVBVM60(0000FDE9,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 004201F8
                              • Part of subcall function 00420190: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00420224
                              • Part of subcall function 00420190: #644.MSVBVM60(00000000), ref: 00420230
                              • Part of subcall function 00420190: __vbaAryLock.MSVBVM60(?,?), ref: 0042023C
                              • Part of subcall function 00420190: __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042025B
                              • Part of subcall function 00420190: __vbaLenBstr.MSVBVM60(?,00000000,?,00000000,00000000), ref: 00420282
                              • Part of subcall function 00420190: __vbaSetSystemError.MSVBVM60(0000FDE9,00000000,00000000,00000000), ref: 00420296
                              • Part of subcall function 00420190: __vbaAryUnlock.MSVBVM60(?), ref: 004202A0
                            • __vbaChkstk.MSVBVM60(?), ref: 0041FF1E
                            • __vbaVarLateMemSt.MSVBVM60(?,Key,?), ref: 0041FF45
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041FF61
                            • __vbaFreeVar.MSVBVM60(?,?,00000000,?,00000000,00403596), ref: 0041FF6D
                            • __vbaVarLateMemCallLd.MSVBVM60(?,?,CreateDecryptor,00000000,?,?,00000000,?,00000000,00403596), ref: 0041FF90
                            • __vbaVarSetVar.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,00403596), ref: 0041FF9E
                            • __vbaUbound.MSVBVM60(00000001), ref: 0041FFDE
                            • __vbaChkstk.MSVBVM60 ref: 00420002
                            • __vbaChkstk.MSVBVM60 ref: 00420028
                            • __vbaChkstk.MSVBVM60 ref: 00420057
                            • __vbaVarLateMemCallLd.MSVBVM60(?,?,TransformFinalBlock,00000003), ref: 00420090
                            • __vbaVar2Vec.MSVBVM60(?,00000000), ref: 0042009E
                            • __vbaAryMove.MSVBVM60(?,?), ref: 004200AC
                            • __vbaFreeVar.MSVBVM60 ref: 004200B5
                            • __vbaUbound.MSVBVM60(00000001,?), ref: 004200C8
                              • Part of subcall function 004334F0: __vbaStrCopy.MSVBVM60(6D10D8B1,00000000,00000000), ref: 00433532
                              • Part of subcall function 004334F0: __vbaGenerateBoundsError.MSVBVM60 ref: 00433571
                              • Part of subcall function 004334F0: __vbaStrUI1.MSVBVM60(?), ref: 0043358A
                              • Part of subcall function 004334F0: __vbaStrMove.MSVBVM60 ref: 00433595
                              • Part of subcall function 004334F0: __vbaStrCmp.MSVBVM60(00409030,00000000), ref: 0043359D
                              • Part of subcall function 004334F0: __vbaFreeStr.MSVBVM60 ref: 004335B0
                              • Part of subcall function 004334F0: __vbaGenerateBoundsError.MSVBVM60 ref: 004335E7
                              • Part of subcall function 004334F0: #608.MSVBVM60(?,00000000), ref: 00433606
                              • Part of subcall function 004334F0: __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 00433618
                              • Part of subcall function 004334F0: __vbaStrVarMove.MSVBVM60(00000000), ref: 0043361F
                            • __vbaStrMove.MSVBVM60(?,?), ref: 004200E9
                            • __vbaAryDestruct.MSVBVM60(00000000,?,0042016C), ref: 00420147
                            • __vbaFreeVar.MSVBVM60 ref: 00420150
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042015C
                            • __vbaFreeVar.MSVBVM60 ref: 00420165
                            • __vbaErrorOverflow.MSVBVM60 ref: 00420182
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Free$Chkstk$Error$Late$Bstr$BoundsCopyGenerate$#516#608#631#644CallDestructListSystemUbound$#537#632#716LockOverflowRedimUnlockVar2
                            • String ID: 302D232C142A3B1224283D041826220D$CreateDecryptor$Key$Mode$Padding$System.Security.Cryptography.RijndaelManaged$TransformFinalBlock$keySize$vXIEVdSHdTRTiwTJfPBRFIiwvydbdHDXzdvcmWMCNL
                            • API String ID: 2183829440-2785477933
                            • Opcode ID: f3f4a9b1573242279f81475b22629c2e5304b1d694f87653ea29582ca9b85df8
                            • Instruction ID: 38975633da4927435cf1b3390f0a335ed91eeee338163cc87c1505167e1d3acd
                            • Opcode Fuzzy Hash: f3f4a9b1573242279f81475b22629c2e5304b1d694f87653ea29582ca9b85df8
                            • Instruction Fuzzy Hash: 7AC108B0D00209DFDB14DFA4C949B9DBBB5FF48304F1085AEE509AB2A1DB749A85CF54
                            Function 00431310 Relevance: 77.3, APIs: 39, Strings: 5, Instructions: 275COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(?,00403596,?,?,?,?,00430BB3,00000000,?,?,?,?,?,?,?,00000000), ref: 0043132E
                            • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00403596), ref: 0043135E
                            • __vbaStrCopy.MSVBVM60(?,00000000,?,?,00403596), ref: 00431373
                              • Part of subcall function 004338E0: __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                              • Part of subcall function 004338E0: #632.MSVBVM60(?,?,?,?), ref: 00433982
                              • Part of subcall function 004338E0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                              • Part of subcall function 004338E0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                              • Part of subcall function 004338E0: #537.MSVBVM60(00000000), ref: 004339A6
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                              • Part of subcall function 004338E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaStrMove.MSVBVM60(?,?,00000000,?,?,00403596), ref: 00431387
                            • __vbaStrCopy.MSVBVM60(?,00000000,?,?,00403596), ref: 00431395
                            • __vbaStrMove.MSVBVM60 ref: 004313B4
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,6D10D8B1,00000001,6D0FA323), ref: 00432A33
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?), ref: 00432A69
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00432A74
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,?), ref: 00432A77
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00432A82
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00432A8B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00432AA9
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432AC6
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AD1
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00432AD4
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE0
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE9
                              • Part of subcall function 004329F0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00432B0A
                              • Part of subcall function 004329F0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 00432B1C
                              • Part of subcall function 004329F0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 00432B23
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432B2E
                            • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 004313D2
                            • __vbaStrCat.MSVBVM60(00000000), ref: 004313D9
                            • __vbaStrMove.MSVBVM60 ref: 004313E4
                              • Part of subcall function 00431770: __vbaChkstk.MSVBVM60(?,00403596,?,?,00000000,?,?,00403596), ref: 0043178E
                              • Part of subcall function 00431770: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00403596), ref: 004317BE
                              • Part of subcall function 00431770: #645.MSVBVM60(00004008,00000000), ref: 004317DE
                              • Part of subcall function 00431770: __vbaStrMove.MSVBVM60 ref: 004317E9
                              • Part of subcall function 00431770: __vbaLenBstrB.MSVBVM60(00000000), ref: 004317F0
                              • Part of subcall function 00431770: __vbaFreeStr.MSVBVM60 ref: 00431806
                              • Part of subcall function 00431770: #648.MSVBVM60(0000000A), ref: 00431831
                              • Part of subcall function 00431770: __vbaFreeVar.MSVBVM60 ref: 0043183E
                              • Part of subcall function 00431770: __vbaFileOpen.MSVBVM60(00000020,000000FF,?,00000000), ref: 0043185A
                              • Part of subcall function 00431770: #570.MSVBVM60(?), ref: 0043186C
                              • Part of subcall function 00431770: #525.MSVBVM60(00000000), ref: 00431873
                              • Part of subcall function 00431770: __vbaStrMove.MSVBVM60 ref: 0043187E
                              • Part of subcall function 00431770: __vbaGet3.MSVBVM60(00000000,00000000,?), ref: 00431896
                              • Part of subcall function 00431770: __vbaFileClose.MSVBVM60(?), ref: 004318A8
                            • __vbaStrMove.MSVBVM60(?), ref: 004313F8
                              • Part of subcall function 00434610: __vbaChkstk.MSVBVM60(00000000,00403596,?,?,00000000,?,?,00403596), ref: 0043462E
                              • Part of subcall function 00434610: __vbaStrCopy.MSVBVM60(?,00000000), ref: 00434674
                              • Part of subcall function 00434610: __vbaOnError.MSVBVM60(000000FF,?,00000000), ref: 00434683
                              • Part of subcall function 00434610: #632.MSVBVM60(?,00004008,00000001,00000002), ref: 004346CF
                              • Part of subcall function 00434610: __vbaVarMove.MSVBVM60 ref: 004346DB
                              • Part of subcall function 00434610: __vbaFreeVar.MSVBVM60 ref: 004346E4
                              • Part of subcall function 00434610: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 00434707
                              • Part of subcall function 00434610: __vbaObjSet.MSVBVM60(00000000,00000000,?,00000001), ref: 0043472D
                              • Part of subcall function 00434610: __vbaFreeVar.MSVBVM60(004347CF), ref: 004347C8
                            • __vbaObjSet.MSVBVM60(?,00000000,?), ref: 0043140C
                            • __vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,?,00000000), ref: 00431430
                            • __vbaObjIs.MSVBVM60(?,00000000,?,?,?,?,00000000,?,?,00403596), ref: 00431446
                            • __vbaStrMove.MSVBVM60(?,?,?,?,00000000,?,?,00403596), ref: 00431468
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000,?,?,?,?,00000000,?,?,00403596), ref: 00431474
                            • __vbaFreeStr.MSVBVM60(?,?,?,?,00000000,?,?,00403596), ref: 0043148B
                            • __vbaChkstk.MSVBVM60 ref: 004314D1
                            • __vbaChkstk.MSVBVM60(Item,00000001), ref: 00431507
                            • __vbaLateMemCallLd.MSVBVM60(?,?,Item,00000001,Item,00000001), ref: 0043153A
                            • __vbaVarLateMemCallLd.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00431548
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 00431552
                            • __vbaStrMove.MSVBVM60 ref: 0043155D
                            • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0043156D
                            • __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,00000000,?,?,00403596), ref: 00431597
                            • __vbaUbound.MSVBVM60(00000001,?,00000000,?,?,?,?,00000000,?,?,00403596), ref: 004315AC
                            • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000005,?,?,?,?,00000000,?,?,00403596), ref: 004315CB
                            • __vbaUbound.MSVBVM60(00000001,?), ref: 004315E1
                            • __vbaFreeVar.MSVBVM60(00006011,00000005,00006011,00000000,00000003), ref: 00431657
                            • __vbaStrCopy.MSVBVM60 ref: 00431669
                            • __vbaAryMove.MSVBVM60(?,?,?,?,00000000,00000000,00000004,00000000), ref: 00431695
                            • __vbaFreeStr.MSVBVM60 ref: 0043169E
                            • __vbaAryDestruct.MSVBVM60(00000000,?,0043174E), ref: 00431705
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00431714
                            • __vbaFreeStr.MSVBVM60 ref: 0043171D
                            • __vbaFreeObj.MSVBVM60 ref: 00431726
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00431732
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0043173E
                              • Part of subcall function 00436F30: __vbaStrCopy.MSVBVM60(6D1FC2DA,00008008), ref: 00436F69
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Free$ChkstkCopy$BstrDestruct$ErrorList$#516#631#632CallFileLateUbound$#525#537#570#608#645#648CloseGet3OpenRedim
                            • String ID: 140418161205433906193F37$Item$encrypted_key$gHHwusicjrxKR$os_crypt
                            • API String ID: 676153682-1624684834
                            • Opcode ID: cc50cb8e4726a478c9f35926f34eaf97b2579ef294eed6cedddd9af5f07b2016
                            • Instruction ID: 0f34aecd759c24fdb52b0926b48386dc00c982200836cd546443aad987c317a2
                            • Opcode Fuzzy Hash: cc50cb8e4726a478c9f35926f34eaf97b2579ef294eed6cedddd9af5f07b2016
                            • Instruction Fuzzy Hash: 6CC10A71900208EBDB04DF94DD89FDEBB79BF48705F108169E506B72A0EB745A89CF54
                            Function 0041132F Relevance: 77.3, APIs: 40, Strings: 4, Instructions: 252COMMON
                            Download Yara Rule
                            APIs
                            • __vbaSetSystemError.MSVBVM60(000000DF), ref: 00411371
                            • __vbaStrCat.MSVBVM60(00406280,0162B774), ref: 004113FA
                            • __vbaStrMove.MSVBVM60 ref: 00411407
                            • __vbaStrCat.MSVBVM60(00406288,0162B774), ref: 00411425
                            • __vbaStrMove.MSVBVM60 ref: 00411432
                            • __vbaStrCopy.MSVBVM60 ref: 0041144C
                            • __vbaStrMove.MSVBVM60(?), ref: 00411460
                            • __vbaStrCopy.MSVBVM60 ref: 0041146E
                            • __vbaStrMove.MSVBVM60 ref: 0041148D
                            • __vbaStrMove.MSVBVM60(?,?,0162B774), ref: 004114AC
                            • __vbaStrCat.MSVBVM60(00000000), ref: 004114B3
                            • __vbaStrMove.MSVBVM60 ref: 004114C0
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 004114DC
                            • __vbaStrCat.MSVBVM60(004062E8,0162B774,?,?,?,?,?,?,?,?,00403596), ref: 004114FD
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00403596), ref: 0041150A
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00403596), ref: 00411524
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00403596), ref: 00411538
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00403596), ref: 00411546
                            • __vbaStrMove.MSVBVM60 ref: 00411565
                            • __vbaStrMove.MSVBVM60(?,?,0162B774), ref: 00411584
                            • __vbaStrCat.MSVBVM60(00000000), ref: 0041158B
                            • __vbaStrMove.MSVBVM60 ref: 00411598
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 004115B4
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403596), ref: 004115D1
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403596), ref: 004115E5
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403596), ref: 004115F3
                            • __vbaStrMove.MSVBVM60 ref: 00411612
                            • __vbaStrMove.MSVBVM60(?,?,0162B774), ref: 00411631
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00411638
                            • __vbaStrMove.MSVBVM60 ref: 00411645
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00411661
                            • __vbaStrCat.MSVBVM60(004063AC,0162B774), ref: 00411682
                            • __vbaStrMove.MSVBVM60 ref: 0041168F
                            • __vbaStrCat.MSVBVM60(004063B4,0162B774), ref: 004116AA
                            • __vbaStrMove.MSVBVM60 ref: 004116B7
                            • __vbaStrCat.MSVBVM60(004063BC,0162B774), ref: 004116D1
                            • __vbaStrMove.MSVBVM60 ref: 004116DE
                            • __vbaStrCat.MSVBVM60(004063C4,0162B774), ref: 004116F9
                            • __vbaStrMove.MSVBVM60 ref: 00411706
                            • #608.MSVBVM60(?,000000DF), ref: 00411745
                            • __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0041175A
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 00411761
                            • __vbaStrMove.MSVBVM60 ref: 0041176E
                            • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041177E
                            • __vbaSetSystemError.MSVBVM60(000000DF), ref: 004117FD
                            • #608.MSVBVM60(?,000000DF), ref: 00411836
                            • __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0041184B
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 00411852
                            • __vbaStrMove.MSVBVM60 ref: 0041185F
                            • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041186F
                            • __vbaSetSystemError.MSVBVM60(000000DF), ref: 004118ED
