Create Interactive Tour

Windows Analysis Report
Launcher for Zapret.exe

Overview

General Information

Sample name:	Launcher for Zapret.exe
Analysis ID:	1540156
MD5:	f4a8627b03da3601ed7fd50c4353b6c2
SHA1:	dacbb2e6bbcefc818341d2bc2600fb1d5aeb77e7
SHA256:	4b838a0bf49716ec168dfd5a22d677179234dca67c46f1f27f1ede3f322da395
Tags:	exeuser-Bacn
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Found large amount of non-executed APIs

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Program does not show much activity (idle)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Launcher for Zapret.exe (PID: 1240 cmdline: "C:\Users\user\Desktop\Launcher for Zapret.exe" -install MD5: F4A8627B03DA3601ED7FD50C4353B6C2)

Launcher for Zapret.exe (PID: 4408 cmdline: "C:\Users\user\Desktop\Launcher for Zapret.exe" /install MD5: F4A8627B03DA3601ED7FD50C4353B6C2)

Launcher for Zapret.exe (PID: 764 cmdline: "C:\Users\user\Desktop\Launcher for Zapret.exe" /load MD5: F4A8627B03DA3601ED7FD50C4353B6C2)

cleanup

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: Launcher for Zapret.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Launcher for Zapret.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: Launcher for Zapret.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: Launcher for Zapret.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: Launcher for Zapret.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: Launcher for Zapret.exe	String found in binary or memory: http://forum.oszone.net/image.php?u=648697?zp=
Source: Launcher for Zapret.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: Launcher for Zapret.exe	String found in binary or memory: https://p.thenewone.lol/domains-export.txt?zp=
Source: Launcher for Zapret.exe	String found in binary or memory: https://p.thenewone.lol/domains-export.txt?zp=Open
Source: Launcher for Zapret.exe	String found in binary or memory: https://p.thenewone.lol:18443/domains-export.txt?zp=
Source: Launcher for Zapret.exe	String found in binary or memory: https://p.thenewone.lol:8443/domains-export.txt?zp=
Source: Launcher for Zapret.exe	String found in binary or memory: https://p.thenewone.lol:8443/domains-export.txt?zp=hhttps://p.thenewone.lol:18443/domains-export.txt
Source: Launcher for Zapret.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: Launcher for Zapret.exe	String found in binary or memory: https://topersoft.com0

Source: Launcher for Zapret.exe

Static PE information: invalid certificate

Source: Launcher for Zapret.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Launcher for Zapret.exe	Binary or memory string: x64 x86\Project1.vbpH
Source: Launcher for Zapret.exe	Binary or memory string: x64 x86\Project1.vbp
Source: Launcher for Zapret.exe, 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmp, Launcher for Zapret.exe, 00000002.00000002.2256988614.0000000000447000.00000004.00000001.01000000.00000003.sdmp, Launcher for Zapret.exe, 00000003.00000002.2235602108.0000000000447000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: x64 x86\Project1.vbp

Source: classification engine

Classification label: clean2.winEXE@3/3@0/0

Source: C:\Users\user\Desktop\Launcher for Zapret.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Launcher for Zapret.exe

File created: C:\Users\user\AppData\Local\Temp\~DFFD426ED8B652D717.TMP

Jump to behavior

Source: Launcher for Zapret.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Launcher for Zapret.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Launcher for Zapret.exe	String found in binary or memory: <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
Source: Launcher for Zapret.exe	String found in binary or memory: <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
Source: Launcher for Zapret.exe	String found in binary or memory: <StopOnIdleEnd>true</StopOnIdleEnd>
Source: Launcher for Zapret.exe	String found in binary or memory: <StopOnIdleEnd>true</StopOnIdleEnd>
Source: Launcher for Zapret.exe	String found in binary or memory: <Settings>x<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\|<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>"<Actions Context=l<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\<AllowHardTerminate>false</AllowHardTerminate>\<StartWhenAvailable>false</StartWhenAvailable>x<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
Source: Launcher for Zapret.exe	String found in binary or memory: <Settings>x<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\|<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>"<Actions Context=l<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\<AllowHardTerminate>false</AllowHardTerminate>\<StartWhenAvailable>false</StartWhenAvailable>x<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
Source: Launcher for Zapret.exe	String found in binary or memory: <IdleSettings>F<StopOnIdleEnd>true</StopOnIdleEnd>H<RestartOnIdle>false</RestartOnIdle>
Source: Launcher for Zapret.exe	String found in binary or memory: <IdleSettings>F<StopOnIdleEnd>true</StopOnIdleEnd>H<RestartOnIdle>false</RestartOnIdle>

Source: unknown	Process created: C:\Users\user\Desktop\Launcher for Zapret.exe "C:\Users\user\Desktop\Launcher for Zapret.exe" -install
Source: unknown	Process created: C:\Users\user\Desktop\Launcher for Zapret.exe "C:\Users\user\Desktop\Launcher for Zapret.exe" /install
Source: unknown	Process created: C:\Users\user\Desktop\Launcher for Zapret.exe "C:\Users\user\Desktop\Launcher for Zapret.exe" /load

Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: asycfilt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: asycfilt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: asycfilt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Automated click: OK
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Automated click: OK
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Launcher for Zapret.exe

Static PE information: real checksum: 0x59816 should be: 0x57ec8

Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Code function: 0_2_00402041 push cs; ret	0_2_0040204B
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Code function: 0_2_00405C09 push eax; retf 0000h	0_2_00405C0B
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Code function: 0_2_00403098 push es; ret	0_2_00403099
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Code function: 0_2_0040430C push esi; retf 0000h	0_2_0040430F
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Code function: 0_2_00408584 push eax; retf	0_2_00408594

Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher for Zapret.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Launcher for Zapret.exe

API coverage: 0.4 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Launcher for Zapret.exe	5%	ReversingLabs

URLs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	Launcher for Zapret.exe	false	URL Reputation: safe	unknown
https://topersoft.com0	Launcher for Zapret.exe	false		unknown
https://sectigo.com/CPS0	Launcher for Zapret.exe	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	Launcher for Zapret.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	Launcher for Zapret.exe	false	URL Reputation: safe	unknown
http://forum.oszone.net/image.php?u=648697?zp=	Launcher for Zapret.exe	false		unknown
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	Launcher for Zapret.exe	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	Launcher for Zapret.exe	false	URL Reputation: safe	unknown

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1540156
Start date and time:	2024-10-23 13:51:39 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Cmdline fuzzy
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Launcher for Zapret.exe
Detection:	CLEAN
Classification:	clean2.winEXE@3/3@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 45
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: Launcher for Zapret.exe

Joe Sandbox View / Context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DF2CE0E421F638160B.TMP

Download File

Process:	C:\Users\user\Desktop\Launcher for Zapret.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.013027043669054
Encrypted:	false
SSDEEP:	48:rP/8cCR0ZWXqbRHUbgtX204/kFHji+lkpDCKf:T/8cCfqbY9cBc
MD5:	39000E02F17EC867FFE6842F4687AC16
SHA1:	70C909A413C70D4417B1C89D2CB5CB1E3DA4BCDC
SHA-256:	C36EB4935834E6353B1B9A11C52AB4949CBB917FCA9AFCAC06C84D766A1E795C
SHA-512:	A1C1F70C0B288538670AB0DAAD4281124452659C8B47637ADC0D9E1400A897B27D2720D880BC4F4DD6FB43FD0C1D278EEEF9F829D6ACEF0E04390C742B0D4A1D
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFA807BB668B346075.TMP

Download File

Process:	C:\Users\user\Desktop\Launcher for Zapret.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.01395675176337
Encrypted:	false
SSDEEP:	48:rk/8cCR0ZWXqbRHUbgtX204/kFHji+lkpDCKf:g/8cCfqbY9cBc
MD5:	8AA1AE33972C8440CECBAFDA3613E9B1
SHA1:	45DC0768FC0B3A298538A68119415779BDC21C59
SHA-256:	CE2EAFAFB5DFAC3F8A7994CCD0198626996F48A67B0CAD70A5E4F3E921D63208
SHA-512:	5ACB9BF00692B6353AD6FEF496A1FD2072CE134FC14EC096194FD3BCB6C48AD026413AB1A6AE55FEAC626385AB79A320D4776BF8D8B0184684221CFF2BE39DF3
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFFD426ED8B652D717.TMP

Download File

Process:	C:\Users\user\Desktop\Launcher for Zapret.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.012840642785635
Encrypted:	false
SSDEEP:	48:rMZ/8cCR0ZWXqbRHUbgtX204/kFHji+lkpDCKf:QZ/8cCfqbY9cBc
MD5:	20A0021B1E2EA0CBA4A418522EBE3A1D
SHA1:	0F8D0189A0C5CC95444ADD4964737C855057DCBD
SHA-256:	889DFFB621EEBE2C2E44B6C7E67744BB50586F031BD0ADD9B5547799A5D2D07D
SHA-512:	5B964547E600BA506D9D258EE92811E8F87F30D32DCE22B3A99DF3741E36E07F6198D223D528707834C44D66D67CA126E1DB2E72454BD19C2275482DEE52BB07
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Instruction
push 0040BF94h
call 00007FB56C7A28C3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, ch
xchg eax, ebx
sub al, dl
imul eax, dword ptr [ebx+4Bh], B0h
pop ds
and al, F8h
xor eax, 0083613Eh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx+75h], cl
outsb
arpl word ptr [eax+65h], bp
jc 00007FB56C7A2931h
pop edx
popad
jo 00007FB56C7A2944h
je 00007FB56C7A28D3h
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
xor eax, ebx

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x465f4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4a000	0x8608	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x51000	0x1ae0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x238	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1c8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x45d60	0x46000	5c96d720a3179f84d95f31a3d1a269e5	False	0.371728515625	data	6.341322931331817	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x47000	0x2408	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4a000	0x8608	0x9000	43ed30f1b4489764b10a19afc38edeba	False	0.2065158420138889	data	4.109226818531518	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4a1c0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.17536608408124704
RT_ICON	0x4e3e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.21369294605809128
RT_ICON	0x50990	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.2816604127579737
RT_ICON	0x51a38	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.5
RT_GROUP_ICON	0x51ea0	0x3e	data			0.8064516129032258
RT_VERSION	0x51ee0	0x390	data	English	United States	0.42105263157894735
RT_MANIFEST	0x52270	0x398	XML 1.0 document, ASCII text, with CRLF line terminators			0.4597826086956522

DLL	Import
MSVBVM60.DLL	_CIcos, _adj_fptan, __vbaStrI4, __vbaVarVargNofree, __vbaFreeVar, __vbaLineInputStr, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaResume, __vbaStrCat, __vbaLsetFixstr, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaExitProc, __vbaStrLike, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaVarZero, __vbaVargVarMove, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaStrCmp, __vbaGet4, __vbaObjVar, DllFunctionCall, __vbaVarLateMemSt, __vbaFpUI1, _adj_fpatan, __vbaStrR8, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, __vbaPrintFile, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, __vbaStrVarVal, __vbaVarCat, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarAdd, __vbaStrToAnsi, __vbaVarDup, __vbaVarCopy, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaStrVarCopy, _allmul, _CItan, __vbaFPInt, _CIexp, __vbaFreeStr, __vbaFreeObj

_CIcos, _adj_fptan, __vbaStrI4, __vbaVarVargNofree, __vbaFreeVar, __vbaLineInputStr, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaResume, __vbaStrCat, __vbaLsetFixstr, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaExitProc, __vbaStrLike, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaVarZero, __vbaVargVarMove, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaStrCmp, __vbaGet4, __vbaObjVar, DllFunctionCall, __vbaVarLateMemSt, __vbaFpUI1, _adj_fpatan, __vbaStrR8, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, __vbaPrintFile, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, __vbaStrVarVal, __vbaVarCat, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarAdd, __vbaStrToAnsi, __vbaVarDup, __vbaVarCopy, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaStrVarCopy, _allmul, _CItan, __vbaFPInt, _CIexp, __vbaFreeStr, __vbaFreeObj

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• Launcher for Zapret.exe
• Launcher for Zapret.exe
• Launcher for Zapret.exe

Click to jump to process

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• Launcher for Zapret.exe
• Launcher for Zapret.exe
• Launcher for Zapret.exe

Click to jump to process

Target ID:	0
Start time:	07:52:38
Start date:	23/10/2024
Path:	C:\Users\user\Desktop\Launcher for Zapret.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Launcher for Zapret.exe" -install
Imagebase:	0x400000
File size:	338'656 bytes
MD5 hash:	F4A8627B03DA3601ED7FD50C4353B6C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:52:41
Start date:	23/10/2024
Path:	C:\Users\user\Desktop\Launcher for Zapret.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Launcher for Zapret.exe" /install
Imagebase:	0x400000
File size:	338'656 bytes
MD5 hash:	F4A8627B03DA3601ED7FD50C4353B6C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:52:43
Start date:	23/10/2024
Path:	C:\Users\user\Desktop\Launcher for Zapret.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Launcher for Zapret.exe" /load
Imagebase:	0x400000
File size:	338'656 bytes
MD5 hash:	F4A8627B03DA3601ED7FD50C4353B6C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	0.8%
Dynamic/Decrypted Code Coverage:	0.6%
Signature Coverage:	0%
Total number of Nodes:	322
Total number of Limit Nodes:	11

