Edit tour

Windows Analysis Report
SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe

Overview

General Information

Sample name:	SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe
Analysis ID:	1368584
MD5:	6b64da54d1dc0ed56ee74b830415bf80
SHA1:	901e52797fa8f878549cd913badae459213ba2ca
SHA256:	82bfaa07d548662efd85a71d121be0b067b6a78fb4c811bec2048a5826c2c716
Tags:	exe
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Found large amount of non-executed APIs

Potential time zone aware malware

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe (PID: 6648 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe MD5: 6B64DA54D1DC0ED56EE74B830415BF80)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe

Static PE information: certificate valid

Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: https://webpost.itsupport247.net
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: https://webpost.itsupport247.net/tfr_wpmalwrconfig.asp?mmid=
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: https://webpost.itsupport247.net/tfr_wpmalwrignorelist.asp?mmid=
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: https://webpost.itsupport247.net/tfr_wpmalwrignorelist.asp?mmid=&
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: https://webpost.itsupport247.net/tfr_wpmalwrignrlistaudit.asp?mmid=
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: https://webpost.itsupport247.net/tfr_wpmalwrignrlistaudit.asp?mmid=0
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: https://webpost.itsupport247.net/tfr_wpmalwrscheduledtl.asp?mmid=
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: https://webpost.itsupport247.net/tfr_wpmalwrscheduledtl.asp?mmid=(
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: https://webpost.itsupport247.net/tfr_wpmalwrtemplateinfo.asp?mmid=
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: https://webpost.itsupport247.net/tfr_wpmbactiveprotectionstate.asp?mmid=
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: https://webpost.itsupport247.net/tfr_wpmbactiveprotectionstate.asp?mmid=&SendProtectionState8wpmbact
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: https://webpost2.itsupport247.net/
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: https://webpost2.itsupport247.net/tfr_wpmalwrprdkeyinfo.asp?mmid=
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: https://webpost2.itsupport247.net/tfr_wpmalwrprdkeyinfo.asp?mmid=4
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: https://webpost2.itsupport247.net/tfr_wpmalwrregstatus.asp?mmid=
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: https://webpost2.itsupport247.net/tfr_wpmalwruninstallst.asp?mmid=

Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe, 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMBConfig.exe vs SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	Binary or memory string: OriginalFilenameMBConfig.exe vs SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe

Section loaded: vb6zz.dll

Jump to behavior

Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	Binary or memory string: D*\AD:\umesh jadhav\VSS modules\Malwarebytes\MBConfig\MBConfig.vbp
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe, 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: lp[@*\AD:\umesh jadhav\VSS modules\Malwarebytes\MBConfig\MBConfig.vbp

Source: classification engine

Classification label: clean3.winEXE@1/0@0/0

Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: /protection -install
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: /protection -stop
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: /protection -start
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: /ignore -add folder
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: /ignore -add file
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: /ignore -add value
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: /ignore -add key
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: /ignore -add ip
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: /ignore -add url
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: wpmalwrtemplateinfo/addignorelist
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: &ec=0(/ignore -add folder
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: #@#$/ignore -add file
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: folder"/ignore -add key *Registry Key Added : &/ignore -add value .Registry Value Added : /ignore -add ip
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: IP Added : "/ignore -add url
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: StartTime:wpmalwrtemplateinfo/scnadditm@wpmalwrtemplateinfo/enbladdhrtcs:wpmalwrtemplateinfo/actptopswFwpmalwrtemplateinfo/actunwntdmodfct@wpmalwrtemplateinfo/actunwntdprgBwpmalwrtemplateinfo/autoflashscan:wpmalwrtemplateinfo/actprotfs:wpmalwrtemplateinfo/actprotipBwpmalwrtemplateinfo/addignorelist
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: WeekDays&UpdateSaazScheduler(fncReadSaazSchedulerFBaseComponents\MBytes\SchConfig.txt"IsUpdtSchRequired"/protection -stop,/protection -uninstall(/protection -install0/set startwithwindows on$/protection -start0/set startfsdisabled off./set startfsdisabled on0/set startipdisabled off./set startipdisabled on
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: WeekDays&UpdateSaazScheduler(fncReadSaazSchedulerFBaseComponents\MBytes\SchConfig.txt"IsUpdtSchRequired"/protection -stop,/protection -uninstall(/protection -install0/set startwithwindows on$/protection -start0/set startfsdisabled off./set startfsdisabled on0/set startipdisabled off./set startipdisabled on
Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	String found in binary or memory: WeekDays&UpdateSaazScheduler(fncReadSaazSchedulerFBaseComponents\MBytes\SchConfig.txt"IsUpdtSchRequired"/protection -stop,/protection -uninstall(/protection -install0/set startwithwindows on$/protection -start0/set startfsdisabled off./set startfsdisabled on0/set startipdisabled off./set startipdisabled on

Source: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe

Static PE information: certificate valid

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	Code function: 0_2_00405C94 push eax; retn 0044h		0_2_00405C95
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	Code function: 0_2_00405CBB pushad ; retn 0044h		0_2_00405CC5

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe

API coverage: 0.2 %

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	0%	ReversingLabs
SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	1%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.thawte.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://webpost.itsupport247.net/tfr_wpmalwrscheduledtl.asp?mmid=(	SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	false		high
https://webpost.itsupport247.net/tfr_wpmbactiveprotectionstate.asp?mmid=	SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	false		high
https://webpost2.itsupport247.net/tfr_wpmalwrprdkeyinfo.asp?mmid=	SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	false		high
https://webpost.itsupport247.net/tfr_wpmalwrconfig.asp?mmid=	SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	false		high
https://webpost.itsupport247.net	SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	false		high
https://webpost.itsupport247.net/tfr_wpmalwrignorelist.asp?mmid=	SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	false		high
http://ocsp.thawte.com0	SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	false	URL Reputation: safe	unknown
https://webpost.itsupport247.net/tfr_wpmalwrignorelist.asp?mmid=&	SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	false		high
https://webpost2.itsupport247.net/	SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	false		high
https://webpost.itsupport247.net/tfr_wpmbactiveprotectionstate.asp?mmid=&SendProtectionState8wpmbact	SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	false		high
https://webpost.itsupport247.net/tfr_wpmalwrtemplateinfo.asp?mmid=	SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	false		high
https://webpost.itsupport247.net/tfr_wpmalwrignrlistaudit.asp?mmid=0	SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	false		high
https://webpost.itsupport247.net/tfr_wpmalwrignrlistaudit.asp?mmid=	SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	false		high
https://webpost2.itsupport247.net/tfr_wpmalwruninstallst.asp?mmid=	SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	false		high
https://webpost2.itsupport247.net/tfr_wpmalwrprdkeyinfo.asp?mmid=4	SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	false		high
https://webpost.itsupport247.net/tfr_wpmalwrscheduledtl.asp?mmid=	SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	false		high
https://webpost2.itsupport247.net/tfr_wpmalwrregstatus.asp?mmid=	SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1368584
Start date and time:	2024-01-01 21:15:26 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe
Detection:	CLEAN
Classification:	clean3.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 67% Number of executed functions: 3 Number of non-executed functions: 69
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.779795968789662
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe
File size:	331'496 bytes
MD5:	6b64da54d1dc0ed56ee74b830415bf80
SHA1:	901e52797fa8f878549cd913badae459213ba2ca
SHA256:	82bfaa07d548662efd85a71d121be0b067b6a78fb4c811bec2048a5826c2c716
SHA512:	875ac412ea87857e23bb0c8e8e8cad0883c10f84f4f61279cda50f20e6e91f66dcc4d520d0dc336e6cf3c5201f949579d627c3377402b895ce5cc7a8b0b5b407
SSDEEP:	6144:+ptTy/ujr5tSXtOdiL2QGDq2qr8kgugBs9pofOtcrnK2O2eIKGRvM2yjqS:XWzqrXpgBs9yfa6j7yjqS
TLSH:	B964A417FB60200EF16389B018356511996BFD361E91EC9FAB807A4E6475AC3DAF0B1F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................z.......................Rich............................PE..L......U.....................0.......O............@

File Icon


Icon Hash:	8dcca6f0cce9b20d

Static PE Info

General

Entrypoint:	0x404fbc
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x5506870A [Mon Mar 16 07:32:26 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	472cceca95ba9325e78498a51fcd2075

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	05/05/2014 02:00:00 04/06/2016 01:59:59
Subject Chain	CN="Continuum Managed Services, LLC", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Continuum Managed Services, LLC", L=Boston, S=Massachusetts, C=US
Version:	3
Thumbprint MD5:	505A27A8768C8EEC9C9F6F4D620E2861
Thumbprint SHA-1:	E9784DB7FFC00221582180455EE0155E036DC90B
Thumbprint SHA-256:	F3CE868009B554C6B26CB56BCA095F79461A4427E0DE05D9531EB51C639181EC
Serial:	7BA337AA82059C429E2451E39BE22328

Entrypoint Preview

Instruction
push 00405268h
call 00007F716CD99575h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], al
jc 00007F716CD99503h
sahf
jns 00007F716CD995DFh
mov eax, 46F69B43h
pop ebx
fmulp st(1), st(0)
cdq
test dword ptr [eax], 00000000h
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebp+42h], cl
inc ebx
outsd
outsb
imul sp, word ptr [edi+00h], 0000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax+5Bh], dh
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4ab04	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4d000	0x1918	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4f000	0x1ee8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x238	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x2ec	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4a6c0	0x4b000	False	0.27095377604166665	data	5.781351854553988	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4c000	0xcb4	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4d000	0x1918	0x2000	False	0.339599609375	data	4.713890590061011	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4da70	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.5122601279317697
RT_ICON	0x4d940	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 256			0.3223684210526316
RT_ICON	0x4d658	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.19623655913978494
RT_ICON	0x4d530	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192			0.4155405405405405
RT_GROUP_ICON	0x4d51c	0x14	data	English	United States	1.15
RT_GROUP_ICON	0x4d4ec	0x30	data			1.0
RT_VERSION	0x4d1b0	0x33c	data	English	United States	0.46618357487922707

Imports

DLL	Import
MSVBVM60.DLL	__vbaVarTstGt, __vbaVarSub, __vbaStrI2, _CIcos, _adj_fptan, __vbaVarMove, __vbaStrI4, __vbaVarVargNofree, __vbaAryMove, __vbaFreeVar, __vbaLineInputStr, __vbaLenBstr, __vbaStrVarMove, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, __vbaNextEachVar, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaResume, __vbaStrCat, __vbaVarCmpNe, __vbaLsetFixstr, __vbaRecDestruct, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaBoolStr, __vbaVarForInit, __vbaForEachCollObj, __vbaExitProc, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarIndexLoad, __vbaBoolVar, __vbaStrFixstr, __vbaForEachCollVar, __vbaRefVarAry, __vbaFpR8, __vbaBoolVarNull, _CIsin, __vbaErase, __vbaVarZero, __vbaNextEachCollObj, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaVarTstEq, __vbaObjVar, __vbaNextEachCollVar, __vbaI2I4, DllFunctionCall, __vbaVarOr, __vbaRedimPreserve, _adj_fpatan, __vbaFixstrConstruct, __vbaStrR8, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaNew, _CIsqrt, __vbaObjIs, __vbaVarAnd, EVENT_SINK_QueryInterface, __vbaStr2Vec, __vbaExceptHandler, __vbaPrintFile, __vbaStrToUnicode, __vbaDateStr, _adj_fprem, _adj_fdivr_m64, __vbaI2Str, __vbaFPException, __vbaInStrVar, __vbaUbound, __vbaStrVarVal, __vbaVarCat, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaVarLateMemCallLdRf, __vbaR8Str, __vbaVar2Vec, __vbaInStr, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarSetVar, __vbaI4Var, __vbaVarCmpEq, __vbaLateMemCall, __vbaAryLock, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, __vbaUnkVar, __vbaVarCopy, __vbaVarLateMemCallLd, __vbaLateMemCallLd, __vbaVarSetObjAddref, __vbaRecDestructAnsi, _CIatan, __vbaCastObj, __vbaAryCopy, __vbaStrMove, __vbaForEachVar, __vbaStrVarCopy, _allmul, _CItan, __vbaAryUnlock, __vbaVarForNext, _CIexp, __vbaRecAssign, __vbaFreeObj, __vbaFreeStr

DLL

Import

MSVBVM60.DLL

__vbaVarTstGt, __vbaVarSub, __vbaStrI2, _CIcos, _adj_fptan, __vbaVarMove, __vbaStrI4, __vbaVarVargNofree, __vbaAryMove, __vbaFreeVar, __vbaLineInputStr, __vbaLenBstr, __vbaStrVarMove, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, __vbaNextEachVar, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaResume, __vbaStrCat, __vbaVarCmpNe, __vbaLsetFixstr, __vbaRecDestruct, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaBoolStr, __vbaVarForInit, __vbaForEachCollObj, __vbaExitProc, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarIndexLoad, __vbaBoolVar, __vbaStrFixstr, __vbaForEachCollVar, __vbaRefVarAry, __vbaFpR8, __vbaBoolVarNull, _CIsin, __vbaErase, __vbaVarZero, __vbaNextEachCollObj, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaVarTstEq, __vbaObjVar, __vbaNextEachCollVar, __vbaI2I4, DllFunctionCall, __vbaVarOr, __vbaRedimPreserve, _adj_fpatan, __vbaFixstrConstruct, __vbaStrR8, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaNew, _CIsqrt, __vbaObjIs, __vbaVarAnd, EVENT_SINK_QueryInterface, __vbaStr2Vec, __vbaExceptHandler, __vbaPrintFile, __vbaStrToUnicode, __vbaDateStr, _adj_fprem, _adj_fdivr_m64, __vbaI2Str, __vbaFPException, __vbaInStrVar, __vbaUbound, __vbaStrVarVal, __vbaVarCat, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaVarLateMemCallLdRf, __vbaR8Str, __vbaVar2Vec, __vbaInStr, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarSetVar, __vbaI4Var, __vbaVarCmpEq, __vbaLateMemCall, __vbaAryLock, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, __vbaUnkVar, __vbaVarCopy, __vbaVarLateMemCallLd, __vbaLateMemCallLd, __vbaVarSetObjAddref, __vbaRecDestructAnsi, _CIatan, __vbaCastObj, __vbaAryCopy, __vbaStrMove, __vbaForEachVar, __vbaStrVarCopy, _allmul, _CItan, __vbaAryUnlock, __vbaVarForNext, _CIexp, __vbaRecAssign, __vbaFreeObj, __vbaFreeStr

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe

Click to jump to process

Memory Usage

• SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Target ID:	0
Start time:	21:16:28
Start date:	01/01/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe
Imagebase:	0x400000
File size:	331'496 bytes
MD5 hash:	6B64DA54D1DC0ED56EE74B830415BF80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0.5%
Signature Coverage:	0%
Total number of Nodes:	990
Total number of Limit Nodes:	1

Executed Functions

Function 0042C9A0 Relevance: 63.3, APIs: 35, Strings: 1, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaOnError.MSVBVM60(00000001,6CE6D83C,?,00000000), ref: 0042CA11
__vbaStrToAnsi.MSVBVM60(?,?,00000000,00000001,?), ref: 0042CA35
__vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,00000001,?), ref: 0042CA46
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000,00000001,?), ref: 0042CA57
__vbaFreeStr.MSVBVM60(?,00000000,?,00000000,00000001,?), ref: 0042CA5F
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00000001,?), ref: 0042CA9B
__vbaStrToAnsi.MSVBVM60(?,00000000,?,00000000,?,00000000,00000001,?), ref: 0042CAA6
__vbaStrToAnsi.MSVBVM60(?,?,?,00000001,?,?,?,00000000,?,00000000,00000001,?), ref: 0042CAC6
__vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,?,00000000,00000001,?), ref: 0042CAD5
__vbaStrToUnicode.MSVBVM60(00000001,?,?,00000000,?,00000000,00000001,?), ref: 0042CAE0
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,00000000,?,00000000,00000001,?), ref: 0042CAF6
#525.MSVBVM60(?,?,?,00000001,?), ref: 0042CB1E
__vbaStrMove.MSVBVM60(?,?,00000001,?), ref: 0042CB29
__vbaStrToAnsi.MSVBVM60(?,?,?,?,?,00000001,?), ref: 0042CB49
__vbaStrToAnsi.MSVBVM60(?,?,00000000,00000001,00000000,?,?,00000001,?), ref: 0042CB59
__vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,00000001,00000000,?,?,00000001,?), ref: 0042CB68
__vbaStrToUnicode.MSVBVM60(00000001,?,?,00000000,00000001,00000000,?,?,00000001,?), ref: 0042CB73
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,00000001,00000000,?,?,00000001,?), ref: 0042CB7D
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,00000001,00000000,?,?,00000001,?), ref: 0042CB8F
#616.MSVBVM60(?,?,?,?,00000001,?), ref: 0042CBBE
__vbaStrMove.MSVBVM60(?,?,00000001,?), ref: 0042CBC9
__vbaStrCopy.MSVBVM60(?,?,00000001,?), ref: 0042CBDC
__vbaExitProc.MSVBVM60(?,?,00000001,?), ref: 0042CBE2
__vbaStrToAnsi.MSVBVM60(?,00000020,00000000,?,?,00000020,?,00000000,?,00000000,00000001,?), ref: 0042CC2B
__vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,?,00000000,00000001,?), ref: 0042CC39
__vbaStrToUnicode.MSVBVM60(00000001,?,?,00000000,?,00000000,00000001,?), ref: 0042CC44
__vbaFreeStr.MSVBVM60(?,00000000,?,00000000,00000001,?), ref: 0042CC49
__vbaStrI4.MSVBVM60(?,?,00000000,?,00000000,00000001,?), ref: 0042CC65
__vbaStrMove.MSVBVM60(?,00000000,?,00000000,00000001,?), ref: 0042CC70
__vbaExitProc.MSVBVM60(?,00000000,?,00000000,00000001,?), ref: 0042CC76
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00000001,?), ref: 0042CC95
__vbaExitProc.MSVBVM60(?,00000000,?,00000000,00000001,?), ref: 0042CC9B
__vbaExitProc.MSVBVM60(?,00000000,?,00000000,00000001,?), ref: 0042CDF5
__vbaFreeStr.MSVBVM60(0042CE58,?,00000000,?,00000000,00000001,?), ref: 0042CE51

Strings

, xrefs: 0042CC09

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Ansi$ErrorFreeUnicode$ExitProcSystem$CopyMove$List$#525#616
String ID:
API String ID: 330019382-3916222277
Opcode ID: 9cd808ef110cc928ce8bbdec73ca6e40830ffc47be58d2dcae275445d59655fd
Instruction ID: ebfda267fd3c2a133e45f08d633ffe08c3df0f1e74dec8e59eb3913051d4d8e6
Opcode Fuzzy Hash: 9cd808ef110cc928ce8bbdec73ca6e40830ffc47be58d2dcae275445d59655fd
Instruction Fuzzy Hash: 88A1B5B1D10218EBDB14DFE4E988ADEBBB9FF48700F10815AE506B7260DBB45A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00414260 Relevance: 12.1, APIs: 8, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,00404B66), ref: 0041427E
__vbaStrCopy.MSVBVM60(?,?,?,?,00404B66), ref: 004142B7
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404B66), ref: 004142C6
#645.MSVBVM60(00004008,00000010), ref: 004142E6
__vbaStrMove.MSVBVM60 ref: 004142F1
__vbaStrCmp.MSVBVM60(00405F48,00000000), ref: 004142FD
__vbaFreeStr.MSVBVM60 ref: 00414311
__vbaFreeStr.MSVBVM60(00414356), ref: 0041434F

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$#645ChkstkCopyErrorMove
String ID:
API String ID: 261703656-0
Opcode ID: 136fd64b8e54a792e814259614aaa0fdbdc3bc5fb64fd11f5386d3a0caed8d04
Instruction ID: 72fd8a27d6d656bb203e1743176f54fe215745347b47a82870b7ef4b3ed562ce
Opcode Fuzzy Hash: 136fd64b8e54a792e814259614aaa0fdbdc3bc5fb64fd11f5386d3a0caed8d04
Instruction Fuzzy Hash: 76213D74900208EBCB00DFA4DA89BDEBBB4FF48705F208169E512B72A0DB785A45CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00404FBC Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(00405268), ref: 00404FC1

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: #100
String ID:
API String ID: 1341478452-0
Opcode ID: e46bd725314600806dd5ed6ed7197a2cd8858193f1f629e24407fa8204c6c591
Instruction ID: 4fb7f4713162326bb61cd32c45e0bfd10d436aee1e3b542b8e6694f4e91bc323
Opcode Fuzzy Hash: e46bd725314600806dd5ed6ed7197a2cd8858193f1f629e24407fa8204c6c591
Instruction Fuzzy Hash: F0110B9160EBC24FC30747719D326857FB0AE13618B1E01DBD1D1DA0F3D26D494AC726

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0043ACC0 Relevance: 198.2, APIs: 96, Strings: 17, Instructions: 498COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,6CF560EF,6CE9285F,6CE927C2), ref: 0043AD2B
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0043AD45
__vbaStrMove.MSVBVM60 ref: 0043AD56
__vbaStrCopy.MSVBVM60 ref: 0043AD67
__vbaStrCmp.MSVBVM60(00405F48), ref: 0043AD85
__vbaStrCmp.MSVBVM60(00405F48,68000000), ref: 0043AD9D
__vbaStrCat.MSVBVM60(?, /schedule /scan -), ref: 0043ADC7
__vbaStrMove.MSVBVM60(?, /schedule /scan -), ref: 0043ADCE
#519.MSVBVM60(8D8D0000,?, /schedule /scan -), ref: 0043ADDB
__vbaStrMove.MSVBVM60(?, /schedule /scan -), ref: 0043ADE6
#517.MSVBVM60(00000000,?, /schedule /scan -), ref: 0043ADE9
__vbaStrMove.MSVBVM60(?, /schedule /scan -), ref: 0043ADF4
__vbaStrCmp.MSVBVM60(true,00000000,?, /schedule /scan -), ref: 0043ADFC
__vbaFreeStrList.MSVBVM60(00000002,?,?,?, /schedule /scan -), ref: 0043AE17
__vbaStrCat.MSVBVM60( -remove,?), ref: 0043AE37
__vbaStrMove.MSVBVM60 ref: 0043AE3E
#519.MSVBVM60(FFFFFF78), ref: 0043AE4B
__vbaStrMove.MSVBVM60 ref: 0043AE56
#517.MSVBVM60(00000000), ref: 0043AE59
__vbaStrMove.MSVBVM60 ref: 0043AE64
__vbaStrCmp.MSVBVM60(true,00000000), ref: 0043AE6C
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0043AE87
__vbaStrCat.MSVBVM60( -reboot,?), ref: 0043AEA7
__vbaStrMove.MSVBVM60 ref: 0043AEAE
__vbaStrCat.MSVBVM60( -log -silent,?), ref: 0043AEC0
__vbaStrMove.MSVBVM60 ref: 0043AEC7
#519.MSVBVM60(0034FC45), ref: 0043AED4
__vbaStrMove.MSVBVM60 ref: 0043AEDF
#517.MSVBVM60(00000000), ref: 0043AEE2
__vbaStrMove.MSVBVM60 ref: 0043AEED
__vbaStrCmp.MSVBVM60(true,00000000), ref: 0043AEF5
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0043AF10
__vbaStrCat.MSVBVM60( /wakefromsleep,?), ref: 0043AF30
__vbaStrMove.MSVBVM60 ref: 0043AF37
__vbaStrCat.MSVBVM60(0040EFB4,?), ref: 0043AF49
__vbaStrMove.MSVBVM60 ref: 0043AF50
#517.MSVBVM60(68000000,00000000), ref: 0043AF57
__vbaStrMove.MSVBVM60 ref: 0043AF62
__vbaStrCat.MSVBVM60(00000000), ref: 0043AF65
__vbaStrMove.MSVBVM60 ref: 0043AF6C
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0043AF78
#519.MSVBVM60(00002710), ref: 0043AF8C
__vbaStrMove.MSVBVM60 ref: 0043AF97
#517.MSVBVM60(00000000), ref: 0043AF9A
__vbaStrMove.MSVBVM60 ref: 0043AFA5
__vbaStrCmp.MSVBVM60(00405F48,00000000), ref: 0043AFAD
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0043AFC9
__vbaStrCat.MSVBVM60( /starting ,?), ref: 0043AFE9
__vbaStrMove.MSVBVM60 ref: 0043AFF0
__vbaStrCat.MSVBVM60(00002710,00000000), ref: 0043AFF7
__vbaStrMove.MSVBVM60 ref: 0043AFFE
__vbaFreeStr.MSVBVM60 ref: 0043B003
#519.MSVBVM60(C7D6FFFF), ref: 0043B014
__vbaStrMove.MSVBVM60 ref: 0043B01F
#517.MSVBVM60(00000000), ref: 0043B022
__vbaStrMove.MSVBVM60 ref: 0043B02D
__vbaStrCmp.MSVBVM60(00405F48,00000000), ref: 0043B035
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0043B051
__vbaStrCat.MSVBVM60( /every ,?), ref: 0043B071
__vbaStrMove.MSVBVM60 ref: 0043B078
__vbaStrCat.MSVBVM60(C7D6FFFF,00000000), ref: 0043B07F
__vbaStrMove.MSVBVM60 ref: 0043B086
__vbaFreeStr.MSVBVM60 ref: 0043B08B
#519.MSVBVM60(FD04EAE8), ref: 0043B09C
__vbaStrMove.MSVBVM60 ref: 0043B0A7
#517.MSVBVM60(00000000), ref: 0043B0AA
__vbaStrMove.MSVBVM60 ref: 0043B0B5
__vbaStrCmp.MSVBVM60(00405F48,00000000), ref: 0043B0BD
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0043B0D9
__vbaStrCat.MSVBVM60( /recover ,?), ref: 0043B0F9
__vbaStrMove.MSVBVM60 ref: 0043B100
__vbaStrCat.MSVBVM60(FD04EAE8,00000000), ref: 0043B107
__vbaStrMove.MSVBVM60 ref: 0043B10E
__vbaFreeStr.MSVBVM60 ref: 0043B113
__vbaStrCat.MSVBVM60( /errorsilent /silent /xml,?), ref: 0043B129
__vbaStrMove.MSVBVM60 ref: 0043B130
__vbaStrCopy.MSVBVM60 ref: 0043B148
__vbaStrCopy.MSVBVM60 ref: 0043B156

Part of subcall function 0042C2D0: __vbaStrCopy.MSVBVM60(6CE6D83C,6CE6D8B1,?), ref: 0042C369
Part of subcall function 0042C2D0: __vbaStrCopy.MSVBVM60 ref: 0042C371
Part of subcall function 0042C2D0: __vbaOnError.MSVBVM60(00000001), ref: 0042C37C
Part of subcall function 0042C2D0: __vbaStrCopy.MSVBVM60 ref: 0042C391
Part of subcall function 0042C2D0: __vbaStrCopy.MSVBVM60 ref: 0042C3A2
Part of subcall function 0042C2D0: __vbaStrCopy.MSVBVM60 ref: 0042C3F0
Part of subcall function 0042C2D0: __vbaStrCopy.MSVBVM60 ref: 0042C401
Part of subcall function 0042C2D0: __vbaStrCopy.MSVBVM60 ref: 0042C41A
Part of subcall function 0042C2D0: #526.MSVBVM60(?,00000001), ref: 0042C433
Part of subcall function 0042C2D0: __vbaStrCat.MSVBVM60(?, Execution Path & Parameters : ), ref: 0042C442

__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,000493E0), ref: 0043B183
__vbaStrCat.MSVBVM60(00000000,Schedule for ,00405F48,00405F48,00405F48,?), ref: 0043B1C3
__vbaStrMove.MSVBVM60 ref: 0043B1CA
__vbaStrCat.MSVBVM60( Scan Success.,00000000), ref: 0043B1D2
__vbaStrMove.MSVBVM60 ref: 0043B1D9
__vbaStrCat.MSVBVM60(00000000,Schedule for ,00405F48,00405F48,00405F48,?), ref: 0043B237
__vbaStrMove.MSVBVM60 ref: 0043B23E
__vbaStrCat.MSVBVM60( Scan Failed.,00000000), ref: 0043B246
__vbaStrMove.MSVBVM60 ref: 0043B24D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0043B284
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0043B294
__vbaFreeVar.MSVBVM60 ref: 0043B3D4
__vbaExitProc.MSVBVM60 ref: 0043B3DA
__vbaFreeStr.MSVBVM60(0043B440), ref: 0043B429
__vbaFreeStr.MSVBVM60 ref: 0043B42E
__vbaFreeStr.MSVBVM60 ref: 0043B433
__vbaFreeStr.MSVBVM60 ref: 0043B438
__vbaFreeStr.MSVBVM60 ref: 0043B43D

Strings

/starting , xrefs: 0043AFE4
UpdateMBytesScheduler, xrefs: 0043B1E1, 0043B255
Scan Success., xrefs: 0043B1CD
Schedule for , xrefs: 0043B1B5, 0043B229
/every , xrefs: 0043B06C
true, xrefs: 0043ADF7, 0043AE67, 0043AEF0
/schedule /scan -, xrefs: 0043ADB9
MSG, xrefs: 0043B1DC, 0043B250
-log -silent, xrefs: 0043AEBB
Scan Failed., xrefs: 0043B241
/wakefromsleep, xrefs: 0043AF2B
ModFunctions, xrefs: 0043B1E6, 0043B25A
-remove, xrefs: 0043AE32
/recover , xrefs: 0043B0F4
U\C, xrefs: 0043AD74
/errorsilent /silent /xml, xrefs: 0043B124
-reboot, xrefs: 0043AEA2

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Move$Free$Copy$List$#517$#519$Error$#526CheckExitHresultProc
String ID: -log -silent$ -reboot$ -remove$ /errorsilent /silent /xml$ /every $ /recover $ /schedule /scan -$ /starting $ /wakefromsleep$ Scan Failed.$ Scan Success.$MSG$ModFunctions$Schedule for $U\C$UpdateMBytesScheduler$true
API String ID: 67049960-1269589571
Opcode ID: 066493685b494359a7d230c4dcbdce8c5c05e8f96273914c9a9c285d83b435b7
Instruction ID: 83bd965f6d966659a02c4af1b278b160cb33df281e44e54cee1b1a32b77ac53f
Opcode Fuzzy Hash: 066493685b494359a7d230c4dcbdce8c5c05e8f96273914c9a9c285d83b435b7
Instruction Fuzzy Hash: AD02FF71E40208ABDB04DBA4DD89AEEBBB5EF48700F20816AF506F72A4EF745945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0042E940 Relevance: 151.0, APIs: 70, Strings: 16, Instructions: 491COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404B66,?,?,00429932,?,?,?), ref: 0042E95E
__vbaOnError.MSVBVM60(00000001,6CE6D8B1,6CE5A323,6CE6D8E2,?,00404B66), ref: 0042E98E
__vbaStrCat.MSVBVM60(?,Webpost string : ,00405F48,00405F48,00405F48,?), ref: 0042E9B9
__vbaStrMove.MSVBVM60(?,Webpost string : ,00405F48,00405F48,00405F48,?), ref: 0042E9C4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0042EA10
__vbaFreeStr.MSVBVM60 ref: 0042EA2B
__vbaFreeVar.MSVBVM60 ref: 0042EA34
__vbaStrCat.MSVBVM60(?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042EA5F
__vbaStrMove.MSVBVM60(?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042EA6A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040,?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042EAB8
__vbaFreeStr.MSVBVM60(?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042EAD3
__vbaFreeVar.MSVBVM60(?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042EADC
#716.MSVBVM60(?,zWbPost.WebPost,00000000,?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042EB01
__vbaObjVar.MSVBVM60(?,?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042EB0B
__vbaObjSetAddref.MSVBVM60(H_@H_@,00000000,?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042EB16
__vbaFreeVar.MSVBVM60(?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042EB1F
__vbaStrCopy.MSVBVM60(?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042EB34
__vbaObjIs.MSVBVM60(H_@H_@,00000000,?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042EB47
__vbaChkstk.MSVBVM60(?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042EC0F
__vbaChkstk.MSVBVM60(?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042EC38
__vbaChkstk.MSVBVM60(?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042EC67
__vbaChkstk.MSVBVM60(?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042EC96
__vbaChkstk.MSVBVM60(?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042ECC5
__vbaChkstk.MSVBVM60(?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042ECF4
__vbaChkstk.MSVBVM60(?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042ED23
__vbaChkstk.MSVBVM60(?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042ED52
__vbaChkstk.MSVBVM60(?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042ED81
__vbaLateMemCallLd.MSVBVM60(?,H_@H_@,PostXMLString,00000009,?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042EDBA
__vbaBoolVar.MSVBVM60(00000000), ref: 0042EDC7
__vbaFreeVar.MSVBVM60 ref: 0042EDD4
__vbaStrCat.MSVBVM60(?,WebPost Return Status: ,00405F48,00405F48,00405F48,?), ref: 0042EE10
__vbaStrMove.MSVBVM60 ref: 0042EE1B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0042EE69
__vbaFreeStr.MSVBVM60 ref: 0042EE84
__vbaFreeVar.MSVBVM60 ref: 0042EE8D
__vbaStrCat.MSVBVM60(?,WebPost Return Status: ,00405F48,00405F48,00405F48,?), ref: 0042EEBB
__vbaStrMove.MSVBVM60 ref: 0042EEC6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0042EF12
__vbaFreeStr.MSVBVM60 ref: 0042EF2D
__vbaFreeVar.MSVBVM60 ref: 0042EF36
__vbaStrCat.MSVBVM60(?,WebPost Failed : ,00405F48,00405F48,00405F48,?), ref: 0042EF5F
__vbaStrMove.MSVBVM60 ref: 0042EF6A
__vbaStrCat.MSVBVM60(0040C0DC,00000000), ref: 0042EF76
__vbaStrMove.MSVBVM60 ref: 0042EF81
__vbaStrCat.MSVBVM60(?,00000000), ref: 0042EF8C
__vbaStrMove.MSVBVM60 ref: 0042EF97
__vbaStrCat.MSVBVM60( - ,00000000), ref: 0042EFA3
__vbaStrMove.MSVBVM60 ref: 0042EFAE
__vbaStrCat.MSVBVM60(?,00000000), ref: 0042EFB9
__vbaStrMove.MSVBVM60 ref: 0042EFC4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0042F010
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0042F03E
__vbaFreeVar.MSVBVM60 ref: 0042F04A
__vbaStrCat.MSVBVM60(0040C0DC,?), ref: 0042F060
__vbaStrMove.MSVBVM60 ref: 0042F06B
__vbaStrCat.MSVBVM60(?,00000000), ref: 0042F076
__vbaStrMove.MSVBVM60 ref: 0042F081
__vbaStrCat.MSVBVM60( - ,00000000), ref: 0042F08D
__vbaStrMove.MSVBVM60 ref: 0042F098
__vbaStrCat.MSVBVM60(?,00000000), ref: 0042F0A3
__vbaStrMove.MSVBVM60 ref: 0042F0AE
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0042F0C2
__vbaStrCopy.MSVBVM60(?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042F0D8
__vbaObjSetAddref.MSVBVM60(H_@H_@,00000000,?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042F0EB
__vbaExitProc.MSVBVM60(?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042F4DD
__vbaFreeObj.MSVBVM60(0042F573,?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042F548
__vbaFreeStr.MSVBVM60(?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042F551
__vbaFreeStr.MSVBVM60(?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042F55A
__vbaFreeStr.MSVBVM60(?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042F563
__vbaFreeStr.MSVBVM60(?,Webpost url : ,00405F48,00405F48,00405F48,?), ref: 0042F56C

