Edit tour

Windows Analysis Report
AGrsqxaSjd.exe

Overview

General Information

Sample name:	AGrsqxaSjd.exe renamed because original name is a hash value
Original sample name:	02409c8e60592f537c66f9faf8137c6ad71bfa81884107f926c4f9a69429144e.exe
Analysis ID:	1571529
MD5:	065753739a03f973e392ff9d2e744d44
SHA1:	404470202a947ced4f89674856b819f1ae183f5c
SHA256:	02409c8e60592f537c66f9faf8137c6ad71bfa81884107f926c4f9a69429144e
Tags:	exeuser-adrian__luca
Infos:

Detection

DarkCloud

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected DarkCloud

AI detected suspicious sample

Machine Learning detection for sample

PE file has a writeable .text section

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Writes or reads registry keys via WMI

Contains functionality to retrieve information about pressed keystrokes

Detected potential crypto function

Found large amount of non-executed APIs

IP address seen in connection with other malware

May check the online IP address of the machine

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

AGrsqxaSjd.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\AGrsqxaSjd.exe" MD5: 065753739A03F973E392FF9D2E744D44)

WmiPrvSE.exe (PID: 7536 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 64ACA4F48771A5BA50CD50F2410632AD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkCloud Stealer	Stealer is written in Visual Basic.	No Attribution	https://asec.ahnlab.com/en/53128/ https://c3rb3ru5d3d53c.github.io/malware-blog/darkcloud-stealer/	https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud

Malware Configuration

Threatname: DarkCloud

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot8136579075:AAGj0tA4jaUAY9OKp-x5cJn4qOrj2emlQuE/sendMessage?chat_id=7309975149"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
AGrsqxaSjd.exe	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1328576742.0000000000401000.00000080.00000001.01000000.00000003.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Process Memory Space: AGrsqxaSjd.exe PID: 7416	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Process Memory Space: AGrsqxaSjd.exe PID: 7416	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.AGrsqxaSjd.exe.400000.0.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.0.AGrsqxaSjd.exe.400000.0.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T14:31:07.011552+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49712	162.55.60.2	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: AGrsqxaSjd.exe

Avira: detected

Found malware configuration

Source: AGrsqxaSjd.exe

Malware Configuration Extractor: DarkCloud {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot8136579075:AAGj0tA4jaUAY9OKp-x5cJn4qOrj2emlQuE/sendMessage?chat_id=7309975149"}

Multi AV Scanner detection for submitted file

Source: AGrsqxaSjd.exe

ReversingLabs: Detection: 84%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for sample

Source: AGrsqxaSjd.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: AGrsqxaSjd.exe	String decryptor: Cookies
Source: AGrsqxaSjd.exe	String decryptor: \Default\Login Data
Source: AGrsqxaSjd.exe	String decryptor: \Login Data
Source: AGrsqxaSjd.exe	String decryptor: Password :
Source: AGrsqxaSjd.exe	String decryptor: //setting[@name='Password']/value
Source: AGrsqxaSjd.exe	String decryptor: Software\Martin Prikryl\WinSCP 2\Sessions
Source: AGrsqxaSjd.exe	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: AGrsqxaSjd.exe	String decryptor: SMTP Email Address
Source: AGrsqxaSjd.exe	String decryptor: NNTP Email Address
Source: AGrsqxaSjd.exe	String decryptor: Email
Source: AGrsqxaSjd.exe	String decryptor: HTTPMail User Name
Source: AGrsqxaSjd.exe	String decryptor: HTTPMail Server
Source: AGrsqxaSjd.exe	String decryptor: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
Source: AGrsqxaSjd.exe	String decryptor: Password
Source: AGrsqxaSjd.exe	String decryptor: ^(?!:\/\/)([a-zA-Z0-9-_]+\.)[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$
Source: AGrsqxaSjd.exe	String decryptor: ^3[47][0-9]{13}$
Source: AGrsqxaSjd.exe	String decryptor: ^(6541\|6556)[0-9]{12}$
Source: AGrsqxaSjd.exe	String decryptor: ^389[0-9]{11}$
Source: AGrsqxaSjd.exe	String decryptor: ^3(?:0[0-5]\|[68][0-9])[0-9]{11}$
Source: AGrsqxaSjd.exe	String decryptor: ^63[7-9][0-9]{13}$
Source: AGrsqxaSjd.exe	String decryptor: ^(?:2131\|1800\|35\\d{3})\\d{11}$
Source: AGrsqxaSjd.exe	String decryptor: ^9[0-9]{15}$
Source: AGrsqxaSjd.exe	String decryptor: ^(6304\|6706\|6709\|6771)[0-9]{12,15}$
Source: AGrsqxaSjd.exe	String decryptor: ^(5018\|5020\|5038\|6304\|6759\|6761\|6763)[0-9]{8,15}$
Source: AGrsqxaSjd.exe	String decryptor: Mastercard
Source: AGrsqxaSjd.exe	String decryptor: ^(6334\|6767)[0-9]{12}\|(6334\|6767)[0-9]{14}\|(6334\|6767)[0-9]{15}$
Source: AGrsqxaSjd.exe	String decryptor: ^(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{12}\|(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{14}\|(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{15}\|564182[0-9]{10}\|564182[0-9]{12}\|564182[0-9]{13}\|633110[0-9]{10}\|633110[0-9]{12}\|633110[0-9]{13}$
Source: AGrsqxaSjd.exe	String decryptor: Visa Card
Source: AGrsqxaSjd.exe	String decryptor: ^(?:4[0-9]{12}(?:[0-9]{3})?\|5[1-5][0-9]{14})$
Source: AGrsqxaSjd.exe	String decryptor: Visa Master Card
Source: AGrsqxaSjd.exe	String decryptor: \logins.json
Source: AGrsqxaSjd.exe	String decryptor: \signons.sqlite
Source: AGrsqxaSjd.exe	String decryptor: Foxmail.exe
Source: AGrsqxaSjd.exe	String decryptor: mail\
Source: AGrsqxaSjd.exe	String decryptor: \Accounts\Account.rec0
Source: AGrsqxaSjd.exe	String decryptor: \AccCfg\Accounts.tdat
Source: AGrsqxaSjd.exe	String decryptor: EnableSignature
Source: AGrsqxaSjd.exe	String decryptor: Application : FoxMail
Source: AGrsqxaSjd.exe	String decryptor: encryptedUsername
Source: AGrsqxaSjd.exe	String decryptor: logins
Source: AGrsqxaSjd.exe	String decryptor: encryptedPassword
Source: AGrsqxaSjd.exe	String decryptor: \Default\Cookies
Source: AGrsqxaSjd.exe	String decryptor: \Cookies
Source: AGrsqxaSjd.exe	String decryptor: \cookies.sqlite
Source: AGrsqxaSjd.exe	String decryptor: \cookies.db

Source: AGrsqxaSjd.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:

Binary string: W.pdb4 source: AGrsqxaSjd.exe

Source: Joe Sandbox View

IP Address: 162.55.60.2 162.55.60.2

Source: unknown

DNS query: name: showip.net

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49712 -> 162.55.60.2:80

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\AGrsqxaSjd.exe

Code function: 0_2_00432D60 __vbaStrMove,__vbaStrCat,__vbaFixstrConstruct,__vbaNew2,__vbaHresultCheckObj,__vbaHresultCheckObj,__vbaStrToAnsi,InternetOpenA,__vbaSetSystemError,__vbaFreeStrList,__vbaFreeStrList,__vbaFreeObj,__vbaStrToAnsi,InternetOpenUrlA,__vbaSetSystemError,__vbaStrToUnicode,__vbaFreeStr,__vbaStrToAnsi,__vbaSetSystemError,__vbaStrToUnicode,__vbaLsetFixstr,__vbaLsetFixstr,__vbaFreeStrList,__vbaStrCopy,__vbaStrToAnsi,InternetReadFile,__vbaStrToUnicode,__vbaLsetFixstr,__vbaFreeStrList,__vbaStrCopy,#631,__vbaStrMove,__vbaLsetFixstr,__vbaStrCat,__vbaStrMove,__vbaFreeStrList,__vbaSetSystemError,#598,__vbaSetSystemError,__vbaStrCopy,__vbaFreeStr,__vbaFreeStr,__vbaFreeStr,

0_2_00432D60

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Project1Host: showip.net

Source: global traffic

DNS traffic detected: DNS query: showip.net

Source: AGrsqxaSjd.exe, 00000000.00000003.1384373852.0000000000734000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384398201.0000000000723000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384339139.0000000003308000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schema.org
Source: AGrsqxaSjd.exe, 00000000.00000002.2571164744.00000000006A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net
Source: AGrsqxaSjd.exe, 00000000.00000003.1384447891.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000002.2571164744.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000002.2571164744.00000000006A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/
Source: AGrsqxaSjd.exe, 00000000.00000003.1384447891.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000002.2571164744.00000000006D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/2
Source: AGrsqxaSjd.exe, 00000000.00000002.2571164744.00000000006A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.netW
Source: AGrsqxaSjd.exe, 00000000.00000002.2571164744.00000000006A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.netll_
Source: AGrsqxaSjd.exe, 00000000.00000002.2571164744.0000000000694000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.neto
Source: AGrsqxaSjd.exe, 00000000.00000003.1384339139.0000000003308000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.maxmind.com
Source: AGrsqxaSjd.exe, 00000000.00000003.1343067039.000000000069B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: AGrsqxaSjd.exe	String found in binary or memory: https://api.telegram.org/bot
Source: AGrsqxaSjd.exe, 00000000.00000003.1343067039.000000000069B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: AGrsqxaSjd.exe, 00000000.00000003.1343067039.000000000069B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: AGrsqxaSjd.exe, 00000000.00000003.1343067039.000000000069B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: AGrsqxaSjd.exe, 00000000.00000003.1343067039.000000000069B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AGrsqxaSjd.exe, 00000000.00000003.1343067039.000000000069B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: AGrsqxaSjd.exe, 00000000.00000003.1343067039.000000000069B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: AGrsqxaSjd.exe, 00000000.00000003.1384447891.00000000006FF000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000002.2571406087.000000000072B000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384398201.0000000000723000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384421857.000000000070F000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384339139.0000000003308000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000002.2571164744.00000000006F9000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384447891.00000000006F9000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000002.2571779294.0000000003300000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000002.2571164744.00000000006A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1
Source: AGrsqxaSjd.exe, 00000000.00000003.1384373852.0000000000734000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384398201.0000000000723000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384339139.0000000003308000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://showip.net/
Source: AGrsqxaSjd.exe, 00000000.00000003.1384373852.0000000000734000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384398201.0000000000723000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384339139.0000000003308000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://showip.net/?checkip=
Source: AGrsqxaSjd.exe, 00000000.00000003.1384339139.0000000003308000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://unpkg.com/leaflet
Source: AGrsqxaSjd.exe, 00000000.00000003.1343067039.000000000069B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: AGrsqxaSjd.exe, 00000000.00000003.1343067039.000000000069B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: AGrsqxaSjd.exe, 00000000.00000002.2571406087.000000000072B000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384398201.0000000000723000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384421857.000000000070F000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384339139.0000000003308000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000002.2571164744.00000000006A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-L6NKT5G6D7
Source: AGrsqxaSjd.exe, 00000000.00000003.1384339139.0000000003308000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openstreetmap.org/copyright

Source: C:\Users\user\Desktop\AGrsqxaSjd.exe

Code function: 0_2_00404840 GetAsyncKeyState,

0_2_00404840

System Summary

PE file has a writeable .text section

Source: AGrsqxaSjd.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Writes or reads registry keys via WMI

Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey

Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Code function: 0_2_0040421E		0_2_0040421E
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Code function: 0_2_00426E80		0_2_00426E80

Source: AGrsqxaSjd.exe

Static PE information: Resource name: CUSTOM type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed

Source: AGrsqxaSjd.exe

Binary or memory string: OriginalFilenameflagellum.exe vs AGrsqxaSjd.exe

Source: AGrsqxaSjd.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: AGrsqxaSjd.exe	Binary or memory string: C*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: AGrsqxaSjd.exe, 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: @@*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp Dm

Source: classification engine

Classification label: mal96.troj.spyw.winEXE@2/4@1/1

Source: C:\Users\user\Desktop\AGrsqxaSjd.exe

Mutant created: NULL

Source: AGrsqxaSjd.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\AGrsqxaSjd.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: AGrsqxaSjd.exe	Binary or memory string: SELECT item1 FROM metadata WHERE id = 'password';
Source: AGrsqxaSjd.exe, 00000000.00000003.1345044578.00000000006A9000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1343516703.00000000006AB000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1343896243.0000000000689000.00000004.00000020.00020000.00000000.sdmp, LoggraNoUCYctgwnrtnRFCefIupAVHcOBQqsTNNMrZheterostracan.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: AGrsqxaSjd.exe

ReversingLabs: Detection: 84%

Source: unknown	Process created: C:\Users\user\Desktop\AGrsqxaSjd.exe "C:\Users\user\Desktop\AGrsqxaSjd.exe"
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding

Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: esscli.dll	Jump to behavior

Source: C:\Users\user\Desktop\AGrsqxaSjd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\InprocServer32

Jump to behavior

Source:

Binary string: W.pdb4 source: AGrsqxaSjd.exe

Source: AGrsqxaSjd.exe

Static PE information: real checksum: 0x71304 should be: 0x6db5b

Source: C:\Users\user\Desktop\AGrsqxaSjd.exe

Code function: 0_2_004013B6 push ebp; retf

0_2_004013DD

Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\AGrsqxaSjd.exe

API coverage: 9.4 %

Source: WebData.0.dr	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: WebData.0.dr	Binary or memory string: global block list test formVMware20,11696497155
Source: AGrsqxaSjd.exe, 00000000.00000002.2571164744.00000000006B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: WebData.0.dr	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: WebData.0.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: AGrsqxaSjd.exe, 00000000.00000002.2571164744.000000000068F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ictivebrokers.co.inVMware20,11696497155d
Source: AGrsqxaSjd.exe, 00000000.00000002.2571164744.00000000006F9000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384447891.00000000006F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: WebData.0.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: WebData.0.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: WebData.0.dr	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: WebData.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: WebData.0.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: WebData.0.dr	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: WebData.0.dr	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: WebData.0.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: WebData.0.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: WebData.0.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: WebData.0.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: WebData.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: WebData.0.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: WebData.0.dr	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: WebData.0.dr	Binary or memory string: AMC password management pageVMware20,11696497155
Source: WebData.0.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: WebData.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: WebData.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: WebData.0.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: WebData.0.dr	Binary or memory string: discord.comVMware20,11696497155f
Source: AGrsqxaSjd.exe, 00000000.00000002.2571164744.000000000068F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ctivebrokers.co.inVMware20,11696497155d
Source: WebData.0.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: WebData.0.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: WebData.0.dr	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: WebData.0.dr	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: WebData.0.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: WebData.0.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: WebData.0.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Stealing of Sensitive Information

Yara detected DarkCloud

Source: Yara match	File source: AGrsqxaSjd.exe, type: SAMPLE
Source: Yara match	File source: 0.2.AGrsqxaSjd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.AGrsqxaSjd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1328576742.0000000000401000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AGrsqxaSjd.exe PID: 7416, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\AGrsqxaSjd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite	Jump to behavior

Source: Yara match

File source: Process Memory Space: AGrsqxaSjd.exe PID: 7416, type: MEMORYSTR

Remote Access Functionality

Yara detected DarkCloud

Source: Yara match	File source: AGrsqxaSjd.exe, type: SAMPLE
Source: Yara match	File source: 0.2.AGrsqxaSjd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.AGrsqxaSjd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1328576742.0000000000401000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AGrsqxaSjd.exe PID: 7416, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Process Injection	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Obfuscated Files or Information	11 Input Capture	1 System Network Configuration Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
AGrsqxaSjd.exe	84%	ReversingLabs	Win32.Trojan.DarkCloudStealer
AGrsqxaSjd.exe	100%	Avira	TR/Dropper.Gen
AGrsqxaSjd.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://showip.netW	0%	Avira URL Cloud	safe
http://showip.netll_	0%	Avira URL Cloud	safe
http://showip.neto	0%	Avira URL Cloud	safe
http://showip.net/2	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
showip.net	162.55.60.2	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	AGrsqxaSjd.exe, 00000000.00000003.1343067039.000000000069B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	AGrsqxaSjd.exe, 00000000.00000003.1343067039.000000000069B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schema.org	AGrsqxaSjd.exe, 00000000.00000003.1384373852.0000000000734000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384398201.0000000000723000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384339139.0000000003308000.00000004.00000020.00020000.00000000.sdmp	false		high
http://showip.netW	AGrsqxaSjd.exe, 00000000.00000002.2571164744.00000000006A7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	AGrsqxaSjd.exe, 00000000.00000003.1343067039.000000000069B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1	AGrsqxaSjd.exe, 00000000.00000003.1384447891.00000000006FF000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000002.2571406087.000000000072B000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384398201.0000000000723000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384421857.000000000070F000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384339139.0000000003308000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000002.2571164744.00000000006F9000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384447891.00000000006F9000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000002.2571779294.0000000003300000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000002.2571164744.00000000006A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	AGrsqxaSjd.exe, 00000000.00000003.1343067039.000000000069B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	AGrsqxaSjd.exe	false		high
https://showip.net/	AGrsqxaSjd.exe, 00000000.00000003.1384373852.0000000000734000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384398201.0000000000723000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384339139.0000000003308000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	AGrsqxaSjd.exe, 00000000.00000003.1343067039.000000000069B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.openstreetmap.org/copyright	AGrsqxaSjd.exe, 00000000.00000003.1384339139.0000000003308000.00000004.00000020.00020000.00000000.sdmp	false		high
http://showip.net/2	AGrsqxaSjd.exe, 00000000.00000003.1384447891.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000002.2571164744.00000000006D4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://unpkg.com/leaflet	AGrsqxaSjd.exe, 00000000.00000003.1384339139.0000000003308000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	AGrsqxaSjd.exe, 00000000.00000003.1343067039.000000000069B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://showip.netll_	AGrsqxaSjd.exe, 00000000.00000002.2571164744.00000000006A7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	AGrsqxaSjd.exe, 00000000.00000003.1343067039.000000000069B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.maxmind.com	AGrsqxaSjd.exe, 00000000.00000003.1384339139.0000000003308000.00000004.00000020.00020000.00000000.sdmp	false		high
https://showip.net/?checkip=	AGrsqxaSjd.exe, 00000000.00000003.1384373852.0000000000734000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384398201.0000000000723000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000003.1384339139.0000000003308000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	AGrsqxaSjd.exe, 00000000.00000003.1343067039.000000000069B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	AGrsqxaSjd.exe, 00000000.00000003.1343067039.000000000069B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://showip.net/	AGrsqxaSjd.exe, 00000000.00000003.1384447891.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000002.2571164744.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, AGrsqxaSjd.exe, 00000000.00000002.2571164744.00000000006A7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://showip.neto	AGrsqxaSjd.exe, 00000000.00000002.2571164744.0000000000694000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://showip.net	AGrsqxaSjd.exe, 00000000.00000002.2571164744.00000000006A7000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.55.60.2	showip.net	United States		35893	ACPCA	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1571529
Start date and time:	2024-12-09 14:30:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	AGrsqxaSjd.exe renamed because original name is a hash value
Original Sample Name:	02409c8e60592f537c66f9faf8137c6ad71bfa81884107f926c4f9a69429144e.exe
Detection:	MAL
Classification:	mal96.troj.spyw.winEXE@2/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 28 Number of non-executed functions: 53
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: AGrsqxaSjd.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.55.60.2	yMvZXcwN2OdoP6x.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	oS6KsQIqJxe038Y.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	showip.net/
	Purchase Order AB013058.PDF.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	showip.net/
	MSM8C42iAN.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	wMy37vlfvz.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	8m65n7ieJC.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	Factura modificada____678979879.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	Pago SEPA.pdf.exe	Get hash	malicious	GuLoader	Browse	showip.net/
	Lista de cotizaciones.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	New Order___________pdf.exe	Get hash	malicious	DarkCloud	Browse	showip.net/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
showip.net	yMvZXcwN2OdoP6x.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	oS6KsQIqJxe038Y.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	162.55.60.2
	Purchase Order AB013058.PDF.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	162.55.60.2
	MSM8C42iAN.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	wMy37vlfvz.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	8m65n7ieJC.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	Factura modificada____678979879.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	Pago SEPA.pdf.exe	Get hash	malicious	GuLoader	Browse	162.55.60.2
	Lista de cotizaciones.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	New Order___________pdf.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ACPCA	Owari.ppc.elf	Get hash	malicious	Unknown	Browse	162.1.10.3
	Owari.arm7.elf	Get hash	malicious	Mirai	Browse	162.137.25.149
	DRAFT COPY BL, CI & PL.exe	Get hash	malicious	FormBook	Browse	162.0.213.94
	MN1qo2qaJmEvXDP.exe	Get hash	malicious	FormBook	Browse	162.0.215.33
	jew.mips.elf	Get hash	malicious	Unknown	Browse	162.52.78.93
	home.ppc.elf	Get hash	malicious	Mirai	Browse	162.54.91.8
	i686.elf	Get hash	malicious	Unknown	Browse	162.54.34.238
	main_mpsl.elf	Get hash	malicious	Mirai	Browse	162.65.245.139
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	162.55.63.205
	teste.x86_64.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	162.128.62.120

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\LoggraNoUCYctgwnrtnRFCefIupAVHcOBQqsTNNMrZheterostracan

Download File

Process:	C:\Users\user\Desktop\AGrsqxaSjd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\WebData

Download File

Process:	C:\Users\user\Desktop\AGrsqxaSjd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1221538113908904
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
MD5:	C1AE02DC8BFF5DD65491BF71C0B740A7
SHA1:	6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
SHA-256:	CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
SHA-512:	01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\cookies.db

Download File

Process:	C:\Users\user\Desktop\AGrsqxaSjd.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	modified
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\cookies.db-shm

Download File

Process:	C:\Users\user\Desktop\AGrsqxaSjd.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.923052379146856
TrID:	Win32 Executable (generic) a (10002005/4) 98.59% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02%
File name:	AGrsqxaSjd.exe
File size:	411'648 bytes
MD5:	065753739a03f973e392ff9d2e744d44
SHA1:	404470202a947ced4f89674856b819f1ae183f5c
SHA256:	02409c8e60592f537c66f9faf8137c6ad71bfa81884107f926c4f9a69429144e
SHA512:	0ea8d18f4fb990ba94298465d55d3890f5dad23653507133c8450081cfa5aa519394673657c7c8a3f044a5cbbfb9783022b7e518993e07e5420092181176f32d
SSDEEP:	12288:srL6kXGxltymcfhTYs1yk+KjYKkJj6GmZU:0Xp0s13+sYb6nZ
TLSH:	B3943926E620703EF563C8B1B9E5A257A8252D361694AD1BF391EF0935312E3B4F131F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}...9...9...9.......8...P...?.......8...Rich9...........PE..L....z.g.............................5............@................

File Icon


Icon Hash:	00869eb0b230201f

Static PE Info

General

Entrypoint:	0x403594
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x670C7A9E [Mon Oct 14 01:57:50 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5f466a91533ccabcf8e304faad3b90f2

Entrypoint Preview

Instruction
push 0040395Ch
call 00007F4C98D9AD73h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add cl, dh
call far 4881h : F14F403Bh
lodsd
and al, dl
insd
out D7h, al
mov esp, 000000DEh
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax-5Fh], bl
xor al, byte ptr [ebx]
push eax
jc 00007F4C98D9ADF1h
push 00000065h
arpl word ptr [ecx+esi+00h], si
rol dword ptr [eax+00h], 08h
rol dword ptr [eax+00h], 00000000h
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
add eax, B053A203h
sbb eax, ebp
mov eax, dword ptr [eax-60h]
fmul st(0), st(1)
pop esi
or byte ptr [edx], bh
xor esi, 1505F753h
sar byte ptr [ebp-5A49B8A6h], cl
add dword ptr [ebp+4Fh], ebx
push ss
xchg eax, edx
cdq
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
loop 00007F4C98D9AD82h
add byte ptr [eax], al
inc esi
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 726F4600h
insd
xor dword ptr [eax], eax
or eax, 46000501h
outsd
jc 00007F4C98D9ADEFh
xor dword ptr [eax], eax
or al, byte ptr [ecx]
sbb dword ptr [ecx], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3b794	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3e000	0x28f38	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3c000	0x3b600	457d0e1d61ddb168cc0f3091b478bb30	False	0.33246710526315787	data	5.779114393920952	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x3d000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3e000	0x28f38	0x28e00	298637d500a8d2dbdf56e8fd813b2a45	False	0.9593248279816514	data	7.876896783910386	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
CUSTOM	0x3e938	0x28600	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed	English	United States	0.9682668540687248
RT_ICON	0x3e808	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 256			0.3223684210526316
RT_ICON	0x3e520	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.19623655913978494
RT_ICON	0x3e3f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192			0.4155405405405405
RT_GROUP_ICON	0x3e3c8	0x30	data			1.0
RT_VERSION	0x3e1a0	0x228	data	English	United States	0.4891304347826087

Imports

DLL

Import

MSVBVM60.DLL

__vbaVarTstGt, __vbaVarSub, __vbaNextEachAry, _CIcos, _adj_fptan, __vbaStrI4, __vbaHresultCheck, __vbaVarMove, __vbaVarVargNofree, __vbaCyMul, __vbaAryMove, __vbaFreeVar, __vbaLenBstr, __vbaStrVarMove, __vbaPut3, __vbaFreeVarList, _adj_fdiv_m64, __vbaFpCDblR8, __vbaVarIndexStore, __vbaNextEachVar, __vbaFreeObjList, __vbaStrErrVarCopy, __vbaVarIndexLoadRef, _adj_fprem1, __vbaResume, __vbaCopyBytes, __vbaStrCat, __vbaLsetFixstr, __vbaStrDate, __vbaRecDestruct, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, __vbaLenVar, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaVarXor, __vbaLateMemSt, __vbaVarIndexLoadRefLock, __vbaVarForInit, __vbaForEachCollObj, __vbaExitProc, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarIndexLoad, __vbaBoolVar, __vbaBoolVarNull, __vbaRefVarAry, __vbaVarTstLt, _CIsin, __vbaErase, __vbaVarCmpGt, __vbaNextEachCollObj, __vbaVarZero, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaGet3, __vbaStrCmp, __vbaPutOwner3, __vbaAryConstruct2, __vbaVarTstEq, __vbaDateR8, __vbaI2I4, __vbaObjVar, DllFunctionCall, __vbaVarLateMemSt, __vbaVarOr, __vbaFpUI1, __vbaRedimPreserve, __vbaLbound, _adj_fpatan, __vbaFixstrConstruct, __vbaR8Cy, __vbaRedim, __vbaUI1ErrVar, EVENT_SINK_Release, __vbaNew, __vbaUI1I2, _CIsqrt, __vbaObjIs, __vbaVarAnd, EVENT_SINK_QueryInterface, __vbaStr2Vec, __vbaVarMul, __vbaStrUI1, __vbaUI1I4, __vbaExceptHandler, __vbaPrintFile, __vbaStrToUnicode, __vbaExitEachAry, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, __vbaUbound, __vbaStrVarVal, __vbaGetOwner3, __vbaVarCat, __vbaDateVar, __vbaI2Var, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, __vbaInStr, __vbaVar2Vec, __vbaVarLateMemCallLdRf, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaVarSetObj, __vbaStrCopy, __vbaVarNot, __vbaFreeStrList, _adj_fdivr_m32, __vbaPowerR8, _adj_fdiv_r, __vbaVarTstNe, __vbaVarSetVar, __vbaI4Var, __vbaVarCmpEq, __vbaForEachAry, __vbaAryLock, __vbaVarAdd, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI2, __vbaVarCopy, __vbaVarLateMemCallLd, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaUI1Str, __vbaCastObj, __vbaAryCopy, __vbaStrMove, __vbaStrVarCopy, __vbaForEachVar, _allmul, _CItan, __vbaAryUnlock, __vbaUI1Var, __vbaVarForNext, _CIexp, __vbaMidStmtBstr, __vbaI4ErrVar, __vbaFreeStr, __vbaFreeObj, __vbaRecAssign

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-09T14:31:07.011552+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49712	162.55.60.2	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 14:31:05.614801884 CET	49712	80	192.168.2.9	162.55.60.2
Dec 9, 2024 14:31:05.734174013 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:05.734426022 CET	49712	80	192.168.2.9	162.55.60.2
Dec 9, 2024 14:31:05.734692097 CET	49712	80	192.168.2.9	162.55.60.2
Dec 9, 2024 14:31:05.853991032 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.011470079 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.011502981 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.011518002 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.011552095 CET	49712	80	192.168.2.9	162.55.60.2
Dec 9, 2024 14:31:07.011605024 CET	49712	80	192.168.2.9	162.55.60.2
Dec 9, 2024 14:31:07.011754036 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.011769056 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.011782885 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.011809111 CET	49712	80	192.168.2.9	162.55.60.2
Dec 9, 2024 14:31:07.011837006 CET	49712	80	192.168.2.9	162.55.60.2
Dec 9, 2024 14:31:07.012039900 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.012063026 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.012075901 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.012093067 CET	49712	80	192.168.2.9	162.55.60.2
Dec 9, 2024 14:31:07.012114048 CET	49712	80	192.168.2.9	162.55.60.2
Dec 9, 2024 14:31:07.012490034 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.012535095 CET	49712	80	192.168.2.9	162.55.60.2
Dec 9, 2024 14:31:07.131200075 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.131298065 CET	49712	80	192.168.2.9	162.55.60.2
Dec 9, 2024 14:31:07.131328106 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.131367922 CET	49712	80	192.168.2.9	162.55.60.2
Dec 9, 2024 14:31:07.135382891 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.135469913 CET	49712	80	192.168.2.9	162.55.60.2
Dec 9, 2024 14:31:07.203634977 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.203660011 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.203735113 CET	49712	80	192.168.2.9	162.55.60.2
Dec 9, 2024 14:31:07.207880020 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.207963943 CET	49712	80	192.168.2.9	162.55.60.2
Dec 9, 2024 14:31:07.208053112 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.208098888 CET	49712	80	192.168.2.9	162.55.60.2
Dec 9, 2024 14:31:07.216103077 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.216170073 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.216196060 CET	49712	80	192.168.2.9	162.55.60.2
Dec 9, 2024 14:31:07.216228962 CET	49712	80	192.168.2.9	162.55.60.2
Dec 9, 2024 14:31:07.224054098 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.224132061 CET	49712	80	192.168.2.9	162.55.60.2
Dec 9, 2024 14:31:07.224153042 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.224189997 CET	49712	80	192.168.2.9	162.55.60.2
Dec 9, 2024 14:31:07.232383966 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.232445002 CET	49712	80	192.168.2.9	162.55.60.2
Dec 9, 2024 14:31:07.232491970 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:31:07.232542038 CET	49712	80	192.168.2.9	162.55.60.2
Dec 9, 2024 14:32:54.897342920 CET	49712	80	192.168.2.9	162.55.60.2
Dec 9, 2024 14:32:55.017136097 CET	80	49712	162.55.60.2	192.168.2.9
Dec 9, 2024 14:32:55.017242908 CET	49712	80	192.168.2.9	162.55.60.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 14:31:04.888655901 CET	57294	53	192.168.2.9	1.1.1.1
Dec 9, 2024 14:31:05.597604036 CET	53	57294	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 9, 2024 14:31:04.888655901 CET	192.168.2.9	1.1.1.1	0xbf81	Standard query (0)	showip.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 9, 2024 14:31:05.597604036 CET	1.1.1.1	192.168.2.9	0xbf81	No error (0)	showip.net		162.55.60.2	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

showip.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49712	162.55.60.2	80	7416	C:\Users\user\Desktop\AGrsqxaSjd.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 14:31:05.734692097 CET	58	OUT	GET / HTTP/1.1 User-Agent: Project1 Host: showip.net
Dec 9, 2024 14:31:07.011470079 CET	1236	IN	HTTP/1.1 200 OK Access-Control-Allow-Headers: * Access-Control-Allow-Methods: * Access-Control-Allow-Origin: * Content-Type: text/html;charset=utf-8 Date: Mon, 09 Dec 2024 13:31:06 GMT Server: Caddy Transfer-Encoding: chunked Data Raw: 34 36 66 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 0a 20 20 20 20 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 4c 36 4e 4b 54 35 47 36 44 37 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 20 20 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0a 0a 20 20 20 20 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 47 2d 4c 36 4e 4b 54 35 47 36 44 37 27 29 3b 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e [TRUNCATED] Data Ascii: 46f8<!DOCTYPE html><html lang="en"> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=G-L6NKT5G6D7"></script> <script> window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-L6NKT5G6D7'); </script> <script async src="https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1" nonce="a8sPTFY01S1bvA7Euc8gkg"></script><script nonce="a8sPTFY01S1bvA7Euc8gkg">(function() {function signalGooglefcPresent() {if (!window.frames['googlefcPresent']) {if (document.body) {const iframe = document.createElement('iframe'); iframe.style = 'width: 0; height: 0; border: none; z-index: -1000; left: -1000px; top: -1000px;'; iframe.style.display = 'none'; iframe.name = 'googlefcPresent'; document.body.appendChild(iframe);} else {setTimeout(signalGooglefcPresent, 0);}}}signalGooglefcPresent();})();</script> <script> (function(){'use strict';fun
Dec 9, 2024 14:31:07.011502981 CET	1236	IN	Data Raw: 63 74 69 6f 6e 20 61 61 28 61 29 7b 76 61 72 20 62 3d 30 3b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 62 3c 61 2e 6c 65 6e 67 74 68 3f 7b 64 6f 6e 65 3a 21 31 2c 76 61 6c 75 65 3a 61 5b 62 2b 2b 5d 7d 3a 7b 64 6f Data Ascii: ction aa(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var ba="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;
Dec 9, 2024 14:31:07.011518002 CET	1236	IN	Data Raw: 76 61 72 20 63 20 69 6e 20 62 29 69 66 28 22 70 72 6f 74 6f 74 79 70 65 22 21 3d 63 29 69 66 28 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 69 65 73 29 7b 76 61 72 20 64 3d 4f 62 6a 65 63 74 2e 67 65 74 4f 77 6e 50 72 6f 70 65 72 Data Ascii: var c in b)if("prototype"!=c)if(Object.defineProperties){var d=Object.getOwnPropertyDescriptor(b,c);d&&Object.defineProperty(a,c,d)}else a[c]=b[c];a.A=b.prototype}function ma(){for(var a=Number(this),b=[],c=a;c<arguments.length;c++)b[c-a]=argu
Dec 9, 2024 14:31:07.011754036 CET	388	IN	Data Raw: 67 65 22 29 29 7c 7c 28 43 28 29 3f 41 28 22 4d 69 63 72 6f 73 6f 66 74 20 45 64 67 65 22 29 3a 42 28 22 45 64 67 2f 22 29 29 7c 7c 43 28 29 26 26 41 28 22 4f 70 65 72 61 22 29 29 3b 76 61 72 20 73 61 3d 7b 7d 2c 45 3d 6e 75 6c 6c 3b 76 61 72 20 Data Ascii: ge"))\|\|(C()?A("Microsoft Edge"):B("Edg/"))\|\|C()&&A("Opera"));var sa={},E=null;var ta="undefined"!==typeof Uint8Array,ua=!ra&&"function"===typeof btoa;var F="function"===typeof Symbol&&"symbol"===typeof Symbol()?Symbol():void 0,G=F?function(a,b
Dec 9, 2024 14:31:07.011769056 CET	1236	IN	Data Raw: 61 72 20 62 3d 48 28 61 29 3b 31 21 3d 3d 28 62 26 31 29 26 26 28 4f 62 6a 65 63 74 2e 69 73 46 72 6f 7a 65 6e 28 61 29 26 26 28 61 3d 41 72 72 61 79 2e 70 72 6f 74 6f 74 79 70 65 2e 73 6c 69 63 65 2e 63 61 6c 6c 28 61 29 29 2c 49 28 61 2c 62 7c Data Ascii: ar b=H(a);1!==(b&1)&&(Object.isFrozen(a)&&(a=Array.prototype.slice.call(a)),I(a,b\|1))} var H=F?function(a){return a[F]\|0}:function(a){return a.g\|0},J=F?function(a){return a[F]}:function(a){return a.g},I=F?function(a,b){a[F]=b}:function(a
Dec 9, 2024 14:31:07.011782885 CET	1236	IN	Data Raw: 65 3d 61 2e 6c 65 6e 67 74 68 2c 66 3d 64 3b 66 3c 65 3b 66 2b 2b 29 7b 76 61 72 20 67 3d 61 5b 66 5d 3b 6e 75 6c 6c 21 3d 67 26 26 67 21 3d 3d 63 26 26 28 63 5b 66 2d 62 5d 3d 67 29 7d 61 2e 6c 65 6e 67 74 68 3d 64 2b 31 3b 61 5b 64 5d 3d 63 7d Data Ascii: e=a.length,f=d;f<e;f++){var g=a[f];null!=g&&g!==c&&(c[f-b]=g)}a.length=d+1;a[d]=c};function Aa(a){switch(typeof a){case "number":return isFinite(a)?a:String(a);case "boolean":return a?1:0;case "object":if(a&&!Array.isArray(a)&&ta&&null!=a&&a i
Dec 9, 2024 14:31:07.012039900 CET	1236	IN	Data Raw: 28 65 2c 66 29 26 26 28 62 5b 66 5d 3d 63 28 65 5b 66 5d 29 29 7d 72 65 74 75 72 6e 20 61 7d 66 75 6e 63 74 69 6f 6e 20 44 61 28 61 2c 62 2c 63 2c 64 2c 65 2c 66 29 7b 69 66 28 6e 75 6c 6c 21 3d 61 29 7b 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 Data Ascii: (e,f)&&(b[f]=c(e[f]))}return a}function Da(a,b,c,d,e,f){if(null!=a){if(Array.isArray(a))a=e&&0==a.length&&H(a)&1?void 0:f&&H(a)&2?a:Ea(a,b,c,void 0!==d,e,f);else if(N(a)){var g={},h;for(h in a)Object.prototype.hasOwnProperty.call(a,h)&&(g[h]=D
Dec 9, 2024 14:31:07.012063026 CET	1236	IN	Data Raw: 66 28 63 3e 3d 66 7c 7c 65 29 7b 65 3d 62 3b 69 66 28 62 26 32 35 36 29 66 3d 61 5b 61 2e 6c 65 6e 67 74 68 2d 31 5d 3b 65 6c 73 65 7b 69 66 28 6e 75 6c 6c 3d 3d 64 29 72 65 74 75 72 6e 3b 66 3d 61 5b 66 2b 28 28 62 3e 3e 39 26 31 29 2d 31 29 5d Data Ascii: f(c>=f\|\|e){e=b;if(b&256)f=a[a.length-1];else{if(null==d)return;f=a[f+((b>>9&1)-1)]={};e\|=256}f[c]=d;e&=-1025;e!==b&&I(a,e)}else a[c+((b>>9&1)-1)]=d,b&256&&(d=a[a.length-1],c in d&&delete d[c]),b&1024&&I(a,b&-1025)} function La(a,b){var c
Dec 9, 2024 14:31:07.012075901 CET	1236	IN	Data Raw: 72 65 61 6b 7d 66 3d 21 30 7d 65 3d 62 3b 63 3d 21 63 3b 67 3d 4a 28 61 2e 68 29 3b 61 3d 4c 28 67 29 3b 67 3d 28 67 3e 3e 39 26 31 29 2d 31 3b 66 6f 72 28 76 61 72 20 68 2c 6b 2c 77 3d 30 3b 77 3c 64 2e 6c 65 6e 67 74 68 3b 77 2b 2b 29 69 66 28 Data Ascii: reak}f=!0}e=b;c=!c;g=J(a.h);a=L(g);g=(g>>9&1)-1;for(var h,k,w=0;w<d.length;w++)if(k=d[w],k<a){k+=g;var r=e[k];null==r?e[k]=c?O:wa():c&&r!==O&&va(r)}else h\|\|(r=void 0,e.length&&N(r=e[e.length-1])?h=r:e.push(h={})),r=h[k],null==h[k]?h[k]=c?O:wa(
Dec 9, 2024 14:31:07.012490034 CET	1236	IN	Data Raw: 6e 63 74 69 6f 6e 20 57 61 28 61 29 7b 74 68 69 73 2e 67 3d 61 7c 7c 70 2e 64 6f 63 75 6d 65 6e 74 7c 7c 64 6f 63 75 6d 65 6e 74 7d 57 61 2e 70 72 6f 74 6f 74 79 70 65 2e 61 70 70 65 6e 64 43 68 69 6c 64 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 Data Ascii: nction Wa(a){this.g=a\|\|p.document\|\|document}Wa.prototype.appendChild=function(a,b){a.appendChild(b)}; function Xa(a,b){a.src=b instanceof V&&b.constructor===V?b.g:"type_error:TrustedResourceUrl";var c,d;(c=(b=null==(d=(c=(a.ownerDocumen
Dec 9, 2024 14:31:07.131200075 CET	1236	IN	Data Raw: 28 61 29 7b 69 66 28 61 2e 69 2e 62 6f 64 79 26 26 21 61 2e 6d 29 7b 76 61 72 20 62 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 62 28 61 29 3b 70 2e 73 65 74 54 69 6d 65 6f 75 74 28 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 67 62 28 61 2c Data Ascii: (a){if(a.i.body&&!a.m){var b=function(){fb(a);p.setTimeout(function(){return gb(a,3)},50)};Za(a.l,a.u,2,!0,function(){p[a.o]\|\|b()},b);a.m=!0}} function fb(a){for(var b=W(1,5),c=0;c<b;c++){var d=X(a);a.i.body.appendChild(d);a.j.push(d)}b=

Target ID:	0
Start time:	08:31:00
Start date:	09/12/2024
Path:	C:\Users\user\Desktop\AGrsqxaSjd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AGrsqxaSjd.exe"
Imagebase:	0x400000
File size:	411'648 bytes
MD5 hash:	065753739A03F973E392FF9D2E744D44
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000000.1328576742.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	08:31:03
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x270000
File size:	418'304 bytes
MD5 hash:	64ACA4F48771A5BA50CD50F2410632AD
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	236

Executed Functions

Function 00432D60 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 236
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaFixstrConstruct.MSVBVM60(00000100,?,6D41A323,6D42D8B1,00402BF8), ref: 00432DAC
__vbaNew2.MSVBVM60(0040B3CC,0043D7AC), ref: 00432DC4
__vbaHresultCheckObj.MSVBVM60(00000000,021D004C,0040B3BC,00000014), ref: 00432DE9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B924,00000060), ref: 00432E0D
__vbaStrToAnsi.MSVBVM60(?,?,00000001,00000000,00000000,00000000), ref: 00432E20
__vbaSetSystemError.MSVBVM60(00000000), ref: 00432E34
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00432E46
__vbaFreeObj.MSVBVM60 ref: 00432E4E
__vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,04000000,00000000), ref: 00432E6D
__vbaSetSystemError.MSVBVM60(00000000,00000000,?,00000000,00000000,04000000,00000000), ref: 00432E7C
__vbaStrToUnicode.MSVBVM60(+@,?,?,00000000,00000000,04000000,00000000), ref: 00432E86
__vbaFreeStr.MSVBVM60(?,00000000,00000000,04000000,00000000), ref: 00432E92
__vbaStrToAnsi.MSVBVM60(?,?,00000100,?), ref: 00432EB4
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 00432EC1
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00432ECB
__vbaLsetFixstr.MSVBVM60(00000000,?,00000000), ref: 00432EDE
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00432EEA
__vbaStrCopy.MSVBVM60(?,04000000,00000000), ref: 00432EF5
__vbaStrToAnsi.MSVBVM60(?,?,00000100,?), ref: 00432F17
InternetReadFile.WININET(?,00000000), ref: 00432F27
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00432F31
__vbaLsetFixstr.MSVBVM60(00000000,?,00000000), ref: 00432F3E
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00432F4A
__vbaStrCopy.MSVBVM60(00000001,?), ref: 00432F68
#631.MSVBVM60(00000000), ref: 00432F6F
__vbaStrMove.MSVBVM60 ref: 00432F7A
__vbaLsetFixstr.MSVBVM60(00000000,?,?), ref: 00432F8A
__vbaStrCat.MSVBVM60(?,?), ref: 00432F94
__vbaStrMove.MSVBVM60 ref: 00432F9F
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00432FAF
__vbaSetSystemError.MSVBVM60 ref: 00432FBC
#598.MSVBVM60 ref: 00432FC9
__vbaSetSystemError.MSVBVM60(?), ref: 00432FDD
__vbaStrCopy.MSVBVM60 ref: 00432FE5
__vbaFreeStr.MSVBVM60(0043302F), ref: 00433027
__vbaFreeStr.MSVBVM60 ref: 0043302C

Strings

+@, xrefs: 00432E58, 00432E81, 00432E85

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Free$ErrorSystem$AnsiFixstrList$CopyLsetUnicode$CheckHresultMove$#598#631ConstructFileInternetNew2Read
String ID: +@
API String ID: 2099816023-3835504741
Opcode ID: ff79127468d54d56c65a2b4fb234e00d9a04df02ea88e933ff6b37a7ff715c2b
Instruction ID: edbb0f66bed64e040fb60fe4c65a7fb52963413ea26ab3d363ace2bf05d0307f
Opcode Fuzzy Hash: ff79127468d54d56c65a2b4fb234e00d9a04df02ea88e933ff6b37a7ff715c2b
Instruction Fuzzy Hash: 4E81DD75D00209AFDB04EBE5DD85EEEBB7DEF88700F10851AF601B72A0DA745945CB64

Function 00404840 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d787e95ab2364f8c5944c0cb77657234ffda1dd00567e8ec13494130a83e1fd
Instruction ID: 43803f6cc10c83bb38a9917bfb5aaa7b0d14b68f36a172b12e4e776ba28fef18
Opcode Fuzzy Hash: 2d787e95ab2364f8c5944c0cb77657234ffda1dd00567e8ec13494130a83e1fd
Instruction Fuzzy Hash: DAB01275B8C041EED70076B86D014251180D2C83433209C33F501F61C0CA38DF00C33D

Function 004154B0 Relevance: 1436.8, APIs: 730, Strings: 88, Instructions: 5257COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004030D6), ref: 004154CE
__vbaAryConstruct2.MSVBVM60(?,00407468,00000008,?,?,?,?,004030D6), ref: 00415500
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,004030D6), ref: 0041550F
__vbaStrCopy.MSVBVM60(?,?,?,?,004030D6), ref: 00415527

Part of subcall function 0042ECB0: __vbaLenBstr.MSVBVM60(?), ref: 0042ECF6
Part of subcall function 0042ECB0: #632.MSVBVM60(?,?,?,?), ref: 0042ED52
Part of subcall function 0042ECB0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 0042ED68
Part of subcall function 0042ECB0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0042ED6F
Part of subcall function 0042ECB0: #537.MSVBVM60(00000000), ref: 0042ED76
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED81
Part of subcall function 0042ECB0: __vbaStrCat.MSVBVM60(00000000), ref: 0042ED84
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED8B
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED90
Part of subcall function 0042ECB0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042EDA8

__vbaStrMove.MSVBVM60(?,?,?,?,?,004030D6), ref: 00415541
__vbaStrCopy.MSVBVM60(?,?,?,?,004030D6), ref: 00415552
__vbaStrMove.MSVBVM60 ref: 0041557A
__vbaGenerateBoundsError.MSVBVM60 ref: 0041559F
__vbaStrMove.MSVBVM60(?,?), ref: 004155C6
__vbaStrCopy.MSVBVM60 ref: 004155DA
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00415605
__vbaStrCopy.MSVBVM60(?,?,?,?,?,004030D6), ref: 00415620
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,004030D6), ref: 0041563A
__vbaStrCopy.MSVBVM60(?,?,?,?,?,004030D6), ref: 0041564B
__vbaStrMove.MSVBVM60 ref: 00415673
__vbaGenerateBoundsError.MSVBVM60 ref: 00415698

Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,6D42D8B1,00000001,6D41A323), ref: 0042DE03
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?), ref: 0042DE39
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?), ref: 0042DE44
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,?), ref: 0042DE47
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0042DE52
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0042DE5B
Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 0042DE79
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DE96
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEA1
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0042DEA4
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB0
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB9
Part of subcall function 0042DDC0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 0042DEDA
Part of subcall function 0042DDC0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 0042DEEC
Part of subcall function 0042DDC0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 0042DEF3
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DEFE

__vbaStrMove.MSVBVM60(?,?), ref: 004156BF
__vbaStrCopy.MSVBVM60 ref: 004156D3
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 004156FE
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004030D6), ref: 00415719
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004030D6), ref: 00415733
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004030D6), ref: 00415744
__vbaStrMove.MSVBVM60 ref: 0041576C
__vbaStrMove.MSVBVM60(?,?), ref: 004157B8
__vbaStrCopy.MSVBVM60 ref: 004157CC
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 004157F7
__vbaStrCopy.MSVBVM60 ref: 00415812
__vbaStrMove.MSVBVM60(?), ref: 0041582C
__vbaStrCopy.MSVBVM60 ref: 0041583D
__vbaStrMove.MSVBVM60 ref: 00415865
__vbaGenerateBoundsError.MSVBVM60 ref: 0041588A
__vbaStrMove.MSVBVM60(?,?), ref: 004158B1
__vbaStrCopy.MSVBVM60 ref: 004158C5
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 004158F0
__vbaStrCopy.MSVBVM60 ref: 0041590B
__vbaStrMove.MSVBVM60(?), ref: 00415925
__vbaStrCopy.MSVBVM60 ref: 00415936
__vbaStrMove.MSVBVM60 ref: 0041595E
__vbaGenerateBoundsError.MSVBVM60 ref: 00415983

Part of subcall function 0042DDC0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,00000002,?,?,?), ref: 0042DF0A
Part of subcall function 0042DDC0: __vbaStrCopy.MSVBVM60 ref: 0042DF29
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(0042DF6C), ref: 0042DF65