                            • __vbaErrorOverflow.MSVBVM60(?,?,00403596), ref: 00411F70
                            Strings
                            • QAoTbJBakCdqGCAWtLTuuIuYBbkbggxXKP, xrefs: 00411466
                            • I, xrefs: 00411787
                            • QuoDhKRbMgipsjBaijsdAYTnYBEnOcwFomViTRySYmp, xrefs: 004115EB
                            • KbdkGQkDIOpBlYohKEFaeUAbarLXUZiM, xrefs: 0041153E
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Copy$FreeList$Error$System$#608$Overflow
                            • String ID: I$KbdkGQkDIOpBlYohKEFaeUAbarLXUZiM$QAoTbJBakCdqGCAWtLTuuIuYBbkbggxXKP$QuoDhKRbMgipsjBaijsdAYTnYBEnOcwFomViTRySYmp
                            • API String ID: 855881387-986593838
                            • Opcode ID: 840084c40ae94a306f6fc645d50ea10019a84773e438af102bc29b226e3100a1
                            • Instruction ID: f1e38e8c8f4c0d812641a43e70459e8dda0ba4d2526f3e43df7ace4fa9d88513
                            • Opcode Fuzzy Hash: 840084c40ae94a306f6fc645d50ea10019a84773e438af102bc29b226e3100a1
                            • Instruction Fuzzy Hash: 81B11E75900209EFDB08DFA0EE48ADE77B5FB84301F5081AAF606A36A4DB745A45CB58
                            Function 0041BC6F Relevance: 63.3, APIs: 31, Strings: 5, Instructions: 347COMMON
                            Download Yara Rule
                            APIs
                            • __vbaVarCopy.MSVBVM60 ref: 0041BCBC
                            • __vbaChkstk.MSVBVM60 ref: 0041BCE1
                            • __vbaVarIndexLoad.MSVBVM60(00000008,?,00000001), ref: 0041BD18
                            • __vbaVarMove.MSVBVM60 ref: 0041BD29
                            • __vbaVarTstEq.MSVBVM60(00008002,?), ref: 0041BD58
                            • __vbaStrCat.MSVBVM60(00405AFC,?), ref: 0041BD8F
                            • __vbaChkstk.MSVBVM60 ref: 0041BDBD
                            • __vbaVarIndexLoadRef.MSVBVM60(?,?,00000001), ref: 0041BDF4
                            • __vbaChkstk.MSVBVM60 ref: 0041BE28
                            • __vbaVarCat.MSVBVM60(0000000A,?,00000008), ref: 0041BE67
                            • __vbaChkstk.MSVBVM60 ref: 0041BE74
                            • __vbaChkstk.MSVBVM60 ref: 0041BE96
                            • __vbaChkstk.MSVBVM60 ref: 0041BEC5
                            • __vbaLateMemCall.MSVBVM60(?,getstringvalue,00000004), ref: 0041BEFA
                            • __vbaFreeVarList.MSVBVM60(00000003,00000008,0000000A,?), ref: 0041BF1A
                            • __vbaVarTstEq.MSVBVM60(00008002,?), ref: 0041BF51
                            • __vbaStrCat.MSVBVM60(00405AFC,?), ref: 0041BF88
                            • __vbaChkstk.MSVBVM60 ref: 0041BFB6
                            • __vbaVarIndexLoadRef.MSVBVM60(?,?,00000001), ref: 0041BFED
                            • __vbaChkstk.MSVBVM60 ref: 0041C021
                            • __vbaVarCat.MSVBVM60(0000000A,?,00000008), ref: 0041C060
                            • __vbaChkstk.MSVBVM60 ref: 0041C06D
                            • __vbaChkstk.MSVBVM60 ref: 0041C08F
                            • __vbaChkstk.MSVBVM60 ref: 0041C0BE
                            • __vbaStrCat.MSVBVM60(00405AFC,?), ref: 0041D3F4
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D44E
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D46B
                            • __vbaVarCat.MSVBVM60(0000000A,?,00000008), ref: 0041D48C
                            • __vbaChkstk.MSVBVM60 ref: 0041D499
                            • __vbaVarLateMemSt.MSVBVM60(?,frolickedYAvkfGKWrNQBejXLqblENOHOKnKXbDNjQCmpuddlings), ref: 0041D4CB
                            • __vbaFreeVarList.MSVBVM60(00000002,00000008,0000000A), ref: 0041D4E1
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D548
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D565
                            • __vbaChkstk.MSVBVM60 ref: 0041D576
                            • __vbaVarIndexLoad.MSVBVM60(00000008,?,00000001), ref: 0041D5AD
                            • __vbaChkstk.MSVBVM60 ref: 0041D5BD
                            • __vbaVarLateMemSt.MSVBVM60(?,firebasehdvlYdKMJEZpxQfirehall), ref: 0041D5EF
                            • __vbaFreeVar.MSVBVM60 ref: 0041D5FB
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D660
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D67D
                            • __vbaVarCat.MSVBVM60(00000008,00000008,?), ref: 0041D69E
                            • __vbaChkstk.MSVBVM60 ref: 0041D6AB
                            • __vbaVarLateMemSt.MSVBVM60(?,tattlesNIjTrKGrYbXCRYBposifriezer), ref: 0041D6DD
                            • __vbaFreeVar.MSVBVM60 ref: 0041D6E9
                            • __vbaVarTstEq.MSVBVM60(00000001,?), ref: 0041D724
                            • __vbaStrCopy.MSVBVM60 ref: 0041D748
                            • __vbaStrMove.MSVBVM60(?), ref: 0041D762
                            • __vbaStrCopy.MSVBVM60 ref: 0041D79F
                            • __vbaStrMove.MSVBVM60 ref: 0041D7C7
                            • __vbaStrMove.MSVBVM60(?,?,?,00000001), ref: 0041D7F0
                            • __vbaInStr.MSVBVM60(00000000,00000000,?,00000001), ref: 0041D7F9
                            • __vbaChkstk.MSVBVM60(?,00000001), ref: 0041D814
                            • __vbaLateMemCallLd.MSVBVM60(00000008,?,test,00000001,?,00000001), ref: 0041D853
                            • __vbaChkstk.MSVBVM60(00000000), ref: 0041D862
                            • __vbaLateMemCallLd.MSVBVM60(0000000A,?,test,00000001,00000000), ref: 0041D8A1
                            • __vbaVarOr.MSVBVM60(?,00000000), ref: 0041D8B2
                            • __vbaChkstk.MSVBVM60 ref: 0041F95D
                            • __vbaChkstk.MSVBVM60 ref: 0041F98C
                            • __vbaChkstk.MSVBVM60 ref: 0041F9BB
                            • __vbaLateMemCall.MSVBVM60(?,EnumKey,00000003), ref: 0041F9F0
                            • #560.MSVBVM60(?), ref: 0041FA07
                            • __vbaForEachVar.MSVBVM60(?,?,?,?,?,?), ref: 0041FA49
                            • __vbaAryUnlock.MSVBVM60(?,0041FD0A), ref: 0041FBB3
                            • __vbaFreeObj.MSVBVM60 ref: 0041FBBF
                            • __vbaFreeVar.MSVBVM60 ref: 0041FBCB
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041FBDA
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041FBE9
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041FBF8
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041FC04
                            • __vbaErrorOverflow.MSVBVM60 ref: 0041FD23
                            Strings
                            • firebasehdvlYdKMJEZpxQfirehall, xrefs: 0041D5DA
                            • tattlesNIjTrKGrYbXCRYBposifriezer, xrefs: 0041D6C8
                            • u, xrefs: 0041F398
                            • frolickedYAvkfGKWrNQBejXLqblENOHOKnKXbDNjQCmpuddlings, xrefs: 0041D4B6
                            • getstringvalue, xrefs: 0041BEF1
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Chkstk$ErrorLate$BoundsFreeGenerate$CallDestructIndexLoadMove$Copy$List$#560EachOverflowUnlock
                            • String ID: firebasehdvlYdKMJEZpxQfirehall$frolickedYAvkfGKWrNQBejXLqblENOHOKnKXbDNjQCmpuddlings$getstringvalue$tattlesNIjTrKGrYbXCRYBposifriezer$u
                            • API String ID: 1374960466-972973604
                            • Opcode ID: cda417ce00df754f652aafeda0537c8bc0d539388a2fe725082ffff6b17a2729
                            • Instruction ID: 627a6266f9a48f63dfc59cde70594bb2afdc51988206ef6f2b5cc02db97179a6
                            • Opcode Fuzzy Hash: cda417ce00df754f652aafeda0537c8bc0d539388a2fe725082ffff6b17a2729
                            • Instruction Fuzzy Hash: 8A02E2B49002599FDB64CF58C988BDDBBB0FB48304F1486EAE409AB351DB75AAC5CF44
                            Function 00432BC0 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 327COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596), ref: 00432BDE
                            • __vbaStrCopy.MSVBVM60(6D10D8B1,?,00000000,00000000,00403596), ref: 00432C0B
                            • __vbaOnError.MSVBVM60(000000FF), ref: 00432C1A
                            • __vbaUbound.MSVBVM60(00000001), ref: 00432C3F
                            • __vbaLbound.MSVBVM60(00000001), ref: 00432C4F
                            • __vbaAryLock.MSVBVM60(?), ref: 00432C7F
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00432CBC
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00432CD6
                            • #644.MSVBVM60(?), ref: 00432CEF
                            • __vbaAryUnlock.MSVBVM60(00000000), ref: 00432CFF
                            • __vbaLenBstr.MSVBVM60(?), ref: 00432D79
                            • #644.MSVBVM60(?), ref: 00432D8E
                            • __vbaSetSystemError.MSVBVM60(?,?,00000000,00000000,?,?,?), ref: 00432DD8
                            • #685.MSVBVM60 ref: 00432DFF
                            • __vbaObjSet.MSVBVM60(?,00000000), ref: 00432E0A
                            • #685.MSVBVM60 ref: 00432E5A
                            • __vbaObjSet.MSVBVM60(?,00000000), ref: 00432E65
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BD20,0000004C), ref: 00432EB0
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BD20,00000044), ref: 00432F23
                            • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00432F45
                            • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00432F66
                            • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 00432F94
                            • __vbaAryLock.MSVBVM60(?,?), ref: 00432FAC
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00432FE9
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00433003
                            • __vbaSetSystemError.MSVBVM60(?,?,?), ref: 00433029
                            • __vbaAryUnlock.MSVBVM60(00000000), ref: 00433033
                            • __vbaStrMove.MSVBVM60(?), ref: 0043304E
                            • __vbaAryCopy.MSVBVM60(?,?), ref: 00433063
                            • __vbaSetSystemError.MSVBVM60(?), ref: 00433079
                            • __vbaSetSystemError.MSVBVM60(?), ref: 0043308F
                            • __vbaAryDestruct.MSVBVM60(00000000,?,00433107), ref: 004330F7
                            • __vbaFreeStr.MSVBVM60 ref: 00433100
                            • __vbaErrorOverflow.MSVBVM60 ref: 0043311D
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Error$BoundsGenerateSystem$Free$#644#685CheckCopyHresultListLockUnlock$BstrChkstkDestructLboundMoveOverflowRedimUbound
                            • String ID: P)@
                            • API String ID: 2919997023-2707892697
                            • Opcode ID: 62cc1f989a48b3d2e369a89c16a7495d2bb6a9b855c9e74522a3ec0431e18df8
                            • Instruction ID: 68de8dc19ad1eb9ff62f644d58878e2dbef5a335d41fe29dbe8aa42a27fcadf6
                            • Opcode Fuzzy Hash: 62cc1f989a48b3d2e369a89c16a7495d2bb6a9b855c9e74522a3ec0431e18df8
                            • Instruction Fuzzy Hash: 5FE12AB1900218DFDB14DF94CA88BEEBBB5FF48304F108199E60ABB294D7745A85DF54
                            Function 004118AB Relevance: 61.4, APIs: 34, Strings: 1, Instructions: 192COMMON
                            Download Yara Rule
                            APIs
                            • __vbaSetSystemError.MSVBVM60(000000DF), ref: 004118ED
                            • __vbaStrCat.MSVBVM60(004063CC,0162B774), ref: 00411979
                            • __vbaStrMove.MSVBVM60 ref: 00411986
                            • __vbaStrCat.MSVBVM60(004063D4,0162B774), ref: 004119A4
                            • __vbaStrMove.MSVBVM60 ref: 004119B1
                            • __vbaStrCat.MSVBVM60(004061EC,0162B774), ref: 004119CE
                            • __vbaStrMove.MSVBVM60 ref: 004119DB
                            • __vbaStrCat.MSVBVM60(004061F4,0162B774), ref: 004119F6
                            • __vbaStrMove.MSVBVM60 ref: 00411A03
                            • __vbaStrCat.MSVBVM60(004061FC,0162B774), ref: 00411A1E
                            • __vbaStrMove.MSVBVM60 ref: 00411A2B
                            • __vbaStrCat.MSVBVM60(00406204,0162B774), ref: 00411A45
                            • __vbaStrMove.MSVBVM60 ref: 00411A52
                            • __vbaStrCat.MSVBVM60(0040620C,0162B774), ref: 00411ACF
                            • __vbaStrMove.MSVBVM60 ref: 00411ADC
                            • __vbaStrCat.MSVBVM60(00406214,0162B774), ref: 00411AF9
                            • __vbaStrMove.MSVBVM60 ref: 00411B06
                            • __vbaStrCat.MSVBVM60(0040621C,0162B774), ref: 00411B24
                            • __vbaStrMove.MSVBVM60 ref: 00411B31
                            • __vbaStrCat.MSVBVM60(00405E8C,0162B774), ref: 00411B4C
                            • __vbaStrMove.MSVBVM60 ref: 00411B59
                            • __vbaStrCat.MSVBVM60(00406074,0162B774), ref: 00411B73
                            • __vbaStrMove.MSVBVM60 ref: 00411B80
                            • __vbaStrCat.MSVBVM60(00405E94,0162B774), ref: 00411B9B
                            • __vbaStrMove.MSVBVM60 ref: 00411BA8
                            • __vbaSetSystemError.MSVBVM60(000000DF), ref: 00411C24
                            • __vbaStrCat.MSVBVM60(00405E9C,0162B774), ref: 00411CB0
                            • __vbaStrMove.MSVBVM60 ref: 00411CBD
                            • __vbaStrCat.MSVBVM60(00405AE4,0162B774), ref: 00411CD8
                            • __vbaStrMove.MSVBVM60 ref: 00411CE5
                            • __vbaStrCat.MSVBVM60(00405AEC,0162B774), ref: 00411D00
                            • __vbaStrMove.MSVBVM60 ref: 00411D0D
                            • __vbaStrCat.MSVBVM60(00405AF4,0162B774), ref: 00411D27
                            • __vbaStrMove.MSVBVM60 ref: 00411D34
                            • __vbaErrorOverflow.MSVBVM60(?,?,00403596), ref: 00411F70
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Error$System$Overflow
                            • String ID: r
                            • API String ID: 2066313126-1812594589
                            • Opcode ID: 80e8e8bb5bbdba9d4ba9073e38937a8ff8173fbcc5744e5c9639c7b474ffa3dc
                            • Instruction ID: 4ecbe0e3ed66a31256e6706478a46dd5935853b72ff1a4918157b0e5ff15c182
                            • Opcode Fuzzy Hash: 80e8e8bb5bbdba9d4ba9073e38937a8ff8173fbcc5744e5c9639c7b474ffa3dc
                            • Instruction Fuzzy Hash: E8815C74A04601DFE708DF90EB0869A37B1EB85701F6080A9F746E76B4DBB80D85DB5D
                            Function 0042E0C0 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 189COMMON
                            Download Yara Rule
                            APIs
                            • __vbaStrCopy.MSVBVM60(?,00000000,6D1045C1,?,?,?,?,?,?,?,?,?,?,?,6D1045C1,00403596), ref: 0042E0FF
                            • #573.MSVBVM60(?,?), ref: 0042E120
                            • __vbaStrVarMove.MSVBVM60(?), ref: 0042E12C
                            • __vbaStrMove.MSVBVM60 ref: 0042E139
                            • __vbaFreeVar.MSVBVM60 ref: 0042E13E
                            • __vbaLenBstr.MSVBVM60(?), ref: 0042E148
                            • __vbaMidStmtBstr.MSVBVM60(00000000,?,00000000,00000009,?), ref: 0042E167
                            • #573.MSVBVM60(?,00004003), ref: 0042E182
                            • __vbaStrVarMove.MSVBVM60(?), ref: 0042E188
                            • __vbaStrMove.MSVBVM60 ref: 0042E18F
                            • __vbaFreeVar.MSVBVM60 ref: 0042E194
                            • __vbaLenBstr.MSVBVM60(?), ref: 0042E19E
                            • __vbaMidStmtBstr.MSVBVM60(00000000,?,00000000,00000012,?), ref: 0042E1BD
                            • #573.MSVBVM60(?,00004003), ref: 0042E1D8
                            • __vbaStrVarMove.MSVBVM60(?), ref: 0042E1DE
                            • __vbaStrMove.MSVBVM60 ref: 0042E1E5
                            • __vbaFreeVar.MSVBVM60 ref: 0042E1EA
                            • __vbaLenBstr.MSVBVM60(?), ref: 0042E1F4
                            • __vbaMidStmtBstr.MSVBVM60(00000000,?,00000000,0000001B,?), ref: 0042E213
                            • #573.MSVBVM60(?,00004003), ref: 0042E22E
                            • __vbaStrVarMove.MSVBVM60(?), ref: 0042E234
                            • __vbaStrMove.MSVBVM60 ref: 0042E23B
                            • __vbaFreeVar.MSVBVM60 ref: 0042E240
                            • __vbaLenBstr.MSVBVM60(?), ref: 0042E24A
                            • __vbaMidStmtBstr.MSVBVM60(00000000,?,00000000,00000024,?), ref: 0042E269
                            • #573.MSVBVM60(?,00004003), ref: 0042E284
                            • __vbaStrVarMove.MSVBVM60(?), ref: 0042E28A
                            • __vbaStrMove.MSVBVM60 ref: 0042E291
                            • __vbaFreeVar.MSVBVM60 ref: 0042E296
                            • __vbaLenBstr.MSVBVM60(?), ref: 0042E2A0
                            • __vbaMidStmtBstr.MSVBVM60(00000000,?,00000000,0000002D,?), ref: 0042E2BB
                            • __vbaFreeStr.MSVBVM60(0042E2EB), ref: 0042E2E4
                            • __vbaErrorOverflow.MSVBVM60(?), ref: 0042E301
                            Strings