Strings

zWbPost.WebPost, xrefs: 0042EAF8
ERR, xrefs: 0042EFCB
PostXMLString, xrefs: 0042EDAD
WebPost Return Status: , xrefs: 0042EE07, 0042EEB2
- , xrefs: 0042EF9E, 0042F088
WebPost Failed : , xrefs: 0042EF56
H_@, xrefs: 0042ECDD
H_@, xrefs: 0042ECAE
MSG, xrefs: 0042E9CB, 0042EA71, 0042EE22, 0042EECD
modWebpost, xrefs: 0042E9D5, 0042EA7B, 0042EE2C, 0042EED7, 0042EFD5
FncWebPost, xrefs: 0042E9D0, 0042EA76, 0042EE27, 0042EED2, 0042EFD0
Webpost string : , xrefs: 0042E9AE
H_@H_@H_@, xrefs: 0042F0D5
%, xrefs: 0042F0DE
H_@H_@, xrefs: 0042EB12, 0042EB43, 0042F0E7, 0042F545, 0042EDB2, 0042EB15, 0042EB46, 0042EDB5, 0042F0EA
Webpost url : , xrefs: 0042EA54

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Move$Chkstk$CheckHresult$AddrefCopyList$#716BoolCallErrorExitLateProc
String ID: - $%$ERR$FncWebPost$H_@$H_@$H_@H_@$H_@H_@H_@$MSG$PostXMLString$WebPost Failed : $WebPost Return Status: $Webpost string : $Webpost url : $modWebpost$zWbPost.WebPost
API String ID: 3122310103-2193965207
Opcode ID: 2db577f7a03e7c0c1076a0274b978fc888e5fc236fd39ba6876aee8cd3b5b691
Instruction ID: af2a877eb6919113901865a274f9fea6ada6f31b0250666b1d5a5b7bf602c9b8
Opcode Fuzzy Hash: 2db577f7a03e7c0c1076a0274b978fc888e5fc236fd39ba6876aee8cd3b5b691
Instruction Fuzzy Hash: 7F321C74A00218DFDB14DF54DD89BDDBBB5FB48300F1081AAE50AB72A1DB786A85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00428EB0 Relevance: 149.2, APIs: 73, Strings: 12, Instructions: 426COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,00000001,6CE6D8B1,6CE6D8CD), ref: 00428FBD

Part of subcall function 00429FF0: __vbaStrCopy.MSVBVM60(00000001,00000000,6CE6D8CD), ref: 0042A091
Part of subcall function 00429FF0: __vbaStrCopy.MSVBVM60 ref: 0042A099
Part of subcall function 00429FF0: __vbaOnError.MSVBVM60(00000001), ref: 0042A0A4
Part of subcall function 00429FF0: __vbaStrCat.MSVBVM60(?,0040B494), ref: 0042A0C0
Part of subcall function 00429FF0: __vbaStrMove.MSVBVM60 ref: 0042A0CD
Part of subcall function 00429FF0: __vbaStrCat.MSVBVM60(0040B49C,00000000), ref: 0042A0D5
Part of subcall function 00429FF0: __vbaStrMove.MSVBVM60 ref: 0042A0DC
Part of subcall function 00429FF0: __vbaStrCat.MSVBVM60(0040B184,00000000), ref: 0042A0E4
Part of subcall function 00429FF0: __vbaStrMove.MSVBVM60 ref: 0042A0EB
Part of subcall function 00429FF0: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042A0F7
Part of subcall function 00429FF0: __vbaStrCat.MSVBVM60(<acttaken>,?), ref: 0042A110
Part of subcall function 00429FF0: __vbaStrMove.MSVBVM60 ref: 0042A117
Part of subcall function 00429FF0: __vbaStrCat.MSVBVM60(?,00000000), ref: 0042A11E
Part of subcall function 00429FF0: __vbaStrMove.MSVBVM60 ref: 0042A125
Part of subcall function 00429FF0: __vbaStrCat.MSVBVM60(</acttaken>,00000000), ref: 0042A12D

__vbaStrMove.MSVBVM60(autoadd,?,add), ref: 00428FE8

Part of subcall function 00429FF0: __vbaStrMove.MSVBVM60 ref: 0042A134
Part of subcall function 00429FF0: __vbaStrCat.MSVBVM60(0040B184,00000000), ref: 0042A13C
Part of subcall function 00429FF0: __vbaStrMove.MSVBVM60 ref: 0042A143
Part of subcall function 00429FF0: __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0042A153
Part of subcall function 00429FF0: __vbaVarDup.MSVBVM60 ref: 0042A183
Part of subcall function 00429FF0: #711.MSVBVM60(?,?,?,000000FF,00000000), ref: 0042A1A0
Part of subcall function 00429FF0: __vbaVarMove.MSVBVM60(?,?,000000FF,00000000), ref: 0042A1AF
Part of subcall function 00429FF0: __vbaFreeVar.MSVBVM60(?,?,000000FF,00000000), ref: 0042A1C1
Part of subcall function 00429FF0: __vbaRefVarAry.MSVBVM60(?,?,?,000000FF,00000000), ref: 0042A1CE
Part of subcall function 00429FF0: __vbaUbound.MSVBVM60(00000001,?,?,?,000000FF,00000000), ref: 0042A1D9
Part of subcall function 00429FF0: __vbaStrCat.MSVBVM60(0040B184,<files>,?,?,?,000000FF,00000000), ref: 0042A1F8
Part of subcall function 00429FF0: __vbaStrMove.MSVBVM60(?,?,?,000000FF,00000000), ref: 0042A1FF
Part of subcall function 00429FF0: __vbaRefVarAry.MSVBVM60(?,?,?,?,000000FF,00000000), ref: 0042A20C
Part of subcall function 00429FF0: __vbaUbound.MSVBVM60(00000001,?,?,?,?,000000FF,00000000), ref: 0042A217
Part of subcall function 00429FF0: __vbaStrCat.MSVBVM60(<file><![CDATA[,?,?,?,?,000000FF,00000000), ref: 0042A257
Part of subcall function 00429FF0: __vbaStrMove.MSVBVM60(?,?,?,000000FF,00000000), ref: 0042A25E
Part of subcall function 00429FF0: __vbaVarIndexLoad.MSVBVM60(?,?,00000001,?,?,000000FF,00000000), ref: 0042A296

__vbaStrMove.MSVBVM60(manualadd,?,manual), ref: 00429009

Part of subcall function 00429FF0: __vbaStrVarVal.MSVBVM60(?,00000000), ref: 0042A2A4
Part of subcall function 00429FF0: #519.MSVBVM60(00000000), ref: 0042A2AB
Part of subcall function 00429FF0: __vbaStrMove.MSVBVM60 ref: 0042A2B6
Part of subcall function 00429FF0: __vbaStrCat.MSVBVM60(00000000), ref: 0042A2B9
Part of subcall function 00429FF0: __vbaStrMove.MSVBVM60 ref: 0042A2C0
Part of subcall function 00429FF0: __vbaStrCat.MSVBVM60(]]></file>,00000000), ref: 0042A2C8
Part of subcall function 00429FF0: __vbaStrMove.MSVBVM60 ref: 0042A2CF
Part of subcall function 00429FF0: __vbaStrCat.MSVBVM60(0040B184,00000000), ref: 0042A2D7
Part of subcall function 00429FF0: __vbaStrMove.MSVBVM60 ref: 0042A2DE
Part of subcall function 00429FF0: __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0042A2F6
Part of subcall function 00429FF0: __vbaFreeVar.MSVBVM60 ref: 0042A305
Part of subcall function 00429FF0: __vbaStrCat.MSVBVM60(</files>,?,?,?,?,000000FF,00000000), ref: 0042A331
Part of subcall function 00429FF0: __vbaStrMove.MSVBVM60(?,?,?,000000FF,00000000), ref: 0042A338
Part of subcall function 00429FF0: __vbaStrCat.MSVBVM60(0040B184,00000000,?,?,?,000000FF,00000000), ref: 0042A340
Part of subcall function 00429FF0: __vbaStrMove.MSVBVM60(?,?,?,000000FF,00000000), ref: 0042A347
Part of subcall function 00429FF0: __vbaFreeStr.MSVBVM60(?,?,?,000000FF,00000000), ref: 0042A34C
Part of subcall function 00429FF0: __vbaStrCat.MSVBVM60(?,?,?,?,?,000000FF,00000000), ref: 0042A361
Part of subcall function 00429FF0: __vbaStrMove.MSVBVM60(?,?,?,000000FF,00000000), ref: 0042A368
Part of subcall function 00429FF0: __vbaVarDup.MSVBVM60(?,?,?,000000FF,00000000), ref: 0042A391
Part of subcall function 00429FF0: #711.MSVBVM60(?,00000014,?,000000FF,00000000,?,?,?,000000FF,00000000), ref: 0042A3B0
Part of subcall function 00429FF0: __vbaVarMove.MSVBVM60(?,?,?,000000FF,00000000), ref: 0042A3BF
Part of subcall function 00429FF0: __vbaFreeVar.MSVBVM60(?,?,?,000000FF,00000000), ref: 0042A3CB
Part of subcall function 00429FF0: __vbaRefVarAry.MSVBVM60(?,?,?,?,000000FF,00000000), ref: 0042A3D8
Part of subcall function 00429FF0: __vbaUbound.MSVBVM60(00000001,?,?,?,?,000000FF,00000000), ref: 0042A3E3

__vbaStrMove.MSVBVM60(autormv,?,remove), ref: 0042902A
#546.MSVBVM60(?), ref: 0042903D
#545.MSVBVM60(?,?), ref: 00429047
#546.MSVBVM60(?), ref: 00429069
#542.MSVBVM60(?,?), ref: 00429079
#546.MSVBVM60(?), ref: 00429096
#553.MSVBVM60(?,?), ref: 004290A6
#546.MSVBVM60(?), ref: 004290C3
#543.MSVBVM60(?,?), ref: 004290D3
#546.MSVBVM60(?), ref: 004290F0
#544.MSVBVM60(?,?), ref: 00429100
#546.MSVBVM60(?), ref: 0042911D
#547.MSVBVM60(?,?), ref: 0042912D
__vbaVarCat.MSVBVM60(?,?,?), ref: 00429148
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 00429159
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0042916A
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0042917B
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0042918C
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0042919D
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 004291AE
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 004291BF
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 004291D0
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 004291E1
__vbaStrVarMove.MSVBVM60(00000000), ref: 004291E4
__vbaStrMove.MSVBVM60 ref: 004291EF
__vbaFreeVarList.MSVBVM60(00000016,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00429284
__vbaStrCat.MSVBVM60(0040B184,<wpmalwrignrlistaudit>), ref: 004292A4
__vbaStrMove.MSVBVM60 ref: 004292AB
__vbaStrCat.MSVBVM60(<regid>,?), ref: 004292B9
__vbaStrMove.MSVBVM60 ref: 004292C0
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 004292CA
__vbaStrMove.MSVBVM60 ref: 004292D1
__vbaStrCat.MSVBVM60(</regid>,00000000), ref: 004292D9
__vbaStrMove.MSVBVM60 ref: 004292E0
__vbaStrCat.MSVBVM60(0040B184,00000000), ref: 004292E8
__vbaStrMove.MSVBVM60 ref: 004292EF
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00429305
__vbaStrCat.MSVBVM60(<scandatetime>,?), ref: 0042931A
__vbaStrMove.MSVBVM60 ref: 00429321
__vbaStrCat.MSVBVM60(?,00000000), ref: 00429328
__vbaStrMove.MSVBVM60 ref: 0042932F
__vbaStrCat.MSVBVM60(</scandatetime>,00000000), ref: 00429337
__vbaStrMove.MSVBVM60 ref: 0042933E
__vbaStrCat.MSVBVM60(0040B184,00000000), ref: 00429346
__vbaStrMove.MSVBVM60 ref: 0042934D
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0042935D
__vbaStrCat.MSVBVM60(?,?), ref: 00429371
__vbaStrMove.MSVBVM60 ref: 00429378
__vbaStrCat.MSVBVM60(0040B184,00000000), ref: 00429380
__vbaStrMove.MSVBVM60 ref: 00429387
__vbaFreeStr.MSVBVM60 ref: 00429392
__vbaStrCat.MSVBVM60(?,?), ref: 004293A3
__vbaStrMove.MSVBVM60 ref: 004293AA
__vbaStrCat.MSVBVM60(0040B184,00000000), ref: 004293B2
__vbaStrMove.MSVBVM60 ref: 004293B9
__vbaFreeStr.MSVBVM60 ref: 004293BE
__vbaStrCat.MSVBVM60(?,?), ref: 004293CF
__vbaStrMove.MSVBVM60 ref: 004293D6
__vbaStrCat.MSVBVM60(0040B184,00000000), ref: 004293DE
__vbaStrMove.MSVBVM60 ref: 004293E5
__vbaFreeStr.MSVBVM60 ref: 004293EA
__vbaStrCat.MSVBVM60(</wpmalwrignrlistaudit>,?), ref: 004293FC
__vbaStrMove.MSVBVM60 ref: 00429403

Part of subcall function 00429690: __vbaStrCopy.MSVBVM60(6CE5A323,6CE6D8B1,6CE6D8CD), ref: 0042975A
Part of subcall function 00429690: __vbaStrCopy.MSVBVM60 ref: 00429761
Part of subcall function 00429690: __vbaStrMove.MSVBVM60(wpmalwrignrlistaudit,?,00000000), ref: 0042977D
Part of subcall function 00429690: __vbaFreeStr.MSVBVM60 ref: 00429782
Part of subcall function 00429690: __vbaStrCmp.MSVBVM60(00405F48,?), ref: 00429797
Part of subcall function 00429690: __vbaStrCat.MSVBVM60(tfr_wpmalwrignrlistaudit.asp?mmid=,?), ref: 004297B0
Part of subcall function 00429690: __vbaStrMove.MSVBVM60 ref: 004297B7
Part of subcall function 00429690: __vbaStrCat.MSVBVM60(00000000,00000000), ref: 004297C0
Part of subcall function 00429690: __vbaStrMove.MSVBVM60 ref: 004297C7
Part of subcall function 00429690: __vbaStrCat.MSVBVM60(&sid=,00000000), ref: 004297CF
Part of subcall function 00429690: __vbaStrMove.MSVBVM60 ref: 004297D6
Part of subcall function 00429690: __vbaStrCat.MSVBVM60(00000000,00000000), ref: 004297E0
Part of subcall function 00429690: __vbaStrMove.MSVBVM60 ref: 004297E7

__vbaExitProc.MSVBVM60(?), ref: 00429415
__vbaFreeStr.MSVBVM60(0042966E), ref: 0042964E
__vbaFreeStr.MSVBVM60 ref: 00429653
__vbaFreeObj.MSVBVM60 ref: 00429658
__vbaFreeStr.MSVBVM60 ref: 00429661
__vbaFreeStr.MSVBVM60 ref: 00429666
__vbaFreeStr.MSVBVM60 ref: 0042966B

Strings

manualadd, xrefs: 00428FFA
manual, xrefs: 00428FF1
<scandatetime>, xrefs: 00429315
autormv, xrefs: 0042901B
remove, xrefs: 00429012
</scandatetime>, xrefs: 00429332
<regid>, xrefs: 004292B4
add, xrefs: 00428FCA
</wpmalwrignrlistaudit>, xrefs: 004293F7
autoadd, xrefs: 00428FD3
</regid>, xrefs: 004292D4
<wpmalwrignrlistaudit>, xrefs: 00429294

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Move$Free$#546List$Copy$Ubound$#711Error$#519#542#543#544#545#547#553ExitIndexLoadProc
String ID: </regid>$</scandatetime>$</wpmalwrignrlistaudit>$<regid>$<scandatetime>$<wpmalwrignrlistaudit>$add$autoadd$autormv$manual$manualadd$remove
API String ID: 1345816901-952097601
Opcode ID: 5febeae07aeca5a2d467a4d86a71202fe6fea9926ae2e6d5ee384d54310662fb
Instruction ID: 17e36ddcb4cf0d93d6d26d162eac57f6fc8f433312a42ac2542095a9bf68e8ca
Opcode Fuzzy Hash: 5febeae07aeca5a2d467a4d86a71202fe6fea9926ae2e6d5ee384d54310662fb
Instruction Fuzzy Hash: F902A5B2D1022CAACB15DF94DC94AEEBBB8FF58700F14429BE506B7150DBB45A44CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0044A0A0 Relevance: 147.5, APIs: 73, Strings: 11, Instructions: 480COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6CE55560,00000000,6CE5A323), ref: 0044A117
__vbaStrCopy.MSVBVM60 ref: 0044A11F
__vbaStrCopy.MSVBVM60 ref: 0044A127
__vbaStrCopy.MSVBVM60 ref: 0044A12F
__vbaOnError.MSVBVM60(00000001), ref: 0044A13A
__vbaStrCat.MSVBVM60(Configuration\zScriptDNS.ini,00000000), ref: 0044A158
__vbaStrMove.MSVBVM60 ref: 0044A165

Part of subcall function 0044A7E0: __vbaChkstk.MSVBVM60(00000000,00404B66,?,?,0044A176,?,URL,00000000), ref: 0044A7FE
Part of subcall function 0044A7E0: __vbaStrCopy.MSVBVM60(6CE6D8B1,6CE6D83C,6CE5A323,00000000,00404B66), ref: 0044A82B
Part of subcall function 0044A7E0: __vbaStrCopy.MSVBVM60 ref: 0044A837
Part of subcall function 0044A7E0: __vbaStrCopy.MSVBVM60 ref: 0044A843
Part of subcall function 0044A7E0: __vbaOnError.MSVBVM60(000000FF), ref: 0044A852
Part of subcall function 0044A7E0: #608.MSVBVM60(?,00000000), ref: 0044A865
Part of subcall function 0044A7E0: #606.MSVBVM60(00001388,?), ref: 0044A874
Part of subcall function 0044A7E0: __vbaStrMove.MSVBVM60 ref: 0044A87F
Part of subcall function 0044A7E0: __vbaFreeVar.MSVBVM60 ref: 0044A888
Part of subcall function 0044A7E0: __vbaStrToAnsi.MSVBVM60(?,?), ref: 0044A89D
Part of subcall function 0044A7E0: __vbaLenBstr.MSVBVM60(?,00000000), ref: 0044A8A8
Part of subcall function 0044A7E0: __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0044A8B7
Part of subcall function 0044A7E0: __vbaStrToAnsi.MSVBVM60(?,00405F48,00000000), ref: 0044A8C7
Part of subcall function 0044A7E0: __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0044A8D6
Part of subcall function 0044A7E0: __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0044A8E5
Part of subcall function 0044A7E0: __vbaSetSystemError.MSVBVM60(00000000), ref: 0044A8F4
Part of subcall function 0044A7E0: __vbaStrToUnicode.MSVBVM60(?,?), ref: 0044A902
Part of subcall function 0044A7E0: __vbaStrToUnicode.MSVBVM60(?,?), ref: 0044A910
Part of subcall function 0044A7E0: __vbaStrToUnicode.MSVBVM60(?,?), ref: 0044A91E
Part of subcall function 0044A7E0: __vbaStrToUnicode.MSVBVM60(?,?), ref: 0044A92C

__vbaStrMove.MSVBVM60(?,URL,00000000), ref: 0044A17B
__vbaFreeStr.MSVBVM60 ref: 0044A180
__vbaStrCmp.MSVBVM60(00405F48,?), ref: 0044A196
__vbaStrCat.MSVBVM60(00000000,Making entry in ,00405F48,00405F48,00405F48,?), ref: 0044A1D1
__vbaStrMove.MSVBVM60 ref: 0044A1D8
__vbaStrCat.MSVBVM60(Configuration\zScriptDNS.ini,00000000), ref: 0044A1E0
__vbaStrMove.MSVBVM60 ref: 0044A1E7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0044A217
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0044A227
__vbaFreeVar.MSVBVM60 ref: 0044A233
__vbaStrCat.MSVBVM60(Configuration\zScriptDNS.ini,00000000), ref: 0044A24C
__vbaStrMove.MSVBVM60 ref: 0044A253
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 0044A260
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0044A26B
__vbaStrToAnsi.MSVBVM60(?,URL,00000000), ref: 0044A277
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0044A282
__vbaSetSystemError.MSVBVM60(00000000), ref: 0044A28A
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0044A29E
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0044A2A8
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0044A2C0
__vbaStrCat.MSVBVM60(AlertCD,00000000,?), ref: 0044A2E8
__vbaStrMove.MSVBVM60 ref: 0044A2EF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,0000002C), ref: 0044A311
__vbaFreeStr.MSVBVM60 ref: 0044A31F
__vbaStrCat.MSVBVM60(AlertCD,00000000), ref: 0044A344
__vbaStrMove.MSVBVM60 ref: 0044A34B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000034), ref: 0044A36D
__vbaFreeStr.MSVBVM60 ref: 0044A376
__vbaNew2.MSVBVM60(004054A4,?), ref: 0044A393
__vbaNew2.MSVBVM60(0040714C,0044CB28), ref: 0044A3B2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406674,00000014), ref: 0044A3D7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040715C,00000050), ref: 0044A3FB
__vbaStrCat.MSVBVM60(004074E8,?), ref: 0044A40F
__vbaStrMove.MSVBVM60 ref: 0044A416
__vbaStrCat.MSVBVM60(?,00000000), ref: 0044A41D
__vbaStrMove.MSVBVM60 ref: 0044A424
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040719C,0000003C), ref: 0044A443
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0044A457
__vbaFreeObj.MSVBVM60 ref: 0044A463
__vbaSetSystemError.MSVBVM60(00001388), ref: 0044A47A
__vbaNew2.MSVBVM60(0040714C,0044CB28), ref: 0044A49A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406674,00000014), ref: 0044A4BF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040715C,00000050), ref: 0044A4E3
__vbaNew2.MSVBVM60(004054A4,?), ref: 0044A4F9
__vbaStrCat.MSVBVM60(AlertCD\,00000000), ref: 0044A511
__vbaStrMove.MSVBVM60 ref: 0044A518
__vbaStrCat.MSVBVM60(?,00000000), ref: 0044A51F
__vbaStrMove.MSVBVM60 ref: 0044A526
__vbaStrCat.MSVBVM60(004074E8,?,?), ref: 0044A537
__vbaStrMove.MSVBVM60 ref: 0044A53E
__vbaStrCat.MSVBVM60(?,00000000), ref: 0044A545
__vbaStrMove.MSVBVM60 ref: 0044A54C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040719C,0000005C), ref: 0044A567
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0044A583
__vbaFreeObj.MSVBVM60 ref: 0044A58F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0044A5E3
__vbaFreeVar.MSVBVM60 ref: 0044A5EC
__vbaCastObj.MSVBVM60(00000000,0040719C), ref: 0044A600
__vbaObjSet.MSVBVM60(?,00000000), ref: 0044A60B
__vbaExitProc.MSVBVM60 ref: 0044A611
__vbaFreeStr.MSVBVM60(0044A7C7), ref: 0044A7A7
__vbaFreeStr.MSVBVM60 ref: 0044A7AC
__vbaFreeStr.MSVBVM60 ref: 0044A7B1
__vbaFreeObj.MSVBVM60 ref: 0044A7B6
__vbaFreeStr.MSVBVM60 ref: 0044A7BF
__vbaFreeStr.MSVBVM60 ref: 0044A7C4

Strings

AlertCD\, xrefs: 0044A50C
File moved to AlertCD., xrefs: 0044A5B6
ModMain, xrefs: 0044A1F4, 0044A5C5
URL, xrefs: 0044A168, 0044A26E
subMoveToAlertCD, xrefs: 0044A1EF
xJ@, xrefs: 0044A129
Making entry in , xrefs: 0044A1C5
AlertCD, xrefs: 0044A2E3, 0044A33F
subReadAlertTktFolder, xrefs: 0044A5C0
Configuration\zScriptDNS.ini, xrefs: 0044A14D, 0044A1DB, 0044A247
MSG, xrefs: 0044A1EA, 0044A5BB

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Move$CheckHresult$Ansi$Copy$Unicode$Error$ListNew2$System$#606#608BstrCastChkstkExitProc
String ID: AlertCD$AlertCD\$Configuration\zScriptDNS.ini$File moved to AlertCD.$MSG$Making entry in $ModMain$URL$subMoveToAlertCD$subReadAlertTktFolder$xJ@
API String ID: 403019749-766094786
Opcode ID: 5652f9ef70269d9ce11ad8d01d0f5963765e1517273f49dc775e5d636a404ecb
Instruction ID: 54e1037ea4ee5c95bb1de53f93852e0a05b0414cc5eeaff66fe558e0185e6075
Opcode Fuzzy Hash: 5652f9ef70269d9ce11ad8d01d0f5963765e1517273f49dc775e5d636a404ecb
Instruction Fuzzy Hash: EF021E75A40218AFDB04DFA4DD89E9EBBB8FF48700F10416AF505F72A0EA746905CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0041C820 Relevance: 136.8, APIs: 63, Strings: 15, Instructions: 349COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(00000000,<wpmalwrignorelist><regid>,6CF3D40D,6CE6D8B1,00000000), ref: 0041C89B
__vbaStrMove.MSVBVM60 ref: 0041C8A8
__vbaStrCat.MSVBVM60(</regid></wpmalwrignorelist>,00000000), ref: 0041C8B0
__vbaStrMove.MSVBVM60 ref: 0041C8B7
__vbaFreeStr.MSVBVM60 ref: 0041C8BC
__vbaStrCopy.MSVBVM60 ref: 0041C8C7

Part of subcall function 0042B4A0: __vbaStrCopy.MSVBVM60(6CE6D83C,00000000,6CE6D8CD), ref: 0042B53E
Part of subcall function 0042B4A0: __vbaStrCopy.MSVBVM60 ref: 0042B546
Part of subcall function 0042B4A0: __vbaOnError.MSVBVM60(00000001), ref: 0042B551
Part of subcall function 0042B4A0: __vbaStrCmp.MSVBVM60(00405F48,00000000), ref: 0042B569
Part of subcall function 0042B4A0: __vbaStrCopy.MSVBVM60 ref: 0042B581
Part of subcall function 0042B4A0: #519.MSVBVM60 ref: 0042B58D
Part of subcall function 0042B4A0: __vbaStrMove.MSVBVM60 ref: 0042B59E
Part of subcall function 0042B4A0: #527.MSVBVM60(00000000), ref: 0042B5A1
Part of subcall function 0042B4A0: __vbaStrMove.MSVBVM60 ref: 0042B5AB
Part of subcall function 0042B4A0: __vbaFreeStr.MSVBVM60 ref: 0042B5B0
Part of subcall function 0042B4A0: __vbaStrCopy.MSVBVM60 ref: 0042B5D5
Part of subcall function 0042B4A0: __vbaStrCopy.MSVBVM60 ref: 0042B5E3
Part of subcall function 0042B4A0: __vbaStrMove.MSVBVM60(80000002,?,?,00000001,?), ref: 0042B61A

__vbaStrMove.MSVBVM60(wpmalwrignorelist,?,00000000), ref: 0041C8E1
__vbaFreeStr.MSVBVM60 ref: 0041C8E6
__vbaStrCmp.MSVBVM60(00405F48,?), ref: 0041C8F5
__vbaStrCopy.MSVBVM60 ref: 0041C908

Part of subcall function 0042B4A0: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042B626
Part of subcall function 0042B4A0: #520.MSVBVM60(?,00004008), ref: 0042B654
Part of subcall function 0042B4A0: #619.MSVBVM60(?,?,00000001), ref: 0042B664
Part of subcall function 0042B4A0: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0042B689
Part of subcall function 0042B4A0: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042B69F
Part of subcall function 0042B4A0: __vbaStrCat.MSVBVM60(004074E8,?), ref: 0042B6C1
Part of subcall function 0042B4A0: __vbaStrMove.MSVBVM60 ref: 0042B6CC
Part of subcall function 0042B4A0: __vbaStrCat.MSVBVM60(Configuration\zScriptDNS.ini,?), ref: 0042B6DE
Part of subcall function 0042B4A0: __vbaStrMove.MSVBVM60 ref: 0042B6E9
Part of subcall function 0042B4A0: __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0042B6FD
Part of subcall function 0042B4A0: #519.MSVBVM60(00000000,?,00000000), ref: 0042B700
Part of subcall function 0042B4A0: __vbaStrMove.MSVBVM60(?,00000000), ref: 0042B70B
Part of subcall function 0042B4A0: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 0042B717
Part of subcall function 0042B4A0: __vbaStrCmp.MSVBVM60(00405F48,?), ref: 0042B736
Part of subcall function 0042B4A0: __vbaStrCmp.MSVBVM60(00405F48,?), ref: 0042B74E

__vbaStrMove.MSVBVM60(wpmalwrignorelist,?,00000000), ref: 0041C922
__vbaStrCat.MSVBVM60(tfr_wpmalwrignorelist.asp?mmid=,00000000), ref: 0041C92A
__vbaStrMove.MSVBVM60 ref: 0041C931
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041C93B
__vbaStrMove.MSVBVM60 ref: 0041C942
__vbaStrCat.MSVBVM60(&sid=,00000000), ref: 0041C94A
__vbaStrMove.MSVBVM60 ref: 0041C951
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041C95B
__vbaStrMove.MSVBVM60 ref: 0041C962
__vbaStrCat.MSVBVM60(&rid=,00000000), ref: 0041C96A
__vbaStrMove.MSVBVM60 ref: 0041C971
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041C97A
__vbaStrMove.MSVBVM60 ref: 0041C981
__vbaStrCat.MSVBVM60(&rty=,00000000), ref: 0041C989
__vbaStrMove.MSVBVM60 ref: 0041C990
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041C99A
__vbaStrMove.MSVBVM60 ref: 0041C9A1
__vbaStrCat.MSVBVM60(&ec=0,00000000), ref: 0041C9A9
__vbaStrMove.MSVBVM60 ref: 0041C9B0
__vbaFreeStrList.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,?,?), ref: 0041C9DC
__vbaStrCat.MSVBVM60(00000000,https://webpost.itsupport247.net/tfr_wpmalwrignorelist.asp?mmid=), ref: 0041C9F5
__vbaStrMove.MSVBVM60 ref: 0041C9FC
__vbaStrCat.MSVBVM60(&sid=,00000000), ref: 0041CA04
__vbaStrMove.MSVBVM60 ref: 0041CA0B
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041CA15
__vbaStrMove.MSVBVM60 ref: 0041CA1C
__vbaStrCat.MSVBVM60(&rid=,00000000), ref: 0041CA24
__vbaStrMove.MSVBVM60 ref: 0041CA2B
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041CA35
__vbaStrMove.MSVBVM60 ref: 0041CA3C
__vbaStrCat.MSVBVM60(&rty=,00000000), ref: 0041CA44
__vbaStrMove.MSVBVM60 ref: 0041CA4B
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041CA54
__vbaStrMove.MSVBVM60 ref: 0041CA5B
__vbaStrCat.MSVBVM60(&ec=0,00000000), ref: 0041CA63
__vbaStrMove.MSVBVM60 ref: 0041CA6A
__vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 0041CA8A
__vbaStrCopy.MSVBVM60 ref: 0041CA98
__vbaStrMove.MSVBVM60(?,?,?), ref: 0041CAB4
__vbaFreeStr.MSVBVM60 ref: 0041CAB9
__vbaStrCmp.MSVBVM60(00407EB0,?), ref: 0041CADB
__vbaStrCmp.MSVBVM60(00405F48,?), ref: 0041CAEE
#560.MSVBVM60(00004008), ref: 0041CB02
__vbaInStr.MSVBVM60(00000001,<wpmalwrignorelist>,?,00000001), ref: 0041CB29
__vbaInStr.MSVBVM60(00000001,<error>,?,00000001), ref: 0041CB47
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0041CB9B
__vbaFreeVar.MSVBVM60 ref: 0041CBA4
__vbaStrCopy.MSVBVM60 ref: 0041CBB2
__vbaStrCopy.MSVBVM60 ref: 0041CBC5
__vbaFreeStr.MSVBVM60(0041CC49), ref: 0041CC37
__vbaFreeStr.MSVBVM60 ref: 0041CC3C
__vbaFreeStr.MSVBVM60 ref: 0041CC41
__vbaFreeStr.MSVBVM60 ref: 0041CC46

Strings

<error>, xrefs: 0041CB3C
&sid=, xrefs: 0041C945, 0041C9FF
tfr_wpmalwrignorelist.asp?mmid=, xrefs: 0041C925
GetSchTemplate, xrefs: 0041CB78
<wpmalwrignorelist><regid>, xrefs: 0041C859
</regid></wpmalwrignorelist>, xrefs: 0041C8AB
MSG, xrefs: 0041CB73
wpmalwrignorelist, xrefs: 0041C8D2, 0041C913
&rty=, xrefs: 0041C984, 0041CA3F
&ec=0, xrefs: 0041C9A4, 0041CA5E
https://webpost.itsupport247.net/tfr_wpmalwrignorelist.asp?mmid=, xrefs: 0041C9EF
<wpmalwrignorelist>, xrefs: 0041CB1E
ModIgnoreList, xrefs: 0041CB7D
&rid=, xrefs: 0041C965, 0041CA1F
Webpost Failed., xrefs: 0041CB6E