Executed Functions

Function 0042E210 Relevance: 1143.8, APIs: 632, Strings: 19, Instructions: 4557COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040E720,00447020), ref: 0042E3DA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004104E4,0000008C), ref: 0042E40C
__vbaNew2.MSVBVM60(0040E720,00447020), ref: 0042E428
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004104E4,00000084), ref: 0042E454
__vbaNew2.MSVBVM60(00410FA0,00447694), ref: 0042E468
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410F90,00000014), ref: 0042E48D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411170,00000050), ref: 0042E4AD
__vbaStrCat.MSVBVM60(\winws.exe,?), ref: 0042E4B8
__vbaStrMove.MSVBVM60 ref: 0042E4C3
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 0042E4CE
__vbaSetSystemError.MSVBVM60(00000000), ref: 0042E4E0
__vbaNew2.MSVBVM60(00410FA0,00447694), ref: 0042E4F8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410F90,00000014), ref: 0042E51D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411170,00000050), ref: 0042E53D
__vbaStrCat.MSVBVM60(\WinDivert.dll,?), ref: 0042E548
__vbaStrMove.MSVBVM60 ref: 0042E553
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 0042E55E
__vbaSetSystemError.MSVBVM60(00000000), ref: 0042E570
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 0042E5B2
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042E5C2
__vbaVarDup.MSVBVM60 ref: 0042E60E
__vbaVarDup.MSVBVM60 ref: 0042E629
#595.MSVBVM60(?,00000010,?,?,?), ref: 0042E63D
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042E655
__vbaEnd.MSVBVM60 ref: 0042E65E
__vbaStrCopy.MSVBVM60 ref: 0042E672
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042E68C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000064), ref: 0042E6AA
__vbaFreeObj.MSVBVM60 ref: 0042E6B3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042E6CA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000064), ref: 0042E6E8
__vbaFreeObj.MSVBVM60 ref: 0042E6F1
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042E708
#608.MSVBVM60(?,000000C0), ref: 0042E721
#608.MSVBVM60(?,000000E2), ref: 0042E72C
#608.MSVBVM60(?,000000F2), ref: 0042E737
#608.MSVBVM60(?,000000EE), ref: 0042E745
#608.MSVBVM60(?,000000E7), ref: 0042E753
#608.MSVBVM60(?,000000E0), ref: 0042E761
#608.MSVBVM60(?,000000E3), ref: 0042E76F
#608.MSVBVM60(?,000000F0), ref: 0042E77D
#608.MSVBVM60(?,000000F3), ref: 0042E78B
#608.MSVBVM60(?,000000E7), ref: 0042E799
#608.MSVBVM60(?,000000EA), ref: 0042E7A7
#608.MSVBVM60(?,000000E0), ref: 0042E7B5
#608.MSVBVM60(?,00000020), ref: 0042E7C0
#608.MSVBVM60(?,000000F1), ref: 0042E7CE
#608.MSVBVM60(?,00000020), ref: 0042E7D9
#608.MSVBVM60(?,00000057), ref: 0042E7E4
#608.MSVBVM60(?,00000069), ref: 0042E7EF
#608.MSVBVM60(?,0000006E), ref: 0042E7FA
#608.MSVBVM60(?,00000064), ref: 0042E805
#608.MSVBVM60(?,0000006F), ref: 0042E810
#608.MSVBVM60(?,00000077), ref: 0042E81B
#608.MSVBVM60(?,00000073), ref: 0042E826
__vbaVarAdd.MSVBVM60(?,?,?), ref: 0042E83C
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042E84A
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042E85B
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042E86C
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042E87D
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042E88E
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042E89F
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042E8B0
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042E8C1
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042E8D2
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042E8E3
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042E8F4
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042E905
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042E916
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042E927
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042E938
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042E949
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042E95A
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042E96B
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042E97C
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042E98D
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 0042E994
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410F70,00000054), ref: 0042E9B6
__vbaFreeStr.MSVBVM60 ref: 0042E9BF
__vbaFreeObj.MSVBVM60 ref: 0042E9C8
__vbaFreeVarList.MSVBVM60(0000002B,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042EAF1
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042EB0E
#608.MSVBVM60(?,000000C7), ref: 0042EB25
#608.MSVBVM60(?,000000E0), ref: 0042EB30
#608.MSVBVM60(?,000000EF), ref: 0042EB3B
#608.MSVBVM60(?,000000F3), ref: 0042EB49
#608.MSVBVM60(?,000000F1), ref: 0042EB57
#608.MSVBVM60(?,000000F2), ref: 0042EB65
#608.MSVBVM60(?,000000E8), ref: 0042EB73
#608.MSVBVM60(?,000000F2), ref: 0042EB81
#608.MSVBVM60(?,000000FC), ref: 0042EB8F
#608.MSVBVM60(?,00000020), ref: 0042EB9A
#608.MSVBVM60(?,000000EE), ref: 0042EBA8
#608.MSVBVM60(?,000000E1), ref: 0042EBB6
#608.MSVBVM60(?,000000F5), ref: 0042EBC4
#608.MSVBVM60(?,000000EE), ref: 0042EBD2
#608.MSVBVM60(?,000000E4), ref: 0042EBE0
#608.MSVBVM60(?,00000020), ref: 0042EBEB
#608.MSVBVM60(?,000000EF), ref: 0042EBF9
#608.MSVBVM60(?,000000F0), ref: 0042EC07
#608.MSVBVM60(?,000000E8), ref: 0042EC15
#608.MSVBVM60(?,00000020), ref: 0042EC20
#608.MSVBVM60(?,000000F1), ref: 0042EC2E
#608.MSVBVM60(?,000000F2), ref: 0042EC3C
#608.MSVBVM60(?,000000E0), ref: 0042EC4A
#608.MSVBVM60(?,000000F0), ref: 0042EC58
#608.MSVBVM60(?,000000F2), ref: 0042EC66
#608.MSVBVM60(?,000000E5), ref: 0042EC74
__vbaVarAdd.MSVBVM60(?,?,?), ref: 0042EC84
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042EC92
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042ECA3
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042ECB4
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042ECC5
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042ECD6
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042ECE7
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042ECF8
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042ED09
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042ED1A
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042ED2B
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042ED3C
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042ED4D
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042ED5E
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042ED6F
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042ED80
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042ED91
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042EDA2
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042EDB3
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042EDC4
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042EDD5
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042EDE6
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042EDF7
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042EE08
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042EE19
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 0042EE20
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410F70,00000054), ref: 0042EE4C
__vbaFreeStr.MSVBVM60 ref: 0042EE55
__vbaFreeObj.MSVBVM60 ref: 0042EE5E
__vbaFreeVarList.MSVBVM60(00000033,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042EFBF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042EFDC
#608.MSVBVM60(?,000000D3), ref: 0042EFF3
#608.MSVBVM60(?,000000F1), ref: 0042EFFE
#608.MSVBVM60(?,000000F2), ref: 0042F009
#608.MSVBVM60(?,000000E0), ref: 0042F017
#608.MSVBVM60(?,000000ED), ref: 0042F025
#608.MSVBVM60(?,000000EE), ref: 0042F033
#608.MSVBVM60(?,000000E2), ref: 0042F041
#608.MSVBVM60(?,000000E8), ref: 0042F04F
#608.MSVBVM60(?,000000F2), ref: 0042F05D
#608.MSVBVM60(?,000000FC), ref: 0042F06B
#608.MSVBVM60(?,00000020), ref: 0042F076
#608.MSVBVM60(?,000000F1), ref: 0042F084
#608.MSVBVM60(?,000000EB), ref: 0042F092
#608.MSVBVM60(?,000000F3), ref: 0042F0A0
#608.MSVBVM60(?,000000E6), ref: 0042F0AE
#608.MSVBVM60(?,000000E1), ref: 0042F0BC
#608.MSVBVM60(?,000000EE), ref: 0042F0CA
#608.MSVBVM60(?,000000E9), ref: 0042F0D8
__vbaVarAdd.MSVBVM60(?,?,?), ref: 0042F0E8
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F0F6
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F107
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F118
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F129
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F13A
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F14B
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F15C
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F16D
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F17E
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F18F
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F1A0
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F1B1
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F1C2
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F1D3
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F1E4
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F1F5
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 0042F1FC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410F70,00000054), ref: 0042F228
__vbaFreeStr.MSVBVM60 ref: 0042F231
__vbaFreeObj.MSVBVM60 ref: 0042F23A
__vbaFreeVarList.MSVBVM60(00000023,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042F32B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042F348
#608.MSVBVM60(?,000000C7), ref: 0042F35F
#608.MSVBVM60(?,000000E0), ref: 0042F36A
#608.MSVBVM60(?,000000EF), ref: 0042F375
#608.MSVBVM60(?,000000F3), ref: 0042F383
#608.MSVBVM60(?,000000F1), ref: 0042F391
#608.MSVBVM60(?,000000F2), ref: 0042F39F
#608.MSVBVM60(?,000000E8), ref: 0042F3AD
#608.MSVBVM60(?,000000F2), ref: 0042F3BB
#608.MSVBVM60(?,000000FC), ref: 0042F3C9
#608.MSVBVM60(?,00000020), ref: 0042F3D4
#608.MSVBVM60(?,000000EE), ref: 0042F3E2
#608.MSVBVM60(?,000000E1), ref: 0042F3F0
#608.MSVBVM60(?,000000F5), ref: 0042F3FE
#608.MSVBVM60(?,000000EE), ref: 0042F40C
#608.MSVBVM60(?,000000E4), ref: 0042F41A
__vbaVarAdd.MSVBVM60(?,?,?), ref: 0042F42A
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F438
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F449
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F45A
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F46B
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F47C
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F48D
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F49E
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F4AF
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F4C0
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F4D1
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F4E2
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F4F3
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F504
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 0042F50B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041083C,00000054), ref: 0042F537
__vbaFreeStr.MSVBVM60 ref: 0042F540
__vbaFreeObj.MSVBVM60 ref: 0042F549
__vbaFreeVarList.MSVBVM60(0000001D,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042F616
#608.MSVBVM60(?,00000043), ref: 0042F621
#608.MSVBVM60(?,0000004F), ref: 0042F629
#608.MSVBVM60(?,0000004D), ref: 0042F631
#608.MSVBVM60(?,00000050), ref: 0042F63C
#608.MSVBVM60(?,00000055), ref: 0042F647
#608.MSVBVM60(?,00000054), ref: 0042F652
#608.MSVBVM60(?,00000045), ref: 0042F65D
#608.MSVBVM60(?,00000052), ref: 0042F668
#608.MSVBVM60(?,0000004E), ref: 0042F673
#608.MSVBVM60(?,00000041), ref: 0042F67E
#608.MSVBVM60(?,0000004D), ref: 0042F689
#608.MSVBVM60(?,00000045), ref: 0042F694
__vbaVarAdd.MSVBVM60(?,?,?), ref: 0042F6A2
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F6B0
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F6C1
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F6D2
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F6E3
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F6F4
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F705
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F716
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F727
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F738
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F749
#666.MSVBVM60(?,00000000), ref: 0042F753
__vbaStrVarMove.MSVBVM60(?), ref: 0042F760
__vbaStrMove.MSVBVM60 ref: 0042F76D
__vbaFreeVarList.MSVBVM60(00000018,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042F811
#608.MSVBVM60(?,00000055), ref: 0042F81C
#608.MSVBVM60(?,00000053), ref: 0042F824
#608.MSVBVM60(?,00000045), ref: 0042F82C
#608.MSVBVM60(?,00000052), ref: 0042F837
#608.MSVBVM60(?,0000004E), ref: 0042F842
#608.MSVBVM60(?,00000041), ref: 0042F84D
#608.MSVBVM60(?,0000004D), ref: 0042F858
#608.MSVBVM60(?,00000045), ref: 0042F863
__vbaVarAdd.MSVBVM60(?,?,?), ref: 0042F871
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F87F
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F890
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F8A1
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F8B2
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F8C3
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F8D4
#666.MSVBVM60(?,00000000), ref: 0042F8DE
__vbaStrVarMove.MSVBVM60(?), ref: 0042F8EB
__vbaStrMove.MSVBVM60 ref: 0042F8F8
__vbaFreeVarList.MSVBVM60(00000010,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042F964
#608.MSVBVM60(?,00000074), ref: 0042F96F
#608.MSVBVM60(?,00000065), ref: 0042F977
#608.MSVBVM60(?,0000006D), ref: 0042F97F
#608.MSVBVM60(?,00000070), ref: 0042F98A
__vbaVarAdd.MSVBVM60(?,?,?), ref: 0042F998
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F9A6
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042F9B7
#666.MSVBVM60(?,00000000), ref: 0042F9C1
__vbaStrVarMove.MSVBVM60(?), ref: 0042F9CE
__vbaStrMove.MSVBVM60 ref: 0042F9DB
__vbaFreeVarList.MSVBVM60(00000008,?,?,?,?,?,?,?,?), ref: 0042FA0F
__vbaStrCopy.MSVBVM60 ref: 0042FA22
__vbaStrCopy.MSVBVM60 ref: 0042FA2C

Part of subcall function 00435950: __vbaStrToAnsi.MSVBVM60(?,?,00000000,0000003F,?,6CC8D83C,6CCB1B7C,6CD768D4), ref: 00435998
Part of subcall function 00435950: __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 004359B0
Part of subcall function 00435950: __vbaStrToUnicode.MSVBVM60(00401886,?,?,00000000), ref: 004359B7
Part of subcall function 00435950: __vbaFreeStr.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 004359C0
Part of subcall function 00435950: __vbaVarCopy.MSVBVM60(?,00000000,?,?,00000000), ref: 004359DF
Part of subcall function 00435950: __vbaSetSystemError.MSVBVM60(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004359EE
Part of subcall function 00435950: __vbaFreeVar.MSVBVM60(00435A1A,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00435A13

__vbaVarTstNe.MSVBVM60(?,?,?,?,?,?), ref: 0042FA6F
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042FA8C
__vbaFreeVar.MSVBVM60 ref: 0042FA94
__vbaStrCopy.MSVBVM60 ref: 0042FAB0

Part of subcall function 00435600: __vbaStrToAnsi.MSVBVM60(?,00000000,00000000,00000000,00000000,0000003F,00000000,?,?,6CC8D83C,6CCB1B7C,6CC8D8F4), ref: 0043564F
Part of subcall function 00435600: __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,?,?,?,?,?,?,00401886,?), ref: 00435669
Part of subcall function 00435600: __vbaStrToUnicode.MSVBVM60(00401886,?,?,?,?,?,?,?,?,?,?,00401886,?), ref: 00435670
Part of subcall function 00435600: __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,00401886,?), ref: 0043567C
Part of subcall function 00435600: __vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401886,?), ref: 0043568B

__vbaFreeStr.MSVBVM60(?,80000001,?), ref: 0042FAD3
__vbaFreeVar.MSVBVM60 ref: 0042FADC
__vbaStrCopy.MSVBVM60 ref: 0042FB02
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,80000001,?,?,00000002,00000004), ref: 0042FB45
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0042FB51
__vbaStrCopy.MSVBVM60 ref: 0042FB7A
__vbaStrCopy.MSVBVM60 ref: 0042FB84
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,80000001,?,?,00000002,00000004), ref: 0042FBBD
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0042FBC9
__vbaStrCopy.MSVBVM60 ref: 0042FBF2
__vbaStrCopy.MSVBVM60 ref: 0042FBFC
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,80000001,?,?,00000002,00000004), ref: 0042FC35
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0042FC41
__vbaStrCopy.MSVBVM60 ref: 0042FC6A
__vbaStrCopy.MSVBVM60 ref: 0042FC74
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,80000001,?,?,00000002,00000004), ref: 0042FCAD
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0042FCB9
__vbaI4Var.MSVBVM60(?,?,80000001,?,?), ref: 0042FE13
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042FE28
__vbaFreeVar.MSVBVM60 ref: 0042FE30
__vbaStrCopy.MSVBVM60 ref: 0042FE3E
__vbaStrCopy.MSVBVM60 ref: 0042FE48
__vbaStrVarMove.MSVBVM60(?,?,80000001,?,?), ref: 0042FE70
__vbaStrMove.MSVBVM60 ref: 0042FE7D
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042FE8D
__vbaFreeVar.MSVBVM60 ref: 0042FE95
__vbaStrToAnsi.MSVBVM60(?,windowzapret), ref: 0042FEA4
__vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 0042FEB8
__vbaStrI4.MSVBVM60(80000001), ref: 0042FEC5
__vbaStrMove.MSVBVM60 ref: 0042FED0
__vbaFreeStr.MSVBVM60 ref: 0042FED9
__vbaR8Str.MSVBVM60(?), ref: 0042FEE3
__vbaStrCopy.MSVBVM60 ref: 0042FF1B
__vbaStrCopy.MSVBVM60 ref: 0042FF25
__vbaStrCopy.MSVBVM60 ref: 0042FB0C

Part of subcall function 004356E0: __vbaStrToAnsi.MSVBVM60(?,?,00000000,0000003F,?,00000000,6CC8D83C,00401230), ref: 00435725
Part of subcall function 004356E0: __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00401886), ref: 0043573D
Part of subcall function 004356E0: __vbaStrToUnicode.MSVBVM60(00401886,?,?,00000000,?,?,?,?,?,?,?,?,?,00401886), ref: 00435744
Part of subcall function 004356E0: __vbaFreeStr.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00401886), ref: 0043574D
Part of subcall function 004356E0: __vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 00435771