                            • 00000000 00000000 00000000 00000000 00000000, xrefs: 0042E0EB
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$BstrMove$Free$#573Stmt$CopyErrorOverflow
                            • String ID: 00000000 00000000 00000000 00000000 00000000
                            • API String ID: 4201252254-3035815846
                            • Opcode ID: d22e356f151802305bb35b7eb09d9f40bd82399374c75f579777282359d6ddb8
                            • Instruction ID: 0f336651dc7d389711d86089c79e1914a7e27e60f25b20ce67796c351773d1ae
                            • Opcode Fuzzy Hash: d22e356f151802305bb35b7eb09d9f40bd82399374c75f579777282359d6ddb8
                            • Instruction Fuzzy Hash: 2961E7B1910119AFDF04DFA4DD98EEEBBB9FF88701F00452AE506B3164EB746905CB64
                            Function 004309E0 Relevance: 58.0, APIs: 29, Strings: 4, Instructions: 210COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(?,00403596), ref: 004309FE
                            • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00403596), ref: 00430A2E
                            • __vbaUbound.MSVBVM60(00000001,?,?,00000000,?,?,00403596), ref: 00430A4A
                              • Part of subcall function 004334F0: __vbaStrCopy.MSVBVM60(6D10D8B1,00000000,00000000), ref: 00433532
                              • Part of subcall function 004334F0: __vbaGenerateBoundsError.MSVBVM60 ref: 00433571
                              • Part of subcall function 004334F0: __vbaStrUI1.MSVBVM60(?), ref: 0043358A
                              • Part of subcall function 004334F0: __vbaStrMove.MSVBVM60 ref: 00433595
                              • Part of subcall function 004334F0: __vbaStrCmp.MSVBVM60(00409030,00000000), ref: 0043359D
                              • Part of subcall function 004334F0: __vbaFreeStr.MSVBVM60 ref: 004335B0
                              • Part of subcall function 004334F0: __vbaGenerateBoundsError.MSVBVM60 ref: 004335E7
                              • Part of subcall function 004334F0: #608.MSVBVM60(?,00000000), ref: 00433606
                              • Part of subcall function 004334F0: __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 00433618
                              • Part of subcall function 004334F0: __vbaStrVarMove.MSVBVM60(00000000), ref: 0043361F
                            • __vbaStrMove.MSVBVM60(?,?,?,?,00000000,?,?,00403596), ref: 00430A65
                            • __vbaStrCopy.MSVBVM60(?,?,00000000,?,?,00403596), ref: 00430A7A
                              • Part of subcall function 004338E0: __vbaLenBstr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 00433926
                              • Part of subcall function 004338E0: #632.MSVBVM60(?,?,?,?), ref: 00433982
                              • Part of subcall function 004338E0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00433998
                              • Part of subcall function 004338E0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043399F
                              • Part of subcall function 004338E0: #537.MSVBVM60(00000000), ref: 004339A6
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339B1
                              • Part of subcall function 004338E0: __vbaStrCat.MSVBVM60(00000000), ref: 004339B4
                              • Part of subcall function 004338E0: __vbaStrMove.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339BB
                              • Part of subcall function 004338E0: __vbaFreeStr.MSVBVM60(?,6D0FE251,00402A88,00000000), ref: 004339C0
                              • Part of subcall function 004338E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004339D8
                            • __vbaStrMove.MSVBVM60(?,?,?,00000000,?,?,00403596), ref: 00430A8E
                            • __vbaStrCopy.MSVBVM60(?,?,00000000,?,?,00403596), ref: 00430A9C
                            • __vbaStrMove.MSVBVM60(?,?,?,00000000,?,?,00403596), ref: 00430AB0
                            • __vbaStrCopy.MSVBVM60(?,?,00000000,?,?,00403596), ref: 00430ABE
                            • __vbaStrMove.MSVBVM60 ref: 00430AD7
                            • __vbaStrCopy.MSVBVM60 ref: 00430AE5
                            • __vbaStrMove.MSVBVM60 ref: 00430B04
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,6D10D8B1,00000001,6D0FA323), ref: 00432A33
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?), ref: 00432A69
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00432A74
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,?), ref: 00432A77
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00432A82
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00432A8B
                              • Part of subcall function 004329F0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00432AA9
                              • Part of subcall function 004329F0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432AC6
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AD1
                              • Part of subcall function 004329F0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00432AD4
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE0
                              • Part of subcall function 004329F0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00432AE9
                              • Part of subcall function 004329F0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00432B0A
                              • Part of subcall function 004329F0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 00432B1C
                              • Part of subcall function 004329F0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 00432B23
                              • Part of subcall function 004329F0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00432B2E
                            • __vbaStrMove.MSVBVM60(?,?,00000000,00000001), ref: 00430B22
                            • __vbaInStr.MSVBVM60(00000000,00000000), ref: 00430B2B
                              • Part of subcall function 004329F0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,00000002,?,?,?), ref: 00432B3A
                              • Part of subcall function 004329F0: __vbaStrCopy.MSVBVM60 ref: 00432B59
                              • Part of subcall function 004329F0: __vbaFreeStr.MSVBVM60(00432B9C), ref: 00432B95
                            • __vbaStrMove.MSVBVM60(?,?,00000000,00000001), ref: 00430B4B
                            • __vbaInStr.MSVBVM60(00000000,00000000), ref: 00430B54
                            • __vbaFreeStrList.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,00000000,?), ref: 00430B92
                            • __vbaAryMove.MSVBVM60(?,?,00000000,?,?,?,?,?,?,?,00000000,?,?,00403596), ref: 00430BBE
                              • Part of subcall function 00430D00: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,0000000B,00000000,?,00000000), ref: 00430D58
                              • Part of subcall function 00430D00: __vbaUbound.MSVBVM60(00000001,?), ref: 00430D6D
                              • Part of subcall function 00430D00: __vbaFreeVar.MSVBVM60(?,?,?,?,?), ref: 00430DBC
                              • Part of subcall function 00430D00: __vbaUbound.MSVBVM60(00000001,?,00000000), ref: 00430DC8
                              • Part of subcall function 00430D00: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-0000001F,?,00000000), ref: 00430DEC
                              • Part of subcall function 00430D00: __vbaUbound.MSVBVM60(00000001,?), ref: 00430DFB
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,?,?,00403596), ref: 00430BDD
                            • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,00000000,?,?,00403596), ref: 00430BF1
                            • __vbaAryMove.MSVBVM60(?,?,?,?,00000000,00000000,00000004,00000000,?,?,?,?,?,?,?,00000000), ref: 00430C17
                            • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,00000000,?,?,00403596), ref: 00430C20
                            • __vbaUbound.MSVBVM60(00000001,?,?,?,?,?,?,?,?,00000000,?,?,00403596), ref: 00430C33
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,?,?,00403596), ref: 00430C4E
                            • __vbaAryDestruct.MSVBVM60(00000000,?,00430CDC,?,?,?,?,?,?,?,00000000,?,?,00403596), ref: 00430CA8
                            • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00000000,?,?,00403596), ref: 00430CB4
                            • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,00000000,?,?,00403596), ref: 00430CBD
                            • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00000000,?,?,00403596), ref: 00430CC9
                            • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00000000,?,?,00403596), ref: 00430CD5
                              • Part of subcall function 00431310: __vbaChkstk.MSVBVM60(?,00403596,?,?,?,?,00430BB3,00000000,?,?,?,?,?,?,?,00000000), ref: 0043132E
                              • Part of subcall function 00431310: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00403596), ref: 0043135E
                              • Part of subcall function 00431310: __vbaStrCopy.MSVBVM60(?,00000000,?,?,00403596), ref: 00431373
                              • Part of subcall function 00431310: __vbaStrMove.MSVBVM60(?,?,00000000,?,?,00403596), ref: 00431387
                              • Part of subcall function 00431310: __vbaStrCopy.MSVBVM60(?,00000000,?,?,00403596), ref: 00431395
                              • Part of subcall function 00431310: __vbaStrMove.MSVBVM60 ref: 004313B4
                              • Part of subcall function 00431310: __vbaStrMove.MSVBVM60(?,?,00000000), ref: 004313D2
                              • Part of subcall function 00431310: __vbaStrCat.MSVBVM60(00000000), ref: 004313D9
                              • Part of subcall function 00431310: __vbaStrMove.MSVBVM60 ref: 004313E4
                              • Part of subcall function 00431310: __vbaStrMove.MSVBVM60(?), ref: 004313F8
                              • Part of subcall function 00431310: __vbaObjSet.MSVBVM60(?,00000000,?), ref: 0043140C
                              • Part of subcall function 00431310: __vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,?,00000000), ref: 00431430
                              • Part of subcall function 00431310: __vbaObjIs.MSVBVM60(?,00000000,?,?,?,?,00000000,?,?,00403596), ref: 00431446
                              • Part of subcall function 00431310: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,?,?,00403596), ref: 00431468
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Free$Copy$Ubound$DestructErrorList$Bstr$#516#608#631BoundsChkstkGenerateRedim$#537#632
                            • String ID: 1E4861$2C7043$ShyQWHarfaxHKhJpViVbMVflZQLWIMCXu$rZArGHyTUuEGOFKvdTHAu
                            • API String ID: 1910222529-37977648
                            • Opcode ID: 444dbca418d0ce73d12a01e36c6dccb4130d0bd8476728aa40bb42c275313b09
                            • Instruction ID: 33ce9bd0e0b21683b91caf3893c1b824eca7017663a13b040a94bbe5a3e702db
                            • Opcode Fuzzy Hash: 444dbca418d0ce73d12a01e36c6dccb4130d0bd8476728aa40bb42c275313b09
                            • Instruction Fuzzy Hash: 8C910CB1900208ABDB04DFD0DD49FDEBBB9BF48705F10812AF502BB1A4DB746A49CB94
                            Function 00422C34 Relevance: 51.0, APIs: 27, Strings: 2, Instructions: 241COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60 ref: 00422C8D
                            • __vbaChkstk.MSVBVM60 ref: 00422CBC
                            • __vbaVarIndexLoad.MSVBVM60(?,?,00000002), ref: 00422CF3
                            • __vbaVarMove.MSVBVM60 ref: 00422D01
                            • __vbaChkstk.MSVBVM60 ref: 00422D75
                            • __vbaChkstk.MSVBVM60 ref: 00422DA4
                            • __vbaVarIndexLoad.MSVBVM60(?,?,00000002), ref: 00422DDB
                            • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 00422DF3
                            • __vbaChkstk.MSVBVM60(00000000), ref: 00422DFF
                            • __vbaChkstk.MSVBVM60(00000000), ref: 00422E2E
                            • __vbaVarIndexLoad.MSVBVM60(?,?,00000002,00000000), ref: 00422E65
                            • __vbaVarCat.MSVBVM60(?,00000000), ref: 00422E76
                            • __vbaVarMove.MSVBVM60 ref: 00422E81
                            • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 00422E9E
                            • __vbaChkstk.MSVBVM60 ref: 00422EDA
                            • __vbaChkstk.MSVBVM60 ref: 00422F09
                            • __vbaVarIndexLoad.MSVBVM60(?,?,00000002), ref: 00422F40
                            • __vbaVarMove.MSVBVM60 ref: 00422F4E
                            • __vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 00422FBD
                            • __vbaVarCmpEq.MSVBVM60(?,00008008,?,00000000), ref: 00422FD6
                            • __vbaVarOr.MSVBVM60(?,00000000), ref: 00422FE4
                            • __vbaVarCmpEq.MSVBVM60(?,00008008,?,00000000), ref: 00422FFD
                            • __vbaVarOr.MSVBVM60(?,00000000), ref: 0042300B
                            • __vbaVarCmpEq.MSVBVM60(?,00008008,?,00000000), ref: 00423024
                            • __vbaVarOr.MSVBVM60(?,00000000), ref: 00423032
                            • __vbaBoolVarNull.MSVBVM60(00000000), ref: 00423039
                            • __vbaStrCopy.MSVBVM60 ref: 0042305D
                            • __vbaStrMove.MSVBVM60(?), ref: 00423077
                            • __vbaStrCopy.MSVBVM60 ref: 00423088
                            • __vbaStrMove.MSVBVM60(?), ref: 004230A2
                            • __vbaStrCopy.MSVBVM60 ref: 004230B3
                            • __vbaStrMove.MSVBVM60 ref: 004230DB
                            • __vbaStrCopy.MSVBVM60(?,?), ref: 0042310F
                            • __vbaStrMove.MSVBVM60 ref: 00423137
                            • __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001,?,?), ref: 00423176
                            • __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001,00000000), ref: 00423193
                            • __vbaVarOr.MSVBVM60(?,00000000), ref: 004231A1
                            • __vbaBoolVarNull.MSVBVM60(00000000), ref: 004231A8
                            • __vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,00000000,00000000), ref: 004231EF
                            • __vbaSetSystemError.MSVBVM60(00000000), ref: 004236FE
                            • #529.MSVBVM60(00004008), ref: 00423725
                            • #529.MSVBVM60(00004008), ref: 0042374F
                            • __vbaFreeVarList.MSVBVM60(00000002,?,?,004238FE), ref: 0042383D
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042384F
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042385E
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042386D
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042387C
                            • __vbaFreeVar.MSVBVM60 ref: 00423885
                            • __vbaFreeVar.MSVBVM60 ref: 0042388E
                            • __vbaFreeStr.MSVBVM60 ref: 00423897
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004238A3
                            • __vbaFreeStr.MSVBVM60 ref: 004238AC
                            • __vbaFreeVar.MSVBVM60 ref: 004238B5
                            • __vbaFreeVar.MSVBVM60 ref: 004238BE
                            • __vbaFreeStr.MSVBVM60 ref: 004238C7
                            • __vbaFreeStr.MSVBVM60 ref: 004238D3
                            • __vbaFreeStr.MSVBVM60 ref: 004238DF
                            • __vbaFreeStr.MSVBVM60 ref: 004238EB
                            • __vbaFreeStr.MSVBVM60 ref: 004238F7
                            • __vbaErrorOverflow.MSVBVM60 ref: 00423917
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Free$Chkstk$Move$Destruct$CopyIndexLoad$List$#529BoolErrorNull$OverflowSystem
                            • String ID: [$card_number_encrypted
                            • API String ID: 4110141469-2095276258
                            • Opcode ID: 1604baee518202f1f637bcdb64634173d2e55d9fe324e1b4f3b85dada0cce467
                            • Instruction ID: 41710de975eedf6339869b66b56849becc664ded5fda9d7d567bafbfec4b8b4f
                            • Opcode Fuzzy Hash: 1604baee518202f1f637bcdb64634173d2e55d9fe324e1b4f3b85dada0cce467
                            • Instruction Fuzzy Hash: CBC105B59002189FDB25CF54C898BDEBBB4BF48304F04C5EEE609AB251EB749A85CF54
                            Function 00435000 Relevance: 49.3, APIs: 27, Strings: 1, Instructions: 276COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596), ref: 0043501E
                            • __vbaNew.MSVBVM60(00406A28,?,00000000,?,00000000,00403596), ref: 00435051
                            • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000,?,00000000,00403596), ref: 0043505C
                              • Part of subcall function 00436CC0: __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 00436D1D
                              • Part of subcall function 00436CC0: #632.MSVBVM60(?,?,00000000,?,?,?,00000000), ref: 00436D61
                              • Part of subcall function 00436CC0: __vbaVarMove.MSVBVM60(?,?,00000000), ref: 00436D70
                              • Part of subcall function 00436CC0: __vbaFreeVar.MSVBVM60(?,?,00000000), ref: 00436D79