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Move$Free$Copy$List$#519$#520#527#560#619CheckErrorHresult
String ID: &ec=0$&rid=$&rty=$&sid=$</regid></wpmalwrignorelist>$<error>$<wpmalwrignorelist>$<wpmalwrignorelist><regid>$GetSchTemplate$MSG$ModIgnoreList$Webpost Failed.$https://webpost.itsupport247.net/tfr_wpmalwrignorelist.asp?mmid=$tfr_wpmalwrignorelist.asp?mmid=$wpmalwrignorelist
API String ID: 709879051-4256339873
Opcode ID: 4d43e9545b0432622713d2746aba2eb18fbfc965cde4c944a0941d7425227e57
Instruction ID: a57b50e49ed8c1765d32eb5db0280306a03327aec4484a3a1dd5f075bf258271
Opcode Fuzzy Hash: 4d43e9545b0432622713d2746aba2eb18fbfc965cde4c944a0941d7425227e57
Instruction Fuzzy Hash: 15C12072E40218ABDB04DBA5DC85DEEBBB9FF98700B10812AE506F31A4DE746905CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00436120 Relevance: 133.3, APIs: 61, Strings: 15, Instructions: 333COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(00000000,<wpmalwrscheduledtl><regid>,?,?,00000000), ref: 00436192
__vbaStrMove.MSVBVM60 ref: 0043619F
__vbaStrCat.MSVBVM60(</regid></wpmalwrscheduledtl>,00000000), ref: 004361A7
__vbaStrMove.MSVBVM60 ref: 004361AE
__vbaFreeStr.MSVBVM60 ref: 004361B3
__vbaStrCopy.MSVBVM60 ref: 004361BE

Part of subcall function 0042B4A0: __vbaStrCopy.MSVBVM60(6CE6D83C,00000000,6CE6D8CD), ref: 0042B53E
Part of subcall function 0042B4A0: __vbaStrCopy.MSVBVM60 ref: 0042B546
Part of subcall function 0042B4A0: __vbaOnError.MSVBVM60(00000001), ref: 0042B551
Part of subcall function 0042B4A0: __vbaStrCmp.MSVBVM60(00405F48,00000000), ref: 0042B569
Part of subcall function 0042B4A0: __vbaStrCopy.MSVBVM60 ref: 0042B581
Part of subcall function 0042B4A0: #519.MSVBVM60 ref: 0042B58D
Part of subcall function 0042B4A0: __vbaStrMove.MSVBVM60 ref: 0042B59E
Part of subcall function 0042B4A0: #527.MSVBVM60(00000000), ref: 0042B5A1
Part of subcall function 0042B4A0: __vbaStrMove.MSVBVM60 ref: 0042B5AB
Part of subcall function 0042B4A0: __vbaFreeStr.MSVBVM60 ref: 0042B5B0
Part of subcall function 0042B4A0: __vbaStrCopy.MSVBVM60 ref: 0042B5D5
Part of subcall function 0042B4A0: __vbaStrCopy.MSVBVM60 ref: 0042B5E3
Part of subcall function 0042B4A0: __vbaStrMove.MSVBVM60(80000002,?,?,00000001,?), ref: 0042B61A

__vbaStrMove.MSVBVM60(wpmalwrscheduledtl,?,00000000), ref: 004361D8
__vbaFreeStr.MSVBVM60 ref: 004361DD
__vbaStrCmp.MSVBVM60(00405F48,?), ref: 004361EC
__vbaStrCat.MSVBVM60(tfr_wpmalwrscheduledtl.asp?mmid=,?), ref: 00436203
__vbaStrMove.MSVBVM60 ref: 0043620A
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00436214
__vbaStrMove.MSVBVM60 ref: 0043621B
__vbaStrCat.MSVBVM60(&sid=,00000000), ref: 00436223
__vbaStrMove.MSVBVM60 ref: 0043622A
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00436234
__vbaStrMove.MSVBVM60 ref: 0043623B
__vbaStrCat.MSVBVM60(&rid=,00000000), ref: 00436243
__vbaStrMove.MSVBVM60 ref: 0043624A
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00436253
__vbaStrMove.MSVBVM60 ref: 0043625A
__vbaStrCat.MSVBVM60(&rty=,00000000), ref: 00436262
__vbaStrMove.MSVBVM60 ref: 00436269
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00436273
__vbaStrMove.MSVBVM60 ref: 0043627A
__vbaStrCat.MSVBVM60(&ec=0,00000000), ref: 00436282
__vbaStrMove.MSVBVM60 ref: 00436289
__vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,?,?), ref: 004362AD
__vbaStrCat.MSVBVM60(00000000,https://webpost.itsupport247.net/tfr_wpmalwrscheduledtl.asp?mmid=), ref: 004362C7
__vbaStrMove.MSVBVM60 ref: 004362CE
__vbaStrCat.MSVBVM60(&sid=,00000000), ref: 004362D6
__vbaStrMove.MSVBVM60 ref: 004362DD
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 004362E7
__vbaStrMove.MSVBVM60 ref: 004362EE
__vbaStrCat.MSVBVM60(&rid=,00000000), ref: 004362F6
__vbaStrMove.MSVBVM60 ref: 004362FD
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00436306
__vbaStrMove.MSVBVM60 ref: 0043630D
__vbaStrCat.MSVBVM60(&rty=,00000000), ref: 00436315
__vbaStrMove.MSVBVM60 ref: 0043631C
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00436326
__vbaStrMove.MSVBVM60 ref: 0043632D
__vbaStrCat.MSVBVM60(&ec=0,00000000), ref: 00436335
__vbaStrMove.MSVBVM60 ref: 0043633C
__vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 0043635C
__vbaStrCopy.MSVBVM60 ref: 0043636A
__vbaStrMove.MSVBVM60(?,?,?), ref: 00436386
__vbaFreeStr.MSVBVM60 ref: 0043638B
__vbaStrCmp.MSVBVM60(00407EB0,?), ref: 004363AD
__vbaStrCmp.MSVBVM60(00405F48,?), ref: 004363C0
#560.MSVBVM60(00004008), ref: 004363D4
__vbaInStr.MSVBVM60(00000001,<wpmalwrscheduledtl>,?,00000001), ref: 004363FB
__vbaInStr.MSVBVM60(00000001,<error>,?,00000001), ref: 00436419
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0043646D
__vbaFreeVar.MSVBVM60 ref: 00436476
__vbaStrCopy.MSVBVM60 ref: 00436484
__vbaStrCopy.MSVBVM60 ref: 00436497
__vbaFreeStr.MSVBVM60(00436513), ref: 00436501
__vbaFreeStr.MSVBVM60 ref: 00436506
__vbaFreeStr.MSVBVM60 ref: 0043650B
__vbaFreeStr.MSVBVM60 ref: 00436510

Strings

tfr_wpmalwrscheduledtl.asp?mmid=, xrefs: 004361FE
https://webpost.itsupport247.net/tfr_wpmalwrscheduledtl.asp?mmid=, xrefs: 004362C1
GetMBSchTemplate, xrefs: 0043644A
<error>, xrefs: 00436410
</regid></wpmalwrscheduledtl>, xrefs: 004361A2
wpmalwrscheduledtl, xrefs: 004361C9
&sid=, xrefs: 0043621E, 004362D1
MSG, xrefs: 00436445
ModMain, xrefs: 0043644F
&rty=, xrefs: 0043625D, 00436310
&ec=0, xrefs: 0043627D, 00436330
<wpmalwrscheduledtl><regid>, xrefs: 00436156
<wpmalwrscheduledtl>, xrefs: 004363EE
&rid=, xrefs: 0043623E, 004362F1
Webpost Failed., xrefs: 00436440

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Move$Free$Copy$List$#519#527#560CheckErrorHresult
String ID: &ec=0$&rid=$&rty=$&sid=$</regid></wpmalwrscheduledtl>$<error>$<wpmalwrscheduledtl>$<wpmalwrscheduledtl><regid>$GetMBSchTemplate$MSG$ModMain$Webpost Failed.$https://webpost.itsupport247.net/tfr_wpmalwrscheduledtl.asp?mmid=$tfr_wpmalwrscheduledtl.asp?mmid=$wpmalwrscheduledtl
API String ID: 817588582-2744441417
Opcode ID: f6385feb00c04e9cc3c6042bd2391f7f6e522de638e21fb2c0c3fe5948856feb
Instruction ID: 04d85783ad80f79046031d92eec5fed2d445683dc3e9bd152b29dcd596e1077b
Opcode Fuzzy Hash: f6385feb00c04e9cc3c6042bd2391f7f6e522de638e21fb2c0c3fe5948856feb
Instruction Fuzzy Hash: 20B11F71E40219ABDB04DBA5DC85DEFBBB9FF98700B14812AE106F31A4DE746905CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00439130 Relevance: 133.3, APIs: 61, Strings: 15, Instructions: 333COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(00000000,<wpmalwrtemplateinfo><regid>,?,00000000), ref: 004391A2
__vbaStrMove.MSVBVM60 ref: 004391AF
__vbaStrCat.MSVBVM60(</regid></wpmalwrtemplateinfo>,00000000), ref: 004391B7
__vbaStrMove.MSVBVM60 ref: 004391BE
__vbaFreeStr.MSVBVM60 ref: 004391C3
__vbaStrCopy.MSVBVM60 ref: 004391CE

Part of subcall function 0042B4A0: __vbaStrCopy.MSVBVM60(6CE6D83C,00000000,6CE6D8CD), ref: 0042B53E
Part of subcall function 0042B4A0: __vbaStrCopy.MSVBVM60 ref: 0042B546
Part of subcall function 0042B4A0: __vbaOnError.MSVBVM60(00000001), ref: 0042B551
Part of subcall function 0042B4A0: __vbaStrCmp.MSVBVM60(00405F48,00000000), ref: 0042B569
Part of subcall function 0042B4A0: __vbaStrCopy.MSVBVM60 ref: 0042B581
Part of subcall function 0042B4A0: #519.MSVBVM60 ref: 0042B58D
Part of subcall function 0042B4A0: __vbaStrMove.MSVBVM60 ref: 0042B59E
Part of subcall function 0042B4A0: #527.MSVBVM60(00000000), ref: 0042B5A1
Part of subcall function 0042B4A0: __vbaStrMove.MSVBVM60 ref: 0042B5AB
Part of subcall function 0042B4A0: __vbaFreeStr.MSVBVM60 ref: 0042B5B0
Part of subcall function 0042B4A0: __vbaStrCopy.MSVBVM60 ref: 0042B5D5
Part of subcall function 0042B4A0: __vbaStrCopy.MSVBVM60 ref: 0042B5E3
Part of subcall function 0042B4A0: __vbaStrMove.MSVBVM60(80000002,?,?,00000001,?), ref: 0042B61A

__vbaStrMove.MSVBVM60(wpmalwrtemplateinfo,?,00000000), ref: 004391E8
__vbaFreeStr.MSVBVM60 ref: 004391ED
__vbaStrCmp.MSVBVM60(00405F48,?), ref: 004391FC
__vbaStrCat.MSVBVM60(tfr_wpmalwrtemplateinfo.asp?mmid=,?), ref: 00439213
__vbaStrMove.MSVBVM60 ref: 0043921A
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00439224
__vbaStrMove.MSVBVM60 ref: 0043922B
__vbaStrCat.MSVBVM60(&sid=,00000000), ref: 00439233
__vbaStrMove.MSVBVM60 ref: 0043923A
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00439244
__vbaStrMove.MSVBVM60 ref: 0043924B
__vbaStrCat.MSVBVM60(&rid=,00000000), ref: 00439253
__vbaStrMove.MSVBVM60 ref: 0043925A
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00439263
__vbaStrMove.MSVBVM60 ref: 0043926A
__vbaStrCat.MSVBVM60(&rty=,00000000), ref: 00439272
__vbaStrMove.MSVBVM60 ref: 00439279
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00439283
__vbaStrMove.MSVBVM60 ref: 0043928A
__vbaStrCat.MSVBVM60(&ec=0,00000000), ref: 00439292
__vbaStrMove.MSVBVM60 ref: 00439299
__vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,?,?), ref: 004392BD
__vbaStrCat.MSVBVM60(00000000,https://webpost.itsupport247.net/tfr_wpmalwrtemplateinfo.asp?mmid=), ref: 004392D7
__vbaStrMove.MSVBVM60 ref: 004392DE
__vbaStrCat.MSVBVM60(&sid=,00000000), ref: 004392E6
__vbaStrMove.MSVBVM60 ref: 004392ED
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 004392F7
__vbaStrMove.MSVBVM60 ref: 004392FE
__vbaStrCat.MSVBVM60(&rid=,00000000), ref: 00439306
__vbaStrMove.MSVBVM60 ref: 0043930D
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00439316
__vbaStrMove.MSVBVM60 ref: 0043931D
__vbaStrCat.MSVBVM60(&rty=,00000000), ref: 00439325
__vbaStrMove.MSVBVM60 ref: 0043932C
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00439336
__vbaStrMove.MSVBVM60 ref: 0043933D
__vbaStrCat.MSVBVM60(&ec=0,00000000), ref: 00439345
__vbaStrMove.MSVBVM60 ref: 0043934C
__vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 0043936C
__vbaStrCopy.MSVBVM60 ref: 0043937A
__vbaStrMove.MSVBVM60(?,?,?), ref: 00439396
__vbaFreeStr.MSVBVM60 ref: 0043939B
__vbaStrCmp.MSVBVM60(00407EB0,?), ref: 004393BD
__vbaStrCmp.MSVBVM60(00405F48,?), ref: 004393D0
#560.MSVBVM60(00004008), ref: 004393E4
__vbaInStr.MSVBVM60(00000001,<wpmalwrtemplateinfo>,?,00000001), ref: 0043940B
__vbaInStr.MSVBVM60(00000001,<error>,?,00000001), ref: 00439429
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0043947D
__vbaFreeVar.MSVBVM60 ref: 00439486
__vbaStrCopy.MSVBVM60 ref: 00439494
__vbaStrCopy.MSVBVM60 ref: 004394A7
__vbaFreeStr.MSVBVM60(00439523), ref: 00439511
__vbaFreeStr.MSVBVM60 ref: 00439516
__vbaFreeStr.MSVBVM60 ref: 0043951B
__vbaFreeStr.MSVBVM60 ref: 00439520

Strings

wpmalwrtemplateinfo, xrefs: 004391D9
tfr_wpmalwrtemplateinfo.asp?mmid=, xrefs: 0043920E
<error>, xrefs: 00439420
&sid=, xrefs: 0043922E, 004392E1
https://webpost.itsupport247.net/tfr_wpmalwrtemplateinfo.asp?mmid=, xrefs: 004392D1
GetSchTemplate, xrefs: 0043945A
MSG, xrefs: 00439455
<wpmalwrtemplateinfo>, xrefs: 004393FE
ModMain, xrefs: 0043945F
&rty=, xrefs: 0043926D, 00439320
&ec=0, xrefs: 0043928D, 00439340
</regid></wpmalwrtemplateinfo>, xrefs: 004391B2
<wpmalwrtemplateinfo><regid>, xrefs: 00439166
&rid=, xrefs: 0043924E, 00439301
Webpost Failed., xrefs: 00439450

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Move$Free$Copy$List$#519#527#560CheckErrorHresult
String ID: &ec=0$&rid=$&rty=$&sid=$</regid></wpmalwrtemplateinfo>$<error>$<wpmalwrtemplateinfo>$<wpmalwrtemplateinfo><regid>$GetSchTemplate$MSG$ModMain$Webpost Failed.$https://webpost.itsupport247.net/tfr_wpmalwrtemplateinfo.asp?mmid=$tfr_wpmalwrtemplateinfo.asp?mmid=$wpmalwrtemplateinfo
API String ID: 817588582-2536041537
Opcode ID: 56763d3e7c221f3b7a91303e14382d4f56d249258ddff6e57d0596725178b232
Instruction ID: 1e9525caaaf91eb7defdb7ebc419d688124bd34cee1241ed736a05b20b320be0
Opcode Fuzzy Hash: 56763d3e7c221f3b7a91303e14382d4f56d249258ddff6e57d0596725178b232
Instruction Fuzzy Hash: 80B11072E40219ABDB04DBA5DC85DEFBBB9FF98700B14812AE506F31A0DE746905CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00431F80 Relevance: 131.7, APIs: 62, Strings: 13, Instructions: 457COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6CE5A323,6CE6D8B1,6CE6D8F4), ref: 00432033
__vbaStrCopy.MSVBVM60 ref: 0043203B
__vbaStrCopy.MSVBVM60 ref: 0043204C
__vbaOnError.MSVBVM60(00000001), ref: 00432057
#716.MSVBVM60(?,zWbPost.WebPost,00000000), ref: 0043206E
__vbaVarSetVar.MSVBVM60(?,?), ref: 0043207C
__vbaVarLateMemCallLd.MSVBVM60(?,?,PostXMLString,00000009), ref: 004321EA
__vbaBoolVar.MSVBVM60(00000000), ref: 004321F7
__vbaFreeVar.MSVBVM60 ref: 00432202
__vbaStrCat.MSVBVM60(?, Webpost Success : Return Status : ,00405F48,00405F48,00405F48,?), ref: 00432248
__vbaStrMove.MSVBVM60 ref: 00432255
__vbaStrCat.MSVBVM60(, ErrNo : ,00000000), ref: 0043225D
__vbaStrMove.MSVBVM60 ref: 00432264
__vbaStrCat.MSVBVM60(?,00000000), ref: 0043226B
__vbaStrMove.MSVBVM60 ref: 00432272
__vbaStrCat.MSVBVM60(, ErrDesc : ,00000000), ref: 0043227A
__vbaStrMove.MSVBVM60 ref: 00432281
__vbaStrCat.MSVBVM60(?,00000000), ref: 00432288
__vbaStrMove.MSVBVM60 ref: 0043228F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 004322C0
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 004322DC
__vbaFreeVar.MSVBVM60 ref: 004322E8
__vbaStrCat.MSVBVM60(?, Webpost failed : Return Status : ,00405F48,00405F48,00405F48,?), ref: 00432324
__vbaStrMove.MSVBVM60 ref: 00432331
__vbaStrCat.MSVBVM60(, ErrNo : ,00000000), ref: 00432339
__vbaStrMove.MSVBVM60 ref: 00432340
__vbaStrCat.MSVBVM60(?,00000000), ref: 00432347
__vbaStrMove.MSVBVM60 ref: 0043234E
__vbaStrCat.MSVBVM60(, ErrDesc : ,00000000), ref: 00432356
__vbaStrMove.MSVBVM60 ref: 0043235D
__vbaStrCat.MSVBVM60(?,00000000), ref: 00432364
__vbaStrMove.MSVBVM60 ref: 0043236B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0043239B
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 004323B7
__vbaFreeVar.MSVBVM60 ref: 004323C3
__vbaInStr.MSVBVM60(00000000,wpmalwruninstallst,?,00000001), ref: 004323E3
__vbaInStr.MSVBVM60(00000000,wpmalwrregstatus ,?,00000001), ref: 0043240B
__vbaStrCopy.MSVBVM60 ref: 00432420
#519.MSVBVM60(?), ref: 00432431
__vbaStrMove.MSVBVM60 ref: 0043243C
__vbaStrCmp.MSVBVM60(00405F48,00000000), ref: 00432444
__vbaFreeStr.MSVBVM60 ref: 00432457
__vbaStrCat.MSVBVM60(?, Webpost return status : ,00405F48,00405F48,00405F48,?), ref: 00432491
__vbaStrMove.MSVBVM60 ref: 00432498
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 004324C9
__vbaFreeStr.MSVBVM60 ref: 004324D2
__vbaFreeVar.MSVBVM60 ref: 004324E1
__vbaStrCopy.MSVBVM60 ref: 004324F2
#520.MSVBVM60(?,00004008), ref: 0043251D
__vbaStrVarMove.MSVBVM60(?), ref: 00432527
__vbaStrMove.MSVBVM60 ref: 00432532
__vbaFreeVar.MSVBVM60 ref: 00432537
__vbaStrCopy.MSVBVM60 ref: 0043254A
__vbaVarSetObjAddref.MSVBVM60(?,00000000), ref: 0043255D
__vbaExitProc.MSVBVM60 ref: 00432563
__vbaFreeVar.MSVBVM60(00432748), ref: 0043271D
__vbaFreeStr.MSVBVM60 ref: 0043272C
__vbaFreeStr.MSVBVM60 ref: 00432731
__vbaFreeStr.MSVBVM60 ref: 00432736

Strings

zWbPost.WebPost, xrefs: 00432065
wpmalwruninstallst, xrefs: 004323D6, 004323F0
, ErrNo : , xrefs: 00432258, 00432334
, ErrDesc : , xrefs: 00432275, 00432351
PostXMLString, xrefs: 004321DD
MSG, xrefs: 00432292, 0043236E, 0043249B
ModFunctions, xrefs: 0043229C, 00432378, 004324A5
Webpost failed : Return Status : , xrefs: 00432315
wpmalwrregstatus , xrefs: 00432404, 00432418
ReqWebPostData, xrefs: 00432297, 00432373
Webpost Success : Return Status : , xrefs: 00432239
Webpost return status : , xrefs: 00432488
ReqWebPost, xrefs: 004324A0

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Move$Free$Copy$CheckHresult$List$#519#520#716AddrefBoolCallErrorExitLateProc
String ID: Webpost Success : Return Status : $ Webpost failed : Return Status : $ Webpost return status : $, ErrDesc : $, ErrNo : $MSG$ModFunctions$PostXMLString$ReqWebPost$ReqWebPostData$wpmalwrregstatus $wpmalwruninstallst$zWbPost.WebPost
API String ID: 1610952589-802328968
Opcode ID: 20500448c770eb9c7f6f39e49043a4abbfacacccf19b331a5fbd503da6e87064
Instruction ID: e2782061c4dc97511eafe2016e2889410605cc4caca4ea6b9a6ff9435105f5be
Opcode Fuzzy Hash: 20500448c770eb9c7f6f39e49043a4abbfacacccf19b331a5fbd503da6e87064
Instruction Fuzzy Hash: E9125DB1D00218DFDB14DFA8CD84A9EBBB8FF48700F2081AAE505B7295DB755A46CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004457E0 Relevance: 112.2, APIs: 49, Strings: 15, Instructions: 232COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,6CE5A323,6CE6D8B1,6CE6D83C), ref: 0044583F
__vbaStrCopy.MSVBVM60 ref: 0044585C
__vbaStrCopy.MSVBVM60 ref: 0044586D
__vbaStrCmp.MSVBVM60(00405F48,00000000), ref: 00445881
__vbaStrCopy.MSVBVM60 ref: 0044589A
__vbaStrCat.MSVBVM60(00000000,Uninstall Failed), ref: 004458B5
__vbaStrMove.MSVBVM60 ref: 004458C2
__vbaStrCopy.MSVBVM60 ref: 004458D5
__vbaStrCopy.MSVBVM60 ref: 004458E6
__vbaStrCopy.MSVBVM60 ref: 00445905
__vbaStrCat.MSVBVM60(<regid>,00000000), ref: 0044591A
__vbaStrMove.MSVBVM60 ref: 00445921
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0044592A
__vbaStrMove.MSVBVM60 ref: 00445931
__vbaStrCat.MSVBVM60(</regid>,00000000), ref: 00445939
__vbaStrMove.MSVBVM60 ref: 00445942
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00445954
#546.MSVBVM60(?), ref: 00445964
__vbaVarDup.MSVBVM60 ref: 0044597E
__vbaStrCat.MSVBVM60(<mndttime>,00000000), ref: 00445990
__vbaStrMove.MSVBVM60 ref: 00445997
#650.MSVBVM60(?,?,00000001,00000001,00000000), ref: 004459A6
__vbaStrMove.MSVBVM60 ref: 004459B1
__vbaStrCat.MSVBVM60(00000000), ref: 004459B4
__vbaStrMove.MSVBVM60 ref: 004459BB
__vbaStrCat.MSVBVM60(</mndttime>,00000000), ref: 004459C3
__vbaStrMove.MSVBVM60 ref: 004459CC
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004459DC
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004459E8
__vbaStrCat.MSVBVM60(<status>,00000000), ref: 00445A03
__vbaStrMove.MSVBVM60 ref: 00445A0A
__vbaStrCat.MSVBVM60(?,00000000), ref: 00445A11
__vbaStrMove.MSVBVM60 ref: 00445A18
__vbaStrCat.MSVBVM60(</status>,00000000), ref: 00445A20
__vbaStrMove.MSVBVM60 ref: 00445A29
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00445A35
__vbaStrCat.MSVBVM60(<desc><![CDATA[,00000000), ref: 00445A4D
__vbaStrMove.MSVBVM60 ref: 00445A54
__vbaStrCat.MSVBVM60(?,00000000), ref: 00445A5B
__vbaStrMove.MSVBVM60 ref: 00445A62
__vbaStrCat.MSVBVM60(]]></desc>,00000000), ref: 00445A6A
__vbaStrMove.MSVBVM60 ref: 00445A73
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00445A7F
__vbaStrCat.MSVBVM60(</wpmalwruninstallst>,00000000), ref: 00445A97
__vbaStrMove.MSVBVM60 ref: 00445AA0
__vbaExitProc.MSVBVM60 ref: 00445AA2
__vbaFreeStr.MSVBVM60(00445BF4), ref: 00445BE7
__vbaFreeStr.MSVBVM60 ref: 00445BEC
__vbaFreeStr.MSVBVM60 ref: 00445BF1

Strings

MM\/DD\/YYYY HH\:NN\:SS, xrefs: 0044596A
<mndttime>, xrefs: 0044598B
<wpmalwruninstallst>, xrefs: 004458FB
</regid>, xrefs: 00445934
<status>, xrefs: 004459FE
</mndttime>, xrefs: 004459BE
FAILED, xrefs: 00445892
<regid>, xrefs: 00445915
]]></desc>, xrefs: 00445A65
SUCCESS, xrefs: 004458CD
<desc><![CDATA[, xrefs: 00445A48
Uninstallation successfull., xrefs: 004458DE
Uninstall Failed, xrefs: 004458A3
</status>, xrefs: 00445A1B
</wpmalwruninstallst>, xrefs: 00445A92

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Move$Free$Copy$List$#546#650ErrorExitProc
String ID: </mndttime>$</regid>$</status>$</wpmalwruninstallst>$<desc><![CDATA[$<mndttime>$<regid>$<status>$<wpmalwruninstallst>$FAILED$MM\/DD\/YYYY HH\:NN\:SS$SUCCESS$Uninstall Failed$Uninstallation successfull.$]]></desc>
API String ID: 2786762717-800127591
Opcode ID: e64597c76bada6a477b99eb879093e7f1d5020cab8eef796de7e794949b7025a
Instruction ID: 65656015cf49e3b70be78d0af0208cc076bbe1401ed15fab0ed9108d3df1f70e
Opcode Fuzzy Hash: e64597c76bada6a477b99eb879093e7f1d5020cab8eef796de7e794949b7025a
Instruction Fuzzy Hash: 75814F71D01208ABDB00EBE5DD84AEEFBB9EF94300F24816BE105A72A0DBB45E45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00419730 Relevance: 107.2, APIs: 57, Strings: 4, Instructions: 434COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6CE6D8B1,00000000,00000000), ref: 004197AD
__vbaOnError.MSVBVM60(00000001), ref: 004197BC
__vbaSetSystemError.MSVBVM60(00000000,00000000,0000003F), ref: 004197F2
__vbaStrToAnsi.MSVBVM60(?,?,000001FF), ref: 00419822
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 00419835
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0041983F
__vbaFreeStr.MSVBVM60 ref: 00419851
#685.MSVBVM60 ref: 00419873
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419880
__vbaFreeObj.MSVBVM60 ref: 0041988B
__vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 004198CE
#685.MSVBVM60 ref: 004198E8
__vbaObjSet.MSVBVM60(?,00000000), ref: 004198EF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407E74,0000004C), ref: 0041990F
__vbaFreeObj.MSVBVM60 ref: 00419921
#685.MSVBVM60(00002710), ref: 004199BA
__vbaObjSet.MSVBVM60(?,00000000), ref: 004199C1
__vbaStrI4.MSVBVM60(?,fncUpdSetServiceStarted : ), ref: 004199ED
__vbaStrMove.MSVBVM60 ref: 004199F8
__vbaStrCat.MSVBVM60(00000000), ref: 004199FF
__vbaVarDup.MSVBVM60 ref: 00419A29
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407E74,00000044), ref: 00419A5F
__vbaFreeStr.MSVBVM60 ref: 00419A68
__vbaFreeObj.MSVBVM60 ref: 00419A71
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00419A8F
__vbaSetSystemError.MSVBVM60(?), ref: 00419AA8
#685.MSVBVM60 ref: 00419AC0
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419ACD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407E74,0000004C), ref: 00419AED
#685.MSVBVM60 ref: 00419AF3
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419AFA
__vbaStrI4.MSVBVM60(?,fncUpdSetServiceStarted : ), ref: 00419B29
__vbaStrMove.MSVBVM60 ref: 00419B34
__vbaStrCat.MSVBVM60(00000000), ref: 00419B3B
__vbaVarDup.MSVBVM60 ref: 00419B65
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407E74,00000044), ref: 00419B9B
__vbaFreeStr.MSVBVM60 ref: 00419BA4
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00419BB4
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00419BD2
__vbaSetSystemError.MSVBVM60(?), ref: 00419BEB
__vbaExitProc.MSVBVM60 ref: 00419BF1
#685.MSVBVM60 ref: 00419C0E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419C1B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407E74,0000004C), ref: 00419C3B
#685.MSVBVM60 ref: 00419C41
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419C48
__vbaStrI4.MSVBVM60(?,fncUpdSetServiceStarted : ), ref: 00419C77
__vbaStrMove.MSVBVM60 ref: 00419C82
__vbaStrCat.MSVBVM60(00000000), ref: 00419C89
__vbaVarDup.MSVBVM60 ref: 00419CB3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407E74,00000044), ref: 00419CE9
__vbaFreeStr.MSVBVM60 ref: 00419CF2
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00419D02
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00419D20
__vbaExitProc.MSVBVM60 ref: 00419D29
__vbaFreeStr.MSVBVM60(00419EE9), ref: 00419EE2

Strings

hSCManager, xrefs: 00419C9A
hService, xrefs: 00419B4C
blnStart, xrefs: 00419A10
fncUpdSetServiceStarted : , xrefs: 004199E4, 00419B1D, 00419C6B

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$#685$CheckErrorHresult$ListSystem$Move$ExitProc$AnsiCopyUnicode
String ID: blnStart$fncUpdSetServiceStarted : $hSCManager$hService
API String ID: 628489315-1474227879
Opcode ID: 17dfe4ba16436696914cfe38be1b1074aebde54b35158d5bddef63ad765c865b
Instruction ID: 260c7798a551d9578db1768fe8ba0bc2d04adf6ecbb7264bc68e987b78bc76ad
Opcode Fuzzy Hash: 17dfe4ba16436696914cfe38be1b1074aebde54b35158d5bddef63ad765c865b
Instruction Fuzzy Hash: DA02C8B1D01218AFDB10DFA4DD48BDEBBB8BF44704F1081AAE149B7291DB745A89CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0042B4A0 Relevance: 105.3, APIs: 55, Strings: 5, Instructions: 342COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6CE6D83C,00000000,6CE6D8CD), ref: 0042B53E
__vbaStrCopy.MSVBVM60 ref: 0042B546
__vbaOnError.MSVBVM60(00000001), ref: 0042B551
__vbaStrCmp.MSVBVM60(00405F48,00000000), ref: 0042B569
__vbaStrCopy.MSVBVM60 ref: 0042B581
#519.MSVBVM60 ref: 0042B58D
__vbaStrMove.MSVBVM60 ref: 0042B59E
#527.MSVBVM60(00000000), ref: 0042B5A1
__vbaStrMove.MSVBVM60 ref: 0042B5AB
__vbaFreeStr.MSVBVM60 ref: 0042B5B0
__vbaStrCopy.MSVBVM60 ref: 0042B5D5
__vbaStrCopy.MSVBVM60 ref: 0042B5E3
__vbaStrMove.MSVBVM60(80000002,?,?,00000001,?), ref: 0042B61A
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042B626
#520.MSVBVM60(?,00004008), ref: 0042B654
#619.MSVBVM60(?,?,00000001), ref: 0042B664
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0042B689
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042B69F
__vbaStrCat.MSVBVM60(004074E8,?), ref: 0042B6C1
__vbaStrMove.MSVBVM60 ref: 0042B6CC
__vbaStrCat.MSVBVM60(Configuration\zScriptDNS.ini,?), ref: 0042B6DE
__vbaStrMove.MSVBVM60 ref: 0042B6E9
__vbaStrMove.MSVBVM60(?,?,00000000), ref: 0042B6FD
#519.MSVBVM60(00000000,?,00000000), ref: 0042B700
__vbaStrMove.MSVBVM60(?,00000000), ref: 0042B70B
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 0042B717
__vbaStrCmp.MSVBVM60(00405F48,?), ref: 0042B736
__vbaStrCmp.MSVBVM60(00405F48,?), ref: 0042B74E
__vbaStrCat.MSVBVM60(Configuration\zScriptDNS.ini,?,?,?,?), ref: 0042B77B
__vbaStrMove.MSVBVM60(?,?), ref: 0042B786

Part of subcall function 0042BCE0: __vbaStrCopy.MSVBVM60(?,6CE6D8B1,6CE6D8E2), ref: 0042BD45
Part of subcall function 0042BCE0: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042BD4D
Part of subcall function 0042BCE0: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042BD55
Part of subcall function 0042BCE0: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042BD5D
Part of subcall function 0042BCE0: __vbaOnError.MSVBVM60(00000001), ref: 0042BD68
Part of subcall function 0042BCE0: #525.MSVBVM60(00000064), ref: 0042BD77
Part of subcall function 0042BCE0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042BD82
Part of subcall function 0042BCE0: __vbaStrToAnsi.MSVBVM60(?,?), ref: 0042BD9D
Part of subcall function 0042BCE0: __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0042BDA8
Part of subcall function 0042BCE0: __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0042BDB3
Part of subcall function 0042BCE0: __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0042BDBE
Part of subcall function 0042BCE0: __vbaSetSystemError.MSVBVM60(00000000), ref: 0042BDC8
Part of subcall function 0042BCE0: __vbaStrToUnicode.MSVBVM60(?,?), ref: 0042BDDC
Part of subcall function 0042BCE0: __vbaStrToUnicode.MSVBVM60(?,?), ref: 0042BDE6
Part of subcall function 0042BCE0: __vbaStrToUnicode.MSVBVM60(?,?), ref: 0042BDF0
Part of subcall function 0042BCE0: __vbaStrToUnicode.MSVBVM60(?,?), ref: 0042BDFA