__vbaStrMove.MSVBVM60(?,?), ref: 004159AA
__vbaStrCopy.MSVBVM60 ref: 004159BE
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 004159E9
__vbaStrCopy.MSVBVM60 ref: 00415A04
__vbaStrMove.MSVBVM60(?), ref: 00415A1E
__vbaStrCopy.MSVBVM60 ref: 00415A2F
__vbaStrMove.MSVBVM60 ref: 00415A57
__vbaStrMove.MSVBVM60(?,?), ref: 00415AA3
__vbaStrCopy.MSVBVM60 ref: 00415AB7
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00415AE2
__vbaStrCopy.MSVBVM60 ref: 00415AFD
__vbaStrMove.MSVBVM60(?), ref: 00415B17
__vbaStrCopy.MSVBVM60 ref: 00415B28
__vbaStrMove.MSVBVM60 ref: 00415B50
__vbaGenerateBoundsError.MSVBVM60 ref: 00415B75
__vbaStrMove.MSVBVM60(?,?), ref: 00415B9C
__vbaStrCopy.MSVBVM60 ref: 00415BB0
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00415BDB
__vbaStrCopy.MSVBVM60 ref: 00415BF6
__vbaStrMove.MSVBVM60(?), ref: 00415C10
__vbaStrCopy.MSVBVM60 ref: 00415C21
__vbaStrMove.MSVBVM60 ref: 00415C49
__vbaGenerateBoundsError.MSVBVM60 ref: 00415C6E
__vbaStrMove.MSVBVM60(?,?), ref: 00415C95
__vbaStrCopy.MSVBVM60 ref: 00415CA9
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00415CD4
__vbaStrCopy.MSVBVM60 ref: 00415CEF
__vbaStrMove.MSVBVM60(?), ref: 00415D09
__vbaStrCopy.MSVBVM60 ref: 00415D1A
__vbaStrMove.MSVBVM60 ref: 00415D42
__vbaStrMove.MSVBVM60(?,?), ref: 00415D8E
__vbaStrCopy.MSVBVM60 ref: 00415DA2
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00415DCD
__vbaStrCopy.MSVBVM60 ref: 00415DE8
__vbaStrMove.MSVBVM60(?), ref: 00415E02
__vbaStrCopy.MSVBVM60 ref: 00415E13
__vbaStrMove.MSVBVM60 ref: 00415E3B
__vbaGenerateBoundsError.MSVBVM60 ref: 00415E60
__vbaStrMove.MSVBVM60(?,?), ref: 00415E87
__vbaStrCopy.MSVBVM60 ref: 00415E9B
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00415EC6
__vbaStrCopy.MSVBVM60 ref: 00415EE1
__vbaStrMove.MSVBVM60(?), ref: 00415EFB
__vbaStrCopy.MSVBVM60 ref: 00415F0C
__vbaStrMove.MSVBVM60 ref: 00415F34
__vbaGenerateBoundsError.MSVBVM60 ref: 00415F59
__vbaStrMove.MSVBVM60(?,?), ref: 00415F80
__vbaStrCopy.MSVBVM60 ref: 00415F94
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00415FBF
__vbaStrCopy.MSVBVM60 ref: 00415FDA
__vbaStrMove.MSVBVM60(?), ref: 00415FF4
__vbaStrCopy.MSVBVM60 ref: 00416005
__vbaStrMove.MSVBVM60 ref: 0041602D
__vbaStrMove.MSVBVM60(?,?), ref: 00416079
__vbaStrCopy.MSVBVM60 ref: 0041608D
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 004160B8
__vbaStrCopy.MSVBVM60 ref: 004160D3
__vbaStrMove.MSVBVM60(?), ref: 004160ED
__vbaStrCopy.MSVBVM60 ref: 004160FE
__vbaStrMove.MSVBVM60 ref: 00416126
__vbaGenerateBoundsError.MSVBVM60 ref: 0041614B
__vbaStrMove.MSVBVM60(?,?), ref: 00416172
__vbaStrCopy.MSVBVM60 ref: 00416186
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 004161B1
__vbaStrCopy.MSVBVM60 ref: 004161CC
__vbaStrMove.MSVBVM60(?), ref: 004161E6
__vbaStrCopy.MSVBVM60 ref: 004161F7
__vbaStrMove.MSVBVM60 ref: 0041621F
__vbaGenerateBoundsError.MSVBVM60 ref: 00416244
__vbaStrMove.MSVBVM60(?,?), ref: 0041626B
__vbaStrCopy.MSVBVM60 ref: 0041627F
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 004162AA
__vbaStrCopy.MSVBVM60 ref: 004162C5
__vbaStrMove.MSVBVM60(?), ref: 004162DF
__vbaStrCopy.MSVBVM60 ref: 004162F0
__vbaStrMove.MSVBVM60 ref: 00416318
__vbaStrMove.MSVBVM60(?,?), ref: 00416364
__vbaStrCopy.MSVBVM60 ref: 00416378
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 004163A3
__vbaStrCopy.MSVBVM60 ref: 004163BE
__vbaStrMove.MSVBVM60(?), ref: 004163D8
__vbaStrCopy.MSVBVM60 ref: 004163E9
__vbaStrMove.MSVBVM60 ref: 00416411
__vbaGenerateBoundsError.MSVBVM60 ref: 00416436
__vbaStrMove.MSVBVM60(?,?), ref: 0041645D
__vbaStrCopy.MSVBVM60 ref: 00416471
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041649C
__vbaStrCopy.MSVBVM60 ref: 004164B7
__vbaStrMove.MSVBVM60(?), ref: 004164D1
__vbaStrCopy.MSVBVM60 ref: 004164E2
__vbaStrMove.MSVBVM60 ref: 0041650A
__vbaGenerateBoundsError.MSVBVM60 ref: 0041652F
__vbaStrMove.MSVBVM60(?,?), ref: 00416556
__vbaStrCopy.MSVBVM60 ref: 0041656A
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00416595
__vbaStrCopy.MSVBVM60 ref: 004165B0
__vbaStrMove.MSVBVM60(?), ref: 004165CA
__vbaStrCopy.MSVBVM60 ref: 004165DB
__vbaStrMove.MSVBVM60 ref: 00416603
__vbaStrMove.MSVBVM60(?,?), ref: 0041664F
__vbaStrCopy.MSVBVM60 ref: 00416663
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041668E
__vbaStrCopy.MSVBVM60 ref: 004166A9
__vbaStrMove.MSVBVM60(?), ref: 004166C3
__vbaStrCopy.MSVBVM60 ref: 004166D4
__vbaStrMove.MSVBVM60 ref: 004166FC
__vbaVarMove.MSVBVM60(?,?), ref: 0041672E
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000), ref: 00416752
__vbaStrCopy.MSVBVM60 ref: 0041676D
__vbaStrMove.MSVBVM60(?), ref: 00416787
__vbaStrCopy.MSVBVM60 ref: 00416798
__vbaStrMove.MSVBVM60 ref: 004167C0
__vbaVarMove.MSVBVM60(?,?), ref: 004167F5
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000), ref: 00416819
__vbaStrCopy.MSVBVM60 ref: 00416834
__vbaStrMove.MSVBVM60(?), ref: 0041684E
__vbaStrCopy.MSVBVM60 ref: 0041685F
__vbaStrMove.MSVBVM60 ref: 00416887
__vbaStrMove.MSVBVM60(?,?), ref: 004168A8
__vbaStrMove.MSVBVM60(00000000), ref: 004168D2
#716.MSVBVM60(00000008,00000000), ref: 004168E0
__vbaObjVar.MSVBVM60(00000008), ref: 004168ED
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004168FB
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,00000000,00000000,00000000), ref: 0041692D
__vbaFreeVar.MSVBVM60 ref: 0041693C
__vbaStrCopy.MSVBVM60 ref: 00416954
__vbaStrMove.MSVBVM60(?), ref: 0041696E
__vbaStrCopy.MSVBVM60 ref: 0041697F
__vbaStrMove.MSVBVM60 ref: 004169A7
__vbaStrMove.MSVBVM60(?,?), ref: 004169C8
__vbaStrMove.MSVBVM60(00000000), ref: 004169F2
#716.MSVBVM60(00000008,00000000), ref: 00416A00
__vbaObjVar.MSVBVM60(00000008), ref: 00416A0D
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00416A1B
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,00000000,00000000,00000000), ref: 00416A4D
__vbaFreeVar.MSVBVM60 ref: 00416A5C
__vbaChkstk.MSVBVM60 ref: 00416A82
__vbaLateMemSt.MSVBVM60(?,Global), ref: 00416AB8
__vbaChkstk.MSVBVM60 ref: 00416ADE
__vbaLateMemSt.MSVBVM60(?,IgnoreCase), ref: 00416B14
__vbaChkstk.MSVBVM60 ref: 00416B26
__vbaLateMemSt.MSVBVM60(?,Pattern), ref: 00416B50
__vbaChkstk.MSVBVM60 ref: 00416B62
__vbaLateMemSt.MSVBVM60(?,Pattern), ref: 00416B98
__vbaRedim.MSVBVM60(00000880,00000010,?,0000000C,00000001,00000000,00000000), ref: 00416BC2
__vbaStrCopy.MSVBVM60 ref: 00416BDD
__vbaStrCopy.MSVBVM60 ref: 00416C03
__vbaStrMove.MSVBVM60(?), ref: 00416C1D
__vbaStrCopy.MSVBVM60 ref: 00416C2E
__vbaStrMove.MSVBVM60 ref: 00416C56
__vbaStrMove.MSVBVM60(?,?), ref: 00416C77
__vbaStrCopy.MSVBVM60 ref: 00416C88
__vbaStrMove.MSVBVM60(00000000), ref: 00416CA2
__vbaStrCopy.MSVBVM60 ref: 00416CB3
__vbaStrMove.MSVBVM60 ref: 00416CDB
__vbaStrMove.MSVBVM60(00000000,?), ref: 00416CFC
__vbaStrMove.MSVBVM60 ref: 00416D4E
__vbaStrCat.MSVBVM60(?,00000000), ref: 00416D5C
__vbaStrMove.MSVBVM60 ref: 00416D6A
__vbaStrMove.MSVBVM60(00000000), ref: 00416D7D
__vbaStrCat.MSVBVM60(00000000), ref: 00416D84
#626.MSVBVM60(?,00000008,0000000A), ref: 00416DAF
__vbaObjVar.MSVBVM60(?), ref: 00416DBC
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00416DC7
__vbaFreeStrList.MSVBVM60(0000000D,?,?,?,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,00000000), ref: 00416E2A
__vbaFreeVarList.MSVBVM60(00000003,00000008,0000000A,?), ref: 00416E4A
#598.MSVBVM60 ref: 00416E5A
__vbaStrCopy.MSVBVM60 ref: 00416E6F
__vbaLenBstr.MSVBVM60(00000000), ref: 00416E96
__vbaVarVargNofree.MSVBVM60 ref: 00416EC0
__vbaLenVar.MSVBVM60(00000008,00000000), ref: 00416ECE
__vbaVarCmpEq.MSVBVM60(0000000A,00008002,00000000), ref: 00416EE3
__vbaVarNot.MSVBVM60(?,00000000), ref: 00416EF1
__vbaVarAnd.MSVBVM60(?,0000000B,00000000), ref: 00416F06
__vbaBoolVarNull.MSVBVM60(00000000), ref: 00416F0D
__vbaFreeVar.MSVBVM60 ref: 00416F20
__vbaStrCat.MSVBVM60(004055A8,00000000), ref: 00416F43
__vbaStrMove.MSVBVM60 ref: 00416F4E
__vbaVarVargNofree.MSVBVM60(00000008), ref: 00416F7E
__vbaVarCat.MSVBVM60(00000008,00000000), ref: 00416F8C
__vbaStrVarMove.MSVBVM60(00000000), ref: 00416F93
__vbaStrMove.MSVBVM60 ref: 00416F9E
__vbaFreeVar.MSVBVM60 ref: 00416FAA
__vbaChkstk.MSVBVM60 ref: 0041700E
__vbaChkstk.MSVBVM60 ref: 0041703D
__vbaChkstk.MSVBVM60 ref: 0041706C
__vbaChkstk.MSVBVM60 ref: 0041709B
__vbaLateMemCall.MSVBVM60(?,enumvalues,00000004), ref: 004170D0
#560.MSVBVM60(?), ref: 004170E7
__vbaUbound.MSVBVM60(00000001,?,00000000), ref: 0041710A
__vbaRefVarAry.MSVBVM60(?), ref: 00417119
__vbaUbound.MSVBVM60(00000001), ref: 00417124
__vbaRedimPreserve.MSVBVM60(00000880,00000010,?,0000000C,00000001,-00000002), ref: 0041714E
__vbaRefVarAry.MSVBVM60(?), ref: 00417165
__vbaUbound.MSVBVM60(00000001), ref: 00417170
__vbaI2I4.MSVBVM60 ref: 00417178
__vbaVarCopy.MSVBVM60 ref: 004171E3
__vbaChkstk.MSVBVM60 ref: 00417208
__vbaVarIndexLoad.MSVBVM60(00000008,?,00000001), ref: 00417242
__vbaVarMove.MSVBVM60 ref: 00417253
__vbaVarTstEq.MSVBVM60(00008002,?), ref: 00417282
__vbaStrCat.MSVBVM60(004055A8,?), ref: 004172B6
__vbaChkstk.MSVBVM60 ref: 004172E4
__vbaVarIndexLoadRef.MSVBVM60(?,?,00000001), ref: 0041731E
__vbaChkstk.MSVBVM60 ref: 00417352
__vbaVarCat.MSVBVM60(0000000A,?,00000008), ref: 00417391
__vbaChkstk.MSVBVM60 ref: 0041739E
__vbaChkstk.MSVBVM60 ref: 004173C0
__vbaChkstk.MSVBVM60 ref: 004173EF
__vbaLateMemCall.MSVBVM60(?,getstringvalue,00000004), ref: 00417424
__vbaFreeVarList.MSVBVM60(00000003,00000008,0000000A,?), ref: 00417444
__vbaVarTstEq.MSVBVM60(00008002,?), ref: 0041747B
__vbaStrCat.MSVBVM60(004055A8,?), ref: 004174AF
__vbaChkstk.MSVBVM60 ref: 004174DD
__vbaVarIndexLoadRef.MSVBVM60(?,?,00000001), ref: 00417517
__vbaChkstk.MSVBVM60 ref: 0041754B
__vbaVarCat.MSVBVM60(0000000A,?,00000008), ref: 0041758A
__vbaChkstk.MSVBVM60 ref: 00417597
__vbaChkstk.MSVBVM60 ref: 004175B9
__vbaChkstk.MSVBVM60 ref: 004175E8
__vbaStrCat.MSVBVM60(004055A8,?), ref: 00418945
__vbaGenerateBoundsError.MSVBVM60 ref: 0041899F
__vbaGenerateBoundsError.MSVBVM60 ref: 004189BC
__vbaVarCat.MSVBVM60(0000000A,?,00000008), ref: 004189DD
__vbaChkstk.MSVBVM60 ref: 004189EA
__vbaVarLateMemSt.MSVBVM60(?,firebirdsncgfOSuUoKhMPcZZKaHeweYGxAwtGYYSacRrcPIcUQEflashers), ref: 00418A1C
__vbaFreeVarList.MSVBVM60(00000002,00000008,0000000A), ref: 00418A32
__vbaGenerateBoundsError.MSVBVM60 ref: 00418A99
__vbaGenerateBoundsError.MSVBVM60 ref: 00418AB6
__vbaChkstk.MSVBVM60 ref: 00418AC7
__vbaVarIndexLoad.MSVBVM60(00000008,?,00000001), ref: 00418B01
__vbaChkstk.MSVBVM60 ref: 00418B11
__vbaVarLateMemSt.MSVBVM60(?,palmitoleicLIAHVjNxTeizPuQabacli), ref: 00418B43
__vbaFreeVar.MSVBVM60 ref: 00418B4F
__vbaGenerateBoundsError.MSVBVM60 ref: 00418BB4
__vbaGenerateBoundsError.MSVBVM60 ref: 00418BD1
__vbaVarCat.MSVBVM60(00000008,00000008,?), ref: 00418BF2
__vbaChkstk.MSVBVM60 ref: 00418BFF
__vbaVarLateMemSt.MSVBVM60(?,foambNcAqYCUqVnIeMZJldXgNbootjack), ref: 00418C31
__vbaFreeVar.MSVBVM60 ref: 00418C3D
__vbaVarTstEq.MSVBVM60(00000001,?), ref: 00418C78
__vbaStrCopy.MSVBVM60 ref: 00418C9C
__vbaStrMove.MSVBVM60(?), ref: 00418CB6
__vbaStrCopy.MSVBVM60 ref: 00418CF3
__vbaStrMove.MSVBVM60 ref: 00418D1B
__vbaStrMove.MSVBVM60(?,?,?,00000001), ref: 00418D44
__vbaInStr.MSVBVM60(00000000,00000000,?,00000001), ref: 00418D4D
__vbaChkstk.MSVBVM60(?,00000001), ref: 00418D68
__vbaLateMemCallLd.MSVBVM60(00000008,?,test,00000001,?,00000001), ref: 00418DA7
__vbaChkstk.MSVBVM60(00000000), ref: 00418DB6
__vbaLateMemCallLd.MSVBVM60(0000000A,?,test,00000001,00000000), ref: 00418DF5
__vbaVarOr.MSVBVM60(?,00000000), ref: 00418E06
__vbaVarAnd.MSVBVM60(?,00000003,00000000), ref: 00418E1B
__vbaBoolVarNull.MSVBVM60(00000000), ref: 00418E22
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,00000000,00000000), ref: 00418E54
__vbaFreeVarList.MSVBVM60(00000002,00000008,0000000A), ref: 00418E6D
__vbaChkstk.MSVBVM60(00000008), ref: 00418EE9
__vbaVarIndexLoad.MSVBVM60(00000008,?,00000001,00000008), ref: 00418F23
__vbaVarAdd.MSVBVM60(0000000A,00000000), ref: 00418F34
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 00418F49
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00418F5E
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 00418F73
__vbaStrVarMove.MSVBVM60(00000000), ref: 00418F7A
__vbaStrMove.MSVBVM60 ref: 00418F87
__vbaFreeVarList.MSVBVM60(00000005,00000008,0000000A,?,?,?), ref: 00418FB2
__vbaStrCopy.MSVBVM60 ref: 00418FCD
__vbaStrMove.MSVBVM60(?), ref: 00418FE7
__vbaStrCopy.MSVBVM60 ref: 00418FF8
__vbaStrMove.MSVBVM60(00000000), ref: 00419012
__vbaStrCopy.MSVBVM60 ref: 00419036
__vbaStrMove.MSVBVM60 ref: 0041905E
__vbaStrCopy.MSVBVM60(?,?), ref: 00419092
__vbaStrMove.MSVBVM60 ref: 004190BA
__vbaStrMove.MSVBVM60(00000000,00000000,?,00000001), ref: 004190E3
__vbaInStr.MSVBVM60(00000000,00000000,?,00000001), ref: 004190EC
__vbaChkstk.MSVBVM60(00000001,?,00000001), ref: 00419109
__vbaVarIndexLoad.MSVBVM60(0000000A,?,00000001,00000001,?,00000001), ref: 00419143
__vbaInStrVar.MSVBVM60(?,00000000,00000008,00000000), ref: 0041915D
__vbaVarAnd.MSVBVM60(?,00000003,00000000), ref: 00419172
__vbaBoolVarNull.MSVBVM60(00000000), ref: 00419179
__vbaFreeStrList.MSVBVM60(00000009,?,?,?,00000000,00000000,00000000,?,00000000,00000000), ref: 004191C7
__vbaFreeVarList.MSVBVM60(00000003,00000008,0000000A,?), ref: 004191E7
__vbaStrCopy.MSVBVM60 ref: 00419211
__vbaStrMove.MSVBVM60(?), ref: 0041922B
__vbaStrCopy.MSVBVM60 ref: 0041923C
__vbaStrMove.MSVBVM60 ref: 00419264
__vbaStrMove.MSVBVM60(?,?,00000000), ref: 0041928C
__vbaStrCat.MSVBVM60(00000000), ref: 00419293
__vbaStrMove.MSVBVM60 ref: 004192A1
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 004192AD
__vbaStrMove.MSVBVM60 ref: 004192BB
__vbaStrCat.MSVBVM60(===============DARKCLOUD===============,00000000), ref: 004192C7
__vbaStrMove.MSVBVM60 ref: 004192D5
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 004192E1
__vbaStrMove.MSVBVM60 ref: 004192EE
__vbaFreeStrList.MSVBVM60(00000008,?,?,?,00000000,00000000,00000000,?,00000000), ref: 0041932E
__vbaStrCopy.MSVBVM60 ref: 00419349
__vbaStrMove.MSVBVM60(?), ref: 00419363
__vbaStrCopy.MSVBVM60 ref: 00419374
__vbaStrMove.MSVBVM60(00000000), ref: 0041938E
__vbaStrCopy.MSVBVM60 ref: 004193B2
__vbaStrMove.MSVBVM60 ref: 004193DA
__vbaStrCopy.MSVBVM60(?,?), ref: 0041940E
__vbaStrMove.MSVBVM60 ref: 00419436
__vbaStrMove.MSVBVM60(00000000,00000000,00000000,00000001), ref: 0041945F
__vbaInStr.MSVBVM60(00000000,00000000), ref: 00419468
__vbaChkstk.MSVBVM60 ref: 00419483
__vbaVarIndexLoad.MSVBVM60(0000000A,?,00000001), ref: 004194BD
__vbaVarCmpEq.MSVBVM60(?,00008008,00000000), ref: 004194D5
__vbaVarAnd.MSVBVM60(?,00000003,00000000), ref: 004194EA
__vbaBoolVarNull.MSVBVM60(00000000), ref: 004194F1
__vbaFreeStrList.MSVBVM60(00000009,?,?,?,00000000,00000000,00000000,?,00000000,00000000), ref: 0041953F
__vbaFreeVarList.MSVBVM60(00000002,0000000A,00008008), ref: 00419558
__vbaStrErrVarCopy.MSVBVM60(?), ref: 004195BA
__vbaChkstk.MSVBVM60(00000008), ref: 004195F0
__vbaVarIndexLoad.MSVBVM60(00008008,?,00000001,00000008), ref: 0041962A
__vbaVarAdd.MSVBVM60(0000000A,00000000), ref: 0041963B
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 00419650
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 00419665
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041967A
__vbaStrVarMove.MSVBVM60(00000000), ref: 00419681
__vbaStrMove.MSVBVM60 ref: 0041968E
__vbaFreeVarList.MSVBVM60(00000006,00008008,0000000A,?,00000008,?,?), ref: 004196C0
__vbaStrCopy.MSVBVM60 ref: 004196DB
__vbaStrMove.MSVBVM60(?), ref: 004196F5
__vbaStrCopy.MSVBVM60 ref: 00419706
__vbaStrMove.MSVBVM60(00000000), ref: 00419720
__vbaStrCopy.MSVBVM60 ref: 00419744
__vbaStrMove.MSVBVM60 ref: 0041976C
__vbaStrCopy.MSVBVM60(?,?), ref: 004197A0
__vbaStrMove.MSVBVM60 ref: 004197C8
__vbaStrMove.MSVBVM60(00000000,00000000,00000000,00000001), ref: 004197F1
__vbaInStr.MSVBVM60(00000000,00000000), ref: 004197FA
__vbaChkstk.MSVBVM60 ref: 00419815
__vbaVarIndexLoad.MSVBVM60(0000000A,?,00000001), ref: 0041984F
__vbaVarCmpEq.MSVBVM60(?,00008008,00000000), ref: 00419867
__vbaVarAnd.MSVBVM60(?,00000003,00000000), ref: 0041987C
__vbaBoolVarNull.MSVBVM60(00000000), ref: 00419883
__vbaFreeStrList.MSVBVM60(00000009,?,?,?,00000000,00000000,00000000,?,00000000,00000000), ref: 004198D1
__vbaFreeVarList.MSVBVM60(00000002,0000000A,00008008), ref: 004198EA
__vbaStrErrVarCopy.MSVBVM60(?), ref: 0041994C
__vbaChkstk.MSVBVM60(00000008), ref: 00419982
__vbaVarIndexLoad.MSVBVM60(00008008,?,00000001,00000008), ref: 004199BC
__vbaVarAdd.MSVBVM60(0000000A,00000000), ref: 004199CD
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 004199E2
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 004199F7
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 00419A0C
__vbaStrVarMove.MSVBVM60(00000000), ref: 00419A13
__vbaStrMove.MSVBVM60 ref: 00419A20
__vbaFreeVarList.MSVBVM60(00000006,00008008,0000000A,?,00000008,?,?), ref: 00419A52
__vbaStrCopy.MSVBVM60 ref: 00419A6D
__vbaStrMove.MSVBVM60(?), ref: 00419A87
__vbaStrCopy.MSVBVM60 ref: 00419A98
__vbaStrMove.MSVBVM60(00000000), ref: 00419AB2
__vbaStrCopy.MSVBVM60 ref: 00419AD6
__vbaStrMove.MSVBVM60 ref: 00419AFE
__vbaStrCopy.MSVBVM60(?,?), ref: 00419B32
__vbaStrMove.MSVBVM60 ref: 00419B5A
__vbaStrMove.MSVBVM60(00000000,00000000,00000000,00000001), ref: 00419B83
__vbaInStr.MSVBVM60(00000000,00000000), ref: 00419B8C
__vbaChkstk.MSVBVM60 ref: 00419BA7
__vbaVarIndexLoad.MSVBVM60(0000000A,?,00000001), ref: 00419BE1
__vbaVarCmpEq.MSVBVM60(?,00008008,00000000), ref: 00419BF9
__vbaVarAnd.MSVBVM60(?,00000003,00000000), ref: 00419C0E
__vbaBoolVarNull.MSVBVM60(00000000), ref: 00419C15
__vbaFreeStrList.MSVBVM60(00000009,?,?,?,00000000,00000000,00000000,?,00000000,00000000), ref: 00419C63
__vbaFreeVarList.MSVBVM60(00000002,0000000A,00008008), ref: 00419C7C
__vbaStrErrVarCopy.MSVBVM60(?), ref: 00419CDE
__vbaStrMove.MSVBVM60 ref: 00419CEC

Part of subcall function 0042EA80: __vbaLenBstr.MSVBVM60(00000000,00402700,00000000,6D42D8B1), ref: 0042EAC9
Part of subcall function 0042EA80: __vbaLenBstr.MSVBVM60 ref: 0042EAD7
Part of subcall function 0042EA80: __vbaFpI4.MSVBVM60 ref: 0042EB11
Part of subcall function 0042EA80: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000), ref: 0042EB31
Part of subcall function 0042EA80: __vbaUbound.MSVBVM60(00000001,?), ref: 0042EB40
Part of subcall function 0042EA80: __vbaGenerateBoundsError.MSVBVM60 ref: 0042EB80
Part of subcall function 0042EA80: #631.MSVBVM60(?,?,?,0040A4B0), ref: 0042EBB4
Part of subcall function 0042EA80: __vbaStrMove.MSVBVM60 ref: 0042EBBF
Part of subcall function 0042EA80: __vbaStrCat.MSVBVM60(00000000), ref: 0042EBC2
Part of subcall function 0042EA80: __vbaStrMove.MSVBVM60 ref: 0042EBCD

__vbaAryMove.MSVBVM60(?,?,?), ref: 00419D12

Part of subcall function 0041B290: __vbaChkstk.MSVBVM60(00000000,004030D6), ref: 0041B2AE
Part of subcall function 0041B290: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004030D6), ref: 0041B2DE
Part of subcall function 0041B290: #716.MSVBVM60(?,System.Security.Cryptography.RijndaelManaged,00000000,?,?,?,00000000,004030D6), ref: 0041B2FD
Part of subcall function 0041B290: __vbaVarSetVar.MSVBVM60(?,?,?,?,?,00000000,004030D6), ref: 0041B30B
Part of subcall function 0041B290: __vbaChkstk.MSVBVM60 ref: 0041B32E
Part of subcall function 0041B290: __vbaVarLateMemSt.MSVBVM60(?,keySize), ref: 0041B358
Part of subcall function 0041B290: __vbaChkstk.MSVBVM60 ref: 0041B37B
Part of subcall function 0041B290: __vbaVarLateMemSt.MSVBVM60(?,Padding), ref: 0041B3A5
Part of subcall function 0041B290: __vbaChkstk.MSVBVM60 ref: 0041B3C8
Part of subcall function 0041B290: __vbaVarLateMemSt.MSVBVM60(?,Mode), ref: 0041B3F2
Part of subcall function 0041B290: __vbaStrCopy.MSVBVM60 ref: 0041B407
Part of subcall function 0041B290: __vbaStrMove.MSVBVM60(?), ref: 0041B41B
Part of subcall function 0041B290: __vbaStrCopy.MSVBVM60 ref: 0041B429

__vbaChkstk.MSVBVM60(00000008,?), ref: 00419D54
__vbaVarIndexLoad.MSVBVM60(00008008,?,00000001,00000008,?), ref: 00419D8E
__vbaVarAdd.MSVBVM60(0000000A,00000000), ref: 00419D9F
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 00419DB4
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 00419DC9
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 00419DDE
__vbaStrVarMove.MSVBVM60(00000000), ref: 00419DE5
__vbaStrMove.MSVBVM60 ref: 00419DF2
__vbaFreeStr.MSVBVM60 ref: 00419DFE
__vbaFreeVarList.MSVBVM60(00000006,00008008,0000000A,?,00000008,?,?), ref: 00419E30
__vbaErase.MSVBVM60(00000000,?), ref: 00419E42
__vbaStrCopy.MSVBVM60 ref: 00419E5A
__vbaStrMove.MSVBVM60(?), ref: 00419E74
__vbaStrCopy.MSVBVM60 ref: 00419E85
__vbaStrMove.MSVBVM60(00000000), ref: 00419E9F
__vbaStrCopy.MSVBVM60 ref: 00419EC3
__vbaStrMove.MSVBVM60 ref: 00419EEB
__vbaStrCopy.MSVBVM60(?,?), ref: 00419F1F
__vbaStrMove.MSVBVM60 ref: 00419F47
__vbaStrMove.MSVBVM60(00000000,00000000,?,00000001), ref: 00419F70
__vbaInStr.MSVBVM60(00000000,00000000,?,00000001), ref: 00419F79
__vbaChkstk.MSVBVM60(?,00000001), ref: 00419F94
__vbaVarIndexLoad.MSVBVM60(0000000A,?,00000001,?,00000001), ref: 00419FCE
__vbaVarCmpEq.MSVBVM60(?,00008008,00000000), ref: 00419FE6
__vbaVarAnd.MSVBVM60(?,00000003,00000000), ref: 00419FFB
__vbaBoolVarNull.MSVBVM60(00000000), ref: 0041A002
__vbaFreeStrList.MSVBVM60(00000009,?,?,?,00000000,00000000,00000000,?,00000000,00000000), ref: 0041A050
__vbaFreeVarList.MSVBVM60(00000002,0000000A,00008008), ref: 0041A069
__vbaStrCopy.MSVBVM60 ref: 0041A093
__vbaStrMove.MSVBVM60(?), ref: 0041A0AD
__vbaStrErrVarCopy.MSVBVM60(?), ref: 0041A0F6
__vbaStrCopy.MSVBVM60 ref: 0041A12B
__vbaStrMove.MSVBVM60 ref: 0041A153
__vbaChkstk.MSVBVM60(00000008,?,?), ref: 0041A19C
__vbaVarIndexLoad.MSVBVM60(00008008,?,00000001,00000008,?,?), ref: 0041A1D6
__vbaVarAdd.MSVBVM60(0000000A,00000000), ref: 0041A1E7
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041A1FC
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041A211
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041A226
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041A23B
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0041A250
__vbaStrVarMove.MSVBVM60(00000000), ref: 0041A257
__vbaStrMove.MSVBVM60 ref: 0041A264
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000), ref: 0041A288
__vbaFreeVarList.MSVBVM60(00000009,00008008,0000000A,?,00000008,?,?,00000008,?,?), ref: 0041A2D2
__vbaStrCat.MSVBVM60(===============DARKCLOUD===============,00000000), ref: 0041A2ED
__vbaStrMove.MSVBVM60 ref: 0041A2FB
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 0041A307
__vbaStrMove.MSVBVM60 ref: 0041A314
__vbaFreeStr.MSVBVM60 ref: 0041A320
__vbaInStr.MSVBVM60(00000000,WinSCP 2,00000000,00000001), ref: 0041A363
__vbaChkstk.MSVBVM60 ref: 0041A37E
__vbaVarIndexLoad.MSVBVM60(00008008,?,00000001), ref: 0041A3B8
__vbaVarCmpEq.MSVBVM60(0000000A,00008008,00000000), ref: 0041A3D0
__vbaVarAnd.MSVBVM60(?,00000003,00000000), ref: 0041A3E5
__vbaBoolVarNull.MSVBVM60(00000000), ref: 0041A3EC
__vbaFreeVar.MSVBVM60 ref: 0041A3FF
__vbaStrErrVarCopy.MSVBVM60(?), ref: 0041A41E
__vbaStrMove.MSVBVM60 ref: 0041A42C
__vbaInStr.MSVBVM60(00000000,WinSCP 2,?,00000001), ref: 0041A46F
__vbaChkstk.MSVBVM60(?,00000001), ref: 0041A48A
__vbaVarIndexLoad.MSVBVM60(00008008,?,00000001,?,00000001), ref: 0041A4C4
__vbaVarCmpEq.MSVBVM60(0000000A,00008008,00000000), ref: 0041A4DC
__vbaVarAnd.MSVBVM60(?,00000003,00000000), ref: 0041A4F1
__vbaBoolVarNull.MSVBVM60(00000000), ref: 0041A4F8
__vbaFreeVar.MSVBVM60 ref: 0041A50B
__vbaStrErrVarCopy.MSVBVM60(?), ref: 0041A52A
__vbaStrMove.MSVBVM60 ref: 0041A535
__vbaStrCopy.MSVBVM60 ref: 0041A54D
__vbaStrMove.MSVBVM60(?), ref: 0041A567
__vbaStrCopy.MSVBVM60 ref: 0041A58B
__vbaStrMove.MSVBVM60 ref: 0041A5B3
__vbaInStr.MSVBVM60(00000000,WinSCP 2,?,00000001,?,?), ref: 0041A5EB
__vbaChkstk.MSVBVM60(?,00000001,?,?), ref: 0041A606
__vbaVarIndexLoad.MSVBVM60(0000000A,?,00000001,?,00000001,?,?), ref: 0041A640
__vbaVarCmpEq.MSVBVM60(?,00008008,00000000), ref: 0041A658
__vbaVarAnd.MSVBVM60(?,00000003,00000000), ref: 0041A66D
__vbaBoolVarNull.MSVBVM60(00000000), ref: 0041A674
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000), ref: 0041A69F
__vbaFreeVarList.MSVBVM60(00000002,0000000A,00008008), ref: 0041A6B8
__vbaStrErrVarCopy.MSVBVM60(?), ref: 0041A6DE
__vbaStrMove.MSVBVM60 ref: 0041A6EC
__vbaStrCat.MSVBVM60(Url: ,00000000), ref: 0041A705
__vbaStrMove.MSVBVM60 ref: 0041A713
__vbaStrCat.MSVBVM60(?,00000000), ref: 0041A721
__vbaStrMove.MSVBVM60 ref: 0041A72F
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 0041A73B
__vbaStrMove.MSVBVM60 ref: 0041A748
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041A75E
__vbaStrCat.MSVBVM60(Username: ,00000000), ref: 0041A779
__vbaStrMove.MSVBVM60 ref: 0041A787
__vbaStrCat.MSVBVM60(?,00000000), ref: 0041A792
__vbaStrMove.MSVBVM60 ref: 0041A7A0
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 0041A7AC
__vbaStrMove.MSVBVM60 ref: 0041A7B9
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041A7CF
__vbaStrCat.MSVBVM60(Password: ,00000000), ref: 0041A7EB
__vbaStrMove.MSVBVM60 ref: 0041A7F9

Part of subcall function 0041B890: __vbaChkstk.MSVBVM60(00000000,004030D6), ref: 0041B8AE
Part of subcall function 0041B890: __vbaOnError.MSVBVM60(000000FF,004019D0,-00000001,6D4FEC2C,00000000,004030D6), ref: 0041B8DE
Part of subcall function 0041B890: __vbaStrCat.MSVBVM60(00000000), ref: 0041B8FE
Part of subcall function 0041B890: __vbaVarMove.MSVBVM60 ref: 0041B91D
Part of subcall function 0041B890: __vbaLenBstr.MSVBVM60 ref: 0041B930
Part of subcall function 0041B890: __vbaStrCat.MSVBVM60(0040796C,?), ref: 0041B9A0
Part of subcall function 0041B890: __vbaStrMove.MSVBVM60 ref: 0041B9AE
Part of subcall function 0041B890: #631.MSVBVM60(00000002,-00000001,00000002,00000000), ref: 0041B9CF
Part of subcall function 0041B890: __vbaStrMove.MSVBVM60 ref: 0041B9DD
Part of subcall function 0041B890: __vbaStrCat.MSVBVM60(00000000), ref: 0041B9E4
Part of subcall function 0041B890: __vbaStrMove.MSVBVM60 ref: 0041B9F2
Part of subcall function 0041B890: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041BA08
Part of subcall function 0041B890: __vbaFreeVar.MSVBVM60 ref: 0041BA17

__vbaStrMove.MSVBVM60(?,?,?,00000000), ref: 0041A81F
__vbaStrCat.MSVBVM60(00000000), ref: 0041A826
__vbaStrMove.MSVBVM60 ref: 0041A834
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 0041A840
__vbaStrMove.MSVBVM60 ref: 0041A84D
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0041A86A
__vbaStrCat.MSVBVM60(Application: WinSCP,00000000), ref: 0041A886
__vbaStrMove.MSVBVM60 ref: 0041A894
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 0041A8A0
__vbaStrMove.MSVBVM60 ref: 0041A8AD
__vbaFreeStr.MSVBVM60 ref: 0041A8B9
__vbaStrCat.MSVBVM60(===============DARKCLOUD===============,00000000), ref: 0041A8D1
__vbaStrMove.MSVBVM60 ref: 0041A8DF
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 0041A8EB
__vbaStrMove.MSVBVM60 ref: 0041A8F8
__vbaFreeStr.MSVBVM60 ref: 0041A904
__vbaStrCat.MSVBVM60(004055A8,?), ref: 0041A93E
__vbaChkstk.MSVBVM60 ref: 0041A999
__vbaVarCat.MSVBVM60(0000000A,?,00000008), ref: 0041A9D8
__vbaChkstk.MSVBVM60 ref: 0041A9E5
__vbaChkstk.MSVBVM60 ref: 0041AA07
__vbaChkstk.MSVBVM60 ref: 0041AA36
__vbaChkstk.MSVBVM60 ref: 0041AA65
__vbaLateMemCall.MSVBVM60(?,getstringvalue,00000005), ref: 0041AA9A
__vbaFreeVarList.MSVBVM60(00000002,00000008,0000000A), ref: 0041AAB3
__vbaUbound.MSVBVM60(00000001,?), ref: 0041AACC
__vbaRedimPreserve.MSVBVM60(00000880,00000010,?,0000000C,00000001,00000000,00000000), ref: 0041AAF6
__vbaStrCat.MSVBVM60(004055A8,?), ref: 0041AB0F
__vbaGenerateBoundsError.MSVBVM60 ref: 0041AB69
__vbaGenerateBoundsError.MSVBVM60 ref: 0041AB86
__vbaVarCat.MSVBVM60(0000000A,?,00000008), ref: 0041ABA7
__vbaChkstk.MSVBVM60 ref: 0041ABB4
__vbaVarLateMemSt.MSVBVM60(?,firebirdsncgfOSuUoKhMPcZZKaHeweYGxAwtGYYSacRrcPIcUQEflashers), ref: 0041ABE6
__vbaFreeVarList.MSVBVM60(00000002,00000008,0000000A), ref: 0041ABFC
__vbaStrCopy.MSVBVM60 ref: 0041AC17
__vbaStrMove.MSVBVM60(?), ref: 0041AC31
__vbaStrCopy.MSVBVM60 ref: 0041AC42
__vbaStrMove.MSVBVM60 ref: 0041AC6A
__vbaGenerateBoundsError.MSVBVM60(?,?), ref: 0041ACD7
__vbaChkstk.MSVBVM60 ref: 0041AD05
__vbaVarLateMemSt.MSVBVM60(?,palmitoleicLIAHVjNxTeizPuQabacli), ref: 0041AD44
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000), ref: 0041AD68
__vbaFreeVar.MSVBVM60 ref: 0041AD77
__vbaGenerateBoundsError.MSVBVM60 ref: 0041ADDC
__vbaGenerateBoundsError.MSVBVM60 ref: 0041ADF9
__vbaVarCat.MSVBVM60(00000008,00000008,?), ref: 0041AE1A
__vbaChkstk.MSVBVM60 ref: 0041AE27
__vbaVarLateMemSt.MSVBVM60(?,foambNcAqYCUqVnIeMZJldXgNbootjack), ref: 0041AE59
__vbaFreeVar.MSVBVM60 ref: 0041AE65
__vbaChkstk.MSVBVM60 ref: 0041AEC6
__vbaChkstk.MSVBVM60 ref: 0041AEF5
__vbaChkstk.MSVBVM60 ref: 0041AF24
__vbaLateMemCall.MSVBVM60(?,EnumKey,00000003), ref: 0041AF59
#560.MSVBVM60(?), ref: 0041AF6D
__vbaForEachVar.MSVBVM60(?,?,?,?,?,?), ref: 0041AFAC
__vbaStrMove.MSVBVM60(?,?,?), ref: 0041AFDD
__vbaFreeStr.MSVBVM60 ref: 0041AFE9
__vbaNextEachVar.MSVBVM60(?,?,?,?,?), ref: 0041B019
__vbaAryUnlock.MSVBVM60(?,0041B26A), ref: 0041B113
__vbaFreeObj.MSVBVM60 ref: 0041B11F
__vbaFreeVar.MSVBVM60 ref: 0041B12B
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041B13A
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041B149
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041B158
__vbaFreeVar.MSVBVM60 ref: 0041B161
__vbaFreeStr.MSVBVM60 ref: 0041B16A
__vbaErrorOverflow.MSVBVM60 ref: 0041B283

Strings

2B1A1D186E3C14292B3477160011301F3B1A, xrefs: 004159F9
MQrjmATXcbKBCpTnQeWeFoZmsCWHLbX, xrefs: 004162E5
Application: WinSCP, xrefs: 0041A881
===============DARKCLOUD===============, xrefs: 00418010, 004192C2, 0041A2E8, 0041A8CC
oqTEhrlCyZMdapkEdLDclMl, xrefs: 0041678D, 0041A120
xSlwZiQnRQDmDXCuhsXxuBZdyNiiKUGCJV, xrefs: 00419403, 00419795, 00419B27, 00419F14
1F17012475252A042E333A, xrefs: 00415BEB
2A11, xrefs: 00419A62
ycjdNikmPGuofJBlFuYhiU, xrefs: 004193A7
03200102292E1B3D521F2730067622332213, xrefs: 004163B3
WinSCP 2, xrefs: 0041A35C, 0041A468, 0041A5E4
030F0E0C15, xrefs: 00415ED6
xkkmUOcnApOwfnMrtRiLqYdmoMgvcQZQmvQyWtcMFt, xrefs: 0041792A, 0041902B, 0041A580
nFboeyGjLSXZdNDBKtuiEFuv, xrefs: 00415F01
qShfovovyMStOCIvCXCTm, xrefs: 00415D0F
VZWslqsTuRVoohxyApIZOsnmhgBXMscV, xrefs: 004164D7
151C3D3373040C051C1F4B300A0319310022, xrefs: 0041551C
VIQkIQvoVSlzJCqPkbZMOkamREyrplLtg, xrefs: 0041789C, 00418CE8, 00419087
03092417503834140A4B0008180D, xrefs: 00415AF2
8V@, xrefs: 0041AA1F, 0041AF3C
Global, xrefs: 00416AAC
0438083B3E05003027, xrefs: 00417846, 00418C91, 00418FED
EnumKey, xrefs: 0041AF50
23213803311C3F39781F053938331C251E252B360D033A043318331D76232F1409263B390037052E37633830, xrefs: 00416BF8
GetExpandedStringValue, xrefs: 00418648
2628097069392E26003D05, xrefs: 0041570E
HuMANzoInvqjU, xrefs: 0041592B
1203273C3C123D1972050A1D1E1D0B, xrefs: 004164AC
Username: , xrefs: 0041A774
mSrrJAMwPlIBizSlvSJnbgNFHPMbtExWOukmyCoPHVWO, xrefs: 00415FFA
IgnoreCase, xrefs: 00416B08
2B05173A, xrefs: 0041933E
rQYUtUvOvXVHZcAyVluIUULaqDmfiNK, xrefs: 00415C16
firebirdsncgfOSuUoKhMPcZZKaHeweYGxAwtGYYSacRrcPIcUQEflashers, xrefs: 00418A07, 0041ABD1
anxXwGUGUdnvXPPexWyUMBU, xrefs: 00416CA8
8V@, xrefs: 004172FC, 00417220
IKtURdOrQrJTUtVlROvWiJksPlxjRXfYF, xrefs: 004163DE
keONWvDpKfSIpBeJlhvrDso, xrefs: 00419739
TyByvsFtDEqry, xrefs: 00419EB8
2600151E5A3A3A0B045124342510, xrefs: 00415900
Url: , xrefs: 0041A700
183F2B3D61012B0610, xrefs: 004162BA
323A320607240022233B36576315392428063E3F, xrefs: 00417DBC, 00419206
KvWGqCPwJjbEahwFyEaHtclpMhLMZdkTc, xrefs: 004165D0, 0041AC37
303C2B25, xrefs: 004196D0
foambNcAqYCUqVnIeMZJldXgNbootjack, xrefs: 00418C1C, 0041AE44
test, xrefs: 00418D94, 00418DE2
0401311D6B260E131F1633, xrefs: 00415615
ONaNuyhIWxRaZpCuCIJJV, xrefs: 00415E08
Password: , xrefs: 0041A7E6
Pattern, xrefs: 00416B44, 00416B8C
1E322400241908017731200E023D24, xrefs: 00416829, 00416949
lTHVnVqKJBd, xrefs: 00416C23
8V@, xrefs: 0041AEDE, 00418D80, 00419121, 0041949B, 0041982D, 00419BBF, 00419FAC, 0041A396, 0041A4A2, 0041A61E, 0041A1B4, 00419D6C, 0041999A, 00419608, 00418F01
GetMultiStringValue, xrefs: 00418841
246E0B064A1D2C7B135246573D0B791F6515647B196E3A1B6B2A264A3D5D7B703D37433E7909686214617A02274C00077D3D3A1C5F7A7C1F424A, xrefs: 0041669E
3B0A1E26380C1C25, xrefs: 00417871, 00418FC2, 0041A542
xvgYCIjKTvXwKZvOGENTBKktGKyOWJn, xrefs: 00415739
0A1E1F22742B07350508144E32391D, xrefs: 004160C8
nFQicSAaduskqngkTsQuJSQnPJftLtPZbn, xrefs: 00415547
1222214566250B1339791C180F27, xrefs: 00415807
WMGpGpmGqxkNiuhOPRtUqQ, xrefs: 00415B1D
072C0F25593D3A320A722F3B1D26, xrefs: 00415DDD
1A25273F563C130B3B3606, xrefs: 00415CE4
enumvalues, xrefs: 004170C7
ZeTIHNyyHBXWWduBzHihkYbgKwZvGwUkc, xrefs: 00415A24
2018204463330B0E3D, xrefs: 004161C1
KpWpwCfxkOfEMPxJmczozsJFjHeXHZjBIcRmJFEeiq, xrefs: 004161EC
320A371833092330020F0334246A360C332B302A12270E18, xrefs: 00416C7D
~, xrefs: 0041AE6B
2F7C7A4948306C2575644C3A11463F25611E53417441302C7F19465B372254200C493B40467C3917254E160C413541797C452D3168257416054C0A2A683E113F51, xrefs: 00416762
SBJKrTxbGsmfngkQEZstaBFyGmSEblEHt, xrefs: 004160F3
bBmqvFpxvKYRy, xrefs: 00415832
azFPgggmVIbknbWTCKHORYF, xrefs: 004166C9, 00419ACB
292D0B02, xrefs: 00419E4F
GetDWORDValue, xrefs: 00417614
302435041B0F220D33220A5B50282A162902373C, xrefs: 0041A088
1B26261A611804351E, xrefs: 00415FCF
251A13216305042F18, xrefs: 004165A5
1023251F2F053E, xrefs: 00419369, 004196FB, 00419A8D, 00419E7A
getstringvalue, xrefs: 0041741B, 0041AA91
HostName, xrefs: 0041A340
vWLeMKukaisAUxbjdBqdvNUMxQIdSGzWuRsblpzmZY, xrefs: 00415640
jHpwcVpxuYcEiGETWFUrBhJaHFinZvnuzuawSdeontU, xrefs: 00416854, 00416974
palmitoleicLIAHVjNxTeizPuQabacli, xrefs: 00418B2E, 0041AD2F
TsJBjnGaVJTXmCZLPDiQTvFLVphStxldHrXdpGCrMOT, xrefs: 00417E4E, 00419231
getbinaryvalue, xrefs: 0041780D
UserName, xrefs: 0041A44C

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Copy$Free$List$Chkstk$Error$BoundsGenerate$Late$IndexLoad$BoolNull$Bstr$Call$Ubound$#631Redim$#716AddrefDestruct$#516#560EachNofreePreserveVarg$#537#598#608#626#632Construct2EraseNextOverflowUnlock
String ID: 03092417503834140A4B0008180D$030F0E0C15$03200102292E1B3D521F2730067622332213$0401311D6B260E131F1633$0438083B3E05003027$072C0F25593D3A320A722F3B1D26$0A1E1F22742B07350508144E32391D$1023251F2F053E$1203273C3C123D1972050A1D1E1D0B$1222214566250B1339791C180F27$151C3D3373040C051C1F4B300A0319310022$183F2B3D61012B0610$1A25273F563C130B3B3606$1B26261A611804351E$1E322400241908017731200E023D24$1F17012475252A042E333A$2018204463330B0E3D$23213803311C3F39781F053938331C251E252B360D033A043318331D76232F1409263B390037052E37633830$246E0B064A1D2C7B135246573D0B791F6515647B196E3A1B6B2A264A3D5D7B703D37433E7909686214617A02274C00077D3D3A1C5F7A7C1F424A$251A13216305042F18$2600151E5A3A3A0B045124342510$2628097069392E26003D05$292D0B02$2A11$2B05173A$2B1A1D186E3C14292B3477160011301F3B1A$2F7C7A4948306C2575644C3A11463F25611E53417441302C7F19465B372254200C493B40467C3917254E160C413541797C452D3168257416054C0A2A683E113F51$302435041B0F220D33220A5B50282A162902373C$303C2B25$320A371833092330020F0334246A360C332B302A12270E18$323A320607240022233B36576315392428063E3F$3B0A1E26380C1C25$8V@$8V@$8V@$===============DARKCLOUD===============$Application: WinSCP$EnumKey$GetDWORDValue$GetExpandedStringValue$GetMultiStringValue$Global$HostName$HuMANzoInvqjU$IKtURdOrQrJTUtVlROvWiJksPlxjRXfYF$IgnoreCase$KpWpwCfxkOfEMPxJmczozsJFjHeXHZjBIcRmJFEeiq$KvWGqCPwJjbEahwFyEaHtclpMhLMZdkTc$MQrjmATXcbKBCpTnQeWeFoZmsCWHLbX$ONaNuyhIWxRaZpCuCIJJV$Password: $Pattern$SBJKrTxbGsmfngkQEZstaBFyGmSEblEHt$TsJBjnGaVJTXmCZLPDiQTvFLVphStxldHrXdpGCrMOT$TyByvsFtDEqry$Url: $UserName$Username: $VIQkIQvoVSlzJCqPkbZMOkamREyrplLtg$VZWslqsTuRVoohxyApIZOsnmhgBXMscV$WMGpGpmGqxkNiuhOPRtUqQ$WinSCP 2$ZeTIHNyyHBXWWduBzHihkYbgKwZvGwUkc$anxXwGUGUdnvXPPexWyUMBU$azFPgggmVIbknbWTCKHORYF$bBmqvFpxvKYRy$enumvalues$firebirdsncgfOSuUoKhMPcZZKaHeweYGxAwtGYYSacRrcPIcUQEflashers$foambNcAqYCUqVnIeMZJldXgNbootjack$getbinaryvalue$getstringvalue$jHpwcVpxuYcEiGETWFUrBhJaHFinZvnuzuawSdeontU$keONWvDpKfSIpBeJlhvrDso$lTHVnVqKJBd$mSrrJAMwPlIBizSlvSJnbgNFHPMbtExWOukmyCoPHVWO$nFQicSAaduskqngkTsQuJSQnPJftLtPZbn$nFboeyGjLSXZdNDBKtuiEFuv$oqTEhrlCyZMdapkEdLDclMl$palmitoleicLIAHVjNxTeizPuQabacli$qShfovovyMStOCIvCXCTm$rQYUtUvOvXVHZcAyVluIUULaqDmfiNK$test$vWLeMKukaisAUxbjdBqdvNUMxQIdSGzWuRsblpzmZY$xSlwZiQnRQDmDXCuhsXxuBZdyNiiKUGCJV$xkkmUOcnApOwfnMrtRiLqYdmoMgvcQZQmvQyWtcMFt$xvgYCIjKTvXwKZvOGENTBKktGKyOWJn$ycjdNikmPGuofJBlFuYhiU$~
API String ID: 3462107310-1560269496
Opcode ID: 1365aa2246e3f2cca95b1da27a375b6b3a465d23d85869c4b91ccfaf227d7d0e
Instruction ID: 00fa0c254ae13740f31c86811d7fd109a71ff9e9f309cfcbc8a9d2ad7831d534
Opcode Fuzzy Hash: 1365aa2246e3f2cca95b1da27a375b6b3a465d23d85869c4b91ccfaf227d7d0e
Instruction Fuzzy Hash: FAC3E5759002189FDB65DF54CD88BDEB7B8BB48304F1082EAE50AA72A0DB745BC5CF94