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,00000000), ref: 00436D99
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00436DB9
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,00000000), ref: 00436DD9
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00436DF9
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00436E19
                            • #632.MSVBVM60(?,00004008,?,00000002), ref: 004350BA
                            • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 004350DF
                            • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 004350F6
                            Strings
                            • EvLbuvqxERJWOBWBhkJcDrwA, xrefs: 00435967
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$#632Free$BstrChkstkListMove
                            • String ID: EvLbuvqxERJWOBWBhkJcDrwA
                            • API String ID: 1396576573-2706661712
                            • Opcode ID: 394774c15aa985795ec5d4538f5ae4c45257db6ceecf97aebd6f9c75db6f5709
                            • Instruction ID: a1bf558557220e339f9fc4a5d544ba7546eae083a0267e77d898368becd0b6c0
                            • Opcode Fuzzy Hash: 394774c15aa985795ec5d4538f5ae4c45257db6ceecf97aebd6f9c75db6f5709
                            • Instruction Fuzzy Hash: F5B1EBB5900209EFDB14EFD4DA84ADEBBB8FF48704F10815AE509BB250DB746A49CF64
                            Function 00429130 Relevance: 45.2, APIs: 30, Instructions: 194COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596), ref: 0042914E
                            • __vbaOnError.MSVBVM60(000000FF,00000000,6D104558,6D1DDAF4,00000000,00403596), ref: 0042917E
                            • __vbaFileOpen.MSVBVM60(00000020,000000FF,00000001), ref: 00429197
                            • #570.MSVBVM60(00000001), ref: 004291A6
                            • __vbaVarDup.MSVBVM60 ref: 004291C3
                            • #606.MSVBVM60(?,?), ref: 004291D1
                            • __vbaStrMove.MSVBVM60 ref: 004291DC
                            • __vbaStr2Vec.MSVBVM60(?,00000000), ref: 004291E7
                            • __vbaAryMove.MSVBVM60(?,?), ref: 004291F5
                            • __vbaFreeStr.MSVBVM60 ref: 004291FE
                            • __vbaFreeVar.MSVBVM60 ref: 00429207
                            • __vbaGetOwner3.MSVBVM60(0040B8EC,?,00000001), ref: 0042921F
                            • __vbaFileClose.MSVBVM60(00000001), ref: 0042922E
                            • __vbaUbound.MSVBVM60(00000001,?), ref: 00429241
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 004292AE
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 004292C5
                            • __vbaStrUI1.MSVBVM60(00000000), ref: 004292E1
                            • __vbaStrMove.MSVBVM60 ref: 004292EC
                            • __vbaStrCmp.MSVBVM60(00409030,00000000), ref: 004292F8
                            • __vbaFreeStr.MSVBVM60 ref: 0042930C
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00429365
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0042937C
                            • #608.MSVBVM60(?,00000000), ref: 0042939E
                            • __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 004293B0
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 004293B7
                            • __vbaStrMove.MSVBVM60 ref: 004293C2
                            • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004293D2
                            • __vbaStrCopy.MSVBVM60 ref: 004293F4
                            • __vbaFreeStr.MSVBVM60(00429453), ref: 00429440
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042944C
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$ErrorFreeMove$BoundsGenerate$File$#570#606#608ChkstkCloseCopyDestructListOpenOwner3Str2Ubound
                            • String ID:
                            • API String ID: 3136081494-0
                            • Opcode ID: ead7d0c9ac3408512867829b98041efc4bb6918e384a96b083f004badb01db32
                            • Instruction ID: 4ebc6eac5955453289e46dea49068fe3ca93eeb0c89c562e27a2c2c835386e97
                            • Opcode Fuzzy Hash: ead7d0c9ac3408512867829b98041efc4bb6918e384a96b083f004badb01db32
                            • Instruction Fuzzy Hash: A3911974A00219EFDB04DFA4DA48BDDBBB4FF48704F20816AE406B72A1DB745A49CF55
                            Function 00436280 Relevance: 44.0, APIs: 21, Strings: 4, Instructions: 203COMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 00436CC0: __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 00436D1D
                              • Part of subcall function 00436CC0: #632.MSVBVM60(?,?,00000000,?,?,?,00000000), ref: 00436D61
                              • Part of subcall function 00436CC0: __vbaVarMove.MSVBVM60(?,?,00000000), ref: 00436D70
                              • Part of subcall function 00436CC0: __vbaFreeVar.MSVBVM60(?,?,00000000), ref: 00436D79
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,00000000), ref: 00436D99
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00436DB9
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,00000000), ref: 00436DD9
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00436DF9
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00436E19
                            • #632.MSVBVM60(?,?,?,?,?,?,?,?,6D10D8B1), ref: 00436306
                            • __vbaVarTstEq.MSVBVM60(?,?,?,?,?,?,?,?,6D10D8B1), ref: 0043632B
                            • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,?,?,?,6D10D8B1), ref: 00436341
                            • #632.MSVBVM60(?,00004008,?,00000002,?,?,6D10D8B1), ref: 00436398
                            • __vbaVarTstEq.MSVBVM60(00008008,?,?,00000002,?,?,6D10D8B1), ref: 004363BD
                            • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,00000002,?,?,6D10D8B1), ref: 004363D3
                            • __vbaErrorOverflow.MSVBVM60(00436534,?,?,?,?,?,6D10D8B1), ref: 0043654B
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$#632Free$List$BstrErrorMoveOverflow
                            • String ID: : $Invalid Boolean at position $false$true
                            • API String ID: 4277481792-1334132093
                            • Opcode ID: 3a2dd4b6075add6fba8206c87276af37c188b81c333bdd5c3e1a69055af6135c
                            • Instruction ID: f68b1c28e7cb6e97538ec88c372cb08c201a319bdf29854840a2aa6245db4d8d
                            • Opcode Fuzzy Hash: 3a2dd4b6075add6fba8206c87276af37c188b81c333bdd5c3e1a69055af6135c
                            • Instruction Fuzzy Hash: 5781F5B1900219AFDB10DF94DD88AEEBBB8FF88304F14812EE545A7254DBB41949CFA5
                            Function 00428FD3 Relevance: 42.1, APIs: 28, Instructions: 100COMMON
                            Download Yara Rule
                            APIs
                            • __vbaExitProc.MSVBVM60 ref: 00428FD3
                            • __vbaAryDestruct.MSVBVM60(00000000,?,00429107), ref: 00429015
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00429020
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042902B
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00429036
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00429041
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042904C
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00429057
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00429062
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042906D
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00429078
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00429083
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042908E
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00429099
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004290A4
                            • __vbaFreeVar.MSVBVM60 ref: 004290A9
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004290B5
                            • __vbaFreeStr.MSVBVM60 ref: 004290C0
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004290C8
                            • __vbaFreeStr.MSVBVM60 ref: 004290CD
                            • __vbaFreeStr.MSVBVM60 ref: 004290D2
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004290DA
                            • __vbaFreeStr.MSVBVM60 ref: 004290DF
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004290E7
                            • __vbaFreeStr.MSVBVM60 ref: 004290EC
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004290F4
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004290FC
                            • __vbaFreeStr.MSVBVM60 ref: 00429104
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Destruct$Free$ExitProc
                            • String ID:
                            • API String ID: 3142943836-0
                            • Opcode ID: 9b5f29398deee5af708c78fef8957254f53cbd2d4556c27e12274ffc91c55164
                            • Instruction ID: a8a09f41ec821c69536866163175859a0d35c5ff5168bdc0e6a9c676aab149db
                            • Opcode Fuzzy Hash: 9b5f29398deee5af708c78fef8957254f53cbd2d4556c27e12274ffc91c55164
                            • Instruction Fuzzy Hash: E1317FB294412C6AE754E7D0ED55FFD777CEF94701F004159EA0AAA0D8A9B02B44CFA1
                            Function 00437120 Relevance: 39.2, APIs: 26, Instructions: 189COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596), ref: 0043713E
                            • __vbaOnError.MSVBVM60(000000FF,00000000,?,00000001,00000000,00403596), ref: 0043716E
                            • __vbaStr2Vec.MSVBVM60(?), ref: 00437185
                            • __vbaAryMove.MSVBVM60(?,?), ref: 00437193
                            • __vbaUbound.MSVBVM60(00000001,?), ref: 004371A6
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00437210
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00437221
                            • __vbaUI1I2.MSVBVM60 ref: 00437245
                            • __vbaUI1I2.MSVBVM60 ref: 00437259
                            • __vbaUI1I2.MSVBVM60 ref: 0043726D
                            • __vbaUI1I2.MSVBVM60 ref: 00437281
                            • __vbaUI1I2.MSVBVM60 ref: 00437293
                            • __vbaUI1I2.MSVBVM60 ref: 004372AB
                            • __vbaUI1I2.MSVBVM60 ref: 004372BD
                            • __vbaUI1I2.MSVBVM60 ref: 004372D5
                            • __vbaUI1I2.MSVBVM60 ref: 004372E5
                            • __vbaUI1I2.MSVBVM60 ref: 004372F7
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00437342
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00437353
                            • __vbaUI1I2.MSVBVM60 ref: 0043735E
                            • __vbaStrVarCopy.MSVBVM60(00002011,0040C820,00000000,00000001,000000FF,00000000), ref: 004373A1
                            • __vbaStrMove.MSVBVM60 ref: 004373AC
                            • #712.MSVBVM60(00000000), ref: 004373B3
                            • __vbaStrMove.MSVBVM60 ref: 004373BE
                            • __vbaFreeStr.MSVBVM60 ref: 004373C7
                            • __vbaAryDestruct.MSVBVM60(00000000,?,0043740A), ref: 00437403
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Error$BoundsGenerate$Move$#712ChkstkCopyDestructFreeStr2Ubound
                            • String ID:
                            • API String ID: 2409928056-0
                            • Opcode ID: 58f4875b6d354415f07d506210901c767129ab141b301916dc669e7ce91143d0
                            • Instruction ID: 6729b0ac127214d7b253876b6841a1b22bd45cf840a4d6b7babe5eb26cf91a6d
                            • Opcode Fuzzy Hash: 58f4875b6d354415f07d506210901c767129ab141b301916dc669e7ce91143d0
                            • Instruction Fuzzy Hash: EB817CB4D04248DFDB24CFE4C948B9DBBB1EF49300F24826AD952BB2A1C7749945CF95
                            Function 00436560 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 170COMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 00436CC0: __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 00436D1D
                              • Part of subcall function 00436CC0: #632.MSVBVM60(?,?,00000000,?,?,?,00000000), ref: 00436D61
                              • Part of subcall function 00436CC0: __vbaVarMove.MSVBVM60(?,?,00000000), ref: 00436D70
                              • Part of subcall function 00436CC0: __vbaFreeVar.MSVBVM60(?,?,00000000), ref: 00436D79
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,00000000), ref: 00436D99
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00436DB9
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,00000000), ref: 00436DD9
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00436DF9
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00436E19
                            • #632.MSVBVM60(?,?,?,?,?,?,00000000,?,?), ref: 004365F2
                            • __vbaVarTstEq.MSVBVM60(?,?,?,?,?,?,00000000,?,?), ref: 00436617
                            • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,?,00000000,?,?), ref: 00436629
                            • __vbaVarMove.MSVBVM60(00000000,?,?), ref: 0043664A
                            • __vbaStrCat.MSVBVM60(Invalid null value at position ,00000000,00000000,?,?), ref: 00436678
                            • __vbaStrMove.MSVBVM60 ref: 00436685
                            • __vbaStrI4.MSVBVM60(?,00000000), ref: 0043668B
                            • __vbaStrMove.MSVBVM60(?,00000000), ref: 00436696
                            • __vbaStrCat.MSVBVM60(00000000,?,00000000), ref: 00436699
                            • __vbaStrMove.MSVBVM60(?,00000000), ref: 004366A0
                            • __vbaStrCat.MSVBVM60( : ,00000000,?,00000000), ref: 004366A8
                            • #632.MSVBVM60(?,00004008,?,00000002,?,00000000), ref: 004366E8
                            • __vbaVarCat.MSVBVM60(?,?,?,?,00000002,?,00000000), ref: 00436710
                            • __vbaVarCat.MSVBVM60(?,00008008,00000000,?,00000002,?,00000000), ref: 0043671E
                            • __vbaStrVarMove.MSVBVM60(00000000,?,00000002,?,00000000), ref: 00436721
                            • __vbaStrMove.MSVBVM60(?,00000002,?,00000000), ref: 0043672E
                            • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,00000002,?,00000000), ref: 0043673E
                            • __vbaFreeVarList.MSVBVM60(00000005,0000000A,?,?,?,?,?,00000002,?,00000000), ref: 0043675A
                            • __vbaErrorOverflow.MSVBVM60(004367AE), ref: 004367DD
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Free$#632List$BstrErrorOverflow
                            • String ID: : $Invalid null value at position $null
                            • API String ID: 2513549710-1318792781
                            • Opcode ID: 5603cccf79036d4ad1b84ce4c470086c9509900b8c287b7f8ed21e63eabee95e
                            • Instruction ID: 548c2be2d0729152f5db455d93f7e24d8c6ebc37aedce643582916fcd8046617
                            • Opcode Fuzzy Hash: 5603cccf79036d4ad1b84ce4c470086c9509900b8c287b7f8ed21e63eabee95e
                            • Instruction Fuzzy Hash: DC5118B1D00229EFDB10DF94CC84AEEBBB9FB48704F10815AE509B7254DBB45A49CFA5
                            Function 004336B0 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 160COMMON
                            Download Yara Rule
                            APIs
                            • __vbaLenBstr.MSVBVM60(00000000,x*@,00000000,6D10D8B1), ref: 004336F9
                            • __vbaLenBstr.MSVBVM60 ref: 00433707
                            • _adj_fdiv_m64.MSVBVM60 ref: 00433732
                            • __vbaFpI4.MSVBVM60 ref: 00433741
                            • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000), ref: 00433761
                            • __vbaUbound.MSVBVM60(00000001,?), ref: 00433770
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 004337B0
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 004337B8
                            • #631.MSVBVM60(?,?,?,0040BA58), ref: 004337E4
                            • __vbaStrMove.MSVBVM60 ref: 004337EF
                            • __vbaStrCat.MSVBVM60(00000000), ref: 004337F2
                            • __vbaStrMove.MSVBVM60 ref: 004337FD
                            • #581.MSVBVM60(00000000), ref: 00433800
                            • __vbaFpUI1.MSVBVM60 ref: 00433806
                            • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0043381F
                            • __vbaFreeVar.MSVBVM60 ref: 0043382B
                            • __vbaAryCopy.MSVBVM60(?,?), ref: 0043384F
                            • __vbaAryCopy.MSVBVM60(?,?), ref: 00433865
                            • __vbaAryDestruct.MSVBVM60(00000000,?,004338B9), ref: 004338AE
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004338B6
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$BoundsBstrCopyDestructErrorFreeGenerateMove$#581#631ListRedimUbound_adj_fdiv_m64
                            • String ID: x*@
                            • API String ID: 796740024-3155455298
                            • Opcode ID: 38168b8391c2eb433fe20c64af5b02cfb1680dd036db8e1628dd459a2b117f89
                            • Instruction ID: 3881fae8e5b61c88480789a8a83859c52abd14dbc83705835c532615df0d7198
                            • Opcode Fuzzy Hash: 38168b8391c2eb433fe20c64af5b02cfb1680dd036db8e1628dd459a2b117f89