__vbaFreeStr.MSVBVM60(00000000,?,?), ref: 0042B791
__vbaStrCopy.MSVBVM60(?,?), ref: 0042B7A4
__vbaStrCmp.MSVBVM60(00405F48,?), ref: 0042B7BA
__vbaStrCat.MSVBVM60(Configuration\zMBUpgradeDNS.ini,?), ref: 0042B7D4
__vbaStrMove.MSVBVM60(?,?), ref: 0042B7DF
__vbaStrMove.MSVBVM60(?,00000000,00000000), ref: 0042B7F3
#519.MSVBVM60(00000000), ref: 0042B7F6
__vbaStrMove.MSVBVM60(?,?), ref: 0042B801
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042B80D
#520.MSVBVM60(?,?), ref: 0042B842
#520.MSVBVM60(?,00004008), ref: 0042B85E
#619.MSVBVM60(?,?,00000001), ref: 0042B87F
__vbaVarCmpNe.MSVBVM60(?,00008008,?), ref: 0042B8AA
__vbaVarCmpNe.MSVBVM60(?,?,?,00000000), ref: 0042B8BF
__vbaVarAnd.MSVBVM60(?,00000000), ref: 0042B8C9
__vbaBoolVarNull.MSVBVM60(00000000), ref: 0042B8D0
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0042B8E6
__vbaStrCat.MSVBVM60(0040B12C,?), ref: 0042B904
__vbaStrMove.MSVBVM60 ref: 0042B90F
__vbaStrCopy.MSVBVM60 ref: 0042B91E
__vbaExitProc.MSVBVM60 ref: 0042B924
__vbaFreeStr.MSVBVM60(0042B9A2), ref: 0042B990
__vbaFreeStr.MSVBVM60 ref: 0042B995
__vbaFreeStr.MSVBVM60 ref: 0042B99A
__vbaFreeStr.MSVBVM60 ref: 0042B99F

Strings

InstallationPath, xrefs: 0042B5CD
URL, xrefs: 0042B57A
Configuration\zMBUpgradeDNS.ini, xrefs: 0042B7CF
SOFTWARE\SAAZOD, xrefs: 0042B5DB
Configuration\zScriptDNS.ini, xrefs: 0042B6D9, 0042B776

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Move$CopyFree$List$AnsiUnicode$#519#520Error$#619$#525#527BoolExitNullProcSystem
String ID: Configuration\zMBUpgradeDNS.ini$Configuration\zScriptDNS.ini$InstallationPath$SOFTWARE\SAAZOD$URL
API String ID: 2832585970-531440369
Opcode ID: 1fbea30ae6816f315a9225d2b230aedb8a0b641d1afa98c2ca4329fc64000706
Instruction ID: ea3e6c729fa67703433fa4d11687c78d1deaf359c76a2f10049cecf2a1df17c2
Opcode Fuzzy Hash: 1fbea30ae6816f315a9225d2b230aedb8a0b641d1afa98c2ca4329fc64000706
Instruction Fuzzy Hash: 1BE1DAB1D00218EBDB14DFA5DD84ADEBBB9FF48300F5081AAE50AB7250DB745A49CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00433DD0 Relevance: 100.1, APIs: 47, Strings: 10, Instructions: 350COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6CE5A323,6CE6D8B1,6CE927C2), ref: 00433E95
__vbaOnError.MSVBVM60(00000001), ref: 00433EA0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 00433EF7
__vbaFreeVar.MSVBVM60 ref: 00433F03
__vbaSetSystemError.MSVBVM60 ref: 00433F53
__vbaStrCopy.MSVBVM60 ref: 00433F7A
__vbaSetSystemError.MSVBVM60 ref: 00433FF3
__vbaStrVarVal.MSVBVM60(?,?), ref: 0043401A
#519.MSVBVM60(00000000), ref: 00434021
__vbaStrMove.MSVBVM60 ref: 00434035
__vbaStrCat.MSVBVM60(?,Failed to Get MD5 check Sum for File ,00405F48,00405F48,00405F48,?), ref: 00434075
__vbaStrMove.MSVBVM60 ref: 0043407C
__vbaStrCat.MSVBVM60( Error = ,00000000), ref: 00434084
__vbaStrMove.MSVBVM60 ref: 0043408B
__vbaStrMove.MSVBVM60(00000000), ref: 00434097
__vbaStrCat.MSVBVM60(00000000), ref: 0043409A
__vbaStrMove.MSVBVM60 ref: 004340A1
__vbaStrCat.MSVBVM60( with ,00000000), ref: 004340A9
__vbaStrMove.MSVBVM60 ref: 004340B0
__vbaStrCat.MSVBVM60(?,00000000), ref: 004340B7
__vbaStrMove.MSVBVM60 ref: 004340C1
__vbaStrCat.MSVBVM60( KB Block Size,00000000), ref: 004340C9
__vbaStrMove.MSVBVM60 ref: 004340D3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 00434106
__vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,?), ref: 0043413B
__vbaFreeVar.MSVBVM60 ref: 0043414A
__vbaStrVarVal.MSVBVM60(?,?), ref: 00434167
#519.MSVBVM60(00000000), ref: 0043416E
__vbaStrMove.MSVBVM60 ref: 00434179
#527.MSVBVM60(00000000), ref: 0043417C
__vbaVarMove.MSVBVM60 ref: 0043419C
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004341AC
__vbaVarCat.MSVBVM60(?,?,?,00405F48,00405F48,00405F48,?), ref: 004341FC
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 00434207
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0043423C
__vbaFreeStr.MSVBVM60 ref: 00434245
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0043425B
__vbaStrVarCopy.MSVBVM60(?), ref: 0043426F
__vbaStrMove.MSVBVM60 ref: 0043427A
__vbaExitProc.MSVBVM60 ref: 0043427C
__vbaFreeVar.MSVBVM60(0043465A), ref: 00434633
__vbaFreeVar.MSVBVM60 ref: 00434638
__vbaFreeStr.MSVBVM60 ref: 00434643
__vbaFreeStr.MSVBVM60 ref: 00434648
__vbaFreeStr.MSVBVM60 ref: 0043464D
__vbaFreeStr.MSVBVM60 ref: 00434652
__vbaFreeVar.MSVBVM60 ref: 00434657

Strings

Error = , xrefs: 0043407F
ModFunctions, xrefs: 00433ED9, 004340E0, 00434218
Failed to Get MD5 check Sum for File , xrefs: 00434066
ERR, xrefs: 004340D6
KB Block Size, xrefs: 004340C4
with , xrefs: 004340A4
GetDataMD5, xrefs: 00433ED4, 004340DB, 00434213
Getting MD5 checksum..., xrefs: 00433ECA
FileMD5CheckSum : , xrefs: 004341BC
MSG, xrefs: 00433ECF, 0043420E

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Move$CheckCopyErrorHresultList$#519System$#527ExitProc
String ID: Error = $ KB Block Size$ with $ERR$Failed to Get MD5 check Sum for File $FileMD5CheckSum : $GetDataMD5$Getting MD5 checksum...$MSG$ModFunctions
API String ID: 2721106980-482781455
Opcode ID: 537c6638ecf5543d78be96d41dca750fa2b8d3ff998eb77b9cd10c918d1a6523
Instruction ID: d5bbeba211eb0501a669ebfb498b47a62ab7ba2cd0ac400e48ef9467168be6d9
Opcode Fuzzy Hash: 537c6638ecf5543d78be96d41dca750fa2b8d3ff998eb77b9cd10c918d1a6523
Instruction Fuzzy Hash: E4E139B1D002189BCB14DFA5CD85ADEFBB8FF94300F1085AAE509B72A4DBB46A45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00417850 Relevance: 98.4, APIs: 52, Strings: 4, Instructions: 387COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004178D9
__vbaOnError.MSVBVM60(00000001), ref: 004178E8
__vbaSetSystemError.MSVBVM60(00000000,00000000,00000001), ref: 00417914
__vbaStrToAnsi.MSVBVM60(?,?,00000040), ref: 00417941
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 00417954
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0041795E
__vbaFreeStr.MSVBVM60 ref: 00417970

Part of subcall function 0041B720: __vbaChkstk.MSVBVM60(00002710,00404B66,?,?,?,?,00419983,00002710), ref: 0041B73E
Part of subcall function 0041B720: __vbaOnError.MSVBVM60(000000FF,00000005,6CE6D94B,6CE5B728,00002710,00404B66), ref: 0041B76E
Part of subcall function 0041B720: __vbaSetSystemError.MSVBVM60 ref: 0041B786

__vbaSetSystemError.MSVBVM60(?,00000003,?,000007D0), ref: 004179BF
#685.MSVBVM60 ref: 004179EB
__vbaObjSet.MSVBVM60(?,00000000), ref: 004179F6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407E74,0000004C), ref: 00417A1A
#685.MSVBVM60 ref: 00417A20
__vbaObjSet.MSVBVM60(?,00000000), ref: 00417A2B
__vbaStrI4.MSVBVM60(00000001,fncUpdSetServiceContinued : ), ref: 00417A61
__vbaStrMove.MSVBVM60 ref: 00417A6C
__vbaStrCat.MSVBVM60(00000000), ref: 00417A73
__vbaVarDup.MSVBVM60 ref: 00417A9B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407E74,00000044), ref: 00417AD4
__vbaFreeStr.MSVBVM60 ref: 00417ADD
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00417AED
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00417B0E
__vbaSetSystemError.MSVBVM60(?), ref: 00417B2D
#685.MSVBVM60(000007D0), ref: 00417B3B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00417B46
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407E74,0000004C), ref: 00417B6A
#685.MSVBVM60 ref: 00417B70
__vbaObjSet.MSVBVM60(?,00000000), ref: 00417B7B
__vbaStrI4.MSVBVM60(000007D0,fncUpdSetServiceContinued : ), ref: 00417BB1
__vbaStrMove.MSVBVM60 ref: 00417BBC
__vbaStrCat.MSVBVM60(00000000), ref: 00417BC3
__vbaVarDup.MSVBVM60 ref: 00417BEB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407E74,00000044), ref: 00417C24
__vbaFreeStr.MSVBVM60 ref: 00417C2D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00417C3D
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00417C5E
__vbaSetSystemError.MSVBVM60(?), ref: 00417C7D
__vbaExitProc.MSVBVM60 ref: 00417C7F
#685.MSVBVM60 ref: 00417C9C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00417CA3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407E74,0000004C), ref: 00417CC7
#685.MSVBVM60 ref: 00417CCD
__vbaObjSet.MSVBVM60(?,00000000), ref: 00417CD4
__vbaStrI4.MSVBVM60(?,fncUpdSetServiceContinued : ), ref: 00417D0A
__vbaStrMove.MSVBVM60 ref: 00417D15
__vbaStrCat.MSVBVM60(00000000), ref: 00417D1C
__vbaVarDup.MSVBVM60 ref: 00417D49
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407E74,00000044), ref: 00417D82
__vbaFreeStr.MSVBVM60 ref: 00417D8B
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00417D9B
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00417DBC
__vbaExitProc.MSVBVM60 ref: 00417DC5
__vbaFreeStr.MSVBVM60(00417F8E), ref: 00417F87

Strings

hSCManager, xrefs: 00417D30
ControlService, xrefs: 00417A82
fncUpdSetServiceContinued : , xrefs: 00417A55, 00417BA5, 00417CFE
hService, xrefs: 00417BD2

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Error$#685CheckHresultListSystem$Move$ExitProc$AnsiChkstkCopyUnicode
String ID: ControlService$fncUpdSetServiceContinued : $hSCManager$hService
API String ID: 604478572-3379593567
Opcode ID: 3a2089555de153f4c6d04b76db678ef7dd91949e96f943ea8ccdf055908bfef1
Instruction ID: 5ae498029cd2ea1f50a7336de9d4f6d8f85d2cb53e67f7275427dbdd482d612a
Opcode Fuzzy Hash: 3a2089555de153f4c6d04b76db678ef7dd91949e96f943ea8ccdf055908bfef1
Instruction Fuzzy Hash: C9F1FBB1D002189FDB10DFA5CE88BDEBBB8BF48304F1085AAE249B7151DB745A85CF65

Uniqueness

Uniqueness Score: -1.00%

Function 004164F0 Relevance: 98.3, APIs: 47, Strings: 9, Instructions: 322COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00416582
__vbaOnError.MSVBVM60(00000001), ref: 00416591
__vbaVarDup.MSVBVM60 ref: 004165DD
#626.MSVBVM60(?,?,0000000A), ref: 004165F2
__vbaVarLateMemCallLd.MSVBVM60(?,?,InstancesOf,00000001), ref: 00416629
__vbaObjVar.MSVBVM60(00000000), ref: 00416633
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0041663E
__vbaFreeVarList.MSVBVM60(00000004,?,0000000A,?,?), ref: 0041665C
__vbaForEachCollVar.MSVBVM60(?,?,?), ref: 00416682
#527.MSVBVM60(?,00000001), ref: 004166BA
__vbaStrMove.MSVBVM60 ref: 004166C1
__vbaVarLateMemCallLd.MSVBVM60(?,?,Caption,00000000,00000000), ref: 004166D3
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 004166E1
#519.MSVBVM60(00000000), ref: 004166E8
__vbaStrMove.MSVBVM60 ref: 004166F3
#527.MSVBVM60(00000000), ref: 004166F6
__vbaStrMove.MSVBVM60 ref: 004166FD
__vbaInStr.MSVBVM60(00000001,00000000), ref: 00416702
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0041672A
__vbaFreeVar.MSVBVM60 ref: 00416736
__vbaNextEachCollVar.MSVBVM60(?,?), ref: 00416766
__vbaVarLateMemCallLd.MSVBVM60(?,?,Caption,00000000), ref: 00416787
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 00416795
#519.MSVBVM60(00000000), ref: 0041679C
__vbaStrMove.MSVBVM60 ref: 004167A7
#527.MSVBVM60(00000000), ref: 004167AA
__vbaStrMove.MSVBVM60 ref: 004167B1
__vbaStrMove.MSVBVM60(00405F48,00405F48,00405F48,0000000A), ref: 004167DA
__vbaStrCat.MSVBVM60( found running,00000000), ref: 004167E2
__vbaStrMove.MSVBVM60 ref: 004167ED
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0041681E
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041683A
__vbaFreeVarList.MSVBVM60(00000002,?,0000000A), ref: 0041684A
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0041686E
__vbaExitProc.MSVBVM60 ref: 00416874
__vbaStrCat.MSVBVM60( not running.,?,00405F48,00405F48,00405F48,?), ref: 004168AF
__vbaStrMove.MSVBVM60 ref: 004168BA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 004168EB
__vbaFreeStr.MSVBVM60 ref: 004168F4
__vbaFreeVar.MSVBVM60 ref: 004168FD
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00416910
__vbaExitProc.MSVBVM60 ref: 00416916
__vbaFreeObj.MSVBVM60(00416AFA), ref: 00416AE0
__vbaFreeVar.MSVBVM60 ref: 00416AE5
__vbaFreeObj.MSVBVM60 ref: 00416AEE
__vbaFreeStr.MSVBVM60 ref: 00416AF3
__vbaErrorOverflow.MSVBVM60 ref: 00416B11

Strings

IsProcessRunning_WMI, xrefs: 004167F5, 004168C2
Caption, xrefs: 004166C6, 0041677A
ModProcesses, xrefs: 004167FA, 004168C7
InstancesOf, xrefs: 00416616
not running., xrefs: 004168AA
Win32_Process, xrefs: 004165AC
MSG, xrefs: 004167F0, 004168BD
winmgmts:, xrefs: 004165C4
found running, xrefs: 004167DD

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Move$List$#527AddrefCallLate$#519CheckCollEachErrorExitHresultProc$#626CopyNextOverflow
String ID: found running$ not running.$Caption$InstancesOf$IsProcessRunning_WMI$MSG$ModProcesses$Win32_Process$winmgmts:
API String ID: 642694409-1675402352
Opcode ID: 10761a3947a6a563588a8bbd5f1b99b0d2f5a3d598377464b45d29ee979daed4
Instruction ID: b250c8aeabb373f9a2eb12284a1a5ca294977703c881f34b15d42bd0e9aa8df6
Opcode Fuzzy Hash: 10761a3947a6a563588a8bbd5f1b99b0d2f5a3d598377464b45d29ee979daed4
Instruction Fuzzy Hash: 9CD107B1D00218ABDB14DFA4DD88BDEBBB8FB48300F14816EE146B71A4DB745A49CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00424FB0 Relevance: 96.4, APIs: 64, Instructions: 412COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,6CE5D9F1,6CE6D8B1,6CE6D8F4), ref: 00425016
#607.MSVBVM60(?,000000FF,?), ref: 00425036
__vbaStrVarMove.MSVBVM60(?), ref: 00425040
__vbaStrMove.MSVBVM60 ref: 00425051
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042505C
__vbaLenBstr.MSVBVM60(?), ref: 00425070
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00425085
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00425092
__vbaSetSystemError.MSVBVM60(00000000,?,00000000), ref: 0042509A
__vbaStrToUnicode.MSVBVM60(00425534,?,?,00000000), ref: 004250AB
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 004250B5
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 004250C1
#537.MSVBVM60(00000000,?,00000001), ref: 004250DF
__vbaStrMove.MSVBVM60 ref: 004250E6
__vbaInStr.MSVBVM60(00000000,00000000), ref: 004250EB
__vbaFreeStr.MSVBVM60 ref: 00425100
#537.MSVBVM60(00000000,?,00000001), ref: 0042511E
__vbaStrMove.MSVBVM60 ref: 00425125
__vbaInStr.MSVBVM60(00000000,00000000), ref: 0042512A
#616.MSVBVM60(?,-00000001), ref: 0042513E
__vbaStrMove.MSVBVM60 ref: 00425149
__vbaFreeStr.MSVBVM60 ref: 0042514E
__vbaExitProc.MSVBVM60 ref: 00425154
__vbaExitProc.MSVBVM60 ref: 00425299
__vbaErrorOverflow.MSVBVM60 ref: 00425308
__vbaStrCopy.MSVBVM60(6CF5C281,6CE6D8B1,6CF560EF), ref: 004253A2
__vbaOnError.MSVBVM60(00000001), ref: 004253B1
#519.MSVBVM60(?), ref: 004253C8
__vbaStrMove.MSVBVM60 ref: 004253D5
__vbaVarDup.MSVBVM60 ref: 004253F4
__vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 0042540A
#711.MSVBVM60(?,00000000), ref: 00425411
__vbaVarMove.MSVBVM60 ref: 0042541D
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00425433
__vbaFreeVar.MSVBVM60 ref: 0042543B

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Move$Free$Error$List$#537AnsiExitProcUnicode$#519#607#616#711BstrCopyOverflowSystem
String ID:
API String ID: 1579714342-0
Opcode ID: b3f36ec26956edb7dc4e3b0b928c3b8a94d5ce33091fdf6187ec35f840f015ee
Instruction ID: 60a9410f18223bf34a1ffa7056b07c5fd0b77872f0bc17490b54d24eb5699ace
Opcode Fuzzy Hash: b3f36ec26956edb7dc4e3b0b928c3b8a94d5ce33091fdf6187ec35f840f015ee
Instruction Fuzzy Hash: A302E7B1D00218ABDB14DFA4DD84BDEBBB8FF48700F10816AE509B72A0DB745A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004247A0 Relevance: 92.0, APIs: 61, Instructions: 488COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6CE6D8B1,6CE5A323,00000000), ref: 00424862
__vbaStrCopy.MSVBVM60 ref: 0042486A
__vbaStrCopy.MSVBVM60 ref: 00424872
__vbaOnError.MSVBVM60(00000001), ref: 0042487D
__vbaStrCmp.MSVBVM60(00405F48,?), ref: 00424893
__vbaNew2.MSVBVM60(004082E4,?), ref: 004248B8
__vbaHresultCheckObj.MSVBVM60(00000000,?,004082F4,00000054), ref: 004248E0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AF80,00000068), ref: 00424904
__vbaObjSet.MSVBVM60(?,?), ref: 00424918
__vbaForEachCollObj.MSVBVM60(0040ADB0,?,?,00000000), ref: 0042492F
__vbaFreeObj.MSVBVM60 ref: 0042493A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040ADB0,00000020), ref: 00424974
#619.MSVBVM60(?,?,00000004), ref: 00424995
#528.MSVBVM60(?,?), ref: 004249A3
#528.MSVBVM60(?,00004008), ref: 004249D6
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040ADB0,00000020), ref: 004249F7
__vbaInStr.MSVBVM60(00000001,?,?,00000001), ref: 00424A09
__vbaVarCat.MSVBVM60(?,?,?,?), ref: 00424A42
__vbaVarCmpEq.MSVBVM60(?,00000000), ref: 00424A50
__vbaVarAnd.MSVBVM60(?,0000000B,00000000), ref: 00424A65
__vbaBoolVarNull.MSVBVM60(00000000), ref: 00424A6C
__vbaFreeStr.MSVBVM60 ref: 00424A78
__vbaFreeVarList.MSVBVM60(00000006,?,?,?,?,?,0000000B), ref: 00424AA1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040ADB0,00000020), ref: 00424AD9
__vbaStrCat.MSVBVM60(004074E8,?), ref: 00424AE8
__vbaStrMove.MSVBVM60 ref: 00424AF9
__vbaStrCat.MSVBVM60(?,00000000), ref: 00424B00
__vbaStrMove.MSVBVM60 ref: 00424B0B
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 00424B12
__vbaSetSystemError.MSVBVM60(00000000), ref: 00424B1E
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 00424B36
__vbaNextEachCollObj.MSVBVM60(0040ADB0,?,?), ref: 00424B56
__vbaNew2.MSVBVM60(004082E4,?), ref: 00424B7A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004082F4,00000054), ref: 00424BA2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AF80,00000068), ref: 00424BC6
__vbaObjSet.MSVBVM60(?,?), ref: 00424BDA
__vbaForEachCollObj.MSVBVM60(0040ADB0,?,?,00000000), ref: 00424BF1
__vbaFreeObj.MSVBVM60 ref: 00424BFC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040ADB0,00000020), ref: 00424C3C
__vbaInStr.MSVBVM60(00000001,?,?,00000001), ref: 00424C4E
__vbaFreeStr.MSVBVM60 ref: 00424C63
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040ADB0,00000020), ref: 00424C94
__vbaStrCat.MSVBVM60(004074E8,?), ref: 00424CA3
__vbaStrMove.MSVBVM60 ref: 00424CAA
__vbaStrCat.MSVBVM60(?,00000000), ref: 00424CB1
__vbaStrMove.MSVBVM60 ref: 00424CB8
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 00424CBF
__vbaSetSystemError.MSVBVM60(00000000), ref: 00424CCB
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 00424CE3
__vbaNextEachCollObj.MSVBVM60(0040ADB0,?,?), ref: 00424D03
__vbaObjIs.MSVBVM60(?,00000000), ref: 00424D1E
__vbaCastObj.MSVBVM60(00000000,0040ADB0), ref: 00424D3A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00424D45
__vbaExitProc.MSVBVM60 ref: 00424D4B
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,00424F91), ref: 00424F62
__vbaFreeStr.MSVBVM60 ref: 00424F74
__vbaFreeObj.MSVBVM60 ref: 00424F7F
__vbaFreeStr.MSVBVM60 ref: 00424F84
__vbaFreeStr.MSVBVM60 ref: 00424F89
__vbaFreeObj.MSVBVM60 ref: 00424F8E

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$CheckHresult$CollEachListMove$CopyError$#528AnsiNew2NextSystem$#619BoolCastExitNullProc
String ID:
API String ID: 3895190889-0
Opcode ID: 9d0372463e552f9ff1d664b854ebffd5fc347b4c69af05a91cdc6d655cad825a
Instruction ID: 99f621cb94adda549111485ca73b081912b2199ad8214cbc5d8ca610ee31f72b
Opcode Fuzzy Hash: 9d0372463e552f9ff1d664b854ebffd5fc347b4c69af05a91cdc6d655cad825a
Instruction Fuzzy Hash: 3A12F7B1900218AFCB14DB94DD88EEEBBB9FF98700F14415AE506B72A0DB746A45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00416B20 Relevance: 89.6, APIs: 46, Strings: 5, Instructions: 311COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6CE6D83C,6CE6D8B1,00000000), ref: 00416B6F
#527.MSVBVM60(?), ref: 00416B79
__vbaStrMove.MSVBVM60 ref: 00416B8A
__vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,000003FF,00000000), ref: 00416BA8
__vbaAryLock.MSVBVM60(?,?), ref: 00416BB9
__vbaGenerateBoundsError.MSVBVM60 ref: 00416BD8
__vbaGenerateBoundsError.MSVBVM60 ref: 00416BEA
__vbaSetSystemError.MSVBVM60(?,00001000,?), ref: 00416C09
__vbaAryUnlock.MSVBVM60(?), ref: 00416C13
__vbaGenerateBoundsError.MSVBVM60 ref: 00416C5F
__vbaGenerateBoundsError.MSVBVM60 ref: 00416C71
__vbaSetSystemError.MSVBVM60(00000410,00000000), ref: 00416C8E
__vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,000003FF,00000000), ref: 00416CB4
__vbaAryLock.MSVBVM60(?,?), ref: 00416CC5
__vbaGenerateBoundsError.MSVBVM60 ref: 00416CE7
__vbaGenerateBoundsError.MSVBVM60 ref: 00416CF8
__vbaSetSystemError.MSVBVM60(00000000,?,00001000,?), ref: 00416D18
__vbaAryUnlock.MSVBVM60(?), ref: 00416D22
__vbaVarDup.MSVBVM60 ref: 00416D44
#606.MSVBVM60(00000104,?), ref: 00416D53
__vbaStrMove.MSVBVM60 ref: 00416D5E
__vbaFreeVar.MSVBVM60 ref: 00416D63
__vbaGenerateBoundsError.MSVBVM60 ref: 00416D82
__vbaGenerateBoundsError.MSVBVM60 ref: 00416D8D
__vbaStrToAnsi.MSVBVM60(?,?,00000104), ref: 00416DA2
__vbaSetSystemError.MSVBVM60(?,?,00000000), ref: 00416DBC
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 00416DCA
__vbaFreeStr.MSVBVM60(?,00000000), ref: 00416DD3
__vbaInStr.MSVBVM60(00000000,004085F4,?,00000001,?,00000000), ref: 00416DEB
#616.MSVBVM60(?,-00000001,?,00000000), ref: 00416DFB
__vbaStrMove.MSVBVM60(?,00000000), ref: 00416E06
#527.MSVBVM60(?,00000001,?,00000000), ref: 00416E0E
__vbaStrMove.MSVBVM60(?,00000000), ref: 00416E19
#527.MSVBVM60(?,00000000,?,00000000), ref: 00416E20
__vbaStrMove.MSVBVM60(?,00000000), ref: 00416E2B
__vbaInStr.MSVBVM60(00000001,00000000,?,00000000), ref: 00416E30
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 00416E47
__vbaStrCopy.MSVBVM60 ref: 00416E60
__vbaSetSystemError.MSVBVM60(?), ref: 00416E6F
#527.MSVBVM60(?), ref: 00416E9D
__vbaStrMove.MSVBVM60 ref: 00416EA8
__vbaAryDestruct.MSVBVM60(00000000,?,00416EFF), ref: 00416EE5
__vbaFreeStr.MSVBVM60 ref: 00416EF0
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00416EF7
__vbaFreeStr.MSVBVM60 ref: 00416EFC

Strings

ServiceStart, xrefs: 0041709A
fncUpdSetService : , xrefs: 0041706B, 004171D1, 00417335
ServiceStop, xrefs: 00417200
SERVICERESTART, xrefs: 00417364
fK@, xrefs: 00416E55, 00416EA3

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Error$BoundsGenerate$Move$FreeSystem$#527$CopyDestructLockRedimUnlock$#606#616AnsiListUnicode
String ID: SERVICERESTART$ServiceStart$ServiceStop$fK@$fncUpdSetService :
API String ID: 1296604355-135592322
Opcode ID: 668a229cdbd40a0eaf01f95c3bb1997a6172c2940bb2e3ee418e98f2773969ab
Instruction ID: 977fcbf6acfec2ed50174909e6f4ae858a9dc6def5604f5501378a00b8a11693
Opcode Fuzzy Hash: 668a229cdbd40a0eaf01f95c3bb1997a6172c2940bb2e3ee418e98f2773969ab
Instruction Fuzzy Hash: A5C13075E002199FCB14DFA4DD85AEEB7B5FB48300F118129F912B72A0DB749946CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042DCD0 Relevance: 82.5, APIs: 46, Strings: 1, Instructions: 264COMMON

Download Yara Rule

APIs

__vbaFixstrConstruct.MSVBVM60(00000101,?,00000000,6CE6D8B1,?), ref: 0042DD32
__vbaOnError.MSVBVM60(00000001), ref: 0042DD41
__vbaStrToAnsi.MSVBVM60(?,wininet.dll), ref: 0042DD73
__vbaSetSystemError.MSVBVM60(00000000), ref: 0042DD7E
__vbaFreeStr.MSVBVM60 ref: 0042DD8A
__vbaStrToAnsi.MSVBVM60(?,wininet.dll), ref: 0042DDAB
__vbaSetSystemError.MSVBVM60(00000000), ref: 0042DDB6
__vbaFreeStr.MSVBVM60 ref: 0042DDC2
__vbaStrToAnsi.MSVBVM60(?,?,00000100,00000000), ref: 0042DDF5
__vbaSetSystemError.MSVBVM60(00000800,?,0042D984,00000000,00000000), ref: 0042DE08
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0042DE16
__vbaLsetFixstr.MSVBVM60(00000000,?,00000000), ref: 0042DE23
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042DE33
__vbaStrCopy.MSVBVM60(-00000002), ref: 0042DE62
#616.MSVBVM60(00000000), ref: 0042DE69
__vbaStrMove.MSVBVM60 ref: 0042DE7A
__vbaLsetFixstr.MSVBVM60(00000000,?,?), ref: 0042DE86
__vbaStrI4.MSVBVM60(0042D984), ref: 0042DE8D
__vbaStrMove.MSVBVM60 ref: 0042DE98
__vbaStrCat.MSVBVM60(0040C0DC,00000000), ref: 0042DEA6
__vbaStrMove.MSVBVM60 ref: 0042DEAD
__vbaStrCat.MSVBVM60(?,00000000), ref: 0042DEB4
__vbaStrMove.MSVBVM60 ref: 0042DEBB
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0042DECF
__vbaSetSystemError.MSVBVM60(?), ref: 0042DEF7
__vbaExitProc.MSVBVM60 ref: 0042DEFD
__vbaStrToAnsi.MSVBVM60(?,?,000000C8,00000000), ref: 0042DF22
__vbaSetSystemError.MSVBVM60(00001000,00000000,0042D984,00000000,00000000), ref: 0042DF39
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0042DF47
__vbaLsetFixstr.MSVBVM60(00000000,?,00000000), ref: 0042DF59
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042DF68
__vbaStrCopy.MSVBVM60(?), ref: 0042DF88
#616.MSVBVM60(00000000), ref: 0042DF8F
__vbaStrMove.MSVBVM60 ref: 0042DFA0
__vbaLsetFixstr.MSVBVM60(00000000,?,?), ref: 0042DFAC
__vbaStrI4.MSVBVM60(0042D984), ref: 0042DFAF
__vbaStrMove.MSVBVM60 ref: 0042DFBA
__vbaStrCat.MSVBVM60(0040C0DC,00000000), ref: 0042DFC8
__vbaStrMove.MSVBVM60 ref: 0042DFCF
__vbaStrCat.MSVBVM60(?,00000000), ref: 0042DFD6
__vbaStrMove.MSVBVM60 ref: 0042DFDD
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0042DFF1
__vbaExitProc.MSVBVM60 ref: 0042DFFA
__vbaFreeStr.MSVBVM60(0042E1A0), ref: 0042E199

Strings

wininet.dll, xrefs: 0042DD64, 0042DDA2

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Move$Free$Error$FixstrSystem$AnsiListLset$#616CopyExitProcUnicode$Construct
String ID: wininet.dll
API String ID: 3528847054-3354682871
Opcode ID: 2640ca12da2e761267f4490a7f31898019f67f1674307d1530c5ad9c9e8694fa
Instruction ID: 4ab0e6fcaf40ad6fe7a896afbcdb922c36d42519d77e5ec3362e70ad7f7adcde
Opcode Fuzzy Hash: 2640ca12da2e761267f4490a7f31898019f67f1674307d1530c5ad9c9e8694fa
Instruction Fuzzy Hash: 6BA1DEB1D00218EBDB14DFE4EE49AEEBBB9EF48700F10412AF506B71A0DB745A45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041AC30 Relevance: 77.3, APIs: 32, Strings: 12, Instructions: 293COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001), ref: 0041AC98
__vbaStrCat.MSVBVM60(00000000,SYSTEM\CurrentControlSet\Services\), ref: 0041ACB6
__vbaStrMove.MSVBVM60 ref: 0041ACC3
__vbaI2I4.MSVBVM60 ref: 0041ACCD
__vbaStrCopy.MSVBVM60 ref: 0041ACDE

Part of subcall function 0042C9A0: __vbaOnError.MSVBVM60(00000001,6CE6D83C,?,00000000), ref: 0042CA11
Part of subcall function 0042C9A0: __vbaStrToAnsi.MSVBVM60(?,?,00000000,00000001,?), ref: 0042CA35
Part of subcall function 0042C9A0: __vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,00000001,?), ref: 0042CA46
Part of subcall function 0042C9A0: __vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000,00000001,?), ref: 0042CA57
Part of subcall function 0042C9A0: __vbaFreeStr.MSVBVM60(?,00000000,?,00000000,00000001,?), ref: 0042CA5F
Part of subcall function 0042C9A0: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00000001,?), ref: 0042CA9B
Part of subcall function 0042C9A0: __vbaStrToAnsi.MSVBVM60(?,00000000,?,00000000,?,00000000,00000001,?), ref: 0042CAA6
Part of subcall function 0042C9A0: __vbaStrToAnsi.MSVBVM60(?,?,?,00000001,?,?,?,00000000,?,00000000,00000001,?), ref: 0042CAC6
Part of subcall function 0042C9A0: __vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,?,00000000,00000001,?), ref: 0042CAD5

__vbaStrMove.MSVBVM60(80000002,?,?,?), ref: 0041AD05
#519.MSVBVM60(00000000), ref: 0041AD08
__vbaStrMove.MSVBVM60 ref: 0041AD13
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041AD1F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0041AD73