Function 0040D4E0 Relevance: 1165.2, APIs: 621, Strings: 42, Instructions: 4925COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004030D6), ref: 0040D4FE
__vbaAryConstruct2.MSVBVM60(?,00404E44,00000008,?,?,?,00000000,004030D6), ref: 0040D530
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004030D6), ref: 0040D53F
__vbaUbound.MSVBVM60(00000001,00659730,?,?,?,00000000,004030D6), ref: 0040D555
__vbaI2I4.MSVBVM60(?,?,?,00000000,004030D6), ref: 0040D55D
__vbaGenerateBoundsError.MSVBVM60 ref: 0040D60A
__vbaGenerateBoundsError.MSVBVM60 ref: 0040D627
__vbaStrCat.MSVBVM60(004055A8,00659730), ref: 0040D64B
__vbaStrMove.MSVBVM60 ref: 0040D659
__vbaAryMove.MSVBVM60((En,?,?,0043D064), ref: 0040D682
__vbaFreeStr.MSVBVM60 ref: 0040D68E
__vbaUbound.MSVBVM60(00000001,006E4528), ref: 0040D6B9
__vbaI2I4.MSVBVM60 ref: 0040D6C1
__vbaStrCopy.MSVBVM60 ref: 0040D722
__vbaStrMove.MSVBVM60(?), ref: 0040D73C
__vbaStrCopy.MSVBVM60 ref: 0040D74D
__vbaStrMove.MSVBVM60 ref: 0040D775
__vbaStrMove.MSVBVM60(?,?), ref: 0040D796
__vbaStrMove.MSVBVM60(006E4528), ref: 0040D841
__vbaStrCat.MSVBVM60(00000000), ref: 0040D848
__vbaUbound.MSVBVM60(00000001,006597C0), ref: 0040FD78
__vbaI2I4.MSVBVM60 ref: 0040FD80
__vbaStrCat.MSVBVM60(004055A8,006597C0), ref: 0040FE6E
__vbaStrMove.MSVBVM60 ref: 0040FE7C
__vbaAryMove.MSVBVM60((En,?,?,0043D064), ref: 0040FEA5
__vbaFreeStr.MSVBVM60 ref: 0040FEB1
__vbaUbound.MSVBVM60(00000001,006E4528), ref: 0040FEDC
__vbaI2I4.MSVBVM60 ref: 0040FEE4
__vbaStrCopy.MSVBVM60 ref: 0040FF44
__vbaStrMove.MSVBVM60(?), ref: 0040FF5E
__vbaStrCopy.MSVBVM60 ref: 0040FF6F
__vbaStrMove.MSVBVM60 ref: 0040FF97

Strings

===============DARKCLOUD===============, xrefs: 0040FC90
302B1433392B041317270137112B0128283E2A2122040C3B1437520A2B3905172C030633431707253D3305022E073404112B142E222F052A72595F61200234777A, xrefs: 0041228F
oqTEhrlCyZMdapkEdLDclMl, xrefs: 0040F39D
xSlwZiQnRQDmDXCuhsXxuBZdyNiiKUGCJV, xrefs: 004123B3
AAobmlFZVPxYE, xrefs: 004128E2
0003112E1E301C370D0239140F22070D2F1B3727071C3029123A003F3034, xrefs: 00412388
\User Data\Default\Login Data, xrefs: 0040DCDE, 0040E02F, 00410501, 00410855
TcDrGNJvvKjh, xrefs: 0040FA5E, 004122BA
(En, xrefs: 0040D67D, 0040D6B0, 0040D79C, 0040D7A5, 0040D7B8, 0040D7C7, 0040D823, 0040D8F4, 0040D8FD, 0040D910, 0040D91E, 0040D974, 0040DAF3, 0040DAFC, 0040DB0F, 0040DB1D, 0040DB79, 0040DC5B, 0040DC64, 0040DC77, 0040DC85, 0040DCCB, 0040DD5F, 0040DD68, 0040DD7B, 0040DD89, 0040DDCF, 0040DDD8, 0040DDEB, 0040DDF9, 0040DE3F, 0040DED1, 0040DEF5, 0040DFAC, 0040DFB5, 0040DFC8, 0040DFD6, 0040E01C, 0040E140, 0040E149, 0040E15C, 0040E16A, 0040E1C6, 0040E298, 0040E2A1, 0040E2B3, 0040E2C2, 0040E317, 0040E496, 0040E49F, 0040E4B1, 0040E4C0, 0040E51B, 0040E5FD, 0040E606, 0040E618, 0040E627, 0040E66E, 0040E69C, 0040E6A5, 0040E6B8, 0040E6C6, 0040E71C, 0040E816, 0040E916, 0040E91F, 0040E931, 0040E940, 0040E985, 0040EA18, 0040EA21, 0040EA33, 0040EA42, 0040EA87, 0040EA90, 0040EAA2, 0040EAB1, 0040EAF6, 0040EB87, 0040EBAB, 0040EC63, 0040EC6C, 0040EC7E, 0040EC8D, 0040ECD2, 0040ED70, 0040ED79, 0040ED8C, 0040ED9B, 0040EDE3, 0040EE22, 0040EE2B, 0040EE3D, 0040EE4C, 0040EE91, 0040FEA0, 0040FED3, 0040FFBE, 0040FFC7, 0040FFD9, 0040FFE8, 00410043, 00410115, 0041011E, 00410131, 00410140, 00410196, 00410315, 0041031E, 00410331, 00410340, 0041039C, 0041047D, 00410486, 00410499, 004104A8, 004104EE, 00410582, 0041058B, 0041059E, 004105AD, 004105F3, 004105FC, 0041060F, 0041061E, 00410664, 004106F6, 00410719, 004107D1, 004107DA, 004107ED, 004107FC, 00410842, 00410966, 0041096F, 00410982, 00410991, 004109ED, 00410ABE, 00410AC7, 00410ADA, 00410AE8, 00410B3E, 00410CBD, 00410CC6, 00410CD9, 00410CE7, 00410D43, 00410E25, 00410E2E, 00410E41, 00410E4F, 00410E97, 00410EC6, 00410ECF, 00410EE2, 00410EF1, 00410F47, 00411041, 00411142, 0041114B, 0041115E, 0041116C, 004111B2, 00411246, 0041124F, 00411262, 00411270, 004112B6, 004112BF, 004112D2, 004112E0, 00411326, 004113B8, 004113DC, 00411493, 0041149C, 004114AF, 004114BD, 00411503
lTHVnVqKJBd, xrefs: 0040FA25
\Default, xrefs: 004118FF
6F1B1A19, xrefs: 004127A1
EoyHOIFPgxTjvtZwjUtMeZQ, xrefs: 0040D742, 0040DA4E, 0040FF64, 00410270
\Profiles, xrefs: 0040E717, 0040E997, 0040ECE4, 00410F42, 004111C5, 00411516
jAMBZCJPZkSYHclvQlTnjDT, xrefs: 0040E0E6, 0040E3F1, 0041090C, 00410C18, 004117E2
2F08281B2E3626210D0118786A702B17251D031D0C, xrefs: 0040FBEA
33250134392504126B5048, xrefs: 0040F9FA
AJMysHCsjcSZXddJaKcAAE, xrefs: 0040F67A
wwHIhKTguiXEm, xrefs: 00412872
DC-Creds, xrefs: 00412B06
Profiles, xrefs: 0040E680, 00410EAA
5E7B360D06182A173D16240F110620596B1110093F020E1C3162355D1A22152F28, xrefs: 0040F372
333D2D2928333C13241805111D34572E34002C, xrefs: 0040D717, 0040DA23, 0040FF39, 00410245
azFPgggmVIbknbWTCKHORYF, xrefs: 0040EF90, 0040F15C
060C3C001A183021122507021318377420302E12152A393F0D1D032A01146E5A3A2302022A3D1F2C34, xrefs: 00412481
ZYbKuIAfZGABKZsrrWeOuYJ, xrefs: 004127EE
olUnnsCDZEQcMXkIRjcKrc, xrefs: 00411FCF
\User Data, xrefs: 0040D96F, 0040E312, 00410191, 00410B39
3F3A081A0422363F191C0A2E2A043A3D0C17173D050905360B3242766A6A191E1639340426393633391D050600301D323C3630362A3E081161587E6729250D4257, xrefs: 00411FA4
NordVPN, xrefs: 0040EDF6
013B331C3810262F625E4C, xrefs: 0040F9CF
3D173E033034353038231F3B223F1617310D09022433080D1D0446717B77092B1B02343F3F0E24070B3A2B2B39041D2417023339283A0F324F6B6765263E114961, xrefs: 0041209D
1D012D3D2A24701E0A2738, xrefs: 0040E0BB, 0040E3C6, 004108E1, 00410BED, 004117B7
1A2D06251C15230809000F0E, xrefs: 0041274B
anxXwGUGUdnvXPPexWyUMBU, xrefs: 0040FC15, 004120C8
2633230215490E3927040209, xrefs: 0040EF65, 0040F131
65620A163C371A0404081A3605092F5C6C3320323636253F1D54156C050B0F263F, xrefs: 0040F64F
r, xrefs: 00412B6F
SUcZtmyBDNhfpgqYTpBGyg, xrefs: 004124AC
TsJBjnGaVJTXmCZLPDiQTvFLVphStxldHrXdpGCrMOT, xrefs: 004121C1
2025241E192613331619310E31353F3F221D0D031F282839071B733A2C30273D002A011E3315173F3C3D3B1D16150300230E213974150830292D372D0736742533, xrefs: 00412196
221B0C3A05152A30, xrefs: 00412776

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$CopyUbound$Error$BoundsFreeGenerate$ChkstkConstruct2
String ID: (En$0003112E1E301C370D0239140F22070D2F1B3727071C3029123A003F3034$013B331C3810262F625E4C$060C3C001A183021122507021318377420302E12152A393F0D1D032A01146E5A3A2302022A3D1F2C34$1A2D06251C15230809000F0E$1D012D3D2A24701E0A2738$2025241E192613331619310E31353F3F221D0D031F282839071B733A2C30273D002A011E3315173F3C3D3B1D16150300230E213974150830292D372D0736742533$221B0C3A05152A30$2633230215490E3927040209$2F08281B2E3626210D0118786A702B17251D031D0C$302B1433392B041317270137112B0128283E2A2122040C3B1437520A2B3905172C030633431707253D3305022E073404112B142E222F052A72595F61200234777A$33250134392504126B5048$333D2D2928333C13241805111D34572E34002C$3D173E033034353038231F3B223F1617310D09022433080D1D0446717B77092B1B02343F3F0E24070B3A2B2B39041D2417023339283A0F324F6B6765263E114961$3F3A081A0422363F191C0A2E2A043A3D0C17173D050905360B3242766A6A191E1639340426393633391D050600301D323C3630362A3E081161587E6729250D4257$5E7B360D06182A173D16240F110620596B1110093F020E1C3162355D1A22152F28$65620A163C371A0404081A3605092F5C6C3320323636253F1D54156C050B0F263F$6F1B1A19$===============DARKCLOUD===============$AAobmlFZVPxYE$AJMysHCsjcSZXddJaKcAAE$DC-Creds$EoyHOIFPgxTjvtZwjUtMeZQ$NordVPN$Profiles$SUcZtmyBDNhfpgqYTpBGyg$TcDrGNJvvKjh$TsJBjnGaVJTXmCZLPDiQTvFLVphStxldHrXdpGCrMOT$ZYbKuIAfZGABKZsrrWeOuYJ$\Default$\Profiles$\User Data$\User Data\Default\Login Data$anxXwGUGUdnvXPPexWyUMBU$azFPgggmVIbknbWTCKHORYF$jAMBZCJPZkSYHclvQlTnjDT$lTHVnVqKJBd$olUnnsCDZEQcMXkIRjcKrc$oqTEhrlCyZMdapkEdLDclMl$r$wwHIhKTguiXEm$xSlwZiQnRQDmDXCuhsXxuBZdyNiiKUGCJV
API String ID: 410742324-2015333847
Opcode ID: 31a448adb062f6022ac815a1d79c97102e26fda67437d6ae5e85209e46d6577a
Instruction ID: 393a281464da97b9c1e1e85cfeb9b11dbb17ef5791edb26e4e75dbd9ecbfdce2
Opcode Fuzzy Hash: 31a448adb062f6022ac815a1d79c97102e26fda67437d6ae5e85209e46d6577a
Instruction Fuzzy Hash: 25C3F774901218DFDB24DF60DD88BDAB7B5FB48304F1081EAE54AB72A0DB745A89CF58

Function 004345B0 Relevance: 773.1, APIs: 429, Strings: 11, Instructions: 3052COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004030D6), ref: 004345CE
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004030D6), ref: 004345FE
__vbaUbound.MSVBVM60(00000001,00659730,?,00000000,?,00000000,004030D6), ref: 00434613
__vbaI2I4.MSVBVM60(?,00000000,?,00000000,004030D6), ref: 0043461B
__vbaGenerateBoundsError.MSVBVM60 ref: 004346B6
__vbaGenerateBoundsError.MSVBVM60 ref: 004346D0
__vbaStrCat.MSVBVM60(004055A8,00659730), ref: 004346F3
__vbaStrMove.MSVBVM60 ref: 004346FE
__vbaAryMove.MSVBVM60((En,?,00000000,0043D064), ref: 0043471E
__vbaFreeStr.MSVBVM60 ref: 00434727
__vbaUbound.MSVBVM60(00000001,006E4528), ref: 00434751
__vbaI2I4.MSVBVM60 ref: 00434759
__vbaStrCopy.MSVBVM60 ref: 004347B2
__vbaStrMove.MSVBVM60(00000000), ref: 004347C6
__vbaStrCopy.MSVBVM60 ref: 004347D4
__vbaStrMove.MSVBVM60 ref: 004347F3
__vbaStrMove.MSVBVM60(?,?), ref: 0043480B
__vbaStrMove.MSVBVM60(006E4528), ref: 004348A4
__vbaStrCat.MSVBVM60(00000000), ref: 004348AB
__vbaUbound.MSVBVM60(00000001,006597C0), ref: 00435DBB
__vbaI2I4.MSVBVM60 ref: 00435DC3
__vbaStrCat.MSVBVM60(004055A8,006597C0), ref: 00435EA7
__vbaStrMove.MSVBVM60 ref: 00435EB2
__vbaAryMove.MSVBVM60((En,?,00000000,0043D064), ref: 00435ED2
__vbaFreeStr.MSVBVM60 ref: 00435EDB
__vbaUbound.MSVBVM60(00000001,006E4528), ref: 00435F05
__vbaI2I4.MSVBVM60 ref: 00435F0D
__vbaStrCopy.MSVBVM60 ref: 00435F6C
__vbaStrMove.MSVBVM60(00000000), ref: 00435F80
__vbaStrCopy.MSVBVM60 ref: 00435F8E
__vbaStrMove.MSVBVM60 ref: 00435FAD

Strings

Profiles, xrefs: 00435715, 00436ECF
1E08152C02383D211B080A200F030836, xrefs: 004347AA, 00434A57, 00435F64, 00436211
d, xrefs: 0043755A
(En, xrefs: 00434719, 00434749, 00434811, 0043481A, 0043482D, 00434838, 00434888, 00434944, 0043494D, 0043495F, 0043496B, 004349BA, 00434ABE, 00434B2B, 00434B34, 00434B46, 00434B52, 00434BA1, 00434D2E, 00434D37, 00434D4A, 00434D55, 00434DA5, 00434E61, 00434E6A, 00434E7C, 00434E88, 00434ED7, 00434FDB, 00435048, 00435051, 00435063, 0043506F, 004350BE, 004351E4, 004351ED, 004351FF, 0043520B, 0043524A, 004352DC, 004352E5, 004352F7, 00435303, 00435342, 0043534B, 0043535D, 00435369, 004353A8, 0043542A, 0043544E, 004354AF, 004354B8, 004354CB, 004354D6, 00435516, 0043553F, 00435548, 0043555B, 00435567, 004355A7, 0043569B, 004356A4, 004356B6, 004356C2, 00435703, 00435731, 004357ED, 004357F6, 00435809, 00435814, 00435864, 00435996, 0043599F, 004359B2, 004359BE, 004359FE, 00435A7A, 00435A83, 00435A96, 00435AA2, 00435AE2, 00435B31, 00435B3A, 00435B4D, 00435B58, 00435B98, 00435BA1, 00435BB4, 00435BBF, 00435BFF, 00435C82, 00435CA6, 00435ECD, 00435EFD, 00435FCB, 00435FD4, 00435FE7, 00435FF2, 00436042, 004360FE, 00436107, 00436119, 00436125, 00436174, 00436278, 004362E5, 004362EE, 00436300, 0043630C, 0043635B, 004364E8, 004364F1, 00436504, 0043650F, 0043655F, 0043661B, 00436624, 00436636, 00436642, 00436691, 00436795, 00436802, 0043680B, 0043681D, 00436829, 00436878, 0043699E, 004369A7, 004369B9, 004369C5, 00436A04, 00436A96, 00436A9F, 00436AB1, 00436ABD, 00436AFC, 00436B05, 00436B17, 00436B23, 00436B62, 00436BE4, 00436C08, 00436C69, 00436C72, 00436C85, 00436C90, 00436CD0, 00436CF9, 00436D02, 00436D15, 00436D21, 00436D61, 00436E55, 00436E5E, 00436E70, 00436E7C, 00436EBD, 00436EEB, 00436FA7, 00436FB0, 00436FC3, 00436FCE, 0043701E, 00437150, 00437159, 0043716C, 00437178, 004371B8, 00437234, 0043723D, 00437250, 0043725C, 0043729C, 004372EB, 004372F4, 00437307, 00437312, 00437352, 0043735B, 0043736E, 00437379, 004373B9, 0043743C, 00437460
\User Data, xrefs: 004349B5, 00434ED2, 00435529, 0043616F, 0043668C, 00436CE3
\User Data\Default\Cookies, xrefs: 0043525C, 004355BA, 00436A16, 00436D74
JBLpJcMQUGKeOdjmEdqOvwF, xrefs: 004347CC, 00434A79, 00435F86, 00436233
Cookies.json, xrefs: 00434C85, 00435190, 00435659, 00435942, 00435D47, 0043643F, 0043694A, 00436E13, 004370FC, 00437501
\Profiles, xrefs: 0043585F, 00435A11, 00435AF5, 00437019, 004371CB, 004372AF
DEmYVhVfpKtLM, xrefs: 00434CE9, 00434F96, 004364A3, 00436750
192E3639033F0303, xrefs: 00434CC7, 00434F74, 00436481, 0043672E

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$CopyUbound$Error$BoundsFreeGenerate$Chkstk
String ID: (En$192E3639033F0303$1E08152C02383D211B080A200F030836$Cookies.json$DEmYVhVfpKtLM$JBLpJcMQUGKeOdjmEdqOvwF$Profiles$\Profiles$\User Data$\User Data\Default\Cookies$d
API String ID: 485188857-2150985054
Opcode ID: ddc84c3067681ef8b22f21cc7cad60c6979dc4e2a81344d67f8c1fb19ce3b58a
Instruction ID: 7559e76cfa8c2e51358e57783d1b0a7060e06a56415cb1bc04387870c2b5d029
Opcode Fuzzy Hash: ddc84c3067681ef8b22f21cc7cad60c6979dc4e2a81344d67f8c1fb19ce3b58a
Instruction Fuzzy Hash: 40638274D00204DFDB18DFA4ED88AEEB7B5FB48704F20916AE506B72A0DB749985CF58

Function 0041C460 Relevance: 676.1, APIs: 353, Strings: 32, Instructions: 2376
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,004030D6,?,?,00411B3E,?,0043D040,?), ref: 0041C47E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,004030D6), ref: 0041C4AE
__vbaStrCat.MSVBVM60(\LoggraNoUCYctgwnrtnRFCefIupAVHcOBQqsTNNMrZheterostracan,00673F04), ref: 0041C4D4
__vbaStrMove.MSVBVM60 ref: 0041C4E2
#712.MSVBVM60(?,Login Data,Web Data,00000001,000000FF,00000000), ref: 0041C505
__vbaStrMove.MSVBVM60(?,Login Data,Web Data,00000001,000000FF,00000000), ref: 0041C513
__vbaStrCat.MSVBVM60(\WebData,00673F04,?,Login Data,Web Data,00000001,000000FF,00000000), ref: 0041C52B
__vbaStrMove.MSVBVM60(?,Login Data,Web Data,00000001,000000FF,00000000), ref: 0041C536
#716.MSVBVM60(?,Scripting.FileSystemObject,00000000,?,Login Data,Web Data,00000001,000000FF,00000000), ref: 0041C551
__vbaVarZero.MSVBVM60(?,Login Data,Web Data,00000001,000000FF,00000000), ref: 0041C563
__vbaChkstk.MSVBVM60 ref: 0041C5AA
__vbaChkstk.MSVBVM60 ref: 0041C5D9
__vbaObjVar.MSVBVM60(?,CopyFile,00000002), ref: 0041C611
__vbaLateMemCall.MSVBVM60(00000000), ref: 0041C618
#716.MSVBVM60(?,Scripting.FileSystemObject,00000000), ref: 0041C647
__vbaVarZero.MSVBVM60 ref: 0041C659
__vbaChkstk.MSVBVM60 ref: 0041C6A0
__vbaChkstk.MSVBVM60 ref: 0041C6CF
__vbaObjVar.MSVBVM60(?,CopyFile,00000002), ref: 0041C707
__vbaLateMemCall.MSVBVM60(00000000), ref: 0041C70E
__vbaStrCopy.MSVBVM60(?), ref: 0041C765

Part of subcall function 00434340: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 0043438E
Part of subcall function 00434340: __vbaAryMove.MSVBVM60(?,?,004030D6), ref: 004343AB
Part of subcall function 00434340: __vbaLbound.MSVBVM60(00000001,?), ref: 004343B7
Part of subcall function 00434340: __vbaUbound.MSVBVM60(00000001,?), ref: 004343C5
Part of subcall function 00434340: __vbaAryLock.MSVBVM60(?,?), ref: 004343E6
Part of subcall function 00434340: __vbaGenerateBoundsError.MSVBVM60 ref: 00434405
Part of subcall function 00434340: #644.MSVBVM60(00000000), ref: 00434427
Part of subcall function 00434340: __vbaAryUnlock.MSVBVM60(?), ref: 00434430
Part of subcall function 00434340: __vbaSetSystemError.MSVBVM60(?,?,-00000001,?,?), ref: 0043444E
Part of subcall function 00434340: __vbaAryLock.MSVBVM60(?,?), ref: 0043445C

__vbaFreeStr.MSVBVM60(?,?), ref: 0041C787
__vbaSetSystemError.MSVBVM60(?), ref: 0041C7A6
__vbaVarMove.MSVBVM60(?,00000000), ref: 0041C7E7
__vbaAryMove.MSVBVM60(?,00000064,?,00000002), ref: 0041C847
__vbaVarCmpEq.MSVBVM60(00000008,00008008,?), ref: 0041C87A
__vbaVarNot.MSVBVM60(?,00000000), ref: 0041C888
__vbaBoolVarNull.MSVBVM60(00000000), ref: 0041C88F
__vbaVarMove.MSVBVM60(?,00000000), ref: 0041C8CD
__vbaStrCopy.MSVBVM60 ref: 0041C8E5
__vbaStrMove.MSVBVM60(?), ref: 0041C8FF
__vbaStrCopy.MSVBVM60 ref: 0041C910
__vbaStrMove.MSVBVM60(?), ref: 0041C92A
__vbaStrCat.MSVBVM60(Url : ,00000000), ref: 0041C93C
__vbaStrCopy.MSVBVM60 ref: 0041C971
__vbaStrMove.MSVBVM60 ref: 0041C999
__vbaStrCopy.MSVBVM60(?,?), ref: 0041C9E1
__vbaStrMove.MSVBVM60 ref: 0041CA09
__vbaVarCat.MSVBVM60(?,?,00000008,?,?), ref: 0041CA58
__vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 0041CA6D
__vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 0041CA82
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0041CA94
__vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 0041CAA9
__vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 0041CABE
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0041CAD0
__vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 0041CAE5
__vbaStrVarMove.MSVBVM60(00000000), ref: 0041CAEC
__vbaStrMove.MSVBVM60 ref: 0041CAF9
__vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,00000000,00000000), ref: 0041CB39
__vbaFreeVarList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,?,?), ref: 0041CB91
__vbaStrMove.MSVBVM60(?), ref: 0041CBC6
__vbaStrCopy.MSVBVM60 ref: 0041CBD7
__vbaStrMove.MSVBVM60(?,?,00000000), ref: 0041CC27
__vbaStrCat.MSVBVM60(00000000), ref: 0041CC2E
__vbaStrMove.MSVBVM60 ref: 0041CC3C
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041CC49
__vbaStrMove.MSVBVM60 ref: 0041CC57
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 0041CC63
__vbaStrMove.MSVBVM60 ref: 0041CC71
__vbaStrCat.MSVBVM60(===============DARKCLOUD===============,00000000), ref: 0041CC7D
__vbaStrMove.MSVBVM60 ref: 0041CC8B
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 0041CC97
__vbaStrMove.MSVBVM60 ref: 0041CCA4
__vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,00000000), ref: 0041CCEB
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0041CEE2

Part of subcall function 004341C0: __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004342AC
Part of subcall function 004341C0: __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004030D6,0041CF00), ref: 004342D9
Part of subcall function 004341C0: __vbaAryDestruct.MSVBVM60(00000000,?,0043431C,?,?,?,?,?,?,?,?,?,?,?,00000000,004030D6), ref: 00434315

__vbaAryMove.MSVBVM60(?,?,?,00000003), ref: 0041CF11
__vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 0041CF44
__vbaVarNot.MSVBVM60(?,00000000), ref: 0041CF52
__vbaBoolVarNull.MSVBVM60(00000000), ref: 0041CF59
__vbaVarMove.MSVBVM60(?,00000000), ref: 0041CF97
__vbaStrCat.MSVBVM60(Name on Card: ,00000000), ref: 0041CFAF
__vbaVarCat.MSVBVM60(?,?,00000008), ref: 0041D03B
__vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 0041D050
__vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 0041D065
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0041D077
__vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 0041D08C
__vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 0041D0A1
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0041D0B3
__vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 0041D0C8
__vbaStrVarMove.MSVBVM60(00000000), ref: 0041D0CF
__vbaStrMove.MSVBVM60 ref: 0041D0DC
__vbaFreeVarList.MSVBVM60(00000009,00000008,?,?,?,?,?,?,?,?), ref: 0041D123
__vbaStrCopy.MSVBVM60 ref: 0041D13E
__vbaStrMove.MSVBVM60(?), ref: 0041D158
__vbaStrErrVarCopy.MSVBVM60(?), ref: 0041D162
__vbaStrMove.MSVBVM60 ref: 0041D170
__vbaStrCopy.MSVBVM60 ref: 0041D181
__vbaStrMove.MSVBVM60 ref: 0041D1A9
__vbaStrCat.MSVBVM60(Card Type: ,00000000), ref: 0041D1BA
__vbaStrMove.MSVBVM60(?,00000000), ref: 0041D1E3
__vbaStrCat.MSVBVM60(00000000), ref: 0041D1EA
__vbaStrMove.MSVBVM60 ref: 0041D1F8
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 0041D204
__vbaStrMove.MSVBVM60(?,?,00000000), ref: 0041D234
__vbaStrCat.MSVBVM60(00000000), ref: 0041D23B
__vbaStrMove.MSVBVM60 ref: 0041D249
__vbaStrCat.MSVBVM60(?,00000000), ref: 0041D256
__vbaStrMove.MSVBVM60(?,00000000), ref: 0041D264
__vbaStrCat.MSVBVM60(00405824,00000000,?,00000000), ref: 0041D270
__vbaStrMove.MSVBVM60(?,00000000), ref: 0041D27D
__vbaFreeStrList.MSVBVM60(0000000C,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 0041D2D9
__vbaStrCat.MSVBVM60(===============DARKCLOUD===============,00000000), ref: 0041D2F4
__vbaStrMove.MSVBVM60 ref: 0041D302
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 0041D30E
__vbaStrMove.MSVBVM60 ref: 0041D31B
__vbaFreeStr.MSVBVM60 ref: 0041D327
__vbaSetSystemError.MSVBVM60(?), ref: 0041D345

Part of subcall function 00434590: __vbaSetSystemError.MSVBVM60(?,0041CD2E,00000064), ref: 0043459C

#529.MSVBVM60(00004008,00000064), ref: 0041D388
__vbaStrMove.MSVBVM60 ref: 0041D212

Part of subcall function 0042DDC0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,00000002,?,?,?), ref: 0042DF0A
Part of subcall function 0042DDC0: __vbaStrCopy.MSVBVM60 ref: 0042DF29
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(0042DF6C), ref: 0042DF65

__vbaStrMove.MSVBVM60 ref: 0041D1C8

Part of subcall function 0041EE80: __vbaChkstk.MSVBVM60(00000000,004030D6), ref: 0041EE9E
Part of subcall function 0041EE80: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004030D6), ref: 0041EECE
Part of subcall function 0041EE80: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004030D6), ref: 0041EEEA
Part of subcall function 0041EE80: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,004030D6), ref: 0041EEFE
Part of subcall function 0041EE80: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004030D6), ref: 0041EF0C
Part of subcall function 0041EE80: __vbaStrMove.MSVBVM60 ref: 0041EF2B
Part of subcall function 0041EE80: __vbaStrMove.MSVBVM60(?,?), ref: 0041EF43
Part of subcall function 0041EE80: __vbaStrMove.MSVBVM60(00000000), ref: 0041EF64
Part of subcall function 0041EE80: #716.MSVBVM60(?,00000000), ref: 0041EF6F
Part of subcall function 0041EE80: __vbaObjVar.MSVBVM60(?), ref: 0041EF79
Part of subcall function 0041EE80: __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0041EF84
Part of subcall function 0041EE80: __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,?), ref: 0041EFA4
Part of subcall function 0041EE80: __vbaFreeVar.MSVBVM60(?,?,?,?,?,00000000,004030D6), ref: 0041EFB0
Part of subcall function 0041EE80: __vbaChkstk.MSVBVM60 ref: 0041EFD0

__vbaStrMove.MSVBVM60 ref: 0041CBFF

Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,6D42D8B1,00000001,6D41A323), ref: 0042DE03
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?), ref: 0042DE39
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?), ref: 0042DE44
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,?), ref: 0042DE47
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0042DE52
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0042DE5B
Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 0042DE79
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DE96
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEA1
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0042DEA4
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB0
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB9
Part of subcall function 0042DDC0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 0042DEDA
Part of subcall function 0042DDC0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 0042DEEC
Part of subcall function 0042DDC0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 0042DEF3
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DEFE

__vbaStrCopy.MSVBVM60 ref: 0041CBAC

Part of subcall function 0042ECB0: __vbaLenBstr.MSVBVM60(?), ref: 0042ECF6
Part of subcall function 0042ECB0: #632.MSVBVM60(?,?,?,?), ref: 0042ED52
Part of subcall function 0042ECB0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 0042ED68
Part of subcall function 0042ECB0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0042ED6F
Part of subcall function 0042ECB0: #537.MSVBVM60(00000000), ref: 0042ED76
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED81
Part of subcall function 0042ECB0: __vbaStrCat.MSVBVM60(00000000), ref: 0042ED84
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED8B
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED90
Part of subcall function 0042ECB0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042EDA8

__vbaVarMove.MSVBVM60(?,00000001), ref: 0041C81B

Part of subcall function 004341C0: __vbaStr2Vec.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,004030D6,0041CF00), ref: 00434202
Part of subcall function 004341C0: __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004030D6,0041CF00), ref: 00434212
Part of subcall function 004341C0: __vbaStr2Vec.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,004030D6,0041CF00), ref: 00434219
Part of subcall function 004341C0: __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004030D6,0041CF00), ref: 00434223
Part of subcall function 004341C0: __vbaSetSystemError.MSVBVM60(00402CD0,0041CF00,?,?,?,?,?,?,?,?,?,?,?,00000000,004030D6,0041CF00), ref: 00434234
Part of subcall function 004341C0: __vbaSetSystemError.MSVBVM60(00402CD0,0041CF00,?,?,?,?,?,?,?,?,?,?,?,00000000,004030D6,0041CF00), ref: 0043424C
Part of subcall function 004341C0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000), ref: 0043426F
Part of subcall function 004341C0: __vbaAryLock.MSVBVM60(?,?), ref: 00434280
Part of subcall function 004341C0: __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043429F
Part of subcall function 004341C0: __vbaSetSystemError.MSVBVM60(00000000,00000000,?), ref: 004342C5
Part of subcall function 004341C0: __vbaAryUnlock.MSVBVM60(?), ref: 004342CB

__vbaSetSystemError.MSVBVM60(?), ref: 0041CD0C
#645.MSVBVM60(00004008,00000000,00000064), ref: 0041CD54
__vbaStrMove.MSVBVM60 ref: 0041CD62
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 0041CD6E
__vbaFreeStr.MSVBVM60 ref: 0041CD89
__vbaStrCopy.MSVBVM60(?), ref: 0041CDC3
__vbaFreeStr.MSVBVM60(?,?), ref: 0041CDE5
__vbaSetSystemError.MSVBVM60(?), ref: 0041CE04
__vbaVarMove.MSVBVM60(?,00000000), ref: 0041CE45
__vbaStrMove.MSVBVM60(?,00000001), ref: 0041CE68
__vbaStrCat.MSVBVM60(004055A8,00000000), ref: 0041CE74
__vbaStrMove.MSVBVM60 ref: 0041CE82
__vbaStrMove.MSVBVM60(?,00000002,00000000), ref: 0041CE9F
__vbaStrCat.MSVBVM60(00000000), ref: 0041CEA6
__vbaVarMove.MSVBVM60 ref: 0041CEC5

Part of subcall function 00434130: __vbaSetSystemError.MSVBVM60(?,004030D6,?,?,?,?,?,00000000,004030D6), ref: 00434170
Part of subcall function 00434130: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,00000000,004030D6), ref: 00434187

__vbaStrCopy.MSVBVM60 ref: 0041D3A5
__vbaStrToAnsi.MSVBVM60(?,?,?), ref: 0041D3C4
__vbaSetSystemError.MSVBVM60(00000000), ref: 0041D3D0
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0041D3E4
__vbaFreeStr.MSVBVM60 ref: 0041D3F0
__vbaStrToAnsi.MSVBVM60(?,?), ref: 0041D41C
__vbaStrToAnsi.MSVBVM60(?,?,?,?), ref: 0041D43E
__vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 0041D455
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0041D469
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0041D47D
__vbaVarMove.MSVBVM60 ref: 0041D48C
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041D4A2
__vbaSetSystemError.MSVBVM60(?), ref: 0041D4C1
#558.MSVBVM60(?), ref: 0041D4CB
__vbaSetSystemError.MSVBVM60(?), ref: 0041D506
__vbaI2I4.MSVBVM60 ref: 0041D51B

Part of subcall function 00434500: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,004030D6), ref: 0043453F
Part of subcall function 00434500: __vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00000000,004030D6), ref: 0043454B
Part of subcall function 00434500: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00000000,004030D6), ref: 00434556
Part of subcall function 00434500: __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00000000,004030D6), ref: 0043455F

#529.MSVBVM60(00004008), ref: 0041ECAF
__vbaFreeVarList.MSVBVM60(00000002,?,?,0041EE5E), ref: 0041ED9D
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041EDAF
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041EDBE
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041EDCD
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041EDDC
__vbaFreeVar.MSVBVM60 ref: 0041EDE5
__vbaFreeVar.MSVBVM60 ref: 0041EDEE
__vbaFreeStr.MSVBVM60 ref: 0041EDF7
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041EE03
__vbaFreeStr.MSVBVM60 ref: 0041EE0C
__vbaFreeVar.MSVBVM60 ref: 0041EE15
__vbaFreeVar.MSVBVM60 ref: 0041EE1E
__vbaFreeStr.MSVBVM60 ref: 0041EE27
__vbaFreeStr.MSVBVM60 ref: 0041EE33
__vbaFreeStr.MSVBVM60 ref: 0041EE3F
__vbaFreeStr.MSVBVM60 ref: 0041EE4B
__vbaFreeStr.MSVBVM60 ref: 0041EE57

Strings

===============DARKCLOUD===============, xrefs: 0041CC78, 0041D2EF, 0041DEE6, 0041EBC6
fZCnjHnpIGuWYufYFuJTsZzMYQpNVmCSBggClUwgmL, xrefs: 0041CBCC, 0041D176, 0041DE3B, 0041EB1B
Login Data, xrefs: 0041C4FA
024668, xrefs: 0041D8B6, 0041E5B2
TcDrGNJvvKjh, xrefs: 0041C9D6, 0041DC2F
SELECT origin_url, username_value, password_value FROM logins, xrefs: 0041C75A
lTHVnVqKJBd, xrefs: 0041C966, 0041DBBF
Scripting.FileSystemObject, xrefs: 0041C545, 0041C63B
expiration_month\expiration_year, xrefs: 0041E4E3
Expiry Date; , xrefs: 0041CFD9, 0041E920
8V@, xrefs: 0041D86E
CopyFile, xrefs: 0041C605, 0041C6FB
Web Data, xrefs: 0041C4F5
SELECT origin_url, username_value, password_value, length(password_value) FROM logins, xrefs: 0041D39A
33250134392504126B5048, xrefs: 0041C905, 0041DB5E
b, xrefs: 0041EC8B
card_number_encrypted, xrefs: 0041E4F7
name_on_card, xrefs: 0041E4CF
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards, xrefs: 0041CDB8, 0041DFFB
Name on Card: , xrefs: 0041CFAA, 0041E8F1
d, xrefs: 0041CE0A
HvFifFDbwWSESPfuPWaeSKl, xrefs: 0041D968, 0041E664
\WebData, xrefs: 0041C526
Url : , xrefs: 0041C937, 0041DB90
Card Type: , xrefs: 0041D1B5, 0041EA55
007758, xrefs: 0041D8E1, 0041E5DD
013B331C3810262F625E4C, xrefs: 0041C8DA, 0041DB33
ItwXjeKuthVRdpXyikTUBGFniKETOLdVtYpxoTfOnqQ, xrefs: 0041D90C, 0041E608
username_value, xrefs: 0041D781
Card Number: , xrefs: 0041D001, 0041EA08
1B331E06210D113D2E1A39794F46, xrefs: 0041CBA1, 0041D133, 0041DE10, 0041EAF0
\LoggraNoUCYctgwnrtnRFCefIupAVHcOBQqsTNNMrZheterostracan, xrefs: 0041C4CF

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$Error$CopySystem$List$Chkstk$Destruct$AnsiUnicode$#716BoundsBstrGenerateLock$#516#529#631BoolCallLateNullRedimStr2UnlockZero$#537#558#608#632#644#645#712AddrefLboundUbound
String ID: 007758$013B331C3810262F625E4C$024668$1B331E06210D113D2E1A39794F46$33250134392504126B5048$8V@$===============DARKCLOUD===============$Card Number: $Card Type: $CopyFile$Expiry Date; $HvFifFDbwWSESPfuPWaeSKl$ItwXjeKuthVRdpXyikTUBGFniKETOLdVtYpxoTfOnqQ$Login Data$Name on Card: $SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards$SELECT origin_url, username_value, password_value FROM logins$SELECT origin_url, username_value, password_value, length(password_value) FROM logins$Scripting.FileSystemObject$TcDrGNJvvKjh$Url : $Web Data$\LoggraNoUCYctgwnrtnRFCefIupAVHcOBQqsTNNMrZheterostracan$\WebData$b$card_number_encrypted$d$expiration_month\expiration_year$fZCnjHnpIGuWYufYFuJTsZzMYQpNVmCSBggClUwgmL$lTHVnVqKJBd$name_on_card$username_value
API String ID: 102252830-1045776294
Opcode ID: 28927cd90c74e004a20e069f97b2961b6eacb11fc04b6395372ac42a25ae0287
Instruction ID: 01fe39b194a8a2267bf08dea85a880b09ee330dfa5b6df1433968e31978d050b
Opcode Fuzzy Hash: 28927cd90c74e004a20e069f97b2961b6eacb11fc04b6395372ac42a25ae0287
Instruction Fuzzy Hash: 793309B5900218DFDB15DF90DD88BDEB7B8BB48304F0085EAE24AB7260DB745A89CF54

Function 004216E0 Relevance: 619.7, APIs: 308, Strings: 45, Instructions: 1933
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,004030D6), ref: 004216FE
__vbaAryConstruct2.MSVBVM60(?,0040A2FC,00000008,?,?,?,00000000,004030D6), ref: 00421730
__vbaAryConstruct2.MSVBVM60(?,0040A2FC,00000008,?,?,?,00000000,004030D6), ref: 00421741
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004030D6), ref: 00421750
__vbaAryMove.MSVBVM60(?,?,?,0043D064,?,?,?,00000000,004030D6), ref: 00421793
__vbaFreeStr.MSVBVM60(?,?,?,00000000,004030D6), ref: 0042179F
__vbaForEachAry.MSVBVM60(00000008,?,?,?,?,?,?,?,00000000,004030D6), ref: 004217C7
__vbaStrErrVarCopy.MSVBVM60(?,00000001), ref: 004217E5
__vbaStrMove.MSVBVM60 ref: 004217F3
__vbaInStr.MSVBVM60(00000000,Foxmail,00000000), ref: 00421801
__vbaFreeStr.MSVBVM60 ref: 0042181C
__vbaStrErrVarCopy.MSVBVM60(?), ref: 00421838
__vbaStrMove.MSVBVM60 ref: 00421846
__vbaStrCat.MSVBVM60(004055A8,00000000), ref: 00421852
__vbaStrMove.MSVBVM60 ref: 0042185D
__vbaFreeStr.MSVBVM60 ref: 00421869
__vbaExitEachAry.MSVBVM60(?), ref: 00421876
__vbaStrCmp.MSVBVM60(00405638,?), ref: 004218C2
__vbaStrCopy.MSVBVM60 ref: 004218E2
__vbaStrMove.MSVBVM60(?), ref: 004218FC
__vbaStrCopy.MSVBVM60 ref: 0042190D
__vbaStrMove.MSVBVM60 ref: 00421935
__vbaStrMove.MSVBVM60(?,?), ref: 00421956
__vbaStrMove.MSVBVM60(00000000), ref: 00421980
#716.MSVBVM60(?,00000000), ref: 0042198E
__vbaVarZero.MSVBVM60 ref: 004219A0
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,00000000), ref: 004219DE
__vbaChkstk.MSVBVM60 ref: 00421A07
__vbaVarLateMemCallLd.MSVBVM60(?,?,RegRead,00000001), ref: 00421A46
__vbaStrVarMove.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004030D6), ref: 00421A50
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004030D6), ref: 00421A5B
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004030D6), ref: 00421A67
__vbaStrMove.MSVBVM60(?), ref: 00421AAA
__vbaStrCopy.MSVBVM60 ref: 00421ABB
__vbaStrMove.MSVBVM60(?,?), ref: 00421B04
__vbaStrMove.MSVBVM60(00405638,00000001,000000FF,00000000), ref: 00421B37
#712.MSVBVM60(?,00000000), ref: 00421B42
__vbaStrMove.MSVBVM60 ref: 00421B4D
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,00000000), ref: 00421B7F
#712.MSVBVM60(?,00409DD4,00405638,00000001,000000FF,00000000), ref: 00421BA3
__vbaStrMove.MSVBVM60 ref: 00421BAE
__vbaLenBstr.MSVBVM60(?), ref: 00421BD2
#617.MSVBVM60(?,00004008,-00000002), ref: 00421BF0
__vbaStrVarMove.MSVBVM60(?), ref: 00421BFD
__vbaStrMove.MSVBVM60 ref: 00421C08
__vbaFreeVar.MSVBVM60 ref: 00421C14
__vbaLenBstrB.MSVBVM60(?), ref: 00421C25
__vbaInStr.MSVBVM60(00000000,00409DDC,?,00000001), ref: 00421C48
__vbaStrCopy.MSVBVM60 ref: 00421C86
__vbaStrMove.MSVBVM60(?), ref: 00421CA0
#520.MSVBVM60(?,00004008), ref: 00421CC7
__vbaStrCopy.MSVBVM60 ref: 00421CD8
__vbaStrMove.MSVBVM60 ref: 00421D00
__vbaStrMove.MSVBVM60 ref: 00421AE3

Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,6D42D8B1,00000001,6D41A323), ref: 0042DE03
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?), ref: 0042DE39
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?), ref: 0042DE44
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,?), ref: 0042DE47
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0042DE52
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0042DE5B
Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 0042DE79
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DE96
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEA1
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0042DEA4
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB0
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB9
Part of subcall function 0042DDC0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 0042DEDA
Part of subcall function 0042DDC0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 0042DEEC
Part of subcall function 0042DDC0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 0042DEF3
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DEFE

__vbaStrCopy.MSVBVM60 ref: 00421A90

Part of subcall function 0042ECB0: __vbaLenBstr.MSVBVM60(?), ref: 0042ECF6
Part of subcall function 0042ECB0: #632.MSVBVM60(?,?,?,?), ref: 0042ED52
Part of subcall function 0042ECB0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 0042ED68
Part of subcall function 0042ECB0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0042ED6F
Part of subcall function 0042ECB0: #537.MSVBVM60(00000000), ref: 0042ED76
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED81
Part of subcall function 0042ECB0: __vbaStrCat.MSVBVM60(00000000), ref: 0042ED84
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED8B
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED90
Part of subcall function 0042ECB0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042EDA8

__vbaStrCopy.MSVBVM60(?,?,?,00000000,004030D6), ref: 00421768

Part of subcall function 0042ECB0: __vbaChkstk.MSVBVM60(00000000,004030D6), ref: 0042F35E
Part of subcall function 0042ECB0: __vbaOnError.MSVBVM60(000000FF,6D42D8B1,?,6D41A323,00000000,004030D6), ref: 0042F38E
Part of subcall function 0042ECB0: #645.MSVBVM60(00004008,00000010), ref: 0042F3B5
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60 ref: 0042F3C0
Part of subcall function 0042ECB0: __vbaStrCmp.MSVBVM60(00405638,?), ref: 0042F3E3
Part of subcall function 0042ECB0: __vbaStrCmp.MSVBVM60(00407034,?), ref: 0042F401
Part of subcall function 0042ECB0: __vbaStrCmp.MSVBVM60(0040B454,?), ref: 0042F417
Part of subcall function 0042ECB0: __vbaStrCat.MSVBVM60(?,00000001), ref: 0042F43D
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60 ref: 0042F448
Part of subcall function 0042ECB0: #579.MSVBVM60(00000000), ref: 0042F44F
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60 ref: 0042F469
Part of subcall function 0042ECB0: __vbaRedimPreserve.MSVBVM60(00000180,00000004,?,00000008,00000001,00000000,00000000), ref: 0042F498

__vbaVarAdd.MSVBVM60(?,00000008,?), ref: 00421D69
__vbaStrVarMove.MSVBVM60(00000000), ref: 00421D70
__vbaStrMove.MSVBVM60 ref: 00421D7E
__vbaStrCopy.MSVBVM60 ref: 00421D92
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00421DBD
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,00000000,004030D6), ref: 00421DDD
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,004030D6), ref: 00421DF8
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,004030D6), ref: 00421E12
__vbaAryUnlock.MSVBVM60(?,004239B4), ref: 004238D9
__vbaAryUnlock.MSVBVM60(?), ref: 004238E6
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004238FC
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042390E
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042391D
__vbaFreeStr.MSVBVM60(?,00000000,004030D6), ref: 00423926
__vbaFreeStr.MSVBVM60(?,00000000,004030D6), ref: 0042392F
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042393B
__vbaFreeStr.MSVBVM60(?,00000000,004030D6), ref: 00423944
__vbaFreeStr.MSVBVM60(?,00000000,004030D6), ref: 0042394D
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00423965
__vbaFreeVar.MSVBVM60(?,00000000,004030D6), ref: 0042396E
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00423986
__vbaFreeStr.MSVBVM60(?,00000000,004030D6), ref: 00423992
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004239A1
__vbaFreeStr.MSVBVM60(?,00000000,004030D6), ref: 004239AD
__vbaErrorOverflow.MSVBVM60 ref: 004239C8

Strings

MQrjmATXcbKBCpTnQeWeFoZmsCWHLbX, xrefs: 00422AF3
0724202A29, xrefs: 00421DED
===============DARKCLOUD===============, xrefs: 00423652
NJYCuslhStnYMXoegRKOxOkAMWedORFgYr, xrefs: 00421FB1
0C3313072C240423612308325B, xrefs: 00422616, 0042279A, 00423715
RegRead, xrefs: 00421A33
TcDrGNJvvKjh, xrefs: 004233BE
141C0B0F2D310B0A0525233705260B, xrefs: 00422AC8
lTHVnVqKJBd, xrefs: 00423385
Scripting.FileSystemObject, xrefs: 004225DF
LjEIFuwIagJbWvTzDPnZsSVSDcmtKPRtDOvnpDghVu, xrefs: 00421E3F
3B0A1E26380C1C25, xrefs: 00422D1E, 00423197
1522070B1E1A3A1201331D190D0A, xrefs: 00422EC5, 0042306C
030F0E0C15, xrefs: 00422A43, 00422BED
nMYKSsdHFElZtgocMFxXVGZSajUxwsfQJgOogzRStYS, xrefs: 00421AB0
xkkmUOcnApOwfnMrtRiLqYdmoMgvcQZQmvQyWtcMFt, xrefs: 00422D49, 004231C2
CopyFile, xrefs: 0042272C
EPrpdCQjWOQmQkIHejAWXODGFTsdQMDBKF, xrefs: 00422654, 004227C5, 00423740
nFboeyGjLSXZdNDBKtuiEFuv, xrefs: 00422A6E, 00422C18
VaTxflgrQimnphjepakwkKpYtdHOUdpd, xrefs: 004220FC
VZWslqsTuRVoohxyApIZOsnmhgBXMscV, xrefs: 00422EF0, 00423097
0E3837142F, xrefs: 00421F5F
351620240C2D33212B090A565854203F30282F3B39, xrefs: 004235AE
33250134392504126B5048, xrefs: 0042335A
250B2B0E313E131E2A21140101370612491D371910, xrefs: 004222C3
0F18071C0E2126612B1102020D, xrefs: 004218D7
1B11273B0B2B1B32312231361F02053F2A, xrefs: 00422DA3
btfPHeNRUBfdv, xrefs: 004235D9
oyJHmrXtBkBwntYragiSxdH, xrefs: 004222EE
yXKdngQROxygnaZpRrpTYKgVxGyOtGq, xrefs: 00421902
3D151B0503121C251A312F130B05101E1545050E2840, xrefs: 004220D1
Url : , xrefs: 004233FB
KwTLkwDVeAtEbhikonDeQtnbYeRChNxbS, xrefs: 004221F5
Foxmail, xrefs: 004217FA
013B331C3810262F625E4C, xrefs: 0042332F
C:\\, xrefs: 0042175D
owAvqReMxvEKzUQvtucIgZZPWghaFykLhf, xrefs: 00421CCD
2B152F08183138116F073105, xrefs: 004221CA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Foxmail.url.mailto\Shell\open\command\, xrefs: 004219EE
2435190333022824, xrefs: 00421C7B
0B36333E120D246820143F, xrefs: 00421A85
IKtURdOrQrJTUtVlROvWiJksPlxjRXfYF, xrefs: 00422DCE
392233162C39192D393109, xrefs: 00422F4A
@, xrefs: 004237FF
KvWGqCPwJjbEahwFyEaHtclpMhLMZdkTc, xrefs: 004228B8, 00422F75

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$Copy$DestructList$Bstr$ChkstkError$#516#631#712Construct2EachUnlock$#520#537#579#608#617#632#645#716CallExitLateOverflowPreserveRedimZero
String ID: 013B331C3810262F625E4C$030F0E0C15$0724202A29$0B36333E120D246820143F$0C3313072C240423612308325B$0E3837142F$0F18071C0E2126612B1102020D$141C0B0F2D310B0A0525233705260B$1522070B1E1A3A1201331D190D0A$1B11273B0B2B1B32312231361F02053F2A$2435190333022824$250B2B0E313E131E2A21140101370612491D371910$2B152F08183138116F073105$33250134392504126B5048$351620240C2D33212B090A565854203F30282F3B39$392233162C39192D393109$3B0A1E26380C1C25$3D151B0503121C251A312F130B05101E1545050E2840$===============DARKCLOUD===============$@$C:\\$CopyFile$EPrpdCQjWOQmQkIHejAWXODGFTsdQMDBKF$Foxmail$HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Foxmail.url.mailto\Shell\open\command\$IKtURdOrQrJTUtVlROvWiJksPlxjRXfYF$KvWGqCPwJjbEahwFyEaHtclpMhLMZdkTc$KwTLkwDVeAtEbhikonDeQtnbYeRChNxbS$LjEIFuwIagJbWvTzDPnZsSVSDcmtKPRtDOvnpDghVu$MQrjmATXcbKBCpTnQeWeFoZmsCWHLbX$NJYCuslhStnYMXoegRKOxOkAMWedORFgYr$RegRead$Scripting.FileSystemObject$TcDrGNJvvKjh$Url : $VZWslqsTuRVoohxyApIZOsnmhgBXMscV$VaTxflgrQimnphjepakwkKpYtdHOUdpd$btfPHeNRUBfdv$lTHVnVqKJBd$nFboeyGjLSXZdNDBKtuiEFuv$nMYKSsdHFElZtgocMFxXVGZSajUxwsfQJgOogzRStYS$owAvqReMxvEKzUQvtucIgZZPWghaFykLhf$oyJHmrXtBkBwntYragiSxdH$xkkmUOcnApOwfnMrtRiLqYdmoMgvcQZQmvQyWtcMFt$yXKdngQROxygnaZpRrpTYKgVxGyOtGq
API String ID: 3369885347-3580722378
Opcode ID: 9c61ab30980ef436bf4b94c302d30464035fb3c07987bfe89eb7efe5969894af
Instruction ID: 183a2b9ebfa072188e44c0b6334db17ed458975aa797906c928631bdf410eddd
Opcode Fuzzy Hash: 9c61ab30980ef436bf4b94c302d30464035fb3c07987bfe89eb7efe5969894af
Instruction Fuzzy Hash: AA13F975900228DFDB24DF60DD88FDEB7B9BB45300F1081EAA14AB62A0DB745B89CF55