__vbaStrCopy.MSVBVM60 ref: 0042FCCA
__vbaStrCopy.MSVBVM60 ref: 0042FCD4
__vbaI4Var.MSVBVM60(?,?,80000001,?,?), ref: 0042FCFC
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042FD11
__vbaFreeVar.MSVBVM60 ref: 0042FD19
__vbaStrCopy.MSVBVM60 ref: 0042FD27
__vbaStrCopy.MSVBVM60 ref: 0042FD31
__vbaI4Var.MSVBVM60(?,?,80000001,?,?), ref: 0042FD59
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042FD6E
__vbaFreeVar.MSVBVM60 ref: 0042FD76
__vbaStrCopy.MSVBVM60 ref: 0042FD84
__vbaStrCopy.MSVBVM60 ref: 0042FD8E
__vbaI4Var.MSVBVM60(?,?,80000001,?,?), ref: 0042FDB6
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042FDCB
__vbaFreeVar.MSVBVM60 ref: 0042FDD3
__vbaStrCopy.MSVBVM60 ref: 0042FDE1
__vbaStrCopy.MSVBVM60 ref: 0042FDEB
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,80000001,?,?,00000002,00000004), ref: 0042FF5E
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0042FF6A
__vbaNew2.MSVBVM60(00410FA0,00447694), ref: 0042FF8C
__vbaObjSetAddref.MSVBVM60(?,00401398), ref: 0042FFA2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410F90,00000010), ref: 0042FFBC
__vbaFreeObj.MSVBVM60 ref: 0042FFC5
__vbaNew2.MSVBVM60(00410FA0,00447694), ref: 0042FFE3
__vbaNew2.MSVBVM60(0040C110,004470B4), ref: 00430002
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00430015
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410F90,0000000C), ref: 0043002F
__vbaFreeObj.MSVBVM60 ref: 00430038
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430055
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411834,0000005C), ref: 0043007A
__vbaFreeObj.MSVBVM60 ref: 00430083
__vbaObjSet.MSVBVM60(?,00000000), ref: 004300A0
__vbaObjSet.MSVBVM60(?,00000000), ref: 004300DA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410FB0,000000E4), ref: 00430105
__vbaFreeObj.MSVBVM60 ref: 0043010E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043012B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430165
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410FB0,000000E4), ref: 00430190
__vbaFreeObj.MSVBVM60 ref: 00430199
__vbaStrCmp.MSVBVM60(00412A30,00000000), ref: 004301AB
__vbaNew2.MSVBVM60(0040C5C8,0044708C), ref: 004301C8
__vbaObjSet.MSVBVM60(?,00000000), ref: 004301E1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BBC,0000008C), ref: 0043020C
__vbaFreeObj.MSVBVM60 ref: 00430215
__vbaStrCmp.MSVBVM60(00412A30,00000000), ref: 00430230
__vbaNew2.MSVBVM60(0040C5C8,0044708C), ref: 00430260
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430279
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411834,0000005C), ref: 0043029E
__vbaFreeObj.MSVBVM60 ref: 004302A7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004302CF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,00000054), ref: 004302F7
__vbaFreeObj.MSVBVM60 ref: 00430300
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430314
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 00430339
__vbaFreeObj.MSVBVM60 ref: 00430342
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043036A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,00000054), ref: 00430392
__vbaFreeObj.MSVBVM60 ref: 0043039B
__vbaObjSet.MSVBVM60(?,00000000), ref: 004303AF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 004303D4
__vbaFreeObj.MSVBVM60 ref: 004303DD
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430407
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,00000054), ref: 0043042F
__vbaFreeObj.MSVBVM60 ref: 00430438
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043044C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 00430471
__vbaFreeObj.MSVBVM60 ref: 0043047A
__vbaObjSet.MSVBVM60(?,00000000), ref: 004304A4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,00000054), ref: 004304CC
__vbaFreeObj.MSVBVM60 ref: 004304D5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004304E9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 0043050E
__vbaFreeObj.MSVBVM60 ref: 00430517
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430541
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,00000054), ref: 00430569
__vbaFreeObj.MSVBVM60 ref: 00430572
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430586
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 004305AB
__vbaFreeObj.MSVBVM60 ref: 004305B4
__vbaHresultCheckObj.MSVBVM60(00000000,00401398,00410514,000006F8), ref: 004305E1
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430603
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000074), ref: 00430628
__vbaFreeObj.MSVBVM60 ref: 00430631
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430645
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000074), ref: 0043066A
__vbaFreeObj.MSVBVM60 ref: 00430673
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430691
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410FB0,000000E4), ref: 004306BC
__vbaFreeObj.MSVBVM60 ref: 004306C5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004306D9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410FB0,000000E4), ref: 00430704
__vbaFreeObj.MSVBVM60 ref: 0043070D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430721
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410FB0,000000E4), ref: 0043074C
__vbaFreeObj.MSVBVM60 ref: 00430755
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430769
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410FB0,00000094), ref: 00430794
__vbaFreeObj.MSVBVM60 ref: 0043079D
__vbaObjSet.MSVBVM60(?,00000000), ref: 004307B1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410FB0,00000094), ref: 004307DC
__vbaFreeObj.MSVBVM60 ref: 004307E5
__vbaHresultCheckObj.MSVBVM60(00000000,00401398,00410514,000006FC), ref: 00430812
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430834
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041083C,00000054), ref: 0043085C
__vbaFreeObj.MSVBVM60 ref: 00430865
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430879
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BBC,00000044), ref: 004308D5
__vbaFreeObj.MSVBVM60 ref: 004308DE
__vbaFreeVar.MSVBVM60 ref: 004308E7
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043090A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041083C,00000054), ref: 00430932
__vbaFreeObj.MSVBVM60 ref: 0043093B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043094F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BBC,00000044), ref: 004309AB
__vbaFreeObj.MSVBVM60 ref: 004309B4
__vbaFreeVar.MSVBVM60 ref: 004309BD
__vbaObjSet.MSVBVM60(?,00000000), ref: 004309DB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BBC,00000040), ref: 00430A02
__vbaI4Var.MSVBVM60(?), ref: 00430A0C
__vbaFreeObj.MSVBVM60 ref: 00430A18
__vbaFreeVar.MSVBVM60 ref: 00430A21
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430A37
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410FB0,000000E4), ref: 00430A62
__vbaFreeObj.MSVBVM60 ref: 00430A6B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430A89
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041083C,00000054), ref: 00430AB1
__vbaFreeObj.MSVBVM60 ref: 00430ABA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430ACE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BBC,00000044), ref: 00430B2A
__vbaFreeObj.MSVBVM60 ref: 00430B33
__vbaFreeVar.MSVBVM60 ref: 00430B3C
__vbaNew2.MSVBVM60(0040E720,00447020), ref: 00430B66
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004104E4,00000058), ref: 00430B99
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430BD8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BBC,00000040), ref: 00430BFF
__vbaI4Var.MSVBVM60(?), ref: 00430C09
__vbaFreeObj.MSVBVM60 ref: 00430C15
__vbaFreeVar.MSVBVM60 ref: 00430C1E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430C32
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000074), ref: 00430C57
__vbaFreeObj.MSVBVM60 ref: 00430C60
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430C74
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000074), ref: 00430C99
__vbaFreeObj.MSVBVM60 ref: 00430CA2
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430CC9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BBC,00000040), ref: 00430CF0
__vbaI4Var.MSVBVM60(?), ref: 00430CFA
__vbaFreeObj.MSVBVM60 ref: 00430D06
__vbaFreeVar.MSVBVM60 ref: 00430D0F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430D23
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000074), ref: 00430D48
__vbaFreeObj.MSVBVM60 ref: 00430D51
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430D65
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000074), ref: 00430D8A
__vbaFreeObj.MSVBVM60 ref: 00430D93
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430DB4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000074), ref: 00430DD9
__vbaFreeObj.MSVBVM60 ref: 00430DE2
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430DF6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000074), ref: 00430E11
__vbaFreeObj.MSVBVM60 ref: 00430E1A
#608.MSVBVM60(?,0000000D), ref: 00430E55
__vbaVarCat.MSVBVM60(?,?,00008008), ref: 00430E8C
__vbaVarCat.MSVBVM60(00000007,?,00000000), ref: 00430E9A
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 00430EA8
__vbaStrVarMove.MSVBVM60(00000000), ref: 00430EAB
__vbaStrMove.MSVBVM60 ref: 00430EB6
__vbaLsetFixstr.MSVBVM60(00000040,(C,00000000), ref: 00430EC3
__vbaFreeStr.MSVBVM60 ref: 00430ECC
__vbaFreeVarList.MSVBVM60(00000004,?,?,00000007,?), ref: 00430EE4
#608.MSVBVM60(?,0000000D), ref: 00430F19
__vbaVarCat.MSVBVM60(00000002,?,00000008), ref: 00430F4F
__vbaVarCat.MSVBVM60(00000007,?,00000000), ref: 00430F5D
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 00430F6B
__vbaStrVarMove.MSVBVM60(00000000), ref: 00430F6E
__vbaStrMove.MSVBVM60 ref: 00430F79
__vbaLsetFixstr.MSVBVM60(00000040,(C,00000000), ref: 00430F86
__vbaFreeStr.MSVBVM60 ref: 00430F8F
__vbaFreeVarList.MSVBVM60(00000004,?,00000002,00000007,?), ref: 00430FA7
#608.MSVBVM60(?,0000000D), ref: 00430FD4
__vbaVarCat.MSVBVM60(00000003,?,00000008), ref: 0043100A
__vbaVarCat.MSVBVM60(00000007,?,00000000), ref: 00431018
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 00431026
__vbaStrVarMove.MSVBVM60(00000000), ref: 00431029
__vbaStrMove.MSVBVM60 ref: 00431034
__vbaLsetFixstr.MSVBVM60(00000040,(C,00000000), ref: 00431041
__vbaFreeStr.MSVBVM60 ref: 0043104A
__vbaFreeVarList.MSVBVM60(00000004,?,00000003,00000007,?), ref: 00431062
#608.MSVBVM60(?,0000000D), ref: 0043108F
__vbaVarCat.MSVBVM60(00000004,?,00000008), ref: 004310C5
__vbaVarCat.MSVBVM60(00000007,?,00000000), ref: 004310D3
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 004310E1
__vbaStrVarMove.MSVBVM60(00000000), ref: 004310E4
__vbaStrMove.MSVBVM60 ref: 004310EF
__vbaLsetFixstr.MSVBVM60(00000040,(C,00000000), ref: 004310FC
__vbaFreeStr.MSVBVM60 ref: 00431105
__vbaFreeVarList.MSVBVM60(00000004,?,00000004,00000007,?), ref: 0043111D
#608.MSVBVM60(?,0000000D), ref: 0043115F
__vbaVarCat.MSVBVM60(00000001,?,00000008), ref: 00431195
__vbaVarCat.MSVBVM60(00000007,?,00000000), ref: 004311A3
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 004311B1
__vbaStrVarMove.MSVBVM60(00000000), ref: 004311B4
__vbaStrMove.MSVBVM60 ref: 004311BF
__vbaLsetFixstr.MSVBVM60(00000040,(C,00000000), ref: 004311CC
__vbaFreeStr.MSVBVM60 ref: 004311D5
__vbaFreeVarList.MSVBVM60(00000004,?,00000001,00000007,?), ref: 004311ED
#608.MSVBVM60(?,0000000D), ref: 0043121A
__vbaVarCat.MSVBVM60(00000002,?,00000008), ref: 00431250
__vbaVarCat.MSVBVM60(00000007,?,00000000), ref: 0043125E
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0043126C
__vbaStrVarMove.MSVBVM60(00000000), ref: 0043126F
__vbaStrMove.MSVBVM60 ref: 0043127A
__vbaLsetFixstr.MSVBVM60(00000040,(C,00000000), ref: 00431287
__vbaFreeStr.MSVBVM60 ref: 00431290
__vbaFreeVarList.MSVBVM60(00000004,?,00000002,00000007,?), ref: 004312A8
#608.MSVBVM60(?,0000000D), ref: 004312D5
__vbaVarCat.MSVBVM60(00000003,?,00000008), ref: 0043130B
__vbaVarCat.MSVBVM60(00000007,?,00000000), ref: 00431319
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 00431327
__vbaStrVarMove.MSVBVM60(00000000), ref: 0043132A
__vbaStrMove.MSVBVM60 ref: 00431335
__vbaLsetFixstr.MSVBVM60(00000040,(C,00000000), ref: 00431342
__vbaFreeStr.MSVBVM60 ref: 0043134B
__vbaFreeVarList.MSVBVM60(00000004,?,00000003,00000007,?), ref: 00431363
#608.MSVBVM60(?,0000000D), ref: 00431390
__vbaVarCat.MSVBVM60(00000004,?,00000008), ref: 004313C6
__vbaVarCat.MSVBVM60(00000007,?,00000000), ref: 004313D4
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 004313E2
__vbaStrVarMove.MSVBVM60(00000000), ref: 004313E5
__vbaStrMove.MSVBVM60 ref: 004313F0
__vbaLsetFixstr.MSVBVM60(00000040,(C,00000000), ref: 004313FD
__vbaFreeStr.MSVBVM60 ref: 00431406
__vbaFreeVarList.MSVBVM60(00000004,?,00000004,00000007,?), ref: 0043141E
__vbaHresultCheckObj.MSVBVM60(00000000,00401398,00410514,000006FC), ref: 0043145B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043147D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BBC,00000040), ref: 004314A8
__vbaI4Var.MSVBVM60(?), ref: 004314B2
__vbaFreeObj.MSVBVM60 ref: 004314BE
__vbaFreeVar.MSVBVM60 ref: 004314C7
#608.MSVBVM60(?,0000000D), ref: 004314F1
__vbaVarCat.MSVBVM60(00000001,?,00000008), ref: 00431527
__vbaVarCat.MSVBVM60(00000007,?,00000000), ref: 00431535
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 00431543
__vbaStrVarMove.MSVBVM60(00000000), ref: 00431546
__vbaStrMove.MSVBVM60 ref: 00431551
__vbaLsetFixstr.MSVBVM60(00000040,(C,00000000), ref: 0043155E
__vbaFreeStr.MSVBVM60 ref: 00431567
__vbaFreeVarList.MSVBVM60(00000004,?,00000001,00000007,?), ref: 0043157F
#608.MSVBVM60(?,0000000D), ref: 004315AC
__vbaVarCat.MSVBVM60(00000002,?,00000008), ref: 004315E2
__vbaVarCat.MSVBVM60(00000007,?,00000000), ref: 004315F0
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 004315FE
__vbaStrVarMove.MSVBVM60(00000000), ref: 00431601
__vbaStrMove.MSVBVM60 ref: 0043160C
__vbaLsetFixstr.MSVBVM60(00000040,(C,00000000), ref: 00431619
__vbaFreeStr.MSVBVM60 ref: 00431622
__vbaFreeVarList.MSVBVM60(00000004,?,00000002,00000007,?), ref: 0043163A
#608.MSVBVM60(?,0000000D), ref: 00431667
__vbaVarCat.MSVBVM60(00000003,?,00000008), ref: 0043169D
__vbaVarCat.MSVBVM60(00000007,?,00000000), ref: 004316AB
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 004316B9
__vbaStrVarMove.MSVBVM60(00000000), ref: 004316BC
__vbaStrMove.MSVBVM60 ref: 004316C7
__vbaLsetFixstr.MSVBVM60(00000040,(C,00000000), ref: 004316D4
__vbaFreeStr.MSVBVM60 ref: 004316DD
__vbaFreeVarList.MSVBVM60(00000004,?,00000003,00000007,?), ref: 004316F5
#608.MSVBVM60(?,0000000D), ref: 00431722
__vbaVarCat.MSVBVM60(00000004,?,00000008), ref: 00431758
__vbaVarCat.MSVBVM60(00000007,?,00000000), ref: 00431766
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 00431774
__vbaStrVarMove.MSVBVM60(00000000), ref: 00431777
__vbaStrMove.MSVBVM60 ref: 00431782
__vbaLsetFixstr.MSVBVM60(00000040,(C,00000000), ref: 0043178F
__vbaFreeStr.MSVBVM60 ref: 00431798
__vbaObjSet.MSVBVM60(?,00000000), ref: 004317C1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BBC,00000040), ref: 004317EC
__vbaI4Var.MSVBVM60(?), ref: 004317F6
__vbaFreeObj.MSVBVM60 ref: 00431802
__vbaFreeVar.MSVBVM60 ref: 0043180B
#608.MSVBVM60(?,0000000D), ref: 00431835
__vbaVarCat.MSVBVM60(00000001,?,00000008), ref: 0043186B
__vbaVarCat.MSVBVM60(00000007,?,00000000), ref: 00431879
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 00431887
__vbaStrVarMove.MSVBVM60(00000000), ref: 0043188A
__vbaStrMove.MSVBVM60 ref: 00431895
__vbaLsetFixstr.MSVBVM60(00000040,(C,00000000), ref: 004318A2
__vbaFreeStr.MSVBVM60 ref: 004318AB
__vbaFreeVarList.MSVBVM60(00000004,?,00000001,00000007,?), ref: 004318C3
#608.MSVBVM60(?,0000000D), ref: 004318F0
__vbaVarCat.MSVBVM60(00000002,?,00000008), ref: 00431926
__vbaVarCat.MSVBVM60(00000007,?,00000000), ref: 00431934
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 00431942
__vbaStrVarMove.MSVBVM60(00000000), ref: 00431945
__vbaStrMove.MSVBVM60 ref: 00431950
__vbaLsetFixstr.MSVBVM60(00000040,(C,00000000), ref: 0043195D
__vbaFreeStr.MSVBVM60 ref: 00431966
__vbaFreeVarList.MSVBVM60(00000004,?,00000002,00000007,?), ref: 0043197E
#608.MSVBVM60(?,0000000D), ref: 004319AB
__vbaVarCat.MSVBVM60(00000003,?,00000008), ref: 004319E1
__vbaVarCat.MSVBVM60(00000007,?,00000000), ref: 004319EF
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 004319FD
__vbaStrVarMove.MSVBVM60(00000000), ref: 00431A00
__vbaStrMove.MSVBVM60 ref: 00431A0B
__vbaLsetFixstr.MSVBVM60(00000040,(C,00000000), ref: 00431A18
__vbaFreeStr.MSVBVM60 ref: 00431A21
__vbaFreeVarList.MSVBVM60(00000004,?,00000003,00000007,?), ref: 00431A39
#608.MSVBVM60(?,0000000D), ref: 00431A66
__vbaVarCat.MSVBVM60(00000004,?,00000008), ref: 00431A9C
__vbaVarCat.MSVBVM60(00000007,?,00000000), ref: 00431AAA
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 00431AB8
__vbaStrVarMove.MSVBVM60(00000000), ref: 00431ABB
__vbaStrMove.MSVBVM60 ref: 00431AC6
__vbaLsetFixstr.MSVBVM60(00000040,(C,00000000), ref: 00431AD3
__vbaFreeStr.MSVBVM60 ref: 00431ADC
__vbaFreeVarList.MSVBVM60(00000004,?,00000004,00000007,?), ref: 00431AF4
__vbaRecUniToAnsi.MSVBVM60(00410468,?,=#C), ref: 00431B0D
__vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 00431B1B
__vbaRecAnsiToUni.MSVBVM60(00410468,=#C,?), ref: 00431B2E
__vbaHresultCheckObj.MSVBVM60(00000000,00401398,004104E4,000002B4), ref: 00431B58
__vbaFreeStr.MSVBVM60(00431D1B), ref: 00431D14

Strings

Software\ZapretLauncher, xrefs: 0042FA24, 0042FAA8, 0042FB04, 0042FB7C, 0042FBF4, 0042FC6C, 0042FCCC, 0042FD29, 0042FD86, 0042FDE3, 0042FE40, 0042FF1D
Zapret , xrefs: 00430E45, 00430F05, 00430FC0, 0043107B, 004314DD, 00431598, 00431653, 0043170E
<pD, xrefs: 0042F768
=#C, xrefs: 00431B06, 00431B28
Autostart, xrefs: 0042FA1A, 0042FAE2, 0042FCC2
DpD, xrefs: 0042F9D6
\winws.exe, xrefs: 0042E4B3
Ver, xrefs: 0042FE36
Preset, xrefs: 0042FC4A, 0042FDD9
dpD, xrefs: 0042FE78
Zapret , xrefs: 0043114B, 00431206, 004312C1, 0043137C, 00431821, 004318DC, 00431997, 00431A52
@pD, xrefs: 0042F8F3
Autoupdate, xrefs: 0042FBD2, 0042FD7C
Autorun, xrefs: 0042FB5A, 0042FD1F
\WinDivert.dll, xrefs: 0042E543
Control, xrefs: 0042FEFF
windowzapret, xrefs: 0042FE9E
(C, xrefs: 00430EC0, 00430F83, 0043103E, 004310F9, 004311C9, 00431284, 0043133F, 004313FA, 0043155B, 00431616, 004316D1, 0043178C, 0043189F, 0043195A, 00431A15, 00431AD0
zapret, xrefs: 0042E667