Part of subcall function 00419F10: __vbaStrCopy.MSVBVM60(00000005,00000000,6CE5B728), ref: 00419FB1
Part of subcall function 00419F10: __vbaStrCopy.MSVBVM60 ref: 00419FB9
Part of subcall function 00419F10: __vbaOnError.MSVBVM60(00000001), ref: 00419FC4
Part of subcall function 00419F10: __vbaSetSystemError.MSVBVM60(00000000,00000000,00000004), ref: 00419FF0
Part of subcall function 00419F10: __vbaSetSystemError.MSVBVM60(?,00000030,00000003,00000000,00000000,?,?,?), ref: 0041A02F
Part of subcall function 00419F10: #685.MSVBVM60 ref: 0041A047
Part of subcall function 00419F10: __vbaObjSet.MSVBVM60(?,00000000), ref: 0041A04E

__vbaFreeVar.MSVBVM60 ref: 0041AD7C
__vbaStrCmp.MSVBVM60(00408FF0,?), ref: 0041AD92
__vbaStrCat.MSVBVM60( startup type is Automatic,00000000,00405F48,00405F48,00405F48,?), ref: 0041ADCF
__vbaStrMove.MSVBVM60 ref: 0041ADD6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0041AE13
__vbaFreeStr.MSVBVM60 ref: 0041AE20
__vbaFreeVar.MSVBVM60 ref: 0041AE2F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0041AE7F
__vbaFreeVar.MSVBVM60 ref: 0041AE84
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040,?,running,?,?,paused,?), ref: 0041AF20
__vbaFreeVar.MSVBVM60(?,running,?,?,paused,?), ref: 0041AF25
__vbaExitProc.MSVBVM60(?,running,?,?,paused,?), ref: 0041AF35
__vbaExitProc.MSVBVM60(00000000,00000001,?,?,running,?,?,paused,?), ref: 0041AF68
__vbaStrCat.MSVBVM60( cannot be set to automatic,00000000,00405F48,00405F48,00405F48,?), ref: 0041AFA8
__vbaStrMove.MSVBVM60 ref: 0041AFAF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0041AFE6
__vbaFreeStr.MSVBVM60 ref: 0041AFEF
__vbaFreeVar.MSVBVM60 ref: 0041AFF8
__vbaExitProc.MSVBVM60 ref: 0041B14E
__vbaFreeStr.MSVBVM60(0041B1A6), ref: 0041B199
__vbaFreeStr.MSVBVM60 ref: 0041B19E
__vbaFreeStr.MSVBVM60 ref: 0041B1A3

Strings

fncChkService, xrefs: 0041AD50, 0041ADDE, 0041AE5C, 0041AEFD, 0041AFB7
paused, xrefs: 0041AE91
running, xrefs: 0041AEC1
ERR, xrefs: 0041AFB2
SYSTEM\CurrentControlSet\Services\, xrefs: 0041ACA5
Start, xrefs: 0041ACD6
Starting Service, xrefs: 0041AE52
cannot be set to automatic, xrefs: 0041AF9D
Service Already running, xrefs: 0041AEF3
startup type is Automatic, xrefs: 0041ADC4
ModSrvcManager, xrefs: 0041AD55, 0041ADE3, 0041AE61, 0041AF02, 0041AFBC
MSG, xrefs: 0041AD4B, 0041ADD9, 0041AE57, 0041AEF8

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Error$CheckHresultMove$CopySystem$AnsiExitProc$#519#685ListUnicode
String ID: cannot be set to automatic$ startup type is Automatic$ERR$MSG$ModSrvcManager$SYSTEM\CurrentControlSet\Services\$Service Already running$Start$Starting Service$fncChkService$paused$running
API String ID: 2386408151-2090317768
Opcode ID: 3910f3a76fd0f48aa205e4e6f4fb36349806485da3a6bb8b7885c28578c018c5
Instruction ID: bdf3599c32be0371010e0fe4eda7aa737e9cf6a99aff9546c3293f18961433c5
Opcode Fuzzy Hash: 3910f3a76fd0f48aa205e4e6f4fb36349806485da3a6bb8b7885c28578c018c5
Instruction Fuzzy Hash: 2EB159B1A40209AFDB00DBA4DD89FAE7BB5EB48700F20416AF105B72D5DBB86945CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041B1C0 Relevance: 75.5, APIs: 32, Strings: 11, Instructions: 279COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001), ref: 0041B228
__vbaStrCat.MSVBVM60(00000000,SYSTEM\CurrentControlSet\Services\), ref: 0041B246
__vbaStrMove.MSVBVM60 ref: 0041B253
__vbaI2I4.MSVBVM60 ref: 0041B25D
__vbaStrCopy.MSVBVM60 ref: 0041B26E

Part of subcall function 0042C9A0: __vbaOnError.MSVBVM60(00000001,6CE6D83C,?,00000000), ref: 0042CA11
Part of subcall function 0042C9A0: __vbaStrToAnsi.MSVBVM60(?,?,00000000,00000001,?), ref: 0042CA35
Part of subcall function 0042C9A0: __vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,00000001,?), ref: 0042CA46
Part of subcall function 0042C9A0: __vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000,00000001,?), ref: 0042CA57
Part of subcall function 0042C9A0: __vbaFreeStr.MSVBVM60(?,00000000,?,00000000,00000001,?), ref: 0042CA5F
Part of subcall function 0042C9A0: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00000001,?), ref: 0042CA9B
Part of subcall function 0042C9A0: __vbaStrToAnsi.MSVBVM60(?,00000000,?,00000000,?,00000000,00000001,?), ref: 0042CAA6
Part of subcall function 0042C9A0: __vbaStrToAnsi.MSVBVM60(?,?,?,00000001,?,?,?,00000000,?,00000000,00000001,?), ref: 0042CAC6
Part of subcall function 0042C9A0: __vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,?,00000000,00000001,?), ref: 0042CAD5

__vbaStrMove.MSVBVM60(80000002,?,?,?), ref: 0041B295
#519.MSVBVM60(00000000), ref: 0041B298
__vbaStrMove.MSVBVM60 ref: 0041B2A3
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041B2AF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0041B303
__vbaFreeVar.MSVBVM60 ref: 0041B30C
__vbaStrCmp.MSVBVM60(00408FF0,?), ref: 0041B322
__vbaStrCat.MSVBVM60( startup type is Automatic,00000000,00405F48,00405F48,00405F48,?), ref: 0041B35F
__vbaStrMove.MSVBVM60 ref: 0041B366
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0041B3A3
__vbaFreeStr.MSVBVM60 ref: 0041B3B0
__vbaFreeVar.MSVBVM60 ref: 0041B3BF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0041B40F
__vbaFreeVar.MSVBVM60 ref: 0041B414
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040,?,stopped,?), ref: 0041B480

Part of subcall function 00416F20: __vbaStrCopy.MSVBVM60(6CE6D8B1,00000000,00000000), ref: 00416F9D
Part of subcall function 00416F20: __vbaOnError.MSVBVM60(00000001), ref: 00416FAC

__vbaFreeVar.MSVBVM60(?,stopped,?), ref: 0041B485
__vbaExitProc.MSVBVM60(?,stopped,?), ref: 0041B495
__vbaExitProc.MSVBVM60(?,00000002,?,?,stopped,?), ref: 0041B4C8
__vbaFreeStr.MSVBVM60(0041B706,?,00405F48,00405F48,00405F48,?), ref: 0041B6F9
__vbaFreeStr.MSVBVM60(?,00405F48,00405F48,00405F48,?), ref: 0041B6FE
__vbaFreeStr.MSVBVM60(?,00405F48,00405F48,00405F48,?), ref: 0041B703

Strings

Service Already stopped, xrefs: 0041B453
ERR, xrefs: 0041B512
SYSTEM\CurrentControlSet\Services\, xrefs: 0041B235
fncChkStpService, xrefs: 0041B2E0, 0041B36E, 0041B3EC, 0041B45D, 0041B517
Start, xrefs: 0041B266
cannot be set to automatic, xrefs: 0041B4FD
startup type is Automatic, xrefs: 0041B354
ModSrvcManager, xrefs: 0041B2E5, 0041B373, 0041B3F1, 0041B462, 0041B51C
stopped, xrefs: 0041B421
Stopping Service, xrefs: 0041B3E2
MSG, xrefs: 0041B2DB, 0041B369, 0041B3E7, 0041B458

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Error$CheckHresultMove$AnsiCopy$ExitProcSystem$#519ListUnicode
String ID: cannot be set to automatic$ startup type is Automatic$ERR$MSG$ModSrvcManager$SYSTEM\CurrentControlSet\Services\$Service Already stopped$Start$Stopping Service$fncChkStpService$stopped
API String ID: 3577124608-3117266642
Opcode ID: 15388aaa293805d6d033c7317443e182167f42edcbc0162a7de4d68603a60547
Instruction ID: b49af427cae64e9bef379660f102563669791849c9064a2f448799ceac7f6978
Opcode Fuzzy Hash: 15388aaa293805d6d033c7317443e182167f42edcbc0162a7de4d68603a60547
Instruction Fuzzy Hash: 7AB16DB1A40209AFDB00DFA4DD85FAE7BB4EB48700F20416AF505B72E5EB786945CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0042BEC0 Relevance: 73.8, APIs: 40, Strings: 2, Instructions: 308COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,?,6CE6D8B1,00000000), ref: 0042BF1F
__vbaStrToAnsi.MSVBVM60(?,?,00000000,00020119,?), ref: 0042BF46
__vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,00020119,?), ref: 0042BF57
__vbaStrToUnicode.MSVBVM60(00000001,?,?,00000000,?,00000000,00020119,?), ref: 0042BF68
__vbaFreeStr.MSVBVM60(?,00000000,?,00000000,00020119,?), ref: 0042BF73
__vbaStrToAnsi.MSVBVM60(?,?,00000000,00020219,?,?,00000000,?,00000000,00020119,?), ref: 0042BFA4
__vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,00020219,?,?,00000000,?,00000000,00020119,?), ref: 0042BFB5
__vbaStrToUnicode.MSVBVM60(00000001,?,?,00000000,?,00000000,00020219,?,?,00000000,?,00000000,00020119,?), ref: 0042BFC0
__vbaFreeStr.MSVBVM60(?,00000000,?,00000000,00020219,?,?,00000000,?,00000000,00020119,?), ref: 0042BFCB
__vbaStrToAnsi.MSVBVM60(?,?,00000000,00020019,?,?,00000000,?,00000000,00020219,?,?,00000000,?,00000000,00020119), ref: 0042BFF8
__vbaSetSystemError.MSVBVM60(00000000,00000000,?,00000000,?,00000000,00020219,?,?,00000000,?,00000000,00020119,?), ref: 0042C009
__vbaStrToUnicode.MSVBVM60(00000001,?,?,00000000,?,00000000,00020219,?,?,00000000,?,00000000,00020119,?), ref: 0042C014
__vbaFreeStr.MSVBVM60(?,00000000,?,00000000,00020219,?,?,00000000,?,00000000,00020119,?), ref: 0042C01F
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00020119,?), ref: 0042C05D
__vbaStrToAnsi.MSVBVM60(?,00000000,?,00000000,?,00000000,00020119,?), ref: 0042C068
__vbaStrToAnsi.MSVBVM60(?,?,00000000,00000001,?,?,?,00000000,?,00000000,00020119,?), ref: 0042C089
__vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,?,00000000,00020119,?), ref: 0042C098
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000,00020119,?), ref: 0042C0A3
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,00000000,?,00000000,00020119,?), ref: 0042C0B9
#525.MSVBVM60(?,?,?,00020119,?), ref: 0042C0E2
__vbaStrMove.MSVBVM60(?,?,00020119,?), ref: 0042C0ED
__vbaStrToAnsi.MSVBVM60(?,?,?,?,?,00020119,?), ref: 0042C10D
__vbaStrToAnsi.MSVBVM60(?,00000000,00000000,00000001,00000000,?,?,00020119,?), ref: 0042C11D
__vbaSetSystemError.MSVBVM60(?,00000000,?,?,00020119,?), ref: 0042C12C
__vbaStrToUnicode.MSVBVM60(?,?,?,?,00020119,?), ref: 0042C137
__vbaStrToUnicode.MSVBVM60(?,?,?,?,00020119,?), ref: 0042C141
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,00020119,?), ref: 0042C153
#616.MSVBVM60(?,?,?,?,00020119,?), ref: 0042C19A
__vbaStrMove.MSVBVM60(?,?,00020119,?), ref: 0042C1A5
__vbaStrToAnsi.MSVBVM60(?,00000020,00000000,00000004,?,00000020,?,00000000,?,00000000,00020119,?), ref: 0042C1F8
__vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,?,00000000,00020119,?), ref: 0042C206
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000,00020119,?), ref: 0042C211
__vbaFreeStr.MSVBVM60(?,00000000,?,00000000,00020119,?), ref: 0042C216
__vbaStrI4.MSVBVM60(?,?,00000000,?,00000000,00020119,?), ref: 0042C232
__vbaStrMove.MSVBVM60(?,00000000,?,00000000,00020119,?), ref: 0042C23D
__vbaExitProc.MSVBVM60(?,00000000,?,00000000,00020119,?), ref: 0042C243
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00020119,?), ref: 0042C268
__vbaExitProc.MSVBVM60(?,00000000,?,00000000,00020119,?), ref: 0042C26E
__vbaFreeStr.MSVBVM60(0042C2AC,?,00000000,?,00000000,00020119,?), ref: 0042C2A5
__vbaErrorOverflow.MSVBVM60(?,?,00020119,?), ref: 0042C2C2

Strings

0(@, xrefs: 0042C03E
, xrefs: 0042C1D2

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$AnsiError$FreeUnicode$System$Move$CopyExitListProc$#525#616Overflow
String ID: $0(@
API String ID: 3532621681-660204250
Opcode ID: b4e17015cb8fde222e251dabde0131b807c999356eb845eeff9f4fe3cf6b8a2c
Instruction ID: 0b581c373314ad0ddcc74a18f5d8e81f4e0a746dcc1f7c381a9c3d59065c456e
Opcode Fuzzy Hash: b4e17015cb8fde222e251dabde0131b807c999356eb845eeff9f4fe3cf6b8a2c
Instruction Fuzzy Hash: 5DC1A5B5D00218EBDB14DFD4E988ADEBBB9EF48700F10855AF502B7260DB749A45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004185E0 Relevance: 73.8, APIs: 39, Strings: 3, Instructions: 302COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6CE6D8B1,00000000,00000000), ref: 00418669
__vbaOnError.MSVBVM60(00000001), ref: 00418678
__vbaSetSystemError.MSVBVM60(00000000,00000000,00000001), ref: 004186A4
__vbaStrToAnsi.MSVBVM60(?,?,00000020), ref: 004186D1
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 004186E4
__vbaStrToUnicode.MSVBVM60(?,?), ref: 004186EE
__vbaFreeStr.MSVBVM60 ref: 00418700

Part of subcall function 0041B720: __vbaChkstk.MSVBVM60(00002710,00404B66,?,?,?,?,00419983,00002710), ref: 0041B73E
Part of subcall function 0041B720: __vbaOnError.MSVBVM60(000000FF,00000005,6CE6D94B,6CE5B728,00002710,00404B66), ref: 0041B76E
Part of subcall function 0041B720: __vbaSetSystemError.MSVBVM60 ref: 0041B786

__vbaSetSystemError.MSVBVM60(?,00000001,?,000007D0), ref: 0041874F
#685.MSVBVM60 ref: 0041877B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00418786
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407E74,0000004C), ref: 004187AA
#685.MSVBVM60 ref: 004187B0
__vbaObjSet.MSVBVM60(?,00000000), ref: 004187BB
__vbaStrI4.MSVBVM60(00000001,fncUpdSetServiceStopped : ), ref: 004187F1
__vbaStrMove.MSVBVM60 ref: 004187FC
__vbaStrCat.MSVBVM60(00000000), ref: 00418803
__vbaVarDup.MSVBVM60 ref: 0041882B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407E74,00000044), ref: 00418864
__vbaFreeStr.MSVBVM60 ref: 0041886D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041887D
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0041889E
__vbaSetSystemError.MSVBVM60(?), ref: 004188C7
__vbaSetSystemError.MSVBVM60(?,000007D0), ref: 004188D9
__vbaExitProc.MSVBVM60 ref: 004188DB
#685.MSVBVM60 ref: 004188F8
__vbaObjSet.MSVBVM60(?,00000000), ref: 004188FF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407E74,0000004C), ref: 00418923
#685.MSVBVM60 ref: 00418929
__vbaObjSet.MSVBVM60(?,00000000), ref: 00418930
__vbaStrI4.MSVBVM60(?,fncUpdSetServiceStopped : ), ref: 00418966
__vbaStrMove.MSVBVM60 ref: 00418971
__vbaStrCat.MSVBVM60(00000000), ref: 00418978
__vbaVarDup.MSVBVM60 ref: 004189A5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407E74,00000044), ref: 004189DE
__vbaFreeStr.MSVBVM60 ref: 004189E7
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004189F7
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00418A18
__vbaExitProc.MSVBVM60 ref: 00418A2B
__vbaFreeStr.MSVBVM60(00418BF5), ref: 00418BEE

Strings

hSCManager, xrefs: 0041898C
ControlService, xrefs: 00418812
fncUpdSetServiceStopped : , xrefs: 004187E5, 0041895A

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$ErrorFree$System$#685CheckHresultList$ExitMoveProc$AnsiChkstkCopyUnicode
String ID: ControlService$fncUpdSetServiceStopped : $hSCManager
API String ID: 2019432316-1592688099
Opcode ID: c70de743d669e4f0f9c9664f4918824488c1b0e19d23ef9391773689a0375b2d
Instruction ID: 0c6caa643cbaa213d853a316fc674a497cadff2f8b75c0446717251178190623
Opcode Fuzzy Hash: c70de743d669e4f0f9c9664f4918824488c1b0e19d23ef9391773689a0375b2d
Instruction Fuzzy Hash: 4AD1FDB1D002189FDB10DFA5CD88BDEBBB8BB48304F1085AEE249B7251DB745A85CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00417FB0 Relevance: 73.8, APIs: 39, Strings: 3, Instructions: 302COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00418039
__vbaOnError.MSVBVM60(00000001), ref: 00418048
__vbaSetSystemError.MSVBVM60(00000000,00000000,00000001), ref: 00418074
__vbaStrToAnsi.MSVBVM60(?,?,00000040), ref: 004180A1
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 004180B4
__vbaStrToUnicode.MSVBVM60(?,?), ref: 004180BE
__vbaFreeStr.MSVBVM60 ref: 004180D0

Part of subcall function 0041B720: __vbaChkstk.MSVBVM60(00002710,00404B66,?,?,?,?,00419983,00002710), ref: 0041B73E
Part of subcall function 0041B720: __vbaOnError.MSVBVM60(000000FF,00000005,6CE6D94B,6CE5B728,00002710,00404B66), ref: 0041B76E
Part of subcall function 0041B720: __vbaSetSystemError.MSVBVM60 ref: 0041B786

__vbaSetSystemError.MSVBVM60(?,00000002,?,000007D0), ref: 0041811F
#685.MSVBVM60 ref: 0041814B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00418156
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407E74,0000004C), ref: 0041817A
#685.MSVBVM60 ref: 00418180
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041818B
__vbaStrI4.MSVBVM60(00000001,fncUpdSetServicePaused : ), ref: 004181C1
__vbaStrMove.MSVBVM60 ref: 004181CC
__vbaStrCat.MSVBVM60(00000000), ref: 004181D3
__vbaVarDup.MSVBVM60 ref: 004181FB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407E74,00000044), ref: 00418234
__vbaFreeStr.MSVBVM60 ref: 0041823D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041824D
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0041826E
__vbaSetSystemError.MSVBVM60(?), ref: 00418297
__vbaSetSystemError.MSVBVM60(?,000007D0), ref: 004182A9
__vbaExitProc.MSVBVM60 ref: 004182AB
#685.MSVBVM60 ref: 004182C8
__vbaObjSet.MSVBVM60(?,00000000), ref: 004182CF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407E74,0000004C), ref: 004182F3
#685.MSVBVM60 ref: 004182F9
__vbaObjSet.MSVBVM60(?,00000000), ref: 00418300
__vbaStrI4.MSVBVM60(?,fncUpdSetServicePaused : ), ref: 00418336
__vbaStrMove.MSVBVM60 ref: 00418341
__vbaStrCat.MSVBVM60(00000000), ref: 00418348
__vbaVarDup.MSVBVM60 ref: 00418375
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407E74,00000044), ref: 004183AE
__vbaFreeStr.MSVBVM60 ref: 004183B7
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004183C7
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004183E8
__vbaExitProc.MSVBVM60 ref: 004183FB
__vbaFreeStr.MSVBVM60(004185C5), ref: 004185BE

Strings

fncUpdSetServicePaused : , xrefs: 004181B5, 0041832A
hSCManager, xrefs: 0041835C
ControlService, xrefs: 004181E2

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$ErrorFree$System$#685CheckHresultList$ExitMoveProc$AnsiChkstkCopyUnicode
String ID: ControlService$fncUpdSetServicePaused : $hSCManager
API String ID: 2019432316-1818130502
Opcode ID: 41c558c4998a85488e0139983cfaec61f1a188ee618870486a79d276194c412b
Instruction ID: 39554adcabb641e7f3feab116551300027a842e79f2f9fff81de3b262b8f5507
Opcode Fuzzy Hash: 41c558c4998a85488e0139983cfaec61f1a188ee618870486a79d276194c412b
Instruction Fuzzy Hash: 02D1FCB1D012189FDB10DFA5CD88BDEBBB8BB48304F1085AEE249B7291DB745A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0042C2D0 Relevance: 73.8, APIs: 35, Strings: 7, Instructions: 259COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6CE6D83C,6CE6D8B1,?), ref: 0042C369
__vbaStrCopy.MSVBVM60 ref: 0042C371
__vbaOnError.MSVBVM60(00000001), ref: 0042C37C
__vbaStrCopy.MSVBVM60 ref: 0042C391
__vbaStrCopy.MSVBVM60 ref: 0042C3A2
__vbaStrCopy.MSVBVM60 ref: 0042C3F0
__vbaStrCopy.MSVBVM60 ref: 0042C401
__vbaStrCopy.MSVBVM60 ref: 0042C41A
#526.MSVBVM60(?,00000001), ref: 0042C433
__vbaStrCat.MSVBVM60(?, Execution Path & Parameters : ), ref: 0042C442
__vbaVarCat.MSVBVM60(?,?,?,00405F48,00405F48,00405F48,?), ref: 0042C49B
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0042C4AC
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 0042C4B3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0042C4E8
__vbaFreeStr.MSVBVM60 ref: 0042C4F1
__vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 0042C51C
#645.MSVBVM60(00004008,00000000), ref: 0042C547
__vbaStrMove.MSVBVM60 ref: 0042C558
__vbaStrCmp.MSVBVM60(00405F48,00000000), ref: 0042C560
__vbaFreeStr.MSVBVM60 ref: 0042C573
__vbaRecUniToAnsi.MSVBVM60(00405FB8,?,0000003C), ref: 0042C595
__vbaSetSystemError.MSVBVM60(00000000), ref: 0042C5AD
__vbaRecAnsiToUni.MSVBVM60(00405FB8,0000003C,?), ref: 0042C5BF
__vbaRecDestructAnsi.MSVBVM60(00405FB8,?), ref: 0042C5D1
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 0042C5FB
__vbaStrI4.MSVBVM60(?), ref: 0042C629
__vbaStrMove.MSVBVM60 ref: 0042C634

Part of subcall function 00431300: __vbaChkstk.MSVBVM60(00000000,00404B66,?,?,?,?,0042C646,?), ref: 0043131E
Part of subcall function 00431300: __vbaFixstrConstruct.MSVBVM60(00000100,00000000,6CE6D8B1,6CE9285F,00000000,00000000,00404B66), ref: 0043134E
Part of subcall function 00431300: __vbaOnError.MSVBVM60(000000FF), ref: 0043135D
Part of subcall function 00431300: #685.MSVBVM60 ref: 00431377
Part of subcall function 00431300: __vbaObjSet.MSVBVM60(?,00000000), ref: 00431382
Part of subcall function 00431300: __vbaHresultCheckObj.MSVBVM60(00000000,?,00407E74,0000004C), ref: 004313B5
Part of subcall function 00431300: __vbaFreeObj.MSVBVM60 ref: 004313D0
Part of subcall function 00431300: __vbaLenBstr.MSVBVM60(?,00000000), ref: 004313E9
Part of subcall function 00431300: __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 004313F8
Part of subcall function 00431300: __vbaSetSystemError.MSVBVM60(00001200,00000000,00000000,00000000,00000000), ref: 00431416
Part of subcall function 00431300: __vbaStrToUnicode.MSVBVM60(?,?), ref: 00431424
Part of subcall function 00431300: __vbaLsetFixstr.MSVBVM60(00000000,?,00000000), ref: 00431431
Part of subcall function 00431300: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00431447

__vbaStrMove.MSVBVM60(?), ref: 0042C64B
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 0042C65E
__vbaSetSystemError.MSVBVM60(?), ref: 0042C67A
__vbaExitProc.MSVBVM60 ref: 0042C67C
__vbaRecDestructAnsi.MSVBVM60(00405FB8,?,0042C7BA), ref: 0042C794
__vbaRecDestruct.MSVBVM60(00405FB8,0000003C), ref: 0042C7A3
__vbaFreeStr.MSVBVM60 ref: 0042C7B2
__vbaFreeStr.MSVBVM60 ref: 0042C7B7

Strings

ModFunctions, xrefs: 0042C4C4
Open, xrefs: 0042C3F9
Execution Path & Parameters : , xrefs: 0042C439
@, xrefs: 0042C3DC
ShellAndWait, xrefs: 0042C4BF
MSG, xrefs: 0042C4BA
<, xrefs: 0042C3CE

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$CopyErrorFree$AnsiSystem$DestructMove$CheckFixstrHresultList$#526#645#685BstrChkstkConstructExitLsetProcUnicode
String ID: Execution Path & Parameters : $<$@$MSG$ModFunctions$Open$ShellAndWait
API String ID: 647838663-548087096
Opcode ID: 6bb796982fe2994a965c4ff41311c3a9b81aa80d2d11c878880b5f14fb9f2f63
Instruction ID: 8e79b2276992c50b8c74b113f3cf40aab8f35018adc2e9dc0d5bead915af84ac
Opcode Fuzzy Hash: 6bb796982fe2994a965c4ff41311c3a9b81aa80d2d11c878880b5f14fb9f2f63
Instruction Fuzzy Hash: 03B1FAB1D01219DBDB10DF94CE84BDEBBB9FB48304F1081AAE509B7290DB786A45DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00434670 Relevance: 73.7, APIs: 38, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6CE5A323,6CE6D8B1,6CE927C2), ref: 004346EA
__vbaStrCopy.MSVBVM60 ref: 004346F2
__vbaStrCopy.MSVBVM60 ref: 004346FA
__vbaOnError.MSVBVM60(00000001), ref: 00434705
#645.MSVBVM60(00004008,00000000), ref: 00434724
__vbaStrMove.MSVBVM60 ref: 00434735
__vbaStrCmp.MSVBVM60(00405F48,00000000), ref: 0043473D
__vbaFreeStr.MSVBVM60 ref: 0043474F
__vbaStrCat.MSVBVM60(?,00407530,ini), ref: 00434779
__vbaStrMove.MSVBVM60 ref: 00434780
__vbaStrCat.MSVBVM60(\BaseComponents\MBytes,00000000,00000000), ref: 0043478E
__vbaStrMove.MSVBVM60 ref: 00434795

Part of subcall function 004247A0: __vbaStrCopy.MSVBVM60(6CE6D8B1,6CE5A323,00000000), ref: 00424862
Part of subcall function 004247A0: __vbaStrCopy.MSVBVM60 ref: 0042486A
Part of subcall function 004247A0: __vbaStrCopy.MSVBVM60 ref: 00424872
Part of subcall function 004247A0: __vbaOnError.MSVBVM60(00000001), ref: 0042487D
Part of subcall function 004247A0: __vbaStrCmp.MSVBVM60(00405F48,?), ref: 00424893
Part of subcall function 004247A0: __vbaNew2.MSVBVM60(004082E4,?), ref: 004248B8
Part of subcall function 004247A0: __vbaHresultCheckObj.MSVBVM60(00000000,?,004082F4,00000054), ref: 004248E0

__vbaStrMove.MSVBVM60(?,?,MD5,?), ref: 004347D2
__vbaFreeStr.MSVBVM60 ref: 004347D7
__vbaExitProc.MSVBVM60 ref: 004347E7
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000), ref: 004347A7

Part of subcall function 00434B30: __vbaStrCopy.MSVBVM60(6CE6D8B1,00000001,00000000), ref: 00434B95
Part of subcall function 00434B30: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00434B9D
Part of subcall function 00434B30: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00434BA5
Part of subcall function 00434B30: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00434BAD
Part of subcall function 00434B30: __vbaOnError.MSVBVM60(00000001), ref: 00434BB8
Part of subcall function 00434B30: #525.MSVBVM60(00000064), ref: 00434BC7
Part of subcall function 00434B30: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00434BD8
Part of subcall function 00434B30: __vbaStrToAnsi.MSVBVM60(?,?), ref: 00434BEF
Part of subcall function 00434B30: __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00434BFA
Part of subcall function 00434B30: __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00434C05
Part of subcall function 00434B30: __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00434C10
Part of subcall function 00434B30: __vbaSetSystemError.MSVBVM60(00000000), ref: 00434C1A
Part of subcall function 00434B30: __vbaStrToUnicode.MSVBVM60(?,?), ref: 00434C2E
Part of subcall function 00434B30: __vbaStrToUnicode.MSVBVM60(?,?), ref: 00434C38
Part of subcall function 00434B30: __vbaStrToUnicode.MSVBVM60(?,?), ref: 00434C42

__vbaStrCopy.MSVBVM60 ref: 00434809
__vbaStrMove.MSVBVM60(?,?,?,?), ref: 00434829
__vbaFreeStr.MSVBVM60 ref: 00434834
__vbaStrCmp.MSVBVM60(00405F48,?), ref: 00434846
__vbaStrMove.MSVBVM60(?,?,MD5,?), ref: 00434872
__vbaFreeStr.MSVBVM60 ref: 00434877
__vbaExitProc.MSVBVM60 ref: 00434883
__vbaFreeStr.MSVBVM60(00434B16), ref: 00434AFF
__vbaFreeStr.MSVBVM60 ref: 00434B04
__vbaFreeStr.MSVBVM60 ref: 00434B09
__vbaFreeStr.MSVBVM60 ref: 00434B0E
__vbaFreeStr.MSVBVM60 ref: 00434B13

Strings

ini, xrefs: 00434765
O:C, xrefs: 004346F4
\BaseComponents\MBytes, xrefs: 00434789
MD5, xrefs: 004347BB, 00434801, 0043485B, 0043490C

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Copy$Free$Move$AnsiError$Unicode$ExitProc$#525#645CheckHresultListNew2System
String ID: MD5$O:C$\BaseComponents\MBytes$ini
API String ID: 1240496537-4091789508
Opcode ID: 0f76f2149e9fa48e0a1e2f102ae91e4beff24b6f130841ba1e9efc73950500c6
Instruction ID: 6fccd65fa7a95afbd67dbdf094dd20d1c178e07ad70cd2894f3028779b142eda
Opcode Fuzzy Hash: 0f76f2149e9fa48e0a1e2f102ae91e4beff24b6f130841ba1e9efc73950500c6
Instruction Fuzzy Hash: 7191D7B1D10218EBCB14DFE5DD84ADEBBB4BF88304F60812AE516B72A4DB746A05CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0042FA00 Relevance: 72.0, APIs: 34, Strings: 7, Instructions: 264COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6CE81480,6CE9163A,6CF443F3), ref: 0042FA65
__vbaOnError.MSVBVM60(00000001), ref: 0042FA74
__vbaStrCat.MSVBVM60(?, Executing fncExecuteShell : ,00405F48,00405F48,00405F48,?), ref: 0042FAAE
__vbaStrMove.MSVBVM60 ref: 0042FABF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0042FAEF
__vbaFreeStr.MSVBVM60 ref: 0042FAF8
__vbaFreeVar.MSVBVM60 ref: 0042FB01
#600.MSVBVM60(00004008,00000000), ref: 0042FB20
__vbaFpI4.MSVBVM60 ref: 0042FB26
__vbaStrCat.MSVBVM60(?, Failed to Execute Shell : ,00405F48,00405F48,00405F48,?), ref: 0042FB66
__vbaStrMove.MSVBVM60 ref: 0042FB71
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0042FBA2
__vbaFreeStr.MSVBVM60 ref: 0042FBAB
__vbaFreeVar.MSVBVM60 ref: 0042FBB4
__vbaSetSystemError.MSVBVM60(001F0FFF,000000FF,00000000), ref: 0042FBDF
__vbaSetSystemError.MSVBVM60(?,?), ref: 0042FBFB
__vbaSetSystemError.MSVBVM60(?,000927C0), ref: 0042FC31
__vbaSetSystemError.MSVBVM60(?,00000103), ref: 0042FC47
__vbaSetSystemError.MSVBVM60(?), ref: 0042FC7C
__vbaExitProc.MSVBVM60 ref: 0042FC8C
#685.MSVBVM60 ref: 0042FCA4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042FCAF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407E74,0000004C), ref: 0042FCD0
__vbaStrMove.MSVBVM60(?), ref: 0042FCE4
__vbaStrMove.MSVBVM60( Failed OpenProcess. Error : ,00405F48,00405F48,00405F48,?), ref: 0042FD0E
__vbaStrCat.MSVBVM60(00000000), ref: 0042FD11
__vbaStrMove.MSVBVM60 ref: 0042FD1C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0042FD4D
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0042FD61
__vbaFreeObj.MSVBVM60 ref: 0042FD6D
__vbaExitProc.MSVBVM60 ref: 0042FD86
__vbaFreeVar.MSVBVM60 ref: 0042FEB5
__vbaExitProc.MSVBVM60 ref: 0042FEBB
__vbaFreeStr.MSVBVM60(0042FF08), ref: 0042FF01

Strings

ModFunctions, xrefs: 0042FACC, 0042FB7E, 0042FD29
ERR , xrefs: 0042FB74, 0042FD1F
Failed to Execute Shell : , xrefs: 0042FB5D
MSG , xrefs: 0042FAC2
Failed OpenProcess. Error : , xrefs: 0042FD06
fncExecuteShell, xrefs: 0042FAC7, 0042FB79, 0042FD24
Executing fncExecuteShell : , xrefs: 0042FAA5