Function 004375F0 Relevance: 609.1, APIs: 319, Strings: 28, Instructions: 1839
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,004030D6,?,?,?,?,004372CE,00000000), ref: 0043760E
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004030D6), ref: 0043763E
#645.MSVBVM60(00004008,00000010), ref: 00437667
__vbaStrMove.MSVBVM60 ref: 00437675
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 00437681
__vbaFreeStr.MSVBVM60 ref: 0043769C
__vbaStrCat.MSVBVM60(004055A8), ref: 004376DA
__vbaAryMove.MSVBVM60(?,?,?,0043D064), ref: 00437710
__vbaFreeStr.MSVBVM60 ref: 0043771C
__vbaForEachAry.MSVBVM60(00000008,?,?,?,?), ref: 0043775B
__vbaStrMove.MSVBVM60 ref: 004376E8

Part of subcall function 0042ECB0: __vbaChkstk.MSVBVM60(00000000,004030D6), ref: 0042F35E
Part of subcall function 0042ECB0: __vbaOnError.MSVBVM60(000000FF,6D42D8B1,?,6D41A323,00000000,004030D6), ref: 0042F38E
Part of subcall function 0042ECB0: #645.MSVBVM60(00004008,00000010), ref: 0042F3B5
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60 ref: 0042F3C0
Part of subcall function 0042ECB0: __vbaStrCmp.MSVBVM60(00405638,?), ref: 0042F3E3
Part of subcall function 0042ECB0: __vbaStrCmp.MSVBVM60(00407034,?), ref: 0042F401
Part of subcall function 0042ECB0: __vbaStrCmp.MSVBVM60(0040B454,?), ref: 0042F417
Part of subcall function 0042ECB0: __vbaStrCat.MSVBVM60(?,00000001), ref: 0042F43D
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60 ref: 0042F448
Part of subcall function 0042ECB0: #579.MSVBVM60(00000000), ref: 0042F44F
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60 ref: 0042F469
Part of subcall function 0042ECB0: __vbaRedimPreserve.MSVBVM60(00000180,00000004,?,00000008,00000001,00000000,00000000), ref: 0042F498

__vbaAryUnlock.MSVBVM60(?,00439680), ref: 004395B6
__vbaFreeVar.MSVBVM60 ref: 004395C2
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004395D1
__vbaFreeVar.MSVBVM60 ref: 004395DA
__vbaFreeVar.MSVBVM60 ref: 004395E3
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004395EF
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004395FB
__vbaFreeVar.MSVBVM60 ref: 00439604
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00439610
__vbaFreeStr.MSVBVM60 ref: 00439619
__vbaFreeVar.MSVBVM60 ref: 00439625
__vbaFreeVar.MSVBVM60 ref: 00439631
__vbaFreeVar.MSVBVM60 ref: 0043963D
__vbaFreeVar.MSVBVM60 ref: 00439649
__vbaFreeStr.MSVBVM60 ref: 00439655
__vbaFreeStr.MSVBVM60 ref: 00439661
__vbaFreeVar.MSVBVM60 ref: 0043966D
__vbaFreeVar.MSVBVM60 ref: 00439679

Strings

"Path raw": ", xrefs: 00437E77, 00438DDC
value, xrefs: 00438AE1
name, xrefs: 00438AB9
Scripting.FileSystemObject, xrefs: 004378D7
"Name raw": ", xrefs: 00437D9B, 00438C8E
RpslgTwPqQlPvwROtkaodN, xrefs: 004379C0, 00437B85, 004383D1, 004384CE, 00439388
path, xrefs: 00438ACD
"HTTP only raw": "false",, xrefs: 00438173, 0043913F
SELECT expiry, host, name, path, value FROM moz_cookies, xrefs: 00437C46, 00438604
CopyFile, xrefs: 00437AA7
"Expires": ", xrefs: 00437F71, 00438E5B
"First Party Domain": "", xrefs: 004382BA, 00439286
2C1003083F1E35027F0832, xrefs: 00437939, 00437B5A, 004383A6, 004384A3, 0043935D
"Store raw": "firefox-default",, xrefs: 00438286, 00439252
0E33003C1E210D1A743A17152F1A0E, xrefs: 00437773, 0043790E
"This domain only raw": "false",, xrefs: 00438252, 0043921E
"Expires raw": ", xrefs: 00437FF7, 00438EBB
"Send for": "Any type of connection",, xrefs: 0043810B, 004390D7
expiry, xrefs: 00438A91
"Content raw": ", xrefs: 00437EF4, 00438E1F
pRPoSuHhiZIfyFnkPjkxdFDZVQSBtCET, xrefs: 0043779E, 00437964
host, xrefs: 00438AA5
"SameSite raw": "no_restriction",, xrefs: 004381A7, 00439173
6, xrefs: 00439447
"Send for raw": "false",, xrefs: 0043813F, 0043910B
"This domain only": "Valid for subdomains",, xrefs: 0043821E, 004391EA
"Host raw": "https://, xrefs: 00437D1E, 00438C4B
d, xrefs: 00437C92

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Free$Move$Destruct$#645ChkstkError$#579EachPreserveRedimUnlock
String ID: "Content raw": "$ "Expires raw": "$ "Expires": "$ "First Party Domain": ""$ "HTTP only raw": "false",$ "Host raw": "https://$ "Name raw": "$ "Path raw": "$ "SameSite raw": "no_restriction",$ "Send for raw": "false",$ "Send for": "Any type of connection",$ "Store raw": "firefox-default",$ "This domain only raw": "false",$ "This domain only": "Valid for subdomains",$0E33003C1E210D1A743A17152F1A0E$2C1003083F1E35027F0832$6$CopyFile$RpslgTwPqQlPvwROtkaodN$SELECT expiry, host, name, path, value FROM moz_cookies$Scripting.FileSystemObject$d$expiry$host$name$pRPoSuHhiZIfyFnkPjkxdFDZVQSBtCET$path$value
API String ID: 3719278416-3556673606
Opcode ID: 34138d5798142d64515c342307399d0eb7cf95d5319861f6188db78b6f13091b
Instruction ID: 43420eaac984232e9af21603fadc0c5cbb8924fb70437fcd59561cef64829787
Opcode Fuzzy Hash: 34138d5798142d64515c342307399d0eb7cf95d5319861f6188db78b6f13091b
Instruction Fuzzy Hash: 29030C75900119DFDB25DFA0DD88FDEB7B8BB48301F1082EAE54AB6160EB745A88CF54

Function 00412DE0 Relevance: 594.0, APIs: 312, Strings: 26, Instructions: 2467COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004030D6), ref: 00412DFE
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004030D6), ref: 00412E2E
__vbaUbound.MSVBVM60(00000001,006597C0,?,?,?,00000000,004030D6), ref: 00412E43
__vbaI2I4.MSVBVM60(?,?,?,00000000,004030D6), ref: 00412E4B
__vbaGenerateBoundsError.MSVBVM60 ref: 00412EE8
__vbaGenerateBoundsError.MSVBVM60 ref: 00412F05
__vbaStrCat.MSVBVM60(\accounts.xml,006597C0), ref: 00412F28
#645.MSVBVM60(00000008,00000000), ref: 00412F47
__vbaStrMove.MSVBVM60 ref: 00412F52
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 00412F5E
__vbaFreeStr.MSVBVM60 ref: 00412F76
__vbaFreeVar.MSVBVM60 ref: 00412F82
__vbaNew2.MSVBVM60(00405800,00000000), ref: 00412FAD
__vbaGenerateBoundsError.MSVBVM60 ref: 0041301D
__vbaGenerateBoundsError.MSVBVM60 ref: 0041303A
__vbaStrCat.MSVBVM60(\accounts.xml,006597C0), ref: 0041305E
__vbaChkstk.MSVBVM60(?), ref: 00413080
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405810,000000E8), ref: 004130E8
__vbaFreeVar.MSVBVM60 ref: 00413106
__vbaNew2.MSVBVM60(00405800,00000000), ref: 00413122
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405810,000000B4), ref: 0041318F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00405940,00000030), ref: 004131F2
__vbaObjSet.MSVBVM60(?,?), ref: 0041322E
__vbaForEachCollObj.MSVBVM60(00405940,?,?,00000000), ref: 00413245
__vbaFreeObj.MSVBVM60 ref: 00413257
__vbaStrCopy.MSVBVM60 ref: 00413271
__vbaStrMove.MSVBVM60(?), ref: 00413285
__vbaStrCopy.MSVBVM60 ref: 00413293
__vbaStrMove.MSVBVM60(?), ref: 004132A7
__vbaStrCopy.MSVBVM60 ref: 004132B5
__vbaStrMove.MSVBVM60 ref: 004132D4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405940,00000030), ref: 00413310
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406444,0000001C), ref: 00413375
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00405940,00000068), ref: 004133D5
__vbaStrCopy.MSVBVM60 ref: 004133F5
__vbaStrMove.MSVBVM60 ref: 00413414
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405940,00000030), ref: 00413450
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406444,0000001C), ref: 004134B5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405940,00000068), ref: 00413515
__vbaStrMove.MSVBVM60(?,?,0065A764), ref: 00413546
__vbaStrCat.MSVBVM60(00000000), ref: 0041354D
__vbaStrMove.MSVBVM60 ref: 00413558
__vbaStrCat.MSVBVM60(?,00000000), ref: 00413563
__vbaStrMove.MSVBVM60 ref: 0041356E
__vbaStrMove.MSVBVM60(?,?,00405824,00000000), ref: 0041358C
__vbaStrCat.MSVBVM60(00000000), ref: 00413593
__vbaStrMove.MSVBVM60 ref: 0041359E
__vbaStrCat.MSVBVM60(00000000), ref: 004135A5
__vbaStrMove.MSVBVM60 ref: 004135B0
__vbaStrCat.MSVBVM60(?,00000000), ref: 004135BB
__vbaStrMove.MSVBVM60 ref: 004135C6
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 004135D2
__vbaStrMove.MSVBVM60 ref: 004135DF
__vbaFreeStrList.MSVBVM60(00000011,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041362B
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 00413652
__vbaStrMove.MSVBVM60(?), ref: 0041367E
__vbaStrCopy.MSVBVM60 ref: 0041368C
__vbaStrMove.MSVBVM60(?), ref: 004136A0
__vbaStrCopy.MSVBVM60 ref: 004136AE
__vbaStrMove.MSVBVM60 ref: 004136CD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405940,00000030), ref: 00413709
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406444,0000001C), ref: 0041376E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405940,00000068), ref: 004137CE
__vbaStrCopy.MSVBVM60 ref: 004137EE
__vbaStrMove.MSVBVM60 ref: 0041380D
__vbaStrMove.MSVBVM60(?,?,0065A764), ref: 0041382C
__vbaStrCat.MSVBVM60(00000000), ref: 00413833
__vbaStrMove.MSVBVM60 ref: 0041383E
__vbaStrCat.MSVBVM60(?,00000000), ref: 00413849
__vbaStrMove.MSVBVM60 ref: 00413854
__vbaStrMove.MSVBVM60(?,?,00405824,00000000), ref: 00413872
__vbaStrCat.MSVBVM60(00000000), ref: 00413879
__vbaStrMove.MSVBVM60 ref: 00413884
__vbaStrCat.MSVBVM60(00000000), ref: 0041388B
__vbaStrMove.MSVBVM60 ref: 00413896
__vbaStrCat.MSVBVM60(===============DARKCLOUD===============,00405824,00000000), ref: 004138A7
__vbaStrMove.MSVBVM60 ref: 004138B2
__vbaStrCat.MSVBVM60(00000000), ref: 004138B9
__vbaStrMove.MSVBVM60 ref: 004138C4
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 004138D0
__vbaStrMove.MSVBVM60 ref: 004138DD
__vbaFreeStrList.MSVBVM60(00000011,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00413929
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00413942
__vbaNextEachCollObj.MSVBVM60(00405940,?,?), ref: 00413962
__vbaGenerateBoundsError.MSVBVM60 ref: 004139CA
__vbaGenerateBoundsError.MSVBVM60 ref: 004139E7
__vbaStrCat.MSVBVM60(\recentservers.xml,006597C0), ref: 00413A0B
#645.MSVBVM60(00000008,00000000), ref: 00413A2A
__vbaStrMove.MSVBVM60 ref: 00413A35
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 00413A41
__vbaFreeStr.MSVBVM60 ref: 00413A59
__vbaFreeVar.MSVBVM60 ref: 00413A65
__vbaNew2.MSVBVM60(00405800,00000000), ref: 00413A90
__vbaGenerateBoundsError.MSVBVM60 ref: 00413AFF
__vbaGenerateBoundsError.MSVBVM60 ref: 00413B1C
__vbaStrCat.MSVBVM60(\recentservers.xml,006597C0), ref: 00413B40
__vbaChkstk.MSVBVM60(?), ref: 00413B62
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405810,000000E8), ref: 00413BCA
__vbaFreeVar.MSVBVM60 ref: 00413BE8
__vbaNew2.MSVBVM60(00405800,00000000), ref: 00413C04
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405810,000000DC), ref: 00413C76
__vbaObjSet.MSVBVM60(?,?), ref: 00413CB2
__vbaForEachCollObj.MSVBVM60(00405940,?,?,00000000), ref: 00413CC9
__vbaStrCopy.MSVBVM60 ref: 00413CE9
__vbaStrMove.MSVBVM60(?), ref: 00413CFD
__vbaStrCopy.MSVBVM60 ref: 00413D0B
__vbaStrMove.MSVBVM60(?,?), ref: 00413D42
__vbaStrCopy.MSVBVM60 ref: 00413D50
__vbaStrMove.MSVBVM60(?), ref: 00413D64
__vbaStrCopy.MSVBVM60 ref: 00413D72
__vbaStrMove.MSVBVM60(?,?), ref: 00413DAC
__vbaStrMove.MSVBVM60(00000000), ref: 00413DD2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405940,00000094), ref: 00413E0E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00405940,00000068), ref: 00413E6E
__vbaStrMove.MSVBVM60(?), ref: 00413EAC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405940,00000094), ref: 00413EE8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405940,00000068), ref: 00413F48
__vbaStrCat.MSVBVM60(Url : ftp://,0065A764), ref: 00413F6B
__vbaStrMove.MSVBVM60 ref: 00413F76
__vbaStrCat.MSVBVM60(?,00000000), ref: 00413F81
__vbaStrMove.MSVBVM60 ref: 00413F8C
__vbaStrCat.MSVBVM60(00406590,00000000), ref: 00413F98
__vbaStrMove.MSVBVM60 ref: 00413FA3
__vbaStrCat.MSVBVM60(?,00000000), ref: 00413FAE
__vbaStrMove.MSVBVM60 ref: 00413FB9
__vbaStrCat.MSVBVM60(0040505C,00000000), ref: 00413FC5
__vbaStrMove.MSVBVM60 ref: 00413FD0
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 00413FDC
__vbaStrMove.MSVBVM60 ref: 00413FE9
__vbaFreeStrList.MSVBVM60(00000013,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00414040
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00414059
__vbaStrCopy.MSVBVM60 ref: 00414071
__vbaStrMove.MSVBVM60(?), ref: 00414085
__vbaStrCopy.MSVBVM60 ref: 00414093
__vbaStrMove.MSVBVM60(?), ref: 004140A7
__vbaStrCopy.MSVBVM60 ref: 004140B5
__vbaStrMove.MSVBVM60 ref: 004140D4
__vbaStrMove.MSVBVM60(?,?), ref: 004140EC
__vbaStrCopy.MSVBVM60 ref: 004140FA
__vbaStrMove.MSVBVM60 ref: 00414119
__vbaStrMove.MSVBVM60(?), ref: 0041413F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405940,00000094), ref: 0041417B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405940,00000068), ref: 004141DB
__vbaStrMove.MSVBVM60(?,?,0065A764), ref: 0041420C
__vbaStrCat.MSVBVM60(00000000), ref: 00414213
__vbaStrMove.MSVBVM60 ref: 0041421E
__vbaStrCat.MSVBVM60(?,00000000), ref: 00414229
__vbaStrMove.MSVBVM60 ref: 00414234
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 00414240
__vbaStrMove.MSVBVM60 ref: 0041424D
__vbaFreeStrList.MSVBVM60(0000000E,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041428D
__vbaFreeObj.MSVBVM60 ref: 0041429C
__vbaStrCopy.MSVBVM60 ref: 004142B1
__vbaStrMove.MSVBVM60(?), ref: 004142C5
__vbaStrCopy.MSVBVM60 ref: 004142D3
__vbaStrMove.MSVBVM60 ref: 004142F2
__vbaStrMove.MSVBVM60(?,?), ref: 0041430A
__vbaStrMove.MSVBVM60(?), ref: 00414330
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405940,00000094), ref: 0041436C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405940,00000068), ref: 004143CC
__vbaStrMove.MSVBVM60 ref: 004143FD
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,00000000), ref: 0041441D
__vbaFreeObj.MSVBVM60 ref: 0041442C
__vbaAryMove.MSVBVM60(?,?,?), ref: 00414453
__vbaUbound.MSVBVM60(00000001,?), ref: 00414466
__vbaStrMove.MSVBVM60(?,?), ref: 00414487
__vbaNextEachCollObj.MSVBVM60(00405940,?,?), ref: 004144A4
__vbaStrCat.MSVBVM60(?,00000000), ref: 00414597
__vbaStrMove.MSVBVM60 ref: 004145A2
__vbaStrMove.MSVBVM60(00000000,?,00405824,00000000), ref: 004145C0
__vbaStrCat.MSVBVM60(00000000), ref: 004145C7
__vbaStrMove.MSVBVM60 ref: 004145D2
__vbaStrCat.MSVBVM60(00000000), ref: 004145D9
__vbaStrMove.MSVBVM60 ref: 004145E4
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 004145F0
__vbaStrMove.MSVBVM60 ref: 004145FD
__vbaFreeStrList.MSVBVM60(0000000E,?,?,?,?,00000000,00000000,00000000,?,?,?,?,00000000,00000000,00000000), ref: 0041463D
__vbaStrCat.MSVBVM60(===============DARKCLOUD===============,0065A764), ref: 00414659
__vbaStrMove.MSVBVM60 ref: 00414664
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 00414670
__vbaStrMove.MSVBVM60 ref: 0041467D
__vbaFreeStr.MSVBVM60 ref: 00414686
__vbaStrCopy.MSVBVM60 ref: 0041469B
__vbaGenerateBoundsError.MSVBVM60 ref: 004146EE
__vbaGenerateBoundsError.MSVBVM60 ref: 0041470B
__vbaStrCat.MSVBVM60(\sitemanager.xml,006597C0), ref: 0041472E
#645.MSVBVM60(00000008,00000000), ref: 0041474D
__vbaStrMove.MSVBVM60 ref: 00414758
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 00414764
__vbaFreeStr.MSVBVM60 ref: 0041477C
__vbaFreeVar.MSVBVM60 ref: 00414788
__vbaNew2.MSVBVM60(00405800,00000000), ref: 004147B3
__vbaGenerateBoundsError.MSVBVM60 ref: 00414823
__vbaGenerateBoundsError.MSVBVM60 ref: 00414840
__vbaStrCat.MSVBVM60(\sitemanager.xml,006597C0), ref: 00414864
__vbaChkstk.MSVBVM60(?), ref: 00414886
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405810,000000E8), ref: 004148EE
__vbaFreeVar.MSVBVM60 ref: 0041490C
__vbaNew2.MSVBVM60(00405800,00000000), ref: 00414928
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405810,000000DC), ref: 0041499A
__vbaObjSet.MSVBVM60(?,?), ref: 004149D6
__vbaForEachCollObj.MSVBVM60(00405940,?,?,00000000), ref: 004149ED
__vbaStrCopy.MSVBVM60 ref: 00414A0D
__vbaStrMove.MSVBVM60(?), ref: 00414A21
__vbaStrCopy.MSVBVM60 ref: 00414A2F
__vbaStrMove.MSVBVM60 ref: 00414A4E
__vbaStrMove.MSVBVM60 ref: 00413D91

Part of subcall function 0042DDC0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,00000002,?,?,?), ref: 0042DF0A
Part of subcall function 0042DDC0: __vbaStrCopy.MSVBVM60 ref: 0042DF29
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(0042DF6C), ref: 0042DF65

__vbaStrMove.MSVBVM60 ref: 00413D2A

Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,6D42D8B1,00000001,6D41A323), ref: 0042DE03
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?), ref: 0042DE39
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?), ref: 0042DE44
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,?), ref: 0042DE47
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0042DE52
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0042DE5B
Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 0042DE79
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DE96
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEA1
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0042DEA4
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB0
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB9
Part of subcall function 0042DDC0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 0042DEDA
Part of subcall function 0042DDC0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 0042DEEC
Part of subcall function 0042DDC0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 0042DEF3
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DEFE

__vbaStrCopy.MSVBVM60 ref: 004144CC
__vbaStrMove.MSVBVM60(?), ref: 004144E0
__vbaStrCopy.MSVBVM60 ref: 004144EE
__vbaStrMove.MSVBVM60(00000000), ref: 00414502
__vbaStrCopy.MSVBVM60 ref: 00414510
__vbaStrMove.MSVBVM60 ref: 0041452F
__vbaStrCopy.MSVBVM60 ref: 0041453D
__vbaStrMove.MSVBVM60 ref: 0041455C
__vbaStrMove.MSVBVM60(?,?,0065A764), ref: 0041457A
__vbaStrCat.MSVBVM60(00000000), ref: 00414581
__vbaStrMove.MSVBVM60 ref: 0041458C
__vbaStrCopy.MSVBVM60 ref: 0041366A

Part of subcall function 0042ECB0: __vbaLenBstr.MSVBVM60(?), ref: 0042ECF6
Part of subcall function 0042ECB0: #632.MSVBVM60(?,?,?,?), ref: 0042ED52
Part of subcall function 0042ECB0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 0042ED68
Part of subcall function 0042ECB0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0042ED6F
Part of subcall function 0042ECB0: #537.MSVBVM60(00000000), ref: 0042ED76
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED81
Part of subcall function 0042ECB0: __vbaStrCat.MSVBVM60(00000000), ref: 0042ED84
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED8B
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED90
Part of subcall function 0042ECB0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042EDA8

__vbaStrMove.MSVBVM60(?,?), ref: 00414A66
__vbaStrCopy.MSVBVM60 ref: 00414A74
__vbaStrMove.MSVBVM60(?), ref: 00414A88
__vbaStrCopy.MSVBVM60 ref: 00414A96
__vbaStrMove.MSVBVM60 ref: 00414AB5
__vbaStrMove.MSVBVM60(?,?), ref: 00414AD0
__vbaStrMove.MSVBVM60(00000000), ref: 00414AF6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405940,00000094), ref: 00414B32
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00405940,00000068), ref: 00414B92
__vbaStrMove.MSVBVM60(?), ref: 00414BD0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405940,00000094), ref: 00414C0C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405940,00000068), ref: 00414C6C
__vbaStrCat.MSVBVM60(Url : ftp://,0065A764), ref: 00414C90
__vbaStrMove.MSVBVM60 ref: 00414C9B
__vbaStrCat.MSVBVM60(?,00000000), ref: 00414CA6
__vbaStrMove.MSVBVM60 ref: 00414CB1
__vbaStrCat.MSVBVM60(00406590,00000000), ref: 00414CBD
__vbaStrMove.MSVBVM60 ref: 00414CC8
__vbaStrCat.MSVBVM60(?,00000000), ref: 00414CD3
__vbaStrMove.MSVBVM60 ref: 00414CDE
__vbaStrCat.MSVBVM60(0040505C,00000000), ref: 00414CEA
__vbaStrMove.MSVBVM60 ref: 00414CF5
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 00414D01
__vbaStrMove.MSVBVM60 ref: 00414D0E
__vbaFreeStrList.MSVBVM60(00000013,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00414D65
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00414D7E
__vbaStrCopy.MSVBVM60 ref: 00414D96
__vbaStrMove.MSVBVM60(?), ref: 00414DAA
__vbaStrCopy.MSVBVM60 ref: 00414DB8
__vbaStrMove.MSVBVM60(?), ref: 00414DCC
__vbaStrCopy.MSVBVM60 ref: 00414DDA
__vbaStrMove.MSVBVM60 ref: 00414DF9
__vbaStrMove.MSVBVM60(?,?), ref: 00414E11
__vbaStrCopy.MSVBVM60 ref: 00414E1F
__vbaStrMove.MSVBVM60 ref: 00414E3E
__vbaStrMove.MSVBVM60(?), ref: 00414E64
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405940,00000094), ref: 00414EA0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405940,00000068), ref: 00414F00
__vbaStrMove.MSVBVM60(?,?,0065A764), ref: 00414F30
__vbaStrCat.MSVBVM60(00000000), ref: 00414F37
__vbaStrMove.MSVBVM60 ref: 00414F42
__vbaStrCat.MSVBVM60(?,00000000), ref: 00414F4D
__vbaStrMove.MSVBVM60 ref: 00414F58
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 00414F64
__vbaStrMove.MSVBVM60 ref: 00414F71
__vbaFreeStrList.MSVBVM60(0000000E,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00414FB1
__vbaFreeObj.MSVBVM60 ref: 00414FC0
__vbaStrCopy.MSVBVM60 ref: 00414FD5
__vbaStrMove.MSVBVM60(?), ref: 00414FE9
__vbaStrCopy.MSVBVM60 ref: 00414FF7
__vbaStrMove.MSVBVM60 ref: 00415016
__vbaStrMove.MSVBVM60(?,?), ref: 0041502E
__vbaStrMove.MSVBVM60(?), ref: 00415054
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405940,00000094), ref: 00415090
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405940,00000068), ref: 004150F0
__vbaStrMove.MSVBVM60 ref: 00415121
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,00000000), ref: 00415141
__vbaFreeObj.MSVBVM60 ref: 00415150
__vbaAryMove.MSVBVM60(?,?,?), ref: 00415177
__vbaUbound.MSVBVM60(00000001,?), ref: 0041518A
__vbaStrMove.MSVBVM60(?,?), ref: 004151AB
__vbaNextEachCollObj.MSVBVM60(00405940,?,?), ref: 004151C8
__vbaStrCopy.MSVBVM60 ref: 004151F0
__vbaStrMove.MSVBVM60(?), ref: 00415204
__vbaStrCopy.MSVBVM60 ref: 00415212
__vbaStrMove.MSVBVM60 ref: 00415231
__vbaStrMove.MSVBVM60(?,?,0065A764), ref: 00415250
__vbaStrCat.MSVBVM60(00000000), ref: 00415257
__vbaStrMove.MSVBVM60 ref: 00415262
__vbaStrCat.MSVBVM60(?,00000000), ref: 0041526D
__vbaStrMove.MSVBVM60 ref: 00415278
__vbaStrCat.MSVBVM60(Application : FileZilla,00405824,00000000), ref: 00415289
__vbaStrMove.MSVBVM60 ref: 00415294
__vbaStrCat.MSVBVM60(00000000), ref: 0041529B
__vbaStrMove.MSVBVM60 ref: 004152A6
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 004152B2
__vbaStrMove.MSVBVM60 ref: 004152BF
__vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,00000000,00000000,00000000,?,00000000), ref: 004152EB
__vbaStrCat.MSVBVM60(===============DARKCLOUD===============,0065A764), ref: 00415306
__vbaStrMove.MSVBVM60 ref: 00415311
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 0041531D
__vbaStrMove.MSVBVM60 ref: 0041532A
__vbaFreeStr.MSVBVM60 ref: 00415333
__vbaStrCopy.MSVBVM60 ref: 00415348
__vbaFreeObjList.MSVBVM60(00000006,?,?,?,?,?,?,00415489), ref: 00415431
__vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,00000000,004030D6), ref: 00415443
__vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,00000000,004030D6), ref: 00415452
__vbaFreeStr.MSVBVM60(?,?,?,?,?,00000000,004030D6), ref: 0041545B
__vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,00000000,004030D6), ref: 00415467
__vbaFreeStr.MSVBVM60(?,?,?,?,?,00000000,004030D6), ref: 00415470
__vbaFreeObj.MSVBVM60(?,?,?,?,?,00000000,004030D6), ref: 00415479
__vbaFreeObj.MSVBVM60(?,?,?,?,?,00000000,004030D6), ref: 00415482

Strings

===============DARKCLOUD===============, xrefs: 004138A2, 00414654, 00415301
303C2B25, xrefs: 0041408B, 00414DB0
xSlwZiQnRQDmDXCuhsXxuBZdyNiiKUGCJV, xrefs: 00414535
TcDrGNJvvKjh, xrefs: 004136A6, 00414508, 0041520A
lTHVnVqKJBd, xrefs: 004133ED, 004140F2, 00414E17
ycjdNikmPGuofJBlFuYhiU, xrefs: 00413D03, 00414A27
\recentservers.xml, xrefs: 00413A06, 00413B3B
Application : FileZilla, xrefs: 00415284
23051E051502351E66484C, xrefs: 00413269
33250134392504126B5048, xrefs: 00413662, 004144C4, 004151E8
2F3A1E1C011017011C0822776B4C1C1932223138, xrefs: 00413684
Url : ftp://, xrefs: 00413F66, 00414C8B
232B3119, xrefs: 004142A9, 00414FCD
GnJnphsvuugLWQlLpVEXVpZ, xrefs: 004137E6
\sitemanager.xml, xrefs: 00414729, 0041485F
121C073600320F26382B0364626333011F3D221C2E3605, xrefs: 004144E6
292D0B02, xrefs: 00413D48, 00414A6C
013B331C3810262F625E4C, xrefs: 0041328B, 00414069, 00414D8E
2B05173A, xrefs: 00413CE1, 00414A05
Server, xrefs: 00413C33, 00414957
%, xrefs: 0041534E
TyByvsFtDEqry, xrefs: 00413D6A, 00414A8E
\accounts.xml, xrefs: 00412F23, 00413059
keONWvDpKfSIpBeJlhvrDso, xrefs: 004140AD, 00414DD2
TsJBjnGaVJTXmCZLPDiQTvFLVphStxldHrXdpGCrMOT, xrefs: 004142CB, 00414FEF
OswqqzaZrFrliPZWuqWKCNs, xrefs: 004132AD

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$Copy$CheckHresult$List$Error$BoundsGenerate$CollEachNew2$Chkstk$#645BstrDestructNextUbound$#516#631$#537#608#632
String ID: %$013B331C3810262F625E4C$121C073600320F26382B0364626333011F3D221C2E3605$23051E051502351E66484C$232B3119$292D0B02$2B05173A$2F3A1E1C011017011C0822776B4C1C1932223138$303C2B25$33250134392504126B5048$===============DARKCLOUD===============$Application : FileZilla$GnJnphsvuugLWQlLpVEXVpZ$OswqqzaZrFrliPZWuqWKCNs$Server$TcDrGNJvvKjh$TsJBjnGaVJTXmCZLPDiQTvFLVphStxldHrXdpGCrMOT$TyByvsFtDEqry$Url : ftp://$\accounts.xml$\recentservers.xml$\sitemanager.xml$keONWvDpKfSIpBeJlhvrDso$lTHVnVqKJBd$xSlwZiQnRQDmDXCuhsXxuBZdyNiiKUGCJV$ycjdNikmPGuofJBlFuYhiU
API String ID: 2863888553-2646638358
Opcode ID: 584e366f406b0930e0655fefdd54eb915662b6bb6a5660477b45127905f4bd37
Instruction ID: d0dea3cc7f5c8e9f14b529e8d927f0d9802cd4780a62f45803ddd7a5cefcf977
Opcode Fuzzy Hash: 584e366f406b0930e0655fefdd54eb915662b6bb6a5660477b45127905f4bd37
Instruction Fuzzy Hash: A243E575900218DFDB14DFA0DD88BDEB7B5FB48301F1082AAE50AB72A4DB745A89CF54

Function 0040D57E Relevance: 446.6, APIs: 230, Strings: 24, Instructions: 2110COMMON

Download Yara Rule

APIs

__vbaGenerateBoundsError.MSVBVM60 ref: 0040D60A
__vbaGenerateBoundsError.MSVBVM60 ref: 0040D627
__vbaStrCat.MSVBVM60(004055A8,00659730), ref: 0040D64B
__vbaStrMove.MSVBVM60 ref: 0040D659
__vbaAryMove.MSVBVM60((En,?,?,0043D064), ref: 0040D682
__vbaFreeStr.MSVBVM60 ref: 0040D68E
__vbaUbound.MSVBVM60(00000001,006E4528), ref: 0040D6B9
__vbaI2I4.MSVBVM60 ref: 0040D6C1
__vbaStrCopy.MSVBVM60 ref: 0040D722
__vbaStrMove.MSVBVM60(?), ref: 0040D73C
__vbaStrCopy.MSVBVM60 ref: 0040D74D
__vbaStrMove.MSVBVM60 ref: 0040D775
__vbaStrMove.MSVBVM60(?,?), ref: 0040D796
__vbaStrMove.MSVBVM60(006E4528), ref: 0040D841
__vbaStrCat.MSVBVM60(00000000), ref: 0040D848
__vbaUbound.MSVBVM60(00000001,006597C0), ref: 0040FD78
__vbaI2I4.MSVBVM60 ref: 0040FD80
__vbaStrCat.MSVBVM60(004055A8,006597C0), ref: 0040FE6E
__vbaStrMove.MSVBVM60 ref: 0040FE7C
__vbaAryMove.MSVBVM60((En,?,?,0043D064), ref: 0040FEA5
__vbaFreeStr.MSVBVM60 ref: 0040FEB1
__vbaUbound.MSVBVM60(00000001,006E4528), ref: 0040FEDC
__vbaI2I4.MSVBVM60 ref: 0040FEE4
__vbaStrCopy.MSVBVM60 ref: 0040FF44
__vbaStrMove.MSVBVM60(?), ref: 0040FF5E
__vbaStrCopy.MSVBVM60 ref: 0040FF6F
__vbaStrMove.MSVBVM60 ref: 0040FF97
__vbaErrorOverflow.MSVBVM60 ref: 00412DD7

Strings

5E7B360D06182A173D16240F110620596B1110093F020E1C3162355D1A22152F28, xrefs: 0040F372
Profiles, xrefs: 0040E680
===============DARKCLOUD===============, xrefs: 0040FC90
oqTEhrlCyZMdapkEdLDclMl, xrefs: 0040F39D
333D2D2928333C13241805111D34572E34002C, xrefs: 0040D717, 0040DA23
azFPgggmVIbknbWTCKHORYF, xrefs: 0040EF90, 0040F15C
\User Data\Default\Login Data, xrefs: 0040DCDE, 0040E02F
TcDrGNJvvKjh, xrefs: 0040FA5E
(En, xrefs: 0040D67D, 0040D6B0, 0040D79C, 0040D7A5, 0040D7B8, 0040D7C7, 0040D823, 0040D8F4, 0040D8FD, 0040D910, 0040D91E, 0040D974, 0040DAF3, 0040DAFC, 0040DB0F, 0040DB1D, 0040DB79, 0040DC5B, 0040DC64, 0040DC77, 0040DC85, 0040DCCB, 0040DD5F, 0040DD68, 0040DD7B, 0040DD89, 0040DDCF, 0040DDD8, 0040DDEB, 0040DDF9, 0040DE3F, 0040DED1, 0040DEF5, 0040DFAC, 0040DFB5, 0040DFC8, 0040DFD6, 0040E01C, 0040E140, 0040E149, 0040E15C, 0040E16A, 0040E1C6, 0040E298, 0040E2A1, 0040E2B3, 0040E2C2, 0040E317, 0040E496, 0040E49F, 0040E4B1, 0040E4C0, 0040E51B, 0040E5FD, 0040E606, 0040E618, 0040E627, 0040E66E, 0040E69C, 0040E6A5, 0040E6B8, 0040E6C6, 0040E71C, 0040E816, 0040E916, 0040E91F, 0040E931, 0040E940, 0040E985, 0040EA18, 0040EA21, 0040EA33, 0040EA42, 0040EA87, 0040EA90, 0040EAA2, 0040EAB1, 0040EAF6, 0040EB87, 0040EBAB, 0040EC63, 0040EC6C, 0040EC7E, 0040EC8D, 0040ECD2, 0040ED70, 0040ED79, 0040ED8C, 0040ED9B, 0040EDE3, 0040EE22, 0040EE2B, 0040EE3D, 0040EE4C, 0040EE91
lTHVnVqKJBd, xrefs: 0040FA25
\User Data, xrefs: 0040D96F, 0040E312
EoyHOIFPgxTjvtZwjUtMeZQ, xrefs: 0040D742, 0040DA4E
NordVPN, xrefs: 0040EDF6
013B331C3810262F625E4C, xrefs: 0040F9CF
\Profiles, xrefs: 0040E717, 0040E997, 0040ECE4
1D012D3D2A24701E0A2738, xrefs: 0040E0BB, 0040E3C6
jAMBZCJPZkSYHclvQlTnjDT, xrefs: 0040E0E6, 0040E3F1
anxXwGUGUdnvXPPexWyUMBU, xrefs: 0040FC15
1, xrefs: 0040FD44
65620A163C371A0404081A3605092F5C6C3320323636253F1D54156C050B0F263F, xrefs: 0040F64F
2633230215490E3927040209, xrefs: 0040EF65, 0040F131
2F08281B2E3626210D0118786A702B17251D031D0C, xrefs: 0040FBEA
33250134392504126B5048, xrefs: 0040F9FA
AJMysHCsjcSZXddJaKcAAE, xrefs: 0040F67A

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Copy$ErrorUbound$BoundsFreeGenerate$Overflow
String ID: (En$013B331C3810262F625E4C$1$1D012D3D2A24701E0A2738$2633230215490E3927040209$2F08281B2E3626210D0118786A702B17251D031D0C$33250134392504126B5048$333D2D2928333C13241805111D34572E34002C$5E7B360D06182A173D16240F110620596B1110093F020E1C3162355D1A22152F28$65620A163C371A0404081A3605092F5C6C3320323636253F1D54156C050B0F263F$===============DARKCLOUD===============$AJMysHCsjcSZXddJaKcAAE$EoyHOIFPgxTjvtZwjUtMeZQ$NordVPN$Profiles$TcDrGNJvvKjh$\Profiles$\User Data$\User Data\Default\Login Data$anxXwGUGUdnvXPPexWyUMBU$azFPgggmVIbknbWTCKHORYF$jAMBZCJPZkSYHclvQlTnjDT$lTHVnVqKJBd$oqTEhrlCyZMdapkEdLDclMl
API String ID: 2627448202-2245370215
Opcode ID: 29d6bef24f3533a7a31a53c8349ea6d816c50b52bc48a358010fff522edc5deb
Instruction ID: 9f8d0edf5cefd390c6526526bf223bc4a2d14f22ff7b2c8f7ac3ca6ad98ebe04
Opcode Fuzzy Hash: 29d6bef24f3533a7a31a53c8349ea6d816c50b52bc48a358010fff522edc5deb
Instruction Fuzzy Hash: 79331A70A00218DFDB24DF60DD84BDAB7B5FB48304F1085EAE54AB72A0DB745A89CF58

Function 0040D6E2 Relevance: 436.0, APIs: 224, Strings: 24, Instructions: 2050COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0040D722

Part of subcall function 0042ECB0: __vbaLenBstr.MSVBVM60(?), ref: 0042ECF6
Part of subcall function 0042ECB0: #632.MSVBVM60(?,?,?,?), ref: 0042ED52
Part of subcall function 0042ECB0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 0042ED68
Part of subcall function 0042ECB0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0042ED6F
Part of subcall function 0042ECB0: #537.MSVBVM60(00000000), ref: 0042ED76
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED81
Part of subcall function 0042ECB0: __vbaStrCat.MSVBVM60(00000000), ref: 0042ED84
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED8B
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED90
Part of subcall function 0042ECB0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042EDA8

__vbaStrMove.MSVBVM60(?), ref: 0040D73C
__vbaStrCopy.MSVBVM60 ref: 0040D74D
__vbaStrMove.MSVBVM60 ref: 0040D775

Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,6D42D8B1,00000001,6D41A323), ref: 0042DE03
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?), ref: 0042DE39
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?), ref: 0042DE44
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,?), ref: 0042DE47
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0042DE52
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0042DE5B
Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 0042DE79
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DE96
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEA1
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0042DEA4
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB0
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB9
Part of subcall function 0042DDC0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 0042DEDA
Part of subcall function 0042DDC0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 0042DEEC
Part of subcall function 0042DDC0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 0042DEF3
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DEFE

__vbaStrMove.MSVBVM60(?,?), ref: 0040D796
__vbaGenerateBoundsError.MSVBVM60 ref: 0040D7E4
__vbaGenerateBoundsError.MSVBVM60 ref: 0040D801
__vbaStrMove.MSVBVM60(006E4528), ref: 0040D841
__vbaStrCat.MSVBVM60(00000000), ref: 0040D848
#645.MSVBVM60(00000008,00000000), ref: 0040D867
__vbaStrMove.MSVBVM60 ref: 0040D875
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 0040D881
__vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,00000000,00000000), ref: 0040D8C9
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00000000,004030D6), ref: 0040D8D8
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,00000000,004030D6), ref: 0040D93B
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,00000000,004030D6), ref: 0040D958
#712.MSVBVM60(006E4528,\User Data,00405638,00000001,000000FF,00000000,?,?,?,?,?,?,00000000,004030D6), ref: 0040D987
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,00000000,004030D6), ref: 0040D994
__vbaLenBstr.MSVBVM60(00678914), ref: 0040D9BC
#709.MSVBVM60(00678914,004055A8,000000FF,00000000), ref: 0040D9D3
#619.MSVBVM60(?,00004008,00000000), ref: 0040D9F0
__vbaStrVarMove.MSVBVM60(?), ref: 0040D9FD
__vbaStrMove.MSVBVM60 ref: 0040DA0A
__vbaFreeVar.MSVBVM60 ref: 0040DA16
__vbaStrCopy.MSVBVM60 ref: 0040DA2E
__vbaStrMove.MSVBVM60(?), ref: 0040DA48
__vbaStrCopy.MSVBVM60 ref: 0040DA59
__vbaStrMove.MSVBVM60 ref: 0040DA81
__vbaStrMove.MSVBVM60(?,?), ref: 0040DAA2
__vbaNew2.MSVBVM60(00405678,00000000), ref: 0040DAB7
__vbaGenerateBoundsError.MSVBVM60 ref: 0040DB3A
__vbaGenerateBoundsError.MSVBVM60 ref: 0040DB57
__vbaStrMove.MSVBVM60(006E4528), ref: 0040DB98
__vbaStrCat.MSVBVM60(00000000), ref: 0040DB9F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405668,00000028), ref: 0040DBFB
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,00000000), ref: 0040DC3F
__vbaFreeVar.MSVBVM60 ref: 0040DC4E
__vbaStrCat.MSVBVM60(\User Data\Default\Login Data,006E4528,?,?,?,?,?,?,00000000,004030D6), ref: 0040DCE3
#645.MSVBVM60(00000008,00000000), ref: 0040DD02
__vbaStrMove.MSVBVM60 ref: 0040DD10
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 0040DD1C
__vbaFreeStr.MSVBVM60 ref: 0040DD37
__vbaFreeVar.MSVBVM60 ref: 0040DD43
__vbaErrorOverflow.MSVBVM60 ref: 00412DD7

Strings

5E7B360D06182A173D16240F110620596B1110093F020E1C3162355D1A22152F28, xrefs: 0040F372
Profiles, xrefs: 0040E680
===============DARKCLOUD===============, xrefs: 0040FC90
oqTEhrlCyZMdapkEdLDclMl, xrefs: 0040F39D
333D2D2928333C13241805111D34572E34002C, xrefs: 0040D717, 0040DA23
azFPgggmVIbknbWTCKHORYF, xrefs: 0040EF90, 0040F15C
\User Data\Default\Login Data, xrefs: 0040DCDE, 0040E02F
TcDrGNJvvKjh, xrefs: 0040FA5E
(En, xrefs: 0040D79C, 0040D7A5, 0040D7B8, 0040D7C7, 0040D823, 0040D8F4, 0040D8FD, 0040D910, 0040D91E, 0040D974, 0040DAF3, 0040DAFC, 0040DB0F, 0040DB1D, 0040DB79, 0040DC5B, 0040DC64, 0040DC77, 0040DC85, 0040DCCB, 0040DD5F, 0040DD68, 0040DD7B, 0040DD89, 0040DDCF, 0040DDD8, 0040DDEB, 0040DDF9, 0040DE3F, 0040DED1, 0040DEF5, 0040DFAC, 0040DFB5, 0040DFC8, 0040DFD6, 0040E01C, 0040E140, 0040E149, 0040E15C, 0040E16A, 0040E1C6, 0040E298, 0040E2A1, 0040E2B3, 0040E2C2, 0040E317, 0040E496, 0040E49F, 0040E4B1, 0040E4C0, 0040E51B, 0040E5FD, 0040E606, 0040E618, 0040E627, 0040E66E, 0040E69C, 0040E6A5, 0040E6B8, 0040E6C6, 0040E71C, 0040E816, 0040E916, 0040E91F, 0040E931, 0040E940, 0040E985, 0040EA18, 0040EA21, 0040EA33, 0040EA42, 0040EA87, 0040EA90, 0040EAA2, 0040EAB1, 0040EAF6, 0040EB87, 0040EBAB, 0040EC63, 0040EC6C, 0040EC7E, 0040EC8D, 0040ECD2, 0040ED70, 0040ED79, 0040ED8C, 0040ED9B, 0040EDE3, 0040EE22, 0040EE2B, 0040EE3D, 0040EE4C, 0040EE91
lTHVnVqKJBd, xrefs: 0040FA25
\User Data, xrefs: 0040D96F, 0040E312
EoyHOIFPgxTjvtZwjUtMeZQ, xrefs: 0040D742, 0040DA4E
NordVPN, xrefs: 0040EDF6
013B331C3810262F625E4C, xrefs: 0040F9CF
\Profiles, xrefs: 0040E717, 0040E997, 0040ECE4
1D012D3D2A24701E0A2738, xrefs: 0040E0BB, 0040E3C6
jAMBZCJPZkSYHclvQlTnjDT, xrefs: 0040E0E6, 0040E3F1
anxXwGUGUdnvXPPexWyUMBU, xrefs: 0040FC15
1, xrefs: 0040FD44
65620A163C371A0404081A3605092F5C6C3320323636253F1D54156C050B0F263F, xrefs: 0040F64F
2633230215490E3927040209, xrefs: 0040EF65, 0040F131
2F08281B2E3626210D0118786A702B17251D031D0C, xrefs: 0040FBEA
33250134392504126B5048, xrefs: 0040F9FA
AJMysHCsjcSZXddJaKcAAE, xrefs: 0040F67A

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$Error$BoundsGenerate$BstrCopy$List$#516#631#645$#537#608#619#632#709#712CheckHresultNew2Overflow
String ID: (En$013B331C3810262F625E4C$1$1D012D3D2A24701E0A2738$2633230215490E3927040209$2F08281B2E3626210D0118786A702B17251D031D0C$33250134392504126B5048$333D2D2928333C13241805111D34572E34002C$5E7B360D06182A173D16240F110620596B1110093F020E1C3162355D1A22152F28$65620A163C371A0404081A3605092F5C6C3320323636253F1D54156C050B0F263F$===============DARKCLOUD===============$AJMysHCsjcSZXddJaKcAAE$EoyHOIFPgxTjvtZwjUtMeZQ$NordVPN$Profiles$TcDrGNJvvKjh$\Profiles$\User Data$\User Data\Default\Login Data$anxXwGUGUdnvXPPexWyUMBU$azFPgggmVIbknbWTCKHORYF$jAMBZCJPZkSYHclvQlTnjDT$lTHVnVqKJBd$oqTEhrlCyZMdapkEdLDclMl
API String ID: 3691625242-2245370215
Opcode ID: 0d79cb70a671f2482597cc55c55be1d0286c109c534531b9f9a0c7f8ffb0aec8
Instruction ID: 449b54784862ceb2160d55d7b836dd58d6e0b4a5a777826c3ebbb3504bfb4cc8
Opcode Fuzzy Hash: 0d79cb70a671f2482597cc55c55be1d0286c109c534531b9f9a0c7f8ffb0aec8
Instruction Fuzzy Hash: FF231A71A00228DFDB24DF50DD84BDAB7B5FB48304F1085EAE54AB72A0DB745A89CF58

Function 00434636 Relevance: 309.4, APIs: 165, Strings: 11, Instructions: 1417COMMON

Download Yara Rule

APIs

__vbaGenerateBoundsError.MSVBVM60 ref: 004346B6
__vbaGenerateBoundsError.MSVBVM60 ref: 004346D0
__vbaStrCat.MSVBVM60(004055A8,00659730), ref: 004346F3
__vbaStrMove.MSVBVM60 ref: 004346FE
__vbaAryMove.MSVBVM60((En,?,00000000,0043D064), ref: 0043471E
__vbaFreeStr.MSVBVM60 ref: 00434727
__vbaUbound.MSVBVM60(00000001,006E4528), ref: 00434751
__vbaI2I4.MSVBVM60 ref: 00434759
__vbaStrCopy.MSVBVM60 ref: 004347B2
__vbaStrMove.MSVBVM60(00000000), ref: 004347C6
__vbaStrCopy.MSVBVM60 ref: 004347D4
__vbaStrMove.MSVBVM60 ref: 004347F3
__vbaStrMove.MSVBVM60(?,?), ref: 0043480B
__vbaStrMove.MSVBVM60(006E4528), ref: 004348A4
__vbaStrCat.MSVBVM60(00000000), ref: 004348AB
__vbaUbound.MSVBVM60(00000001,006597C0), ref: 00435DBB
__vbaI2I4.MSVBVM60 ref: 00435DC3
__vbaStrCat.MSVBVM60(004055A8,006597C0), ref: 00435EA7
__vbaStrMove.MSVBVM60 ref: 00435EB2
__vbaAryMove.MSVBVM60((En,?,00000000,0043D064), ref: 00435ED2
__vbaFreeStr.MSVBVM60 ref: 00435EDB
__vbaUbound.MSVBVM60(00000001,006E4528), ref: 00435F05
__vbaI2I4.MSVBVM60 ref: 00435F0D
__vbaStrCopy.MSVBVM60 ref: 00435F6C
__vbaStrMove.MSVBVM60(00000000), ref: 00435F80
__vbaStrCopy.MSVBVM60 ref: 00435F8E
__vbaStrMove.MSVBVM60 ref: 00435FAD
__vbaErrorOverflow.MSVBVM60 ref: 004375DC

Strings

Profiles, xrefs: 00435715
1, xrefs: 00435D94
1E08152C02383D211B080A200F030836, xrefs: 004347AA, 00434A57
(En, xrefs: 00434719, 00434749, 00434811, 0043481A, 0043482D, 00434838, 00434888, 00434944, 0043494D, 0043495F, 0043496B, 004349BA, 00434ABE, 00434B2B, 00434B34, 00434B46, 00434B52, 00434BA1, 00434D2E, 00434D37, 00434D4A, 00434D55, 00434DA5, 00434E61, 00434E6A, 00434E7C, 00434E88, 00434ED7, 00434FDB, 00435048, 00435051, 00435063, 0043506F, 004350BE, 004351E4, 004351ED, 004351FF, 0043520B, 0043524A, 004352DC, 004352E5, 004352F7, 00435303, 00435342, 0043534B, 0043535D, 00435369, 004353A8, 0043542A, 0043544E, 004354AF, 004354B8, 004354CB, 004354D6, 00435516, 0043553F, 00435548, 0043555B, 00435567, 004355A7, 0043569B, 004356A4, 004356B6, 004356C2, 00435703, 00435731, 004357ED, 004357F6, 00435809, 00435814, 00435864, 00435996, 0043599F, 004359B2, 004359BE, 004359FE, 00435A7A, 00435A83, 00435A96, 00435AA2, 00435AE2, 00435B31, 00435B3A, 00435B4D, 00435B58, 00435B98, 00435BA1, 00435BB4, 00435BBF, 00435BFF, 00435C82, 00435CA6
\User Data, xrefs: 004349B5, 00434ED2, 00435529
\User Data\Default\Cookies, xrefs: 0043525C, 004355BA
JBLpJcMQUGKeOdjmEdqOvwF, xrefs: 004347CC, 00434A79
Cookies.json, xrefs: 00434C85, 00435190, 00435659, 00435942, 00435D47
\Profiles, xrefs: 0043585F, 00435A11, 00435AF5
DEmYVhVfpKtLM, xrefs: 00434CE9, 00434F96
192E3639033F0303, xrefs: 00434CC7, 00434F74