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$Free$#608$CheckHresult$Move$List$Copy$FixstrLset$ErrorNew2System$Ansi$#666Unicode$Addref$#595
String ID: <pD$=#C$@pD$Autorun$Autostart$Autoupdate$Control$DpD$Preset$Software\ZapretLauncher$Ver$Zapret $Zapret $\WinDivert.dll$\winws.exe$dpD$windowzapret$zapret$(C
API String ID: 1553068728-2813122897
Opcode ID: 7b3584b34ebfc0d0c5dcb8c99a21265a622abb88846cf6a5be87858bd60b7c06
Instruction ID: 57a7686197bccc7e47f8ac022e7436f0ee73c5a21e44db5c9fe1c25cc3c29efc
Opcode Fuzzy Hash: 7b3584b34ebfc0d0c5dcb8c99a21265a622abb88846cf6a5be87858bd60b7c06
Instruction Fuzzy Hash: 51831FB1900219AFDB65DBA0CC84FEEB77CEF48704F00469AF60AA6154DB745B89CF64

Function 00401B28 Relevance: 1.7, APIs: 1, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(0040BF94), ref: 00401B2D

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: #100
String ID:
API String ID: 1341478452-0
Opcode ID: e1f908ce889410de6274dabc06ca2271de231b16d3ab1237697495d45eb93315
Instruction ID: 9a16dd457a6164c3e167d08ba03bc358cfa45791b6c9fa7611ca31e3ea79be5f
Opcode Fuzzy Hash: e1f908ce889410de6274dabc06ca2271de231b16d3ab1237697495d45eb93315
Instruction Fuzzy Hash: E4514EE18AE7D84FD3039B300AA45603F78AD93219B5B4BDBC085DA4E3D21D4C4AD727

Non-executed Functions

Function 0042C6D0 Relevance: 110.7, APIs: 60, Strings: 3, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 0042C73C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BBC,00000044), ref: 0042C786
__vbaFreeObj.MSVBVM60 ref: 0042C78F
__vbaFreeVar.MSVBVM60 ref: 0042C798
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042C7B5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BBC,00000040), ref: 0042C7D6
__vbaI4Var.MSVBVM60(?), ref: 0042C7E0
__vbaFreeObj.MSVBVM60 ref: 0042C7EC
__vbaFreeVar.MSVBVM60 ref: 0042C7F5
#608.MSVBVM60(?,0000000D), ref: 0042C81A
__vbaVarCat.MSVBVM60(?,?,?), ref: 0042C849
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0042C854
__vbaVarCat.MSVBVM60(00000001,?,00000000), ref: 0042C862
__vbaStrVarMove.MSVBVM60(00000000), ref: 0042C865
__vbaStrMove.MSVBVM60 ref: 0042C870
__vbaLsetFixstr.MSVBVM60(00000040,?,00000000), ref: 0042C87D
__vbaFreeStr.MSVBVM60 ref: 0042C886
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,00000001), ref: 0042C89E
#608.MSVBVM60(?,0000000D), ref: 0042C8CE
__vbaVarCat.MSVBVM60(?,?,?), ref: 0042C8F7
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0042C902
__vbaVarCat.MSVBVM60(00000002,?,00000000), ref: 0042C910
__vbaStrVarMove.MSVBVM60(00000000), ref: 0042C913
__vbaStrMove.MSVBVM60 ref: 0042C91E
__vbaLsetFixstr.MSVBVM60(00000040,?,00000000), ref: 0042C92B
__vbaFreeStr.MSVBVM60 ref: 0042C934
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,00000002), ref: 0042C94C
#608.MSVBVM60(?,0000000D), ref: 0042C96F
__vbaVarCat.MSVBVM60(?,?,?), ref: 0042C998
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0042C9A3
__vbaVarCat.MSVBVM60(00000003,?,00000000), ref: 0042C9B1
__vbaStrVarMove.MSVBVM60(00000000), ref: 0042C9B4
__vbaStrMove.MSVBVM60 ref: 0042C9BF
__vbaLsetFixstr.MSVBVM60(00000040,?,00000000), ref: 0042C9CC
__vbaFreeStr.MSVBVM60 ref: 0042C9D5
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,00000003), ref: 0042C9ED
#608.MSVBVM60(?,0000000D), ref: 0042CA10
__vbaVarCat.MSVBVM60(?,?,?), ref: 0042CA39
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0042CA44
__vbaVarCat.MSVBVM60(00000004,?,00000000), ref: 0042CA52
__vbaStrVarMove.MSVBVM60(00000000), ref: 0042CA55
__vbaStrMove.MSVBVM60 ref: 0042CA60
__vbaLsetFixstr.MSVBVM60(00000040,?,00000000), ref: 0042CA6D
__vbaFreeStr.MSVBVM60 ref: 0042CA76
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,00000004), ref: 0042CA8E
__vbaRecUniToAnsi.MSVBVM60(00410468,?,?), ref: 0042CAA7
__vbaSetSystemError.MSVBVM60(00000001,00000000), ref: 0042CAB5
__vbaRecAnsiToUni.MSVBVM60(00410468,?,?), ref: 0042CAC8
__vbaStrCat.MSVBVM60(taskkill /f /im winws.exe,RunDLL32.EXE shell32.dll,ShellExec_RunDLL ), ref: 0042CAEA
#600.MSVBVM60(?,00000000), ref: 0042CAFC
__vbaFreeVar.MSVBVM60 ref: 0042CB07
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042CB21
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041083C,00000054), ref: 0042CB3F
__vbaFreeObj.MSVBVM60 ref: 0042CB48
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042CB5C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000074), ref: 0042CB77
__vbaFreeObj.MSVBVM60 ref: 0042CB80
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042CB94
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000074), ref: 0042CBAF
__vbaFreeObj.MSVBVM60 ref: 0042CBB8

Strings

Zapret , xrefs: 0042C810, 0042C8C4, 0042C965, 0042CA06
taskkill /f /im winws.exe, xrefs: 0042CAE5
RunDLL32.EXE shell32.dll,ShellExec_RunDLL , xrefs: 0042CAE0

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$Free$Move$CheckHresult$#608FixstrListLset$Ansi$#600ErrorSystem
String ID: RunDLL32.EXE shell32.dll,ShellExec_RunDLL $Zapret $taskkill /f /im winws.exe
API String ID: 2769052595-1693910576
Opcode ID: a32412f52a3c05563e93321750c3986ac89cc64d6e0c7eff54eb190f1c6dd976
Instruction ID: da2546be9f27c6dfc280981c24f8c50003e7537360c84d59167b7aa45c571cc0
Opcode Fuzzy Hash: a32412f52a3c05563e93321750c3986ac89cc64d6e0c7eff54eb190f1c6dd976
Instruction Fuzzy Hash: 23F10AB190021AAFDB14DFA4DD88EEEBF78FF48705F10412AF606A6160DB745589CFA4

Function 00445AA0 Relevance: 102.0, APIs: 57, Strings: 1, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,00401830,00410E14,00000058), ref: 00445C0C
#608.MSVBVM60(?,00000068), ref: 00445C1E
#608.MSVBVM60(?,00000074), ref: 00445C26
#608.MSVBVM60(?,00000074), ref: 00445C2E
#608.MSVBVM60(?,00000070), ref: 00445C39
#608.MSVBVM60(?,00000073), ref: 00445C44
#608.MSVBVM60(?,0000003A), ref: 00445C4F
#608.MSVBVM60(?,0000002F), ref: 00445C5A
#608.MSVBVM60(?,0000002F), ref: 00445C65
#608.MSVBVM60(?,00000074), ref: 00445C70
#608.MSVBVM60(?,0000002E), ref: 00445C7B
#608.MSVBVM60(?,0000006D), ref: 00445C86
#608.MSVBVM60(?,00000065), ref: 00445C91
#608.MSVBVM60(?,0000002F), ref: 00445C9C
#608.MSVBVM60(?,00000074), ref: 00445CA7
#608.MSVBVM60(?,0000006F), ref: 00445CB2
#608.MSVBVM60(?,00000070), ref: 00445CBD
#608.MSVBVM60(?,00000065), ref: 00445CC8
#608.MSVBVM60(?,00000072), ref: 00445CD3
#608.MSVBVM60(?,00000073), ref: 00445CDE
#608.MSVBVM60(?,0000006F), ref: 00445CE9
#608.MSVBVM60(?,00000066), ref: 00445CF4
#608.MSVBVM60(?,00000074), ref: 00445CFF
__vbaStrToAnsi.MSVBVM60(?,00412A30,00000001), ref: 00445D12
__vbaStrToAnsi.MSVBVM60(?,00412A30,00000000), ref: 00445D1E
__vbaVarAdd.MSVBVM60(?,?,?,00000000), ref: 00445D33
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445D3E
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445D4F
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445D60
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445D71
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445D82
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445D93
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445DA4
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445DB5
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445DC6
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445DD7
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445DE8
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445DF9
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445E0A
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445E1B
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445E2C
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445E3D
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445E4E
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445E5F
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445E70
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445E81
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 00445E88
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 00445E93
__vbaStrToAnsi.MSVBVM60(?,open,00000000), ref: 00445E9F
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 00445EAE
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 00445ECA
__vbaFreeVarList.MSVBVM60(0000002B,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00445FF0
__vbaHresultCheckObj.MSVBVM60(00000000,00401830,00410E14,000002B4), ref: 0044601A
__vbaNew2.MSVBVM60(00410FA0,00447694), ref: 00446032
__vbaObjSetAddref.MSVBVM60(?,00401830), ref: 0044604B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410F90,00000010), ref: 0044606B
__vbaFreeObj.MSVBVM60 ref: 00446074

Strings

open, xrefs: 00445E99

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$#608$Ansi$CheckFreeHresult$List$AddrefErrorNew2System
String ID: open
API String ID: 3888866446-2758837156
Opcode ID: d5a73473a8df5f1ac69bee5e48b88e4e371a598c84df507e6b83b1d7dc56fa92
Instruction ID: e41a1bff06a570bbabbe5a6095d233d9e2ea438132c5783edf9092f8db1eb2cf
Opcode Fuzzy Hash: d5a73473a8df5f1ac69bee5e48b88e4e371a598c84df507e6b83b1d7dc56fa92
Instruction Fuzzy Hash: 8A12BFB2C0122DAADB24DB95CC84EDEF7BCEF99700F10C5DBA509A6154D6746B84CFA0

Function 00445380 Relevance: 98.5, APIs: 55, Strings: 1, Instructions: 460
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,00401820,00410E14,00000058), ref: 004454E0
#608.MSVBVM60(?,00000068), ref: 004454F2
#608.MSVBVM60(?,00000074), ref: 004454FA
#608.MSVBVM60(?,00000074), ref: 00445502
#608.MSVBVM60(?,00000070), ref: 0044550D
#608.MSVBVM60(?,00000073), ref: 00445518
#608.MSVBVM60(?,0000003A), ref: 00445523
#608.MSVBVM60(?,0000002F), ref: 0044552E
#608.MSVBVM60(?,0000002F), ref: 00445539
#608.MSVBVM60(?,00000074), ref: 00445544
#608.MSVBVM60(?,0000006F), ref: 0044554F
#608.MSVBVM60(?,00000070), ref: 0044555A
#608.MSVBVM60(?,00000065), ref: 00445565
#608.MSVBVM60(?,00000072), ref: 00445570
#608.MSVBVM60(?,00000073), ref: 0044557B
#608.MSVBVM60(?,0000006F), ref: 00445586
#608.MSVBVM60(?,00000066), ref: 00445591
#608.MSVBVM60(?,00000074), ref: 0044559C
#608.MSVBVM60(?,0000002E), ref: 004455A7
#608.MSVBVM60(?,00000063), ref: 004455B2
#608.MSVBVM60(?,0000006F), ref: 004455BD
#608.MSVBVM60(?,0000006D), ref: 004455C8
__vbaStrToAnsi.MSVBVM60(?,00412A30,00000001), ref: 004455DB
__vbaStrToAnsi.MSVBVM60(?,00412A30,00000000), ref: 004455E7
__vbaVarAdd.MSVBVM60(?,?,?,00000000), ref: 004455FC
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445607
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445618
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445629
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0044563A
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0044564B
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0044565C
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0044566D
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0044567E
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0044568F
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 004456A0
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 004456B1
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 004456C2
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 004456D3
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 004456E4
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 004456F5
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445706
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445717
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445728
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00445739
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 00445740
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 00445751
__vbaStrToAnsi.MSVBVM60(?,open,00000000), ref: 0044575D
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 0044576C
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 00445788
__vbaFreeVarList.MSVBVM60(00000029,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004458A0
__vbaHresultCheckObj.MSVBVM60(00000000,00401820,00410E14,000002B4), ref: 004458C7
__vbaNew2.MSVBVM60(00410FA0,00447694), ref: 004458DF
__vbaObjSetAddref.MSVBVM60(?,00401820), ref: 004458F8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410F90,00000010), ref: 00445918
__vbaFreeObj.MSVBVM60 ref: 00445921

Strings

open, xrefs: 00445757

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$#608$Ansi$CheckFreeHresult$List$AddrefErrorNew2System
String ID: open
API String ID: 3888866446-2758837156
Opcode ID: 7053e4f39d533993864f9909d28b51e7207718e4e20dec9ba61d6d6f63142c6f
Instruction ID: a081e4e7eab3d5db8979b85081366f936a323008fac9b96ae48767ff1d4c84c2
Opcode Fuzzy Hash: 7053e4f39d533993864f9909d28b51e7207718e4e20dec9ba61d6d6f63142c6f
Instruction Fuzzy Hash: 8E02CEB2C0122DAADB25DB95CC84EDEFBBCEF99700F10C5DBA109A6154D6745B84CFA0

Function 00428270 Relevance: 93.1, APIs: 50, Strings: 3, Instructions: 336
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCat.MSVBVM60(sc start zapret,RunDLL32.EXE shell32.dll,ShellExec_RunDLL ), ref: 004282D5
#600.MSVBVM60(?,00000000), ref: 004282EB
__vbaFreeVar.MSVBVM60 ref: 004282F6
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042830D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041083C,00000054), ref: 00428339
__vbaFreeObj.MSVBVM60 ref: 00428342
__vbaObjSet.MSVBVM60(?,00000000), ref: 00428360
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410BBC,00000040), ref: 0042838B
__vbaI4Var.MSVBVM60(?), ref: 00428395
__vbaFreeObj.MSVBVM60 ref: 004283A1
__vbaFreeVar.MSVBVM60 ref: 004283AA
#608.MSVBVM60(?,0000000D), ref: 004283CA
__vbaVarCat.MSVBVM60(?,?,?), ref: 004283F9
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 00428404
__vbaVarCat.MSVBVM60(00000001,?,00000000), ref: 00428412
__vbaStrVarMove.MSVBVM60(00000000), ref: 00428415
__vbaStrMove.MSVBVM60 ref: 00428420
__vbaLsetFixstr.MSVBVM60(00000040,?,00000000), ref: 0042842D
__vbaFreeStr.MSVBVM60 ref: 00428436
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,00000001), ref: 0042844E
#608.MSVBVM60(?,0000000D), ref: 00428479
__vbaVarCat.MSVBVM60(?,?,?), ref: 004284A2
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 004284AD
__vbaVarCat.MSVBVM60(00000002,?,00000000), ref: 004284BB
__vbaStrVarMove.MSVBVM60(00000000), ref: 004284BE
__vbaStrMove.MSVBVM60 ref: 004284C9
__vbaLsetFixstr.MSVBVM60(00000040,?,00000000), ref: 004284D6
__vbaFreeStr.MSVBVM60 ref: 004284DF
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,00000002), ref: 004284F7
#608.MSVBVM60(?,0000000D), ref: 0042851A
__vbaVarCat.MSVBVM60(?,?,?), ref: 00428543
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0042854E
__vbaVarCat.MSVBVM60(00000003,?,00000000), ref: 0042855C
__vbaStrVarMove.MSVBVM60(00000000), ref: 0042855F
__vbaStrMove.MSVBVM60 ref: 0042856A
__vbaLsetFixstr.MSVBVM60(00000040,?,00000000), ref: 00428577
__vbaFreeStr.MSVBVM60 ref: 00428580
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,00000003), ref: 00428598
#608.MSVBVM60(?,0000000D), ref: 004285BB
__vbaVarCat.MSVBVM60(?,?,?), ref: 004285E4
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 004285EF
__vbaVarCat.MSVBVM60(00000004,?,00000000), ref: 004285FD
__vbaStrVarMove.MSVBVM60(00000000), ref: 00428600
__vbaStrMove.MSVBVM60 ref: 0042860B
__vbaLsetFixstr.MSVBVM60(00000040,?,00000000), ref: 00428618
__vbaFreeStr.MSVBVM60 ref: 00428621
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,00000004), ref: 00428639
__vbaRecUniToAnsi.MSVBVM60(00410468,?,?), ref: 00428652
__vbaSetSystemError.MSVBVM60(00000001,00000000), ref: 00428660
__vbaRecAnsiToUni.MSVBVM60(00410468,?,?), ref: 00428673