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Error$MoveSystem$CheckHresult$ExitProc$#600#685CopyList
String ID: Executing fncExecuteShell : $ Failed OpenProcess. Error : $ Failed to Execute Shell : $ERR $MSG $ModFunctions$fncExecuteShell
API String ID: 2821864976-3135461410
Opcode ID: 0bcc108a7464721b586ba8aa5152b4322a65afb5117399191e7cca5c7b4fad81
Instruction ID: 30741df727af776d65bbc4c6765c8d72014e2408affc69cb2e2a9e39e57429a1
Opcode Fuzzy Hash: 0bcc108a7464721b586ba8aa5152b4322a65afb5117399191e7cca5c7b4fad81
Instruction Fuzzy Hash: CAB13CB1E01209EBCB00DFA5DD89A9EBBB4FB44705F60817AE105B72E0D7B86945CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0043C250 Relevance: 72.0, APIs: 39, Strings: 2, Instructions: 253COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,00000000,6CE6D83C,6CF560EF), ref: 0043C2D3
__vbaStrCat.MSVBVM60(Configuration\SAAZScheduler.ini,00000000), ref: 0043C2EB
__vbaStrMove.MSVBVM60 ref: 0043C2FC

Part of subcall function 00431BB0: __vbaChkstk.MSVBVM60(00000000,00404B66,?,?,?,?,00448239,00000000), ref: 00431BCE
Part of subcall function 00431BB0: __vbaStrCopy.MSVBVM60(6CE5A323,6CE6D8B1,6CE6D8F4,00000000,00404B66), ref: 00431BFB
Part of subcall function 00431BB0: __vbaOnError.MSVBVM60(00000001), ref: 00431C0A
Part of subcall function 00431BB0: __vbaOnError.MSVBVM60(000000FF), ref: 00431C19
Part of subcall function 00431BB0: #525.MSVBVM60(00002000), ref: 00431C2B
Part of subcall function 00431BB0: __vbaStrMove.MSVBVM60 ref: 00431C36
Part of subcall function 00431BB0: __vbaStrToAnsi.MSVBVM60(?,?), ref: 00431C4B
Part of subcall function 00431BB0: __vbaStrToAnsi.MSVBVM60(?,?,00002000,00000000), ref: 00431C5F
Part of subcall function 00431BB0: __vbaStrToAnsi.MSVBVM60(?,00405F48,00000000), ref: 00431C6F
Part of subcall function 00431BB0: __vbaStrToAnsi.MSVBVM60(?,00405F48,00000000), ref: 00431C7F
Part of subcall function 00431BB0: __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00431C8E
Part of subcall function 00431BB0: __vbaSetSystemError.MSVBVM60(00000000), ref: 00431C9D
Part of subcall function 00431BB0: __vbaStrToUnicode.MSVBVM60(?,?), ref: 00431CAB
Part of subcall function 00431BB0: __vbaStrToUnicode.MSVBVM60(?,?), ref: 00431CB9
Part of subcall function 00431BB0: __vbaStrToUnicode.MSVBVM60(?,?), ref: 00431CC7
Part of subcall function 00431BB0: __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 00431CE9

__vbaStrMove.MSVBVM60(?), ref: 0043C313
#608.MSVBVM60(?,00000000), ref: 0043C31A
__vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 0043C330
#711.MSVBVM60(?,00000000), ref: 0043C337
__vbaAryVar.MSVBVM60(00002008,?), ref: 0043C346
__vbaAryCopy.MSVBVM60(?,?), ref: 0043C35D
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0043C36D
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0043C37D
__vbaUbound.MSVBVM60(00000001,?), ref: 0043C393
__vbaI2I4.MSVBVM60 ref: 0043C39B
__vbaStrCopy.MSVBVM60(?,?), ref: 0043C3CE
__vbaAryLock.MSVBVM60(?,?), ref: 0043C3DC
__vbaGenerateBoundsError.MSVBVM60(?,?), ref: 0043C3FA
__vbaGenerateBoundsError.MSVBVM60 ref: 0043C40F
__vbaStrMove.MSVBVM60(?,?,?,?), ref: 0043C437
__vbaAryUnlock.MSVBVM60(?), ref: 0043C43D
__vbaStrMove.MSVBVM60(?,?), ref: 0043C44C
__vbaFreeStr.MSVBVM60(?,?), ref: 0043C451
__vbaAryLock.MSVBVM60(?,?), ref: 0043C46C
__vbaGenerateBoundsError.MSVBVM60(?,?), ref: 0043C48A
__vbaGenerateBoundsError.MSVBVM60 ref: 0043C49F
__vbaStrMove.MSVBVM60(?,0043DDF5,?,?), ref: 0043C4C7
__vbaAryUnlock.MSVBVM60(?), ref: 0043C4CD
__vbaStrMove.MSVBVM60(?,?), ref: 0043C4DC
__vbaStrCmp.MSVBVM60(?,?), ref: 0043C4EF
__vbaStrCopy.MSVBVM60(?,?), ref: 0043C508
__vbaStrCopy.MSVBVM60(?,?), ref: 0043C53A
__vbaStrCopy.MSVBVM60(?,?), ref: 0043C54D
__vbaExitProc.MSVBVM60(?,?), ref: 0043C553
__vbaFreeStr.MSVBVM60(0043C73C), ref: 0043C719
__vbaFreeStr.MSVBVM60(?,?), ref: 0043C71E
__vbaFreeStr.MSVBVM60(?,?), ref: 0043C723
__vbaFreeStr.MSVBVM60(?,?), ref: 0043C728
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0043C730
__vbaFreeStr.MSVBVM60(?,?), ref: 0043C739

Strings

Configuration\SAAZScheduler.ini, xrefs: 0043C2E6
ExecutableName, xrefs: 0043C3C6

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$ErrorMove$Copy$Ansi$BoundsGenerate$ListUnicode$LockUnlock$#525#608#711ChkstkDestructExitProcSystemUbound
String ID: Configuration\SAAZScheduler.ini$ExecutableName
API String ID: 2274918054-223570493
Opcode ID: 747f0bca8d14468e2cd004599b37dde6d14573d99a1c8cd39743359fe0774916
Instruction ID: 62b3e800503a0694f227a5c09f01185463d78811477d2a990c26896ad21cfdc2
Opcode Fuzzy Hash: 747f0bca8d14468e2cd004599b37dde6d14573d99a1c8cd39743359fe0774916
Instruction Fuzzy Hash: 4FB1C5B5D00218EBCB04DFA5D984AEDBBB5FF88304F20816EE506B7260DB746A46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0042B010 Relevance: 72.0, APIs: 36, Strings: 5, Instructions: 216COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6CE5A323,6CE6D8B1,00000000), ref: 0042B099
__vbaStrCopy.MSVBVM60 ref: 0042B0A1
__vbaOnError.MSVBVM60(00000001), ref: 0042B0AC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000030), ref: 0042B0E4
#716.MSVBVM60(?,MSXML2.DOMDocument,00000000), ref: 0042B108
__vbaVarSetVar.MSVBVM60(?,?), ref: 0042B116
__vbaVarLateMemCallLd.MSVBVM60(?,?,Load,00000001), ref: 0042B15C
__vbaBoolVarNull.MSVBVM60(00000000), ref: 0042B162
__vbaFreeVar.MSVBVM60 ref: 0042B16E
#519.MSVBVM60(?,wpmalwrignorelist/), ref: 0042B18D
__vbaStrMove.MSVBVM60 ref: 0042B19E
#517.MSVBVM60(00000000), ref: 0042B1A1
__vbaStrMove.MSVBVM60 ref: 0042B1AC
__vbaStrCat.MSVBVM60(00000000), ref: 0042B1AF
__vbaVarLateMemCallLd.MSVBVM60(?,?,selectSingleNode,00000001), ref: 0042B1E8
__vbaVarSetVar.MSVBVM60(?,00000000), ref: 0042B1F2
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042B202
__vbaFreeVar.MSVBVM60 ref: 0042B20E
__vbaUnkVar.MSVBVM60(?,00000000), ref: 0042B220
__vbaObjIs.MSVBVM60(00000000), ref: 0042B227
__vbaVarLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 0042B247
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 0042B251
#519.MSVBVM60(00000000), ref: 0042B258
__vbaStrMove.MSVBVM60 ref: 0042B263
__vbaFreeStr.MSVBVM60 ref: 0042B268
__vbaFreeVar.MSVBVM60 ref: 0042B271
__vbaStrCopy.MSVBVM60 ref: 0042B284
__vbaVarSetObjAddref.MSVBVM60(?,00000000), ref: 0042B29C
__vbaVarSetObjAddref.MSVBVM60(?,00000000), ref: 0042B2AA
__vbaExitProc.MSVBVM60 ref: 0042B2AC
__vbaFreeVar.MSVBVM60(0042B488), ref: 0042B46B
__vbaFreeStr.MSVBVM60 ref: 0042B476
__vbaFreeStr.MSVBVM60 ref: 0042B47B
__vbaFreeStr.MSVBVM60 ref: 0042B480
__vbaFreeVar.MSVBVM60 ref: 0042B485

Strings

selectSingleNode, xrefs: 0042B1D8
Load, xrefs: 0042B149
Text, xrefs: 0042B23A
wpmalwrignorelist/, xrefs: 0042B184
MSXML2.DOMDocument, xrefs: 0042B0FF

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$CallCopyLateMove$#519Addref$#517#716BoolCheckErrorExitHresultListNullProc
String ID: Load$MSXML2.DOMDocument$Text$selectSingleNode$wpmalwrignorelist/
API String ID: 2138374868-4159502393
Opcode ID: b757e74845ffe43b56a73e75ac1184cc6865972beb585c17d9dea347ab109343
Instruction ID: 7cc3103a790468d0a269b59cf6f1a62063eb12e9674f444b1d9b54ebf617661a
Opcode Fuzzy Hash: b757e74845ffe43b56a73e75ac1184cc6865972beb585c17d9dea347ab109343
Instruction Fuzzy Hash: 2F9108B1D10218EBCB14DFA4ED88ADEBBB8FB48700F10815AE505B72A4DB745A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00416090 Relevance: 70.8, APIs: 47, Instructions: 266COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404B66), ref: 004160AE
__vbaStrCopy.MSVBVM60(?,?,?,?,00404B66), ref: 004160E7
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404B66), ref: 004160FF
__vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,?,00404B66), ref: 00416118
__vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,00404B66), ref: 0041612A
__vbaStrToUnicode.MSVBVM60(?,?,?,?,?,?,00404B66), ref: 00416138
__vbaFreeStr.MSVBVM60(?,?,?,?,00404B66), ref: 0041614A
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 0041617D
__vbaAryLock.MSVBVM60(?,?,?,?,?,?,?,?,00404B66), ref: 00416195
__vbaGenerateBoundsError.MSVBVM60 ref: 004161D2
__vbaGenerateBoundsError.MSVBVM60 ref: 004161EC
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?), ref: 00416213
__vbaSetSystemError.MSVBVM60(00000000), ref: 0041621F
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0041622D
__vbaAryUnlock.MSVBVM60(00000000), ref: 00416237
__vbaFreeStr.MSVBVM60 ref: 00416240
__vbaAryLock.MSVBVM60(00000000,?), ref: 00416255
__vbaGenerateBoundsError.MSVBVM60 ref: 00416292
__vbaGenerateBoundsError.MSVBVM60 ref: 004162AC
__vbaStrToAnsi.MSVBVM60(?,004074E8,?,?), ref: 004162C9
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 004162E2
__vbaAryUnlock.MSVBVM60(00000000), ref: 004162EC
__vbaFreeStr.MSVBVM60 ref: 004162F5
__vbaSetSystemError.MSVBVM60(?,?,00000034), ref: 00416311
__vbaStrI2.MSVBVM60(?), ref: 00416323
__vbaStrMove.MSVBVM60 ref: 0041632E
__vbaStrCat.MSVBVM60(004080EC,00000000), ref: 0041633A
__vbaStrMove.MSVBVM60 ref: 00416345
__vbaStrI2.MSVBVM60(?,00000000), ref: 00416351
__vbaStrMove.MSVBVM60 ref: 0041635C
__vbaStrCat.MSVBVM60(00000000), ref: 00416363
__vbaStrMove.MSVBVM60 ref: 00416371
__vbaStrCat.MSVBVM60(004080EC,00000000), ref: 0041637D
__vbaStrMove.MSVBVM60 ref: 0041638B
__vbaStrI2.MSVBVM60(?,00000000), ref: 00416397
__vbaStrMove.MSVBVM60 ref: 004163A5
__vbaStrCat.MSVBVM60(00000000), ref: 004163AC
__vbaStrMove.MSVBVM60 ref: 004163BA
__vbaStrCat.MSVBVM60(004080EC,00000000), ref: 004163C6
__vbaStrMove.MSVBVM60 ref: 004163D4
__vbaStrI2.MSVBVM60(?,00000000), ref: 004163E0
__vbaStrMove.MSVBVM60 ref: 004163EE
__vbaStrCat.MSVBVM60(00000000), ref: 004163F5
__vbaStrMove.MSVBVM60 ref: 00416400
__vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,?), ref: 0041643E
__vbaAryDestruct.MSVBVM60(00000000,?,004164C3), ref: 004164B3
__vbaFreeStr.MSVBVM60 ref: 004164BC

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Move$Error$Free$BoundsGenerateSystem$Ansi$LockUnicodeUnlock$ChkstkCopyDestructListRedim
String ID:
API String ID: 3622588618-0
Opcode ID: 1580e320a11f186d15296b5ef466aeaefe005f202b611ba04caf7462ea8339d7
Instruction ID: dea23858b78561569232352db0d388471338031dc30e3bdead4f8fa248571075
Opcode Fuzzy Hash: 1580e320a11f186d15296b5ef466aeaefe005f202b611ba04caf7462ea8339d7
Instruction Fuzzy Hash: 0CC1FC75900208DFDB14DFA4DE48BDEBBB9FB48301F1082A9E50AB7261DB749A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0042B9C0 Relevance: 66.2, APIs: 44, Instructions: 213COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404B66,?,?,0042B6F8,?,?,00000000), ref: 0042B9DE
__vbaStrCopy.MSVBVM60(?,6CE6D8B1,00000000,?,00404B66), ref: 0042BA0B
__vbaStrCopy.MSVBVM60 ref: 0042BA17
__vbaStrCopy.MSVBVM60 ref: 0042BA23
__vbaOnError.MSVBVM60(000000FF), ref: 0042BA32
#608.MSVBVM60(?,00000000), ref: 0042BA45
#606.MSVBVM60(00001388,?), ref: 0042BA54
__vbaStrMove.MSVBVM60 ref: 0042BA5F
__vbaFreeVar.MSVBVM60 ref: 0042BA68
__vbaStrToAnsi.MSVBVM60(?,?), ref: 0042BA7D
__vbaLenBstr.MSVBVM60(?,00000000), ref: 0042BA88
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0042BA97
__vbaStrToAnsi.MSVBVM60(?,00405F48,00000000), ref: 0042BAA7
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0042BAB6
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0042BAC5
__vbaSetSystemError.MSVBVM60(00000000), ref: 0042BAD4
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0042BAE2
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0042BAF0
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0042BAFE
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0042BB0C
__vbaStrI4.MSVBVM60(?), ref: 0042BB16
__vbaStrMove.MSVBVM60 ref: 0042BB21
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0042BB3D
#608.MSVBVM60(?,00000000), ref: 0042BB53
__vbaStrVarVal.MSVBVM60(00000001,?,00000000,00000001,000000FF,00000000), ref: 0042BB69
#712.MSVBVM60(?,00000000), ref: 0042BB74
__vbaStrMove.MSVBVM60 ref: 0042BB7F
#519.MSVBVM60(00000000), ref: 0042BB86
__vbaStrMove.MSVBVM60 ref: 0042BB91
__vbaStrCmp.MSVBVM60(00000000,00000000), ref: 0042BB9A
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0042BBB9
__vbaFreeVar.MSVBVM60 ref: 0042BBC5
__vbaStrCopy.MSVBVM60 ref: 0042BBDF
__vbaI4Str.MSVBVM60(?), ref: 0042BBF2
#616.MSVBVM60(?,00000000), ref: 0042BBFD
#520.MSVBVM60(?,00000008), ref: 0042BC15
__vbaStrVarMove.MSVBVM60(?), ref: 0042BC1F
__vbaStrMove.MSVBVM60 ref: 0042BC2A
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0042BC3A
__vbaFreeStr.MSVBVM60(0042BCBE), ref: 0042BC93
__vbaFreeStr.MSVBVM60 ref: 0042BC9C
__vbaFreeStr.MSVBVM60 ref: 0042BCA5
__vbaFreeStr.MSVBVM60 ref: 0042BCAE
__vbaFreeStr.MSVBVM60 ref: 0042BCB7

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Move$Ansi$CopyUnicode$List$#608Error$#519#520#606#616#712BstrChkstkSystem
String ID:
API String ID: 2952968493-0
Opcode ID: 438183a5161b9fba6a76ddf2c74752062a56809cb140716b8db4ea872d20cdd2
Instruction ID: 97b65fc9068bfc7959452b815ebae977ca372f75fbbe8961291caf31f02b4b09
Opcode Fuzzy Hash: 438183a5161b9fba6a76ddf2c74752062a56809cb140716b8db4ea872d20cdd2
Instruction Fuzzy Hash: EE91CA76900108EBCB04DFE4DE88EEEBB78FB48705F108169F212B61A4DB74A605CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0044A7E0 Relevance: 66.2, APIs: 44, Instructions: 213COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00404B66,?,?,0044A176,?,URL,00000000), ref: 0044A7FE
__vbaStrCopy.MSVBVM60(6CE6D8B1,6CE6D83C,6CE5A323,00000000,00404B66), ref: 0044A82B
__vbaStrCopy.MSVBVM60 ref: 0044A837
__vbaStrCopy.MSVBVM60 ref: 0044A843
__vbaOnError.MSVBVM60(000000FF), ref: 0044A852
#608.MSVBVM60(?,00000000), ref: 0044A865
#606.MSVBVM60(00001388,?), ref: 0044A874
__vbaStrMove.MSVBVM60 ref: 0044A87F
__vbaFreeVar.MSVBVM60 ref: 0044A888
__vbaStrToAnsi.MSVBVM60(?,?), ref: 0044A89D
__vbaLenBstr.MSVBVM60(?,00000000), ref: 0044A8A8
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0044A8B7
__vbaStrToAnsi.MSVBVM60(?,00405F48,00000000), ref: 0044A8C7
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0044A8D6
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0044A8E5
__vbaSetSystemError.MSVBVM60(00000000), ref: 0044A8F4
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0044A902
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0044A910
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0044A91E
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0044A92C
__vbaStrI4.MSVBVM60(?), ref: 0044A936
__vbaStrMove.MSVBVM60 ref: 0044A941
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0044A95D
#608.MSVBVM60(?,00000000), ref: 0044A973
__vbaStrVarVal.MSVBVM60(00000001,?,00000000,00000001,000000FF,00000000), ref: 0044A989
#712.MSVBVM60(?,00000000), ref: 0044A994
__vbaStrMove.MSVBVM60 ref: 0044A99F
#519.MSVBVM60(00000000), ref: 0044A9A6
__vbaStrMove.MSVBVM60 ref: 0044A9B1
__vbaStrCmp.MSVBVM60(00000000,00000000), ref: 0044A9BA
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0044A9D9
__vbaFreeVar.MSVBVM60 ref: 0044A9E5
__vbaStrCopy.MSVBVM60 ref: 0044A9FF
__vbaI4Str.MSVBVM60(?), ref: 0044AA12
#616.MSVBVM60(?,00000000), ref: 0044AA1D
#520.MSVBVM60(?,00000008), ref: 0044AA35
__vbaStrVarMove.MSVBVM60(?), ref: 0044AA3F
__vbaStrMove.MSVBVM60 ref: 0044AA4A
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0044AA5A
__vbaFreeStr.MSVBVM60(0044AADE), ref: 0044AAB3
__vbaFreeStr.MSVBVM60 ref: 0044AABC
__vbaFreeStr.MSVBVM60 ref: 0044AAC5
__vbaFreeStr.MSVBVM60 ref: 0044AACE
__vbaFreeStr.MSVBVM60 ref: 0044AAD7

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Move$Ansi$CopyUnicode$List$#608Error$#519#520#606#616#712BstrChkstkSystem
String ID:
API String ID: 2952968493-0
Opcode ID: efe326a8e30932994d2394103c54ff3af613990ae719b97883b17111da5f114b
Instruction ID: 9d0aa112cbdbd12db0700497b66a5b1db77dd9d837ed7b5b1d25cd2a7e3d3010
Opcode Fuzzy Hash: efe326a8e30932994d2394103c54ff3af613990ae719b97883b17111da5f114b
Instruction Fuzzy Hash: 4891BA76900108EBDB04DFE4DE88EEEB778FB48705F108569F212B61A4DB74A646CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00425310 Relevance: 61.8, APIs: 41, Instructions: 271COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6CF5C281,6CE6D8B1,6CF560EF), ref: 004253A2
__vbaOnError.MSVBVM60(00000001), ref: 004253B1
#519.MSVBVM60(?), ref: 004253C8
__vbaStrMove.MSVBVM60 ref: 004253D5
__vbaVarDup.MSVBVM60 ref: 004253F4
__vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 0042540A
#711.MSVBVM60(?,00000000), ref: 00425411
__vbaVarMove.MSVBVM60 ref: 0042541D
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00425433
__vbaFreeVar.MSVBVM60 ref: 0042543B
__vbaVarIndexLoad.MSVBVM60(?,?,00000001), ref: 00425495
__vbaVarTstEq.MSVBVM60(00008008,00000000), ref: 004254A6
__vbaFreeVar.MSVBVM60 ref: 004254B6
__vbaVarIndexLoad.MSVBVM60(?,?,00000001), ref: 0042550D
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 0042551B
#519.MSVBVM60(00000000), ref: 00425522
__vbaStrMove.MSVBVM60 ref: 00425529

Part of subcall function 00424FB0: __vbaOnError.MSVBVM60(00000001,6CE5D9F1,6CE6D8B1,6CE6D8F4), ref: 00425016
Part of subcall function 00424FB0: #607.MSVBVM60(?,000000FF,?), ref: 00425036
Part of subcall function 00424FB0: __vbaStrVarMove.MSVBVM60(?), ref: 00425040
Part of subcall function 00424FB0: __vbaStrMove.MSVBVM60 ref: 00425051
Part of subcall function 00424FB0: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042505C
Part of subcall function 00424FB0: __vbaLenBstr.MSVBVM60(?), ref: 00425070
Part of subcall function 00424FB0: __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00425085
Part of subcall function 00424FB0: __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00425092
Part of subcall function 00424FB0: __vbaSetSystemError.MSVBVM60(00000000,?,00000000), ref: 0042509A
Part of subcall function 00424FB0: __vbaStrToUnicode.MSVBVM60(00425534,?,?,00000000), ref: 004250AB
Part of subcall function 00424FB0: __vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 004250B5
Part of subcall function 00424FB0: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 004250C1
Part of subcall function 00424FB0: #537.MSVBVM60(00000000,?,00000001), ref: 004250DF

__vbaStrMove.MSVBVM60(?), ref: 00425539
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00425545
__vbaFreeVar.MSVBVM60 ref: 0042554D
#519.MSVBVM60(?), ref: 0042555E
__vbaStrMove.MSVBVM60 ref: 00425565
#608.MSVBVM60(?,00000025), ref: 00425573
__vbaVarIndexLoad.MSVBVM60(?,?,00000001), ref: 004255B1
#608.MSVBVM60(?,00000025), ref: 004255C3
__vbaVarCat.MSVBVM60(?,?,?,?,00000001,000000FF,00000000), ref: 004255E8
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 004255FD
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 00425608
__vbaStrMove.MSVBVM60(00000000), ref: 00425614
#712.MSVBVM60(00000000), ref: 00425617
__vbaStrMove.MSVBVM60 ref: 00425622
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 00425632
__vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 00425653
#519.MSVBVM60(?), ref: 00425669
__vbaStrMove.MSVBVM60 ref: 00425670
__vbaStrCopy.MSVBVM60 ref: 0042567F
__vbaExitProc.MSVBVM60 ref: 00425685
__vbaFreeVar.MSVBVM60(00425863), ref: 00425847
__vbaFreeStr.MSVBVM60 ref: 00425856
__vbaFreeStr.MSVBVM60 ref: 0042585B
__vbaFreeStr.MSVBVM60 ref: 00425860

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Move$List$#519$ErrorIndexLoad$#608AnsiCopyUnicode$#537#607#711#712BstrExitProcSystem
String ID:
API String ID: 3112395444-0
Opcode ID: b70647f444aac1892165c49214914d6c71f800a6e8d749c7cba54b5a20e49e00
Instruction ID: a3d470aadbf07e26180bc3bdd558953687d4ecac39aafa4bfc92a4c55865ae8d
Opcode Fuzzy Hash: b70647f444aac1892165c49214914d6c71f800a6e8d749c7cba54b5a20e49e00
Instruction Fuzzy Hash: CCC1D7B1D002189BDB14DF94DD84BDEFBB9FF48300F5081AAE509A72A0DB745A89CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0043B460 Relevance: 58.0, APIs: 28, Strings: 5, Instructions: 227COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,6CF560EF,6CE6D8B1,6CE5A323), ref: 0043B4DA
__vbaStrCopy.MSVBVM60 ref: 0043B4F2

Part of subcall function 00416B20: __vbaStrCopy.MSVBVM60(6CE6D83C,6CE6D8B1,00000000), ref: 00416B6F
Part of subcall function 00416B20: #527.MSVBVM60(?), ref: 00416B79
Part of subcall function 00416B20: __vbaStrMove.MSVBVM60 ref: 00416B8A
Part of subcall function 00416B20: __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,000003FF,00000000), ref: 00416BA8
Part of subcall function 00416B20: __vbaAryLock.MSVBVM60(?,?), ref: 00416BB9
Part of subcall function 00416B20: __vbaGenerateBoundsError.MSVBVM60 ref: 00416BD8
Part of subcall function 00416B20: __vbaSetSystemError.MSVBVM60(?,00001000,?), ref: 00416C09
Part of subcall function 00416B20: __vbaAryUnlock.MSVBVM60(?), ref: 00416C13

Part of subcall function 004164F0: __vbaStrCopy.MSVBVM60 ref: 00416582
Part of subcall function 004164F0: __vbaOnError.MSVBVM60(00000001), ref: 00416591
Part of subcall function 004164F0: __vbaVarDup.MSVBVM60 ref: 004165DD
Part of subcall function 004164F0: #626.MSVBVM60(?,?,0000000A), ref: 004165F2
Part of subcall function 004164F0: __vbaVarLateMemCallLd.MSVBVM60(?,?,InstancesOf,00000001), ref: 00416629
Part of subcall function 004164F0: __vbaObjVar.MSVBVM60(00000000), ref: 00416633
Part of subcall function 004164F0: __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0041663E
Part of subcall function 004164F0: __vbaFreeVarList.MSVBVM60(00000004,?,0000000A,?,?), ref: 0041665C

__vbaFreeStr.MSVBVM60(mbam-msp.exe,mbam-msp.exe,?), ref: 0043B536
__vbaStrCopy.MSVBVM60 ref: 0043B55B
__vbaStrCopy.MSVBVM60 ref: 0043B565

Part of subcall function 0042C9A0: __vbaOnError.MSVBVM60(00000001,6CE6D83C,?,00000000), ref: 0042CA11
Part of subcall function 0042C9A0: __vbaStrToAnsi.MSVBVM60(?,?,00000000,00000001,?), ref: 0042CA35
Part of subcall function 0042C9A0: __vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,00000001,?), ref: 0042CA46
Part of subcall function 0042C9A0: __vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000,00000001,?), ref: 0042CA57
Part of subcall function 0042C9A0: __vbaFreeStr.MSVBVM60(?,00000000,?,00000000,00000001,?), ref: 0042CA5F
Part of subcall function 0042C9A0: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00000001,?), ref: 0042CA9B
Part of subcall function 0042C9A0: __vbaStrToAnsi.MSVBVM60(?,00000000,?,00000000,?,00000000,00000001,?), ref: 0042CAA6
Part of subcall function 0042C9A0: __vbaStrToAnsi.MSVBVM60(?,?,?,00000001,?,?,?,00000000,?,00000000,00000001,?), ref: 0042CAC6
Part of subcall function 0042C9A0: __vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,?,00000000,00000001,?), ref: 0042CAD5

__vbaStrMove.MSVBVM60(80000002,?,?,00000001), ref: 0043B58E
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0043B59A
__vbaStrCmp.MSVBVM60(00405F48,?), ref: 0043B5B3
__vbaStrCat.MSVBVM60(MBData,00000000), ref: 0043B5DA
__vbaStrMove.MSVBVM60 ref: 0043B5E1

Part of subcall function 0042CFC0: __vbaOnError.MSVBVM60(00000001,6CE6D83C,6CE6D8B1,00000000), ref: 0042D088
Part of subcall function 0042CFC0: __vbaStrCopy.MSVBVM60 ref: 0042D0AA
Part of subcall function 0042CFC0: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0042D0FD
Part of subcall function 0042CFC0: __vbaFreeVar.MSVBVM60 ref: 0042D109
Part of subcall function 0042CFC0: __vbaStrCopy.MSVBVM60 ref: 0042D11E
Part of subcall function 0042CFC0: __vbaStrCat.MSVBVM60(?,Searching for MalwareBytes Installation Path in registry :: ,00405F48,00405F48,00405F48,?), ref: 0042D14E
Part of subcall function 0042CFC0: __vbaStrMove.MSVBVM60 ref: 0042D15F

__vbaStrMove.MSVBVM60 ref: 0043B5F4
__vbaStrCat.MSVBVM60(mbam-msp.exe,00000000), ref: 0043B5FC
__vbaStrMove.MSVBVM60 ref: 0043B603
__vbaFreeStr.MSVBVM60 ref: 0043B608
__vbaStrCat.MSVBVM60(?,/logtofolder ), ref: 0043B61E
__vbaStrMove.MSVBVM60 ref: 0043B625
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,0000002C), ref: 0043B65C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000034), ref: 0043B697
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,0000002C), ref: 0043B6C8
__vbaSetSystemError.MSVBVM60(00001388,?,?,?,?,80000002), ref: 0043B709
__vbaExitProc.MSVBVM60 ref: 0043B70F
__vbaExitProc.MSVBVM60 ref: 0043B883
__vbaFreeStr.MSVBVM60(0043B8F6), ref: 0043B8DA
__vbaFreeStr.MSVBVM60 ref: 0043B8DF
__vbaFreeStr.MSVBVM60 ref: 0043B8E4
__vbaFreeStr.MSVBVM60 ref: 0043B8E9
__vbaFreeStr.MSVBVM60 ref: 0043B8EE
__vbaFreeStr.MSVBVM60 ref: 0043B8F3

Strings

/logtofolder , xrefs: 0043B615
mbam-msp.exe, xrefs: 0043B4F8, 0043B50D, 0043B5F7
MBData, xrefs: 0043B5CF
Logs, xrefs: 0043B553
SOFTWARE\Malwarebytes' Anti-Malware, xrefs: 0043B55D

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Error$Copy$Move$CheckHresultSystem$Ansi$ExitListProc$#527#626AddrefBoundsCallGenerateLateLockRedimUnicodeUnlock
String ID: /logtofolder $Logs$MBData$SOFTWARE\Malwarebytes' Anti-Malware$mbam-msp.exe
API String ID: 75567093-2247454915
Opcode ID: 4ddf9cd00a833c83bf7cad5e140252bf40dff2b24827214cc23f0c26b7180063
Instruction ID: e55ed8c64a1338ca829cafbcfef6cd77f21f4814642ef59fbd4bf27993b2ef83
Opcode Fuzzy Hash: 4ddf9cd00a833c83bf7cad5e140252bf40dff2b24827214cc23f0c26b7180063
Instruction Fuzzy Hash: FF912AB1D00218ABDB04EFA5DD84AEDBBB8FF48300F60816EE105B72A5DB745A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00425880 Relevance: 52.7, APIs: 29, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6CE6E06B,6CE6D8B1,6CE55560), ref: 00425918
__vbaStrCopy.MSVBVM60 ref: 00425920
__vbaOnError.MSVBVM60(00000001), ref: 0042592B
#519.MSVBVM60(?), ref: 00425942
__vbaStrMove.MSVBVM60 ref: 0042594F
__vbaVarDup.MSVBVM60 ref: 0042596E
__vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 00425984
#711.MSVBVM60(?,00000000), ref: 0042598B
__vbaVarMove.MSVBVM60 ref: 00425997
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004259A7
__vbaFreeVar.MSVBVM60 ref: 004259B3
__vbaRefVarAry.MSVBVM60(?), ref: 004259C4
__vbaUbound.MSVBVM60(00000001,?), ref: 004259CF
__vbaI2I4.MSVBVM60 ref: 004259D7
__vbaVarIndexLoad.MSVBVM60(?,?,00000001), ref: 00425A3C
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 00425A4A
#519.MSVBVM60(00000000), ref: 00425A51
#518.MSVBVM60(?,?), ref: 00425A69
#519.MSVBVM60(?), ref: 00425A6F
#518.MSVBVM60(?,?), ref: 00425A8B
__vbaVarTstEq.MSVBVM60(?,?), ref: 00425A9B
__vbaFreeStr.MSVBVM60 ref: 00425AA7
__vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 00425ACC
__vbaExitProc.MSVBVM60 ref: 00425B14
__vbaExitProc.MSVBVM60 ref: 00425C73
__vbaFreeVar.MSVBVM60(00425CF2), ref: 00425CDB
__vbaFreeStr.MSVBVM60 ref: 00425CEA
__vbaFreeStr.MSVBVM60 ref: 00425CEF
__vbaErrorOverflow.MSVBVM60 ref: 00425D09

Strings

#@#, xrefs: 00425951

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$#519Move$#518CopyErrorExitListProc$#711IndexLoadOverflowUbound
String ID: #@#
API String ID: 1545676309-2538872796
Opcode ID: a77064fa9207110fa7fa8f5f57ea6bd997884f182a6aff52939a55ad4676d20d
Instruction ID: 0426512af9c0b9e3793cec8c25ea56f20210d670d22f21cdabe30443026f8348
Opcode Fuzzy Hash: a77064fa9207110fa7fa8f5f57ea6bd997884f182a6aff52939a55ad4676d20d
Instruction Fuzzy Hash: 0C9191B1D00218AFDB54DFA5DD84BDDBBB8BB48300F5081AAE509B72A0DB745A89CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0042F760 Relevance: 50.9, APIs: 24, Strings: 5, Instructions: 169COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0042F7BF
__vbaOnError.MSVBVM60(00000001), ref: 0042F7CE