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Copy$ErrorUbound$BoundsFreeGenerate$Overflow
String ID: (En$1$192E3639033F0303$1E08152C02383D211B080A200F030836$Cookies.json$DEmYVhVfpKtLM$JBLpJcMQUGKeOdjmEdqOvwF$Profiles$\Profiles$\User Data$\User Data\Default\Cookies
API String ID: 2627448202-4058830025
Opcode ID: ac622c2d6c7906da4e974c1b718f466a0c548926d6c1e0137913b99306399d3f
Instruction ID: a77b62bd0c02affc347b8062058657ca77ebf30411171d4485592245786ace43
Opcode Fuzzy Hash: ac622c2d6c7906da4e974c1b718f466a0c548926d6c1e0137913b99306399d3f
Instruction Fuzzy Hash: 62E25070D00204DFDB18DF94ED84AEEB7B5FB48704F20916AE506B72A4DB74A986CF58

Function 00435DE4 Relevance: 309.4, APIs: 165, Strings: 11, Instructions: 1417COMMON

Download Yara Rule

APIs

__vbaGenerateBoundsError.MSVBVM60 ref: 00435E6A
__vbaGenerateBoundsError.MSVBVM60 ref: 00435E84
__vbaStrCat.MSVBVM60(004055A8,006597C0), ref: 00435EA7
__vbaStrMove.MSVBVM60 ref: 00435EB2
__vbaAryMove.MSVBVM60((En,?,00000000,0043D064), ref: 00435ED2
__vbaFreeStr.MSVBVM60 ref: 00435EDB
__vbaUbound.MSVBVM60(00000001,006E4528), ref: 00435F05
__vbaI2I4.MSVBVM60 ref: 00435F0D
__vbaStrCopy.MSVBVM60 ref: 00435F6C
__vbaStrMove.MSVBVM60(00000000), ref: 00435F80
__vbaStrCopy.MSVBVM60 ref: 00435F8E
__vbaStrMove.MSVBVM60 ref: 00435FAD
__vbaStrMove.MSVBVM60(?,?), ref: 00435FC5
__vbaStrMove.MSVBVM60(006E4528), ref: 0043605E
__vbaStrCat.MSVBVM60(00000000), ref: 00436065
__vbaAryDestruct.MSVBVM60(00000000,?,004375CB), ref: 004375B5
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004375C4
__vbaErrorOverflow.MSVBVM60 ref: 004375DC

Strings

Profiles, xrefs: 00436ECF
1E08152C02383D211B080A200F030836, xrefs: 00435F64, 00436211
b, xrefs: 0043754E
(En, xrefs: 00435ECD, 00435EFD, 00435FCB, 00435FD4, 00435FE7, 00435FF2, 00436042, 004360FE, 00436107, 00436119, 00436125, 00436174, 00436278, 004362E5, 004362EE, 00436300, 0043630C, 0043635B, 004364E8, 004364F1, 00436504, 0043650F, 0043655F, 0043661B, 00436624, 00436636, 00436642, 00436691, 00436795, 00436802, 0043680B, 0043681D, 00436829, 00436878, 0043699E, 004369A7, 004369B9, 004369C5, 00436A04, 00436A96, 00436A9F, 00436AB1, 00436ABD, 00436AFC, 00436B05, 00436B17, 00436B23, 00436B62, 00436BE4, 00436C08, 00436C69, 00436C72, 00436C85, 00436C90, 00436CD0, 00436CF9, 00436D02, 00436D15, 00436D21, 00436D61, 00436E55, 00436E5E, 00436E70, 00436E7C, 00436EBD, 00436EEB, 00436FA7, 00436FB0, 00436FC3, 00436FCE, 0043701E, 00437150, 00437159, 0043716C, 00437178, 004371B8, 00437234, 0043723D, 00437250, 0043725C, 0043729C, 004372EB, 004372F4, 00437307, 00437312, 00437352, 0043735B, 0043736E, 00437379, 004373B9, 0043743C, 00437460
\User Data, xrefs: 0043616F, 0043668C, 00436CE3
\User Data\Default\Cookies, xrefs: 00436A16, 00436D74
JBLpJcMQUGKeOdjmEdqOvwF, xrefs: 00435F86, 00436233
Cookies.json, xrefs: 0043643F, 0043694A, 00436E13, 004370FC, 00437501
\Profiles, xrefs: 00437019, 004371CB, 004372AF
DEmYVhVfpKtLM, xrefs: 004364A3, 00436750
192E3639033F0303, xrefs: 00436481, 0043672E

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Error$BoundsCopyDestructGenerate$FreeOverflowUbound
String ID: (En$192E3639033F0303$1E08152C02383D211B080A200F030836$Cookies.json$DEmYVhVfpKtLM$JBLpJcMQUGKeOdjmEdqOvwF$Profiles$\Profiles$\User Data$\User Data\Default\Cookies$b
API String ID: 417474364-1767295083
Opcode ID: 00f0c162d805606f1e688d39c5cbe6d497086ef8935af96a2b868f2b3a87b913
Instruction ID: 734cec1f607be98f8d2858ac2c778b1fbb00d1033b7945622ddb2a7d0b7a6129
Opcode Fuzzy Hash: 00f0c162d805606f1e688d39c5cbe6d497086ef8935af96a2b868f2b3a87b913
Instruction Fuzzy Hash: 27E26F70D00205DFDB18DF94ED88AEEB7B5FB48704F20916AE506B72A0DB749986CF58

Function 00434777 Relevance: 298.9, APIs: 159, Strings: 11, Instructions: 1357COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004347B2

Part of subcall function 0042ECB0: __vbaLenBstr.MSVBVM60(?), ref: 0042ECF6
Part of subcall function 0042ECB0: #632.MSVBVM60(?,?,?,?), ref: 0042ED52
Part of subcall function 0042ECB0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 0042ED68
Part of subcall function 0042ECB0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0042ED6F
Part of subcall function 0042ECB0: #537.MSVBVM60(00000000), ref: 0042ED76
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED81
Part of subcall function 0042ECB0: __vbaStrCat.MSVBVM60(00000000), ref: 0042ED84
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED8B
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED90
Part of subcall function 0042ECB0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042EDA8

__vbaStrMove.MSVBVM60(00000000), ref: 004347C6
__vbaStrCopy.MSVBVM60 ref: 004347D4
__vbaStrMove.MSVBVM60 ref: 004347F3

Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,6D42D8B1,00000001,6D41A323), ref: 0042DE03
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?), ref: 0042DE39
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?), ref: 0042DE44
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,?), ref: 0042DE47
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0042DE52
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0042DE5B
Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 0042DE79
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DE96
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEA1
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0042DEA4
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB0
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB9
Part of subcall function 0042DDC0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 0042DEDA
Part of subcall function 0042DDC0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 0042DEEC
Part of subcall function 0042DDC0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 0042DEF3
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DEFE

__vbaStrMove.MSVBVM60(?,?), ref: 0043480B
__vbaGenerateBoundsError.MSVBVM60 ref: 00434852
__vbaGenerateBoundsError.MSVBVM60 ref: 0043486C
__vbaStrMove.MSVBVM60(006E4528), ref: 004348A4
__vbaStrCat.MSVBVM60(00000000), ref: 004348AB
#645.MSVBVM60(00000008,00000000), ref: 004348C1
__vbaStrMove.MSVBVM60 ref: 004348CC
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 004348D8
__vbaFreeStrList.MSVBVM60(00000007,00000000,?,?,?,?,00000000,00000000), ref: 00434908
__vbaFreeVar.MSVBVM60(?,?,?,?,00000000,?,00000000,004030D6), ref: 00434914
__vbaStrCopy.MSVBVM60(?,?,?,?,00000000,?,00000000,004030D6), ref: 00434937
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00000000,?,00000000,004030D6), ref: 00434984
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00000000,?,00000000,004030D6), ref: 0043499E
#712.MSVBVM60(006E4528,\User Data,00405638,00000001,000000FF,00000000,?,?,?,?,00000000,?,00000000,004030D6), ref: 004349CC
__vbaStrMove.MSVBVM60(?,?,?,?,00000000,?,00000000,004030D6), ref: 004349D9
__vbaLenBstr.MSVBVM60(00678914), ref: 004349FB
#709.MSVBVM60(00678914,004055A8,000000FF,00000000), ref: 00434A13
#619.MSVBVM60(?,00004008,00000000), ref: 00434A2A
__vbaStrVarMove.MSVBVM60(?), ref: 00434A34
__vbaStrMove.MSVBVM60 ref: 00434A41
__vbaFreeVar.MSVBVM60 ref: 00434A4A
__vbaStrCopy.MSVBVM60 ref: 00434A5F
__vbaStrMove.MSVBVM60(00000000), ref: 00434A73
__vbaStrCopy.MSVBVM60 ref: 00434A81
__vbaStrMove.MSVBVM60 ref: 00434AA0
__vbaStrMove.MSVBVM60(?,?), ref: 00434AB8
__vbaAryLock.MSVBVM60(?,006E4528), ref: 00434AC9
__vbaGenerateBoundsError.MSVBVM60 ref: 00434B05
__vbaGenerateBoundsError.MSVBVM60 ref: 00434B1F
__vbaGenerateBoundsError.MSVBVM60 ref: 00434B6B
__vbaGenerateBoundsError.MSVBVM60 ref: 00434B85
__vbaStrMove.MSVBVM60(006E4528), ref: 00434BBD
__vbaStrCat.MSVBVM60(00000000), ref: 00434BC4
__vbaStrMove.MSVBVM60 ref: 00434BCF
__vbaStrMove.MSVBVM60(?,?), ref: 00434BF0
__vbaAryUnlock.MSVBVM60(00000000), ref: 00434BFA
__vbaFreeStrList.MSVBVM60(00000008,00000000,?,?,?,?,?,00000000,00000000), ref: 00434C22
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 00434C3E
__vbaStrCat.MSVBVM60(004055A8,00673F04), ref: 00434C5A
__vbaStrMove.MSVBVM60 ref: 00434C65
__vbaStrCat.MSVBVM60(0065A3F4,00000000), ref: 00434C73
__vbaStrMove.MSVBVM60 ref: 00434C7E
__vbaStrCat.MSVBVM60(Cookies.json,00000000), ref: 00434C8A
__vbaStrMove.MSVBVM60 ref: 00434C95
__vbaFreeStrList.MSVBVM60(00000003,00000000,?,?,?,0043D04C), ref: 00434CB7
__vbaErrorOverflow.MSVBVM60 ref: 004375DC

Strings

Profiles, xrefs: 00435715
1, xrefs: 00435D94
1E08152C02383D211B080A200F030836, xrefs: 004347AA, 00434A57
(En, xrefs: 00434811, 0043481A, 0043482D, 00434838, 00434888, 00434944, 0043494D, 0043495F, 0043496B, 004349BA, 00434ABE, 00434B2B, 00434B34, 00434B46, 00434B52, 00434BA1, 00434D2E, 00434D37, 00434D4A, 00434D55, 00434DA5, 00434E61, 00434E6A, 00434E7C, 00434E88, 00434ED7, 00434FDB, 00435048, 00435051, 00435063, 0043506F, 004350BE, 004351E4, 004351ED, 004351FF, 0043520B, 0043524A, 004352DC, 004352E5, 004352F7, 00435303, 00435342, 0043534B, 0043535D, 00435369, 004353A8, 0043542A, 0043544E, 004354AF, 004354B8, 004354CB, 004354D6, 00435516, 0043553F, 00435548, 0043555B, 00435567, 004355A7, 0043569B, 004356A4, 004356B6, 004356C2, 00435703, 00435731, 004357ED, 004357F6, 00435809, 00435814, 00435864, 00435996, 0043599F, 004359B2, 004359BE, 004359FE, 00435A7A, 00435A83, 00435A96, 00435AA2, 00435AE2, 00435B31, 00435B3A, 00435B4D, 00435B58, 00435B98, 00435BA1, 00435BB4, 00435BBF, 00435BFF, 00435C82, 00435CA6
\User Data, xrefs: 004349B5, 00434ED2, 00435529
\User Data\Default\Cookies, xrefs: 0043525C, 004355BA
JBLpJcMQUGKeOdjmEdqOvwF, xrefs: 004347CC, 00434A79
Cookies.json, xrefs: 00434C85, 00435190, 00435659, 00435942, 00435D47
\Profiles, xrefs: 0043585F, 00435A11, 00435AF5
DEmYVhVfpKtLM, xrefs: 00434CE9, 00434F96
192E3639033F0303, xrefs: 00434CC7, 00434F74

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$Error$BoundsGenerate$Copy$BstrList$#516#631$#537#608#619#632#645#709#712LockOverflowUnlock
String ID: (En$1$192E3639033F0303$1E08152C02383D211B080A200F030836$Cookies.json$DEmYVhVfpKtLM$JBLpJcMQUGKeOdjmEdqOvwF$Profiles$\Profiles$\User Data$\User Data\Default\Cookies
API String ID: 121712971-4058830025
Opcode ID: b421f920f424ace3fc824f09ae8c436ee2e816baf89c2b308448551de93d6578
Instruction ID: ae9ffc1dfa9b214b0c55ad2134e1dccb8e2720b913e095cdf957c26746d87182
Opcode Fuzzy Hash: b421f920f424ace3fc824f09ae8c436ee2e816baf89c2b308448551de93d6578
Instruction Fuzzy Hash: 85D25070D00204DFDB18DF94ED84AEEB7B5FB48704F209269E506B72A4DB74A986CF58

Function 00435F2E Relevance: 298.9, APIs: 159, Strings: 11, Instructions: 1357COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00435F6C

Part of subcall function 0042ECB0: __vbaLenBstr.MSVBVM60(?), ref: 0042ECF6
Part of subcall function 0042ECB0: #632.MSVBVM60(?,?,?,?), ref: 0042ED52
Part of subcall function 0042ECB0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 0042ED68
Part of subcall function 0042ECB0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0042ED6F
Part of subcall function 0042ECB0: #537.MSVBVM60(00000000), ref: 0042ED76
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED81
Part of subcall function 0042ECB0: __vbaStrCat.MSVBVM60(00000000), ref: 0042ED84
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED8B
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED90
Part of subcall function 0042ECB0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042EDA8

__vbaStrMove.MSVBVM60(00000000), ref: 00435F80
__vbaStrCopy.MSVBVM60 ref: 00435F8E
__vbaStrMove.MSVBVM60 ref: 00435FAD

Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,6D42D8B1,00000001,6D41A323), ref: 0042DE03
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?), ref: 0042DE39
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?), ref: 0042DE44
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,?), ref: 0042DE47
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0042DE52
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0042DE5B
Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 0042DE79
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DE96
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEA1
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0042DEA4
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB0
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB9
Part of subcall function 0042DDC0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 0042DEDA
Part of subcall function 0042DDC0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 0042DEEC
Part of subcall function 0042DDC0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 0042DEF3
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DEFE

__vbaStrMove.MSVBVM60(?,?), ref: 00435FC5
__vbaGenerateBoundsError.MSVBVM60 ref: 0043600C
__vbaGenerateBoundsError.MSVBVM60 ref: 00436026
__vbaStrMove.MSVBVM60(006E4528), ref: 0043605E
__vbaStrCat.MSVBVM60(00000000), ref: 00436065
#645.MSVBVM60(00000008,00000000), ref: 0043607B
__vbaStrMove.MSVBVM60 ref: 00436086
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 00436092
__vbaFreeStrList.MSVBVM60(00000007,00000000,?,?,?,?,00000000,00000000), ref: 004360C2
__vbaFreeVar.MSVBVM60(?,?,?,?,00000000,?,00000000,004030D6), ref: 004360CE
__vbaStrCopy.MSVBVM60(?,?,?,?,00000000,?,00000000,004030D6), ref: 004360F1
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00000000,?,00000000,004030D6), ref: 0043613E
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00000000,?,00000000,004030D6), ref: 00436158
#712.MSVBVM60(006E4528,\User Data,00405638,00000001,000000FF,00000000,?,?,?,?,00000000,?,00000000,004030D6), ref: 00436186
__vbaStrMove.MSVBVM60(?,?,?,?,00000000,?,00000000,004030D6), ref: 00436193
__vbaLenBstr.MSVBVM60(00678914), ref: 004361B5
#709.MSVBVM60(00678914,004055A8,000000FF,00000000), ref: 004361CD
#619.MSVBVM60(?,00004008,00000000), ref: 004361E4
__vbaStrVarMove.MSVBVM60(?), ref: 004361EE
__vbaStrMove.MSVBVM60 ref: 004361FB
__vbaFreeVar.MSVBVM60 ref: 00436204
__vbaStrCopy.MSVBVM60 ref: 00436219
__vbaStrMove.MSVBVM60(00000000), ref: 0043622D
__vbaStrCopy.MSVBVM60 ref: 0043623B
__vbaStrMove.MSVBVM60 ref: 0043625A
__vbaStrMove.MSVBVM60(?,?), ref: 00436272
__vbaAryLock.MSVBVM60(?,006E4528), ref: 00436283
__vbaGenerateBoundsError.MSVBVM60 ref: 004362BF
__vbaGenerateBoundsError.MSVBVM60 ref: 004362D9
__vbaGenerateBoundsError.MSVBVM60 ref: 00436325
__vbaGenerateBoundsError.MSVBVM60 ref: 0043633F
__vbaStrMove.MSVBVM60(006E4528), ref: 00436377
__vbaStrCat.MSVBVM60(00000000), ref: 0043637E
__vbaStrMove.MSVBVM60 ref: 00436389
__vbaStrMove.MSVBVM60(?,?), ref: 004363AA
__vbaAryUnlock.MSVBVM60(00000000), ref: 004363B4
__vbaFreeStrList.MSVBVM60(00000008,00000000,?,?,?,?,?,00000000,00000000), ref: 004363DC
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 004363F8
__vbaStrCat.MSVBVM60(004055A8,00673F04), ref: 00436414
__vbaStrMove.MSVBVM60 ref: 0043641F
__vbaStrCat.MSVBVM60(0065A3F4,00000000), ref: 0043642D
__vbaStrMove.MSVBVM60 ref: 00436438
__vbaStrCat.MSVBVM60(Cookies.json,00000000), ref: 00436444
__vbaStrMove.MSVBVM60 ref: 0043644F
__vbaFreeStrList.MSVBVM60(00000003,00000000,?,?,?,0043D04C), ref: 00436471
__vbaErrorOverflow.MSVBVM60 ref: 004375DC

Strings

Profiles, xrefs: 00436ECF
1E08152C02383D211B080A200F030836, xrefs: 00435F64, 00436211
b, xrefs: 0043754E
(En, xrefs: 00435FCB, 00435FD4, 00435FE7, 00435FF2, 00436042, 004360FE, 00436107, 00436119, 00436125, 00436174, 00436278, 004362E5, 004362EE, 00436300, 0043630C, 0043635B, 004364E8, 004364F1, 00436504, 0043650F, 0043655F, 0043661B, 00436624, 00436636, 00436642, 00436691, 00436795, 00436802, 0043680B, 0043681D, 00436829, 00436878, 0043699E, 004369A7, 004369B9, 004369C5, 00436A04, 00436A96, 00436A9F, 00436AB1, 00436ABD, 00436AFC, 00436B05, 00436B17, 00436B23, 00436B62, 00436BE4, 00436C08, 00436C69, 00436C72, 00436C85, 00436C90, 00436CD0, 00436CF9, 00436D02, 00436D15, 00436D21, 00436D61, 00436E55, 00436E5E, 00436E70, 00436E7C, 00436EBD, 00436EEB, 00436FA7, 00436FB0, 00436FC3, 00436FCE, 0043701E, 00437150, 00437159, 0043716C, 00437178, 004371B8, 00437234, 0043723D, 00437250, 0043725C, 0043729C, 004372EB, 004372F4, 00437307, 00437312, 00437352, 0043735B, 0043736E, 00437379, 004373B9, 0043743C, 00437460
\User Data, xrefs: 0043616F, 0043668C, 00436CE3
\User Data\Default\Cookies, xrefs: 00436A16, 00436D74
JBLpJcMQUGKeOdjmEdqOvwF, xrefs: 00435F86, 00436233
Cookies.json, xrefs: 0043643F, 0043694A, 00436E13, 004370FC, 00437501
\Profiles, xrefs: 00437019, 004371CB, 004372AF
DEmYVhVfpKtLM, xrefs: 004364A3, 00436750
192E3639033F0303, xrefs: 00436481, 0043672E

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$Error$BoundsGenerate$Copy$BstrList$#516#631$#537#608#619#632#645#709#712LockOverflowUnlock
String ID: (En$192E3639033F0303$1E08152C02383D211B080A200F030836$Cookies.json$DEmYVhVfpKtLM$JBLpJcMQUGKeOdjmEdqOvwF$Profiles$\Profiles$\User Data$\User Data\Default\Cookies$b
API String ID: 121712971-1767295083
Opcode ID: c688742e48fdc2bde714b1ae885d0ed570618a750a7e81700eeb62e295415456
Instruction ID: d02d6aebbe5c00b9f8010c82a8c5ec97ae720bc9df8b383985e729ed6a906b3a
Opcode Fuzzy Hash: c688742e48fdc2bde714b1ae885d0ed570618a750a7e81700eeb62e295415456
Instruction Fuzzy Hash: 6AD26F70D00205DFDB18DF94ED88AEEB7B5FB48704F20916AE506B72A0DB749986CF58

Function 0040FDA1 Relevance: 225.2, APIs: 118, Strings: 10, Instructions: 1228COMMON

Download Yara Rule

APIs

__vbaGenerateBoundsError.MSVBVM60 ref: 0040FE2D
__vbaGenerateBoundsError.MSVBVM60 ref: 0040FE4A
__vbaStrCat.MSVBVM60(004055A8,006597C0), ref: 0040FE6E
__vbaStrMove.MSVBVM60 ref: 0040FE7C
__vbaAryMove.MSVBVM60((En,?,?,0043D064), ref: 0040FEA5
__vbaFreeStr.MSVBVM60 ref: 0040FEB1
__vbaUbound.MSVBVM60(00000001,006E4528), ref: 0040FEDC
__vbaI2I4.MSVBVM60 ref: 0040FEE4
__vbaStrCopy.MSVBVM60 ref: 0040FF44
__vbaStrMove.MSVBVM60(?), ref: 0040FF5E
__vbaStrCopy.MSVBVM60 ref: 0040FF6F
__vbaStrMove.MSVBVM60 ref: 0040FF97
__vbaStrMove.MSVBVM60(?,?), ref: 0040FFB8
__vbaStrMove.MSVBVM60(006E4528), ref: 00410062
__vbaStrCat.MSVBVM60(00000000), ref: 00410069
__vbaNew2.MSVBVM60(00405678,00000000), ref: 004115DD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405668,0000002C), ref: 00411644
__vbaVarForInit.MSVBVM60(?,?,?,00000002,00000003,00000002), ref: 004116B6
__vbaNew2.MSVBVM60(00405678,00000000), ref: 00411BEF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405668,0000002C), ref: 00411C56
__vbaErrorOverflow.MSVBVM60 ref: 00412DD7

Strings

Profiles, xrefs: 00410EAA
S, xrefs: 0041159B
333D2D2928333C13241805111D34572E34002C, xrefs: 0040FF39, 00410245
\User Data\Default\Login Data, xrefs: 00410501, 00410855
(En, xrefs: 0040FEA0, 0040FED3, 0040FFBE, 0040FFC7, 0040FFD9, 0040FFE8, 00410043, 00410115, 0041011E, 00410131, 00410140, 00410196, 00410315, 0041031E, 00410331, 00410340, 0041039C, 0041047D, 00410486, 00410499, 004104A8, 004104EE, 00410582, 0041058B, 0041059E, 004105AD, 004105F3, 004105FC, 0041060F, 0041061E, 00410664, 004106F6, 00410719, 004107D1, 004107DA, 004107ED, 004107FC, 00410842, 00410966, 0041096F, 00410982, 00410991, 004109ED, 00410ABE, 00410AC7, 00410ADA, 00410AE8, 00410B3E, 00410CBD, 00410CC6, 00410CD9, 00410CE7, 00410D43, 00410E25, 00410E2E, 00410E41, 00410E4F, 00410E97, 00410EC6, 00410ECF, 00410EE2, 00410EF1, 00410F47, 00411041, 00411142, 0041114B, 0041115E, 0041116C, 004111B2, 00411246, 0041124F, 00411262, 00411270, 004112B6, 004112BF, 004112D2, 004112E0, 00411326, 004113B8, 004113DC, 00411493, 0041149C, 004114AF, 004114BD, 00411503
\User Data, xrefs: 00410191, 00410B39
EoyHOIFPgxTjvtZwjUtMeZQ, xrefs: 0040FF64, 00410270
\Profiles, xrefs: 00410F42, 004111C5, 00411516
1D012D3D2A24701E0A2738, xrefs: 004108E1, 00410BED
jAMBZCJPZkSYHclvQlTnjDT, xrefs: 0041090C, 00410C18

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Error$BoundsCheckCopyGenerateHresultNew2$FreeInitOverflowUbound
String ID: (En$1D012D3D2A24701E0A2738$333D2D2928333C13241805111D34572E34002C$EoyHOIFPgxTjvtZwjUtMeZQ$Profiles$S$\Profiles$\User Data$\User Data\Default\Login Data$jAMBZCJPZkSYHclvQlTnjDT
API String ID: 206581572-2554719228
Opcode ID: b02953c6d4b098427cfe7971ad73c2316b6130e92c63ceccd69bd8c9d5b4b218
Instruction ID: 7710c38e92e9a32fe6f3a9a92c0a7591f780a35324375b11a03e7ee2546e520b
Opcode Fuzzy Hash: b02953c6d4b098427cfe7971ad73c2316b6130e92c63ceccd69bd8c9d5b4b218
Instruction Fuzzy Hash: 8ED21870A01218DFEB24CF54DD84BEAB7B1FB49704F1081EAE549A72A0DB745AC6CF58

Function 0042D140 Relevance: 223.0, APIs: 110, Strings: 17, Instructions: 777
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,004030D6,0040CC83), ref: 0042D15E
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004030D6,0040CC83), ref: 0042D18E
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004030D6,0040CC83), ref: 0042D1A3

Part of subcall function 0042ECB0: __vbaLenBstr.MSVBVM60(?), ref: 0042ECF6
Part of subcall function 0042ECB0: #632.MSVBVM60(?,?,?,?), ref: 0042ED52
Part of subcall function 0042ECB0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 0042ED68
Part of subcall function 0042ECB0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0042ED6F
Part of subcall function 0042ECB0: #537.MSVBVM60(00000000), ref: 0042ED76
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED81
Part of subcall function 0042ECB0: __vbaStrCat.MSVBVM60(00000000), ref: 0042ED84
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED8B
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED90
Part of subcall function 0042ECB0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042EDA8

__vbaStrMove.MSVBVM60(?,?,?,?,00000000,004030D6,0040CC83), ref: 0042D1B7
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004030D6,0040CC83), ref: 0042D1C5
__vbaStrMove.MSVBVM60 ref: 0042D1E4

Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,6D42D8B1,00000001,6D41A323), ref: 0042DE03
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?), ref: 0042DE39
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?), ref: 0042DE44
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,?), ref: 0042DE47
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0042DE52
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0042DE5B
Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 0042DE79
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DE96
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEA1
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0042DEA4
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB0
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB9
Part of subcall function 0042DDC0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 0042DEDA
Part of subcall function 0042DDC0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 0042DEEC
Part of subcall function 0042DDC0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 0042DEF3
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DEFE

#666.MSVBVM60(?,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042D209
__vbaVarAdd.MSVBVM60(?,00000008,?), ref: 0042D23E
__vbaStrVarMove.MSVBVM60(00000000), ref: 0042D245
__vbaStrMove.MSVBVM60 ref: 0042D250

Part of subcall function 0042ECB0: __vbaChkstk.MSVBVM60(00000000,004030D6), ref: 0042F35E
Part of subcall function 0042ECB0: __vbaOnError.MSVBVM60(000000FF,6D42D8B1,?,6D41A323,00000000,004030D6), ref: 0042F38E
Part of subcall function 0042ECB0: #645.MSVBVM60(00004008,00000010), ref: 0042F3B5
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60 ref: 0042F3C0
Part of subcall function 0042ECB0: __vbaStrCmp.MSVBVM60(00405638,?), ref: 0042F3E3
Part of subcall function 0042ECB0: __vbaStrCmp.MSVBVM60(00407034,?), ref: 0042F401
Part of subcall function 0042ECB0: __vbaStrCmp.MSVBVM60(0040B454,?), ref: 0042F417
Part of subcall function 0042ECB0: __vbaStrCat.MSVBVM60(?,00000001), ref: 0042F43D
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60 ref: 0042F448
Part of subcall function 0042ECB0: #579.MSVBVM60(00000000), ref: 0042F44F
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60 ref: 0042F469
Part of subcall function 0042ECB0: __vbaRedimPreserve.MSVBVM60(00000180,00000004,?,00000008,00000001,00000000,00000000), ref: 0042F498

__vbaAryMove.MSVBVM60(0043D05C,?,?,0000FFFF), ref: 0042D278
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0042D294
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,00000000,004030D6,0040CC83), ref: 0042D2AE
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,004030D6,0040CC83), ref: 0042D2C6
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,004030D6,0040CC83), ref: 0042D2DA
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,004030D6,0040CC83), ref: 0042D2E8
__vbaStrMove.MSVBVM60 ref: 0042D307

Part of subcall function 0042DDC0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,00000002,?,?,?), ref: 0042DF0A
Part of subcall function 0042DDC0: __vbaStrCopy.MSVBVM60 ref: 0042DF29
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(0042DF6C), ref: 0042DF65

#666.MSVBVM60(?,00000008), ref: 0042D32C
__vbaVarAdd.MSVBVM60(?,00000008,?), ref: 0042D361
__vbaStrVarMove.MSVBVM60(00000000), ref: 0042D368
__vbaStrMove.MSVBVM60 ref: 0042D373

Part of subcall function 0042ECB0: __vbaGenerateBoundsError.MSVBVM60 ref: 0042F4D8
Part of subcall function 0042ECB0: __vbaGenerateBoundsError.MSVBVM60 ref: 0042F4EC
Part of subcall function 0042ECB0: __vbaStrCat.MSVBVM60(?), ref: 0042F4FF
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60 ref: 0042F50A
Part of subcall function 0042ECB0: __vbaStrCopy.MSVBVM60 ref: 0042F51B
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60 ref: 0042F524
Part of subcall function 0042ECB0: #645.MSVBVM60(0000000A,00000000), ref: 0042F56D
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60 ref: 0042F578
Part of subcall function 0042ECB0: __vbaFreeVar.MSVBVM60 ref: 0042F581
Part of subcall function 0042ECB0: __vbaAryMove.MSVBVM60(?,?), ref: 0042F59B
Part of subcall function 0042ECB0: __vbaAryDestruct.MSVBVM60(00000000,?,0042F5E7), ref: 0042F5D7
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60 ref: 0042F5E0

__vbaAryMove.MSVBVM60(0043D060,?,?,0000FFFF), ref: 0042D39B
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0042D3B7
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?), ref: 0042D3D1
#526.MSVBVM60(?,000000FF,?,?,?,?,?,?,?,?,?,?), ref: 0042D3EA
__vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?), ref: 0042D3F4
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 0042D401
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 0042D40A
__vbaStrToAnsi.MSVBVM60(?,006725EC,000000FF,?,?,?,?,?,?,?,?,?,?), ref: 0042D426
__vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?), ref: 0042D438
__vbaStrToUnicode.MSVBVM60(%g,?,?,?,?,?,?,?,?,?,?,?), ref: 0042D447
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 0042D45B
#616.MSVBVM60(006725EC,00000013,?,?,?,?,?,?,?,?,?,?), ref: 0042D476
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 0042D483
__vbaLenBstr.MSVBVM60(006725EC), ref: 0042D4AA
#709.MSVBVM60(006725EC,004055A8,000000FF,00000000), ref: 0042D4C2
#619.MSVBVM60(?,00004008,00000000), ref: 0042D4DC
__vbaStrVarVal.MSVBVM60(?,?,00405638,00000001,000000FF,00000000), ref: 0042D4F5
#712.MSVBVM60(006725EC,00000000), ref: 0042D502
__vbaStrMove.MSVBVM60 ref: 0042D50D
__vbaStrCat.MSVBVM60(\winsqlite3.dll,006725EC), ref: 0042D51F
__vbaStrMove.MSVBVM60 ref: 0042D548
__vbaStrCat.MSVBVM60(SysWOW64\winsqlite3.dll,00000000), ref: 0042D554
#645.MSVBVM60(00000008,00000000), ref: 0042D56D
__vbaStrMove.MSVBVM60 ref: 0042D578
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 0042D584
#645.MSVBVM60(00000008,00000000), ref: 0042D59D
__vbaStrMove.MSVBVM60 ref: 0042D5A8
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 0042D5B4
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0042D5E2
__vbaFreeVarList.MSVBVM60(00000003,00000008,?,?), ref: 0042D5FC
__vbaVarDup.MSVBVM60 ref: 0042D649
#645.MSVBVM60(00000008,00000000), ref: 0042D655
__vbaStrMove.MSVBVM60 ref: 0042D660
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 0042D66C
__vbaFreeStr.MSVBVM60 ref: 0042D683
__vbaFreeVar.MSVBVM60 ref: 0042D68C
__vbaStrCopy.MSVBVM60 ref: 0042D6B7
__vbaStrMove.MSVBVM60(?), ref: 0042D6CB
__vbaStrCopy.MSVBVM60 ref: 0042D6D9
__vbaStrMove.MSVBVM60 ref: 0042D6F8
__vbaStrMove.MSVBVM60(?,?), ref: 0042D710
__vbaNew2.MSVBVM60(0040B3CC,0043D7AC), ref: 0042D729
__vbaChkstk.MSVBVM60(?), ref: 0042D790
__vbaChkstk.MSVBVM60(?), ref: 0042D7B3
__vbaStrCopy.MSVBVM60 ref: 0042D8D2
__vbaStrMove.MSVBVM60(?), ref: 0042D8E6
__vbaStrCopy.MSVBVM60 ref: 0042D8F4
__vbaStrMove.MSVBVM60(?), ref: 0042D908
__vbaStrCopy.MSVBVM60 ref: 0042D916
__vbaStrMove.MSVBVM60(?), ref: 0042D92A
__vbaStrCopy.MSVBVM60 ref: 0042D938
__vbaStrMove.MSVBVM60 ref: 0042D957
#666.MSVBVM60(?,00000008,?,?), ref: 0042D97C
__vbaStrCopy.MSVBVM60 ref: 0042D99E
__vbaStrMove.MSVBVM60 ref: 0042D9BD
#666.MSVBVM60(?,00000008,00000000,?), ref: 0042D9EE
__vbaStrCopy.MSVBVM60 ref: 0042DA10
__vbaStrMove.MSVBVM60 ref: 0042DA2F
#666.MSVBVM60(?,00000008,?,?), ref: 0042DA60
__vbaVarAdd.MSVBVM60(?,00000008,?), ref: 0042DA78
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0042DA8D
__vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 0042DAA2
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0042DAB7
__vbaStrVarMove.MSVBVM60(00000000), ref: 0042DABE
__vbaStrMove.MSVBVM60 ref: 0042DACB
__vbaFreeStrList.MSVBVM60(0000000C,?,?,?,?,00000000,?,?,?,?,00000000,00000000,00000000), ref: 0042DB03
__vbaFreeVarList.MSVBVM60(0000000A,00000008,?,00000008,?,?,?,?,?,?,?), ref: 0042DB4E
#645.MSVBVM60(00004008,00000010), ref: 0042DB7B
__vbaStrMove.MSVBVM60 ref: 0042DB86
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 0042DB92
__vbaFreeStr.MSVBVM60 ref: 0042DBA9
#531.MSVBVM60(00673F04), ref: 0042DBC7
__vbaStrMove.MSVBVM60 ref: 0042DBEC
__vbaNew2.MSVBVM60(00403DD8,0043D010), ref: 0042DC28
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042DC62
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B41C,0000005C), ref: 0042DCA8
__vbaFreeObj.MSVBVM60 ref: 0042DCC3
__vbaAryDestruct.MSVBVM60(00000000,?,0042DD9D), ref: 0042DD7B
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042DD8A
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042DD96
__vbaErrorOverflow.MSVBVM60 ref: 0042DDAE

Strings

\winsqlite3.dll, xrefs: 0042D51A
1436100C0604, xrefs: 0042D6AF
ZYbKuIAfZGABKZsrrWeOuYJ, xrefs: 0042D996
yWcCXIIGnvCBcQstMiqFXgUUsmGHJcqv, xrefs: 0042D6D1
%g, xrefs: 0042D3FC, 0042D41C, 0042D442, 0042D46F, 0042D47E, 0042D490, 0042D4A4, 0042D4BB, 0042D4FC, 0042D513
ycjdNikmPGuofJBlFuYhiU, xrefs: 0042D1BD
C:\Users\Public\Libraries\vbsqlite3.dll, xrefs: 0042D62C, 0042D888
1A2D06251C15230809000F0E, xrefs: 0042D8EC
2F25270F252A3D0003343B27, xrefs: 0042D19B
4_l, xrefs: 0042DBE7
0B3D0937293712, xrefs: 0042D2BE, 0042D8CA
g, xrefs: 0042D773
\Microsoft\Windows\Templates\, xrefs: 0042D982
221B0C3A05152A30, xrefs: 0042D90E
wwHIhKTguiXEm, xrefs: 0042DA08
AJMysHCsjcSZXddJaKcAAE, xrefs: 0042D2E0, 0042D930
SysWOW64\winsqlite3.dll, xrefs: 0042D54F

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$Copy$List$#645Error$#666$BstrChkstkDestruct$#516#631BoundsGenerateNew2$#526#531#537#579#608#616#619#632#709#712AnsiCheckHresultOverflowPreserveRedimSystemUnicode
String ID: 0B3D0937293712$1436100C0604$1A2D06251C15230809000F0E$221B0C3A05152A30$2F25270F252A3D0003343B27$4_l$AJMysHCsjcSZXddJaKcAAE$C:\Users\Public\Libraries\vbsqlite3.dll$SysWOW64\winsqlite3.dll$ZYbKuIAfZGABKZsrrWeOuYJ$\Microsoft\Windows\Templates\$\winsqlite3.dll$g$wwHIhKTguiXEm$yWcCXIIGnvCBcQstMiqFXgUUsmGHJcqv$ycjdNikmPGuofJBlFuYhiU$%g
API String ID: 1145599605-2924875536
Opcode ID: 1c4c9723e3632eaab8d782c727ded8ef2507de139138fbb15002e82db8fa7e92
Instruction ID: 75a5cb7136a121762e864e28ed6e0ca6a937ff8320533cc3b60a5d382a7ac27a
Opcode Fuzzy Hash: 1c4c9723e3632eaab8d782c727ded8ef2507de139138fbb15002e82db8fa7e92
Instruction Fuzzy Hash: 3172FB75901218DBDB14DFA0DD88BDEBBB8BF48304F1085AAE146B72A0DB745A89CF54

Function 0040FF05 Relevance: 214.7, APIs: 112, Strings: 10, Instructions: 1168COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0040FF44

Part of subcall function 0042ECB0: __vbaLenBstr.MSVBVM60(?), ref: 0042ECF6
Part of subcall function 0042ECB0: #632.MSVBVM60(?,?,?,?), ref: 0042ED52
Part of subcall function 0042ECB0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 0042ED68
Part of subcall function 0042ECB0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0042ED6F
Part of subcall function 0042ECB0: #537.MSVBVM60(00000000), ref: 0042ED76
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED81
Part of subcall function 0042ECB0: __vbaStrCat.MSVBVM60(00000000), ref: 0042ED84
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED8B
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED90
Part of subcall function 0042ECB0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042EDA8

__vbaStrMove.MSVBVM60(?), ref: 0040FF5E
__vbaStrCopy.MSVBVM60 ref: 0040FF6F
__vbaStrMove.MSVBVM60 ref: 0040FF97

Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,6D42D8B1,00000001,6D41A323), ref: 0042DE03
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?), ref: 0042DE39
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?), ref: 0042DE44
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,?), ref: 0042DE47
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0042DE52
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0042DE5B
Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 0042DE79
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DE96
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEA1
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0042DEA4
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB0
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB9
Part of subcall function 0042DDC0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 0042DEDA
Part of subcall function 0042DDC0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 0042DEEC
Part of subcall function 0042DDC0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 0042DEF3
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DEFE

__vbaStrMove.MSVBVM60(?,?), ref: 0040FFB8
__vbaGenerateBoundsError.MSVBVM60 ref: 00410004
__vbaGenerateBoundsError.MSVBVM60 ref: 00410021
__vbaStrMove.MSVBVM60(006E4528), ref: 00410062
__vbaStrCat.MSVBVM60(00000000), ref: 00410069
#645.MSVBVM60(00000008,00000000), ref: 00410088
__vbaStrMove.MSVBVM60 ref: 00410096
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 004100A2
__vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,00000000,00000000), ref: 004100EA
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00000000,004030D6), ref: 004100F9
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,00000000,004030D6), ref: 0041015D
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,00000000,004030D6), ref: 0041017A
#712.MSVBVM60(006E4528,\User Data,00405638,00000001,000000FF,00000000,?,?,?,?,?,?,00000000,004030D6), ref: 004101A9
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,00000000,004030D6), ref: 004101B6
__vbaLenBstr.MSVBVM60(00678914), ref: 004101DD
#709.MSVBVM60(00678914,004055A8,000000FF,00000000), ref: 004101F5
#619.MSVBVM60(?,00004008,00000000), ref: 00410212
__vbaStrVarMove.MSVBVM60(?), ref: 0041021F
__vbaStrMove.MSVBVM60 ref: 0041022C
__vbaFreeVar.MSVBVM60 ref: 00410238
__vbaStrCopy.MSVBVM60 ref: 00410250
__vbaStrMove.MSVBVM60(?), ref: 0041026A
__vbaStrCopy.MSVBVM60 ref: 0041027B
__vbaStrMove.MSVBVM60 ref: 004102A3
__vbaStrMove.MSVBVM60(?,?), ref: 004102C4
__vbaNew2.MSVBVM60(00405678,00000000), ref: 004102D9
__vbaGenerateBoundsError.MSVBVM60 ref: 0041035D
__vbaGenerateBoundsError.MSVBVM60 ref: 0041037A
__vbaStrMove.MSVBVM60(006E4528), ref: 004103BA
__vbaStrCat.MSVBVM60(00000000), ref: 004103C1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405668,00000028), ref: 0041041D
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,00000000), ref: 00410461
__vbaFreeVar.MSVBVM60 ref: 00410470
__vbaStrCat.MSVBVM60(\User Data\Default\Login Data,006E4528,?,?,?,?,?,?,00000000,004030D6), ref: 00410506
#645.MSVBVM60(00000008,00000000), ref: 00410525
__vbaStrMove.MSVBVM60 ref: 00410533
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 0041053F
__vbaFreeStr.MSVBVM60 ref: 0041055A
__vbaFreeVar.MSVBVM60 ref: 00410566
__vbaErrorOverflow.MSVBVM60 ref: 00412DD7

Strings

Profiles, xrefs: 00410EAA
S, xrefs: 0041159B
333D2D2928333C13241805111D34572E34002C, xrefs: 0040FF39, 00410245
\User Data\Default\Login Data, xrefs: 00410501, 00410855
(En, xrefs: 0040FFBE, 0040FFC7, 0040FFD9, 0040FFE8, 00410043, 00410115, 0041011E, 00410131, 00410140, 00410196, 00410315, 0041031E, 00410331, 00410340, 0041039C, 0041047D, 00410486, 00410499, 004104A8, 004104EE, 00410582, 0041058B, 0041059E, 004105AD, 004105F3, 004105FC, 0041060F, 0041061E, 00410664, 004106F6, 00410719, 004107D1, 004107DA, 004107ED, 004107FC, 00410842, 00410966, 0041096F, 00410982, 00410991, 004109ED, 00410ABE, 00410AC7, 00410ADA, 00410AE8, 00410B3E, 00410CBD, 00410CC6, 00410CD9, 00410CE7, 00410D43, 00410E25, 00410E2E, 00410E41, 00410E4F, 00410E97, 00410EC6, 00410ECF, 00410EE2, 00410EF1, 00410F47, 00411041, 00411142, 0041114B, 0041115E, 0041116C, 004111B2, 00411246, 0041124F, 00411262, 00411270, 004112B6, 004112BF, 004112D2, 004112E0, 00411326, 004113B8, 004113DC, 00411493, 0041149C, 004114AF, 004114BD, 00411503
\User Data, xrefs: 00410191, 00410B39
EoyHOIFPgxTjvtZwjUtMeZQ, xrefs: 0040FF64, 00410270
\Profiles, xrefs: 00410F42, 004111C5, 00411516
1D012D3D2A24701E0A2738, xrefs: 004108E1, 00410BED
jAMBZCJPZkSYHclvQlTnjDT, xrefs: 0041090C, 00410C18

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$Error$BoundsGenerate$BstrCopy$List$#516#631#645$#537#608#619#632#709#712CheckHresultNew2Overflow
String ID: (En$1D012D3D2A24701E0A2738$333D2D2928333C13241805111D34572E34002C$EoyHOIFPgxTjvtZwjUtMeZQ$Profiles$S$\Profiles$\User Data$\User Data\Default\Login Data$jAMBZCJPZkSYHclvQlTnjDT
API String ID: 3691625242-2554719228
Opcode ID: 11e00ef95b24a0c2a8609bbae7b963d32d1441d4c4473df5024f34398dd7c4ae
Instruction ID: 88bcc81e1a817e0464b53eb0a68279d7e96d2726d39273a4a03c0112dedafa3a
Opcode Fuzzy Hash: 11e00ef95b24a0c2a8609bbae7b963d32d1441d4c4473df5024f34398dd7c4ae
Instruction Fuzzy Hash: F5C21870A01218DFEB24CF54DD84BEAB7B1FB49704F1081EAE549A72A0DB745AC6CF58

Function 0042ECB0 Relevance: 193.4, APIs: 104, Strings: 6, Instructions: 853
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaLenBstr.MSVBVM60(?), ref: 0042ECF6
#632.MSVBVM60(?,?,?,?), ref: 0042ED52
__vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 0042ED68
__vbaI4ErrVar.MSVBVM60(00000000), ref: 0042ED6F
#537.MSVBVM60(00000000), ref: 0042ED76
__vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED81
__vbaStrCat.MSVBVM60(00000000), ref: 0042ED84
__vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED8B
__vbaFreeStr.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED90
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042EDA8
__vbaErrorOverflow.MSVBVM60 ref: 0042EE14
__vbaChkstk.MSVBVM60(00000000,004030D6), ref: 0042EE3E
__vbaOnError.MSVBVM60(000000FF,6D42D8B1,?,6D41A323,00000000,004030D6), ref: 0042EE6E
__vbaVarVargNofree.MSVBVM60 ref: 0042EE8F
__vbaVarSub.MSVBVM60(?,00000002,00000000), ref: 0042EE9E
__vbaI2Var.MSVBVM60(00000000), ref: 0042EEA5
__vbaChkstk.MSVBVM60 ref: 0042EF2B
__vbaChkstk.MSVBVM60 ref: 0042EF4E
__vbaVarIndexLoad.MSVBVM60(?,?,00000001), ref: 0042EF76
__vbaChkstk.MSVBVM60 ref: 0042EF86

Strings

053B206F2A0D2B06655B, xrefs: 0042F790
08575C, xrefs: 0042F688
ZgRNAHlXcSoVXdhgprKFHpdSWtelPhhsR, xrefs: 0042F7B2
'@, xrefs: 0042ECF0, 0042ED24
0'@, xrefs: 0042EEF0
ujahrMBxeDdcZkqUOaGiTpm, xrefs: 0042F6AA

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Chkstk$ErrorFreeMove$#537#632BstrIndexListLoadNofreeOverflowVarg
String ID: '@$0'@$053B206F2A0D2B06655B$08575C$ZgRNAHlXcSoVXdhgprKFHpdSWtelPhhsR$ujahrMBxeDdcZkqUOaGiTpm
API String ID: 2129149374-2207246312
Opcode ID: 7d7038b396ac691d7125a89312b94afd9eb6d567a36b56c488185f786d440747
Instruction ID: c7fb5383da4a6bb42bf5c3581b000506b043ba3aefaeaf35e6ebb9f43ff5013a
Opcode Fuzzy Hash: 7d7038b396ac691d7125a89312b94afd9eb6d567a36b56c488185f786d440747
Instruction Fuzzy Hash: 9F8219B5900218EFDB04DFA4DA88BDEBBB5FF48304F608169E506B72A0DB746A45CF54

Function 00412E6C Relevance: 189.8, APIs: 97, Strings: 11, Instructions: 816COMMON

Download Yara Rule

APIs

__vbaGenerateBoundsError.MSVBVM60 ref: 00412EE8
__vbaGenerateBoundsError.MSVBVM60 ref: 00412F05
__vbaStrCat.MSVBVM60(\accounts.xml,006597C0), ref: 00412F28
#645.MSVBVM60(00000008,00000000), ref: 00412F47
__vbaStrMove.MSVBVM60 ref: 00412F52
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 00412F5E
__vbaFreeStr.MSVBVM60 ref: 00412F76
__vbaFreeVar.MSVBVM60 ref: 00412F82
__vbaNew2.MSVBVM60(00405800,00000000), ref: 00412FAD
__vbaGenerateBoundsError.MSVBVM60 ref: 0041301D
__vbaGenerateBoundsError.MSVBVM60 ref: 0041303A
__vbaStrCat.MSVBVM60(\accounts.xml,006597C0), ref: 0041305E
__vbaChkstk.MSVBVM60(?), ref: 00413080
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405810,000000E8), ref: 004130E8
__vbaFreeVar.MSVBVM60 ref: 00413106
__vbaNew2.MSVBVM60(00405800,00000000), ref: 00413122
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405810,000000B4), ref: 0041318F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00405940,00000030), ref: 004131F2
__vbaObjSet.MSVBVM60(?,?), ref: 0041322E
__vbaForEachCollObj.MSVBVM60(00405940,?,?,00000000), ref: 00413245
__vbaFreeObj.MSVBVM60 ref: 00413257
__vbaStrCopy.MSVBVM60 ref: 00413271
__vbaStrMove.MSVBVM60(?), ref: 00413285
__vbaStrCopy.MSVBVM60 ref: 00413293
__vbaStrMove.MSVBVM60(?), ref: 004132A7
__vbaStrCopy.MSVBVM60 ref: 004132B5
__vbaStrMove.MSVBVM60 ref: 004132D4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405940,00000030), ref: 00413310
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406444,0000001C), ref: 00413375
__vbaFreeObjList.MSVBVM60(00000006,?,?,?,?,?,?,00415489), ref: 00415431
__vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,00000000,004030D6), ref: 00415443
__vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,00000000,004030D6), ref: 00415452
__vbaFreeStr.MSVBVM60(?,?,?,?,?,00000000,004030D6), ref: 0041545B
__vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,00000000,004030D6), ref: 00415467
__vbaFreeStr.MSVBVM60(?,?,?,?,?,00000000,004030D6), ref: 00415470
__vbaFreeObj.MSVBVM60(?,?,?,?,?,00000000,004030D6), ref: 00415479
__vbaFreeObj.MSVBVM60(?,?,?,?,?,00000000,004030D6), ref: 00415482
__vbaErrorOverflow.MSVBVM60 ref: 0041549D

Strings

Server, xrefs: 00413C33, 00414957
===============DARKCLOUD===============, xrefs: 00414654, 00415301
xSlwZiQnRQDmDXCuhsXxuBZdyNiiKUGCJV, xrefs: 00414535
\sitemanager.xml, xrefs: 00414729, 0041485F
%, xrefs: 0041534E
\accounts.xml, xrefs: 00412F23, 00413059
Application : FileZilla, xrefs: 00415284
TcDrGNJvvKjh, xrefs: 00414508, 0041520A
121C073600320F26382B0364626333011F3D221C2E3605, xrefs: 004144E6
\recentservers.xml, xrefs: 00413A06, 00413B3B
33250134392504126B5048, xrefs: 004144C4, 004151E8

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckErrorHresult$BoundsGenerateMove$CopyDestruct$New2$#645ChkstkCollEachListOverflow
String ID: %$121C073600320F26382B0364626333011F3D221C2E3605$33250134392504126B5048$===============DARKCLOUD===============$Application : FileZilla$Server$TcDrGNJvvKjh$\accounts.xml$\recentservers.xml$\sitemanager.xml$xSlwZiQnRQDmDXCuhsXxuBZdyNiiKUGCJV
API String ID: 1698869595-1275540205
Opcode ID: 2e7bde6b2d52f9b7f3cda0c4dad9eff4c73b88cce3b37dbf6a456e6fe0f647c5
Instruction ID: b3b07d2a290f5b17187a8344e554760907bdeca9801f3f9a4b2dfbb524d15034
Opcode Fuzzy Hash: 2e7bde6b2d52f9b7f3cda0c4dad9eff4c73b88cce3b37dbf6a456e6fe0f647c5
Instruction Fuzzy Hash: CF822975D00218DFDB14DF90DE88BEEB7B5FB48301F1081AAE50AA72A0DB745A85CF59