Strings

Zapret , xrefs: 004283C0, 0042846F, 00428510, 004285B1
sc start zapret, xrefs: 004282B0
RunDLL32.EXE shell32.dll,ShellExec_RunDLL , xrefs: 004282AB

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$Free$Move$#608FixstrListLset$AnsiCheckHresult$#600ErrorSystem
String ID: RunDLL32.EXE shell32.dll,ShellExec_RunDLL $Zapret $sc start zapret
API String ID: 1793836221-2568397694
Opcode ID: ea76be2558f20822cd3e5111fbabffacc28fc36e59bd0d988e85401307842c50
Instruction ID: c398dc45b14380aafcde77e0b48545320dc0b284a45fdd5c81a1a76eb020e717
Opcode Fuzzy Hash: ea76be2558f20822cd3e5111fbabffacc28fc36e59bd0d988e85401307842c50
Instruction Fuzzy Hash: C2D1E7B1900219AFDB14DFA0DD88EEEBF78FB48705F10452AF606B6160EB745589CFA4

Function 004286D0 Relevance: 93.1, APIs: 50, Strings: 3, Instructions: 336
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCat.MSVBVM60(sc stop zapret,RunDLL32.EXE shell32.dll,ShellExec_RunDLL ), ref: 00428735
#600.MSVBVM60(?,00000000), ref: 0042874B
__vbaFreeVar.MSVBVM60 ref: 00428756
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042876D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041083C,00000054), ref: 00428799
__vbaFreeObj.MSVBVM60 ref: 004287A2
__vbaObjSet.MSVBVM60(?,00000000), ref: 004287BC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410BBC,00000040), ref: 004287E7
__vbaI4Var.MSVBVM60(?), ref: 004287F1
__vbaFreeObj.MSVBVM60 ref: 004287FD
__vbaFreeVar.MSVBVM60 ref: 00428806
#608.MSVBVM60(?,0000000D), ref: 00428826
__vbaVarCat.MSVBVM60(?,?,?), ref: 00428855
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 00428860
__vbaVarCat.MSVBVM60(00000001,?,00000000), ref: 0042886E
__vbaStrVarMove.MSVBVM60(00000000), ref: 00428871
__vbaStrMove.MSVBVM60 ref: 0042887C
__vbaLsetFixstr.MSVBVM60(00000040,?,00000000), ref: 00428889
__vbaFreeStr.MSVBVM60 ref: 00428892
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,00000001), ref: 004288AA
#608.MSVBVM60(?,0000000D), ref: 004288D5
__vbaVarCat.MSVBVM60(?,?,?), ref: 004288FE
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 00428909
__vbaVarCat.MSVBVM60(00000002,?,00000000), ref: 00428917
__vbaStrVarMove.MSVBVM60(00000000), ref: 0042891A
__vbaStrMove.MSVBVM60 ref: 00428925
__vbaLsetFixstr.MSVBVM60(00000040,?,00000000), ref: 00428932
__vbaFreeStr.MSVBVM60 ref: 0042893B
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,00000002), ref: 00428953
#608.MSVBVM60(?,0000000D), ref: 00428976
__vbaVarCat.MSVBVM60(?,?,?), ref: 0042899F
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 004289AA
__vbaVarCat.MSVBVM60(00000003,?,00000000), ref: 004289B8
__vbaStrVarMove.MSVBVM60(00000000), ref: 004289BB
__vbaStrMove.MSVBVM60 ref: 004289C6
__vbaLsetFixstr.MSVBVM60(00000040,?,00000000), ref: 004289D3
__vbaFreeStr.MSVBVM60 ref: 004289DC
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,00000003), ref: 004289F4
#608.MSVBVM60(?,0000000D), ref: 00428A17
__vbaVarCat.MSVBVM60(?,?,?), ref: 00428A40
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 00428A4B
__vbaVarCat.MSVBVM60(00000004,?,00000000), ref: 00428A59
__vbaStrVarMove.MSVBVM60(00000000), ref: 00428A5C
__vbaStrMove.MSVBVM60 ref: 00428A67
__vbaLsetFixstr.MSVBVM60(00000040,?,00000000), ref: 00428A74
__vbaFreeStr.MSVBVM60 ref: 00428A7D
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,00000004), ref: 00428A95
__vbaRecUniToAnsi.MSVBVM60(00410468,?,?), ref: 00428AAE
__vbaSetSystemError.MSVBVM60(00000001,00000000), ref: 00428ABC
__vbaRecAnsiToUni.MSVBVM60(00410468,?,?), ref: 00428ACF

Strings

Zapret , xrefs: 0042881C, 004288CB, 0042896C, 00428A0D
RunDLL32.EXE shell32.dll,ShellExec_RunDLL , xrefs: 0042870B
sc stop zapret, xrefs: 00428710

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$Free$Move$#608FixstrListLset$AnsiCheckHresult$#600ErrorSystem
String ID: RunDLL32.EXE shell32.dll,ShellExec_RunDLL $Zapret $sc stop zapret
API String ID: 1793836221-1943169256
Opcode ID: d16b6371479077103d1d72060f1af19483e40e730c3c784d45e14531124bc824
Instruction ID: bab8598dcb2305d82b94e25df45a607bf590b08216d41416fbe05214770f6b61
Opcode Fuzzy Hash: d16b6371479077103d1d72060f1af19483e40e730c3c784d45e14531124bc824
Instruction Fuzzy Hash: 7CD1C7B1900219AFDB14DFA0DD89EEEBF78FB48705F10412AF606B6160DB746589CFA4

Function 0042CC20 Relevance: 75.6, APIs: 37, Strings: 6, Instructions: 319
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#608.MSVBVM60(?,00000022), ref: 0042CC75
#608.MSVBVM60(?,00000022), ref: 0042CC7D
__vbaStrCat.MSVBVM60(sc stop ,RunDLL32.EXE shell32.dll,ShellExec_RunDLL ), ref: 0042CC89
__vbaVarCat.MSVBVM60(?,?,?,00000000), ref: 0042CCB7
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0042CCC2
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0042CCCD
#600.MSVBVM60(00000000), ref: 0042CCD0
__vbaFreeVarList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 0042CCF2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410514,00000700), ref: 0042CD28
#608.MSVBVM60(?,00000022), ref: 0042CD34
#608.MSVBVM60(?,00000022), ref: 0042CD3C
__vbaStrCat.MSVBVM60(sc delete ,RunDLL32.EXE shell32.dll,ShellExec_RunDLL ), ref: 0042CD48
__vbaVarCat.MSVBVM60(?,?,?,00000000), ref: 0042CD71
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0042CD7C
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0042CD87
#600.MSVBVM60(00000000), ref: 0042CD8A
__vbaFreeVarList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 0042CDAC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410514,00000700), ref: 0042CDDF
#608.MSVBVM60(?,00000022), ref: 0042CDEB
#608.MSVBVM60(?,00000022), ref: 0042CDF3
__vbaStrCat.MSVBVM60(sc stop ,RunDLL32.EXE shell32.dll,ShellExec_RunDLL ), ref: 0042CDFF
__vbaVarCat.MSVBVM60(?,?,?,00000000), ref: 0042CE28
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0042CE33
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0042CE3E
#600.MSVBVM60(00000000), ref: 0042CE41
__vbaFreeVarList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 0042CE63
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410514,00000700), ref: 0042CE96
#608.MSVBVM60(?,00000022), ref: 0042CEA2
#608.MSVBVM60(?,00000022), ref: 0042CEAA
__vbaStrCat.MSVBVM60(sc delete ,RunDLL32.EXE shell32.dll,ShellExec_RunDLL ), ref: 0042CEB6
__vbaVarCat.MSVBVM60(?,?,?,00000000), ref: 0042CEDF
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0042CEEA
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0042CEF5
#600.MSVBVM60(00000000), ref: 0042CEF8
__vbaFreeVarList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 0042CF1A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410514,00000700), ref: 0042CF4D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410514,00000700), ref: 0042CF8F

Strings

WinDivert, xrefs: 0042CE21, 0042CED8
Zapret, xrefs: 0042CCB0, 0042CD6A
sc delete , xrefs: 0042CD43, 0042CEB1
sc stop , xrefs: 0042CC84, 0042CDFA
d, xrefs: 0042CF6F
RunDLL32.EXE shell32.dll,ShellExec_RunDLL , xrefs: 0042CC7F, 0042CD3E, 0042CDF5, 0042CEAC

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$#608$CheckHresult$#600FreeList
String ID: RunDLL32.EXE shell32.dll,ShellExec_RunDLL $WinDivert$Zapret$d$sc delete $sc stop
API String ID: 314738505-3804287651
Opcode ID: 1a2487f775c7c838cc32e2dd9efcd192f0f04b433975e13e1e2b8749dc2892cf
Instruction ID: ad35f52b0ce933f899cd6aee41da0d7698f055097ee776c34afa7d9561d5b7f0
Opcode Fuzzy Hash: 1a2487f775c7c838cc32e2dd9efcd192f0f04b433975e13e1e2b8749dc2892cf
Instruction Fuzzy Hash: 89C1E7B1900229ABDB10DBE4CC88EEEBBB9FF48704F14451AF605A7190EB746645CFA4

Function 00435CD0 Relevance: 74.0, APIs: 40, Strings: 2, Instructions: 491
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,004015C0,004126A0,00000058), ref: 00435D3C
__vbaSetSystemError.MSVBVM60(?,?), ref: 00435D59
__vbaHresultCheckObj.MSVBVM60(00000000,004015C0,004126A0,00000058), ref: 00435D74
__vbaSetSystemError.MSVBVM60(?,000000F0), ref: 00435D84
__vbaHresultCheckObj.MSVBVM60(00000000,004015C0,004126A0,000001C0), ref: 00435DB6
__vbaHresultCheckObj.MSVBVM60(00000000,004015C0,004126A0,00000054), ref: 00435DD1
__vbaFreeStr.MSVBVM60 ref: 00435DD6
__vbaHresultCheckObj.MSVBVM60(00000000,004015C0,004126A0,00000188), ref: 00435DFB
__vbaHresultCheckObj.MSVBVM60(00000000,004015C0,004126A0,00000178), ref: 00435E2E
__vbaHresultCheckObj.MSVBVM60(00000000,004015C0,004126A0,00000180), ref: 00435E5D
__vbaHresultCheckObj.MSVBVM60(00000000,004015C0,004126A0,00000050), ref: 00435E86
__vbaStrCmp.MSVBVM60(00412A30,?), ref: 00435E91
__vbaFreeStr.MSVBVM60 ref: 00435EA3
__vbaHresultCheckObj.MSVBVM60(00000000,004015C0,004126A0,00000058), ref: 00435ED4
__vbaSetSystemError.MSVBVM60(?,000000F0,?), ref: 00435EE5
__vbaHresultCheckObj.MSVBVM60(00000000,004015C0,004126A0,00000058), ref: 00435F00
__vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,?,00000224), ref: 00435F32
__vbaHresultCheckObj.MSVBVM60(00000000,004015C0,004126A0,000002A0), ref: 00435F4F
__vbaHresultCheckObj.MSVBVM60(00000000,004015C0,004126A0,00000050), ref: 00435F74
__vbaHresultCheckObj.MSVBVM60(00000000,004015C0,004126A0,000001C4), ref: 00435F95
__vbaFreeStr.MSVBVM60 ref: 00435F9A
__vbaHresultCheckObj.MSVBVM60(00000000,004015C0,004126A0,00000054), ref: 00435FBA

Strings

Tahoma, xrefs: 004360A0
Blacklist Update, xrefs: 00436167

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$CheckHresult$ErrorSystem$Free
String ID: Blacklist Update$Tahoma
API String ID: 1782569645-1520612030
Opcode ID: e4b57794a00646bde1ef91350f7bee3a1729754f4a728a04a05b9e28d0df1e5b
Instruction ID: 61cf98024ee56bae608cb2fe9732b5a470d4d102d6497ad20a6821e6e37e3d88
Opcode Fuzzy Hash: e4b57794a00646bde1ef91350f7bee3a1729754f4a728a04a05b9e28d0df1e5b
Instruction Fuzzy Hash: 4FF16070A00604BBDB10AFA5CD89F9FBBB8BF59700F20451AF545E71D0DBB8A5458BA8

Function 004323A0 Relevance: 68.6, APIs: 36, Strings: 3, Instructions: 327COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401886), ref: 004323BE
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00401886), ref: 00432405
__vbaEnd.MSVBVM60(?,?,?,?,00401886), ref: 00432422
__vbaHresultCheckObj.MSVBVM60(00000000,?,004104E4,000002B4), ref: 00432460
__vbaRecUniToAnsi.MSVBVM60(00410468,?,?), ref: 004324CB
__vbaSetSystemError.MSVBVM60(00000002,00000000), ref: 004324D9
__vbaRecAnsiToUni.MSVBVM60(00410468,?,?), ref: 004324F2
__vbaNew2.MSVBVM60(00410FA0,00447694), ref: 00432528
__vbaNew2.MSVBVM60(0040C5C8,0044708C), ref: 00432562
__vbaObjSetAddref.MSVBVM60(?,?), ref: 0043258B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410F90,00000010), ref: 004325B8
__vbaFreeObj.MSVBVM60 ref: 004325D3
__vbaNew2.MSVBVM60(00410FA0,00447694), ref: 004325F3

Strings

taskkill /f /im winws.exe, xrefs: 004327D6
Cmd /x/c net stop WinDivert, xrefs: 0043280A, 00432897
RunDLL32.EXE shell32.dll,ShellExec_RunDLL , xrefs: 004327D1

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$New2$AnsiCheckErrorHresult$AddrefChkstkFreeSystem
String ID: Cmd /x/c net stop WinDivert$RunDLL32.EXE shell32.dll,ShellExec_RunDLL $taskkill /f /im winws.exe
API String ID: 2773562908-261871869
Opcode ID: 1c4f88c48c699c8f62b6e999dd8b7f8318969bbac9da0525bb0e6857d630ae8b
Instruction ID: a7f2d2857ec8df991a6d13d9866ea7330b358f322b78a6b2f7ceb8cb8bd2a879
Opcode Fuzzy Hash: 1c4f88c48c699c8f62b6e999dd8b7f8318969bbac9da0525bb0e6857d630ae8b
Instruction Fuzzy Hash: 9CE16474901208EFDB14DF94DA48BDDBBB4FF08305F208199F5466B2A4C7B85A89DF58

Function 00431D40 Relevance: 61.6, APIs: 30, Strings: 5, Instructions: 396COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401886), ref: 00431D5E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00401886), ref: 00431DA5
__vbaNew2.MSVBVM60(00410FA0,00447694,?,?,?,?,00401886), ref: 00431DC5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410F90,00000018), ref: 00431E16
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411C0C,00000080), ref: 00431E64
_adj_fdiv_m32.MSVBVM60(?), ref: 00431E92
__vbaFpI4.MSVBVM60(?), ref: 00431EA1
__vbaFreeObj.MSVBVM60 ref: 00431EAD

Strings

pD, xrefs: 00431F2B
pD, xrefs: 004320A3
pD, xrefs: 0043214F
pD, xrefs: 004322E1
pD, xrefs: 00431FB2

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$CheckHresult$ChkstkErrorFreeNew2_adj_fdiv_m32
String ID: pD$ pD$ pD$ pD$ pD
API String ID: 1486161763-1927656537
Opcode ID: 86a97c301a954a3cb680e5fa0db036d447a17a34df82e7f6f9596b7369e2075c
Instruction ID: d73e014bb09b33615f6ad6c102770bae535228802ec4b1c1b4336359599b3ae5
Opcode Fuzzy Hash: 86a97c301a954a3cb680e5fa0db036d447a17a34df82e7f6f9596b7369e2075c
Instruction Fuzzy Hash: AD12F7B4A05308DFDB14DFA4C988B9DBBB1FB48304F20866EE509AB391C7785985CF59