Part of subcall function 0042F590: __vbaFixstrConstruct.MSVBVM60(000003E8,?), ref: 0042F5E0
Part of subcall function 0042F590: __vbaOnError.MSVBVM60(00000001), ref: 0042F5EF
Part of subcall function 0042F590: __vbaStrToAnsi.MSVBVM60(?,?,000003E8), ref: 0042F609
Part of subcall function 0042F590: __vbaSetSystemError.MSVBVM60(00000000), ref: 0042F617
Part of subcall function 0042F590: __vbaStrToUnicode.MSVBVM60(?,?), ref: 0042F625
Part of subcall function 0042F590: __vbaLsetFixstr.MSVBVM60(00000000,?,00000000), ref: 0042F637
Part of subcall function 0042F590: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042F643
Part of subcall function 0042F590: __vbaStrCopy.MSVBVM60(00000000), ref: 0042F65A
Part of subcall function 0042F590: #616.MSVBVM60(00000000), ref: 0042F661
Part of subcall function 0042F590: __vbaStrMove.MSVBVM60 ref: 0042F672
Part of subcall function 0042F590: __vbaLsetFixstr.MSVBVM60(00000000,?,?), ref: 0042F67D
Part of subcall function 0042F590: __vbaStrMove.MSVBVM60 ref: 0042F688
Part of subcall function 0042F590: __vbaFreeStr.MSVBVM60 ref: 0042F693
Part of subcall function 0042F590: #645.MSVBVM60(00004008,00000010), ref: 0042F6AF
Part of subcall function 0042F590: __vbaStrMove.MSVBVM60 ref: 0042F6BA
Part of subcall function 0042F590: __vbaStrCmp.MSVBVM60(00405F48,00000000), ref: 0042F6C2

__vbaStrMove.MSVBVM60 ref: 0042F7EB
#645.MSVBVM60(00004008,00000000), ref: 0042F80C
__vbaStrMove.MSVBVM60 ref: 0042F817
__vbaStrCmp.MSVBVM60(00405F48,00000000), ref: 0042F81F
__vbaFreeStr.MSVBVM60 ref: 0042F831
__vbaStrCat.MSVBVM60(?,Dll not found at ',00405F48,00405F48,00405F48,?), ref: 0042F86B
__vbaStrMove.MSVBVM60 ref: 0042F876
__vbaStrCat.MSVBVM60(004085CC,00000000), ref: 0042F87E
__vbaStrMove.MSVBVM60 ref: 0042F889
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0042F8BA
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042F8CA
__vbaFreeVar.MSVBVM60 ref: 0042F8D6
__vbaExitProc.MSVBVM60 ref: 0042F8E6
#526.MSVBVM60(?,00000001), ref: 0042F904
__vbaStrCat.MSVBVM60(\regsvr32.exe /s ,?), ref: 0042F913
__vbaVarCat.MSVBVM60(?,?,?,00000000), ref: 0042F943
__vbaVarCat.MSVBVM60(?,00004008,00000000), ref: 0042F951
#600.MSVBVM60(00000000), ref: 0042F954
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042F96E
__vbaExitProc.MSVBVM60 ref: 0042F981
__vbaFreeStr.MSVBVM60(0042F9E8), ref: 0042F9E0
__vbaFreeStr.MSVBVM60 ref: 0042F9E5

Strings

RegisterDLL, xrefs: 0042F891
ERR, xrefs: 0042F88C
\regsvr32.exe /s , xrefs: 0042F90E
Dll not found at ', xrefs: 0042F862
modCommon, xrefs: 0042F896

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Move$ErrorFixstrList$#645CopyExitLsetProc$#526#600#616AnsiCheckConstructHresultSystemUnicode
String ID: Dll not found at '$ERR$RegisterDLL$\regsvr32.exe /s $modCommon
API String ID: 1980989329-172343994
Opcode ID: b5644d51f55a4e96ecd1aae059f265bc1d71b609618a4ace31166b9b4c1eda06
Instruction ID: 3752d9c37ce05ca6ec8b3f87f0bf32206a89c8de6d59f6832f4cb22dfc3fdacb
Opcode Fuzzy Hash: b5644d51f55a4e96ecd1aae059f265bc1d71b609618a4ace31166b9b4c1eda06
Instruction Fuzzy Hash: 8E61FEB1D00218AFCB10DFA5DE85EDEBBB4FB48700F60816AE546B7290DB745A49CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00431520 Relevance: 46.7, APIs: 31, Instructions: 201COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,6CE6D8B1,6CE9285F,00000000), ref: 00431585
#525.MSVBVM60(000000FF), ref: 004315B1
__vbaStrMove.MSVBVM60 ref: 004315C2
__vbaStrToAnsi.MSVBVM60(?), ref: 004315DB
__vbaStrToAnsi.MSVBVM60(?,?,000000FF,00000000), ref: 004315EB
__vbaStrToAnsi.MSVBVM60(?,00405F48,00000000), ref: 004315F7
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00431604
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000), ref: 00431611
__vbaSetSystemError.MSVBVM60(00000000,?,00000000,?,00000000), ref: 0043161C
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000), ref: 00431630
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000), ref: 0043163A
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000), ref: 00431644
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000), ref: 0043164B
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?,?,00000000,?,00000000), ref: 00431666
#617.MSVBVM60(?,00004008,?), ref: 0043168C
__vbaStrVarMove.MSVBVM60(?), ref: 00431696
__vbaStrMove.MSVBVM60 ref: 004316A1
__vbaStrToAnsi.MSVBVM60(?), ref: 004316BF
__vbaStrToAnsi.MSVBVM60(?,00000000,00000000,00000000), ref: 004316CD
__vbaStrToAnsi.MSVBVM60(?,00000000,00000000), ref: 004316DA
__vbaSetSystemError.MSVBVM60(00000000), ref: 004316E5
__vbaStrToUnicode.MSVBVM60(?,?), ref: 004316F9
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00431700
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00431707
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0043171A
__vbaStrI4.MSVBVM60(?), ref: 0043172B
__vbaStrMove.MSVBVM60 ref: 00431736
__vbaExitProc.MSVBVM60 ref: 0043173C
__vbaFreeVar.MSVBVM60 ref: 0043187D
__vbaExitProc.MSVBVM60 ref: 00431883
__vbaFreeStr.MSVBVM60(004318E2), ref: 004318DB

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Ansi$Unicode$FreeMove$Error$ExitListProcSystem$#525#617
String ID:
API String ID: 551464816-0
Opcode ID: 92da607d741b5b7e9ad8d1340427c746715db182aa475bb16bceeca8360c43c8
Instruction ID: 7b8d2e779467fd756eaefbc0b03b80c26aac9d7131cbce488bda9e3ada425197
Opcode Fuzzy Hash: 92da607d741b5b7e9ad8d1340427c746715db182aa475bb16bceeca8360c43c8
Instruction Fuzzy Hash: 077174B1D00218ABCB04EFA5DD84ADEBBB9FF48700F10856AE515B7260DB746A45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042E1C0 Relevance: 46.7, APIs: 31, Instructions: 201COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,0042D984,?,6CEA68B3), ref: 0042E225
#525.MSVBVM60(000000FF), ref: 0042E251
__vbaStrMove.MSVBVM60 ref: 0042E262
__vbaStrToAnsi.MSVBVM60(?), ref: 0042E27B
__vbaStrToAnsi.MSVBVM60(?,?,000000FF,00000000), ref: 0042E28B
__vbaStrToAnsi.MSVBVM60(?,00405F48,00000000), ref: 0042E297
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0042E2A4
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000), ref: 0042E2B1
__vbaSetSystemError.MSVBVM60(00000000,?,00000000,?,00000000), ref: 0042E2BC
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000), ref: 0042E2D0
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000), ref: 0042E2DA
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000), ref: 0042E2E4
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000), ref: 0042E2EB
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?,?,00000000,?,00000000), ref: 0042E306
#617.MSVBVM60(?,00004008,?), ref: 0042E32C
__vbaStrVarMove.MSVBVM60(?), ref: 0042E336
__vbaStrMove.MSVBVM60 ref: 0042E341
__vbaStrToAnsi.MSVBVM60(?), ref: 0042E35F
__vbaStrToAnsi.MSVBVM60(?,00000000,00000000,00000000), ref: 0042E36D
__vbaStrToAnsi.MSVBVM60(?,00000000,00000000), ref: 0042E37A
__vbaSetSystemError.MSVBVM60(00000000), ref: 0042E385
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0042E399
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0042E3A0
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0042E3A7
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0042E3BA
__vbaStrI4.MSVBVM60(?), ref: 0042E3CB
__vbaStrMove.MSVBVM60 ref: 0042E3D6
__vbaExitProc.MSVBVM60 ref: 0042E3DC
__vbaFreeVar.MSVBVM60 ref: 0042E51D
__vbaExitProc.MSVBVM60 ref: 0042E523
__vbaFreeStr.MSVBVM60(0042E582), ref: 0042E57B

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Ansi$Unicode$FreeMove$Error$ExitListProcSystem$#525#617
String ID:
API String ID: 551464816-0
Opcode ID: 0b6f7fda2e976c894334d5299aeb3c641b0d9af48003ba7db4aadbda1ca20631
Instruction ID: 4e7578f93294206aed1cba5d9d3be389695aa7c00b1079dbf477b8bbd5e95dd1
Opcode Fuzzy Hash: 0b6f7fda2e976c894334d5299aeb3c641b0d9af48003ba7db4aadbda1ca20631
Instruction Fuzzy Hash: FB7183B1D00218ABCB04EFE5DD84ADEBBB9FB48300F50856AF515B7260DB746A45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00434B30 Relevance: 45.6, APIs: 25, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6CE6D8B1,00000001,00000000), ref: 00434B95
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00434B9D
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00434BA5
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00434BAD
__vbaOnError.MSVBVM60(00000001), ref: 00434BB8
#525.MSVBVM60(00000064), ref: 00434BC7
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00434BD8
__vbaStrToAnsi.MSVBVM60(?,?), ref: 00434BEF
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00434BFA
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00434C05
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00434C10
__vbaSetSystemError.MSVBVM60(00000000), ref: 00434C1A
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00434C2E
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00434C38
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00434C42
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00434C4C
__vbaStrI4.MSVBVM60(00000000), ref: 00434C4F
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00434C5A
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 00434C6E
__vbaExitProc.MSVBVM60 ref: 00434C77
__vbaFreeStr.MSVBVM60(00434D0C), ref: 00434CF5
__vbaFreeStr.MSVBVM60 ref: 00434CFA
__vbaFreeStr.MSVBVM60 ref: 00434CFF
__vbaFreeStr.MSVBVM60 ref: 00434D04
__vbaFreeStr.MSVBVM60 ref: 00434D09

Strings

3@, xrefs: 00434BA7

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$AnsiCopyUnicode$ErrorMove$#525ExitListProcSystem
String ID: 3@
API String ID: 1729276524-1720102972
Opcode ID: a939d0b0ab789899575669972a604bdbf2bbf58ca72bcb57b7026cfc42515118
Instruction ID: 375097492e09d90d427ee88f1a9318e4ddf8461b175fe1641706df03356aed5c
Opcode Fuzzy Hash: a939d0b0ab789899575669972a604bdbf2bbf58ca72bcb57b7026cfc42515118
Instruction Fuzzy Hash: 88519BB1D1021CAFCB44DFE8DD84ADEBBB9AF48710F14812AE505F3254DA746A45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405645 Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00415486
__vbaStrCopy.MSVBVM60 ref: 0041548E
__vbaStrCopy.MSVBVM60 ref: 00415496
__vbaStrCopy.MSVBVM60 ref: 0041549E
__vbaStrCopy.MSVBVM60 ref: 004154A6
__vbaStrCopy.MSVBVM60 ref: 004154AE
__vbaStrCopy.MSVBVM60 ref: 004154B6
__vbaOnError.MSVBVM60(00000001), ref: 004154C6
__vbaStrCmp.MSVBVM60(00405F48,?), ref: 004154E2
__vbaStrCmp.MSVBVM60(00405F48,?), ref: 004154FB
__vbaStrCmp.MSVBVM60(00405F48,?), ref: 0041551A
__vbaStrCmp.MSVBVM60(00405F48,?), ref: 00415537
__vbaStrCopy.MSVBVM60 ref: 00415556
#546.MSVBVM60(?), ref: 00415568
__vbaVarCat.MSVBVM60(?,?,?), ref: 0041564A
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0041565B
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0041566C
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0041567D
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0041568E
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0041569F
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 004156B0
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 004156C1
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 004156D2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040719C,00000038), ref: 004157CB
__vbaExitProc.MSVBVM60 ref: 004157FA
__vbaFreeStr.MSVBVM60(004158C0), ref: 0041589A
__vbaFreeStr.MSVBVM60 ref: 0041589F
__vbaFreeStr.MSVBVM60 ref: 004158A4
__vbaFreeStr.MSVBVM60 ref: 004158A9
__vbaFreeStr.MSVBVM60 ref: 004158AE
__vbaFreeStr.MSVBVM60 ref: 004158B3
__vbaFreeStr.MSVBVM60 ref: 004158B8
__vbaFreeStr.MSVBVM60 ref: 004158BD

Strings

fK@, xrefs: 004154A0

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$CopyFree$#546CheckErrorExitHresultProc
String ID: fK@
API String ID: 3897326867-3595221470
Opcode ID: 51e35ddc49f16c4dd1c02f8dc1e3d2e61338e9058e666839bbd1c16ecb8dccc9
Instruction ID: d717fb48b10b0d69a794e5199e3664035c9d7b86c9899c3ca349a485b05eecfc
Opcode Fuzzy Hash: 51e35ddc49f16c4dd1c02f8dc1e3d2e61338e9058e666839bbd1c16ecb8dccc9
Instruction Fuzzy Hash: B171C4B0D112299BCB10DFA8DD85ADDBBB8FF98B00F10419BE505B7290D7B45A85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0042E5A0 Relevance: 36.2, APIs: 24, Instructions: 171COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,?,6CE6D8B1,6CE6D8F4), ref: 0042E611
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000,?), ref: 0042E638
__vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,?,00000000,?), ref: 0042E649
__vbaStrToUnicode.MSVBVM60(0042D3D6,?,?,00000000,?,00000000,?,00000000,?), ref: 0042E65A
__vbaFreeStr.MSVBVM60(?,00000000,?,00000000,?,00000000,?), ref: 0042E665
#537.MSVBVM60(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0042E697
#607.MSVBVM60(?,?,00000008,?,00000000,?,00000000,?,00000000,?), ref: 0042E6B3
__vbaStrVarMove.MSVBVM60(?,?,00000000,?,00000000,?,00000000,?), ref: 0042E6BD
__vbaStrMove.MSVBVM60(?,00000000,?,00000000,?,00000000,?), ref: 0042E6C8
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,00000000,?,00000000,?,00000000,?), ref: 0042E6D8
__vbaStrToAnsi.MSVBVM60(?,?,?,?,00000000,?), ref: 0042E6FB
__vbaStrToAnsi.MSVBVM60(?,00000000,00000000,00000000,00000000), ref: 0042E70B
__vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 0042E71B
__vbaStrToUnicode.MSVBVM60(0042D3D6,?), ref: 0042E726
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0042E730
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042E73C
__vbaStrMove.MSVBVM60(?), ref: 0042E765
__vbaExitProc.MSVBVM60 ref: 0042E76B
__vbaStrCopy.MSVBVM60 ref: 0042E78A
__vbaExitProc.MSVBVM60 ref: 0042E790

Part of subcall function 00430F80: __vbaStrCopy.MSVBVM60(6CE5A323,6CE6D8B1,6CE6D8F4), ref: 00430FF7
Part of subcall function 00430F80: __vbaOnError.MSVBVM60(00000001), ref: 00431006
Part of subcall function 00430F80: #608.MSVBVM60(?,00000000), ref: 0043102E
Part of subcall function 00430F80: __vbaInStrVar.MSVBVM60(?,00000000,?,00000008,00000001), ref: 00431052
Part of subcall function 00430F80: __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 00431060
Part of subcall function 00430F80: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00431073
Part of subcall function 00430F80: #608.MSVBVM60(?,00000000), ref: 004310A1
Part of subcall function 00430F80: __vbaInStrVar.MSVBVM60(?,00000000,?,00000008,00000001), ref: 004310C9
Part of subcall function 00430F80: __vbaVarSub.MSVBVM60(?,00000002,00000000), ref: 004310DB
Part of subcall function 00430F80: __vbaI4Var.MSVBVM60(00000000), ref: 004310E2

__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,?,00000000,?), ref: 0042E7AF
__vbaExitProc.MSVBVM60(?,00000000,?,00000000,?,00000000,?), ref: 0042E7B5
__vbaExitProc.MSVBVM60(?,00000000,?,00000000,?,00000000,?), ref: 0042E8C0
__vbaFreeStr.MSVBVM60(0042E92A,?,00000000,?,00000000,?,00000000,?), ref: 0042E923

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$ErrorExitProc$AnsiCopyListMoveUnicode$#608System$#537#607
String ID:
API String ID: 569701059-0
Opcode ID: 1807e52a601d9759a1552fa2cbd88862e6cbe859ba8f124d4e3522e1436aafd6
Instruction ID: 908d098cce36d008b9a8ff83bdfdc27f666e025826658d5cab2af6cbfc9ce3ee
Opcode Fuzzy Hash: 1807e52a601d9759a1552fa2cbd88862e6cbe859ba8f124d4e3522e1436aafd6
Instruction Fuzzy Hash: 7461C7B1D10218EBDB14DFE5D988ADEBBB8EF48700F20852AF505B7260DBB45A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0042BCE0 Relevance: 34.6, APIs: 23, Instructions: 127COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,6CE6D8B1,6CE6D8E2), ref: 0042BD45
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042BD4D
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042BD55
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042BD5D
__vbaOnError.MSVBVM60(00000001), ref: 0042BD68
#525.MSVBVM60(00000064), ref: 0042BD77
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042BD82
__vbaStrToAnsi.MSVBVM60(?,?), ref: 0042BD9D
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0042BDA8
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0042BDB3
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0042BDBE
__vbaSetSystemError.MSVBVM60(00000000), ref: 0042BDC8
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0042BDDC
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0042BDE6
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0042BDF0
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0042BDFA
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0042BE11
__vbaExitProc.MSVBVM60 ref: 0042BE1A
__vbaFreeStr.MSVBVM60(0042BEA0), ref: 0042BE89
__vbaFreeStr.MSVBVM60 ref: 0042BE8E
__vbaFreeStr.MSVBVM60 ref: 0042BE93
__vbaFreeStr.MSVBVM60 ref: 0042BE98
__vbaFreeStr.MSVBVM60 ref: 0042BE9D

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$AnsiCopyUnicode$Error$#525ExitListMoveProcSystem
String ID:
API String ID: 3015245144-0
Opcode ID: de5bedc4e0070cb5553a9561447dde8d07c32b8ff99a08fb42f35fb849394d89
Instruction ID: 796ee91647091ef0243b7b9276f742930a8b5626fec37ca81f7716c81cdf7d62
Opcode Fuzzy Hash: de5bedc4e0070cb5553a9561447dde8d07c32b8ff99a08fb42f35fb849394d89
Instruction Fuzzy Hash: 1A4179B1D1011CAFCB44DFA8DD84ADEBBB9AF48700F14416AE505B3254DA746A45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00431BB0 Relevance: 34.6, APIs: 23, Instructions: 126COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00404B66,?,?,?,?,00448239,00000000), ref: 00431BCE
__vbaStrCopy.MSVBVM60(6CE5A323,6CE6D8B1,6CE6D8F4,00000000,00404B66), ref: 00431BFB
__vbaOnError.MSVBVM60(00000001), ref: 00431C0A
__vbaOnError.MSVBVM60(000000FF), ref: 00431C19
#525.MSVBVM60(00002000), ref: 00431C2B
__vbaStrMove.MSVBVM60 ref: 00431C36
__vbaStrToAnsi.MSVBVM60(?,?), ref: 00431C4B
__vbaStrToAnsi.MSVBVM60(?,?,00002000,00000000), ref: 00431C5F
__vbaStrToAnsi.MSVBVM60(?,00405F48,00000000), ref: 00431C6F
__vbaStrToAnsi.MSVBVM60(?,00405F48,00000000), ref: 00431C7F
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00431C8E
__vbaSetSystemError.MSVBVM60(00000000), ref: 00431C9D
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00431CAB
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00431CB9
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00431CC7
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 00431CE9
#616.MSVBVM60(?,-00000001), ref: 00431D17
__vbaStrMove.MSVBVM60 ref: 00431D22
__vbaStrCopy.MSVBVM60 ref: 00431D39
__vbaExitProc.MSVBVM60 ref: 00431EF3
__vbaFreeStr.MSVBVM60(00431F62), ref: 00431F52
__vbaFreeStr.MSVBVM60 ref: 00431F5B
__vbaErrorOverflow.MSVBVM60 ref: 00431F78

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Ansi$Error$FreeUnicode$CopyMove$#525#616ChkstkExitListOverflowProcSystem
String ID:
API String ID: 776782920-0
Opcode ID: 0e7caeb819d9586e7a1933bdabd0c7e930e707240625696f0682383448b9dafd
Instruction ID: 0c0b63dd6509438b0372b0fefed04afb70563109168a843926a243127bd6592a
Opcode Fuzzy Hash: 0e7caeb819d9586e7a1933bdabd0c7e930e707240625696f0682383448b9dafd
Instruction Fuzzy Hash: 8951DF75900208EFDB04DFE4DE48ADEBBB9FB48305F108559F502B71A0DB796A45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00405638 Relevance: 33.1, APIs: 22, Instructions: 145fileCOMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041518F
__vbaStrCopy.MSVBVM60 ref: 00415197
__vbaOnError.MSVBVM60(00000001), ref: 004151A2
__vbaInStr.MSVBVM60(00000000,004080EC,?,00000001), ref: 004151BB
#709.MSVBVM60(?,004074E8,000000FF,00000000), ref: 004151DC
__vbaI2I4.MSVBVM60 ref: 004151EA
#616.MSVBVM60(?,-00000001), ref: 00415205
__vbaStrMove.MSVBVM60 ref: 00415210
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040719C,0000002C), ref: 00415238
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040719C,00000034), ref: 00415262
#648.MSVBVM60(?), ref: 0041528A
__vbaFreeVar.MSVBVM60 ref: 00415296
__vbaI2I4.MSVBVM60(?), ref: 004152A9
__vbaFileOpen.MSVBVM60(00000008,000000FF,00000000), ref: 004152B0
__vbaI2I4.MSVBVM60(?), ref: 004152BF
__vbaPrintFile.MSVBVM60(0040813C,00000000), ref: 004152C7
__vbaI2I4.MSVBVM60 ref: 004152D9
__vbaFileClose.MSVBVM60(00000000), ref: 004152DC
__vbaExitProc.MSVBVM60 ref: 0041530B
__vbaFreeStr.MSVBVM60(00415341), ref: 00415334
__vbaFreeStr.MSVBVM60 ref: 00415339
__vbaFreeStr.MSVBVM60 ref: 0041533E
__vbaErrorOverflow.MSVBVM60 ref: 00415360
__vbaStrCopy.MSVBVM60 ref: 00415486
__vbaStrCopy.MSVBVM60 ref: 0041548E
__vbaStrCopy.MSVBVM60 ref: 00415496
__vbaStrCopy.MSVBVM60 ref: 0041549E
__vbaStrCopy.MSVBVM60 ref: 004154A6
__vbaStrCopy.MSVBVM60 ref: 004154AE
__vbaStrCopy.MSVBVM60 ref: 004154B6
__vbaOnError.MSVBVM60(00000001), ref: 004154C6

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Copy$Free$ErrorFile$CheckHresult$#616#648#709CloseExitMoveOpenOverflowPrintProc
String ID:
API String ID: 233458788-0
Opcode ID: 8fc36e45f4c212f06bfae192ffd56c74e04cddc252b39f22c37a5a647beed76b
Instruction ID: 399e37b42636545b16adc66c7b72ed4fb5a5f806ebcaaac6640ffd2e5d35f369
Opcode Fuzzy Hash: 8fc36e45f4c212f06bfae192ffd56c74e04cddc252b39f22c37a5a647beed76b
Instruction Fuzzy Hash: ED514EB0901208EBDB00EFA5DE88ADEBBB9FF48704F60816AE505B7290D7785A45CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00431300 Relevance: 31.6, APIs: 21, Instructions: 138COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00404B66,?,?,?,?,0042C646,?), ref: 0043131E
__vbaFixstrConstruct.MSVBVM60(00000100,00000000,6CE6D8B1,6CE9285F,00000000,00000000,00404B66), ref: 0043134E
__vbaOnError.MSVBVM60(000000FF), ref: 0043135D
#685.MSVBVM60 ref: 00431377
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431382
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407E74,0000004C), ref: 004313B5
__vbaFreeObj.MSVBVM60 ref: 004313D0
__vbaLenBstr.MSVBVM60(?,00000000), ref: 004313E9
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 004313F8
__vbaSetSystemError.MSVBVM60(00001200,00000000,00000000,00000000,00000000), ref: 00431416
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00431424
__vbaLsetFixstr.MSVBVM60(00000000,?,00000000), ref: 00431431
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00431447
__vbaStrCopy.MSVBVM60(-00000002), ref: 00431477
#616.MSVBVM60(00000000), ref: 0043147E
__vbaStrMove.MSVBVM60 ref: 00431489
__vbaLsetFixstr.MSVBVM60(00000000,?,?), ref: 00431499
__vbaStrMove.MSVBVM60 ref: 004314B2
__vbaFreeStr.MSVBVM60 ref: 004314BB
__vbaFreeStr.MSVBVM60(00431502), ref: 004314FB

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Fixstr$ErrorLsetMove$#616#685AnsiBstrCheckChkstkConstructCopyHresultListSystemUnicode
String ID:
API String ID: 1086883217-0
Opcode ID: 53def45dc9c790687b43cd2c2e618407ff5a25bc2af77b4622977b107bec04bf
Instruction ID: 81ac47548c54cb174765db0572dd11a4f4f167d02bda1043b17e4b7eb45c1ec0
Opcode Fuzzy Hash: 53def45dc9c790687b43cd2c2e618407ff5a25bc2af77b4622977b107bec04bf
Instruction Fuzzy Hash: B051E6B5900208EFDB04DFD4DA89BDEBBB9FB48701F204169F606B72A0D7746A45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0042F590 Relevance: 31.6, APIs: 21, Instructions: 122COMMON

Download Yara Rule

APIs

__vbaFixstrConstruct.MSVBVM60(000003E8,?), ref: 0042F5E0
__vbaOnError.MSVBVM60(00000001), ref: 0042F5EF
__vbaStrToAnsi.MSVBVM60(?,?,000003E8), ref: 0042F609
__vbaSetSystemError.MSVBVM60(00000000), ref: 0042F617
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0042F625
__vbaLsetFixstr.MSVBVM60(00000000,?,00000000), ref: 0042F637
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042F643
__vbaStrCopy.MSVBVM60(00000000), ref: 0042F65A
#616.MSVBVM60(00000000), ref: 0042F661
__vbaStrMove.MSVBVM60 ref: 0042F672
__vbaLsetFixstr.MSVBVM60(00000000,?,?), ref: 0042F67D
__vbaStrMove.MSVBVM60 ref: 0042F688
__vbaFreeStr.MSVBVM60 ref: 0042F693
#645.MSVBVM60(00004008,00000010), ref: 0042F6AF
__vbaStrMove.MSVBVM60 ref: 0042F6BA
__vbaStrCmp.MSVBVM60(00405F48,00000000), ref: 0042F6C2
__vbaFreeStr.MSVBVM60 ref: 0042F6D4
__vbaStrCopy.MSVBVM60 ref: 0042F6FF
__vbaExitProc.MSVBVM60 ref: 0042F705
__vbaFreeStr.MSVBVM60(0042F746), ref: 0042F73E
__vbaFreeStr.MSVBVM60 ref: 0042F743

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$FixstrMove$CopyErrorLset$#616#645AnsiConstructExitListProcSystemUnicode
String ID:
API String ID: 2497608304-0
Opcode ID: 8d3a856ce538877ddc3a7399292d1a4960894653d34f5d50b3d66a7a8193054a
Instruction ID: 5c81ff1c04dc20582182c5bb2a5f6984e8f81212ec80fd84d45049e46001ce31
Opcode Fuzzy Hash: 8d3a856ce538877ddc3a7399292d1a4960894653d34f5d50b3d66a7a8193054a
Instruction Fuzzy Hash: BF41DBB5D01218ABCB00DF94EE85ADEBBB9FF48700F60416AE506B32A0D7745A45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0043A9C0 Relevance: 30.1, APIs: 20, Instructions: 125COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,6CE6D8E2,6CE6D83C,00000005), ref: 0043AA25
__vbaI4Var.MSVBVM60(?), ref: 0043AA3C
__vbaStrToAnsi.MSVBVM60(?,?,?), ref: 0043AA55
__vbaSetSystemError.MSVBVM60(?,00000000,?,?), ref: 0043AA6D
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,?), ref: 0043AA74
__vbaVarCopy.MSVBVM60(?,00000000,?,?), ref: 0043AA90
__vbaFreeStr.MSVBVM60(?,00000000,?,?), ref: 0043AA99
__vbaVarTstNe.MSVBVM60(00008002,?,?,00000000,?,?), ref: 0043AABC
__vbaVarVargNofree.MSVBVM60(?,00000000,?,?), ref: 0043AAD6
__vbaI4Var.MSVBVM60(00000000,?,00000000,?,?), ref: 0043AADD
__vbaStrToAnsi.MSVBVM60(?,00000000,00000000,00000004,?,00000004,?,00000000,?,?), ref: 0043AAFC
__vbaI4Var.MSVBVM60(?,00000000,?,00000000,?,?), ref: 0043AB07
__vbaSetSystemError.MSVBVM60(00000000,?,00000000,?,?), ref: 0043AB0F
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,?), ref: 0043AB19
__vbaVarCopy.MSVBVM60(?,00000000,?,?), ref: 0043AB34
__vbaFreeStr.MSVBVM60(?,00000000,?,?), ref: 0043AB3D
__vbaI4Var.MSVBVM60(?,?,00000000,?,?), ref: 0043AB4E
__vbaSetSystemError.MSVBVM60(00000000,?,00000000,?,?), ref: 0043AB56
__vbaExitProc.MSVBVM60(?,00000000,?,?), ref: 0043AB58
__vbaFreeVar.MSVBVM60(0043ACA9,?,00000000,?,?), ref: 0043ACA2

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Error$FreeSystem$AnsiCopyUnicode$ExitNofreeProcVarg
String ID:
API String ID: 1156573013-0
Opcode ID: a1a877822d439e2c86fd15744ea601d147b6feb307d108d25606d1e016a6099e
Instruction ID: 9bda2f29bd762adcc0fe57f4506dc7bd3a396e75f872c94d323dea579556a8c8
Opcode Fuzzy Hash: a1a877822d439e2c86fd15744ea601d147b6feb307d108d25606d1e016a6099e
Instruction Fuzzy Hash: E851B2B5901218EFCB10EFA4DE88B9EBBB9BF48304F10856AE605E7250EB745A04CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0042FF20 Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 127COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,6CE6D8B1,00000000,00000000), ref: 0042FF7F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0042FFD9
__vbaFreeVar.MSVBVM60 ref: 0042FFEC
__vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 00430004
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 00430064
__vbaFreeVar.MSVBVM60 ref: 00430069
__vbaExitProc.MSVBVM60 ref: 0043006B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 004300C9
__vbaFreeVar.MSVBVM60 ref: 004300CE
__vbaExitProc.MSVBVM60 ref: 004300D0

Strings

ModFunctions, xrefs: 0042FFB5, 00430046, 004300AB
fncTerminateUpdateProcess, xrefs: 0042FFB0, 00430041, 004300A6
Successfully Terminated Process, xrefs: 00430037
Terminate Process Failed, xrefs: 0043009C
Executing Function fncTerminateUpdateProcess, xrefs: 0042FFA6
MSG, xrefs: 0042FFAB, 0043003C, 004300A1

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$CheckFreeHresult$ErrorExitProc$System
String ID: Executing Function fncTerminateUpdateProcess$ Successfully Terminated Process$ Terminate Process Failed$MSG$ModFunctions$fncTerminateUpdateProcess
API String ID: 671821184-3999532821
Opcode ID: 08095165978df2a162bb0cbff3166aa110e73ff49cf77ca1fd9219d8deb4dd63
Instruction ID: 99b82f69b170d4234ced8c6b14e9b21c2918efaf15e3813d7deba71f0d462edb
Opcode Fuzzy Hash: 08095165978df2a162bb0cbff3166aa110e73ff49cf77ca1fd9219d8deb4dd63
Instruction Fuzzy Hash: 71413BB0A84214ABCB00DF94CD8AF9E7BB4AB58B00F20456BF101B72D5C6BD69448F9C

Uniqueness

Uniqueness Score: -1.00%

Function 0041AAB0 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 70COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00404B66,?,?,?,?,0041A36E,?,?,?,00000000), ref: 0041AACE
__vbaOnError.MSVBVM60(000000FF,6CE6D8B1,00000001,00000000,00000000,00404B66), ref: 0041AAFE
__vbaStrCopy.MSVBVM60 ref: 0041AB4A
__vbaStrCopy.MSVBVM60(0041ABEF), ref: 0041AB64
__vbaStrCopy.MSVBVM60 ref: 0041AB7B
__vbaStrCopy.MSVBVM60 ref: 0041AB92
__vbaStrCopy.MSVBVM60 ref: 0041ABA9
__vbaStrCopy.MSVBVM60 ref: 0041ABC0
__vbaStrCopy.MSVBVM60 ref: 0041ABD7

Strings

startpend, xrefs: 0041AB5C
paused, xrefs: 0041ABCF
running, xrefs: 0041AB8A
stoppend, xrefs: 0041AB73
contpend, xrefs: 0041ABA1
stopped, xrefs: 0041AB42
pausepend, xrefs: 0041ABB8

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Copy$ChkstkError
String ID: contpend$paused$pausepend$running$startpend$stopped$stoppend
API String ID: 1771118016-816634307
Opcode ID: c6e6de030b0973a00bcb3e72d5fa18cbc23e907ca8967e9d79e5703bb055a5ed
Instruction ID: cf9916d0fe9999e2981704911d8745985638809e63f1fdcc2e1d1e593000c8fb
Opcode Fuzzy Hash: c6e6de030b0973a00bcb3e72d5fa18cbc23e907ca8967e9d79e5703bb055a5ed
Instruction Fuzzy Hash: C0313E7494624CDFCB04DF94CA187DDBBB1FB54304F2080AAD142B72A0CB796E5AEB59