Function 0040CBA0 Relevance: 173.9, APIs: 79, Strings: 20, Instructions: 626
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,004030D6), ref: 0040CBBE
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,004030D6), ref: 0040CC05
__vbaSetSystemError.MSVBVM60(00000100), ref: 0040CC5E
__vbaErrorOverflow.MSVBVM60 ref: 0040CCB5
__vbaChkstk.MSVBVM60(00000000,004030D6), ref: 0040CCDE
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004030D6), ref: 0040CD25
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004030D6), ref: 0040CD50
__vbaStrMove.MSVBVM60(?,?,?,?,00000000,004030D6), ref: 0040CD64
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004030D6), ref: 0040CD72
__vbaStrMove.MSVBVM60 ref: 0040CD91
__vbaStrMove.MSVBVM60(?,?), ref: 0040CDA9
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,?,?), ref: 0040CDD2
__vbaFreeVar.MSVBVM60(?,?,?,?,?,004030D6), ref: 0040CDDE
__vbaStrCopy.MSVBVM60(?,?,?,?,?,004030D6), ref: 0040CDF3

Part of subcall function 0042ECB0: __vbaLenBstr.MSVBVM60(?), ref: 0042ECF6
Part of subcall function 0042ECB0: #632.MSVBVM60(?,?,?,?), ref: 0042ED52
Part of subcall function 0042ECB0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 0042ED68
Part of subcall function 0042ECB0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0042ED6F
Part of subcall function 0042ECB0: #537.MSVBVM60(00000000), ref: 0042ED76
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED81
Part of subcall function 0042ECB0: __vbaStrCat.MSVBVM60(00000000), ref: 0042ED84
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED8B
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED90
Part of subcall function 0042ECB0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042EDA8

__vbaStrMove.MSVBVM60(?,?,?,?,?,?,004030D6), ref: 0040CE07
__vbaStrCopy.MSVBVM60(?,?,?,?,?,004030D6), ref: 0040CE15
__vbaStrMove.MSVBVM60 ref: 0040CE34

Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,6D42D8B1,00000001,6D41A323), ref: 0042DE03
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?), ref: 0042DE39
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?), ref: 0042DE44
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,?), ref: 0042DE47
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0042DE52
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0042DE5B
Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 0042DE79
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DE96
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEA1
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0042DEA4
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB0
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB9
Part of subcall function 0042DDC0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 0042DEDA
Part of subcall function 0042DDC0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 0042DEEC
Part of subcall function 0042DDC0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 0042DEF3
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DEFE

__vbaStrMove.MSVBVM60(?,?), ref: 0040CE4C

Part of subcall function 0042CE60: __vbaChkstk.MSVBVM60(?,004030D6,?,?,?,?,00000000,004030D6), ref: 0042CE7E
Part of subcall function 0042CE60: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004030D6), ref: 0042CEAE
Part of subcall function 0042CE60: __vbaStrCat.MSVBVM60(004055A8,00673F04,?,?,?,?,004030D6), ref: 0042CECD
Part of subcall function 0042CE60: #645.MSVBVM60(00000008,00000000), ref: 0042CEE3
Part of subcall function 0042CE60: __vbaVarMove.MSVBVM60 ref: 0042CEF9
Part of subcall function 0042CE60: __vbaFreeVar.MSVBVM60 ref: 0042CF02
Part of subcall function 0042CE60: __vbaVarTstGt.MSVBVM60(00008008,?), ref: 0042CF2E
Part of subcall function 0042CE60: __vbaInStrVar.MSVBVM60(00000008,00000000,00000008,?,00000001), ref: 0042CF6E
Part of subcall function 0042CE60: __vbaBoolVarNull.MSVBVM60(00000000), ref: 0042CF75
Part of subcall function 0042CE60: __vbaFreeVar.MSVBVM60 ref: 0042CF85
Part of subcall function 0042CE60: __vbaStrCat.MSVBVM60(004055A8,00673F04), ref: 0042CFAD
Part of subcall function 0042CE60: __vbaVarCat.MSVBVM60(?,?,00000008), ref: 0042CFC9
Part of subcall function 0042CE60: __vbaStrVarMove.MSVBVM60(00000000), ref: 0042CFD0
Part of subcall function 0042CE60: __vbaStrMove.MSVBVM60 ref: 0042CFDB
Part of subcall function 0042CE60: __vbaVarAdd.MSVBVM60(0000000A,?,00000008), ref: 0042D004

__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,?,?), ref: 0040CE75
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004030D6), ref: 0040CE81
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004030D6), ref: 0040CE96
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004030D6), ref: 0040CEAA
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004030D6), ref: 0040CEB8
__vbaStrMove.MSVBVM60 ref: 0040CED7

Part of subcall function 0042DDC0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,00000002,?,?,?), ref: 0042DF0A
Part of subcall function 0042DDC0: __vbaStrCopy.MSVBVM60 ref: 0042DF29
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(0042DF6C), ref: 0042DF65

__vbaStrMove.MSVBVM60(?,?), ref: 0040CEEF

Part of subcall function 0042CE60: __vbaStrVarMove.MSVBVM60(00000000), ref: 0042D00B
Part of subcall function 0042CE60: __vbaStrMove.MSVBVM60 ref: 0042D016
Part of subcall function 0042CE60: __vbaStrCopy.MSVBVM60 ref: 0042D024
Part of subcall function 0042CE60: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?), ref: 0042D049
Part of subcall function 0042CE60: __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,004030D6), ref: 0042D060
Part of subcall function 0042CE60: #645.MSVBVM60(0000000A,00000000), ref: 0042D084
Part of subcall function 0042CE60: __vbaVarMove.MSVBVM60 ref: 0042D09A
Part of subcall function 0042CE60: __vbaFreeVar.MSVBVM60 ref: 0042D0A3
Part of subcall function 0042CE60: __vbaFreeVar.MSVBVM60(0042D101), ref: 0042D0FA

__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,?,?), ref: 0040CF18
__vbaFreeVar.MSVBVM60 ref: 0040CF24
__vbaStrCopy.MSVBVM60 ref: 0040CF39
__vbaStrMove.MSVBVM60(?), ref: 0040CF4D
__vbaStrCopy.MSVBVM60 ref: 0040CF5B
__vbaStrMove.MSVBVM60 ref: 0040CF7A
__vbaStrMove.MSVBVM60(?,?), ref: 0040CF92
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,?,?), ref: 0040CFBB
__vbaFreeVar.MSVBVM60 ref: 0040CFC7
__vbaStrCopy.MSVBVM60 ref: 0040CFDC
__vbaStrMove.MSVBVM60(?), ref: 0040CFF0
__vbaStrCopy.MSVBVM60 ref: 0040CFFE
__vbaStrMove.MSVBVM60(?), ref: 0040D012
__vbaStrCopy.MSVBVM60 ref: 0040D020
__vbaStrMove.MSVBVM60 ref: 0040D03F
#666.MSVBVM60(?,00000008,?,?), ref: 0040D064
__vbaStrCopy.MSVBVM60 ref: 0040D086
__vbaStrMove.MSVBVM60 ref: 0040D0A5
#666.MSVBVM60(?,00000008,00000000,?), ref: 0040D0D3
__vbaVarCat.MSVBVM60(?,00000008,?), ref: 0040D0E8
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0040D0FD
__vbaStrVarMove.MSVBVM60(00000000), ref: 0040D104
__vbaStrMove.MSVBVM60 ref: 0040D10F
__vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,00000000,?,?,00000000,00000000,?,?), ref: 0040D14B
__vbaFreeVarList.MSVBVM60(00000007,00000008,?,00000008,?,?,?,?), ref: 0040D17E
__vbaStrCopy.MSVBVM60 ref: 0040D196
__vbaStrMove.MSVBVM60(?), ref: 0040D1AA
__vbaStrCopy.MSVBVM60 ref: 0040D1B8
__vbaStrMove.MSVBVM60 ref: 0040D1D7
__vbaStrMove.MSVBVM60(?,?), ref: 0040D1EF
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,00000008,?), ref: 0040D218
__vbaFreeVar.MSVBVM60 ref: 0040D224
__vbaStrCopy.MSVBVM60 ref: 0040D239
__vbaStrMove.MSVBVM60(?), ref: 0040D24D
__vbaStrCopy.MSVBVM60 ref: 0040D25B
__vbaStrMove.MSVBVM60 ref: 0040D27A
__vbaStrMove.MSVBVM60(?,?), ref: 0040D292
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,00000008,?), ref: 0040D2BB
__vbaFreeVar.MSVBVM60 ref: 0040D2C7
__vbaStrCopy.MSVBVM60 ref: 0040D2DC
__vbaStrMove.MSVBVM60(?), ref: 0040D2F0
__vbaStrCopy.MSVBVM60 ref: 0040D2FE
__vbaStrMove.MSVBVM60 ref: 0040D31D
__vbaStrMove.MSVBVM60(?,?), ref: 0040D335
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,00000008,?), ref: 0040D35E
__vbaFreeVar.MSVBVM60 ref: 0040D36A
__vbaStrCopy.MSVBVM60 ref: 0040D37F
__vbaStrMove.MSVBVM60(?), ref: 0040D393
__vbaStrCopy.MSVBVM60 ref: 0040D3A1
__vbaStrMove.MSVBVM60 ref: 0040D3C0
__vbaStrMove.MSVBVM60(?,?), ref: 0040D3D8
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,00000008,?), ref: 0040D401
__vbaFreeVar.MSVBVM60 ref: 0040D40D

Strings

MBRISsSbyuoqjWefuJNDccaatoSYiiTqdLJPpuLFyvnv, xrefs: 0040D1B0
351520333D051C351A34123F29, xrefs: 0040D2D4
gjoUkezPmYZiUeOCSpjyIcGuCPCtzARw, xrefs: 0040CE0D
qlAvrOpVvgNuRDODSmKeLFgIKPpgDHEYi, xrefs: 0040CF53
ZYbKuIAfZGABKZsrrWeOuYJ, xrefs: 0040D018
0004083D222D1116, xrefs: 0040CE8E
270A2618041D351E, xrefs: 0040CDEB
29073609033F1E, xrefs: 0040CD48
0F3313162A1E221F062206, xrefs: 0040CF31
xvgYCIjKTvXwKZvOGENTBKktGKyOWJn, xrefs: 0040D2F6
1A2D06251C15230809000F0E, xrefs: 0040CFD4
2124001F06, xrefs: 0040D377
DCkfICNeeuVDZ, xrefs: 0040CEB0
qgMlzuMfFjvipKlYxNNzLIifDrLSvOGWlDcBZTEOTDL, xrefs: 0040D399
vjhYbjZmdRZBHfvQqGvzEsedtDPkrRQYO, xrefs: 0040CD6A
221B0C3A05152A30, xrefs: 0040CFF6
wwHIhKTguiXEm, xrefs: 0040D07E
YpIJTmeQqsCvYsheQHZGgcXBtLRtCuPRz, xrefs: 0040D253
11313B36163D11111A1B, xrefs: 0040D18E
3B2C33100C1130, xrefs: 0040D231

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$Copy$List$Error$BstrChkstk$#516#631#645#666$#537#608#632BoolNullOverflowSystem
String ID: 0004083D222D1116$0F3313162A1E221F062206$11313B36163D11111A1B$1A2D06251C15230809000F0E$2124001F06$221B0C3A05152A30$270A2618041D351E$29073609033F1E$351520333D051C351A34123F29$3B2C33100C1130$DCkfICNeeuVDZ$MBRISsSbyuoqjWefuJNDccaatoSYiiTqdLJPpuLFyvnv$YpIJTmeQqsCvYsheQHZGgcXBtLRtCuPRz$ZYbKuIAfZGABKZsrrWeOuYJ$gjoUkezPmYZiUeOCSpjyIcGuCPCtzARw$qgMlzuMfFjvipKlYxNNzLIifDrLSvOGWlDcBZTEOTDL$qlAvrOpVvgNuRDODSmKeLFgIKPpgDHEYi$vjhYbjZmdRZBHfvQqGvzEsedtDPkrRQYO$wwHIhKTguiXEm$xvgYCIjKTvXwKZvOGENTBKktGKyOWJn
API String ID: 2234777198-1085237787
Opcode ID: aab4f0af046433a418a7b600d1cec99bd54f309aefc2f7edc806784fb364b369
Instruction ID: cc898633ca16ca78fe1c839a4bcb39ffdc4a13f726c3fd9bc436b6fc38c88b36
Opcode Fuzzy Hash: aab4f0af046433a418a7b600d1cec99bd54f309aefc2f7edc806784fb364b369
Instruction Fuzzy Hash: 9752EC76901108DBCB04DFE4DA94EDEB7B9FF48304F10856AE106B71A4DB746A49CF64

Function 004040C1 Relevance: 166.8, APIs: 74, Strings: 21, Instructions: 542
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,004030D6), ref: 0040CCDE
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004030D6), ref: 0040CD25
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004030D6), ref: 0040CD50

Part of subcall function 0042ECB0: __vbaLenBstr.MSVBVM60(?), ref: 0042ECF6
Part of subcall function 0042ECB0: #632.MSVBVM60(?,?,?,?), ref: 0042ED52
Part of subcall function 0042ECB0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 0042ED68
Part of subcall function 0042ECB0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0042ED6F
Part of subcall function 0042ECB0: #537.MSVBVM60(00000000), ref: 0042ED76
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED81
Part of subcall function 0042ECB0: __vbaStrCat.MSVBVM60(00000000), ref: 0042ED84
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED8B
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED90
Part of subcall function 0042ECB0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042EDA8

__vbaStrMove.MSVBVM60(?,?,?,?,00000000,004030D6), ref: 0040CD64
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004030D6), ref: 0040CD72
__vbaStrMove.MSVBVM60 ref: 0040CD91

Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,6D42D8B1,00000001,6D41A323), ref: 0042DE03
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?), ref: 0042DE39
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?), ref: 0042DE44
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,?), ref: 0042DE47
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0042DE52
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0042DE5B
Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 0042DE79
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DE96
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEA1
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0042DEA4
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB0
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB9
Part of subcall function 0042DDC0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 0042DEDA
Part of subcall function 0042DDC0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 0042DEEC
Part of subcall function 0042DDC0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 0042DEF3
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DEFE

__vbaStrMove.MSVBVM60(?,?), ref: 0040CDA9

Part of subcall function 0042CE60: __vbaChkstk.MSVBVM60(?,004030D6,?,?,?,?,00000000,004030D6), ref: 0042CE7E
Part of subcall function 0042CE60: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004030D6), ref: 0042CEAE
Part of subcall function 0042CE60: __vbaStrCat.MSVBVM60(004055A8,00673F04,?,?,?,?,004030D6), ref: 0042CECD
Part of subcall function 0042CE60: #645.MSVBVM60(00000008,00000000), ref: 0042CEE3
Part of subcall function 0042CE60: __vbaVarMove.MSVBVM60 ref: 0042CEF9
Part of subcall function 0042CE60: __vbaFreeVar.MSVBVM60 ref: 0042CF02
Part of subcall function 0042CE60: __vbaVarTstGt.MSVBVM60(00008008,?), ref: 0042CF2E
Part of subcall function 0042CE60: __vbaInStrVar.MSVBVM60(00000008,00000000,00000008,?,00000001), ref: 0042CF6E
Part of subcall function 0042CE60: __vbaBoolVarNull.MSVBVM60(00000000), ref: 0042CF75
Part of subcall function 0042CE60: __vbaFreeVar.MSVBVM60 ref: 0042CF85
Part of subcall function 0042CE60: __vbaStrCat.MSVBVM60(004055A8,00673F04), ref: 0042CFAD
Part of subcall function 0042CE60: __vbaVarCat.MSVBVM60(?,?,00000008), ref: 0042CFC9
Part of subcall function 0042CE60: __vbaStrVarMove.MSVBVM60(00000000), ref: 0042CFD0
Part of subcall function 0042CE60: __vbaStrMove.MSVBVM60 ref: 0042CFDB
Part of subcall function 0042CE60: __vbaVarAdd.MSVBVM60(0000000A,?,00000008), ref: 0042D004

__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,?,?), ref: 0040CDD2
__vbaFreeVar.MSVBVM60(?,?,?,?,?,004030D6), ref: 0040CDDE
__vbaStrCopy.MSVBVM60(?,?,?,?,?,004030D6), ref: 0040CDF3
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,004030D6), ref: 0040CE07
__vbaStrCopy.MSVBVM60(?,?,?,?,?,004030D6), ref: 0040CE15
__vbaStrMove.MSVBVM60 ref: 0040CE34

Part of subcall function 0042DDC0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,00000002,?,?,?), ref: 0042DF0A
Part of subcall function 0042DDC0: __vbaStrCopy.MSVBVM60 ref: 0042DF29
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(0042DF6C), ref: 0042DF65

__vbaStrMove.MSVBVM60(?,?), ref: 0040CE4C

Part of subcall function 0042CE60: __vbaStrVarMove.MSVBVM60(00000000), ref: 0042D00B
Part of subcall function 0042CE60: __vbaStrMove.MSVBVM60 ref: 0042D016
Part of subcall function 0042CE60: __vbaStrCopy.MSVBVM60 ref: 0042D024
Part of subcall function 0042CE60: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?), ref: 0042D049
Part of subcall function 0042CE60: __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,004030D6), ref: 0042D060
Part of subcall function 0042CE60: #645.MSVBVM60(0000000A,00000000), ref: 0042D084
Part of subcall function 0042CE60: __vbaVarMove.MSVBVM60 ref: 0042D09A
Part of subcall function 0042CE60: __vbaFreeVar.MSVBVM60 ref: 0042D0A3
Part of subcall function 0042CE60: __vbaFreeVar.MSVBVM60(0042D101), ref: 0042D0FA

__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,?,?), ref: 0040CE75
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004030D6), ref: 0040CE81
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004030D6), ref: 0040CE96
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004030D6), ref: 0040CEAA
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004030D6), ref: 0040CEB8
__vbaStrMove.MSVBVM60 ref: 0040CED7
__vbaStrMove.MSVBVM60(?,?), ref: 0040CEEF
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,?,?), ref: 0040CF18
__vbaFreeVar.MSVBVM60 ref: 0040CF24
__vbaStrCopy.MSVBVM60 ref: 0040CF39
__vbaStrMove.MSVBVM60(?), ref: 0040CF4D
__vbaStrCopy.MSVBVM60 ref: 0040CF5B
__vbaStrMove.MSVBVM60 ref: 0040CF7A
__vbaStrMove.MSVBVM60(?,?), ref: 0040CF92
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,?,?), ref: 0040CFBB
__vbaFreeVar.MSVBVM60 ref: 0040CFC7
__vbaStrCopy.MSVBVM60 ref: 0040CFDC
__vbaStrMove.MSVBVM60(?), ref: 0040CFF0
__vbaStrCopy.MSVBVM60 ref: 0040CFFE
__vbaStrMove.MSVBVM60(?), ref: 0040D012
__vbaStrCopy.MSVBVM60 ref: 0040D020
__vbaStrMove.MSVBVM60 ref: 0040D03F
#666.MSVBVM60(?,00000008,?,?), ref: 0040D064
__vbaStrCopy.MSVBVM60 ref: 0040D086
__vbaStrMove.MSVBVM60 ref: 0040D0A5
#666.MSVBVM60(?,00000008,00000000,?), ref: 0040D0D3
__vbaVarCat.MSVBVM60(?,00000008,?), ref: 0040D0E8
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0040D0FD
__vbaStrVarMove.MSVBVM60(00000000), ref: 0040D104
__vbaStrMove.MSVBVM60 ref: 0040D10F
__vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,00000000,?,?,00000000,00000000,?,?), ref: 0040D14B
__vbaFreeVarList.MSVBVM60(00000007,00000008,?,00000008,?,?,?,?), ref: 0040D17E
__vbaStrCopy.MSVBVM60 ref: 0040D196
__vbaStrMove.MSVBVM60(?), ref: 0040D1AA
__vbaStrCopy.MSVBVM60 ref: 0040D1B8
__vbaStrMove.MSVBVM60 ref: 0040D1D7
__vbaStrMove.MSVBVM60(?,?), ref: 0040D1EF
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,00000008,?), ref: 0040D218
__vbaFreeVar.MSVBVM60 ref: 0040D224
__vbaStrCopy.MSVBVM60 ref: 0040D239
__vbaStrMove.MSVBVM60(?), ref: 0040D24D
__vbaStrCopy.MSVBVM60 ref: 0040D25B
__vbaStrMove.MSVBVM60 ref: 0040D27A
__vbaStrMove.MSVBVM60(?,?), ref: 0040D292
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,00000008,?), ref: 0040D2BB
__vbaFreeVar.MSVBVM60 ref: 0040D2C7
__vbaStrCopy.MSVBVM60 ref: 0040D2DC
__vbaStrMove.MSVBVM60(?), ref: 0040D2F0
__vbaStrCopy.MSVBVM60 ref: 0040D2FE
__vbaStrMove.MSVBVM60 ref: 0040D31D
__vbaStrMove.MSVBVM60(?,?), ref: 0040D335
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,00000008,?), ref: 0040D35E
__vbaFreeVar.MSVBVM60 ref: 0040D36A
__vbaStrCopy.MSVBVM60 ref: 0040D37F
__vbaStrMove.MSVBVM60(?), ref: 0040D393
__vbaStrCopy.MSVBVM60 ref: 0040D3A1
__vbaStrMove.MSVBVM60 ref: 0040D3C0
__vbaStrMove.MSVBVM60(?,?), ref: 0040D3D8
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,00000008,?), ref: 0040D401
__vbaFreeVar.MSVBVM60 ref: 0040D40D

Strings

MBRISsSbyuoqjWefuJNDccaatoSYiiTqdLJPpuLFyvnv, xrefs: 0040D1B0
351520333D051C351A34123F29, xrefs: 0040D2D4
gjoUkezPmYZiUeOCSpjyIcGuCPCtzARw, xrefs: 0040CE0D
qlAvrOpVvgNuRDODSmKeLFgIKPpgDHEYi, xrefs: 0040CF53
ZYbKuIAfZGABKZsrrWeOuYJ, xrefs: 0040D018
0004083D222D1116, xrefs: 0040CE8E
270A2618041D351E, xrefs: 0040CDEB
C, xrefs: 004040C1
29073609033F1E, xrefs: 0040CD48
0F3313162A1E221F062206, xrefs: 0040CF31
xvgYCIjKTvXwKZvOGENTBKktGKyOWJn, xrefs: 0040D2F6
1A2D06251C15230809000F0E, xrefs: 0040CFD4
2124001F06, xrefs: 0040D377
DCkfICNeeuVDZ, xrefs: 0040CEB0
qgMlzuMfFjvipKlYxNNzLIifDrLSvOGWlDcBZTEOTDL, xrefs: 0040D399
vjhYbjZmdRZBHfvQqGvzEsedtDPkrRQYO, xrefs: 0040CD6A
221B0C3A05152A30, xrefs: 0040CFF6
wwHIhKTguiXEm, xrefs: 0040D07E
YpIJTmeQqsCvYsheQHZGgcXBtLRtCuPRz, xrefs: 0040D253
11313B36163D11111A1B, xrefs: 0040D18E
3B2C33100C1130, xrefs: 0040D231

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$Copy$List$Bstr$#516#631#645#666ChkstkError$#537#608#632BoolNull
String ID: 0004083D222D1116$0F3313162A1E221F062206$11313B36163D11111A1B$1A2D06251C15230809000F0E$2124001F06$221B0C3A05152A30$270A2618041D351E$29073609033F1E$351520333D051C351A34123F29$3B2C33100C1130$C$DCkfICNeeuVDZ$MBRISsSbyuoqjWefuJNDccaatoSYiiTqdLJPpuLFyvnv$YpIJTmeQqsCvYsheQHZGgcXBtLRtCuPRz$ZYbKuIAfZGABKZsrrWeOuYJ$gjoUkezPmYZiUeOCSpjyIcGuCPCtzARw$qgMlzuMfFjvipKlYxNNzLIifDrLSvOGWlDcBZTEOTDL$qlAvrOpVvgNuRDODSmKeLFgIKPpgDHEYi$vjhYbjZmdRZBHfvQqGvzEsedtDPkrRQYO$wwHIhKTguiXEm$xvgYCIjKTvXwKZvOGENTBKktGKyOWJn
API String ID: 1362582428-2783218559
Opcode ID: 03ad8300bbc931f3e5bbc3b588e01116fe2f86b9a21fa74b57f8051877ca3065
Instruction ID: 6b8bad3854a6ca5e0ffeccc7b4a47edcfcffc914371e1be11cf640ca11b9979d
Opcode Fuzzy Hash: 03ad8300bbc931f3e5bbc3b588e01116fe2f86b9a21fa74b57f8051877ca3065
Instruction Fuzzy Hash: D432CA76911109EBCB04DFE0DE94EDEB7B9FF48304F10856AE102B61A4EB746A49CF64

Function 00420E20 Relevance: 144.0, APIs: 73, Strings: 9, Instructions: 536
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,004030D6,?,?,?,00411F0F,?,?), ref: 00420E3E
__vbaAryMove.MSVBVM60(?,?,?,0043D064,?,?,?,?,004030D6), ref: 00420EAA
__vbaUbound.MSVBVM60(00000001,?,?,?,?,?,004030D6), ref: 00420EBD
__vbaI2I4.MSVBVM60(?,?,?,?,004030D6), ref: 00420EC5
__vbaStrCopy.MSVBVM60 ref: 00420F24

Part of subcall function 0042ECB0: __vbaLenBstr.MSVBVM60(?), ref: 0042ECF6
Part of subcall function 0042ECB0: #632.MSVBVM60(?,?,?,?), ref: 0042ED52
Part of subcall function 0042ECB0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 0042ED68
Part of subcall function 0042ECB0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0042ED6F
Part of subcall function 0042ECB0: #537.MSVBVM60(00000000), ref: 0042ED76
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED81
Part of subcall function 0042ECB0: __vbaStrCat.MSVBVM60(00000000), ref: 0042ED84
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED8B
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED90
Part of subcall function 0042ECB0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042EDA8

__vbaOnError.MSVBVM60(000000FF,?,?,?,?,004030D6), ref: 00420E6E

Part of subcall function 0042ECB0: __vbaChkstk.MSVBVM60(00000000,004030D6), ref: 0042F35E
Part of subcall function 0042ECB0: __vbaOnError.MSVBVM60(000000FF,6D42D8B1,?,6D41A323,00000000,004030D6), ref: 0042F38E
Part of subcall function 0042ECB0: #645.MSVBVM60(00004008,00000010), ref: 0042F3B5
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60 ref: 0042F3C0
Part of subcall function 0042ECB0: __vbaStrCmp.MSVBVM60(00405638,?), ref: 0042F3E3
Part of subcall function 0042ECB0: __vbaStrCmp.MSVBVM60(00407034,?), ref: 0042F401
Part of subcall function 0042ECB0: __vbaStrCmp.MSVBVM60(0040B454,?), ref: 0042F417
Part of subcall function 0042ECB0: __vbaStrCat.MSVBVM60(?,00000001), ref: 0042F43D
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60 ref: 0042F448
Part of subcall function 0042ECB0: #579.MSVBVM60(00000000), ref: 0042F44F
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60 ref: 0042F469
Part of subcall function 0042ECB0: __vbaRedimPreserve.MSVBVM60(00000180,00000004,?,00000008,00000001,00000000,00000000), ref: 0042F498

__vbaStrMove.MSVBVM60(?), ref: 00420F38
__vbaStrCopy.MSVBVM60 ref: 00420F46
__vbaStrMove.MSVBVM60 ref: 00420F65

Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,6D42D8B1,00000001,6D41A323), ref: 0042DE03
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?), ref: 0042DE39
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?), ref: 0042DE44
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,?), ref: 0042DE47
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0042DE52
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0042DE5B
Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 0042DE79
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DE96
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEA1
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0042DEA4
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB0
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB9
Part of subcall function 0042DDC0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 0042DEDA
Part of subcall function 0042DDC0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 0042DEEC
Part of subcall function 0042DDC0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 0042DEF3
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DEFE

__vbaStrMove.MSVBVM60(?,?), ref: 00420F7D
__vbaGenerateBoundsError.MSVBVM60 ref: 00420FBF
__vbaGenerateBoundsError.MSVBVM60 ref: 00420FDC
__vbaStrMove.MSVBVM60(00000000), ref: 00421011
__vbaStrCat.MSVBVM60(00000000), ref: 00421018
__vbaGenerateBoundsError.MSVBVM60 ref: 00421064
__vbaGenerateBoundsError.MSVBVM60 ref: 00421081
__vbaStrCat.MSVBVM60(\key4.db,00000000), ref: 004210A2
#645.MSVBVM60(00000008,00000000), ref: 004210BE
__vbaStrMove.MSVBVM60 ref: 004210C9
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 004210D5
#645.MSVBVM60(00000008,00000000), ref: 004210EE
__vbaStrMove.MSVBVM60 ref: 004210F9
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 00421105
__vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,00000000,00000000), ref: 0042113F
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00421155
#716.MSVBVM60(?,Scripting.FileSystemObject,00000000), ref: 0042117F
__vbaVarZero.MSVBVM60 ref: 0042118E
__vbaGenerateBoundsError.MSVBVM60 ref: 004211E3
__vbaGenerateBoundsError.MSVBVM60 ref: 00421200
__vbaStrCat.MSVBVM60(\key4.db,00000000), ref: 00421221
__vbaStrCat.MSVBVM60(\keyDBPath.db,00673F04), ref: 0042123D
__vbaChkstk.MSVBVM60 ref: 00421258
__vbaChkstk.MSVBVM60 ref: 0042127B
__vbaObjVar.MSVBVM60(?,CopyFile,00000002), ref: 004212B3
__vbaLateMemCall.MSVBVM60(00000000), ref: 004212BA
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004212D0
__vbaStrCopy.MSVBVM60 ref: 004212F9
__vbaStrMove.MSVBVM60(?), ref: 0042130D
__vbaStrCopy.MSVBVM60 ref: 0042131B
__vbaStrMove.MSVBVM60 ref: 0042133A
__vbaStrMove.MSVBVM60(?,?), ref: 00421352
__vbaStrCat.MSVBVM60(\keyDBPath.db,00673F04), ref: 00421364
__vbaStrMove.MSVBVM60 ref: 0042136F
__vbaGenerateBoundsError.MSVBVM60 ref: 004213B1
__vbaGenerateBoundsError.MSVBVM60 ref: 004213CE
__vbaStrMove.MSVBVM60(00000000), ref: 00421403
__vbaStrCat.MSVBVM60(00000000), ref: 0042140A
__vbaStrMove.MSVBVM60 ref: 00421415
__vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,00000000,00000000,?,?,00000000), ref: 0042144E
__vbaStrCat.MSVBVM60(\keyDBPath.db,00673F04), ref: 00421469
#529.MSVBVM60(00000008), ref: 0042147D
__vbaFreeVar.MSVBVM60 ref: 00421486
__vbaStrCopy.MSVBVM60 ref: 0042149B
__vbaStrMove.MSVBVM60(?), ref: 004214AF
__vbaStrCopy.MSVBVM60 ref: 004214BD
__vbaStrMove.MSVBVM60 ref: 004214DC

Part of subcall function 0042DDC0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,00000002,?,?,?), ref: 0042DF0A
Part of subcall function 0042DDC0: __vbaStrCopy.MSVBVM60 ref: 0042DF29
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(0042DF6C), ref: 0042DF65

__vbaStrMove.MSVBVM60(?,?), ref: 004214F4
__vbaVarCat.MSVBVM60(?,00000008,?,00000000), ref: 0042153F
#645.MSVBVM60(00000000), ref: 00421546
__vbaStrMove.MSVBVM60 ref: 00421551
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 0042155D
__vbaVarCat.MSVBVM60(?,00000008,?,00000000), ref: 00421581
#645.MSVBVM60(00000000), ref: 00421588
__vbaStrMove.MSVBVM60 ref: 00421593
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 0042159F
__vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,00000000,?), ref: 004215E7
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 00421604
__vbaFreeVar.MSVBVM60(004216C2), ref: 00421682
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00421691
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042169D
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004216A9
__vbaFreeVar.MSVBVM60 ref: 004216B2
__vbaFreeStr.MSVBVM60 ref: 004216BB

Strings

CopyFile, xrefs: 004212A7
37380F1522091E257810143A0B1F2E, xrefs: 00421493
29033A0D0100345E0422172A, xrefs: 00420F1C, 004212F1
Scripting.FileSystemObject, xrefs: 00421176
\key4.db, xrefs: 0042109D, 0042121C
\key3.db, xrefs: 0042151A
euoUjhnGpnQxDvQttwCcdwzCOgunCrxjN, xrefs: 00420F3E, 00421313
bkKfrLfpVVceV, xrefs: 004214B5
\keyDBPath.db, xrefs: 00421238, 0042135F, 00421464

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$Error$BoundsGenerateList$Copy$#645$Chkstk$BstrDestruct$#516#631$#529#537#579#608#632#716CallLatePreserveRedimUboundZero
String ID: 29033A0D0100345E0422172A$37380F1522091E257810143A0B1F2E$CopyFile$Scripting.FileSystemObject$\key3.db$\key4.db$\keyDBPath.db$bkKfrLfpVVceV$euoUjhnGpnQxDvQttwCcdwzCOgunCrxjN
API String ID: 2306589352-2695434336
Opcode ID: ce2dd66f753731c41b740c509cec5fc3a98635359d3c7b3eb54ed915e418490d
Instruction ID: 148a07b3f33077ca753af487e9c8b8e8542d9f074098d1a966a3e0b7b1e41e4b
Opcode Fuzzy Hash: ce2dd66f753731c41b740c509cec5fc3a98635359d3c7b3eb54ed915e418490d
Instruction Fuzzy Hash: 7F320A75900218DFDB14CFA4DD88BDEB7B5FB48304F1082AAE50AB72A4DB745A85CF58

Function 00420EE6 Relevance: 112.5, APIs: 55, Strings: 9, Instructions: 462
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCopy.MSVBVM60 ref: 00420F24

Part of subcall function 0042ECB0: __vbaLenBstr.MSVBVM60(?), ref: 0042ECF6
Part of subcall function 0042ECB0: #632.MSVBVM60(?,?,?,?), ref: 0042ED52
Part of subcall function 0042ECB0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 0042ED68
Part of subcall function 0042ECB0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0042ED6F
Part of subcall function 0042ECB0: #537.MSVBVM60(00000000), ref: 0042ED76
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED81
Part of subcall function 0042ECB0: __vbaStrCat.MSVBVM60(00000000), ref: 0042ED84
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED8B
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED90
Part of subcall function 0042ECB0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042EDA8

__vbaStrMove.MSVBVM60(?), ref: 00420F38
__vbaStrCopy.MSVBVM60 ref: 00420F46
__vbaStrMove.MSVBVM60 ref: 00420F65

Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,6D42D8B1,00000001,6D41A323), ref: 0042DE03
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?), ref: 0042DE39
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?), ref: 0042DE44
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,?), ref: 0042DE47
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0042DE52
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0042DE5B
Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 0042DE79
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DE96
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEA1
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0042DEA4
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB0
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB9
Part of subcall function 0042DDC0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 0042DEDA
Part of subcall function 0042DDC0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 0042DEEC
Part of subcall function 0042DDC0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 0042DEF3
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DEFE

__vbaStrMove.MSVBVM60(?,?), ref: 00420F7D
__vbaGenerateBoundsError.MSVBVM60 ref: 00420FBF
__vbaGenerateBoundsError.MSVBVM60 ref: 00420FDC
__vbaStrMove.MSVBVM60(00000000), ref: 00421011
__vbaStrCat.MSVBVM60(00000000), ref: 00421018
__vbaGenerateBoundsError.MSVBVM60 ref: 00421064
__vbaGenerateBoundsError.MSVBVM60 ref: 00421081
__vbaStrCat.MSVBVM60(\key4.db,00000000), ref: 004210A2
#645.MSVBVM60(00000008,00000000), ref: 004210BE
__vbaStrMove.MSVBVM60 ref: 004210C9
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 004210D5
#645.MSVBVM60(00000008,00000000), ref: 004210EE
__vbaStrMove.MSVBVM60 ref: 004210F9
__vbaStrCmp.MSVBVM60(00405638,00000000), ref: 00421105
__vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,00000000,00000000), ref: 0042113F
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00421155
#716.MSVBVM60(?,Scripting.FileSystemObject,00000000), ref: 0042117F
__vbaVarZero.MSVBVM60 ref: 0042118E
__vbaGenerateBoundsError.MSVBVM60 ref: 004211E3
__vbaGenerateBoundsError.MSVBVM60 ref: 00421200
__vbaStrCat.MSVBVM60(\key4.db,00000000), ref: 00421221
__vbaStrCat.MSVBVM60(\keyDBPath.db,00673F04), ref: 0042123D
__vbaChkstk.MSVBVM60 ref: 00421258
__vbaChkstk.MSVBVM60 ref: 0042127B
__vbaObjVar.MSVBVM60(?,CopyFile,00000002), ref: 004212B3
__vbaLateMemCall.MSVBVM60(00000000), ref: 004212BA
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004212D0
__vbaStrCopy.MSVBVM60 ref: 004212F9
__vbaStrMove.MSVBVM60(?), ref: 0042130D
__vbaStrCopy.MSVBVM60 ref: 0042131B
__vbaStrMove.MSVBVM60 ref: 0042133A
__vbaStrMove.MSVBVM60(?,?), ref: 00421352
__vbaStrCat.MSVBVM60(\keyDBPath.db,00673F04), ref: 00421364
__vbaStrMove.MSVBVM60 ref: 0042136F
__vbaStrMove.MSVBVM60(00000000), ref: 00421403
__vbaStrCat.MSVBVM60(00000000), ref: 0042140A
__vbaStrMove.MSVBVM60 ref: 00421415
__vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,00000000,00000000,?,?,00000000), ref: 0042144E
__vbaFreeVar.MSVBVM60(004216C2), ref: 00421682
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00421691
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042169D
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004216A9
__vbaFreeVar.MSVBVM60 ref: 004216B2
__vbaFreeStr.MSVBVM60 ref: 004216BB
__vbaErrorOverflow.MSVBVM60 ref: 004216D8

Strings

CopyFile, xrefs: 004212A7
37380F1522091E257810143A0B1F2E, xrefs: 00421493
29033A0D0100345E0422172A, xrefs: 00420F1C, 004212F1
Scripting.FileSystemObject, xrefs: 00421176
\key4.db, xrefs: 0042109D, 0042121C
\key3.db, xrefs: 0042151A
euoUjhnGpnQxDvQttwCcdwzCOgunCrxjN, xrefs: 00420F3E, 00421313
bkKfrLfpVVceV, xrefs: 004214B5
\keyDBPath.db, xrefs: 00421238, 0042135F, 00421464

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$Error$BoundsGenerate$List$Copy$BstrDestruct$#516#631#645Chkstk$#537#608#632#716CallLateOverflowZero
String ID: 29033A0D0100345E0422172A$37380F1522091E257810143A0B1F2E$CopyFile$Scripting.FileSystemObject$\key3.db$\key4.db$\keyDBPath.db$bkKfrLfpVVceV$euoUjhnGpnQxDvQttwCcdwzCOgunCrxjN
API String ID: 4274892437-2695434336
Opcode ID: 4a8cfb37dafc87ae9aab9f92088b38fb63c1abf269a135699b79c9f0f8529efe
Instruction ID: 2866e22a18ea5c61690ed582eb5cfe9d80f456b7f23b2903a5a637e82f7acd54
Opcode Fuzzy Hash: 4a8cfb37dafc87ae9aab9f92088b38fb63c1abf269a135699b79c9f0f8529efe
Instruction Fuzzy Hash: 2422EA75900218DFDB14CFA4DD84BDEB7B5FB48304F1082AAE50ABB264DB745A89CF58

Function 0043B450 Relevance: 63.3, APIs: 32, Strings: 4, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCopy.MSVBVM60(?,00000000), ref: 0043B4AA

Part of subcall function 0042ECB0: __vbaLenBstr.MSVBVM60(?), ref: 0042ECF6
Part of subcall function 0042ECB0: #632.MSVBVM60(?,?,?,?), ref: 0042ED52
Part of subcall function 0042ECB0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 0042ED68
Part of subcall function 0042ECB0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0042ED6F
Part of subcall function 0042ECB0: #537.MSVBVM60(00000000), ref: 0042ED76
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED81
Part of subcall function 0042ECB0: __vbaStrCat.MSVBVM60(00000000), ref: 0042ED84
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED8B
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED90
Part of subcall function 0042ECB0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042EDA8

__vbaStrMove.MSVBVM60(?,?,00000000), ref: 0043B4C0
__vbaStrCopy.MSVBVM60(?,00000000), ref: 0043B4CA
__vbaStrMove.MSVBVM60(?,00000000), ref: 0043B4D5

Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,6D42D8B1,00000001,6D41A323), ref: 0042DE03
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?), ref: 0042DE39
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?), ref: 0042DE44
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,?), ref: 0042DE47
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0042DE52
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0042DE5B
Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 0042DE79
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DE96
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEA1
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0042DEA4
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB0
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB9
Part of subcall function 0042DDC0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 0042DEDA
Part of subcall function 0042DDC0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 0042DEEC
Part of subcall function 0042DDC0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 0042DEF3
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DEFE

__vbaStrMove.MSVBVM60(?,?,?,00000000), ref: 0043B4E9

Part of subcall function 00432D60: __vbaFixstrConstruct.MSVBVM60(00000100,?,6D41A323,6D42D8B1,00402BF8), ref: 00432DAC
Part of subcall function 00432D60: __vbaNew2.MSVBVM60(0040B3CC,0043D7AC), ref: 00432DC4
Part of subcall function 00432D60: __vbaHresultCheckObj.MSVBVM60(00000000,021D004C,0040B3BC,00000014), ref: 00432DE9
Part of subcall function 00432D60: __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B924,00000060), ref: 00432E0D
Part of subcall function 00432D60: __vbaStrToAnsi.MSVBVM60(?,?,00000001,00000000,00000000,00000000), ref: 00432E20
Part of subcall function 00432D60: __vbaSetSystemError.MSVBVM60(00000000), ref: 00432E34
Part of subcall function 00432D60: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00432E46
Part of subcall function 00432D60: __vbaFreeObj.MSVBVM60 ref: 00432E4E
Part of subcall function 00432D60: __vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,04000000,00000000), ref: 00432E6D

__vbaStrMove.MSVBVM60(?,?,00000000), ref: 0043B4F9
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?,?,00000000), ref: 0043B511
__vbaLenBstr.MSVBVM60(?), ref: 0043B51E
__vbaObjSet.MSVBVM60(?,00000000,?,00000000), ref: 0043B53B
__vbaNew2.MSVBVM60(0040B590,?), ref: 0043B551
__vbaNew2.MSVBVM60(0040B590,?), ref: 0043B56A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B580,00000024), ref: 0043B58E
__vbaStrCopy.MSVBVM60 ref: 0043B5C9
__vbaStrMove.MSVBVM60(?), ref: 0043B5D9
__vbaStrCopy.MSVBVM60 ref: 0043B5E3
__vbaStrMove.MSVBVM60 ref: 0043B5EE
__vbaStrMove.MSVBVM60(?,?), ref: 0043B602
__vbaStrMove.MSVBVM60(?), ref: 0043B612
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0043B62A
__vbaLenBstr.MSVBVM60(?), ref: 0043B637
__vbaObjSet.MSVBVM60(?,00000000,?,00000000), ref: 0043B654
__vbaNew2.MSVBVM60(0040B590,?), ref: 0043B66A
__vbaNew2.MSVBVM60(0040B590,?), ref: 0043B683
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B580,00000024), ref: 0043B6A7

Part of subcall function 0043B130: __vbaChkstk.MSVBVM60(00000000,004030D6,?,?,?,0043B64F,?,00000000), ref: 0043B14E
Part of subcall function 0043B130: __vbaOnError.MSVBVM60(00000001,6D42D8B1,6D42D83C,00000000,00000000,004030D6), ref: 0043B17E
Part of subcall function 0043B130: __vbaInStr.MSVBVM60(00000000,00407034,?,00000001), ref: 0043B1A1
Part of subcall function 0043B130: __vbaNew.MSVBVM60(0040B590,?,00000001), ref: 0043B1B6
Part of subcall function 0043B130: __vbaObjSet.MSVBVM60(?,00000000,?,00000001), ref: 0043B1C1
Part of subcall function 0043B130: #631.MSVBVM60(?,00000000,?,?,00000000,?,00000000,?,?,?,?,?,00000000), ref: 0043B261
Part of subcall function 0043B130: __vbaStrMove.MSVBVM60(?,?,?,?,?,00000000), ref: 0043B26C
Part of subcall function 0043B130: __vbaFreeVar.MSVBVM60(?,?,?,?,?,00000000), ref: 0043B275
Part of subcall function 0043B130: __vbaLenBstr.MSVBVM60(?,?,?,?,?,?,00000000), ref: 0043B286

__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B580,0000001C), ref: 0043B6DA
__vbaStrVarMove.MSVBVM60(?), ref: 0043B6E4
__vbaStrMove.MSVBVM60 ref: 0043B6EF
__vbaFreeVarList.MSVBVM60(00000002,00000003,?), ref: 0043B6FB
__vbaCastObj.MSVBVM60(00000000,0040B580), ref: 0043B70A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043B715
__vbaFreeObj.MSVBVM60(0043B774), ref: 0043B764
__vbaFreeStr.MSVBVM60 ref: 0043B76D

Strings

243224056D594B0F1A1C7E1F2F282527331A3B1A011F0845331D2763252824102518010C421E241B2625382F350678050C171A463902643F24323D19, xrefs: 0043B5C1
LLFPuWvdxmkPrJ, xrefs: 0043B5DB
SpPNKQwBzuVGaGhvnlwxFaZxbOUrNHuL, xrefs: 0043B4C2
18243A3B6B586D091D3930083746180B18, xrefs: 0043B481

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$Bstr$CheckHresultListNew2$Copy$#631$#516AnsiError$#537#608#632CastChkstkConstructFixstrSystem
String ID: 18243A3B6B586D091D3930083746180B18$243224056D594B0F1A1C7E1F2F282527331A3B1A011F0845331D2763252824102518010C421E241B2625382F350678050C171A463902643F24323D19$LLFPuWvdxmkPrJ$SpPNKQwBzuVGaGhvnlwxFaZxbOUrNHuL
API String ID: 506135884-254834455
Opcode ID: c7ca0da1a820324615540ce11aef674412e4f0e6bfef45e80b03f87704290eb7
Instruction ID: 7d141aa7d3ed1d9da838c4570f9a9e6872d5fd1a0e93dfffe954eccb862b3cd6
Opcode Fuzzy Hash: c7ca0da1a820324615540ce11aef674412e4f0e6bfef45e80b03f87704290eb7
Instruction Fuzzy Hash: 5AA10AB5D00208ABCB04DFA4DD85DEEBBB9FF58304F50452AE501B3294EB74A949CBA4

Function 0042CE60 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,004030D6,?,?,?,?,00000000,004030D6), ref: 0042CE7E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,004030D6), ref: 0042CEAE
__vbaStrCat.MSVBVM60(004055A8,00673F04,?,?,?,?,004030D6), ref: 0042CECD
#645.MSVBVM60(00000008,00000000), ref: 0042CEE3
__vbaVarMove.MSVBVM60 ref: 0042CEF9
__vbaFreeVar.MSVBVM60 ref: 0042CF02
__vbaVarTstGt.MSVBVM60(00008008,?), ref: 0042CF2E
__vbaInStrVar.MSVBVM60(00000008,00000000,00000008,?,00000001), ref: 0042CF6E
__vbaBoolVarNull.MSVBVM60(00000000), ref: 0042CF75
__vbaFreeVar.MSVBVM60 ref: 0042CF85
__vbaStrCat.MSVBVM60(004055A8,00673F04), ref: 0042CFAD
__vbaVarCat.MSVBVM60(?,?,00000008), ref: 0042CFC9
__vbaStrVarMove.MSVBVM60(00000000), ref: 0042CFD0
__vbaStrMove.MSVBVM60 ref: 0042CFDB
__vbaVarAdd.MSVBVM60(0000000A,?,00000008), ref: 0042D004
__vbaStrVarMove.MSVBVM60(00000000), ref: 0042D00B
__vbaStrMove.MSVBVM60 ref: 0042D016
__vbaStrCopy.MSVBVM60 ref: 0042D024
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?), ref: 0042D049
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,004030D6), ref: 0042D060
#645.MSVBVM60(0000000A,00000000), ref: 0042D084
__vbaVarMove.MSVBVM60 ref: 0042D09A
__vbaFreeVar.MSVBVM60 ref: 0042D0A3
__vbaFreeVar.MSVBVM60(0042D101), ref: 0042D0FA

Strings

DC-, xrefs: 0042CFE1

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$FreeMove$#645List$BoolChkstkCopyErrorNull
String ID: DC-
API String ID: 3297433690-374979773
Opcode ID: 26c508b0efb7a3f2dd2bc1a794d53deebec9bbb108115986b4b8cf92c67ff8c4
Instruction ID: 1db37241595eed83e49b42a545dd208904091c7f2e3788530489d51feca028ad
Opcode Fuzzy Hash: 26c508b0efb7a3f2dd2bc1a794d53deebec9bbb108115986b4b8cf92c67ff8c4
Instruction Fuzzy Hash: 0C61E5B5D01208DBDB04DFD0DA48BDEBBB8BB44305F10816AE156B72A4DB785A4ACF64

Function 00434340 Relevance: 27.2, APIs: 18, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 0043438E

Part of subcall function 00433FD0: #644.MSVBVM60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,004030D6), ref: 00434010
Part of subcall function 00433FD0: __vbaSetSystemError.MSVBVM60(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 00434026
Part of subcall function 00433FD0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 00434049
Part of subcall function 00433FD0: #644.MSVBVM60 ref: 00434055
Part of subcall function 00433FD0: __vbaAryLock.MSVBVM60(?,?), ref: 00434061
Part of subcall function 00433FD0: __vbaGenerateBoundsError.MSVBVM60 ref: 00434080
Part of subcall function 00433FD0: #644.MSVBVM60(00000000), ref: 0043409C
Part of subcall function 00433FD0: __vbaAryUnlock.MSVBVM60(?), ref: 004340A8
Part of subcall function 00433FD0: __vbaSetSystemError.MSVBVM60(0000FDE9,00000000,00000000,000000FF,00000000,?,00000000,00000000), ref: 004340C8
Part of subcall function 00433FD0: __vbaAryMove.MSVBVM60(?,?), ref: 004340DA

__vbaAryMove.MSVBVM60(?,?,004030D6), ref: 004343AB
__vbaLbound.MSVBVM60(00000001,?), ref: 004343B7
__vbaUbound.MSVBVM60(00000001,?), ref: 004343C5
__vbaAryLock.MSVBVM60(?,?), ref: 004343E6
__vbaGenerateBoundsError.MSVBVM60 ref: 00434405
__vbaGenerateBoundsError.MSVBVM60 ref: 00434412
#644.MSVBVM60(00000000), ref: 00434427
__vbaAryUnlock.MSVBVM60(?), ref: 00434430
__vbaSetSystemError.MSVBVM60(?,?,-00000001,?,?), ref: 0043444E
__vbaAryLock.MSVBVM60(?,?), ref: 0043445C
__vbaGenerateBoundsError.MSVBVM60 ref: 0043447B
__vbaGenerateBoundsError.MSVBVM60 ref: 00434488
#644.MSVBVM60(00000000), ref: 00434497
__vbaAryUnlock.MSVBVM60(?), ref: 004344A0
__vbaAryDestruct.MSVBVM60(00000000,?,004344DC), ref: 004344D2
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004344D9
__vbaErrorOverflow.MSVBVM60 ref: 004344F2

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Error$#644BoundsGenerate$LockSystemUnlock$DestructMoveRedim$LboundOverflowUbound
String ID:
API String ID: 797121997-0
Opcode ID: 0ff4f9c375fc9a002e708f26a3e64313d63bac8ad865b8ed3364c11f8407c5a4
Instruction ID: 88a4fe5662ae132e369218b539252e1528eab087a0082d5dac4710f8b3e33bee
Opcode Fuzzy Hash: 0ff4f9c375fc9a002e708f26a3e64313d63bac8ad865b8ed3364c11f8407c5a4
Instruction Fuzzy Hash: CA514175D00208AFCB04DFA4D984AEEBBB9FF9C311F10916AE901B7250D775A981CBB4