Function 00428D60 Relevance: 48.3, APIs: 32, Instructions: 312COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401886), ref: 00428DD9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000074,?,?,?,?,?,?,?,00401886), ref: 00428DF7
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401886), ref: 00428E00
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401886), ref: 00428E14
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000074,?,?,?,?,?,?,?,00401886), ref: 00428E32
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401886), ref: 00428E3B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410514,00000700), ref: 00428E65
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401886), ref: 00428E95
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000074,?,?,?,?,?,?,?,00401886), ref: 00428EB3
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401886), ref: 00428EBC
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401886), ref: 00428ED0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000074,?,?,?,?,?,?,?,00401886), ref: 00428EEE
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401886), ref: 00428EF7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410514,00000700), ref: 00428F21
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401886), ref: 00428F5F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041083C,00000054,?,?,?,?,?,?,?,00401886), ref: 00428F7D
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401886), ref: 00428F86
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401886), ref: 00428F9A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000074,?,?,?,?,?,?,?,00401886), ref: 00428FB5
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401886), ref: 00428FBE
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401886), ref: 00428FD2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000074,?,?,?,?,?,?,?,00401886), ref: 00428FED
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401886), ref: 00428FF6
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401886), ref: 0042903A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041083C,00000054,?,?,?,?,?,?,?,00401886), ref: 00429058
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401886), ref: 00429061
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401886), ref: 00429075
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000074,?,?,?,?,?,?,?,00401886), ref: 00429090
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401886), ref: 00429099
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401886), ref: 004290AD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000074,?,?,?,?,?,?,?,00401886), ref: 004290C8
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401886), ref: 004290D1

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$CheckHresult$Free
String ID:
API String ID: 3976024557-0
Opcode ID: d6d450b2b633d9e7aac8d8dc8898c8947e4c2220d76d1261173986ff949f41f0
Instruction ID: 9a925ab30834a228cdfa59d4383a1ef12450aa63b8e708d9da4d19336270f6a4
Opcode Fuzzy Hash: d6d450b2b633d9e7aac8d8dc8898c8947e4c2220d76d1261173986ff949f41f0
Instruction Fuzzy Hash: A6B18070600205ABD710AF64DD88EAFBBBCFF59705F20452EF546E71A0CB74A985CBA4

Function 00435A50 Relevance: 40.7, APIs: 27, Instructions: 191COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6CCB285F,00401886,6CD768D4), ref: 00435AA8
__vbaOnError.MSVBVM60(00000001), ref: 00435AB0
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000,?), ref: 00435ACE
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 00435ADD
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00435AF1
__vbaFreeStr.MSVBVM60 ref: 00435AFC
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,?), ref: 00435B2F
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 00435B3A
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00435B48
__vbaFreeStr.MSVBVM60 ref: 00435B50
__vbaVargVarMove.MSVBVM60 ref: 00435B71
#607.MSVBVM60(?,?,00000002), ref: 00435B96
__vbaStrVarMove.MSVBVM60(?), ref: 00435BA0
__vbaStrMove.MSVBVM60 ref: 00435BAB
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00435BBB
__vbaStrToAnsi.MSVBVM60(?,?,?), ref: 00435BD0
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000), ref: 00435BE1
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 00435BEC
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00435BFA
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00435C04
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00435C13
#616.MSVBVM60(?,?), ref: 00435C28
__vbaVargVarMove.MSVBVM60 ref: 00435C3E
__vbaExitProc.MSVBVM60 ref: 00435C69
__vbaFreeStr.MSVBVM60(00435CAB), ref: 00435CA3
__vbaFreeStr.MSVBVM60 ref: 00435CA8

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$Free$AnsiErrorMoveUnicode$System$ListVarg$#607#616CopyExitProc
String ID:
API String ID: 1362019287-0
Opcode ID: dfb64bbbf4924c6fe57b992342dffc19ba3acf22b652247f5da2a4b989cc9da0
Instruction ID: 3e69a9d5f29c809366598301eb4a5c2a788f589578a0311f87588924cddaa9a3
Opcode Fuzzy Hash: dfb64bbbf4924c6fe57b992342dffc19ba3acf22b652247f5da2a4b989cc9da0
Instruction Fuzzy Hash: A871B6B2D10228ABCB14DFE4DD84AEEBBB9BF48700F14461AF502B7264DB745945CFA4

Function 0042DE50 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 187COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 0042DEA1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,00000054), ref: 0042DEC3
__vbaFreeObj.MSVBVM60 ref: 0042DED2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042DEE2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,00000054), ref: 0042DF04
__vbaFreeObj.MSVBVM60 ref: 0042DF0D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042DF1D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,00000054), ref: 0042DF3F
__vbaFreeObj.MSVBVM60 ref: 0042DF48
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042DF58
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,00000054), ref: 0042DF7A
__vbaFreeObj.MSVBVM60 ref: 0042DF83
__vbaStrCopy.MSVBVM60 ref: 0042DFA5
__vbaStrCopy.MSVBVM60 ref: 0042DFAF
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,00000002,?), ref: 0042DFDF
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0042DFEF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410514,00000700), ref: 0042E060

Strings

Software\ZapretLauncher, xrefs: 0042DFA7
Preset, xrefs: 0042DF90

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$Free$CheckHresult$CopyList
String ID: Preset$Software\ZapretLauncher
API String ID: 1289088096-3185846441
Opcode ID: 7dd391158da71a0f2c66fe6fb5fc160b608ef46ba28bcaf5eb22c72d4f10cb8e
Instruction ID: 0a87e3ef5608df447fda32e00b761ab0b50d7cae2ee98b6559fe13496b7250b2
Opcode Fuzzy Hash: 7dd391158da71a0f2c66fe6fb5fc160b608ef46ba28bcaf5eb22c72d4f10cb8e
Instruction Fuzzy Hash: BF615E70A00219ABDB10DFA5CD49EEEB7B8FF48705F10412AF546A72A0DB789946CF64

Function 0042DA10 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 186COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 0042DA67
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,00000054), ref: 0042DA85
__vbaFreeObj.MSVBVM60 ref: 0042DA8E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042DAA2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,00000054), ref: 0042DAC0
__vbaFreeObj.MSVBVM60 ref: 0042DAC9
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042DADD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,00000054), ref: 0042DAFB
__vbaFreeObj.MSVBVM60 ref: 0042DB04
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042DB18
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,00000054), ref: 0042DB36
__vbaFreeObj.MSVBVM60 ref: 0042DB3F
__vbaStrCopy.MSVBVM60 ref: 0042DB68
__vbaStrCopy.MSVBVM60 ref: 0042DB72
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,00000002,00000004), ref: 0042DBA2
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0042DBB2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410514,00000700), ref: 0042DC23

Strings

Software\ZapretLauncher, xrefs: 0042DB6A
Preset, xrefs: 0042DB4B

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$Free$CheckHresult$CopyList
String ID: Preset$Software\ZapretLauncher
API String ID: 1289088096-3185846441
Opcode ID: 0e18c76cc33e7bdba969def31e86da77407a580d482cd2cd2794cad74ad9e4f1
Instruction ID: 5929cc30ba983c870a8c86c96333721b5a776e39e1fdfdb5b027324a2db03ce9
Opcode Fuzzy Hash: 0e18c76cc33e7bdba969def31e86da77407a580d482cd2cd2794cad74ad9e4f1
Instruction Fuzzy Hash: BA614C70A00209ABDB14DFA5CD49FEFB7B8FF48704F10412AE545A71A0DBB89545CBA4

Function 0042D5D0 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 186COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 0042D627
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,00000054), ref: 0042D645
__vbaFreeObj.MSVBVM60 ref: 0042D64E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042D662
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,00000054), ref: 0042D680
__vbaFreeObj.MSVBVM60 ref: 0042D689
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042D69D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,00000054), ref: 0042D6BB
__vbaFreeObj.MSVBVM60 ref: 0042D6C4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042D6D8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,00000054), ref: 0042D6F6
__vbaFreeObj.MSVBVM60 ref: 0042D6FF
__vbaStrCopy.MSVBVM60 ref: 0042D728
__vbaStrCopy.MSVBVM60 ref: 0042D732
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,00000002,00000004), ref: 0042D762
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0042D772
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410514,00000700), ref: 0042D7E3

Strings

Software\ZapretLauncher, xrefs: 0042D72A
Preset, xrefs: 0042D70B

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$Free$CheckHresult$CopyList
String ID: Preset$Software\ZapretLauncher
API String ID: 1289088096-3185846441
Opcode ID: a57bc8134fbeceb394d6e6c188b39699b9a3aae2f28ccaafbbf73af8e6483585
Instruction ID: 138fcbad3a60559722a0f692a494b11c9c32a6deab2ab2c3b417c76379d40881
Opcode Fuzzy Hash: a57bc8134fbeceb394d6e6c188b39699b9a3aae2f28ccaafbbf73af8e6483585
Instruction Fuzzy Hash: 85611C70A00209AFDB14DFA4CD49FEFB7B8FF58704F10412AE546A61A4DB789545CBA4

Function 0042D1A0 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 0042D1F1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,00000054), ref: 0042D213
__vbaFreeObj.MSVBVM60 ref: 0042D222
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042D232
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,00000054), ref: 0042D254
__vbaFreeObj.MSVBVM60 ref: 0042D25D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042D26D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,00000054), ref: 0042D28F
__vbaFreeObj.MSVBVM60 ref: 0042D298
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042D2A8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,00000054), ref: 0042D2CA
__vbaFreeObj.MSVBVM60 ref: 0042D2D3
__vbaStrCopy.MSVBVM60 ref: 0042D2F9
__vbaStrCopy.MSVBVM60 ref: 0042D303
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,00000002,00000004), ref: 0042D333
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0042D343
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410514,00000700), ref: 0042D3AF

Strings

Software\ZapretLauncher, xrefs: 0042D2FB
Preset, xrefs: 0042D2E0

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$Free$CheckHresult$CopyList
String ID: Preset$Software\ZapretLauncher
API String ID: 1289088096-3185846441
Opcode ID: 702c906ddec65de7e083eafb1a20f7830d1b370c66a1704a892ecd763fbc298c
Instruction ID: ac3b83efdd96df09edadad8daca65fa865c59a3f133b4f3dda373687aaf37993
Opcode Fuzzy Hash: 702c906ddec65de7e083eafb1a20f7830d1b370c66a1704a892ecd763fbc298c
Instruction Fuzzy Hash: 51615E70900209AFDB14DFA4CD49EEFB7B8FF48704F104129F506A71A4DB789949CBA5

Function 00423AA0 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 00423B08
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410FB0,000000E0), ref: 00423B2F
__vbaFreeObj.MSVBVM60 ref: 00423B46
__vbaStrCopy.MSVBVM60 ref: 00423B74
__vbaStrCopy.MSVBVM60 ref: 00423B7E
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,00000002,00000004), ref: 00423BAE
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00423BBE
__vbaObjSet.MSVBVM60(?,00000000), ref: 00423BDD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410FB0,000000E0), ref: 00423C04
__vbaFreeObj.MSVBVM60 ref: 00423C1A
__vbaStrCopy.MSVBVM60 ref: 00423C42
__vbaStrCopy.MSVBVM60 ref: 00423C4C
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,00000002,00000004), ref: 00423C7C
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00423C8C

Strings

Software\ZapretLauncher, xrefs: 00423B76, 00423C44
Autostart, xrefs: 00423B57, 00423C25

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$Free$CopyList$CheckHresult
String ID: Autostart$Software\ZapretLauncher
API String ID: 3163261736-3145406623
Opcode ID: 4fe44eec556fae59edc0c39275df101a7c59ae92016b29088d17702ca0a10f3d
Instruction ID: e1f5c801820e7c8e133ccbc3c8a25cb295a138a5a27ec55c3a660ee558b64fc5
Opcode Fuzzy Hash: 4fe44eec556fae59edc0c39275df101a7c59ae92016b29088d17702ca0a10f3d
Instruction Fuzzy Hash: 90612DB1900259ABCB04DFD4CD89EEEBBB8FF48700F54811AE502BB194D7B85946CBA4

Function 00423D00 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 170COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 00423D68
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410FB0,000000E0), ref: 00423D8F
__vbaFreeObj.MSVBVM60 ref: 00423DA6
__vbaStrCopy.MSVBVM60 ref: 00423DD4
__vbaStrCopy.MSVBVM60 ref: 00423DDE
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,00000002,00000004), ref: 00423E0E
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00423E1E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00423E3D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410FB0,000000E0), ref: 00423E64
__vbaFreeObj.MSVBVM60 ref: 00423E7A
__vbaStrCopy.MSVBVM60 ref: 00423E9E
__vbaStrCopy.MSVBVM60 ref: 00423EA8
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,00000002,00000004), ref: 00423ED8
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00423EE8

Strings

Software\ZapretLauncher, xrefs: 00423DD6, 00423EA0
Autorun, xrefs: 00423DB7, 00423E85

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$Free$CopyList$CheckHresult
String ID: Autorun$Software\ZapretLauncher
API String ID: 3163261736-1177316709
Opcode ID: 3b60d5369ec7e6b072d1a14f5a0b30950ef0543aa29a9d1cfa06c63644ab9335
Instruction ID: 0a23c9ba5e72afa68c80e2add475b24cc2e7ef2c19744ec66fd1ec5461ecbe89
Opcode Fuzzy Hash: 3b60d5369ec7e6b072d1a14f5a0b30950ef0543aa29a9d1cfa06c63644ab9335
Instruction Fuzzy Hash: 0B513DB1D00259AFCB04DFD4CD89AEEBB78FB48700F54812EE506A7194D7785A49CBA4

Function 004357D0 Relevance: 25.6, APIs: 17, Instructions: 116COMMON

Download Yara Rule

APIs

__vbaVarVargNofree.MSVBVM60(6CCB285F,00401886,00401230,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00435824
__vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 0043582B
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,00000004), ref: 00435848
__vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,?,?,00000004), ref: 0043585A
__vbaStrToUnicode.MSVBVM60(00401886,?,?,00000000,?,?,00000004), ref: 00435865
__vbaFreeStr.MSVBVM60(?,00000000,?,?,00000004,?,?,?,?,?,?,?,?,?,?,?), ref: 00435871
__vbaVarVargNofree.MSVBVM60(6CCB285F,00401886,00401230,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00435887
__vbaStrVarCopy.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 0043588E
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00435899
__vbaLenBstr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 004358A3
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 004358B8
__vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 004358C9
__vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,00000000,00000000), ref: 004358D7
__vbaStrToUnicode.MSVBVM60(00401886,?,?,00000000,00000000,00000000), ref: 004358E8
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,00000000,00000000), ref: 004358F2
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,00000000,00000000), ref: 00435901
__vbaFreeStr.MSVBVM60(0043592F,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00435928

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$AnsiFreeUnicode$ErrorNofreeSystemVarg$BstrCopyListMove
String ID:
API String ID: 3959729296-0
Opcode ID: dae6c1a5e8d84110d802263beda651d40d0a3c8ae19a2af8c939ffe466440a03
Instruction ID: 1e5c7f68e5e5fbb126c35fe2c67bd0aa62da963cb57e4f96f2f46e57c79a5693
Opcode Fuzzy Hash: dae6c1a5e8d84110d802263beda651d40d0a3c8ae19a2af8c939ffe466440a03
Instruction Fuzzy Hash: 1941E9B5900209AFCB04DFA4DE89DEEBBB8FF4C300B10451AF501B7250D634AA41CBA4

Function 004333B0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00433418
__vbaStrCopy.MSVBVM60 ref: 00433422

Part of subcall function 00435950: __vbaStrToAnsi.MSVBVM60(?,?,00000000,0000003F,?,6CC8D83C,6CCB1B7C,6CD768D4), ref: 00435998
Part of subcall function 00435950: __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 004359B0
Part of subcall function 00435950: __vbaStrToUnicode.MSVBVM60(00401886,?,?,00000000), ref: 004359B7
Part of subcall function 00435950: __vbaFreeStr.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 004359C0
Part of subcall function 00435950: __vbaVarCopy.MSVBVM60(?,00000000,?,?,00000000), ref: 004359DF
Part of subcall function 00435950: __vbaSetSystemError.MSVBVM60(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004359EE
Part of subcall function 00435950: __vbaFreeVar.MSVBVM60(00435A1A,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00435A13

__vbaI4Var.MSVBVM60(?,?,?,?,?), ref: 00433444
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00433459
__vbaFreeVar.MSVBVM60 ref: 00433465
__vbaHresultCheckObj.MSVBVM60(00000000,00401528,004104E4,000002B0), ref: 004334D9
__vbaHresultCheckObj.MSVBVM60(00000000,00401528,004104E4,000002A8), ref: 004334FA
__vbaStrCopy.MSVBVM60 ref: 00433519
__vbaStrCopy.MSVBVM60 ref: 00433523
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,80000001,?,?,00000002,00000004), ref: 00433553
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00433563

Strings

Software\ZapretLauncher, xrefs: 0043341A, 0043351B
Control, xrefs: 004333F8, 00433500

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$Free$Copy$List$CheckErrorHresultSystem$AnsiUnicode
String ID: Control$Software\ZapretLauncher
API String ID: 2733173767-3956967378
Opcode ID: 2221bc160a2c546b8f817da138c13fdfcd8c5bcaccecc5b0631bb2ba6caca767
Instruction ID: b6b001fe8c3f332689ffb10f3c9d19f31d767fc976cd9c8e2c001033a0e65a81
Opcode Fuzzy Hash: 2221bc160a2c546b8f817da138c13fdfcd8c5bcaccecc5b0631bb2ba6caca767
Instruction Fuzzy Hash: F5510CB1D00209EFCB00DF99C989AEEFBB9FF48700F10851AE515AB291D7749945CF94