                            • Instruction Fuzzy Hash: C45161B0D00208EFDB14EFA4DD89AAEBBB9FB48701F10812AF505B72A0D7745945CF59
                            Function 00433130 Relevance: 34.6, APIs: 23, Instructions: 150COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596), ref: 0043314E
                            • __vbaOnError.MSVBVM60(000000FF,6D10D8B1,00000000,00000000,00000000,00403596), ref: 0043317E
                            • __vbaSetSystemError.MSVBVM60(00000000), ref: 004331A9
                            • __vbaAryDestruct.MSVBVM60(00000000,?,00433389), ref: 00433382
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Error$ChkstkDestructSystem
                            • String ID:
                            • API String ID: 2510513230-0
                            • Opcode ID: 303546ea69abed64bf32e3a0585550fd5fa3556f031ed4e7ac64a63add60fa1a
                            • Instruction ID: b63d5d794330be9397bc6a2a3d96e693a54e4498ddd77fa8304f57cb120bd014
                            • Opcode Fuzzy Hash: 303546ea69abed64bf32e3a0585550fd5fa3556f031ed4e7ac64a63add60fa1a
                            • Instruction Fuzzy Hash: 7261F775D01208EBDB04DFE4DA88BDEBBB5BF48705F10816AE502B72A0DB785A45CF58
                            Function 0043FD60 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 174COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596,?,?,?,0044027F,?,00000000), ref: 0043FD7E
                            • __vbaOnError.MSVBVM60(00000001,6D10D8B1,6D10D83C,00000000,00000000,00403596), ref: 0043FDAE
                            • __vbaInStr.MSVBVM60(00000000,00406074,?,00000001), ref: 0043FDD1
                            • __vbaNew.MSVBVM60(00409E0C,?,00000001), ref: 0043FDE6
                            • __vbaObjSet.MSVBVM60(?,00000000,?,00000001), ref: 0043FDF1
                            • #631.MSVBVM60(?,00000000,?,?,00000000,?,00000000,?,?,?,?,?,00000000), ref: 0043FE91
                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,00000000), ref: 0043FE9C
                            • __vbaFreeVar.MSVBVM60(?,?,?,?,?,00000000), ref: 0043FEA5
                            • __vbaLenBstr.MSVBVM60(?,?,?,?,?,?,00000000), ref: 0043FEB6
                            • __vbaStrCat.MSVBVM60(?,IP:,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043FF0B
                            • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040C200,00000020), ref: 0043FF67
                            • __vbaFreeVarList.MSVBVM60(00000003,00000008,0000000A,0000000A), ref: 0043FF8D
                            • __vbaObjSetAddref.MSVBVM60(?,?), ref: 0043FFDC
                            • __vbaCastObj.MSVBVM60(00000000,0040C200), ref: 0043FFF0
                            • __vbaObjSet.MSVBVM60(?,00000000), ref: 0043FFFB
                            • __vbaExitProc.MSVBVM60 ref: 00440012
                            • __vbaFreeObj.MSVBVM60(0044005D), ref: 0044004D
                            • __vbaFreeStr.MSVBVM60 ref: 00440056
                              • Part of subcall function 0043FB70: #631.MSVBVM60(?,00403596,?,6D10D8B1,6D10D83C,00000000), ref: 0043FBC8
                              • Part of subcall function 0043FB70: __vbaStrMove.MSVBVM60(?,00000000,00000002), ref: 0043FBD3
                              • Part of subcall function 0043FB70: __vbaFreeVar.MSVBVM60(?,00000000,00000002), ref: 0043FBDC
                              • Part of subcall function 0043FB70: __vbaStrCmp.MSVBVM60(00406074,?), ref: 0043FBF8
                              • Part of subcall function 0043FB70: #561.MSVBVM60(00004008), ref: 0043FC09
                              • Part of subcall function 0043FB70: __vbaFreeStr.MSVBVM60(0043FC43,6D10D8B1,6D10D83C,00000000), ref: 0043FC3C
                            • __vbaErrorOverflow.MSVBVM60(?,00000000,?,?,?,?,?,00000000), ref: 00440073
                            • __vbaStrCopy.MSVBVM60(?,00000000), ref: 004400DA
                            • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 004400F0
                            • __vbaStrCopy.MSVBVM60(?,00000000), ref: 004400FA
                            • __vbaStrMove.MSVBVM60(?,00000000), ref: 00440105
                            • __vbaStrMove.MSVBVM60(?,?,?,00000000), ref: 00440119
                            • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 00440129
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?,?,00000000), ref: 00440141
                            • __vbaLenBstr.MSVBVM60(?), ref: 0044014E
                            • __vbaObjSet.MSVBVM60(?,00000000,?,00000000), ref: 0044016B
                            • __vbaNew2.MSVBVM60(00409E0C,?), ref: 00440181
                              • Part of subcall function 0043FC60: __vbaLenBstr.MSVBVM60(00000000,?,00403596,00000001), ref: 0043FC9D
                              • Part of subcall function 0043FC60: #631.MSVBVM60(?,?,?), ref: 0043FCC4
                              • Part of subcall function 0043FC60: __vbaStrMove.MSVBVM60(?,?,?), ref: 0043FCCF
                              • Part of subcall function 0043FC60: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0043FCD8
                              • Part of subcall function 0043FC60: __vbaStrCmp.MSVBVM60(00406074,?,?,?,?), ref: 0043FCF4
                              • Part of subcall function 0043FC60: #561.MSVBVM60(00004008,?,?,?), ref: 0043FD05
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Free$Move$#631Bstr$#561CopyErrorList$AddrefCastCheckChkstkExitHresultNew2OverflowProc
                            • String ID: IP:
                            • API String ID: 1255922066-4240305083
                            • Opcode ID: b594994f51abf0ddcafbfdc605b816664a469b7215ffbcd242306dee1802bc81
                            • Instruction ID: 6edd9d789f9792263f125013fdd7593dfa3a02e6cf3454c73d8cfaf94c92f4ad
                            • Opcode Fuzzy Hash: b594994f51abf0ddcafbfdc605b816664a469b7215ffbcd242306dee1802bc81
                            • Instruction Fuzzy Hash: 3F71D7B1900208EFEB04DFD4D948BDEBBB8BB48705F10816AE505BB291D7B85A48CF64
                            Function 00411BE1 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 116COMMON
                            Download Yara Rule
                            APIs
                            • __vbaSetSystemError.MSVBVM60(000000DF), ref: 00411C24
                            • __vbaStrCat.MSVBVM60(00405E9C,0162B774), ref: 00411CB0
                            • __vbaStrMove.MSVBVM60 ref: 00411CBD
                            • __vbaStrCat.MSVBVM60(00405AE4,0162B774), ref: 00411CD8
                            • __vbaStrMove.MSVBVM60 ref: 00411CE5
                            • __vbaStrCat.MSVBVM60(00405AEC,0162B774), ref: 00411D00
                            • __vbaStrMove.MSVBVM60 ref: 00411D0D
                            • __vbaStrCat.MSVBVM60(00405AF4,0162B774), ref: 00411D27
                            • __vbaStrMove.MSVBVM60 ref: 00411D34
                            • __vbaStrCat.MSVBVM60(004061A4,0162B774), ref: 00411DB1
                            • __vbaStrMove.MSVBVM60 ref: 00411DBE
                            • __vbaStrCat.MSVBVM60(00405AFC,0162B774), ref: 00411DD8
                            • __vbaStrMove.MSVBVM60 ref: 00411DE5
                            • __vbaStrCat.MSVBVM60(004061AC,0162B774), ref: 00411E00
                            • __vbaStrMove.MSVBVM60 ref: 00411E0D
                            • __vbaStrCat.MSVBVM60(00405B04,0162B774), ref: 00411E28
                            • __vbaStrMove.MSVBVM60 ref: 00411E35
                            • __vbaErrorOverflow.MSVBVM60(?,?,00403596), ref: 00411F70
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Error$OverflowSystem
                            • String ID: v
                            • API String ID: 2384280678-1801730948
                            • Opcode ID: 28f80c11ac3a391e2498a7efcb23296e5fb49bbf0079c2931069b795cfde615f
                            • Instruction ID: bd5f4257e2a89e333e77eded54b8394e5c1bf99089107879b3930da99f1eecc6
                            • Opcode Fuzzy Hash: 28f80c11ac3a391e2498a7efcb23296e5fb49bbf0079c2931069b795cfde615f
                            • Instruction Fuzzy Hash: 56414D74A00605DFDB08CB90DB4869A77B1FB85300F6080A9F746A76B4DBB81D85DF5D
                            Function 0043F950 Relevance: 33.2, APIs: 22, Instructions: 158COMMON
                            Download Yara Rule
                            APIs
                            • __vbaOnError.MSVBVM60(00000001,?,?,00000001), ref: 0043F995
                            • __vbaVarDup.MSVBVM60 ref: 0043F9AF
                            • #711.MSVBVM60(?,?,?,000000FF,00000000), ref: 0043F9C6
                            • __vbaAryVar.MSVBVM60(00002008,?,?,?,000000FF,00000000), ref: 0043F9D5
                            • __vbaAryCopy.MSVBVM60(?,?,?,?,000000FF,00000000), ref: 0043F9E6
                            • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,000000FF,00000000), ref: 0043F9F6
                            • __vbaUbound.MSVBVM60(00000001,?,?,?,00000000), ref: 0043FA05
                            • __vbaGenerateBoundsError.MSVBVM60(?,?,00000000), ref: 0043FA31
                            • __vbaGenerateBoundsError.MSVBVM60(?,?,00000000), ref: 0043FA47
                            • __vbaUI1Str.MSVBVM60(?,?,?,00000000), ref: 0043FA59
                            • __vbaGenerateBoundsError.MSVBVM60(?,?,?,00000000), ref: 0043FA75
                            • __vbaGenerateBoundsError.MSVBVM60(?,?,?,00000000), ref: 0043FA85
                            • __vbaUI1Str.MSVBVM60(?,?,?,?,00000000), ref: 0043FA91
                            • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00000000), ref: 0043FAAD
                            • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00000000), ref: 0043FABD
                            • __vbaUI1Str.MSVBVM60(?,?,?,?,?,00000000), ref: 0043FAC9
                            • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,00000000), ref: 0043FAE5
                            • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,00000000), ref: 0043FAF5
                            • __vbaUI1Str.MSVBVM60(?,?,?,?,?,?,00000000), ref: 0043FB01
                            • __vbaErase.MSVBVM60(00000000,?,?,?,00000000), ref: 0043FB0F
                            • __vbaExitProc.MSVBVM60(?,?,00000000), ref: 0043FB15
                            • __vbaAryDestruct.MSVBVM60(00000000,?,0043FB50,?,?,00000000), ref: 0043FB49
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Error$BoundsGenerate$#711CopyDestructEraseExitFreeListProcUbound
                            • String ID:
                            • API String ID: 4141477222-0
                            • Opcode ID: d39b7e26cbe351c07ca66b20fe6d1e639f31d9ca7c158d15c7659477a680c6a3
                            • Instruction ID: 19298d922849baa24f63ad0f247ff39d38d5845a5370a5a100d7b73a85ddf1b9
                            • Opcode Fuzzy Hash: d39b7e26cbe351c07ca66b20fe6d1e639f31d9ca7c158d15c7659477a680c6a3
                            • Instruction Fuzzy Hash: 33516D31D002189BCB04EF94C984AEDFBB9BF4C714F24416AD405B76A0C7B4A88ACFA5
                            Function 00429470 Relevance: 33.1, APIs: 22, Instructions: 125COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(?,00403596,?,?,?,0042761D,?,00000000), ref: 0042948E
                            • __vbaStrCopy.MSVBVM60(?,00000000,?,?,00403596), ref: 004294BB
                            • __vbaStrCopy.MSVBVM60(?,00000000,?,?,00403596), ref: 004294C7
                            • __vbaStrCopy.MSVBVM60(?,00000000,?,?,00403596), ref: 004294D3
                            • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00403596), ref: 004294E2
                            • __vbaInStr.MSVBVM60(00000000,?,?,00000001,?,00000000,?,?,00403596), ref: 004294FB
                            • __vbaInStr.MSVBVM60(00000000,00000001,?,00000001,?,00000000,?,?,00403596), ref: 0042950F
                            • __vbaInStr.MSVBVM60(00000000,?,?,00000001,?,00000000,?,?,00403596), ref: 00429539
                            • __vbaVarMove.MSVBVM60 ref: 00429555
                            • __vbaInStr.MSVBVM60(00000000,?,?,00000001), ref: 0042956E
                            • __vbaI2I4.MSVBVM60 ref: 00429576
                            • __vbaVarSub.MSVBVM60(?,?,00000002), ref: 004295A8
                            • __vbaVarMove.MSVBVM60 ref: 004295B3
                            • __vbaI4Var.MSVBVM60(?,?), ref: 004295D4
                            • #632.MSVBVM60(?,00004008,00000000), ref: 004295E6
                            • __vbaStrVarMove.MSVBVM60(?), ref: 004295F0
                            • __vbaStrMove.MSVBVM60 ref: 004295FB
                            • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042960B
                            • __vbaFreeStr.MSVBVM60(0042966B,?,00000000,?,?,00403596), ref: 00429649
                            • __vbaFreeStr.MSVBVM60(?,00000000,?,?,00403596), ref: 00429652
                            • __vbaFreeStr.MSVBVM60(?,00000000,?,?,00403596), ref: 0042965B
                            • __vbaFreeVar.MSVBVM60(?,00000000,?,?,00403596), ref: 00429664
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Free$Move$Copy$#632ChkstkErrorList
                            • String ID:
                            • API String ID: 46184515-0
                            • Opcode ID: 7c23d46cdbfcb7fdeb00202b12b36880d3d8bcaac23efb72347e6c1de2e380a4
                            • Instruction ID: e1434c905570eb290201aefb975c99479b5a7184358d473310202bc87d5ba5cc
                            • Opcode Fuzzy Hash: 7c23d46cdbfcb7fdeb00202b12b36880d3d8bcaac23efb72347e6c1de2e380a4
                            • Instruction Fuzzy Hash: 22510871901209EBDB10DFA0DE49BDDBBB8BF48705F208169E506B72A0EB746A49CF54
                            Function 0042E430 Relevance: 30.3, APIs: 20, Instructions: 304COMMON
                            Download Yara Rule
                            APIs
                            • __vbaAryConstruct2.MSVBVM60(?,0040BE84,00000003,?,00000000,6D1045C1), ref: 0042E475
                            • __vbaUbound.MSVBVM60(00000001,?), ref: 0042E4B0
                            • __vbaCopyBytes.MSVBVM60(00000004,?,?,-00000001), ref: 0042E4E4
                            • __vbaRedimPreserve.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000048,00000000), ref: 0042E50F
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0042E530
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0042E538
                            • __vbaUI1I2.MSVBVM60 ref: 0042E545
                            • __vbaUbound.MSVBVM60(00000001,00000000), ref: 0042E558
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0042E585
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0042E58D
                            • __vbaUI1I4.MSVBVM60 ref: 0042E597
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0042E5CB
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0042E5D5
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0042E60C
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0042E616
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0042E64A
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0042E654
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0042E67F
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0042E689
                            • __vbaGenerateBoundsError.MSVBVM60(00000000,?,?,-00000001,00000000,?,?,00000010,0000004F,?), ref: 0042E6D3
                            • __vbaGenerateBoundsError.MSVBVM60(00000000,?,?,-00000001,00000000,?,?,00000010,0000004F,?), ref: 0042E6DD
                            • __vbaGenerateBoundsError.MSVBVM60(?,-00000001,00000000,?,?,00000010,0000004F,?), ref: 0042E712
                            • __vbaGenerateBoundsError.MSVBVM60(?,-00000001,00000000,?,?,00000010,0000004F,?), ref: 0042E71C
                            • __vbaGenerateBoundsError.MSVBVM60(?,-00000001,00000000,?,?,00000010,0000004F,?), ref: 0042E74E
                            • __vbaGenerateBoundsError.MSVBVM60(?,-00000001,00000000,?,?,00000010,0000004F,?), ref: 0042E758
                            • __vbaGenerateBoundsError.MSVBVM60(?,-00000001,00000000,?,?,00000010,0000004F,?), ref: 0042E78A
                            • __vbaGenerateBoundsError.MSVBVM60(?,-00000001,00000000,?,?,00000010,0000004F,?), ref: 0042E794
                            • __vbaCopyBytes.MSVBVM60(00000004,?,?,?,-00000001,00000000,?,?,00000010,0000004F,?), ref: 0042E7AF
                            • __vbaGenerateBoundsError.MSVBVM60(?,-00000001,00000000,?,?,00000010,0000004F,?), ref: 0042E7BE
                            • __vbaGenerateBoundsError.MSVBVM60(00000002), ref: 0042E828
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0042E842
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0042E85C
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0042E873
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0042E881
                            • __vbaErrorOverflow.MSVBVM60(00000000), ref: 0042EBD2
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Error$BoundsGenerate$BytesCopyUbound$Construct2OverflowPreserveRedim
                            • String ID:
                            • API String ID: 889003022-0
                            • Opcode ID: 824e3eb1eb7f378ddfb9f21055443024fdd7f2ad47ffcf305cd2c0d4d27ee1ae
                            • Instruction ID: 31e2beb8eb4382de09a736064b56804334ee4c5515ed4188c92261e2bc9f7ed8