Function 00403594 Relevance: 1.6, APIs: 1, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(0040395C), ref: 00403599

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: #100
String ID:
API String ID: 1341478452-0
Opcode ID: 9e375ff4bd4ff85bb6d024bd5d01d59783b55c289b3890a78a95727a28be94a2
Instruction ID: ad94f3499f5236c38dba45d96a2030cf6345d8244fc78b2f63b5b467db205825
Opcode Fuzzy Hash: 9e375ff4bd4ff85bb6d024bd5d01d59783b55c289b3890a78a95727a28be94a2
Instruction Fuzzy Hash: D14103A644E7C19FD7038B749C662817FB09E13215B1E45EBC4C1CF5E3E22E490AC726

Non-executed Functions

Function 00426E80 Relevance: 629.2, APIs: 328, Strings: 30, Instructions: 2744COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,6D4F595C,00000000,6D441654), ref: 00426F07
__vbaUbound.MSVBVM60(00000001,00000000), ref: 00426F1E
__vbaI2I4.MSVBVM60 ref: 00426F22
__vbaAryLock.MSVBVM60(?), ref: 00426F42
__vbaGenerateBoundsError.MSVBVM60 ref: 00426F66
__vbaGenerateBoundsError.MSVBVM60 ref: 00426F77
#573.MSVBVM60(?,00004011), ref: 00426F97
__vbaAryUnlock.MSVBVM60(?), ref: 00426FA1
__vbaVarMove.MSVBVM60 ref: 00426FB0
__vbaVarTstEq.MSVBVM60(00008002,?), ref: 00426FCF
__vbaUbound.MSVBVM60(00000001,?), ref: 00426FE4
__vbaUbound.MSVBVM60(00000001,?,00000000), ref: 00426FF0
__vbaGenerateBoundsError.MSVBVM60 ref: 00427030
__vbaGenerateBoundsError.MSVBVM60 ref: 0042703E
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 00427060
__vbaUbound.MSVBVM60(00000001,?), ref: 0042706F
__vbaUbound.MSVBVM60(00000001), ref: 00427080
__vbaUbound.MSVBVM60(00000001,?), ref: 004270A9
__vbaUbound.MSVBVM60(00000001,?), ref: 004270D1
#681.MSVBVM60(?,0000000B,00000003,00000003), ref: 004270FD
__vbaI2Var.MSVBVM60(?), ref: 00427107
__vbaFreeVarList.MSVBVM60(00000004,0000000B,00000003,00000003,?), ref: 00427122
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 0042714B
__vbaAryMove.MSVBVM60(?,?,?,0000000B,?,?,00000000,00004002), ref: 004271E0
__vbaVarTstEq.MSVBVM60(00008002,?), ref: 0042720A
__vbaAryLock.MSVBVM60(?), ref: 00427220
__vbaGenerateBoundsError.MSVBVM60 ref: 00427251
__vbaGenerateBoundsError.MSVBVM60 ref: 00427262
__vbaUbound.MSVBVM60(00000001), ref: 00427285
__vbaGenerateBoundsError.MSVBVM60 ref: 004272D3
__vbaGenerateBoundsError.MSVBVM60 ref: 004272E7
__vbaUbound.MSVBVM60(00000001), ref: 004272F8
#681.MSVBVM60(?,0000000B,00000003,00004011), ref: 0042734A
__vbaAryUnlock.MSVBVM60(?), ref: 00427354
__vbaI2Var.MSVBVM60(?), ref: 0042735E
__vbaFreeVarList.MSVBVM60(00000003,0000000B,00000003,?), ref: 00427375
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 0042739E
__vbaStrMove.MSVBVM60(?,?,?,0000000B,?,?,00000000,00004002), ref: 00427440
__vbaFreeStr.MSVBVM60(00000008,00006008), ref: 00427480
__vbaFreeVar.MSVBVM60 ref: 00427489
__vbaRedimPreserve.MSVBVM60(00000180,00000004,?,00000008,00000001,?,00000000), ref: 004274B9
__vbaGenerateBoundsError.MSVBVM60 ref: 004274F1
__vbaGenerateBoundsError.MSVBVM60 ref: 0042750C
__vbaStrMove.MSVBVM60(?,?,?), ref: 00427534
__vbaVarTstEq.MSVBVM60(00008002,?), ref: 00427566
__vbaAryLock.MSVBVM60(?), ref: 0042757C
__vbaGenerateBoundsError.MSVBVM60 ref: 004275AD
__vbaGenerateBoundsError.MSVBVM60 ref: 004275BE
__vbaUbound.MSVBVM60(00000001), ref: 004275E1
__vbaGenerateBoundsError.MSVBVM60 ref: 0042762F
__vbaGenerateBoundsError.MSVBVM60 ref: 00427643
__vbaUbound.MSVBVM60(00000001), ref: 00427654
#681.MSVBVM60(?,0000000B,00000003,00004011), ref: 004276A6
__vbaAryUnlock.MSVBVM60(?), ref: 004276B0
__vbaI2Var.MSVBVM60(?), ref: 004276BA
__vbaFreeVarList.MSVBVM60(00000003,0000000B,00000003,?), ref: 004276D1
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 004276FA
__vbaStrMove.MSVBVM60(?,?,?,0000000B,?,?,00000000,00004002), ref: 0042779C
__vbaFreeStr.MSVBVM60(00000008,00006008), ref: 004277DC
__vbaFreeVar.MSVBVM60 ref: 004277E5
__vbaRedimPreserve.MSVBVM60(00000180,00000004,?,00000008,00000001,?,00000000), ref: 00427815
__vbaGenerateBoundsError.MSVBVM60 ref: 0042784D
__vbaGenerateBoundsError.MSVBVM60 ref: 00427868
__vbaStrMove.MSVBVM60(?,?,?), ref: 00427890
__vbaVarTstEq.MSVBVM60(00008002,?), ref: 004278C2
__vbaAryLock.MSVBVM60(?), ref: 004278D8
__vbaGenerateBoundsError.MSVBVM60 ref: 00427909
__vbaGenerateBoundsError.MSVBVM60 ref: 0042791A
__vbaUbound.MSVBVM60(00000001), ref: 0042793D
__vbaGenerateBoundsError.MSVBVM60 ref: 0042798B
__vbaGenerateBoundsError.MSVBVM60 ref: 0042799F
__vbaUbound.MSVBVM60(00000001), ref: 004279B0
#681.MSVBVM60(?,0000000B,00000003,00004011), ref: 00427A02
__vbaAryUnlock.MSVBVM60(?), ref: 00427A0C
__vbaI2Var.MSVBVM60(?), ref: 00427A16
__vbaFreeVarList.MSVBVM60(00000003,0000000B,00000003,?), ref: 00427A2D
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 00427A56
__vbaStrMove.MSVBVM60(?,?,?,0000000B,?,?,00000000,00004002), ref: 00427AF8
__vbaFreeStr.MSVBVM60(00000008,00006008), ref: 00427B38
__vbaFreeVar.MSVBVM60 ref: 00427B41
__vbaRedimPreserve.MSVBVM60(00000180,00000004,?,00000008,00000001,?,00000000), ref: 00427B71
__vbaGenerateBoundsError.MSVBVM60 ref: 00427BA9
__vbaGenerateBoundsError.MSVBVM60 ref: 00427BC4
__vbaStrMove.MSVBVM60(?,?,?), ref: 00427BEC
__vbaStrCopy.MSVBVM60 ref: 00427C02
__vbaFreeStr.MSVBVM60 ref: 00427C0B
__vbaAryMove.MSVBVM60(?,?), ref: 00427C49
__vbaExitProc.MSVBVM60 ref: 00427C4F
__vbaFreeVar.MSVBVM60(00427CC7), ref: 00427C9F
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00427CB4
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00427CBC
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00427CC4
__vbaErrorOverflow.MSVBVM60 ref: 00427CDD
__vbaChkstk.MSVBVM60(00000000,004030D6), ref: 00427D0E
__vbaOnError.MSVBVM60(000000FF,?,00000000,6D4245C1,00000000,004030D6), ref: 00427D3E
__vbaStrMove.MSVBVM60(00000000), ref: 00427D88
#712.MSVBVM60(?,0040A43C,00405638,00000001,000000FF,00000000), ref: 00427DA9
__vbaStrMove.MSVBVM60 ref: 00427DB4
__vbaAryMove.MSVBVM60(?,?,?), ref: 00427DD4
__vbaFreeStr.MSVBVM60 ref: 00427DDD
__vbaUbound.MSVBVM60(00000001,00000000,00000000), ref: 00427DFB
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000002), ref: 00427E1A

Strings

===============DARKCLOUD===============, xrefs: 004293B6
fZCnjHnpIGuWYufYFuJTsZzMYQpNVmCSBggClUwgmL, xrefs: 0042932B
TransformFinalBlock, xrefs: 004282C2
TcDrGNJvvKjh, xrefs: 0042927C
Mode, xrefs: 0042803A
lTHVnVqKJBd, xrefs: 004291CD
Key, xrefs: 00428161
uEBZFSmshDumGXdYuWpcplOStFWJkCkRfazgXDZGVGf, xrefs: 00428653
BlockSize, xrefs: 00428084
CreateDecryptor, xrefs: 004281CC
202C39342A1D070D20201E222A0A381832, xrefs: 0042861C
, xrefs: 00427D66
172C3A023905, xrefs: 0042852D
System.Security.Cryptography.RijndaelManaged, xrefs: 00427FD8
33250134392504126B5048, xrefs: 00429262
0, xrefs: 00426FB6
vyIBvpaiHxuLZzjYMbEbfFd, xrefs: 0042854D
MNTVLbJTXiVBquwyZcTsld, xrefs: 0042886D
2B3A353E1B3A203D0D0623020600162807, xrefs: 00428836
04233E1F1F312632, xrefs: 00428F80
`!@, xrefs: 00427DF3, 00427F64
UyaPQrUXaRqkVqBTuLemrVD, xrefs: 00428689, 004288AD, 0042900E
Url : , xrefs: 00428FBB
Padding, xrefs: 00428118
013B331C3810262F625E4C, xrefs: 004291B3
150E37381C26, xrefs: 00428636, 00428850, 00428F9A
keySize, xrefs: 004280CE
Item, xrefs: 0042859E, 004286EF, 0042871A, 00428743, 00428913, 0042893F, 00428968, 00429086, 004290B1, 004290DA
1B331E06210D113D2E1A39794F46, xrefs: 00429311
VlLMkqPKWxGJQEliJlPhUt, xrefs: 00428FD8

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Error$BoundsGenerate$Ubound$Free$Move$Redim$#681ListLockUnlock$DestructPreserve$#573#712ChkstkCopyExitOverflowProc
String ID: $0$013B331C3810262F625E4C$04233E1F1F312632$150E37381C26$172C3A023905$1B331E06210D113D2E1A39794F46$202C39342A1D070D20201E222A0A381832$2B3A353E1B3A203D0D0623020600162807$33250134392504126B5048$===============DARKCLOUD===============$BlockSize$CreateDecryptor$Item$Key$MNTVLbJTXiVBquwyZcTsld$Mode$Padding$System.Security.Cryptography.RijndaelManaged$TcDrGNJvvKjh$TransformFinalBlock$Url : $UyaPQrUXaRqkVqBTuLemrVD$VlLMkqPKWxGJQEliJlPhUt$`!@$fZCnjHnpIGuWYufYFuJTsZzMYQpNVmCSBggClUwgmL$keySize$lTHVnVqKJBd$uEBZFSmshDumGXdYuWpcplOStFWJkCkRfazgXDZGVGf$vyIBvpaiHxuLZzjYMbEbfFd
API String ID: 2339242223-2799284628
Opcode ID: 0aa991530f0138b0e912fbe64848bef25baf898777cbad4e2a8bc505298c3c53
Instruction ID: 69a27fba8a8bb1aa44ce51dd9ea69ca7944159238cb36973c334c165effb367a
Opcode Fuzzy Hash: 0aa991530f0138b0e912fbe64848bef25baf898777cbad4e2a8bc505298c3c53
Instruction Fuzzy Hash: DB434A75E002189FDB14DFA4D984BEEBBB5FF48300F1081AEE50AAB291DB745A85CF54

Function 0040421E Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c8975d0672eb8d9febd7d473504c5da8353890e5506594f0392ecb3feca656
Instruction ID: bd41cdccd1b3342421176d3f0e086dba6e5a083b99d036acf6137c76ee296033
Opcode Fuzzy Hash: b8c8975d0672eb8d9febd7d473504c5da8353890e5506594f0392ecb3feca656
Instruction Fuzzy Hash: 01B133A008E3C05FD7178774496A5A27FB0AE8321470E46EBC9C4DF5F3D26C995AC32A

Function 00433740 Relevance: 147.4, APIs: 73, Strings: 11, Instructions: 400COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004030D6,?,?,0043347C,?,00402BF8,00000000), ref: 0043375E
__vbaOnError.MSVBVM60(000000FF,6D41A323,6D42D8B1,6D42D8F4,?,004030D6), ref: 0043378E
#648.MSVBVM60(0000000A), ref: 004337AD
__vbaFreeVar.MSVBVM60 ref: 004337BA
__vbaFileOpen.MSVBVM60(00000120,000000FF,?), ref: 004337D9
#570.MSVBVM60(?), ref: 004337EB
#570.MSVBVM60(?,00000000), ref: 00433807
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001), ref: 00433826
__vbaGetOwner3.MSVBVM60(0040A444,?,?), ref: 00433844
#717.MSVBVM60(?,00006011,00000040,00000000), ref: 00433870
__vbaStrVarMove.MSVBVM60(?), ref: 0043387A
__vbaStrMove.MSVBVM60 ref: 00433885
__vbaFreeVar.MSVBVM60 ref: 0043388E
__vbaFileClose.MSVBVM60(?), ref: 004338A0
#709.MSVBVM60(00000000,004055A8,000000FF,00000000), ref: 004338BC
__vbaStrCat.MSVBVM60(3fbd04f5-b1ed-4060-99b9-fca7ff59c113,0040BBD8), ref: 004338E0
__vbaStrMove.MSVBVM60 ref: 004338EB
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 004338F7
__vbaStrMove.MSVBVM60 ref: 00433902
__vbaStrCat.MSVBVM60(Content-Disposition: form-data; name="document"; filename=",00000000), ref: 0043390E
__vbaStrMove.MSVBVM60 ref: 00433919
#631.MSVBVM60(0000000A,?,0000000A,00000000), ref: 0043393A
__vbaStrMove.MSVBVM60 ref: 00433945
__vbaStrCat.MSVBVM60(00000000), ref: 0043394C
__vbaStrMove.MSVBVM60 ref: 00433957
__vbaStrCat.MSVBVM60(00409DD4,00000000), ref: 00433963
__vbaStrMove.MSVBVM60 ref: 0043396E
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 0043397A
__vbaStrMove.MSVBVM60 ref: 00433985
__vbaStrCat.MSVBVM60(Content-Type: application/octet-stream,00000000), ref: 00433991
__vbaStrMove.MSVBVM60 ref: 0043399C
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 004339A8
__vbaStrMove.MSVBVM60 ref: 004339B3
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 004339BF
__vbaStrMove.MSVBVM60 ref: 004339CA
__vbaStrCat.MSVBVM60(?,00000000), ref: 004339D5
__vbaStrMove.MSVBVM60 ref: 004339E0
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 004339EC
__vbaStrMove.MSVBVM60 ref: 004339F7
__vbaStrCat.MSVBVM60(0040BBD8,00000000), ref: 00433A03
__vbaStrMove.MSVBVM60 ref: 00433A0E
__vbaStrCat.MSVBVM60(3fbd04f5-b1ed-4060-99b9-fca7ff59c113,00000000), ref: 00433A1A
__vbaStrMove.MSVBVM60 ref: 00433A25
__vbaStrCat.MSVBVM60(0040BBD8,00000000), ref: 00433A31
__vbaStrMove.MSVBVM60 ref: 00433A3C
__vbaFreeStrList.MSVBVM60(0000000E,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00433A7C
__vbaFreeVar.MSVBVM60 ref: 00433A88
#716.MSVBVM60(?,Microsoft.XMLHTTP,00000000), ref: 00433AA0
__vbaVarZero.MSVBVM60 ref: 00433AAF
__vbaChkstk.MSVBVM60 ref: 00433B04
__vbaChkstk.MSVBVM60 ref: 00433B2D
__vbaChkstk.MSVBVM60 ref: 00433B5C
__vbaObjVar.MSVBVM60(?,Open,00000003), ref: 00433B94
__vbaLateMemCall.MSVBVM60(00000000), ref: 00433B9B
__vbaStrCat.MSVBVM60(3fbd04f5-b1ed-4060-99b9-fca7ff59c113,multipart/form-data; boundary=), ref: 00433BC6
__vbaChkstk.MSVBVM60 ref: 00433BDB
__vbaChkstk.MSVBVM60 ref: 00433C04
__vbaObjVar.MSVBVM60(?,SetRequestHeader,00000002), ref: 00433C30
__vbaLateMemCall.MSVBVM60(00000000), ref: 00433C37
__vbaFreeVar.MSVBVM60 ref: 00433C43

Part of subcall function 00433DC0: #717.MSVBVM60(?,?,00000080,00000000,6D41A323,6D42D8B1,6D42D8F4), ref: 00433E0F
Part of subcall function 00433DC0: __vbaVar2Vec.MSVBVM60(?,?), ref: 00433E1D
Part of subcall function 00433DC0: __vbaAryMove.MSVBVM60(?,?), ref: 00433E2B
Part of subcall function 00433DC0: __vbaFreeVar.MSVBVM60 ref: 00433E34

__vbaChkstk.MSVBVM60(?), ref: 00433C68
__vbaObjVar.MSVBVM60(?,Send,00000001,?), ref: 00433C94
__vbaLateMemCall.MSVBVM60(00000000), ref: 00433C9B
__vbaFreeVar.MSVBVM60 ref: 00433CA7
__vbaVarLateMemCallLd.MSVBVM60(00002011,?,ResponseText,00000000), ref: 00433CD5
__vbaStrVarMove.MSVBVM60(00000000), ref: 00433CDF
__vbaStrMove.MSVBVM60 ref: 00433CEA
__vbaFreeVar.MSVBVM60 ref: 00433CF3
__vbaFreeVar.MSVBVM60(00433DA2), ref: 00433D77
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00433D86
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00433D92
__vbaFreeStr.MSVBVM60 ref: 00433D9B
__vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00433DB8

Strings

Send, xrefs: 00433C88
POST, xrefs: 00433AC8
Open, xrefs: 00433B88
multipart/form-data; boundary=, xrefs: 00433BBC
Content-Type: application/octet-stream, xrefs: 0043398C
3fbd04f5-b1ed-4060-99b9-fca7ff59c113, xrefs: 004338DB, 00433A15, 00433BC1
SetRequestHeader, xrefs: 00433C24
ResponseText, xrefs: 00433CC5
Content-Disposition: form-data; name="document"; filename=", xrefs: 00433909
Microsoft.XMLHTTP, xrefs: 00433A97
Content-Type, xrefs: 00433BAB

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$Chkstk$CallLate$#570#717DestructErrorFile$#631#648#709#716CloseListOpenOverflowOwner3RedimVar2Zero
String ID: 3fbd04f5-b1ed-4060-99b9-fca7ff59c113$Content-Disposition: form-data; name="document"; filename="$Content-Type$Content-Type: application/octet-stream$Microsoft.XMLHTTP$Open$POST$ResponseText$Send$SetRequestHeader$multipart/form-data; boundary=
API String ID: 2419222664-2892837455
Opcode ID: 9b3dd352fb8597096a7947ced147fcab4abf5c339d60ff12e7058089d33db6f1
Instruction ID: 843c1557afdae08a8ab1e1ceb0dcaac502338ed626f3d5af09d51046d44df673
Opcode Fuzzy Hash: 9b3dd352fb8597096a7947ced147fcab4abf5c339d60ff12e7058089d33db6f1
Instruction Fuzzy Hash: 2F02D675900208DFDB14DFA4DD88BDEBBB5FB48301F20826AE506B72A1DB745A85CF58

Function 00430E90 Relevance: 131.7, APIs: 72, Strings: 3, Instructions: 480COMMON

Download Yara Rule

APIs

Part of subcall function 00432090: __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 004320ED
Part of subcall function 00432090: #632.MSVBVM60(?,?,00000000,?,?,?,00000000), ref: 00432131
Part of subcall function 00432090: __vbaVarMove.MSVBVM60(?,?,00000000), ref: 00432140
Part of subcall function 00432090: __vbaFreeVar.MSVBVM60(?,?,00000000), ref: 00432149
Part of subcall function 00432090: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,00000000), ref: 00432169
Part of subcall function 00432090: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00432189
Part of subcall function 00432090: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,00000000), ref: 004321A9
Part of subcall function 00432090: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 004321C9
Part of subcall function 00432090: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 004321E9

#632.MSVBVM60(?,?,?,?,H*@,?,6D51C2DA,00000000,?), ref: 00430F1F
__vbaStrVarMove.MSVBVM60(?,?,?,H*@,?,6D51C2DA,00000000,?), ref: 00430F29
__vbaStrMove.MSVBVM60(?,?,H*@,?,6D51C2DA,00000000,?), ref: 00430F3A
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,H*@,?,6D51C2DA,00000000,?), ref: 00430F46
__vbaLenBstr.MSVBVM60(00000000,6D51C2DA,00000000,?), ref: 00430F64
#632.MSVBVM60(?,00004008,?,00000002), ref: 00430FA8
__vbaStrVarMove.MSVBVM60(?), ref: 00430FB2
__vbaStrMove.MSVBVM60 ref: 00430FBD
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00430FC9
__vbaStrCopy.MSVBVM60 ref: 00430FD8
__vbaStrCmp.MSVBVM60(004055A8,?), ref: 00430FED
#632.MSVBVM60(?,00004008,-00000001,00000002), ref: 0043102C
__vbaStrVarMove.MSVBVM60(?), ref: 00431036
__vbaStrMove.MSVBVM60 ref: 00431041
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0043104D
__vbaStrCopy.MSVBVM60 ref: 0043105F
__vbaStrCmp.MSVBVM60(00409DD4,?), ref: 00431071
__vbaStrCmp.MSVBVM60(004055A8,?), ref: 00431087
__vbaStrCmp.MSVBVM60(0040505C,?), ref: 0043109D
__vbaStrCmp.MSVBVM60(0040B69C,?), ref: 004310B3
__vbaStrCmp.MSVBVM60(0040B6B4,?), ref: 004310C9
__vbaStrCat.MSVBVM60(0040B6BC,?), ref: 004310D8
__vbaStrMove.MSVBVM60 ref: 004310E3
__vbaStrCmp.MSVBVM60(0040B6AC,?), ref: 004310F6
__vbaStrCat.MSVBVM60(0040B6C4,?), ref: 00431105
__vbaStrMove.MSVBVM60 ref: 00431110
__vbaStrCopy.MSVBVM60 ref: 0043111F

Part of subcall function 0042ECB0: __vbaLenBstr.MSVBVM60(?), ref: 0042ECF6
Part of subcall function 0042ECB0: #632.MSVBVM60(?,?,?,?), ref: 0042ED52
Part of subcall function 0042ECB0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 0042ED68
Part of subcall function 0042ECB0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0042ED6F
Part of subcall function 0042ECB0: #537.MSVBVM60(00000000), ref: 0042ED76
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED81
Part of subcall function 0042ECB0: __vbaStrCat.MSVBVM60(00000000), ref: 0042ED84
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED8B
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED90
Part of subcall function 0042ECB0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042EDA8

__vbaStrMove.MSVBVM60(?), ref: 00431133
__vbaStrCopy.MSVBVM60 ref: 0043113D
__vbaStrMove.MSVBVM60 ref: 00431150

Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,6D42D8B1,00000001,6D41A323), ref: 0042DE03
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?), ref: 0042DE39
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?), ref: 0042DE44
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,?), ref: 0042DE47
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0042DE52
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0042DE5B
Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 0042DE79
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DE96
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEA1
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0042DEA4
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB0
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB9
Part of subcall function 0042DDC0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 0042DEDA
Part of subcall function 0042DDC0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 0042DEEC
Part of subcall function 0042DDC0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 0042DEF3
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DEFE

__vbaStrMove.MSVBVM60(?,?,?), ref: 0043116B
__vbaStrCmp.MSVBVM60(00000000), ref: 0043116E
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0043118F
__vbaStrCat.MSVBVM60(0040B6CC,?), ref: 004311A6
__vbaStrMove.MSVBVM60 ref: 004311B1
__vbaStrCopy.MSVBVM60 ref: 004311D3
__vbaStrMove.MSVBVM60(?), ref: 004311E3
__vbaStrCopy.MSVBVM60 ref: 004311ED
__vbaStrMove.MSVBVM60 ref: 004311FC
__vbaStrMove.MSVBVM60(?,?,?), ref: 00431217
__vbaStrCmp.MSVBVM60(00000000), ref: 0043121A
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0043123F
__vbaStrCat.MSVBVM60(0040B6D4,?), ref: 00431256
__vbaStrMove.MSVBVM60 ref: 00431261
__vbaStrCmp.MSVBVM60(0040B6A4,?), ref: 00431287
__vbaStrCat.MSVBVM60(004075A8,?), ref: 00431296
__vbaStrMove.MSVBVM60 ref: 004312A1
__vbaStrCmp.MSVBVM60(0040B6DC,?), ref: 004312C1
#632.MSVBVM60(?,00004008,-00000001,00000002), ref: 00431300
__vbaStrVarMove.MSVBVM60(?), ref: 00431310
__vbaStrMove.MSVBVM60 ref: 00431317
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00431323
__vbaStrCat.MSVBVM60(?,0040B6E4), ref: 00431342
__vbaStrMove.MSVBVM60 ref: 0043134D
#581.MSVBVM60(00000000), ref: 00431350
__vbaFpI4.MSVBVM60 ref: 00431356
#698.MSVBVM60(00000002,00000000), ref: 00431361
__vbaVarAdd.MSVBVM60(?,00000002,00000008), ref: 00431373
__vbaStrVarMove.MSVBVM60(00000000), ref: 0043137A
__vbaStrMove.MSVBVM60 ref: 00431381
__vbaFreeStr.MSVBVM60 ref: 00431386
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00431396
__vbaStrCat.MSVBVM60(?,?), ref: 004313B1
__vbaStrMove.MSVBVM60 ref: 004313BC
__vbaStrCmp.MSVBVM60(?,?), ref: 004313CB
__vbaStrCat.MSVBVM60(?,?), ref: 004313D9
__vbaStrMove.MSVBVM60 ref: 004313E4
__vbaFreeStrList.MSVBVM60(00000002,?,?,00431478), ref: 00431459
__vbaFreeStr.MSVBVM60 ref: 0043146B
__vbaFreeStr.MSVBVM60 ref: 00431470
__vbaFreeStr.MSVBVM60 ref: 00431475
__vbaErrorOverflow.MSVBVM60(6D51C2DA,00000000,?), ref: 0043148E

Strings

xkkmUOcnApOwfnMrtRiLqYdmoMgvcQZQmvQyWtcMFt, xrefs: 004311E5
IKtURdOrQrJTUtVlROvWiJksPlxjRXfYF, xrefs: 00431135
H*@, xrefs: 00430EBF, 00430F5C, 00430F80, 00430FF9, 004312CD, 00430EC5

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$List$#632Copy$Bstr$#516#631$#537#581#608#698ErrorOverflow
String ID: H*@$IKtURdOrQrJTUtVlROvWiJksPlxjRXfYF$xkkmUOcnApOwfnMrtRiLqYdmoMgvcQZQmvQyWtcMFt
API String ID: 2359777993-3665930674
Opcode ID: cd28e77be0078b63d90f20bfcb5e4e65dae47d6d4f20bbb5590f6c8db0beaba6
Instruction ID: b9b5ffc12ea54c4bd0cdd54bfa319bf6882a5c54f90221c1218fe6ef8a3543d2
Opcode Fuzzy Hash: cd28e77be0078b63d90f20bfcb5e4e65dae47d6d4f20bbb5590f6c8db0beaba6
Instruction Fuzzy Hash: A1022AB19002099FDB14DFA4DD85EEEBBB8FF58300F10412AE546B7264EB74A945CF68

Function 0041B890 Relevance: 124.7, APIs: 70, Strings: 1, Instructions: 476COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004030D6), ref: 0041B8AE
__vbaOnError.MSVBVM60(000000FF,004019D0,-00000001,6D4FEC2C,00000000,004030D6), ref: 0041B8DE
__vbaStrCat.MSVBVM60(00000000), ref: 0041B8FE
__vbaVarMove.MSVBVM60 ref: 0041B91D
__vbaLenBstr.MSVBVM60 ref: 0041B930
__vbaStrCat.MSVBVM60(0040796C,?), ref: 0041B9A0
__vbaStrMove.MSVBVM60 ref: 0041B9AE
#631.MSVBVM60(00000002,-00000001,00000002,00000000), ref: 0041B9CF
__vbaStrMove.MSVBVM60 ref: 0041B9DD
__vbaStrCat.MSVBVM60(00000000), ref: 0041B9E4
__vbaStrMove.MSVBVM60 ref: 0041B9F2
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041BA08
__vbaFreeVar.MSVBVM60 ref: 0041BA17
__vbaAryMove.MSVBVM60(?,?,?), ref: 0041BA4D
__vbaRecDestruct.MSVBVM60(004050BC,?), ref: 0041BA6D
__vbaRecAssign.MSVBVM60(004050BC,?,?,?), ref: 0041BA98
__vbaAryCopy.MSVBVM60(?,?), ref: 0041BAC4
__vbaUI1I2.MSVBVM60 ref: 0041BADA
__vbaRecDestruct.MSVBVM60(004050BC,?), ref: 0041BB10
__vbaAryCopy.MSVBVM60(?,?,?), ref: 0041BB36
__vbaRecDestruct.MSVBVM60(004050BC,?), ref: 0041BB56
__vbaRecAssign.MSVBVM60(004050BC,?,?,?), ref: 0041BB81
__vbaAryCopy.MSVBVM60(?,?), ref: 0041BBA3
__vbaRecDestruct.MSVBVM60(004050BC,?), ref: 0041BBD5
__vbaRecAssign.MSVBVM60(004050BC,?,?,?), ref: 0041BC00
__vbaVarMove.MSVBVM60 ref: 0041BC30
__vbaAryCopy.MSVBVM60(?,?), ref: 0041BC45
__vbaUbound.MSVBVM60(00000001,?), ref: 0041BC5F
__vbaVarMul.MSVBVM60(00000008,00000002,?,00000003,00000000), ref: 0041BCA4
__vbaVarSub.MSVBVM60(?,00000000), ref: 0041BCB2
__vbaI4Var.MSVBVM60(00000000), ref: 0041BCB9
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000), ref: 0041BCCF
__vbaUbound.MSVBVM60(00000001,?), ref: 0041BCE5
__vbaVarMul.MSVBVM60(?,00000002,?), ref: 0041BD65
__vbaI2Var.MSVBVM60(00000000), ref: 0041BD6C
__vbaVarMul.MSVBVM60(?,00000002,?,00000003), ref: 0041BDA5
__vbaVarSub.MSVBVM60(?,00000000), ref: 0041BDB3
__vbaVarAdd.MSVBVM60(?,00000002,00000000), ref: 0041BDC8

Part of subcall function 0042ECB0: __vbaChkstk.MSVBVM60(00000000,004030D6), ref: 0042EE3E
Part of subcall function 0042ECB0: __vbaOnError.MSVBVM60(000000FF,6D42D8B1,?,6D41A323,00000000,004030D6), ref: 0042EE6E
Part of subcall function 0042ECB0: __vbaVarVargNofree.MSVBVM60 ref: 0042EE8F
Part of subcall function 0042ECB0: __vbaVarSub.MSVBVM60(?,00000002,00000000), ref: 0042EE9E
Part of subcall function 0042ECB0: __vbaI2Var.MSVBVM60(00000000), ref: 0042EEA5
Part of subcall function 0042ECB0: __vbaChkstk.MSVBVM60 ref: 0042EF2B
Part of subcall function 0042ECB0: __vbaChkstk.MSVBVM60 ref: 0042EF4E
Part of subcall function 0042ECB0: __vbaVarIndexLoad.MSVBVM60(?,?,00000001), ref: 0042EF76
Part of subcall function 0042ECB0: __vbaChkstk.MSVBVM60 ref: 0042EF86
Part of subcall function 0042ECB0: __vbaVarIndexStore.MSVBVM60(00000000,00000001), ref: 0042EFA9

__vbaFreeVar.MSVBVM60(00006011,?,00006011,00000000,00000000), ref: 0041BDF6
__vbaUI1I2.MSVBVM60 ref: 0041BE12
__vbaUI1I2.MSVBVM60 ref: 0041BE27
__vbaRecDestruct.MSVBVM60(004050BC,?), ref: 0041BE66

Part of subcall function 0041C100: __vbaUbound.MSVBVM60(00000001,?,004019D0,-00000001,6D4FEC2C), ref: 0041C17A
Part of subcall function 0041C100: __vbaUI1I2.MSVBVM60(?,004019D0,-00000001,6D4FEC2C), ref: 0041C182
Part of subcall function 0041C100: __vbaAryCopy.MSVBVM60(?,00401AA8,?,004019D0,-00000001,6D4FEC2C), ref: 0041C190
Part of subcall function 0041C100: __vbaFreeVar.MSVBVM60(0041C3EE), ref: 0041C3DA
Part of subcall function 0041C100: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041C3E2
Part of subcall function 0041C100: __vbaFreeVar.MSVBVM60 ref: 0041C3EB

__vbaRecAssign.MSVBVM60(004050BC,?,?,?), ref: 0041BE91
__vbaAryCopy.MSVBVM60(?,?), ref: 0041BEB3
#698.MSVBVM60(?,?), ref: 0041BEE4
__vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0041BEFF
__vbaStrVarMove.MSVBVM60(00000000), ref: 0041BF06
__vbaStrMove.MSVBVM60 ref: 0041BF11
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041BF27
__vbaStrVarVal.MSVBVM60(?,?,00405638,00000001,000000FF,00000000), ref: 0041BF6F
#712.MSVBVM60(?,00000000), ref: 0041BF7A
__vbaStrMove.MSVBVM60 ref: 0041BF85
__vbaFreeStr.MSVBVM60 ref: 0041BF91
__vbaRecDestruct.MSVBVM60(004050BC,?,0041C0D7), ref: 0041BFFE
__vbaRecDestruct.MSVBVM60(004050BC,?), ref: 0041C010
__vbaRecDestruct.MSVBVM60(004050BC,?), ref: 0041C022
__vbaRecDestruct.MSVBVM60(004050BC,?), ref: 0041C034
__vbaRecDestruct.MSVBVM60(004050BC,?), ref: 0041C046
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041C055
__vbaFreeVar.MSVBVM60 ref: 0041C05E
__vbaRecDestruct.MSVBVM60(004050BC,?), ref: 0041C06D
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041C079
__vbaFreeVar.MSVBVM60 ref: 0041C082
__vbaRecDestruct.MSVBVM60(004050BC,?), ref: 0041C091
__vbaRecDestruct.MSVBVM60(004050BC,?), ref: 0041C0A0
__vbaFreeStr.MSVBVM60 ref: 0041C0A9
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041C0B5
__vbaRecDestruct.MSVBVM60(004050BC,?), ref: 0041C0C4
__vbaFreeStr.MSVBVM60 ref: 0041C0D0
__vbaErrorOverflow.MSVBVM60 ref: 0041C0ED

Strings

(, xrefs: 0041BF52

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Destruct$Free$Move$Copy$Chkstk$Assign$ErrorUbound$IndexList$#631#698#712BstrLoadNofreeOverflowRedimStoreVarg
String ID: (
API String ID: 3448099741-3887548279
Opcode ID: 372140f08f9110ff51498c2efa7867ff54b94c95a344d1a0f8c53bcfddb587c8
Instruction ID: 9c946a5c36d8e76db4a453bad724209bbb6818a340ec16e979af2b719301cd18
Opcode Fuzzy Hash: 372140f08f9110ff51498c2efa7867ff54b94c95a344d1a0f8c53bcfddb587c8
Instruction Fuzzy Hash: 0622FCB1901259EFDB14DFA0DE88BEEBBB4FB48304F108199E14AB7151DB741A88CF55

Function 0042C490 Relevance: 89.6, APIs: 45, Strings: 6, Instructions: 342COMMON

Download Yara Rule

APIs

#644.MSVBVM60(AES,6D4245C1,00000000,($@), ref: 0042C4EA
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000), ref: 0042C501
__vbaStrCopy.MSVBVM60 ref: 0042C510
#644.MSVBVM60(ChainingMode), ref: 0042C520
#644.MSVBVM60(ChainingModeGCM), ref: 0042C52A
__vbaSetSystemError.MSVBVM60(?,?,00000000,00000020,00000000), ref: 0042C53F
__vbaAryLock.MSVBVM60(?), ref: 0042C553
__vbaGenerateBoundsError.MSVBVM60 ref: 0042C572
#644.MSVBVM60(00000000), ref: 0042C594
__vbaAryUnlock.MSVBVM60(?), ref: 0042C5A2
__vbaUbound.MSVBVM60(00000001,?,00000000), ref: 0042C5AE
__vbaSetSystemError.MSVBVM60(?,?,00000000,00000000,00000000,-00000001,?,00000000), ref: 0042C5D2
__vbaAryLock.MSVBVM60(?,?,?,00000000), ref: 0042C5F8
__vbaGenerateBoundsError.MSVBVM60(?,?,00000000), ref: 0042C617
#644.MSVBVM60(00000000,?,?,00000000), ref: 0042C633
__vbaAryUnlock.MSVBVM60(?,?,?,00000000), ref: 0042C63B
__vbaSetSystemError.MSVBVM60(?), ref: 0042C814
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 0042C824
__vbaFreeStr.MSVBVM60(0042C84A), ref: 0042C843

Strings

@, xrefs: 0042C5E6
ChainingModeGCM, xrefs: 0042C522
BCryptOpenAlgorithmProvider, xrefs: 0042C508
($@, xrefs: 0042C4AF
ChainingMode, xrefs: 0042C51B
AES, xrefs: 0042C4CE

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Error$#644System$BoundsGenerateLockUnlock$CopyFreeUbound
String ID: ($@$@$AES$BCryptOpenAlgorithmProvider$ChainingMode$ChainingModeGCM
API String ID: 254650619-520117607
Opcode ID: 883f4903e4fc28569d65dd1089cd8e235f438f38af8bfe614b31c9d891ce6949
Instruction ID: 0ec7adf32517d4817a3f048ae053f653f8606d26ef8940e0aedf8418c99413eb
Opcode Fuzzy Hash: 883f4903e4fc28569d65dd1089cd8e235f438f38af8bfe614b31c9d891ce6949
Instruction Fuzzy Hash: 32C12C74E003199FCB14DFA4D9C4AAEB7B9FF49304F60852AE905AB350DB75A841CF98

Function 0041B290 Relevance: 79.0, APIs: 36, Strings: 9, Instructions: 268COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004030D6), ref: 0041B2AE
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004030D6), ref: 0041B2DE
#716.MSVBVM60(?,System.Security.Cryptography.RijndaelManaged,00000000,?,?,?,00000000,004030D6), ref: 0041B2FD
__vbaVarSetVar.MSVBVM60(?,?,?,?,?,00000000,004030D6), ref: 0041B30B
__vbaChkstk.MSVBVM60 ref: 0041B32E
__vbaVarLateMemSt.MSVBVM60(?,keySize), ref: 0041B358
__vbaChkstk.MSVBVM60 ref: 0041B37B
__vbaVarLateMemSt.MSVBVM60(?,Padding), ref: 0041B3A5
__vbaChkstk.MSVBVM60 ref: 0041B3C8
__vbaVarLateMemSt.MSVBVM60(?,Mode), ref: 0041B3F2
__vbaStrCopy.MSVBVM60 ref: 0041B407

Part of subcall function 0042ECB0: __vbaLenBstr.MSVBVM60(?), ref: 0042ECF6
Part of subcall function 0042ECB0: #632.MSVBVM60(?,?,?,?), ref: 0042ED52
Part of subcall function 0042ECB0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 0042ED68
Part of subcall function 0042ECB0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0042ED6F
Part of subcall function 0042ECB0: #537.MSVBVM60(00000000), ref: 0042ED76
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED81
Part of subcall function 0042ECB0: __vbaStrCat.MSVBVM60(00000000), ref: 0042ED84
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED8B
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED90
Part of subcall function 0042ECB0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042EDA8

__vbaStrMove.MSVBVM60(?), ref: 0041B41B
__vbaStrCopy.MSVBVM60 ref: 0041B429
__vbaStrMove.MSVBVM60 ref: 0041B448

Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,6D42D8B1,00000001,6D41A323), ref: 0042DE03
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?), ref: 0042DE39
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?), ref: 0042DE44
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,?), ref: 0042DE47
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0042DE52
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0042DE5B
Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 0042DE79
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DE96
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEA1
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0042DEA4
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB0
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB9
Part of subcall function 0042DDC0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 0042DEDA
Part of subcall function 0042DDC0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 0042DEEC
Part of subcall function 0042DDC0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 0042DEF3
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DEFE

__vbaStrMove.MSVBVM60(?,?), ref: 0041B460

Part of subcall function 0041B6F0: #644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,004030D6), ref: 0041B733
Part of subcall function 0041B6F0: __vbaLenBstr.MSVBVM60(?,00000000,00000000,00000000,00000000), ref: 0041B742
Part of subcall function 0041B6F0: __vbaSetSystemError.MSVBVM60(0000FDE9,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0041B758
Part of subcall function 0041B6F0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000,?,00000000,00000000,00000000,00000000), ref: 0041B784
Part of subcall function 0041B6F0: #644.MSVBVM60(00000000), ref: 0041B790
Part of subcall function 0041B6F0: __vbaAryLock.MSVBVM60(?,?), ref: 0041B79C
Part of subcall function 0041B6F0: __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041B7BB
Part of subcall function 0041B6F0: __vbaLenBstr.MSVBVM60(?,00000000,?,00000000,00000000), ref: 0041B7E2
Part of subcall function 0041B6F0: __vbaSetSystemError.MSVBVM60(0000FDE9,00000000,00000000,00000000), ref: 0041B7F6
Part of subcall function 0041B6F0: __vbaAryUnlock.MSVBVM60(?), ref: 0041B800

__vbaChkstk.MSVBVM60(?), ref: 0041B47E
__vbaVarLateMemSt.MSVBVM60(?,Key,?), ref: 0041B4A5
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041B4C1
__vbaFreeVar.MSVBVM60(?,?,?,?,00000000,004030D6), ref: 0041B4CD
__vbaVarLateMemCallLd.MSVBVM60(?,?,CreateDecryptor,00000000,?,?,?,?,00000000,004030D6), ref: 0041B4F0
__vbaVarSetVar.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,004030D6), ref: 0041B4FE
__vbaUbound.MSVBVM60(00000001), ref: 0041B53E
__vbaChkstk.MSVBVM60 ref: 0041B562
__vbaChkstk.MSVBVM60 ref: 0041B588
__vbaChkstk.MSVBVM60 ref: 0041B5B7
__vbaVarLateMemCallLd.MSVBVM60(?,?,TransformFinalBlock,00000003), ref: 0041B5F0
__vbaVar2Vec.MSVBVM60(?,00000000), ref: 0041B5FE
__vbaAryMove.MSVBVM60(?,?), ref: 0041B60C
__vbaFreeVar.MSVBVM60 ref: 0041B615
__vbaUbound.MSVBVM60(00000001,?), ref: 0041B628

Part of subcall function 0042E8C0: __vbaStrCopy.MSVBVM60(6D42D8B1,00000000,00000000), ref: 0042E902
Part of subcall function 0042E8C0: __vbaGenerateBoundsError.MSVBVM60 ref: 0042E941
Part of subcall function 0042E8C0: __vbaStrUI1.MSVBVM60(?), ref: 0042E95A
Part of subcall function 0042E8C0: __vbaStrMove.MSVBVM60 ref: 0042E965
Part of subcall function 0042E8C0: __vbaStrCmp.MSVBVM60(0040796C,00000000), ref: 0042E96D
Part of subcall function 0042E8C0: __vbaFreeStr.MSVBVM60 ref: 0042E980
Part of subcall function 0042E8C0: __vbaGenerateBoundsError.MSVBVM60 ref: 0042E9B7
Part of subcall function 0042E8C0: #608.MSVBVM60(?,00000000), ref: 0042E9D6
Part of subcall function 0042E8C0: __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0042E9E8
Part of subcall function 0042E8C0: __vbaStrVarMove.MSVBVM60(00000000), ref: 0042E9EF

__vbaStrMove.MSVBVM60(?,?), ref: 0041B649
__vbaAryDestruct.MSVBVM60(00000000,?,0041B6CC), ref: 0041B6A7
__vbaFreeVar.MSVBVM60 ref: 0041B6B0
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041B6BC
__vbaFreeVar.MSVBVM60 ref: 0041B6C5
__vbaErrorOverflow.MSVBVM60 ref: 0041B6E2

Strings

keySize, xrefs: 0041B34F
TransformFinalBlock, xrefs: 0041B5E3
Mode, xrefs: 0041B3E9
Key, xrefs: 0041B49C
System.Security.Cryptography.RijndaelManaged, xrefs: 0041B2F4
Padding, xrefs: 0041B39C
03232A13323A390411150D2E291A3B18, xrefs: 0041B3FF
lkGLiBCJraodCFhSsSyLssH, xrefs: 0041B421
CreateDecryptor, xrefs: 0041B4E3

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$Chkstk$Error$Late$Bstr$BoundsCopyGenerate$#516#608#631#644CallDestructListSystemUbound$#537#632#716LockOverflowRedimUnlockVar2
String ID: 03232A13323A390411150D2E291A3B18$CreateDecryptor$Key$Mode$Padding$System.Security.Cryptography.RijndaelManaged$TransformFinalBlock$keySize$lkGLiBCJraodCFhSsSyLssH
API String ID: 2183829440-3496722723
Opcode ID: b7be1e0d36a248b2c2fa9d1a1faaec0d50a151d1bc0f0b5491b987813e270084
Instruction ID: f19a22bf987f14454c8906640cef14a2538f408df6e713c948ff2376e9f49332
Opcode Fuzzy Hash: b7be1e0d36a248b2c2fa9d1a1faaec0d50a151d1bc0f0b5491b987813e270084
Instruction Fuzzy Hash: 29C1E4B4900209DFDB14DFA4C949BDDBBB4FF48304F1082AAE509AB391DB75AA85CF54

Function 0042C870 Relevance: 77.3, APIs: 39, Strings: 5, Instructions: 275COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004030D6,?,?,?,?,0042C113,00000000), ref: 0042C88E
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004030D6), ref: 0042C8BE
__vbaStrCopy.MSVBVM60(?,00000000,?,?,004030D6), ref: 0042C8D3

Part of subcall function 0042ECB0: __vbaLenBstr.MSVBVM60(?), ref: 0042ECF6
Part of subcall function 0042ECB0: #632.MSVBVM60(?,?,?,?), ref: 0042ED52
Part of subcall function 0042ECB0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 0042ED68
Part of subcall function 0042ECB0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0042ED6F
Part of subcall function 0042ECB0: #537.MSVBVM60(00000000), ref: 0042ED76
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED81
Part of subcall function 0042ECB0: __vbaStrCat.MSVBVM60(00000000), ref: 0042ED84
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED8B
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED90
Part of subcall function 0042ECB0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042EDA8

__vbaStrMove.MSVBVM60(?,?,00000000,?,?,004030D6), ref: 0042C8E7
__vbaStrCopy.MSVBVM60(?,00000000,?,?,004030D6), ref: 0042C8F5
__vbaStrMove.MSVBVM60 ref: 0042C914

Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,6D42D8B1,00000001,6D41A323), ref: 0042DE03
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?), ref: 0042DE39
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?), ref: 0042DE44
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,?), ref: 0042DE47
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0042DE52
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0042DE5B
Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 0042DE79
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DE96
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEA1
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0042DEA4
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB0
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB9
Part of subcall function 0042DDC0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 0042DEDA
Part of subcall function 0042DDC0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 0042DEEC
Part of subcall function 0042DDC0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 0042DEF3
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DEFE

__vbaStrMove.MSVBVM60(?,?,00000000), ref: 0042C932
__vbaStrCat.MSVBVM60(00000000), ref: 0042C939
__vbaStrMove.MSVBVM60 ref: 0042C944

Part of subcall function 0042CCD0: __vbaChkstk.MSVBVM60(?,004030D6,?,?,00000000,?,?,004030D6), ref: 0042CCEE
Part of subcall function 0042CCD0: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004030D6), ref: 0042CD1E
Part of subcall function 0042CCD0: #645.MSVBVM60(00004008,00000000), ref: 0042CD3E
Part of subcall function 0042CCD0: __vbaStrMove.MSVBVM60 ref: 0042CD49
Part of subcall function 0042CCD0: __vbaLenBstrB.MSVBVM60(00000000), ref: 0042CD50
Part of subcall function 0042CCD0: __vbaFreeStr.MSVBVM60 ref: 0042CD66
Part of subcall function 0042CCD0: #648.MSVBVM60(0000000A), ref: 0042CD91
Part of subcall function 0042CCD0: __vbaFreeVar.MSVBVM60 ref: 0042CD9E
Part of subcall function 0042CCD0: __vbaFileOpen.MSVBVM60(00000020,000000FF,?,00000000), ref: 0042CDBA
Part of subcall function 0042CCD0: #570.MSVBVM60(?), ref: 0042CDCC
Part of subcall function 0042CCD0: #525.MSVBVM60(00000000), ref: 0042CDD3
Part of subcall function 0042CCD0: __vbaStrMove.MSVBVM60 ref: 0042CDDE
Part of subcall function 0042CCD0: __vbaGet3.MSVBVM60(00000000,00000000,?), ref: 0042CDF6
Part of subcall function 0042CCD0: __vbaFileClose.MSVBVM60(?), ref: 0042CE08

__vbaStrMove.MSVBVM60(?), ref: 0042C958

Part of subcall function 0042F9E0: __vbaChkstk.MSVBVM60(00000000,004030D6,?,?,00000000,?,?,004030D6), ref: 0042F9FE
Part of subcall function 0042F9E0: __vbaStrCopy.MSVBVM60(?,00000000), ref: 0042FA44
Part of subcall function 0042F9E0: __vbaOnError.MSVBVM60(000000FF,?,00000000), ref: 0042FA53
Part of subcall function 0042F9E0: #632.MSVBVM60(?,00004008,00000001,00000002), ref: 0042FA9F
Part of subcall function 0042F9E0: __vbaVarMove.MSVBVM60 ref: 0042FAAB
Part of subcall function 0042F9E0: __vbaFreeVar.MSVBVM60 ref: 0042FAB4
Part of subcall function 0042F9E0: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0042FAD7
Part of subcall function 0042F9E0: __vbaObjSet.MSVBVM60(00000000,00000000,?,00000001), ref: 0042FAFD
Part of subcall function 0042F9E0: __vbaFreeVar.MSVBVM60(0042FB9F), ref: 0042FB98

__vbaObjSet.MSVBVM60(?,00000000,?), ref: 0042C96C
__vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,?,00000000), ref: 0042C990
__vbaObjIs.MSVBVM60(?,00000000,?,?,?,?,00000000,?,?,004030D6), ref: 0042C9A6
__vbaStrMove.MSVBVM60(?,?,?,?,00000000,?,?,004030D6), ref: 0042C9C8
__vbaStrCmp.MSVBVM60(00405638,00000000,?,?,?,?,00000000,?,?,004030D6), ref: 0042C9D4
__vbaFreeStr.MSVBVM60(?,?,?,?,00000000,?,?,004030D6), ref: 0042C9EB
__vbaChkstk.MSVBVM60 ref: 0042CA31
__vbaChkstk.MSVBVM60(Item,00000001), ref: 0042CA67
__vbaLateMemCallLd.MSVBVM60(?,?,Item,00000001,Item,00000001), ref: 0042CA9A
__vbaVarLateMemCallLd.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042CAA8
__vbaStrVarMove.MSVBVM60(00000000), ref: 0042CAB2
__vbaStrMove.MSVBVM60 ref: 0042CABD
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042CACD
__vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,00000000,?,?,004030D6), ref: 0042CAF7
__vbaUbound.MSVBVM60(00000001,?,00000000,?,?,?,?,00000000,?,?,004030D6), ref: 0042CB0C
__vbaRedim.MSVBVM60(00000080,00000001,00000000,00000011,00000001,-00000005,?,?,?,?,00000000,?,?,004030D6), ref: 0042CB2B
__vbaUbound.MSVBVM60(00000001,?), ref: 0042CB41
__vbaFreeVar.MSVBVM60(00006011,00000005,00006011,00000000,00000003), ref: 0042CBB7
__vbaStrCopy.MSVBVM60 ref: 0042CBC9
__vbaAryMove.MSVBVM60(?,?,?,?,00000000,00000000,00000004,00000000), ref: 0042CBF5
__vbaFreeStr.MSVBVM60 ref: 0042CBFE
__vbaAryDestruct.MSVBVM60(00000000,?,0042CCAE), ref: 0042CC65
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042CC74
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042CC80
__vbaFreeStr.MSVBVM60 ref: 0042CC89
__vbaFreeObj.MSVBVM60 ref: 0042CC92
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042CC9E