Function 0042CFE0 Relevance: 22.6, APIs: 15, Instructions: 144COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042D03B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,0000026C), ref: 0042D05A
__vbaFreeObj.MSVBVM60 ref: 0042D063
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042D08D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 0042D0A8
__vbaFreeObj.MSVBVM60 ref: 0042D0B1
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042D0C5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 0042D0E0
__vbaFreeObj.MSVBVM60 ref: 0042D0E9
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042D0FD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 0042D118
__vbaFreeObj.MSVBVM60 ref: 0042D127
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042D137
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 0042D152
__vbaFreeObj.MSVBVM60 ref: 0042D15B

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$CheckFreeHresult
String ID:
API String ID: 444973724-0
Opcode ID: 9a663d7f50bcdb3e2e74171e21b2ae373fc55caf59cf158b6076771c3a658fa9
Instruction ID: cec21e770c71489b6db2d9b6337466d270ca8cf0777536ec6d1c1aa11fdfe06e
Opcode Fuzzy Hash: 9a663d7f50bcdb3e2e74171e21b2ae373fc55caf59cf158b6076771c3a658fa9
Instruction Fuzzy Hash: ED417C70600206AFD710AF65CD49FABBBBCFF59705F204129F582E72A1CBB49946CB94

Function 0042D850 Relevance: 22.6, APIs: 15, Instructions: 143COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042D8AB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,0000026C), ref: 0042D8CA
__vbaFreeObj.MSVBVM60 ref: 0042D8D3
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042D901
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 0042D91C
__vbaFreeObj.MSVBVM60 ref: 0042D925
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042D939
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 0042D954
__vbaFreeObj.MSVBVM60 ref: 0042D95D
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042D971
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 0042D98C
__vbaFreeObj.MSVBVM60 ref: 0042D99B
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042D9AB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 0042D9C6
__vbaFreeObj.MSVBVM60 ref: 0042D9CF

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$CheckFreeHresult
String ID:
API String ID: 444973724-0
Opcode ID: 9e7e545de90b7925f2d73ca6831cb389de47040c85b4c9975a1d245df3ef694f
Instruction ID: 00f7d07a3f1d30086c596510a67ca34646f5de2fbfd63b2a22216e2b893b1552
Opcode Fuzzy Hash: 9e7e545de90b7925f2d73ca6831cb389de47040c85b4c9975a1d245df3ef694f
Instruction Fuzzy Hash: 97414E70600216AFD710AF65CD49FABBBBCFF55704F204129F582E72A1CB74A986CB94

Function 0042D410 Relevance: 22.6, APIs: 15, Instructions: 143COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042D46B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,0000026C), ref: 0042D48A
__vbaFreeObj.MSVBVM60 ref: 0042D493
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042D4C1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 0042D4DC
__vbaFreeObj.MSVBVM60 ref: 0042D4E5
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042D4F9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 0042D514
__vbaFreeObj.MSVBVM60 ref: 0042D51D
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042D531
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 0042D54C
__vbaFreeObj.MSVBVM60 ref: 0042D55B
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042D56B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 0042D586
__vbaFreeObj.MSVBVM60 ref: 0042D58F

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$CheckFreeHresult
String ID:
API String ID: 444973724-0
Opcode ID: 62e32e19d5301e8cd1b55573e80ec99983510e9bd59d6955bb5b998f968bb523
Instruction ID: 67a3a639dc1d1dbd7fe424d4f388b844b7815d87ead08241ab6620be55b54c3e
Opcode Fuzzy Hash: 62e32e19d5301e8cd1b55573e80ec99983510e9bd59d6955bb5b998f968bb523
Instruction Fuzzy Hash: 1E415030600216AFD710AF65CD49FABBBBCFF55704F204129F582A71A1CBB49986CB94

Function 0042DC90 Relevance: 22.6, APIs: 15, Instructions: 143COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042DCEB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,0000026C), ref: 0042DD0A
__vbaFreeObj.MSVBVM60 ref: 0042DD13
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042DD41
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 0042DD5C
__vbaFreeObj.MSVBVM60 ref: 0042DD65
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042DD79
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 0042DD94
__vbaFreeObj.MSVBVM60 ref: 0042DD9D
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042DDB1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 0042DDCC
__vbaFreeObj.MSVBVM60 ref: 0042DDDB
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042DDEB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 0042DE06
__vbaFreeObj.MSVBVM60 ref: 0042DE0F

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$CheckFreeHresult
String ID:
API String ID: 444973724-0
Opcode ID: a531651ece6a0390f3c8b68ab150b48b6acd56f99afab16c23ea005b98f687cb
Instruction ID: 53e1c8567628978ef734bea6cddfaf253ebb885c456c076e3803f6230b1b8e01
Opcode Fuzzy Hash: a531651ece6a0390f3c8b68ab150b48b6acd56f99afab16c23ea005b98f687cb
Instruction Fuzzy Hash: B4415D70600206AFD710AF65CD49FABBBBCFF55704F204129F582A72A1CB749986CB94

Function 00437670 Relevance: 21.1, APIs: 14, Instructions: 122COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004376B7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BBC,0000008C), ref: 004376D8
__vbaFreeObj.MSVBVM60 ref: 004376E1
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004376F5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411834,00000064), ref: 00437713
__vbaFreeObj.MSVBVM60 ref: 0043771C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004126A0,000002A0), ref: 0043773D
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00437751
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BBC,0000008C), ref: 00437772
__vbaFreeObj.MSVBVM60 ref: 00437781
__vbaSetSystemError.MSVBVM60(000001F4), ref: 0043778D
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004377A1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411834,0000005C), ref: 004377BC
__vbaFreeObj.MSVBVM60 ref: 004377C5

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$CheckHresult$Free$ErrorSystem
String ID:
API String ID: 2964430476-0
Opcode ID: 952122ab5b6eb0f7c416f95f2e1e7579c62a61f96b993bdc7027e3d84f85c18c
Instruction ID: b4ddda0a912a403f42599b662045aec0234eeb412d6ad7399cce64e65d8c0f3a
Opcode Fuzzy Hash: 952122ab5b6eb0f7c416f95f2e1e7579c62a61f96b993bdc7027e3d84f85c18c
Instruction Fuzzy Hash: 2E418E70200206ABD710AB65CD49FAFBBBCFF49B05F204129F481E71E1DB74A945CBA8

Function 00423F50 Relevance: 19.7, APIs: 13, Instructions: 168COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 00423FBE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410FB0,000000E0), ref: 00423FE8
__vbaFreeObj.MSVBVM60 ref: 00424002
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042402B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410FB0,000000E4), ref: 0042404F
__vbaFreeObj.MSVBVM60 ref: 00424058
__vbaVarDup.MSVBVM60 ref: 0042408F
__vbaVarDup.MSVBVM60 ref: 004240A1
#595.MSVBVM60(?,00000040,?,?,?), ref: 004240B5
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004240CD
__vbaObjSet.MSVBVM60(?,00000000), ref: 004240F3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410FB0,000000E0), ref: 0042411D
__vbaFreeObj.MSVBVM60 ref: 00424136

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$Free$CheckHresult$#595List
String ID:
API String ID: 2932806862-0
Opcode ID: 0f7fadc354c5949400260c33bfec00a836a502dcc91d8c7495211421b65c4070
Instruction ID: 8e34e4f864d5f086e7c18924af3532731b2ddef1ba1145ef4335e6a1c948ea35
Opcode Fuzzy Hash: 0f7fadc354c5949400260c33bfec00a836a502dcc91d8c7495211421b65c4070
Instruction Fuzzy Hash: F4515C71900258EFDB10DFA4D888EEEBBB9FF48700F14852EE546A7290DB745985CF94

Function 00423420 Relevance: 19.6, APIs: 13, Instructions: 142COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 00423483
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BBC,00000044), ref: 004234C9
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 004234D2
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 004234DB
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 004234EF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041083C,00000054), ref: 0042350D
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00423516
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 0042352A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000074), ref: 00423545
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 0042354E
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00423562
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000074), ref: 0042357D
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00423586

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$Free$CheckHresult
String ID:
API String ID: 1630692628-0
Opcode ID: 43dcb71be14c1623a04240c7d77af0ee4064ed9ecf525d1c668613c931952410
Instruction ID: dd0f1bf935806d13a116e514cd5109e5f2eb7474994b27e94a276bd8fc41f0e8
Opcode Fuzzy Hash: 43dcb71be14c1623a04240c7d77af0ee4064ed9ecf525d1c668613c931952410
Instruction Fuzzy Hash: 7C514E70A00205AFCB10DF69CD89F9ABBF8FF49705F204529F545E72A1D7789982CB94

Function 004235F0 Relevance: 19.6, APIs: 13, Instructions: 141COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 0042364C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BBC,00000044), ref: 00423692
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 0042369B
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 004236A4
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 004236B8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041083C,00000054), ref: 004236D6
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 004236DF
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 004236F3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000074), ref: 0042370E
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00423717
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 0042372B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,00000074), ref: 00423747
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00423750

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$Free$CheckHresult
String ID:
API String ID: 1630692628-0
Opcode ID: 663d3329c2b2cf4bbb782153b7cb8882e3bed542d15076237f8826724f8335d0
Instruction ID: f19c01c02291f8a9490d4b01b16b27687552e1bb40c0d156018a44d9e92c6e93
Opcode Fuzzy Hash: 663d3329c2b2cf4bbb782153b7cb8882e3bed542d15076237f8826724f8335d0
Instruction Fuzzy Hash: A0513070A00205AFCB00DF65CD89EAEBBB8FF49705F20452EF545E72A1DB789946CB94

Function 00446440 Relevance: 19.6, APIs: 13, Instructions: 133COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 0044649C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410F70,0000006C,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 004464BA
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 004464C3
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 004464D7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410F70,0000006C,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 004464F5
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 004464FE
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00446512
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410F70,0000006C,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00446530
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00446539
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 0044654D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BBC,00000044), ref: 00446590
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00446599
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 004465A2

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$Free$CheckHresult
String ID:
API String ID: 1630692628-0
Opcode ID: ff80ec3fc5833073fe7089a74a67815c4e3ecf91f4724883b60abc18293293c5
Instruction ID: 5ea30b716a4a46f049cdccdfd45598a8ad51f42f8351145285302beb9d2f3b22
Opcode Fuzzy Hash: ff80ec3fc5833073fe7089a74a67815c4e3ecf91f4724883b60abc18293293c5
Instruction Fuzzy Hash: 0B416271900205ABD710AFA5CD49F9FBBB8FF49700F10452EF546E32A4DB74A985CB98

Function 00432DB0 Relevance: 18.1, APIs: 12, Instructions: 123COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00432E21
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 00432E3C
__vbaFreeObj.MSVBVM60 ref: 00432E45
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00432E59
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 00432E74
__vbaFreeObj.MSVBVM60 ref: 00432E7D
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00432E91
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 00432EAC
__vbaFreeObj.MSVBVM60 ref: 00432EBB
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00432ECB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 00432EE6
__vbaFreeObj.MSVBVM60 ref: 00432EEF

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$CheckFreeHresult
String ID:
API String ID: 444973724-0
Opcode ID: c2739f9cc6d917d8a2e3f7b50d33bc2d98cd524c92b59539cce0116f83a8b560
Instruction ID: 30ec1568e37c41ff202ed23ccef876df81753d858ae48d9b6e59d814c3c5bbdc
Opcode Fuzzy Hash: c2739f9cc6d917d8a2e3f7b50d33bc2d98cd524c92b59539cce0116f83a8b560
Instruction Fuzzy Hash: 1B414F70600206AFD710AF65CD49FAFBBBCFF59704F204129F581A72A1DBB49986CB94

Function 00433230 Relevance: 18.1, APIs: 12, Instructions: 122COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004332A5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 004332C0
__vbaFreeObj.MSVBVM60 ref: 004332C9
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004332DD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 004332F8
__vbaFreeObj.MSVBVM60 ref: 00433301
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00433315
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 00433330
__vbaFreeObj.MSVBVM60 ref: 0043333F
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0043334F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 0043336A
__vbaFreeObj.MSVBVM60 ref: 00433373

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$CheckFreeHresult
String ID:
API String ID: 444973724-0
Opcode ID: 2a837fab7fedf41a01b6aae75179e687e9676696b1feef21a619f3f7e8485512
Instruction ID: ffe86886fb8d4f0bb659a8b8d8aeed98b1da27748f15c1cf602b47d073776341
Opcode Fuzzy Hash: 2a837fab7fedf41a01b6aae75179e687e9676696b1feef21a619f3f7e8485512
Instruction Fuzzy Hash: 47417170500206AFD710AF65CD49FAFBBB8FF59705F104129F981A72A1CB74A985CB94

Function 00432F30 Relevance: 18.1, APIs: 12, Instructions: 122COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00432FA5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 00432FC0
__vbaFreeObj.MSVBVM60 ref: 00432FC9
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00432FDD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 00432FF8
__vbaFreeObj.MSVBVM60 ref: 00433001
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00433015
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 00433030
__vbaFreeObj.MSVBVM60 ref: 0043303F
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0043304F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 0043306A
__vbaFreeObj.MSVBVM60 ref: 00433073

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$CheckFreeHresult
String ID:
API String ID: 444973724-0
Opcode ID: 825c18a2d37fe4b8b7e9916d7748238bef81e72f7ddb5a593e780de6b43241f1
Instruction ID: 0f1c1d051e88f8e7d5e55f828e999473edc893cbdc80efb77c58824a8750fb7b
Opcode Fuzzy Hash: 825c18a2d37fe4b8b7e9916d7748238bef81e72f7ddb5a593e780de6b43241f1
Instruction Fuzzy Hash: E5416F70500206AFD710AF65CD49FAFBBBCFF59705F204129F581A72A1CBB4A985CB94

Function 004330B0 Relevance: 18.1, APIs: 12, Instructions: 122COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00433125
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 00433140
__vbaFreeObj.MSVBVM60 ref: 00433149
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0043315D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 00433178
__vbaFreeObj.MSVBVM60 ref: 00433181
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00433195
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 004331B0
__vbaFreeObj.MSVBVM60 ref: 004331BF
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004331CF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BCC,0000006C), ref: 004331EA
__vbaFreeObj.MSVBVM60 ref: 004331F3

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$CheckFreeHresult
String ID:
API String ID: 444973724-0
Opcode ID: c0a812496cb34d2a384314f8a21304a2b52e3f8efa4716dec91a347177287716
Instruction ID: 17b854823cc7798baf1d51faf25b57e4990bc8fe6af72a113b9c224ec184ea31
Opcode Fuzzy Hash: c0a812496cb34d2a384314f8a21304a2b52e3f8efa4716dec91a347177287716
Instruction Fuzzy Hash: 83417130500206AFD710AF65CD49FAFBBBCFF59705F204169F581A72A1CB74A945CB94

Function 00438D70 Relevance: 16.6, APIs: 11, Instructions: 142COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,?,00410E14,000002B4), ref: 00438E20
__vbaNew2.MSVBVM60(00410FA0,00447694), ref: 00438E38
__vbaObjSetAddref.MSVBVM60(?,?), ref: 00438E51
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410F90,00000010), ref: 00438E71
__vbaFreeObj.MSVBVM60 ref: 00438E7A
#608.MSVBVM60(?,0000000D), ref: 00438E86
__vbaVarDup.MSVBVM60 ref: 00438EC0
__vbaVarCat.MSVBVM60(?,?,?,00000030,?,?,?), ref: 00438F06
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 00438F14
#595.MSVBVM60(00000000), ref: 00438F17
__vbaFreeVarList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 00438F37

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$CheckFreeHresult$#595#608AddrefListNew2
String ID:
API String ID: 275726295-0
Opcode ID: f57edb2c5c58a9be4163e16643bd89bf705cc5cba92a0c64eb9195800f260c86
Instruction ID: ce689db361164e6f64ed755647e1e1c08110df2a1fcdaa213ba86889379ef284
Opcode Fuzzy Hash: f57edb2c5c58a9be4163e16643bd89bf705cc5cba92a0c64eb9195800f260c86
Instruction Fuzzy Hash: AB511BB1D01309AFCB10CFA4CA89ADEBBB9FB48700F20416EF149A7251D7746A45CFA4

Function 004377F0 Relevance: 16.6, APIs: 11, Instructions: 111COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00437845
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411834,0000005C), ref: 0043786A
__vbaFreeObj.MSVBVM60 ref: 00437877
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0043788B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BBC,0000008C), ref: 004378B0
__vbaFreeObj.MSVBVM60 ref: 004378BB
__vbaHresultCheckObj.MSVBVM60(00000000,00401680,004126A0,000002A0), ref: 004378D8
__vbaSetSystemError.MSVBVM60(00000320), ref: 004378E4
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004378F8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411834,0000005C), ref: 00437917
__vbaFreeObj.MSVBVM60 ref: 0043791C