                            • Opcode Fuzzy Hash: 824e3eb1eb7f378ddfb9f21055443024fdd7f2ad47ffcf305cd2c0d4d27ee1ae
                            • Instruction Fuzzy Hash: 51B10A78B00221CFCB18CF69E9849AABB71FF49300B54816ADD15AB351D775DC82CBE9
                            Function 00437750 Relevance: 28.7, APIs: 19, Instructions: 163COMMON
                            Download Yara Rule
                            APIs
                            • __vbaStrCopy.MSVBVM60 ref: 00437795
                            • #594.MSVBVM60(?), ref: 004377B8
                            • __vbaFreeVar.MSVBVM60 ref: 004377C1
                            • __vbaStr2Vec.MSVBVM60(?), ref: 004377D1
                            • __vbaAryMove.MSVBVM60(?,?), ref: 004377DF
                            • __vbaLenBstr.MSVBVM60 ref: 004377E8
                            • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00402EF7,00000000), ref: 00437820
                            • #593.MSVBVM60(0000000A), ref: 00437843
                            • __vbaFpI4.MSVBVM60 ref: 0043786F
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0043788F
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00437897
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 004378BA
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 004378CA
                            • __vbaFreeVar.MSVBVM60 ref: 004378E5
                            • __vbaStrVarCopy.MSVBVM60(?), ref: 00437910
                            • __vbaStrMove.MSVBVM60 ref: 0043791B
                            • __vbaAryDestruct.MSVBVM60(00000000,?,00437965), ref: 0043795A
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00437962
                            • __vbaErrorOverflow.MSVBVM60(00000000), ref: 00437980
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Error$BoundsGenerate$CopyDestructFreeMove$#593#594BstrOverflowRedimStr2
                            • String ID:
                            • API String ID: 2878600159-0
                            • Opcode ID: 23d6b58e7e2597a93d2386e84ad191eb64f6dd4ec71b0147697d02010d9ad273
                            • Instruction ID: 2006baacb3ff96883f4c5eeefa52fdf488292c3d5fa07bfbd3b508e6e93bccda
                            • Opcode Fuzzy Hash: 23d6b58e7e2597a93d2386e84ad191eb64f6dd4ec71b0147697d02010d9ad273
                            • Instruction Fuzzy Hash: 40514DB5D04209EFDB18DFA4D988A9DBB75FF4C310F10412AE845B7250D7789885CF69
                            Function 004334F0 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 132COMMON
                            Download Yara Rule
                            APIs
                            • __vbaStrCopy.MSVBVM60(6D10D8B1,00000000,00000000), ref: 00433532
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00433571
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0043357B
                            • __vbaStrUI1.MSVBVM60(?), ref: 0043358A
                            • __vbaStrMove.MSVBVM60 ref: 00433595
                            • __vbaStrCmp.MSVBVM60(00409030,00000000), ref: 0043359D
                            • __vbaFreeStr.MSVBVM60 ref: 004335B0
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 004335E7
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 004335F1
                            • #608.MSVBVM60(?,00000000), ref: 00433606
                            • __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 00433618
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 0043361F
                            • __vbaStrMove.MSVBVM60 ref: 0043362A
                            • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00433636
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$BoundsErrorGenerate$Move$Free$#608CopyList
                            • String ID: x*@
                            • API String ID: 1868846481-3155455298
                            • Opcode ID: 81c0aa74747713222f5e3b1594f73d8bd6bc6bc0693e6a6b50bbdad704933797
                            • Instruction ID: c358e0c624f4da8a4ebc486f20ce9b48f22cc67035f7e9ab06e6b0208cc2867c
                            • Opcode Fuzzy Hash: 81c0aa74747713222f5e3b1594f73d8bd6bc6bc0693e6a6b50bbdad704933797
                            • Instruction Fuzzy Hash: 24414F75D00225EFCB14DFA4DD899AEBB79FF4C701F10816AE802A7360DB789945CB98
                            Function 00437530 Relevance: 27.1, APIs: 18, Instructions: 129COMMON
                            Download Yara Rule
                            APIs
                            • __vbaOnError.MSVBVM60(00000001,?,00000000,6D1045C1), ref: 004375A2
                            • #556.MSVBVM60(0042C5CC), ref: 004375AC
                            • __vbaVarDup.MSVBVM60 ref: 004375D8
                            • #710.MSVBVM60(0042C5CC,?,0040C820), ref: 004375E8
                            • __vbaStrMove.MSVBVM60 ref: 004375F9
                            • __vbaStrCat.MSVBVM60(00000000), ref: 00437602
                            • __vbaStrMove.MSVBVM60 ref: 00437609
                            • __vbaStrCat.MSVBVM60(0040C820,00000000), ref: 00437612
                            • __vbaVarVargNofree.MSVBVM60(?,?,00000001), ref: 0043765D
                            • __vbaVarCat.MSVBVM60(?,00000000), ref: 0043766E
                            • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 0043767C
                            • __vbaInStrVar.MSVBVM60(?,00000000,00000000), ref: 00437684
                            • __vbaVarCmpGt.MSVBVM60(?,00008002,00000000), ref: 00437699
                            • __vbaBoolVar.MSVBVM60(00000000), ref: 004376A0
                            • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004376B3
                            • __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 004376CF
                            • __vbaExitProc.MSVBVM60 ref: 004376D8
                            • __vbaExitProc.MSVBVM60 ref: 004376EC
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$ExitFreeListMoveProc$#556#710BoolErrorNofreeVarg
                            • String ID:
                            • API String ID: 2501001033-0
                            • Opcode ID: fd34e116fb30454acb61271d04571052ed24217cd35fc68049ef9ea90975a26a
                            • Instruction ID: 62aa4f62eafc0acfcd3195322b87438414205dd98e20c41b61c9f3b4a20de445
                            • Opcode Fuzzy Hash: fd34e116fb30454acb61271d04571052ed24217cd35fc68049ef9ea90975a26a
                            • Instruction Fuzzy Hash: 6C51C9B1C10258AFDB50DF94CD84BDEBBB8FB48700F1081AAE149B7250DB745A89CFA5
                            Function 004360D0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120COMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 00436CC0: __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 00436D1D
                              • Part of subcall function 00436CC0: #632.MSVBVM60(?,?,00000000,?,?,?,00000000), ref: 00436D61
                              • Part of subcall function 00436CC0: __vbaVarMove.MSVBVM60(?,?,00000000), ref: 00436D70
                              • Part of subcall function 00436CC0: __vbaFreeVar.MSVBVM60(?,?,00000000), ref: 00436D79
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,00000000), ref: 00436D99
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00436DB9
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,00000000), ref: 00436DD9
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00436DF9
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00436E19
                            • __vbaLenBstr.MSVBVM60(?,?,?,6D10D8B1,?,?), ref: 00436128
                            • #632.MSVBVM60(?,?,?,?,?,?,?,6D10D8B1,?,?), ref: 00436169
                            • __vbaStrVarMove.MSVBVM60(?,?,?,?,6D10D8B1,?,?), ref: 00436173
                            • __vbaStrMove.MSVBVM60(?,?,?,6D10D8B1,?,?), ref: 0043617E
                            • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,6D10D8B1,?,?), ref: 0043618A
                            • __vbaInStr.MSVBVM60(00000000,?,+-0123456789.eE,00000001,6D10D8B1,?,?), ref: 004361A0
                            • __vbaStrCat.MSVBVM60(?,?), ref: 004361B2
                            • __vbaStrMove.MSVBVM60 ref: 004361BD
                            • #564.MSVBVM60(00004008,00000002), ref: 004361E9
                            • __vbaHresultCheck.MSVBVM60(00000000), ref: 004361F4
                            • __vbaVarMove.MSVBVM60 ref: 00436200
                            • __vbaFreeStr.MSVBVM60(00436241,?,?,?,6D10D8B1,?,?), ref: 00436239
                            • __vbaFreeStr.MSVBVM60(?,?,?,6D10D8B1,?,?), ref: 0043623E
                            • __vbaErrorOverflow.MSVBVM60 ref: 00436270
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Free$#632Bstr$#564CheckErrorHresultListOverflow
                            • String ID: +-0123456789.eE
                            • API String ID: 654446260-3706364263
                            • Opcode ID: 3406eb38887ac3e5b00e2f23976b29302bf76b730ed847d5862605b97820192c
                            • Instruction ID: c0da8a12f102db3191c3e05454a36b426f82c0524e00160476eb994125cea775
                            • Opcode Fuzzy Hash: 3406eb38887ac3e5b00e2f23976b29302bf76b730ed847d5862605b97820192c
                            • Instruction Fuzzy Hash: C54120B1D0020AAFDB04DFA5D985AEEBBB8FF48704F11C029E516B7264EB745905CF94
                            Function 00430D00 Relevance: 25.7, APIs: 17, Instructions: 185COMMON
                            Download Yara Rule
                            APIs
                            • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,0000000B,00000000,?,00000000), ref: 00430D58
                            • __vbaUbound.MSVBVM60(00000001,?), ref: 00430D6D
                            • __vbaFreeVar.MSVBVM60(?,?,?,?,?), ref: 00430DBC
                            • __vbaUbound.MSVBVM60(00000001,?,00000000), ref: 00430DC8
                            • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-0000001F,?,00000000), ref: 00430DEC
                            • __vbaUbound.MSVBVM60(00000001,?), ref: 00430DFB
                              • Part of subcall function 004338E0: __vbaFreeVar.MSVBVM60 ref: 00433BE5
                            • __vbaFreeVar.MSVBVM60(?,?,?,?,?), ref: 00430E4A
                            • __vbaUbound.MSVBVM60(00000001,00000000,00000010,?,00000000,00000000), ref: 00430E5D
                            • __vbaUbound.MSVBVM60(00000001,?,00402790,-0000000F), ref: 00430E70
                              • Part of subcall function 00430F30: #644.MSVBVM60(AES,6D1045C1,00000000,00402790), ref: 00430F8A
                              • Part of subcall function 00430F30: __vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000), ref: 00430FA1
                              • Part of subcall function 00430F30: __vbaStrCopy.MSVBVM60 ref: 00430FB0
                              • Part of subcall function 00430F30: __vbaSetSystemError.MSVBVM60(?), ref: 004312B4
                              • Part of subcall function 00430F30: __vbaSetSystemError.MSVBVM60(?,00000000), ref: 004312C4
                              • Part of subcall function 00430F30: __vbaFreeStr.MSVBVM60(004312EA), ref: 004312E3
                            • #717.MSVBVM60(00000003,?,00000040,00000000,00430BD8,?,?,00000000,-00000001), ref: 00430EAB
                            • __vbaStrVarMove.MSVBVM60(00000003), ref: 00430EB5
                            • __vbaStrMove.MSVBVM60 ref: 00430EC0
                            • __vbaFreeVar.MSVBVM60 ref: 00430EC9
                            • __vbaAryDestruct.MSVBVM60(00000000,?,00430F0D,00430BD8,?,?,00000000,-00000001), ref: 00430EFC
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00430F03
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00430F0A
                            • __vbaErrorOverflow.MSVBVM60 ref: 00430F23
                              • Part of subcall function 004338E0: __vbaChkstk.MSVBVM60(00000000,00403596), ref: 00433A6E
                              • Part of subcall function 004338E0: __vbaOnError.MSVBVM60(000000FF,6D10D8B1,?,6D0FA323,00000000,00403596), ref: 00433A9E
                              • Part of subcall function 004338E0: __vbaVarVargNofree.MSVBVM60 ref: 00433ABF
                              • Part of subcall function 004338E0: __vbaVarSub.MSVBVM60(?,00000002,00000000), ref: 00433ACE
                              • Part of subcall function 004338E0: __vbaI2Var.MSVBVM60(00000000), ref: 00433AD5
                              • Part of subcall function 004338E0: __vbaChkstk.MSVBVM60 ref: 00433B5B
                              • Part of subcall function 004338E0: __vbaChkstk.MSVBVM60 ref: 00433B7E
                              • Part of subcall function 004338E0: __vbaVarIndexLoad.MSVBVM60(?,?,00000001), ref: 00433BA6
                              • Part of subcall function 004338E0: __vbaChkstk.MSVBVM60 ref: 00433BB6
                              • Part of subcall function 004338E0: __vbaVarIndexStore.MSVBVM60(00000000,00000001), ref: 00433BD9
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$ErrorFreeUbound$Chkstk$DestructSystem$IndexMoveRedim$#644#717CopyLoadNofreeOverflowStoreVarg
                            • String ID:
                            • API String ID: 161593248-0
                            • Opcode ID: 25ab56430ed5b046e4217277f258a9429a8e2e7c37848ab36f4da31e08463cff
                            • Instruction ID: 4ab4ae6de697d3f2a002a3fcfcf2de0c14450c708bd2cb649568df3d060b18fe
                            • Opcode Fuzzy Hash: 25ab56430ed5b046e4217277f258a9429a8e2e7c37848ab36f4da31e08463cff
                            • Instruction Fuzzy Hash: D06116B1D01208AFDB14DF94DD95EEEBBBDEF48700F10811AF505BA294D6B46A44CFA4
                            Function 00434610 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 105COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596,?,?,00000000,?,?,00403596), ref: 0043462E
                            • __vbaStrCopy.MSVBVM60(?,00000000), ref: 00434674
                            • __vbaOnError.MSVBVM60(000000FF,?,00000000), ref: 00434683
                              • Part of subcall function 00436CC0: __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 00436D1D
                              • Part of subcall function 00436CC0: #632.MSVBVM60(?,?,00000000,?,?,?,00000000), ref: 00436D61
                              • Part of subcall function 00436CC0: __vbaVarMove.MSVBVM60(?,?,00000000), ref: 00436D70
                              • Part of subcall function 00436CC0: __vbaFreeVar.MSVBVM60(?,?,00000000), ref: 00436D79
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,00000000), ref: 00436D99
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00436DB9
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,00000000), ref: 00436DD9
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00436DF9
                              • Part of subcall function 00436CC0: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00436E19
                            • #632.MSVBVM60(?,00004008,00000001,00000002), ref: 004346CF
                            • __vbaVarMove.MSVBVM60 ref: 004346DB
                            • __vbaFreeVar.MSVBVM60 ref: 004346E4
                            • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 00434707
                            • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000001), ref: 0043472D
                            • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 00434752
                            • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000001), ref: 00434778
                            • __vbaFreeVar.MSVBVM60(004347CF), ref: 004347C8
                              • Part of subcall function 00435000: __vbaChkstk.MSVBVM60(00000000,00403596), ref: 0043501E
                              • Part of subcall function 00435000: __vbaNew.MSVBVM60(00406A28,?,00000000,?,00000000,00403596), ref: 00435051
                              • Part of subcall function 00435000: __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000,?,00000000,00403596), ref: 0043505C
                              • Part of subcall function 00435000: #632.MSVBVM60(?,00004008,?,00000002), ref: 004350BA
                              • Part of subcall function 00435000: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 004350DF
                              • Part of subcall function 00435000: __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 004350F6
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Free$#632$ChkstkMove$BstrCopyErrorList
                            • String ID: Invalid JSON
                            • API String ID: 1141054087-3555352431
                            • Opcode ID: bcad162fb368418e90e4f8f9b6b24b60d1b82d9c48f462ba2060d202b102f3f7
                            • Instruction ID: 460a979b593e6d91a6496a03fc78e7a5f8b05b4d5fa7bd7ce9bbc89feeb733de
                            • Opcode Fuzzy Hash: bcad162fb368418e90e4f8f9b6b24b60d1b82d9c48f462ba2060d202b102f3f7
                            • Instruction Fuzzy Hash: 3041F2B5800248EBDB04DFD4CA48BDEBBB8FF48304F10855AE501B7694D7B96A49CF54
                            Function 00436CC0 Relevance: 21.2, APIs: 14, Instructions: 179COMMON
                            Download Yara Rule
                            APIs
                            • __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 00436D1D
                            • #632.MSVBVM60(?,?,00000000,?,?,?,00000000), ref: 00436D61
                            • __vbaVarMove.MSVBVM60(?,?,00000000), ref: 00436D70