Uniqueness

Uniqueness Score: -1.00%

Function 00415AA0 Relevance: 27.1, APIs: 18, Instructions: 85COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404B66), ref: 00415ABE
__vbaStrCopy.MSVBVM60(?,?,?,?,00404B66), ref: 00415AF7
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404B66), ref: 00415B0F
#648.MSVBVM60(0000000A), ref: 00415B2E
__vbaFreeVar.MSVBVM60 ref: 00415B3D
__vbaI2I4.MSVBVM60(?), ref: 00415B51
__vbaFileOpen.MSVBVM60(00000001,000000FF,00000000), ref: 00415B5C
__vbaI2I4.MSVBVM60 ref: 00415B6C
#570.MSVBVM60(00000000), ref: 00415B73
#621.MSVBVM60(0000000A,?,00000001), ref: 00415B86
__vbaStrVarMove.MSVBVM60(0000000A), ref: 00415B90
__vbaStrMove.MSVBVM60 ref: 00415B9B
__vbaFreeVar.MSVBVM60 ref: 00415BA4
__vbaStrCopy.MSVBVM60 ref: 00415BB7
__vbaI2I4.MSVBVM60 ref: 00415BC7
__vbaFileClose.MSVBVM60(00000000), ref: 00415BCE
__vbaFreeStr.MSVBVM60(00415C0B), ref: 00415BFB
__vbaFreeStr.MSVBVM60 ref: 00415C04

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$CopyFileMove$#570#621#648ChkstkCloseErrorOpen
String ID:
API String ID: 3059586863-0
Opcode ID: 725cec04c97aeb2a3496a9ed7106e7c54a610cd29155144d1fdfbbe1366ac167
Instruction ID: f8f3145c18704e494b2adaa38bddf69ca3974b8b6d35af20ba0435f3781eefcf
Opcode Fuzzy Hash: 725cec04c97aeb2a3496a9ed7106e7c54a610cd29155144d1fdfbbe1366ac167
Instruction Fuzzy Hash: B041C5B5900248EFCB04DFA4DA88BEDBBB4FB48705F108169E512B72A0CB796A45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00413F90 Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6CE81480,6CE9163A,6CF443F3), ref: 00413FF2
__vbaOnError.MSVBVM60(00000001), ref: 00414001
#519.MSVBVM60(?), ref: 00414012
__vbaStrMove.MSVBVM60 ref: 00414023
#517.MSVBVM60(00000000), ref: 00414026
__vbaStrMove.MSVBVM60 ref: 00414031
__vbaStrCmp.MSVBVM60(pon,00000000), ref: 00414039
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00414052
__vbaExitProc.MSVBVM60(all,00407EB0,00407EB0), ref: 0041407B
__vbaExitProc.MSVBVM60(all,00407EB0,00407EB0), ref: 004140A6
__vbaFreeStr.MSVBVM60(00414249), ref: 0041423C
__vbaFreeStr.MSVBVM60 ref: 00414241
__vbaFreeStr.MSVBVM60 ref: 00414246

Part of subcall function 0043C760: __vbaStrCopy.MSVBVM60(00000000,00000001,6CF443F3), ref: 0043C7CB
Part of subcall function 0043C760: __vbaStrCopy.MSVBVM60 ref: 0043C7D3
Part of subcall function 0043C760: __vbaStrCopy.MSVBVM60 ref: 0043C7DB
Part of subcall function 0043C760: __vbaOnError.MSVBVM60(00000001), ref: 0043C7E6
Part of subcall function 0043C760: __vbaStrCat.MSVBVM60(mbamapi.exe,00000000,?), ref: 0043C80A
Part of subcall function 0043C760: __vbaStrMove.MSVBVM60 ref: 0043C81B
Part of subcall function 0043C760: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000030), ref: 0043C83C
Part of subcall function 0043C760: __vbaFreeStr.MSVBVM60 ref: 0043C849
Part of subcall function 0043C760: __vbaStrCopy.MSVBVM60 ref: 0043C86E
Part of subcall function 0043C760: __vbaStrCopy.MSVBVM60 ref: 0043C878
Part of subcall function 0043C760: __vbaStrCat.MSVBVM60(mbamapi.exe,00000000,/protection -stop,?,?,000493E0), ref: 0043C897
Part of subcall function 0043C760: __vbaStrMove.MSVBVM60 ref: 0043C8A2

Strings

all, xrefs: 00414071, 0041409C
pon, xrefs: 00414034

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Copy$Free$Move$ErrorExitProc$#517#519CheckHresultList
String ID: all$pon
API String ID: 2193392310-2694293068
Opcode ID: df7c9fd90e58e225312a4f81a37e18198f4372db9473f107a3d069c62b79eddd
Instruction ID: 0d5b5c04722d491d24bc65be5474f27d05418d9d0c5c59b0bb17337220d24c42
Opcode Fuzzy Hash: df7c9fd90e58e225312a4f81a37e18198f4372db9473f107a3d069c62b79eddd
Instruction Fuzzy Hash: 2131DBB1D41258ABCB00DF95DE45ADEFFB8EF94704F20415BE901B32A0D7B82A458F99

Uniqueness

Uniqueness Score: -1.00%

Function 00447D20 Relevance: 24.1, APIs: 16, Instructions: 124COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00447D9A
__vbaOnError.MSVBVM60(00000001), ref: 00447DA9
#608.MSVBVM60(?,00000000), ref: 00447DD1
__vbaInStrVar.MSVBVM60(?,00000000,?,00000008,00000001), ref: 00447DF5
__vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 00447E03
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00447E16
#608.MSVBVM60(?,00000000), ref: 00447E44
__vbaInStrVar.MSVBVM60(?,00000000,?,00000008,00000001), ref: 00447E6C
__vbaVarSub.MSVBVM60(?,00000002,00000000), ref: 00447E7E
__vbaI4Var.MSVBVM60(00000000), ref: 00447E85
#616.MSVBVM60(?,00000000), ref: 00447E90
__vbaStrMove.MSVBVM60 ref: 00447E9B
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00447EAB
__vbaStrCopy.MSVBVM60 ref: 00447EC1
__vbaExitProc.MSVBVM60 ref: 00447EC7
__vbaFreeStr.MSVBVM60(0044804A), ref: 00448043

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$#608CopyList$#616ErrorExitMoveProc
String ID:
API String ID: 3865254829-0
Opcode ID: 34e2faef97634d4bfea9aa4020469e57e35877c44e117c73f96a2a0c1426449c
Instruction ID: 8b3d426468eecc94258acbcd3e1233fe2cc166213bb6d3d247ceddf11862fce0
Opcode Fuzzy Hash: 34e2faef97634d4bfea9aa4020469e57e35877c44e117c73f96a2a0c1426449c
Instruction Fuzzy Hash: F351A4B1C10258ABDB10CFD4D989BDDBBB8FB48704F10819AE509B7251DBB45A88CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00430F80 Relevance: 24.1, APIs: 16, Instructions: 123COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6CE5A323,6CE6D8B1,6CE6D8F4), ref: 00430FF7
__vbaOnError.MSVBVM60(00000001), ref: 00431006
#608.MSVBVM60(?,00000000), ref: 0043102E
__vbaInStrVar.MSVBVM60(?,00000000,?,00000008,00000001), ref: 00431052
__vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 00431060
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00431073
#608.MSVBVM60(?,00000000), ref: 004310A1
__vbaInStrVar.MSVBVM60(?,00000000,?,00000008,00000001), ref: 004310C9
__vbaVarSub.MSVBVM60(?,00000002,00000000), ref: 004310DB
__vbaI4Var.MSVBVM60(00000000), ref: 004310E2
#616.MSVBVM60(?,00000000), ref: 004310ED
__vbaStrMove.MSVBVM60 ref: 004310F8
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00431108
__vbaStrCopy.MSVBVM60 ref: 0043111E
__vbaExitProc.MSVBVM60 ref: 00431124
__vbaFreeStr.MSVBVM60(004312E5), ref: 004312DE

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$#608CopyList$#616ErrorExitMoveProc
String ID:
API String ID: 3865254829-0
Opcode ID: 5e4d141264d7b1f803bdfe03c82e1380c49bcd6090b5cb1ce51c979101476970
Instruction ID: 1b231178e20fa57246b1f9dbc0eb281c02d327518e588266ee05d73759f131b3
Opcode Fuzzy Hash: 5e4d141264d7b1f803bdfe03c82e1380c49bcd6090b5cb1ce51c979101476970
Instruction Fuzzy Hash: 9B51A5B1C11218ABDB10CFD4DE49BDEBBB8FB48704F10819AE606B7255D7B45A48CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00431900 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001), ref: 0043195F
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 0043197C
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00431989
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000), ref: 00431996
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000,?,00000000), ref: 004319A3
__vbaSetSystemError.MSVBVM60(00000000,?,00000000,?,00000000,?,00000000), ref: 004319AE
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000,?,00000000), ref: 004319C2
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000,?,00000000), ref: 004319CC
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000,?,00000000), ref: 004319D3
__vbaStrToUnicode.MSVBVM60(H0@,?,?,00000000,?,00000000,?,00000000), ref: 004319DA
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000000,?,00000000,?,00000000), ref: 004319F1
__vbaExitProc.MSVBVM60(?,00000000), ref: 00431A04

Strings

H0@, xrefs: 0043196C, 004319D9

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$AnsiUnicode$Error$ExitFreeListProcSystem
String ID: H0@
API String ID: 1826945307-676491785
Opcode ID: d6355a6ee779f557ad157d4b7f83a9fa31ec57104501db21caf9d359dee317e9
Instruction ID: 623f00f58dd9133a18427839de636fe3657ad03bdde1af4f8051f7dfe4c74cf3
Opcode Fuzzy Hash: d6355a6ee779f557ad157d4b7f83a9fa31ec57104501db21caf9d359dee317e9
Instruction Fuzzy Hash: 5341A6B5D00258AFCB40DFE8D984ADEBBF8EB48710F10816AF509E7250D774AA44CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042CE80 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00404B66), ref: 0042CE9E
__vbaOnError.MSVBVM60(000000FF,6CF3595C,6CE81654,00000001,00000000,00404B66), ref: 0042CECE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000040), ref: 0042CF30
__vbaFreeVar.MSVBVM60 ref: 0042CF45
__vbaCastObj.MSVBVM60(00000000,0040B810), ref: 0042CF59
__vbaObjSet.MSVBVM60(0044C1A4,00000000), ref: 0042CF65
__vbaCastObj.MSVBVM60(00000000,004082D4), ref: 0042CF79
__vbaObjSet.MSVBVM60(0044C010,00000000), ref: 0042CF85
__vbaEnd.MSVBVM60 ref: 0042CF92

Strings

Application Ended, xrefs: 0042CEEE
ModFunctions, xrefs: 0042CEFD
ReadReg, xrefs: 0042CEF8
MSG, xrefs: 0042CEF3

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Cast$CheckChkstkErrorFreeHresult
String ID: Application Ended$MSG$ModFunctions$ReadReg
API String ID: 4101805602-2032026122
Opcode ID: 031f177922bb96bf700b6154e0adbbcd0a784ffd9b06f0aadc19f334b97e868c
Instruction ID: a79916ca03b2c5424379d48c7f0d227053de03252911e01e33ba9588f46f6745
Opcode Fuzzy Hash: 031f177922bb96bf700b6154e0adbbcd0a784ffd9b06f0aadc19f334b97e868c
Instruction Fuzzy Hash: 062108B4A85204EBD700DF94DE49B6EBBB9EB44B05F20446AF141B22E1C7BC16048F9E

Uniqueness

Uniqueness Score: -1.00%

Function 00425D10 Relevance: 21.1, APIs: 14, Instructions: 137COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,6CE5D9F1,00000000,6CE9163A), ref: 00425DD1
__vbaRecDestruct.MSVBVM60(00407970,?), ref: 00425DF0

Part of subcall function 00420510: __vbaOnError.MSVBVM60(00000001,6CE5A323,6CE6D8B1,00000000), ref: 0042060A
Part of subcall function 00420510: __vbaStrCat.MSVBVM60(mbamapi.exe,00000000,?), ref: 00420637
Part of subcall function 00420510: __vbaStrMove.MSVBVM60 ref: 0042063E
Part of subcall function 00420510: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040719C,00000030), ref: 00420663
Part of subcall function 00420510: __vbaFreeStr.MSVBVM60 ref: 00420673
Part of subcall function 00420510: __vbaNew2.MSVBVM60(0040714C,0044CB28), ref: 0042069B

__vbaRecAssign.MSVBVM60(00407970,?,?,?), ref: 00425E14
__vbaRecDestruct.MSVBVM60(00407D18,?), ref: 00425E29

Part of subcall function 004260F0: __vbaOnError.MSVBVM60(00000001,6CF3D42A,6CF3D40D,00000000), ref: 004261B5
Part of subcall function 004260F0: __vbaVarDup.MSVBVM60 ref: 004261E2
Part of subcall function 004260F0: #711.MSVBVM60(?,?,?,000000FF,00000000), ref: 004261FF
Part of subcall function 004260F0: __vbaVarMove.MSVBVM60(?,?,000000FF,00000000), ref: 00426211
Part of subcall function 004260F0: __vbaFreeVar.MSVBVM60(?,?,000000FF,00000000), ref: 00426223
Part of subcall function 004260F0: __vbaRefVarAry.MSVBVM60(?,?,?,000000FF,00000000), ref: 00426233
Part of subcall function 004260F0: __vbaUbound.MSVBVM60(00000001,?,?,?,000000FF,00000000), ref: 0042623E

__vbaRecAssign.MSVBVM60(00407D18,?,?,?,?,?), ref: 00425E4F
__vbaRecDestruct.MSVBVM60(00407970,?), ref: 00425E64

Part of subcall function 00427C80: __vbaOnError.MSVBVM60(00000001,00000001,6CE6D8B1,6CE6D8CD), ref: 00427D13
Part of subcall function 00427C80: __vbaVarDup.MSVBVM60 ref: 00427D40
Part of subcall function 00427C80: #711.MSVBVM60(?,?,?,000000FF,00000000), ref: 00427D5D
Part of subcall function 00427C80: __vbaVarMove.MSVBVM60(?,?,000000FF,00000000), ref: 00427D6C
Part of subcall function 00427C80: __vbaFreeVar.MSVBVM60(?,?,000000FF,00000000), ref: 00427D7E
Part of subcall function 00427C80: __vbaRefVarAry.MSVBVM60(?,?,?,000000FF,00000000), ref: 00427D8B
Part of subcall function 00427C80: __vbaUbound.MSVBVM60(00000001,?,?,?,000000FF,00000000), ref: 00427D96
Part of subcall function 00427C80: __vbaVarIndexLoad.MSVBVM60(?,?,00000001,?,?,?,00000000), ref: 00427E03

__vbaRecAssign.MSVBVM60(00407970,?,?,?,?,?), ref: 00425E8A

Part of subcall function 00428EB0: __vbaOnError.MSVBVM60(00000001,00000001,6CE6D8B1,6CE6D8CD), ref: 00428FBD
Part of subcall function 00428EB0: __vbaStrMove.MSVBVM60(autoadd,?,add), ref: 00428FE8
Part of subcall function 00428EB0: __vbaStrMove.MSVBVM60(manualadd,?,manual), ref: 00429009
Part of subcall function 00428EB0: __vbaStrMove.MSVBVM60(autormv,?,remove), ref: 0042902A
Part of subcall function 00428EB0: #546.MSVBVM60(?), ref: 0042903D
Part of subcall function 00428EB0: #545.MSVBVM60(?,?), ref: 00429047

__vbaExitProc.MSVBVM60(?,?,?), ref: 00425EA4
__vbaRecDestruct.MSVBVM60(00407970,?,004260D5), ref: 00426095
__vbaRecDestruct.MSVBVM60(00407D18,?), ref: 004260A3
__vbaRecDestruct.MSVBVM60(00407970,?), ref: 004260B1
__vbaRecDestruct.MSVBVM60(00407970,?), ref: 004260BC
__vbaRecDestruct.MSVBVM60(00407970,?), ref: 004260C7
__vbaRecDestruct.MSVBVM60(00407D18,?), ref: 004260D2

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Destruct$Move$Error$AssignFree$#711Ubound$#545#546CheckExitHresultIndexLoadNew2Proc
String ID:
API String ID: 1368443718-0
Opcode ID: a6a1b00224137a77a4827945889e7d582085a1055e63949122d43369b24934e6
Instruction ID: 39f6f3c5f23bd8d1ed80ac415d94991262a8e3309d2b53a5524eec457ce695a7
Opcode Fuzzy Hash: a6a1b00224137a77a4827945889e7d582085a1055e63949122d43369b24934e6
Instruction Fuzzy Hash: B9512EB2D00228AADB10DF95DD41FDEB779FF88700F5045AAE609B7190D7B42A44CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 0042C7E0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404B66), ref: 0042C7FE
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404B66), ref: 0042C82E
#546.MSVBVM60(?,?,?,?,?,00404B66), ref: 0042C83F
__vbaVarDup.MSVBVM60 ref: 0042C85F
#660.MSVBVM60(?,?,?,00000001,00000001), ref: 0042C875
__vbaVarCat.MSVBVM60(?,00000008,?), ref: 0042C8B3
__vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 0042C8C5
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 0042C8D0
__vbaHresultCheckObj.MSVBVM60(?,00000000,0040B810,0000003C), ref: 0042C90D
__vbaFreeStr.MSVBVM60 ref: 0042C928
__vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 0042C944

Strings

MM\/DD\/YYYY hh\:nn\:ss, xrefs: 0042C845

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$#546#660CheckChkstkErrorHresultList
String ID: MM\/DD\/YYYY hh\:nn\:ss
API String ID: 3968653559-3954796748
Opcode ID: 58224a05e9dc7df86fe077c6ea9598f85dd318718309da53325aa6d1e106187e
Instruction ID: bba24cb4d58bbe2c693463f7fd3e1e1ba0bd14333c23149f025be4dba02ad087
Opcode Fuzzy Hash: 58224a05e9dc7df86fe077c6ea9598f85dd318718309da53325aa6d1e106187e
Instruction Fuzzy Hash: 7C41F9B5900218AFDB10DF94DE88FDEB7B8FB48704F108599E246B7190D7746A48CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00430CA0 Relevance: 21.1, APIs: 14, Instructions: 95COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,6CE6D83C,6CE6D8B1,00000000), ref: 00430D00
#606.MSVBVM60(000000A5,?), ref: 00430D1C
__vbaStrMove.MSVBVM60 ref: 00430D2D
__vbaFreeVar.MSVBVM60 ref: 00430D32
__vbaStrToAnsi.MSVBVM60(?,?,000000A4), ref: 00430D52
__vbaStrToAnsi.MSVBVM60(?,00000000,00000000), ref: 00430D5F
__vbaSetSystemError.MSVBVM60(00000000), ref: 00430D6A
__vbaStrToUnicode.MSVBVM60(0041232A,?), ref: 00430D7B
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00430D85
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00430D94
#616.MSVBVM60(?,?), ref: 00430DA9
__vbaStrMove.MSVBVM60 ref: 00430DB4
__vbaExitProc.MSVBVM60 ref: 00430DB6
__vbaFreeStr.MSVBVM60(00430F60), ref: 00430F59

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$AnsiErrorMoveUnicode$#606#616ExitListProcSystem
String ID:
API String ID: 192381090-0
Opcode ID: 3a9cf37796c74759b44b91ef11d92cf42c5ac23c3aa82efcb9ca97e36840c4f2
Instruction ID: 6ad1e619654135140038d3f22e61da0fa94a8232d6be7b6eb30a2b29f704041e
Opcode Fuzzy Hash: 3a9cf37796c74759b44b91ef11d92cf42c5ac23c3aa82efcb9ca97e36840c4f2
Instruction Fuzzy Hash: 4341A5B1D00208ABDB00DFA9DA45ADEFBB9FF98700F20815AE505B7260D7B45A05CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00415900 Relevance: 21.1, APIs: 14, Instructions: 90COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404B66), ref: 0041591E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404B66), ref: 00415963
#606.MSVBVM60(000000A5,00000002), ref: 00415987
__vbaStrMove.MSVBVM60 ref: 00415992
__vbaFreeVar.MSVBVM60 ref: 0041599B
__vbaStrToAnsi.MSVBVM60(?,?,000000A4), ref: 004159B5
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 004159C6
__vbaSetSystemError.MSVBVM60(00000000,?,00000000), ref: 004159D5
__vbaStrToUnicode.MSVBVM60(00000000,?,?,00000000), ref: 004159E3
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 004159F1
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 00415A07
#616.MSVBVM60(?,?,?,?,00404B66), ref: 00415A1F
__vbaStrMove.MSVBVM60(?,?,00404B66), ref: 00415A2A
__vbaFreeStr.MSVBVM60(00415A71,?,?,00404B66), ref: 00415A6A

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$AnsiErrorMoveUnicode$#606#616ChkstkListSystem
String ID:
API String ID: 512821463-0
Opcode ID: d9c0984803f8f3a5e775e9ed5e69f6856e10997a0db350b997933d294a4fa3ff
Instruction ID: 50af22bcbc1d51691977f8deeaf35caa3fb1a39af54eebd4ceff9bcfe9f9ef75
Opcode Fuzzy Hash: d9c0984803f8f3a5e775e9ed5e69f6856e10997a0db350b997933d294a4fa3ff
Instruction Fuzzy Hash: B741BAB5900208EFDB04DFE4DA89BDEBBB8BB48704F108159F516B72A0D775AA05CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041A990 Relevance: 15.1, APIs: 10, Instructions: 59COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00404B66), ref: 0041A9AE
__vbaOnError.MSVBVM60(000000FF,00000000,?,00000008,00000000,00404B66), ref: 0041A9DE
__vbaSetSystemError.MSVBVM60(?,?,00000008,00000000,00404B66), ref: 0041A9F7
#606.MSVBVM60(?,00000002), ref: 0041AA13
__vbaStrMove.MSVBVM60 ref: 0041AA1E
__vbaFreeVar.MSVBVM60 ref: 0041AA27
__vbaStrToAnsi.MSVBVM60(?,00000008,?), ref: 0041AA40
__vbaSetSystemError.MSVBVM60(00000000), ref: 0041AA4C
__vbaStrToUnicode.MSVBVM60(00000008,?), ref: 0041AA5A
__vbaFreeStr.MSVBVM60 ref: 0041AA63

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Error$FreeSystem$#606AnsiChkstkMoveUnicode
String ID:
API String ID: 1554177266-0
Opcode ID: 6d93507e3167c71dfdacb4f67a5d50aab473de222612fabd2a6e8149cc7b54af
Instruction ID: b8d8c2f3e563afe920415ae5903a125779c8ff56dea75e08d60bba901e923784
Opcode Fuzzy Hash: 6d93507e3167c71dfdacb4f67a5d50aab473de222612fabd2a6e8149cc7b54af
Instruction Fuzzy Hash: C321CDB5900248EBDB00DFE4DA49BDEBFB8BF48704F104559F501B72A0DB789A45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00447AB0 Relevance: 12.1, APIs: 8, Instructions: 69COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,6CE81654,6CE6D8B1,6CE5A323), ref: 00447B0F
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 00447B26
__vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 00447B3C
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00447B43
__vbaFreeStr.MSVBVM60 ref: 00447B4F
__vbaSetSystemError.MSVBVM60(?,00000010,00000000,?), ref: 00447B7B
__vbaExitProc.MSVBVM60 ref: 00447B7D
__vbaExitProc.MSVBVM60 ref: 00447CC5

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Error$ExitProcSystem$AnsiFreeUnicode
String ID:
API String ID: 4075230305-0
Opcode ID: 10632fa25352d2e51ad250c8922263ae7b3cabb0b78f3eb7ad820e9b4353b231
Instruction ID: 386b1382c70cdbb8cc413d9a1acece2471f36545a22dcb2d1aca2cbce96b5f19
Opcode Fuzzy Hash: 10632fa25352d2e51ad250c8922263ae7b3cabb0b78f3eb7ad820e9b4353b231
Instruction Fuzzy Hash: 4421B5B1C11258EFDB00DFD8DA85AEEBBB8EF48B04F10401BF505B7254C7B85A458BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00414390 Relevance: 12.1, APIs: 8, Instructions: 62COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404B66), ref: 004143AE
__vbaStrCopy.MSVBVM60(?,?,?,?,00404B66), ref: 004143E7
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404B66), ref: 004143F6
#645.MSVBVM60(00004008,00000000), ref: 00414416
__vbaStrMove.MSVBVM60 ref: 00414421
__vbaStrCmp.MSVBVM60(00405F48,00000000), ref: 0041442D
__vbaFreeStr.MSVBVM60 ref: 00414441
__vbaFreeStr.MSVBVM60(00414486), ref: 0041447F

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$#645ChkstkCopyErrorMove
String ID:
API String ID: 261703656-0
Opcode ID: f621306e610cc557b459eb6c31002e4ea7c5fe8d2969a4e15f817365d610d688
Instruction ID: c9fedc16e51a0a153067f5d8eb4a74617d2b60ac123e5b834f028adaa5caa268
Opcode Fuzzy Hash: f621306e610cc557b459eb6c31002e4ea7c5fe8d2969a4e15f817365d610d688
Instruction Fuzzy Hash: F6214F74940209EFCB00DFA4D988BDEBBB4FF48705F208169E512B72A0DB785A45CF99

Uniqueness

Uniqueness Score: -1.00%

Function 004332A0 Relevance: 12.1, APIs: 8, Instructions: 59COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404B66), ref: 004332BE
__vbaStrCopy.MSVBVM60(?,?,?,?,00404B66), ref: 004332EB
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404B66), ref: 004332FA
__vbaStrToAnsi.MSVBVM60(00000000,?,000F013F,00000000,?,?,?,?,00404B66), ref: 00433316
__vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,?,00404B66), ref: 00433329
__vbaStrToUnicode.MSVBVM60(?,?,?,?,?,?,00404B66), ref: 00433337
__vbaFreeStr.MSVBVM60(?,?,?,?,00404B66), ref: 00433346
__vbaFreeStr.MSVBVM60(00433390), ref: 00433389

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$ErrorFree$AnsiChkstkCopySystemUnicode
String ID:
API String ID: 1266057434-0
Opcode ID: b34a28dbb232b9f5ea2cb992a7392c3b22f6a06a5084e6cc548ddb238fe93347
Instruction ID: c4f42bf60c1a1f999eb10d832d35572d67fbb62c741be3d2a19807fe507add5b
Opcode Fuzzy Hash: b34a28dbb232b9f5ea2cb992a7392c3b22f6a06a5084e6cc548ddb238fe93347
Instruction Fuzzy Hash: A421D8B5901208EBDB10DF94DA48BDEBBB4FF48705F208159E511B7290DB785A05CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00415C40 Relevance: 10.5, APIs: 7, Instructions: 45COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404B66), ref: 00415C5E
__vbaStrCopy.MSVBVM60(?,?,?,?,00404B66), ref: 00415C97
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404B66), ref: 00415CA6
__vbaVarDup.MSVBVM60 ref: 00415CC6
#529.MSVBVM60(?), ref: 00415CD0
__vbaFreeVar.MSVBVM60 ref: 00415CD9
__vbaFreeStr.MSVBVM60(00415CFA), ref: 00415CF3

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$#529ChkstkCopyError
String ID:
API String ID: 4177021853-0
Opcode ID: 985adfd185937961b775f67c9e82b0103137d2ce102eb887e398e69372804f6e
Instruction ID: 73cd0cb42bb62a7bb41637493c0dd2948cf822e5b0471067cb933b0e334f8a9e
Opcode Fuzzy Hash: 985adfd185937961b775f67c9e82b0103137d2ce102eb887e398e69372804f6e
Instruction Fuzzy Hash: 4511E974900209EFCB00DF94DA49BDDBBB4FB48744F208159F502B72A0D7796A05CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00415DD0 Relevance: 9.1, APIs: 6, Instructions: 66COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404B66), ref: 00415DEE
__vbaStrCopy.MSVBVM60(?,?,?,?,00404B66), ref: 00415E27
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404B66), ref: 00415E36
__vbaNew2.MSVBVM60(004082E4,0044C010,?,?,?,?,00404B66), ref: 00415E56
__vbaHresultCheckObj.MSVBVM60(00000000,?,004082F4,00000060), ref: 00415EA0
__vbaFreeStr.MSVBVM60(00415EC1), ref: 00415EBA

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$CheckChkstkCopyErrorFreeHresultNew2
String ID:
API String ID: 1980689925-0
Opcode ID: d305ee7adb55381bf517cf8a02bddcf61f990943551daac825fde72da15d6488
Instruction ID: 267f794b38848804a200d38e07846b25f9b38ec30c20112ca0f7e162ea549a9d
Opcode Fuzzy Hash: d305ee7adb55381bf517cf8a02bddcf61f990943551daac825fde72da15d6488
Instruction Fuzzy Hash: 1B2128B4D00608EFDB10DF94C988BDEBBB4FB48715F20815AE411B72A0C779AA45DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00415FB0 Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404B66), ref: 00415FCE
__vbaStrCopy.MSVBVM60(?,?,?,?,00404B66), ref: 00416007
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404B66), ref: 00416016
#576.MSVBVM60(?,?,?,?,?,?,00404B66), ref: 0041602D
#529.MSVBVM60(00004008), ref: 0041604B
__vbaFreeStr.MSVBVM60(00416060), ref: 00416059

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$#529#576ChkstkCopyErrorFree
String ID:
API String ID: 4286210508-0
Opcode ID: 953b7fb092e7f80b83f0a9f70cb7d010dbecc2a64b1d41b195d831120ddb4a60
Instruction ID: 80287169f64a92f3b729ddf2967bde36e80f49637815a645589d56d4b4c69a37
Opcode Fuzzy Hash: 953b7fb092e7f80b83f0a9f70cb7d010dbecc2a64b1d41b195d831120ddb4a60
Instruction Fuzzy Hash: AD11DAB5901208EFDB00DF94DA89BDEBBB4FB48704F208159F511B7290C779AA05CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00416F20 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6CE6D8B1,00000000,00000000), ref: 00416F9D
__vbaOnError.MSVBVM60(00000001), ref: 00416FAC
__vbaExitProc.MSVBVM60(?,?), ref: 00416FF5
__vbaExitProc.MSVBVM60(?,?,00417816), ref: 0041715B
__vbaExitProc.MSVBVM60(?,?,00417816), ref: 004172C2
__vbaExitProc.MSVBVM60 ref: 004177B1
__vbaFreeStr.MSVBVM60(00417816), ref: 0041780E
__vbaFreeStr.MSVBVM60 ref: 00417813

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$ExitProc$Free$CopyError
String ID:
API String ID: 584901865-0
Opcode ID: dc51abd945089afc5cb575ed138efe66c7574be65f1b2293f91165dd03615d9c
Instruction ID: 7defcb6c3f5424c0bd7abb8f85bde3fdee0275f1c10f58c8decd63923f55df52
Opcode Fuzzy Hash: dc51abd945089afc5cb575ed138efe66c7574be65f1b2293f91165dd03615d9c
Instruction Fuzzy Hash: 4C214EB0D05218DBDB10DF9ADA85ADDFBB4BB08704FA081AEE409B3250C7745A45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00415EF0 Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404B66), ref: 00415F0E
__vbaStrCopy.MSVBVM60(?,?,?,?,00404B66), ref: 00415F47
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404B66), ref: 00415F56
#576.MSVBVM60(?,?,?,?,?,?,00404B66), ref: 00415F6D
__vbaFreeStr.MSVBVM60(00415F82,?,?,?,?,?,00404B66), ref: 00415F7B

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$#576ChkstkCopyErrorFree
String ID:
API String ID: 3993524119-0
Opcode ID: 5d4625329cf047ea84fdd6d532b9bf9080a18c1843fbbacfcf7483ca55e71275
Instruction ID: f6ae0e3a6571f5a05c5400a5546c608e35dde194e2cd20358b21dd84af107812
Opcode Fuzzy Hash: 5d4625329cf047ea84fdd6d532b9bf9080a18c1843fbbacfcf7483ca55e71275
Instruction Fuzzy Hash: 6C0100B5900208EFCB00DF94CA49B9EBBB4FB88744F208558F511B7290C779AA05CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004144C0 Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404B66), ref: 004144DE
__vbaStrCopy.MSVBVM60(?,?,?,?,00404B66), ref: 00414517
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404B66), ref: 00414526
#531.MSVBVM60(?,?,?,?,?,00404B66), ref: 00414537
__vbaFreeStr.MSVBVM60(0041454C,?,?,?,?,00404B66), ref: 00414545

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$#531ChkstkCopyErrorFree
String ID:
API String ID: 498464191-0
Opcode ID: d792d7f31081d8c637037a07f8675a0436db3923f840194212900ccf30d8605f
Instruction ID: 728c8a1c2a05c04ba7114d39a43fe6dc9ddc0a28aa0b017fae47478311934d7d
Opcode Fuzzy Hash: d792d7f31081d8c637037a07f8675a0436db3923f840194212900ccf30d8605f
Instruction Fuzzy Hash: 3D01E1B5900248EFCB00DF94CA49B9EBBB4FB88704F208159F51177290C779AA05CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00415D20 Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404B66), ref: 00415D3E
__vbaStrCopy.MSVBVM60(?,?,?,?,00404B66), ref: 00415D77
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404B66), ref: 00415D86
#532.MSVBVM60(?,?,?,?,?,00404B66), ref: 00415D97
__vbaFreeStr.MSVBVM60(00415DAC,?,?,?,?,00404B66), ref: 00415DA5

Memory Dump Source

Source File: 00000000.00000002.2163417633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163403535.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163458745.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163473438.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$#532ChkstkCopyErrorFree
String ID:
API String ID: 2988226677-0
Opcode ID: d96717021ab7f0e55168510cf05c99686e8a6696d1e385527da7c1bba50d2ad9
Instruction ID: 84909d7f4ba8ae44785da7e941636655dad0c6f6974a6ad94e9a84d31b91ad47
Opcode Fuzzy Hash: d96717021ab7f0e55168510cf05c99686e8a6696d1e385527da7c1bba50d2ad9
Instruction Fuzzy Hash: C2011EB5900248EFCB00DF94CA49BDEBBB4FB48704F208158F501B72A0C779AA05CB94

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exePID: 6648, Parent PID: 1028

General

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Windows Analysis Report
SecuriteInfo.com.BScope.Backdoor.Androm.18428.18185.exe

Function 0042C9A0 Relevance: 63.3, APIs: 35, Strings: 1, Instructions: 259
COMMON

Function 00414260 Relevance: 12.1, APIs: 8, Instructions: 62
COMMON

Function 00404FBC Relevance: 1.6, APIs: 1, Instructions: 52
COMMON