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$CheckHresult$Free$ErrorSystem
String ID:
API String ID: 2964430476-0
Opcode ID: 9486811c6adcee288377f13671c1682ca973da19f006c32adb80e006b9489aa8
Instruction ID: 6d9ae4bee56fbdf826b69e650b0b703cd484b47cf706a2bac95026e5b0e59a98
Opcode Fuzzy Hash: 9486811c6adcee288377f13671c1682ca973da19f006c32adb80e006b9489aa8
Instruction Fuzzy Hash: 6F315F70500205ABD714AF65CD49F9FBBBCFF09704F20822AF581A72E1DA789945CBA4

Function 00443D60 Relevance: 12.1, APIs: 8, Instructions: 143COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401886), ref: 00443DC7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411834,0000005C,?,?,?,?,?,?,?,00401886), ref: 00443DE5
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401886), ref: 00443DEE
__vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,?,00401886), ref: 00443E3B
__vbaObjSet.MSVBVM60(?,00000000,?,004017E0,00000000), ref: 00443EA6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BBC,00000044), ref: 00443EED
__vbaFreeObj.MSVBVM60 ref: 00443EF6
__vbaFreeVar.MSVBVM60 ref: 00443EFF

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$Free$CheckHresult$ErrorOverflow
String ID:
API String ID: 3883386472-0
Opcode ID: b15d5f52a30452668ef217efdc114d9d276fbc8cc4fd0a0a8c37b0940e5737d1
Instruction ID: 35aeb58fa4e1c6b5849e60bb2ada1ba8bbc6efd4f99da104f1e1f212a6d4db8e
Opcode Fuzzy Hash: b15d5f52a30452668ef217efdc114d9d276fbc8cc4fd0a0a8c37b0940e5737d1
Instruction Fuzzy Hash: 53419F71901205EFCB10DFA4C989A9ABFB8FF08705F20852EF942A3290D778A945CF94

Function 00432920 Relevance: 12.1, APIs: 8, Instructions: 106COMMON

Download Yara Rule

APIs

__vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,00401886), ref: 00432966
__vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,00401886), ref: 0043296F
#598.MSVBVM60(?,?,?,?,?,?,00401886), ref: 0043297E
__vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,00401886), ref: 0043298B
__vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,00401886), ref: 004329B9
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432A13
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411834,0000005C), ref: 00432A32
__vbaFreeObj.MSVBVM60 ref: 00432A3B

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$Error$System$#598CheckFreeHresultOverflow
String ID:
API String ID: 2436890720-0
Opcode ID: 432ac1242ba0a7be0bdc60be63048f33c40fa1c6a3541ec45369a17e084851fa
Instruction ID: 70f7b66b14f925ed947dbc5759cc908d8ba3a017e1f0feaab41d46c831258f94
Opcode Fuzzy Hash: 432ac1242ba0a7be0bdc60be63048f33c40fa1c6a3541ec45369a17e084851fa
Instruction Fuzzy Hash: 1D31C475A00204EFC710EF69C989B9EBBB8FF48710F20816AF845E72A0D7785941CBD4

Function 00423300 Relevance: 12.1, APIs: 8, Instructions: 84COMMON

Download Yara Rule

APIs

__vbaSetSystemError.MSVBVM60(00000000,00000000,00000001), ref: 0042335A
__vbaStrToAnsi.MSVBVM60(?,?,00000004), ref: 0042336F
__vbaSetSystemError.MSVBVM60(00000000,00000000,?,00000004), ref: 0042337E
__vbaStrToUnicode.MSVBVM60(?,?,?,00000004), ref: 00423385
__vbaFreeStr.MSVBVM60(?,00000004), ref: 00423390
__vbaSetSystemError.MSVBVM60(00000000,?,?,00000004), ref: 004233AB
__vbaSetSystemError.MSVBVM60(00000000,?,00000004), ref: 004233D0
__vbaSetSystemError.MSVBVM60(?,?,00000004), ref: 004233DB

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$ErrorSystem$AnsiFreeUnicode
String ID:
API String ID: 2293196248-0
Opcode ID: 8c681e16c7009187d15196c05ee5038ebedb0a59b218cd33d912f9c9e5d5a117
Instruction ID: a00ea825325c84c0c36a1636f9a3d38cf73b30abc7ac618472b76b0519f5d781
Opcode Fuzzy Hash: 8c681e16c7009187d15196c05ee5038ebedb0a59b218cd33d912f9c9e5d5a117
Instruction Fuzzy Hash: 66216271E00328ABCB10EFA5DD85E9EB7B8BF48740F50852AF901A7250CB7C5A418F99

Function 00423200 Relevance: 12.1, APIs: 8, Instructions: 69COMMON

Download Yara Rule

APIs

__vbaSetSystemError.MSVBVM60(00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00401886), ref: 0042324E
__vbaStrToAnsi.MSVBVM60(?,?,00000004,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00423263
__vbaSetSystemError.MSVBVM60(00000000,00000000,?,00000004,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00423272
__vbaStrToUnicode.MSVBVM60(?,?,?,00000004,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00423279
__vbaFreeStr.MSVBVM60(?,00000004,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00423282
__vbaSetSystemError.MSVBVM60(?,00000004,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00423293
__vbaSetSystemError.MSVBVM60(00000000,?,00000004), ref: 004232B3
__vbaSetSystemError.MSVBVM60(?,?,00000004), ref: 004232BE

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$ErrorSystem$AnsiFreeUnicode
String ID:
API String ID: 2293196248-0
Opcode ID: 835fc1d3292a5bfc9c32719bea052547da7d3bcbb088a5f8b1af3c57c0e67518
Instruction ID: 7da9a5cd0cf6863c90f9aea608a1b18eb664c9c356c7fddb962685eed51df8b5
Opcode Fuzzy Hash: 835fc1d3292a5bfc9c32719bea052547da7d3bcbb088a5f8b1af3c57c0e67518
Instruction Fuzzy Hash: D7216271E00218EBCB10AFA5CC85FAEBBB8BF48750F54416AF511B7251C67C59818FA9

Function 00435950 Relevance: 10.6, APIs: 7, Instructions: 61COMMON

Download Yara Rule

APIs

__vbaStrToAnsi.MSVBVM60(?,?,00000000,0000003F,?,6CC8D83C,6CCB1B7C,6CD768D4), ref: 00435998
__vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 004359B0
__vbaStrToUnicode.MSVBVM60(00401886,?,?,00000000), ref: 004359B7
__vbaFreeStr.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 004359C0

Part of subcall function 00435A50: __vbaStrCopy.MSVBVM60(6CCB285F,00401886,6CD768D4), ref: 00435AA8
Part of subcall function 00435A50: __vbaOnError.MSVBVM60(00000001), ref: 00435AB0
Part of subcall function 00435A50: __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000,?), ref: 00435ACE
Part of subcall function 00435A50: __vbaSetSystemError.MSVBVM60(?,00000000), ref: 00435ADD
Part of subcall function 00435A50: __vbaStrToUnicode.MSVBVM60(?,?), ref: 00435AF1
Part of subcall function 00435A50: __vbaFreeStr.MSVBVM60 ref: 00435AFC
Part of subcall function 00435A50: __vbaExitProc.MSVBVM60 ref: 00435C69
Part of subcall function 00435A50: __vbaFreeStr.MSVBVM60(00435CAB), ref: 00435CA3
Part of subcall function 00435A50: __vbaFreeStr.MSVBVM60 ref: 00435CA8

__vbaVarCopy.MSVBVM60(?,00000000,?,?,00000000), ref: 004359DF
__vbaSetSystemError.MSVBVM60(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004359EE
__vbaFreeVar.MSVBVM60(00435A1A,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00435A13

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$Free$Error$System$AnsiCopyUnicode$ExitProc
String ID:
API String ID: 4122418836-0
Opcode ID: 8e5c4f7f1b4081dedccdd3c2edfce6279fbf2391fd9bdce5ff753562939fabac
Instruction ID: 8a57ed43659ecf5f5ca6999b8c5edcddf642c7d88ed8848762d396a40e9af1d0
Opcode Fuzzy Hash: 8e5c4f7f1b4081dedccdd3c2edfce6279fbf2391fd9bdce5ff753562939fabac
Instruction Fuzzy Hash: BE21D8B5910249EFCB04EFA5DD85EAEBBB8FF48700F108529F511A7260EB346945CFA4

Function 00428B30 Relevance: 9.1, APIs: 6, Instructions: 106COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,?,00410514,000006FC,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00428B91
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00428BAF
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00428BFD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410BBC,00000044), ref: 00428C44
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00428C49
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00428C52

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$CheckFreeHresult
String ID:
API String ID: 444973724-0
Opcode ID: 876f824836af7470d61d1e8baa2ebffd29ce875b7a81f1ea2096279c8b161102
Instruction ID: 248515885949eb6d22d7a257c21395583c864d62327813e6588f5f4703cb61c7
Opcode Fuzzy Hash: 876f824836af7470d61d1e8baa2ebffd29ce875b7a81f1ea2096279c8b161102
Instruction Fuzzy Hash: A24171B19013059FC714DFA9D988AAEBBF8FF48700F20446EF146A7250D774A941CFA8

Function 00423880 Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040C5C8,0044708C), ref: 004238D9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410E14,000002B0), ref: 0042393E
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00423955
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410F70,0000006C), ref: 00423977
__vbaFreeObj.MSVBVM60 ref: 00423980

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID:
API String ID: 4261391273-0
Opcode ID: 0425daf144cdc2ddfbcac8b110ff9f2a852e3a04e2036277ea8bd6e29d250084
Instruction ID: 1fd16c412044591fcc931196d99a03be644a7aa87cea5b93d44b851e960b4648
Opcode Fuzzy Hash: 0425daf144cdc2ddfbcac8b110ff9f2a852e3a04e2036277ea8bd6e29d250084
Instruction Fuzzy Hash: 91311BB4A00204AFD700DF68C989B9ABBF8EF09704F10806AF909EB391D77899458B94

Function 0042E0D0 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042E125
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411FB4,0000026C), ref: 0042E148
__vbaFreeObj.MSVBVM60 ref: 0042E151
__vbaNew2.MSVBVM60(0040D618,004470A0), ref: 0042E16A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004126A0,000002B0), ref: 0042E1CF

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID:
API String ID: 4261391273-0
Opcode ID: 14227923978a05979773e53233eb68970023921a669646c2901a58982030fe69
Instruction ID: 6cab3c4c5523cb0f8d2b961dc7c268bfc15abd59d7eccf4d2230892454d83922
Opcode Fuzzy Hash: 14227923978a05979773e53233eb68970023921a669646c2901a58982030fe69
Instruction Fuzzy Hash: 01314B74A01214AFCB00DF69C949B9ABBF8FF09700F24816AF849E7391D775A841CB98

Function 004356E0 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

__vbaStrToAnsi.MSVBVM60(?,?,00000000,0000003F,?,00000000,6CC8D83C,00401230), ref: 00435725
__vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00401886), ref: 0043573D
__vbaStrToUnicode.MSVBVM60(00401886,?,?,00000000,?,?,?,?,?,?,?,?,?,00401886), ref: 00435744
__vbaFreeStr.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00401886), ref: 0043574D

Part of subcall function 004357D0: __vbaVarVargNofree.MSVBVM60(6CCB285F,00401886,00401230,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00435824
Part of subcall function 004357D0: __vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 0043582B
Part of subcall function 004357D0: __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,00000004), ref: 00435848
Part of subcall function 004357D0: __vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,?,?,00000004), ref: 0043585A
Part of subcall function 004357D0: __vbaStrToUnicode.MSVBVM60(00401886,?,?,00000000,?,?,00000004), ref: 00435865
Part of subcall function 004357D0: __vbaFreeStr.MSVBVM60(?,00000000,?,?,00000004,?,?,?,?,?,?,?,?,?,?,?), ref: 00435871
Part of subcall function 004357D0: __vbaFreeStr.MSVBVM60(0043592F,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401886), ref: 00435928

__vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 00435771

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$ErrorFreeSystem$AnsiUnicode$NofreeVarg
String ID:
API String ID: 3986826868-0
Opcode ID: b45b63704c3949d10f41e62c3e74c6857945bf9903a183dd8f7ff3f8be8f75a2
Instruction ID: 79951a38ab36c99eedbd984c9ad18041290c506bec44872108c93ec91b803a30
Opcode Fuzzy Hash: b45b63704c3949d10f41e62c3e74c6857945bf9903a183dd8f7ff3f8be8f75a2
Instruction Fuzzy Hash: C811CEB5910209AFCB04EFA5DD85EAFBBB9FF48700F10852AB901A7250D7789941CFA5

Function 00435600 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

__vbaStrToAnsi.MSVBVM60(?,00000000,00000000,00000000,00000000,0000003F,00000000,?,?,6CC8D83C,6CCB1B7C,6CC8D8F4), ref: 0043564F
__vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,?,?,?,?,?,?,00401886,?), ref: 00435669
__vbaStrToUnicode.MSVBVM60(00401886,?,?,?,?,?,?,?,?,?,?,00401886,?), ref: 00435670
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,00401886,?), ref: 0043567C
__vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401886,?), ref: 0043568B

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$ErrorSystem$AnsiFreeUnicode
String ID:
API String ID: 2293196248-0
Opcode ID: 9cbd7a31630bda23c0b889d047c829889cd60b78f224db5c19b7a8e7d1d9eccd
Instruction ID: cd3f658a85651f9c53993f18a0e9ca447dc16cfd6a0a242cfd0245a37c3d695f
Opcode Fuzzy Hash: 9cbd7a31630bda23c0b889d047c829889cd60b78f224db5c19b7a8e7d1d9eccd
Instruction Fuzzy Hash: 9D110AB4D00209AFDB04EFA9CD85EBEBBBCFB4C700F108519F905E7250E67869418BA5

Function 004239C0 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00410FA0,00447694), ref: 00423A22
__vbaObjSetAddref.MSVBVM60(?,00401220), ref: 00423A38
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410F90,00000010), ref: 00423A55
__vbaFreeObj.MSVBVM60 ref: 00423A5E

Memory Dump Source

Source File: 00000000.00000002.2272504954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2272487770.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272544165.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2272564850.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Launcher for Zapret.jbxd

Similarity

API ID: __vba$AddrefCheckFreeHresultNew2
String ID:
API String ID: 1649212984-0
Opcode ID: c5f6ee96774e71a7523210110158bb6119cff73c9961d35f9bc471913eb81b09
Instruction ID: d9107222bd49b408be6fcbd4610cf1ce588ace6b718776f6d3082d711ba36621
Opcode Fuzzy Hash: c5f6ee96774e71a7523210110158bb6119cff73c9961d35f9bc471913eb81b09
Instruction Fuzzy Hash: 66116074A00209EFC700DF68DD89B9EBFB8FB09715F60816AF945A7291C37869458BD8

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.171512933051791
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Launcher for Zapret.exe
File size:	338'656 bytes
MD5:	f4a8627b03da3601ed7fd50c4353b6c2
SHA1:	dacbb2e6bbcefc818341d2bc2600fb1d5aeb77e7
SHA256:	4b838a0bf49716ec168dfd5a22d677179234dca67c46f1f27f1ede3f322da395
SHA512:	c0f5063aab00b9ae8598b88a1c9d15cc8bdd0799bdd08d99476f2482fb1213ddfcec521c634dca9d326477ef4a6bcf9672d2279952b4f792b924a7d816b8a5d2
SSDEEP:	6144:V1uLVY/wmpHtWTYNFcLvH5UGzZiSdE8WFD:VMZY/wma0FcLvH5UGzZiSdE8WFD
TLSH:	4C740917F669984AE5C10BB0583195672DAA3C3474E0D81FE78EBE0936F61D3BAF1213
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=.{.ya..ya..ya...}..xa...~..~a...~..xa..Richya..........................PE..L...{$.g.................`..........(........p....@

Entrypoint:	0x401b28
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x6714247B [Sat Oct 19 21:28:27 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4aa492fbb5432641b16f6cb9a8484c99

Signature Valid:	false
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2009-2 CA
Signature Validation Error:	A certificate chain could not be built to a trusted root authority
Error Number:	-2146762486
Not Before, Not After	19/10/2024 23:28:09 19/10/2025 23:28:08
Subject Chain	CN=TOPERSOFT
Version:	3
Thumbprint MD5:	16049664D384E800B71809578558F724
Thumbprint SHA-1:	090D0AECD2FBE530312C689B8442B1AC5EAF4330
Thumbprint SHA-256:	EB33D0D11B9B1198CF3B30A6F5CD723B598216194366E4A5EB9C20B979EF9B53
Serial:	4455021F

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre


Icon Hash:	70cc96abbb96cc71

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Launcher for Zapret.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DF2CE0E421F638160B.TMP

C:\Users\user\AppData\Local\Temp\~DFA807BB668B346075.TMP

C:\Users\user\AppData\Local\Temp\~DFFD426ED8B652D717.TMP

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: Launcher for Zapret.exePID: 1240, Parent PID: 1028

General

File Activities

File Opened

File Created

File Deleted

Windows Analysis Report
Launcher for Zapret.exe