                            • __vbaFreeVar.MSVBVM60(?,?,00000000), ref: 00436D79
                            • __vbaVarTstEq.MSVBVM60(00004008,?,?,?,00000000), ref: 00436D99
                            • __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00436DB9
                            • __vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,00000000), ref: 00436DD9
                            • __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00436DF9
                            • __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00436E19
                            • __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00436E39
                            • __vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,00000000), ref: 00436E59
                            • __vbaFreeVar.MSVBVM60(00436F13,?,?,00000000), ref: 00436F0C
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Free$#632BstrMove
                            • String ID:
                            • API String ID: 563547971-0
                            • Opcode ID: 85e254c9e8b11c4ef682d9ef0a59e34d8e9b0defaeba3d90a8a728213d4ea677
                            • Instruction ID: 908d54e907c8e797c5c84bac67690021573a5d71d501d86e971541fc9772ed40
                            • Opcode Fuzzy Hash: 85e254c9e8b11c4ef682d9ef0a59e34d8e9b0defaeba3d90a8a728213d4ea677
                            • Instruction Fuzzy Hash: 39614EB5C0021ADECF10DF99C841AEEBBB4FF48344F51C16AD455B7280D7741A0A8FA8
                            Function 00431770 Relevance: 21.1, APIs: 14, Instructions: 84COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(?,00403596,?,?,00000000,?,?,00403596), ref: 0043178E
                            • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00403596), ref: 004317BE
                            • #645.MSVBVM60(00004008,00000000), ref: 004317DE
                            • __vbaStrMove.MSVBVM60 ref: 004317E9
                            • __vbaLenBstrB.MSVBVM60(00000000), ref: 004317F0
                            • __vbaFreeStr.MSVBVM60 ref: 00431806
                            • #648.MSVBVM60(0000000A), ref: 00431831
                            • __vbaFreeVar.MSVBVM60 ref: 0043183E
                            • __vbaFileOpen.MSVBVM60(00000020,000000FF,?,00000000), ref: 0043185A
                            • #570.MSVBVM60(?), ref: 0043186C
                            • #525.MSVBVM60(00000000), ref: 00431873
                            • __vbaStrMove.MSVBVM60 ref: 0043187E
                            • __vbaGet3.MSVBVM60(00000000,00000000,?), ref: 00431896
                            • __vbaFileClose.MSVBVM60(?), ref: 004318A8
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$FileFreeMove$#525#570#645#648BstrChkstkCloseErrorGet3Open
                            • String ID:
                            • API String ID: 3431710322-0
                            • Opcode ID: c97f49da77334b8c13f0db4c3999dbf0131ed37c4c1af980d7b6c63f31662347
                            • Instruction ID: 16a83d7c7f31cb66e257ea1b433e91b07d4961812edfc0dab3b9c83c9d1db17e
                            • Opcode Fuzzy Hash: c97f49da77334b8c13f0db4c3999dbf0131ed37c4c1af980d7b6c63f31662347
                            • Instruction Fuzzy Hash: 3831FDB5D00248EBDB04EFE4DA48BDEBBB4FF08715F108159E511B72A0DB795A44CB68
                            Function 0042EBE0 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 238COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(00000000,00403596), ref: 0042EBFE
                            • __vbaOnError.MSVBVM60(000000FF,00000000,-00000001,6D1045C1,00000000,00403596), ref: 0042EC2E
                            • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 0042EC67
                            • __vbaRedim.MSVBVM60(00000080,00000001,004420C8,00000011,00000001,00000000,00000000), ref: 0042ECE8
                            • __vbaAryMove.MSVBVM60(?,?,00006011,004420BC,00006011,?,00004002), ref: 0042EDAA
                            • __vbaAryMove.MSVBVM60(004420C8,?,?,?,?), ref: 0042EE9A
                            • __vbaAryMove.MSVBVM60(?,?,00006011,?,00006011,?,00004002), ref: 0042EFA8
                            • __vbaAryDestruct.MSVBVM60(00000000,?,0042EFE2), ref: 0042EFCF
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042EFDB
                              • Part of subcall function 004338E0: __vbaChkstk.MSVBVM60(00000000,00403596), ref: 00433A6E
                              • Part of subcall function 004338E0: __vbaOnError.MSVBVM60(000000FF,6D10D8B1,?,6D0FA323,00000000,00403596), ref: 00433A9E
                              • Part of subcall function 004338E0: __vbaVarVargNofree.MSVBVM60 ref: 00433ABF
                              • Part of subcall function 004338E0: __vbaVarSub.MSVBVM60(?,00000002,00000000), ref: 00433ACE
                              • Part of subcall function 004338E0: __vbaI2Var.MSVBVM60(00000000), ref: 00433AD5
                              • Part of subcall function 004338E0: __vbaChkstk.MSVBVM60 ref: 00433B5B
                              • Part of subcall function 004338E0: __vbaChkstk.MSVBVM60 ref: 00433B7E
                              • Part of subcall function 004338E0: __vbaVarIndexLoad.MSVBVM60(?,?,00000001), ref: 00433BA6
                              • Part of subcall function 004338E0: __vbaChkstk.MSVBVM60 ref: 00433BB6
                              • Part of subcall function 004338E0: __vbaVarIndexStore.MSVBVM60(00000000,00000001), ref: 00433BD9
                            • __vbaErrorOverflow.MSVBVM60(00000000), ref: 0042EFF8
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Chkstk$ErrorMove$DestructIndexRedim$LoadNofreeOverflowStoreVarg
                            • String ID: #
                            • API String ID: 2367531599-1885708031
                            • Opcode ID: 5f0a61225153ea4662a5e2fbf372d6d8aaa78bd832ade90acd7ddded527252bd
                            • Instruction ID: e43aa9e9a27da25e6817a413130c83c5a780f751d8cb4e79e83fbd715f1d6cea
                            • Opcode Fuzzy Hash: 5f0a61225153ea4662a5e2fbf372d6d8aaa78bd832ade90acd7ddded527252bd
                            • Instruction Fuzzy Hash: 38B10AB0901308EAEB14DFD5DA48BDEBBB5FF08704F608059E2157B290D7B91A48DF69
                            Function 004208D2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 77COMMON
                            Download Yara Rule
                            APIs
                            • __vbaRecDestruct.MSVBVM60(0040663C,?), ref: 00420906
                              • Part of subcall function 00420BA0: __vbaUbound.MSVBVM60(00000001,?,00401D38,-00000001,6D1DEC2C), ref: 00420C1A
                              • Part of subcall function 00420BA0: __vbaUI1I2.MSVBVM60(?,00401D38,-00000001,6D1DEC2C), ref: 00420C22
                              • Part of subcall function 00420BA0: __vbaAryCopy.MSVBVM60(?,00401E10,?,00401D38,-00000001,6D1DEC2C), ref: 00420C30
                              • Part of subcall function 00420BA0: __vbaFreeVar.MSVBVM60(00420E8E), ref: 00420E7A
                              • Part of subcall function 00420BA0: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00420E82
                              • Part of subcall function 00420BA0: __vbaFreeVar.MSVBVM60 ref: 00420E8B
                            • __vbaRecAssign.MSVBVM60(0040663C,?,?,?), ref: 00420931
                            • __vbaAryCopy.MSVBVM60(?,?), ref: 00420953
                            • #698.MSVBVM60(?,?), ref: 00420984
                            • __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0042099F
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 004209A6
                            • __vbaStrMove.MSVBVM60 ref: 004209B1
                            • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004209C7
                            • __vbaStrVarVal.MSVBVM60(?,?,00405BB8,00000001,000000FF,00000000), ref: 00420A0F
                            • #712.MSVBVM60(?,00000000), ref: 00420A1A
                            • __vbaStrMove.MSVBVM60 ref: 00420A25
                            • __vbaFreeStr.MSVBVM60 ref: 00420A31
                            • __vbaRecDestruct.MSVBVM60(0040663C,?,00420B77), ref: 00420A9E
                            • __vbaRecDestruct.MSVBVM60(0040663C,?), ref: 00420AB0
                            • __vbaRecDestruct.MSVBVM60(0040663C,?), ref: 00420AC2
                            • __vbaRecDestruct.MSVBVM60(0040663C,?), ref: 00420AD4
                            • __vbaRecDestruct.MSVBVM60(0040663C,?), ref: 00420AE6
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00420AF5
                            • __vbaFreeVar.MSVBVM60 ref: 00420AFE
                            • __vbaRecDestruct.MSVBVM60(0040663C,?), ref: 00420B0D
                            • __vbaFreeVar.MSVBVM60 ref: 00420B16
                            • __vbaRecDestruct.MSVBVM60(0040663C,?), ref: 00420B25
                            • __vbaRecDestruct.MSVBVM60(0040663C,?), ref: 00420B34
                            • __vbaFreeStr.MSVBVM60 ref: 00420B3D
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00420B49
                            • __vbaRecDestruct.MSVBVM60(0040663C,?), ref: 00420B58
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00420B64
                            • __vbaFreeStr.MSVBVM60 ref: 00420B70
                            • __vbaErrorOverflow.MSVBVM60 ref: 00420B8D
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Destruct$Free$Move$Copy$#698#712AssignErrorListOverflowUbound
                            • String ID: &
                            • API String ID: 3078955159-1010288
                            • Opcode ID: 29ccb81511c3bfea5d21e75451ae1ac2ecc176d7a5354c854d33a201ddff18cb
                            • Instruction ID: 28fed4bef9ea71e5b84445a166b765d4c04e27adb45756c2de405283e0af8b13
                            • Opcode Fuzzy Hash: 29ccb81511c3bfea5d21e75451ae1ac2ecc176d7a5354c854d33a201ddff18cb
                            • Instruction Fuzzy Hash: C83128B18003589FDB11CFA0DE48BEEBBB8BB44300F14859AE18AB7151DB751B88CF25
                            Function 0043FB70 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 68COMMON
                            Download Yara Rule
                            APIs
                            • #631.MSVBVM60(?,00403596,?,6D10D8B1,6D10D83C,00000000), ref: 0043FBC8
                            • __vbaStrMove.MSVBVM60(?,00000000,00000002), ref: 0043FBD3
                            • __vbaFreeVar.MSVBVM60(?,00000000,00000002), ref: 0043FBDC
                            • __vbaStrCmp.MSVBVM60(00406074,?), ref: 0043FBF8
                            • #561.MSVBVM60(00004008), ref: 0043FC09
                            • __vbaFreeStr.MSVBVM60(0043FC43,6D10D8B1,6D10D83C,00000000), ref: 0043FC3C
                            • __vbaErrorOverflow.MSVBVM60 ref: 0043FC59
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Free$#561#631ErrorMoveOverflow
                            • String ID: 230118284F6C57352F22352409562D0A01$BKulXuCxFGMBMyxCouqqcWBRAOGUElG$IP:
                            • API String ID: 3197503391-1594731854
                            • Opcode ID: d4294fc689ef1a8ddc5e344af47181a1845bee8629c8b658ef57bba30a892bff
                            • Instruction ID: 891bbb078a985f0ec433e74df8c45261bfa407abb224af26ad50611916623fec
                            • Opcode Fuzzy Hash: d4294fc689ef1a8ddc5e344af47181a1845bee8629c8b658ef57bba30a892bff
                            • Instruction Fuzzy Hash: EB212A71D40209AFCB04DFB4D949AAEBBB4FB0D741F105536E916F72A0E6345A08CFA5
                            Function 0043D440 Relevance: 16.6, APIs: 11, Instructions: 96COMMON
                            Download Yara Rule
                            APIs
                            • __vbaSetSystemError.MSVBVM60(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,00000000), ref: 0043D491
                            • __vbaStrCopy.MSVBVM60(?,00000000), ref: 0043D4A4
                            • __vbaVarDup.MSVBVM60(?,00000000), ref: 0043D4C8
                            • #607.MSVBVM60(?,-00000001,?,?,00000000), ref: 0043D4E2
                            • __vbaStrVarMove.MSVBVM60(?,?,00000000), ref: 0043D4EC
                            • __vbaStrMove.MSVBVM60(?,00000000), ref: 0043D4F7
                            • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,00000000), ref: 0043D507
                            • #644.MSVBVM60(?), ref: 0043D514
                            • __vbaSetSystemError.MSVBVM60(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 0043D52C
                            • __vbaFreeStr.MSVBVM60(0043D566,?,000000FF,00000000,00000000), ref: 0043D55F
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$ErrorFreeMoveSystem$#607#644CopyList
                            • String ID:
                            • API String ID: 3415219340-0
                            • Opcode ID: dce8c9de9865f89a5c218362052696d096d122b54917ff82a7277023de9f6d41
                            • Instruction ID: 331427dc3ea86cc4e6a36ef6567e76a736bc5939e2ba69e4cb66f1865eca9b11
                            • Opcode Fuzzy Hash: dce8c9de9865f89a5c218362052696d096d122b54917ff82a7277023de9f6d41
                            • Instruction Fuzzy Hash: 4D319370C01249AFDB00EFA5DE49EAEBB7DEF84704F10412AF502B62A4DB745A05CF99
                            Function 0043FC60 Relevance: 12.1, APIs: 8, Instructions: 71COMMON
                            Download Yara Rule
                            APIs
                            • __vbaLenBstr.MSVBVM60(00000000,?,00403596,00000001), ref: 0043FC9D
                            • #631.MSVBVM60(?,?,?), ref: 0043FCC4
                            • __vbaStrMove.MSVBVM60(?,?,?), ref: 0043FCCF
                            • __vbaFreeVar.MSVBVM60(?,?,?), ref: 0043FCD8
                            • __vbaStrCmp.MSVBVM60(00406074,?,?,?,?), ref: 0043FCF4
                            • #561.MSVBVM60(00004008,?,?,?), ref: 0043FD05
                            • __vbaFreeStr.MSVBVM60(0043FD41), ref: 0043FD3A
                            • __vbaErrorOverflow.MSVBVM60(?,?,?), ref: 0043FD57
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Free$#561#631BstrErrorMoveOverflow
                            • String ID:
                            • API String ID: 1526774655-0
                            • Opcode ID: 8339636983581ea0f82902997c062e39a2daac726478c26ffb29ba674144a89e
                            • Instruction ID: f79b6b974b09c74ae0464465a05037028eaf9882c45d514e6f149ae8308f7ab3
                            • Opcode Fuzzy Hash: 8339636983581ea0f82902997c062e39a2daac726478c26ffb29ba674144a89e
                            • Instruction Fuzzy Hash: EF212A70D10219EFCB00DFA4DA89AAEBBB4FB09701F10512AE506F7260E7746949CFA4
                            Function 0041C697 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67COMMON
                            Download Yara Rule
                            APIs
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041C737
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041C751
                            • __vbaChkstk.MSVBVM60 ref: 0041C762
                            • __vbaVarIndexLoad.MSVBVM60(00000008,?,00000001), ref: 0041C79C
                            • __vbaUI1Var.MSVBVM60(00000000), ref: 0041C7A6
                            • __vbaFreeVar.MSVBVM60 ref: 0041C7C4
                            • __vbaStrCopy.MSVBVM60 ref: 0041C7E5
                            • __vbaAryMove.MSVBVM60(?,?,?,?,00000000,00000000,00000004,00000000), ref: 0041C81A
                            • __vbaFreeStr.MSVBVM60 ref: 0041C826
                            • __vbaUbound.MSVBVM60(00000001,?), ref: 0041C83C
                            • __vbaStrMove.MSVBVM60(?,?), ref: 0041C863
                            • __vbaLenBstrB.MSVBVM60(?), ref: 0041C877
                            • __vbaStrCopy.MSVBVM60 ref: 0041C897
                            • __vbaStrMove.MSVBVM60(?), ref: 0041C8B1
                            • __vbaStrCopy.MSVBVM60 ref: 0041C929
                            • __vbaStrMove.MSVBVM60 ref: 0041C951
                            • __vbaChkstk.MSVBVM60(00000008,?,?), ref: 0041C99A
                            • __vbaVarIndexLoad.MSVBVM60(00000008,?,00000001,00000008,?,?), ref: 0041C9D1
                            • __vbaVarAdd.MSVBVM60(0000000A,00000000), ref: 0041C9E2
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041C9F7
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041CA0C
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041CA21
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041CA36
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041CA4B
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 0041CA52
                            • __vbaStrMove.MSVBVM60 ref: 0041CA5F
                            • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000), ref: 0041CA83
                            • __vbaFreeVarList.MSVBVM60(00000008,00000008,0000000A,?,?,?,00000008,?,?), ref: 0041CAC6
                            • __vbaStrCat.MSVBVM60(===============DARKCLOUD===============,00000000), ref: 0041CAE2
                            • __vbaStrMove.MSVBVM60 ref: 0041CAF0
                            • __vbaStrCat.MSVBVM60(004059B4,00000000), ref: 0041CAFC
                            • __vbaStrMove.MSVBVM60 ref: 0041CB09
                            • __vbaFreeStr.MSVBVM60 ref: 0041CB15
                            • __vbaStrCopy.MSVBVM60 ref: 0041CB2D
                            • __vbaChkstk.MSVBVM60 ref: 0041CB57
                            • __vbaVarIndexLoadRefLock.MSVBVM60(00000008,?,?,00000001), ref: 0041CB95
                            • __vbaAryUnlock.MSVBVM60(?,?,00006008), ref: 0041CBE7
                            • __vbaFreeVar.MSVBVM60 ref: 0041CC01
                            • __vbaRefVarAry.MSVBVM60(?,00000000), ref: 0041CC26
                            • __vbaUbound.MSVBVM60(00000001), ref: 0041CC31
                            • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001), ref: 0041CC50
                            • __vbaRefVarAry.MSVBVM60(?), ref: 0041CC67
                            • __vbaUbound.MSVBVM60(00000001), ref: 0041CC72
                            • __vbaI2I4.MSVBVM60 ref: 0041CC83
                            • __vbaStrCat.MSVBVM60(00405AFC,?), ref: 0041D3F4
                            • __vbaErrorOverflow.MSVBVM60 ref: 0041FD23
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Free$Copy$ChkstkErrorIndexLoadUbound$BoundsGenerateList$BstrLockOverflowRedimUnlock
                            • String ID: 8
                            • API String ID: 506470743-4194326291
                            • Opcode ID: 7dccdb802718e7f7d753b0610d69ad3417f4037bdd4066512c601f6d68bc73a6
                            • Instruction ID: 2ff289b0384ca4ebeec75bf68bc61eb96d46b9f407ea5f647d072a65e819ac21
                            • Opcode Fuzzy Hash: 7dccdb802718e7f7d753b0610d69ad3417f4037bdd4066512c601f6d68bc73a6
                            • Instruction Fuzzy Hash: E331B07491026ACBDB64DF64C988BE9B7B1BB44304F1081DAD80DA7251DBB49EC1CF69
                            Function 0041CCA4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65COMMON
                            Download Yara Rule
                            APIs
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041CD2C
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 0041CD46
                            • __vbaChkstk.MSVBVM60 ref: 0041CD57
                            • __vbaVarIndexLoad.MSVBVM60(00000008,?,00000001), ref: 0041CD91
                            • __vbaUI1Var.MSVBVM60(00000000), ref: 0041CD9B
                            • __vbaFreeVar.MSVBVM60 ref: 0041CDB6
                            • __vbaUbound.MSVBVM60(00000001,?), ref: 0041CE11
                            • __vbaChkstk.MSVBVM60(00000008,?,?), ref: 0041CE5D
                            • __vbaVarIndexLoad.MSVBVM60(00000008,?,00000001,00000008,?,?), ref: 0041CE94
                            • __vbaVarAdd.MSVBVM60(0000000A,00000000), ref: 0041CEA5
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041CEBA
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041CECF
                            • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041CEE4
                            • __vbaStrVarMove.MSVBVM60(00000000), ref: 0041CEEB
                            • __vbaStrMove.MSVBVM60 ref: 0041CEF8
                            • __vbaFreeVarList.MSVBVM60(00000006,00000008,0000000A,?,00000008,?,?), ref: 0041CF2A
                            • __vbaVarTstEq.MSVBVM60(00008002,?), ref: 0041CF61
                            • __vbaStrCat.MSVBVM60(00405AFC,?), ref: 0041CF98
                            • __vbaChkstk.MSVBVM60 ref: 0041CFC6
                            • __vbaVarIndexLoadRef.MSVBVM60(?,?,00000001), ref: 0041CFFD
                            • __vbaChkstk.MSVBVM60 ref: 0041D031
                            • __vbaVarCat.MSVBVM60(0000000A,?,00000008), ref: 0041D070
                            • __vbaChkstk.MSVBVM60 ref: 0041D07D
                            • __vbaChkstk.MSVBVM60 ref: 0041D09F
                            • __vbaChkstk.MSVBVM60 ref: 0041D0CE
                            • __vbaLateMemCall.MSVBVM60(?,GetExpandedStringValue,00000004), ref: 0041D103
                            • __vbaFreeVarList.MSVBVM60(00000003,00000008,0000000A,?), ref: 0041D123
                            • __vbaStrCat.MSVBVM60(00405AFC,?), ref: 0041D3F4
                            • __vbaVarCat.MSVBVM60(0000000A,?,00000008), ref: 0041D48C
                            • __vbaChkstk.MSVBVM60 ref: 0041D499
                            • __vbaVarLateMemSt.MSVBVM60(?,frolickedYAvkfGKWrNQBejXLqblENOHOKnKXbDNjQCmpuddlings), ref: 0041D4CB
                            • __vbaFreeVarList.MSVBVM60(00000002,00000008,0000000A), ref: 0041D4E1
                            • __vbaChkstk.MSVBVM60 ref: 0041D576
                            • __vbaErrorOverflow.MSVBVM60 ref: 0041FD23
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Chkstk$Free$ErrorIndexListLoad$BoundsGenerateLateMove$CallOverflowUbound
                            • String ID: D
                            • API String ID: 3521923014-2746444292
                            • Opcode ID: 66486b7da092de4f1e10f0308097688f93026d54e5f274b9e619432db0c64ba8
                            • Instruction ID: 6213cacd8f93b72f025af8d3dd06cb792ad3d65fcd703b751ca6599460199b64
                            • Opcode Fuzzy Hash: 66486b7da092de4f1e10f0308097688f93026d54e5f274b9e619432db0c64ba8
                            • Instruction Fuzzy Hash: B831AF74900259CFDB24DF54DA88BEDBBB1BB48304F1081EAD90967261DB749EC1CF69
                            Function 00437430 Relevance: 10.6, APIs: 7, Instructions: 53COMMON
                            Download Yara Rule
                            APIs
                            • __vbaChkstk.MSVBVM60(?,00403596,?,?,?,0041759F,?,00442038), ref: 0043744E
                            • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00403596), ref: 0043747E
                            • #648.MSVBVM60(0000000A), ref: 004374A4
                            • __vbaFreeVar.MSVBVM60 ref: 004374B1
                            • __vbaFileOpen.MSVBVM60(00000220,000000FF,?), ref: 004374D0
                            • __vbaPut3.MSVBVM60(00000000,00000000,?), ref: 004374E8
                            • __vbaFileClose.MSVBVM60(?), ref: 004374FA
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$File$#648ChkstkCloseErrorFreeOpenPut3
                            • String ID:
                            • API String ID: 509661398-0
                            • Opcode ID: 90eec5d01f0493e4f23ec94d1b0f8293ad898e0cb431004d69751aab33aff11d
                            • Instruction ID: 61b9eb67c3123aa1112f3f7bda87e6a2497cf77cc658bb8372833b38b4a743c3
                            • Opcode Fuzzy Hash: 90eec5d01f0493e4f23ec94d1b0f8293ad898e0cb431004d69751aab33aff11d
                            • Instruction Fuzzy Hash: 75212CB4801248EBDB00DFD4CA48BDEBBB8FB08715F208159F511776A0D7B95A44CBA5
                            Function 00426E76 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45COMMON
                            Download Yara Rule
                            APIs
                            • __vbaGenerateBoundsError.MSVBVM60 ref: 00426EC2
                            • #645.MSVBVM60(00004008,00000010), ref: 00426EF3
                            • __vbaStrMove.MSVBVM60 ref: 00426F01
                            • __vbaStrCmp.MSVBVM60(00405BB8,00000000), ref: 00426F0D
                            • __vbaFreeStr.MSVBVM60 ref: 00426F27
                            • __vbaAryUnlock.MSVBVM60(?,00428451), ref: 00428379
                            • __vbaAryUnlock.MSVBVM60(?), ref: 00428386
                            • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042839C
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004283AE
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004283BD
                            • __vbaFreeStr.MSVBVM60(?,00000000,00403596), ref: 004283C6
                            • __vbaFreeVar.MSVBVM60(?,00000000,00403596), ref: 004283CF
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004283DB
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004283F3
                            • __vbaFreeStr.MSVBVM60(?,00000000,00403596), ref: 004283FC
                            • __vbaFreeStr.MSVBVM60(?,00000000,00403596), ref: 00428405
                            • __vbaFreeStr.MSVBVM60(?,00000000,00403596), ref: 0042840E
                            • __vbaFreeStr.MSVBVM60(?,00000000,00403596), ref: 00428417
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042842F
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042843E
                            • __vbaFreeStr.MSVBVM60(?,00000000,00403596), ref: 0042844A
                            • __vbaErrorOverflow.MSVBVM60 ref: 00428468
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Free$Destruct$ErrorUnlock$#645BoundsGenerateListMoveOverflow
                            • String ID: @
                            • API String ID: 3707961213-2766056989
                            • Opcode ID: 65eee5e3f111d8f333aee81df2f940714b34280a7982381a087cc300da6d5ce4
                            • Instruction ID: deb8df03e26c3e372ce134dbde96e30dfa96134267f65f1582378dc777531bd0
                            • Opcode Fuzzy Hash: 65eee5e3f111d8f333aee81df2f940714b34280a7982381a087cc300da6d5ce4
                            • Instruction Fuzzy Hash: 69111630A00229CADB24EF60DA487EDB3B1FF15B01F6040DAD10AB2250EB740BC5CF59
                            Function 0042FAE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39COMMON
                            Download Yara Rule
                            APIs
                            • __vbaStrCopy.MSVBVM60(?,?,00000000), ref: 0042FB1F
                              • Part of subcall function 004336B0: __vbaLenBstr.MSVBVM60(00000000,x*@,00000000,6D10D8B1), ref: 004336F9
                              • Part of subcall function 004336B0: __vbaLenBstr.MSVBVM60 ref: 00433707
                              • Part of subcall function 004336B0: __vbaFpI4.MSVBVM60 ref: 00433741
                              • Part of subcall function 004336B0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000), ref: 00433761
                              • Part of subcall function 004336B0: __vbaUbound.MSVBVM60(00000001,?), ref: 00433770
                              • Part of subcall function 004336B0: __vbaGenerateBoundsError.MSVBVM60 ref: 004337B0
                              • Part of subcall function 004336B0: #631.MSVBVM60(?,?,?,0040BA58), ref: 004337E4
                              • Part of subcall function 004336B0: __vbaStrMove.MSVBVM60 ref: 004337EF
                              • Part of subcall function 004336B0: __vbaStrCat.MSVBVM60(00000000), ref: 004337F2
                              • Part of subcall function 004336B0: __vbaStrMove.MSVBVM60 ref: 004337FD
                            • __vbaAryMove.MSVBVM60(?,?,?), ref: 0042FB39
                            • __vbaFreeStr.MSVBVM60 ref: 0042FB42
                            • __vbaAryDestruct.MSVBVM60(00000000,?,0042FB78), ref: 0042FB71
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Move$Bstr$#631BoundsCopyDestructErrorFreeGenerateRedimUbound
                            • String ID: 00000001
                            • API String ID: 444737788-3071262101
                            • Opcode ID: 4dca48a27ae7b8b27d47a6956a4afd250038cd68b9a109360178d362541cab34
                            • Instruction ID: 5cac5f58681416850c3f7f640b8c84f25c9ea8b457d4a8c8af4af31a955d1f57
                            • Opcode Fuzzy Hash: 4dca48a27ae7b8b27d47a6956a4afd250038cd68b9a109360178d362541cab34
                            • Instruction Fuzzy Hash: 180112B0D00249AFCF40DFE5C949AEEBBB8EB08700F50856AE105F2190E7785549CB65
                            Function 00417630 Relevance: 6.1, APIs: 4, Instructions: 62COMMON
                            Download Yara Rule
                            APIs
                            • __vbaAryUnlock.MSVBVM60(?), ref: 00417634
                            • __vbaFreeStrList.MSVBVM60(0000000F,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004176A5
                            • __vbaFreeObj.MSVBVM60 ref: 004176B4
                            • __vbaFreeVarList.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,?,?), ref: 00417702
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Free$List$Unlock
                            • String ID:
                            • API String ID: 3250417665-0
                            • Opcode ID: 196ed63b370c39b2ecf9ba317ab2d712c356471517bb58430862963607b210a4
                            • Instruction ID: 46db4d59000ae6687cc9ca2c6ff82634fe09280c4e1a7a043da4238f6b86aba3
                            • Opcode Fuzzy Hash: 196ed63b370c39b2ecf9ba317ab2d712c356471517bb58430862963607b210a4
                            • Instruction Fuzzy Hash: 3C2193B781011CAADB26CB94CD94FEA737DBB58700F0485DEB21E66451EA706B8CCF61
                            Function 00419E04 Relevance: 6.1, APIs: 4, Instructions: 61COMMON
                            Download Yara Rule
                            APIs
                            • __vbaFreeStr.MSVBVM60 ref: 00419E11
                            • __vbaFreeStrList.MSVBVM60(00000013,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00419E68
                            • __vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 00419E8F
                            • __vbaFreeVar.MSVBVM60 ref: 00419E9E
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: Free__vba$List
                            • String ID:
                            • API String ID: 2192533141-0
                            • Opcode ID: b434849d01722693cf2df09cd71abcc4319a701c9fb45172978601c57fa60e53
                            • Instruction ID: f780ff4091b628c7392911114437d44bbc300bd70de6526b42cf1121ac9334e1
                            • Opcode Fuzzy Hash: b434849d01722693cf2df09cd71abcc4319a701c9fb45172978601c57fa60e53
                            • Instruction Fuzzy Hash: 5821B6B781021CAADF1ACBD4CD90EEEB37DBB48700F04825EE217A6455EA706748CF60
                            Function 0041FAD8 Relevance: 6.1, APIs: 4, Instructions: 60COMMON
                            Download Yara Rule
                            APIs
                            • __vbaFreeStr.MSVBVM60 ref: 0041FAE8
                            • __vbaAryUnlock.MSVBVM60(?), ref: 0041FAF5
                            • __vbaFreeStrList.MSVBVM60(0000000D,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041FB58
                            • __vbaFreeVarList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,?), ref: 0041FBA2
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Free$List$Unlock
                            • String ID:
                            • API String ID: 3250417665-0
                            • Opcode ID: 26fa374e616543d9b38cd329560c1d7255f8aa18045080f0be1a4216d9cfe91a
                            • Instruction ID: e723ef3ffa429f5b08abfb4e2069f862940cadc0f3ec0b6d67540cac903db33a
                            • Opcode Fuzzy Hash: 26fa374e616543d9b38cd329560c1d7255f8aa18045080f0be1a4216d9cfe91a
                            • Instruction Fuzzy Hash: 8621927781012CABDB65DB84CD94EDAB37DAB48700F0445DAE60B66450EA706BC8CF64
                            Function 0043DAC0 Relevance: 6.0, APIs: 4, Instructions: 36COMMON
                            Download Yara Rule
                            APIs
                            • __vbaStrToAnsi.MSVBVM60(?,?,?,?,00000000,?,?,?,?,00000000,00403596), ref: 0043DAFF
                            • __vbaSetSystemError.MSVBVM60(00000000,?,?,?,00000000,?,?,?,?,00000000,00403596), ref: 0043DB0B
                            • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,?,?,?,?,00000000,00403596), ref: 0043DB16
                            • __vbaFreeStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00403596), ref: 0043DB1F
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$AnsiErrorFreeSystemUnicode
                            • String ID:
                            • API String ID: 1195834276-0
                            • Opcode ID: 7cc7d12207acbbf9dbe5705aeb13e72deb0bdf7140ced2163ee6c0b40fd83c17
                            • Instruction ID: a052ed6dff7569fce0d5cdbde396104d1482e5ce24a22c2bc83af9c4f7890876
                            • Opcode Fuzzy Hash: 7cc7d12207acbbf9dbe5705aeb13e72deb0bdf7140ced2163ee6c0b40fd83c17
                            • Instruction Fuzzy Hash: CBF03CB1D00249AFCB00EFA5DD49AAFBBBCFB08705F10456AF505F3150D7786A058BA5
                            Function 004200F6 Relevance: 6.0, APIs: 4, Instructions: 26COMMON
                            Download Yara Rule
                            APIs
                            • __vbaFreeStr.MSVBVM60 ref: 00420103
                            • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0042011F
                            • __vbaFreeVar.MSVBVM60 ref: 0042012B
                            • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00420137
                            Memory Dump Source
                            • Source File: 00000004.00000002.2673929776.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_Purchase Order AB013058.jbxd
                            Yara matches
                            Similarity
                            • API ID: __vba$Free$DestructList
                            • String ID:
                            • API String ID: 1934303848-0
                            • Opcode ID: 877dd100a1529b4c97d98b71b593377e6f36c8d92425dd652bbbe38c5b5cefd9
                            • Instruction ID: e3fb4c3831bf3a66e1793030874a96654b3ea14229c742369d95e12bb8ba51d8
                            • Opcode Fuzzy Hash: 877dd100a1529b4c97d98b71b593377e6f36c8d92425dd652bbbe38c5b5cefd9
                            • Instruction Fuzzy Hash: 0AF0F8728001199BDF09DBD0DD98EFE7739FF44701F04412EE607AA065EA702649CF54