Part of subcall function 00432300: __vbaStrCopy.MSVBVM60(6D51C2DA,00008008), ref: 00432339

Strings

os_crypt, xrefs: 0042CA1B
Item, xrefs: 0042CA5D, 0042CA8D
encrypted_key, xrefs: 0042CA07
ozCoFwlOKLcRmecFWpLTtuxSeDlWViCWz, xrefs: 0042C8ED
260F002516006F1838022608, xrefs: 0042C8CB

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$ChkstkCopy$BstrDestruct$ErrorList$#516#631#632CallFileLateUbound$#525#537#570#608#645#648CloseGet3OpenRedim
String ID: 260F002516006F1838022608$Item$encrypted_key$os_crypt$ozCoFwlOKLcRmecFWpLTtuxSeDlWViCWz
API String ID: 676153682-3451917358
Opcode ID: dcaa2bf406cac54e3a72378371b563db0a58a20fd04280cf107219ca44a10f55
Instruction ID: e189bd2c2074f57eec86499cefa1468d7c2627c00626a82b59dd18930deab3e7
Opcode Fuzzy Hash: dcaa2bf406cac54e3a72378371b563db0a58a20fd04280cf107219ca44a10f55
Instruction Fuzzy Hash: 88C1F971900218EBDB04DFA4DD89BDEBBB9FF44305F108169E10AB72A0DB745A89CF58

Function 0042A560 Relevance: 66.7, APIs: 32, Strings: 6, Instructions: 238COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,00000000,-00000001,6D4245C1), ref: 0042A5DE

Part of subcall function 0042EA80: __vbaLenBstr.MSVBVM60(00000000,00402700,00000000,6D42D8B1), ref: 0042EAC9
Part of subcall function 0042EA80: __vbaLenBstr.MSVBVM60 ref: 0042EAD7
Part of subcall function 0042EA80: __vbaFpI4.MSVBVM60 ref: 0042EB11
Part of subcall function 0042EA80: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000), ref: 0042EB31
Part of subcall function 0042EA80: __vbaUbound.MSVBVM60(00000001,?), ref: 0042EB40
Part of subcall function 0042EA80: __vbaGenerateBoundsError.MSVBVM60 ref: 0042EB80
Part of subcall function 0042EA80: #631.MSVBVM60(?,?,?,0040A4B0), ref: 0042EBB4
Part of subcall function 0042EA80: __vbaStrMove.MSVBVM60 ref: 0042EBBF
Part of subcall function 0042EA80: __vbaStrCat.MSVBVM60(00000000), ref: 0042EBC2
Part of subcall function 0042EA80: __vbaStrMove.MSVBVM60 ref: 0042EBCD

__vbaAryMove.MSVBVM60(?,?,00402308), ref: 0042A5FE
#716.MSVBVM60(?,System.Security.Cryptography.TripleDESCryptoServiceProvider,00000000), ref: 0042A60E
__vbaVarZero.MSVBVM60 ref: 0042A61D
__vbaVarLateMemSt.MSVBVM60(?,Mode), ref: 0042A655
__vbaVarLateMemSt.MSVBVM60(?,Padding), ref: 0042A67D
__vbaVarLateMemSt.MSVBVM60(?,Key), ref: 0042A6A5

Part of subcall function 0042EA80: _adj_fdiv_m64.MSVBVM60 ref: 0042EB02
Part of subcall function 0042EA80: __vbaGenerateBoundsError.MSVBVM60 ref: 0042EB88
Part of subcall function 0042EA80: #581.MSVBVM60(00000000), ref: 0042EBD0
Part of subcall function 0042EA80: __vbaFpUI1.MSVBVM60 ref: 0042EBD6
Part of subcall function 0042EA80: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042EBEF
Part of subcall function 0042EA80: __vbaFreeVar.MSVBVM60 ref: 0042EBFB
Part of subcall function 0042EA80: __vbaAryCopy.MSVBVM60(?,?), ref: 0042EC1F
Part of subcall function 0042EA80: __vbaAryDestruct.MSVBVM60(00000000,?,0042EC89), ref: 0042EC7E
Part of subcall function 0042EA80: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042EC86

__vbaVarLateMemSt.MSVBVM60(?,0040A658), ref: 0042A6DD
__vbaFreeVar.MSVBVM60 ref: 0042A6E8
__vbaVarLateMemCallLd.MSVBVM60(?,?,CreateDecryptor,00000000), ref: 0042A6FC
__vbaObjVar.MSVBVM60(00000000), ref: 0042A706
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0042A711
__vbaFreeVar.MSVBVM60 ref: 0042A71A
__vbaUbound.MSVBVM60(00000001,?), ref: 0042A729
__vbaLateMemCallLd.MSVBVM60(?,?,TransformFinalBlock,00000003), ref: 0042A79B
__vbaVar2Vec.MSVBVM60(?,00000000), ref: 0042A7A9
__vbaAryMove.MSVBVM60(?,?), ref: 0042A7B7
__vbaFreeVar.MSVBVM60 ref: 0042A7C0
__vbaUbound.MSVBVM60(00000001,?), ref: 0042A7C8

Part of subcall function 0042E8C0: __vbaStrCopy.MSVBVM60(6D42D8B1,00000000,00000000), ref: 0042E902
Part of subcall function 0042E8C0: __vbaGenerateBoundsError.MSVBVM60 ref: 0042E941
Part of subcall function 0042E8C0: __vbaStrUI1.MSVBVM60(?), ref: 0042E95A
Part of subcall function 0042E8C0: __vbaStrMove.MSVBVM60 ref: 0042E965
Part of subcall function 0042E8C0: __vbaStrCmp.MSVBVM60(0040796C,00000000), ref: 0042E96D
Part of subcall function 0042E8C0: __vbaFreeStr.MSVBVM60 ref: 0042E980
Part of subcall function 0042E8C0: __vbaGenerateBoundsError.MSVBVM60 ref: 0042E9B7
Part of subcall function 0042E8C0: #608.MSVBVM60(?,00000000), ref: 0042E9D6
Part of subcall function 0042E8C0: __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0042E9E8
Part of subcall function 0042E8C0: __vbaStrVarMove.MSVBVM60(00000000), ref: 0042E9EF

__vbaStrMove.MSVBVM60(?,?), ref: 0042A844
__vbaExitProc.MSVBVM60 ref: 0042A84A
__vbaFreeVar.MSVBVM60(0042A8E4), ref: 0042A882
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042A897
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042A8A2
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042A8AD
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042A8B8
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042A8C0
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042A8C8
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042A8D0
__vbaFreeObj.MSVBVM60 ref: 0042A8D5
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042A8E1
__vbaErrorOverflow.MSVBVM60 ref: 0042A8FA

Strings

TransformFinalBlock, xrefs: 0042A78E
System.Security.Cryptography.TripleDESCryptoServiceProvider, xrefs: 0042A605
Mode, xrefs: 0042A643
Key, xrefs: 0042A699
Padding, xrefs: 0042A671
CreateDecryptor, xrefs: 0042A6EC

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Destruct$Free$Move$ErrorLate$BoundsGenerate$Ubound$BstrCallCopy$#581#608#631#716AddrefExitListOverflowProcRedimVar2Zero_adj_fdiv_m64
String ID: CreateDecryptor$Key$Mode$Padding$System.Security.Cryptography.TripleDESCryptoServiceProvider$TransformFinalBlock
API String ID: 1384324460-2358055711
Opcode ID: 1d750582bf1ea40b676b8e4ff6ce9f9953aaa87f8a4cf24ddf3ffd135e8502ba
Instruction ID: 01a5032805ddd56ad328cc477738bf7d68bd4cdd90ae44a414f0d5a95c3ad2fb
Opcode Fuzzy Hash: 1d750582bf1ea40b676b8e4ff6ce9f9953aaa87f8a4cf24ddf3ffd135e8502ba
Instruction Fuzzy Hash: 19A13BB1D10218DFDB04DFA8DD45B9DFBB8FB48700F10829AE509A7291D774AA84CFA5

Function 00429620 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,00000000,6D4245C1,?,?,?,?,?,?,?,?,?,?,?,6D4245C1,004030D6), ref: 0042965F
#573.MSVBVM60(?,?), ref: 00429680
__vbaStrVarMove.MSVBVM60(?), ref: 0042968C
__vbaStrMove.MSVBVM60 ref: 00429699
__vbaFreeVar.MSVBVM60 ref: 0042969E
__vbaLenBstr.MSVBVM60(?), ref: 004296A8
__vbaMidStmtBstr.MSVBVM60(00000000,?,00000000,00000009,?), ref: 004296C7
#573.MSVBVM60(?,00004003), ref: 004296E2
__vbaStrVarMove.MSVBVM60(?), ref: 004296E8
__vbaStrMove.MSVBVM60 ref: 004296EF
__vbaFreeVar.MSVBVM60 ref: 004296F4
__vbaLenBstr.MSVBVM60(?), ref: 004296FE
__vbaMidStmtBstr.MSVBVM60(00000000,?,00000000,00000012,?), ref: 0042971D
#573.MSVBVM60(?,00004003), ref: 00429738
__vbaStrVarMove.MSVBVM60(?), ref: 0042973E
__vbaStrMove.MSVBVM60 ref: 00429745
__vbaFreeVar.MSVBVM60 ref: 0042974A
__vbaLenBstr.MSVBVM60(?), ref: 00429754
__vbaMidStmtBstr.MSVBVM60(00000000,?,00000000,0000001B,?), ref: 00429773
#573.MSVBVM60(?,00004003), ref: 0042978E
__vbaStrVarMove.MSVBVM60(?), ref: 00429794
__vbaStrMove.MSVBVM60 ref: 0042979B
__vbaFreeVar.MSVBVM60 ref: 004297A0
__vbaLenBstr.MSVBVM60(?), ref: 004297AA
__vbaMidStmtBstr.MSVBVM60(00000000,?,00000000,00000024,?), ref: 004297C9
#573.MSVBVM60(?,00004003), ref: 004297E4
__vbaStrVarMove.MSVBVM60(?), ref: 004297EA
__vbaStrMove.MSVBVM60 ref: 004297F1
__vbaFreeVar.MSVBVM60 ref: 004297F6
__vbaLenBstr.MSVBVM60(?), ref: 00429800
__vbaMidStmtBstr.MSVBVM60(00000000,?,00000000,0000002D,?), ref: 0042981B
__vbaFreeStr.MSVBVM60(0042984B), ref: 00429844
__vbaErrorOverflow.MSVBVM60(?), ref: 00429861

Strings

00000000 00000000 00000000 00000000 00000000, xrefs: 0042964B

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$BstrMove$Free$#573Stmt$CopyErrorOverflow
String ID: 00000000 00000000 00000000 00000000 00000000
API String ID: 4201252254-3035815846
Opcode ID: 41cf33ce675ed9976c58cbf419c0021008f704f953fe3d26b9af8e41ebfd7848
Instruction ID: 38b625a2d4f95f3f97c8a4323f0217025cab8143b4f66fbd1494fae116b0ca2c
Opcode Fuzzy Hash: 41cf33ce675ed9976c58cbf419c0021008f704f953fe3d26b9af8e41ebfd7848
Instruction Fuzzy Hash: B361C7B1910119AFDF04EFA4DD88EEEBBB8FF88701F00452AE506B3164EB746945CB64

Function 0042BF40 Relevance: 58.0, APIs: 29, Strings: 4, Instructions: 210COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004030D6), ref: 0042BF5E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,004030D6), ref: 0042BF8E
__vbaUbound.MSVBVM60(00000001,?,?,?,?,?,004030D6), ref: 0042BFAA

Part of subcall function 0042E8C0: __vbaStrCopy.MSVBVM60(6D42D8B1,00000000,00000000), ref: 0042E902
Part of subcall function 0042E8C0: __vbaGenerateBoundsError.MSVBVM60 ref: 0042E941
Part of subcall function 0042E8C0: __vbaStrUI1.MSVBVM60(?), ref: 0042E95A
Part of subcall function 0042E8C0: __vbaStrMove.MSVBVM60 ref: 0042E965
Part of subcall function 0042E8C0: __vbaStrCmp.MSVBVM60(0040796C,00000000), ref: 0042E96D
Part of subcall function 0042E8C0: __vbaFreeStr.MSVBVM60 ref: 0042E980
Part of subcall function 0042E8C0: __vbaGenerateBoundsError.MSVBVM60 ref: 0042E9B7
Part of subcall function 0042E8C0: #608.MSVBVM60(?,00000000), ref: 0042E9D6
Part of subcall function 0042E8C0: __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0042E9E8
Part of subcall function 0042E8C0: __vbaStrVarMove.MSVBVM60(00000000), ref: 0042E9EF

__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,004030D6), ref: 0042BFC5
__vbaStrCopy.MSVBVM60(?,?,?,?,?,004030D6), ref: 0042BFDA

Part of subcall function 0042ECB0: __vbaLenBstr.MSVBVM60(?), ref: 0042ECF6
Part of subcall function 0042ECB0: #632.MSVBVM60(?,?,?,?), ref: 0042ED52
Part of subcall function 0042ECB0: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 0042ED68
Part of subcall function 0042ECB0: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0042ED6F
Part of subcall function 0042ECB0: #537.MSVBVM60(00000000), ref: 0042ED76
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED81
Part of subcall function 0042ECB0: __vbaStrCat.MSVBVM60(00000000), ref: 0042ED84
Part of subcall function 0042ECB0: __vbaStrMove.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED8B
Part of subcall function 0042ECB0: __vbaFreeStr.MSVBVM60(?,6D41E251,00402710,00000000), ref: 0042ED90
Part of subcall function 0042ECB0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042EDA8

__vbaStrMove.MSVBVM60(?,?,?,?,?,?,004030D6), ref: 0042BFEE
__vbaStrCopy.MSVBVM60(?,?,?,?,?,004030D6), ref: 0042BFFC
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,004030D6), ref: 0042C010
__vbaStrCopy.MSVBVM60(?,?,?,?,?,004030D6), ref: 0042C01E
__vbaStrMove.MSVBVM60 ref: 0042C037
__vbaStrCopy.MSVBVM60 ref: 0042C045
__vbaStrMove.MSVBVM60 ref: 0042C064

Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,6D42D8B1,00000001,6D41A323), ref: 0042DE03
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?), ref: 0042DE39
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?), ref: 0042DE44
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,?), ref: 0042DE47
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0042DE52
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0042DE5B
Part of subcall function 0042DDC0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 0042DE79
Part of subcall function 0042DDC0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DE96
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEA1
Part of subcall function 0042DDC0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0042DEA4
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB0
Part of subcall function 0042DDC0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0042DEB9
Part of subcall function 0042DDC0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 0042DEDA
Part of subcall function 0042DDC0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,?,00000002,?,?,?), ref: 0042DEEC
Part of subcall function 0042DDC0: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000002,?,?,?), ref: 0042DEF3
Part of subcall function 0042DDC0: __vbaStrMove.MSVBVM60(?,?,?,00000002,?,?,?), ref: 0042DEFE

__vbaStrMove.MSVBVM60(?,?,?,00000001), ref: 0042C082
__vbaInStr.MSVBVM60(00000000,00000000), ref: 0042C08B

Part of subcall function 0042DDC0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,00000002,?,?,?), ref: 0042DF0A
Part of subcall function 0042DDC0: __vbaStrCopy.MSVBVM60 ref: 0042DF29
Part of subcall function 0042DDC0: __vbaFreeStr.MSVBVM60(0042DF6C), ref: 0042DF65

__vbaStrMove.MSVBVM60(?,?,?,00000001), ref: 0042C0AB
__vbaInStr.MSVBVM60(00000000,00000000), ref: 0042C0B4
__vbaFreeStrList.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,00000000,?), ref: 0042C0F2
__vbaAryMove.MSVBVM60(?,?,00000000,?,?,?,?,?,?,?,?,?,?,004030D6), ref: 0042C11E

Part of subcall function 0042C260: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,0000000B,00000000,?,00000000), ref: 0042C2B8
Part of subcall function 0042C260: __vbaUbound.MSVBVM60(00000001,?), ref: 0042C2CD
Part of subcall function 0042C260: __vbaFreeVar.MSVBVM60(?,?,?,?,?), ref: 0042C31C
Part of subcall function 0042C260: __vbaUbound.MSVBVM60(00000001,?,00000000), ref: 0042C328
Part of subcall function 0042C260: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-0000001F,?,00000000), ref: 0042C34C
Part of subcall function 0042C260: __vbaUbound.MSVBVM60(00000001,?), ref: 0042C35B

__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004030D6), ref: 0042C13D
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004030D6), ref: 0042C151
__vbaAryMove.MSVBVM60(?,?,?,?,00000000,00000000,00000004,00000000), ref: 0042C177
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004030D6), ref: 0042C180
__vbaUbound.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?,?,?,004030D6), ref: 0042C193
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004030D6), ref: 0042C1AE
__vbaAryDestruct.MSVBVM60(00000000,?,0042C23C,?,?,?,?,?,?,?,?,?,?,004030D6), ref: 0042C208
__vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,004030D6), ref: 0042C214
__vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,004030D6), ref: 0042C220
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004030D6), ref: 0042C229
__vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,004030D6), ref: 0042C235

Part of subcall function 0042C870: __vbaChkstk.MSVBVM60(?,004030D6,?,?,?,?,0042C113,00000000), ref: 0042C88E
Part of subcall function 0042C870: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004030D6), ref: 0042C8BE
Part of subcall function 0042C870: __vbaStrCopy.MSVBVM60(?,00000000,?,?,004030D6), ref: 0042C8D3
Part of subcall function 0042C870: __vbaStrMove.MSVBVM60(?,?,00000000,?,?,004030D6), ref: 0042C8E7
Part of subcall function 0042C870: __vbaStrCopy.MSVBVM60(?,00000000,?,?,004030D6), ref: 0042C8F5
Part of subcall function 0042C870: __vbaStrMove.MSVBVM60 ref: 0042C914
Part of subcall function 0042C870: __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0042C932
Part of subcall function 0042C870: __vbaStrCat.MSVBVM60(00000000), ref: 0042C939
Part of subcall function 0042C870: __vbaStrMove.MSVBVM60 ref: 0042C944
Part of subcall function 0042C870: __vbaStrMove.MSVBVM60(?), ref: 0042C958
Part of subcall function 0042C870: __vbaObjSet.MSVBVM60(?,00000000,?), ref: 0042C96C
Part of subcall function 0042C870: __vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,?,00000000), ref: 0042C990
Part of subcall function 0042C870: __vbaObjIs.MSVBVM60(?,00000000,?,?,?,?,00000000,?,?,004030D6), ref: 0042C9A6
Part of subcall function 0042C870: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,?,?,004030D6), ref: 0042C9C8

Strings

ItwXjeKuthVRdpXyikTUBGFniKETOLdVtYpxoTfOnqQ, xrefs: 0042C016
024668, xrefs: 0042BFD2
HvFifFDbwWSESPfuPWaeSKl, xrefs: 0042C03D
007758, xrefs: 0042BFF4

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$Copy$Ubound$DestructErrorList$Bstr$#516#608#631BoundsChkstkGenerateRedim$#537#632
String ID: 007758$024668$HvFifFDbwWSESPfuPWaeSKl$ItwXjeKuthVRdpXyikTUBGFniKETOLdVtYpxoTfOnqQ
API String ID: 1910222529-2368971541
Opcode ID: 73f5917d30d4189876d79a935cdd66be53b482578706a6bbf27b8e468115c2ab
Instruction ID: 9ac148aa2f327e291eef71a793c195be77bbb942f304428e9ff09502e44eaf3f
Opcode Fuzzy Hash: 73f5917d30d4189876d79a935cdd66be53b482578706a6bbf27b8e468115c2ab
Instruction Fuzzy Hash: 3391DC76D00208EBDB04DFE0DD89BDEBBB9EF44704F10816AE502B71A4DB746A45CBA4

Function 0042B0F0 Relevance: 51.0, APIs: 28, Strings: 1, Instructions: 292COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004030D6,?,?,0042A3EE,?,?,?), ref: 0042B10E
__vbaOnError.MSVBVM60(000000FF,00000000,-00000001,6D4245C1,?,004030D6), ref: 0042B13E
__vbaUbound.MSVBVM60(00000001,?,00000000), ref: 0042B155
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000004,?,00000000), ref: 0042B174
__vbaUbound.MSVBVM60(00000001), ref: 0042B18C

Part of subcall function 0042ECB0: __vbaChkstk.MSVBVM60(00000000,004030D6), ref: 0042EE3E
Part of subcall function 0042ECB0: __vbaOnError.MSVBVM60(000000FF,6D42D8B1,?,6D41A323,00000000,004030D6), ref: 0042EE6E
Part of subcall function 0042ECB0: __vbaVarVargNofree.MSVBVM60 ref: 0042EE8F
Part of subcall function 0042ECB0: __vbaVarSub.MSVBVM60(?,00000002,00000000), ref: 0042EE9E
Part of subcall function 0042ECB0: __vbaI2Var.MSVBVM60(00000000), ref: 0042EEA5
Part of subcall function 0042ECB0: __vbaChkstk.MSVBVM60 ref: 0042EF2B
Part of subcall function 0042ECB0: __vbaChkstk.MSVBVM60 ref: 0042EF4E
Part of subcall function 0042ECB0: __vbaVarIndexLoad.MSVBVM60(?,?,00000001), ref: 0042EF76
Part of subcall function 0042ECB0: __vbaChkstk.MSVBVM60 ref: 0042EF86
Part of subcall function 0042ECB0: __vbaVarIndexStore.MSVBVM60(00000000,00000001), ref: 0042EFA9

__vbaFreeVar.MSVBVM60(00006011,00000000,00006011,00000000,00000003), ref: 0042B1F3

Part of subcall function 0042B040: __vbaStrCopy.MSVBVM60(?,?,00000000), ref: 0042B07F
Part of subcall function 0042B040: __vbaAryMove.MSVBVM60(?,?,?), ref: 0042B099
Part of subcall function 0042B040: __vbaFreeStr.MSVBVM60 ref: 0042B0A2
Part of subcall function 0042B040: __vbaAryDestruct.MSVBVM60(00000000,?,0042B0D8), ref: 0042B0D1

__vbaAryMove.MSVBVM60(?,?,00000000), ref: 0042B21F
__vbaUbound.MSVBVM60(00000001), ref: 0042B23B
__vbaI2I4.MSVBVM60 ref: 0042B24C

Part of subcall function 0042ECB0: __vbaFreeVar.MSVBVM60 ref: 0042EFB5

__vbaFreeVarList.MSVBVM60(00000002,00002011,00000002,00002011,00000000,00006011,00000000,00000002), ref: 0042B2BE
__vbaErase.MSVBVM60(00000000,?), ref: 0042B2D0
__vbaStrCopy.MSVBVM60 ref: 0042B2E5

Part of subcall function 0042B610: __vbaAryConstruct2.MSVBVM60(?,0040AB14,00000011,00000000,-00000001,6D4245C1), ref: 0042B6F4
Part of subcall function 0042B610: #527.MSVBVM60(00000000), ref: 0042B700
Part of subcall function 0042B610: __vbaStrMove.MSVBVM60 ref: 0042B70E
Part of subcall function 0042B610: __vbaStrCmp.MSVBVM60(SHA256,?), ref: 0042B726
Part of subcall function 0042B610: __vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000018,F0000000), ref: 0042B7D0
Part of subcall function 0042B610: #685.MSVBVM60 ref: 0042B7DE
Part of subcall function 0042B610: __vbaObjSet.MSVBVM60(?,00000000), ref: 0042B7EC
Part of subcall function 0042B610: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040A9C4,0000004C), ref: 0042B810
Part of subcall function 0042B610: __vbaFreeObj.MSVBVM60 ref: 0042B828

__vbaFreeStr.MSVBVM60(?,?,?,?), ref: 0042B303
__vbaStrCopy.MSVBVM60 ref: 0042B363

Part of subcall function 0042B610: __vbaStrCmp.MSVBVM60(SHA384,?), ref: 0042B749
Part of subcall function 0042B610: __vbaStrCopy.MSVBVM60 ref: 0042B839
Part of subcall function 0042B610: __vbaSetSystemError.MSVBVM60(?), ref: 0042BD22
Part of subcall function 0042B610: __vbaSetSystemError.MSVBVM60(?), ref: 0042BD39
Part of subcall function 0042B610: __vbaSetSystemError.MSVBVM60(?,00000000), ref: 0042BD4C
Part of subcall function 0042B610: __vbaLenBstrB.MSVBVM60(?), ref: 0042BD55
Part of subcall function 0042B610: #681.MSVBVM60(?,?,?,?), ref: 0042BDCD
Part of subcall function 0042B610: #685.MSVBVM60 ref: 0042BDD3
Part of subcall function 0042B610: __vbaObjSet.MSVBVM60(?,00000000), ref: 0042BDE1
Part of subcall function 0042B610: __vbaI4Var.MSVBVM60(?,?,?,?,?), ref: 0042BE52

__vbaFreeStr.MSVBVM60(?,?,?,?), ref: 0042B381
__vbaGenerateBoundsError.MSVBVM60 ref: 0042B41D
__vbaGenerateBoundsError.MSVBVM60 ref: 0042B437
__vbaGenerateBoundsError.MSVBVM60 ref: 0042B47C
__vbaGenerateBoundsError.MSVBVM60 ref: 0042B496
__vbaGenerateBoundsError.MSVBVM60 ref: 0042B4DB
__vbaGenerateBoundsError.MSVBVM60 ref: 0042B4F5
__vbaAryMove.MSVBVM60(?,?), ref: 0042B571
__vbaAryDestruct.MSVBVM60(00000000,?,0042B5F4), ref: 0042B5BA
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042B5C9
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042B5D5
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042B5E1
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042B5ED
__vbaErrorOverflow.MSVBVM60(?,00000000), ref: 0042B60A

Strings

SHA256, xrefs: 0042B2DD, 0042B35B

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Error$Free$BoundsDestructGenerate$Chkstk$CopyMoveSystem$Ubound$#685Index$#527#681BstrCheckConstruct2EraseHresultListLoadNofreeOverflowRedimStoreVarg
String ID: SHA256
API String ID: 3250730599-983011835
Opcode ID: d4f5b87386d137823817a7a53467dcafebe4e69871276b3ec8502508cdc87600
Instruction ID: 47bf7fd41cd0e64c9970cc7131b9fb1e9b697bcdad1a41c0218f7923622d5ba4
Opcode Fuzzy Hash: d4f5b87386d137823817a7a53467dcafebe4e69871276b3ec8502508cdc87600
Instruction Fuzzy Hash: 3CE15474900218EFDB14DF90EA88BDDBBB5FF48304F50809AE509BB291D7B45A85CF65

Function 00424690 Relevance: 45.2, APIs: 30, Instructions: 194COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004030D6), ref: 004246AE
__vbaOnError.MSVBVM60(000000FF,00000000,6D424558,6D4FDAF4,00000000,004030D6), ref: 004246DE
__vbaFileOpen.MSVBVM60(00000020,000000FF,00000001), ref: 004246F7
#570.MSVBVM60(00000001), ref: 00424706
__vbaVarDup.MSVBVM60 ref: 00424723
#606.MSVBVM60(?,?), ref: 00424731
__vbaStrMove.MSVBVM60 ref: 0042473C
__vbaStr2Vec.MSVBVM60(?,00000000), ref: 00424747
__vbaAryMove.MSVBVM60(?,?), ref: 00424755
__vbaFreeStr.MSVBVM60 ref: 0042475E
__vbaFreeVar.MSVBVM60 ref: 00424767
__vbaGetOwner3.MSVBVM60(0040A444,?,00000001), ref: 0042477F
__vbaFileClose.MSVBVM60(00000001), ref: 0042478E
__vbaUbound.MSVBVM60(00000001,?), ref: 004247A1
__vbaGenerateBoundsError.MSVBVM60 ref: 0042480E
__vbaGenerateBoundsError.MSVBVM60 ref: 00424825
__vbaStrUI1.MSVBVM60(00000000), ref: 00424841
__vbaStrMove.MSVBVM60 ref: 0042484C
__vbaStrCmp.MSVBVM60(0040796C,00000000), ref: 00424858
__vbaFreeStr.MSVBVM60 ref: 0042486C
__vbaGenerateBoundsError.MSVBVM60 ref: 004248C5
__vbaGenerateBoundsError.MSVBVM60 ref: 004248DC
#608.MSVBVM60(?,00000000), ref: 004248FE
__vbaVarAdd.MSVBVM60(?,?,00000008), ref: 00424910
__vbaStrVarMove.MSVBVM60(00000000), ref: 00424917
__vbaStrMove.MSVBVM60 ref: 00424922
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00424932
__vbaStrCopy.MSVBVM60 ref: 00424954
__vbaFreeStr.MSVBVM60(004249B3), ref: 004249A0
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004249AC

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$ErrorFreeMove$BoundsGenerate$File$#570#606#608ChkstkCloseCopyDestructListOpenOwner3Str2Ubound
String ID:
API String ID: 3136081494-0
Opcode ID: ce773839476eb44e80e8b30e9664ddbbbbb194b8b5faa7f6cd6155d312b3fc31
Instruction ID: 27b5a6cf581a68f32102f1097c0c9f5ab12dda25c652156dbf498cbea85f9006
Opcode Fuzzy Hash: ce773839476eb44e80e8b30e9664ddbbbbb194b8b5faa7f6cd6155d312b3fc31
Instruction Fuzzy Hash: 7D91E674E00218DFDB14DFA4DA88BDDBBB4FB48304F20816AE506B72A1DB745A85CF65

Function 00431650 Relevance: 44.0, APIs: 21, Strings: 4, Instructions: 203COMMON

Download Yara Rule

APIs

Part of subcall function 00432090: __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 004320ED
Part of subcall function 00432090: #632.MSVBVM60(?,?,00000000,?,?,?,00000000), ref: 00432131
Part of subcall function 00432090: __vbaVarMove.MSVBVM60(?,?,00000000), ref: 00432140
Part of subcall function 00432090: __vbaFreeVar.MSVBVM60(?,?,00000000), ref: 00432149
Part of subcall function 00432090: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,00000000), ref: 00432169
Part of subcall function 00432090: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00432189
Part of subcall function 00432090: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,00000000), ref: 004321A9
Part of subcall function 00432090: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 004321C9
Part of subcall function 00432090: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 004321E9

#632.MSVBVM60(?,?,?,?,?,?,?,?,6D42D8B1), ref: 004316D6
__vbaVarTstEq.MSVBVM60(?,?,?,?,?,?,?,?,6D42D8B1), ref: 004316FB
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,?,?,?,6D42D8B1), ref: 00431711
#632.MSVBVM60(?,00004008,?,00000002,?,?,6D42D8B1), ref: 00431768
__vbaVarTstEq.MSVBVM60(00008008,?,?,00000002,?,?,6D42D8B1), ref: 0043178D
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,00000002,?,?,6D42D8B1), ref: 004317A3
__vbaErrorOverflow.MSVBVM60(00431904,?,?,?,?,?,6D42D8B1), ref: 0043191B

Strings

true, xrefs: 004316E7
: , xrefs: 0043180D
Invalid Boolean at position , xrefs: 004317D5
false, xrefs: 00431779

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$#632Free$List$BstrErrorMoveOverflow
String ID: : $Invalid Boolean at position $false$true
API String ID: 4277481792-1334132093
Opcode ID: 118e29937d2f2c8318f4028fb20154315495309dcc491b82954b1f47b02b4543
Instruction ID: 6e94324009c574fae37af947af28c3d2d5d841661daa388a78b32d593ddb6f74
Opcode Fuzzy Hash: 118e29937d2f2c8318f4028fb20154315495309dcc491b82954b1f47b02b4543
Instruction Fuzzy Hash: F781F5B1900219EFDB14DF94DD88AEEBBB8FF88304F14421EE145A7260DBB41A49CF65

Function 004324F0 Relevance: 39.2, APIs: 26, Instructions: 189COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004030D6), ref: 0043250E
__vbaOnError.MSVBVM60(000000FF,00000000,?,00000001,00000000,004030D6), ref: 0043253E
__vbaStr2Vec.MSVBVM60(?), ref: 00432555
__vbaAryMove.MSVBVM60(?,?), ref: 00432563
__vbaUbound.MSVBVM60(00000001,?), ref: 00432576
__vbaGenerateBoundsError.MSVBVM60 ref: 004325E0
__vbaGenerateBoundsError.MSVBVM60 ref: 004325F1
__vbaUI1I2.MSVBVM60 ref: 00432615
__vbaUI1I2.MSVBVM60 ref: 00432629
__vbaUI1I2.MSVBVM60 ref: 0043263D
__vbaUI1I2.MSVBVM60 ref: 00432651
__vbaUI1I2.MSVBVM60 ref: 00432663
__vbaUI1I2.MSVBVM60 ref: 0043267B
__vbaUI1I2.MSVBVM60 ref: 0043268D
__vbaUI1I2.MSVBVM60 ref: 004326A5
__vbaUI1I2.MSVBVM60 ref: 004326B5
__vbaUI1I2.MSVBVM60 ref: 004326C7
__vbaGenerateBoundsError.MSVBVM60 ref: 00432712
__vbaGenerateBoundsError.MSVBVM60 ref: 00432723
__vbaUI1I2.MSVBVM60 ref: 0043272E
__vbaStrVarCopy.MSVBVM60(00002011,0040B44C,00000000,00000001,000000FF,00000000), ref: 00432771
__vbaStrMove.MSVBVM60 ref: 0043277C
#712.MSVBVM60(00000000), ref: 00432783
__vbaStrMove.MSVBVM60 ref: 0043278E
__vbaFreeStr.MSVBVM60 ref: 00432797
__vbaAryDestruct.MSVBVM60(00000000,?,004327DA), ref: 004327D3

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Error$BoundsGenerate$Move$#712ChkstkCopyDestructFreeStr2Ubound
String ID:
API String ID: 2409928056-0
Opcode ID: 1084910ace5bef600d200f0fdd586eebee336a10b7b1f30b88a0caf7ca925222
Instruction ID: f2c87915420c041b9cd31112f174744140c53ae4d996f20a6ece4dfcdb10a1e2
Opcode Fuzzy Hash: 1084910ace5bef600d200f0fdd586eebee336a10b7b1f30b88a0caf7ca925222
Instruction Fuzzy Hash: B3810974D01248DFDB14CFA8CA58BDDBBB1BF48300F14826AD552BB291CBB85985CF59

Function 0041C100 Relevance: 37.7, APIs: 25, Instructions: 202COMMON

Download Yara Rule

APIs

__vbaUbound.MSVBVM60(00000001,?,004019D0,-00000001,6D4FEC2C), ref: 0041C17A
__vbaUI1I2.MSVBVM60(?,004019D0,-00000001,6D4FEC2C), ref: 0041C182
__vbaAryCopy.MSVBVM60(?,00401AA8,?,004019D0,-00000001,6D4FEC2C), ref: 0041C190
__vbaGenerateBoundsError.MSVBVM60(?,004019D0,-00000001,6D4FEC2C), ref: 0041C1BE
__vbaVarMove.MSVBVM60(?,004019D0,-00000001,6D4FEC2C), ref: 0041C1F5
__vbaGenerateBoundsError.MSVBVM60(?,004019D0,-00000001,6D4FEC2C), ref: 0041C218
__vbaVarMove.MSVBVM60(?,004019D0,-00000001,6D4FEC2C), ref: 0041C24F
__vbaUbound.MSVBVM60(00000001,?,00000000,?,004019D0,-00000001,6D4FEC2C), ref: 0041C25B
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,?,00000000,?,004019D0,-00000001,6D4FEC2C), ref: 0041C26D
__vbaUbound.MSVBVM60(00000001,00000000), ref: 0041C27B
__vbaFreeVar.MSVBVM60(00000011,?,?,?,?), ref: 0041C2F0
__vbaI4Var.MSVBVM60(?,00000004), ref: 0041C2F8
__vbaFreeVar.MSVBVM60(0041C3EE), ref: 0041C3DA
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041C3E2
__vbaFreeVar.MSVBVM60 ref: 0041C3EB

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$FreeUbound$BoundsErrorGenerateMove$CopyDestructRedim
String ID:
API String ID: 149760206-0
Opcode ID: 3baccdda1d2809d46bde41a25fc8a952dccf70afff562d7b6d9ffcace4006ba5
Instruction ID: f0e285f4063d10deed7c1c1aa1cdf9b5e6e788df8985767b1477617bc2fe476b
Opcode Fuzzy Hash: 3baccdda1d2809d46bde41a25fc8a952dccf70afff562d7b6d9ffcace4006ba5
Instruction Fuzzy Hash: 70814771D002189FDB14CFA4CE84BEDBBB9EF88300F10819AE549A7261D7B45A85CF65

Function 00430B60 Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 198COMMON

Download Yara Rule

APIs

Part of subcall function 00432090: __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 004320ED
Part of subcall function 00432090: #632.MSVBVM60(?,?,00000000,?,?,?,00000000), ref: 00432131
Part of subcall function 00432090: __vbaVarMove.MSVBVM60(?,?,00000000), ref: 00432140
Part of subcall function 00432090: __vbaFreeVar.MSVBVM60(?,?,00000000), ref: 00432149
Part of subcall function 00432090: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,00000000), ref: 00432169
Part of subcall function 00432090: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00432189
Part of subcall function 00432090: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,00000000), ref: 004321A9
Part of subcall function 00432090: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 004321C9
Part of subcall function 00432090: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 004321E9

#632.MSVBVM60(?,?,?,?,?,?,?,00000000), ref: 00430BE3
__vbaVarMove.MSVBVM60(?,?,?,?,?,00000000), ref: 00430BF2
__vbaFreeVar.MSVBVM60(?,?,?,?,?,00000000), ref: 00430BFB
__vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,?,?,00000000), ref: 00430C20
__vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,?,?,00000000), ref: 00430C5F
__vbaVarSetObj.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00000000), ref: 00430C75
__vbaFreeVar.MSVBVM60(00430E59,?,?,?,?,?,00000000), ref: 00430E52

Part of subcall function 00430B60: __vbaChkstk.MSVBVM60(00000000,004030D6), ref: 004303EE
Part of subcall function 00430B60: __vbaNew.MSVBVM60(00405678,?,00000000,?,00000000,004030D6), ref: 00430421
Part of subcall function 00430B60: __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000,?,00000000,004030D6), ref: 0043042C
Part of subcall function 00430B60: #632.MSVBVM60(?,00004008,?,00000002), ref: 0043048A
Part of subcall function 00430B60: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 004304AF
Part of subcall function 00430B60: __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 004304C6

Strings

IKtURdOrQrJTUtVlROvWiJksPlxjRXfYF, xrefs: 00430D37

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Free$#632$Move$BstrChkstkList
String ID: IKtURdOrQrJTUtVlROvWiJksPlxjRXfYF
API String ID: 2645352053-2368175096
Opcode ID: 2581f3fa900a6acd7c20e0f9bf1c55efdf7e9f461afda66f5801de3f617ee9ec
Instruction ID: 00ae64f3a83a768669833b1904382921f5590d997e121e677bf95f2f209db79e
Opcode Fuzzy Hash: 2581f3fa900a6acd7c20e0f9bf1c55efdf7e9f461afda66f5801de3f617ee9ec
Instruction Fuzzy Hash: BB81F8B590020DAFDF10DFD4CA94AEEB7B8FF48704F50855AE049A7254DB786A09CF68

Function 00426874 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 218COMMON

Download Yara Rule

APIs

__vbaGenerateBoundsError.MSVBVM60 ref: 004268DA
__vbaGenerateBoundsError.MSVBVM60 ref: 004268F7
__vbaChkstk.MSVBVM60(?), ref: 0042693C
__vbaVarIndexLoad.MSVBVM60(?,?,00000001,?), ref: 00426970
__vbaVarSub.MSVBVM60(?,00000000), ref: 00426981
__vbaVarTstLt.MSVBVM60(00008002,00000000), ref: 0042698F
__vbaFreeVar.MSVBVM60 ref: 0042699F
__vbaGenerateBoundsError.MSVBVM60 ref: 004269F4
__vbaGenerateBoundsError.MSVBVM60 ref: 00426A11
__vbaGenerateBoundsError.MSVBVM60 ref: 00426A7D
__vbaGenerateBoundsError.MSVBVM60 ref: 00426A9A
__vbaVarAdd.MSVBVM60(?,00000002,?), ref: 00426ABE
__vbaChkstk.MSVBVM60(00000000), ref: 00426ACA
__vbaVarIndexLoad.MSVBVM60(?,?,00000001,00000000), ref: 00426B01
__vbaVarSub.MSVBVM60(?,00000000), ref: 00426B12
__vbaVarMove.MSVBVM60 ref: 00426B26
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00426B39
__vbaChkstk.MSVBVM60(?), ref: 00426C37
__vbaVarIndexLoad.MSVBVM60(?,?,00000001,?), ref: 00426C6B
__vbaVarSub.MSVBVM60(?,00000000), ref: 00426C7C
__vbaVarMove.MSVBVM60 ref: 00426C90
__vbaFreeVar.MSVBVM60 ref: 00426C99
__vbaGenerateBoundsError.MSVBVM60 ref: 00426CF2
__vbaGenerateBoundsError.MSVBVM60 ref: 00426D0F
__vbaI4Var.MSVBVM60(?), ref: 00426D28
#608.MSVBVM60(?,00000000), ref: 00426D33
__vbaVarAdd.MSVBVM60(?,?,00000008), ref: 00426D4B
__vbaStrVarMove.MSVBVM60(00000000), ref: 00426D52
__vbaStrMove.MSVBVM60 ref: 00426D5D
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00426D70
#712.MSVBVM60(?,0040A5D4,0040796C,00000001,000000FF,00000000), ref: 00426DA0
__vbaStrMove.MSVBVM60 ref: 00426DAB
__vbaFreeVar.MSVBVM60(00426E58), ref: 00426E0C
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00426E18
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00426E24
__vbaAryDestruct.MSVBVM60(00000000,00000000), ref: 00426E30
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00426E3C
__vbaFreeStr.MSVBVM60 ref: 00426E45
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00426E51
__vbaErrorOverflow.MSVBVM60 ref: 00426E73

Strings

?, xrefs: 00426D79

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Error$BoundsGenerate$Free$DestructMove$ChkstkIndexLoad$List$#608#712Overflow
String ID: ?
API String ID: 2601914315-1684325040
Opcode ID: 60136c3ecd21dd9e1db791fc5e9bba66e31002cabf61c2bbf48c8e1ee5f85e0d
Instruction ID: 0528d71923e38258377bfa1d05c1f1432efa54e83b06e1ccfe4f43acf83de86b
Opcode Fuzzy Hash: 60136c3ecd21dd9e1db791fc5e9bba66e31002cabf61c2bbf48c8e1ee5f85e0d
Instruction Fuzzy Hash: BCA116B0A00228DFDB18DF94D988BEEB7B5FF44304F10819AE50AA7250DB74AAC5CF45

Function 004306E5 Relevance: 33.2, APIs: 22, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 00431BC0: __vbaLenBstr.MSVBVM60(?,00402A88,?,?,00000000,00000000), ref: 00431C3C
Part of subcall function 00431BC0: #632.MSVBVM60(?,?,00000000,?,?,00402A88,?,?,00000000,00000000), ref: 00431C80
Part of subcall function 00431BC0: __vbaStrVarMove.MSVBVM60(?,?,00402A88,?,?,00000000,00000000), ref: 00431C8A
Part of subcall function 00431BC0: __vbaStrMove.MSVBVM60(?,00402A88,?,?,00000000,00000000), ref: 00431C95
Part of subcall function 00431BC0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,00402A88,?,?,00000000,00000000), ref: 00431CA1
Part of subcall function 00431BC0: __vbaStrCopy.MSVBVM60(?,00000000,00000000), ref: 00431CB3
Part of subcall function 00431BC0: __vbaStrCmp.MSVBVM60(00409DD4,?), ref: 00431CCB

__vbaStrMove.MSVBVM60(?,00000000,?,?,?,?,?,00000000,?,00000000,004030D6), ref: 00430896
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,?,00000000,?,00000000,004030D6), ref: 004308A5

Part of subcall function 00430B60: #632.MSVBVM60(?,?,?,?,?,?,?,00000000), ref: 00430BE3
Part of subcall function 00430B60: __vbaVarMove.MSVBVM60(?,?,?,?,?,00000000), ref: 00430BF2
Part of subcall function 00430B60: __vbaFreeVar.MSVBVM60(?,?,?,?,?,00000000), ref: 00430BFB
Part of subcall function 00430B60: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,?,?,00000000), ref: 00430C20

__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00405668,00000028), ref: 00430910
__vbaFreeVar.MSVBVM60 ref: 0043092B
#685.MSVBVM60 ref: 00430938
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430943
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040A9C4,0000001C), ref: 0043098E
__vbaFreeObj.MSVBVM60 ref: 004309BE
#685.MSVBVM60 ref: 004309DA
__vbaObjSet.MSVBVM60(?,00000000), ref: 004309E5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040A9C4,0000002C), ref: 00430A2D
__vbaStrCat.MSVBVM60(?,00000000), ref: 00430A50
__vbaStrMove.MSVBVM60 ref: 00430A5B
__vbaStrCat.MSVBVM60(004074EC,00000000), ref: 00430A67
__vbaStrMove.MSVBVM60 ref: 00430A72
__vbaStrCat.MSVBVM60(?,00000000), ref: 00430A7D
__vbaStrMove.MSVBVM60 ref: 00430A88
__vbaStrCat.MSVBVM60(00405824,00000000), ref: 00430A94
__vbaStrMove.MSVBVM60 ref: 00430AA1

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$CheckHresult$#632#685$BstrCopyErrorList
String ID:
API String ID: 2070835150-0
Opcode ID: 8ff5959f58b09f67fed506e0d12086244c97f7b5544da6ede9f829fa9f7b643f
Instruction ID: 185329e081c2013b97245a50dd7e1eb17ebf67c8066c18f60764d50aac431cfd
Opcode Fuzzy Hash: 8ff5959f58b09f67fed506e0d12086244c97f7b5544da6ede9f829fa9f7b643f
Instruction Fuzzy Hash: BD61D875901218EFDB14DFA0DD58FDEB7B5BB48301F1086A9E60AB32A0DB345A85CF24

Function 0042FEDD Relevance: 31.7, APIs: 21, Instructions: 193COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(000000FF), ref: 0043007E

Part of subcall function 00430B60: #632.MSVBVM60(?,?,?,?,?,?,?,00000000), ref: 00430BE3
Part of subcall function 00430B60: __vbaVarMove.MSVBVM60(?,?,?,?,?,00000000), ref: 00430BF2
Part of subcall function 00430B60: __vbaFreeVar.MSVBVM60(?,?,?,?,?,00000000), ref: 00430BFB
Part of subcall function 00430B60: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,?,?,00000000), ref: 00430C20

__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B580,00000020), ref: 00430105
__vbaFreeVarList.MSVBVM60(00000004,?,0000000A,0000000A,0000000A), ref: 0043012F
#685.MSVBVM60 ref: 0043013F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043014A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A9C4,0000001C), ref: 00430195
__vbaFreeObj.MSVBVM60 ref: 004301C5
#685.MSVBVM60 ref: 004301E1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004301EC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A9C4,0000002C), ref: 00430234
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00430257
__vbaStrMove.MSVBVM60 ref: 00430262
__vbaStrCat.MSVBVM60(004074EC,00000000), ref: 0043026E

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$#685Move$#632ErrorList
String ID:
API String ID: 1838273782-0
Opcode ID: ff573a78c4137040f2519dd599cca3cc6dc9ac62e15350fc9f3a8d22924a19c2
Instruction ID: 95dd7ef1d4007deae355760f07fd42b620220de7d86b697b5d6566f3d6d0504e
Opcode Fuzzy Hash: ff573a78c4137040f2519dd599cca3cc6dc9ac62e15350fc9f3a8d22924a19c2
Instruction Fuzzy Hash: A681E6B5900218EFDB14DFD0DD88BDEB7B9BB48300F10869AE50AB7150DB745A89CF64

Function 0042C260 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,0000000B,00000000,?,00000000), ref: 0042C2B8
__vbaUbound.MSVBVM60(00000001,?), ref: 0042C2CD
__vbaFreeVar.MSVBVM60(?,?,?,?,?), ref: 0042C31C
__vbaUbound.MSVBVM60(00000001,?,00000000), ref: 0042C328
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-0000001F,?,00000000), ref: 0042C34C
__vbaUbound.MSVBVM60(00000001,?), ref: 0042C35B

Part of subcall function 0042ECB0: __vbaFreeVar.MSVBVM60 ref: 0042EFB5

__vbaFreeVar.MSVBVM60(?,?,?,?,?), ref: 0042C3AA
__vbaUbound.MSVBVM60(00000001,00000000,00000010,?,00000000,00000000), ref: 0042C3BD
__vbaUbound.MSVBVM60(00000001,?,($@,-0000000F), ref: 0042C3D0

Part of subcall function 0042C490: #644.MSVBVM60(AES,6D4245C1,00000000,($@), ref: 0042C4EA
Part of subcall function 0042C490: __vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000), ref: 0042C501
Part of subcall function 0042C490: __vbaStrCopy.MSVBVM60 ref: 0042C510
Part of subcall function 0042C490: __vbaSetSystemError.MSVBVM60(?), ref: 0042C814
Part of subcall function 0042C490: __vbaSetSystemError.MSVBVM60(?,00000000), ref: 0042C824
Part of subcall function 0042C490: __vbaFreeStr.MSVBVM60(0042C84A), ref: 0042C843

#717.MSVBVM60(00000003,?,00000040,00000000,0042C138,?,?,00000000,-00000001), ref: 0042C40B
__vbaStrVarMove.MSVBVM60(00000003), ref: 0042C415
__vbaStrMove.MSVBVM60 ref: 0042C420
__vbaFreeVar.MSVBVM60 ref: 0042C429
__vbaAryDestruct.MSVBVM60(00000000,?,0042C46D,0042C138,?,?,00000000,-00000001), ref: 0042C45C
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042C463
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042C46A
__vbaErrorOverflow.MSVBVM60 ref: 0042C483

Part of subcall function 0042ECB0: __vbaChkstk.MSVBVM60(00000000,004030D6), ref: 0042EE3E
Part of subcall function 0042ECB0: __vbaOnError.MSVBVM60(000000FF,6D42D8B1,?,6D41A323,00000000,004030D6), ref: 0042EE6E
Part of subcall function 0042ECB0: __vbaVarVargNofree.MSVBVM60 ref: 0042EE8F
Part of subcall function 0042ECB0: __vbaVarSub.MSVBVM60(?,00000002,00000000), ref: 0042EE9E
Part of subcall function 0042ECB0: __vbaI2Var.MSVBVM60(00000000), ref: 0042EEA5
Part of subcall function 0042ECB0: __vbaChkstk.MSVBVM60 ref: 0042EF2B
Part of subcall function 0042ECB0: __vbaChkstk.MSVBVM60 ref: 0042EF4E
Part of subcall function 0042ECB0: __vbaVarIndexLoad.MSVBVM60(?,?,00000001), ref: 0042EF76
Part of subcall function 0042ECB0: __vbaChkstk.MSVBVM60 ref: 0042EF86
Part of subcall function 0042ECB0: __vbaVarIndexStore.MSVBVM60(00000000,00000001), ref: 0042EFA9

Strings

($@, xrefs: 0042C2D2, 0042C3CC

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$ErrorFreeUbound$Chkstk$DestructSystem$IndexMoveRedim$#644#717CopyLoadNofreeOverflowStoreVarg
String ID: ($@
API String ID: 161593248-1311469180
Opcode ID: 81ed0f519873673574c8bc33aec983e2e7658764fa2c227225f3d605abdfaf78
Instruction ID: a79e5abe41e453aa90ba99eeb10c5bb06b5eb38d77dcd0a54a6dbfc7723e8c11
Opcode Fuzzy Hash: 81ed0f519873673574c8bc33aec983e2e7658764fa2c227225f3d605abdfaf78
Instruction Fuzzy Hash: FA611BB1D01218AFDB04DFE4DD85EEEBBB9EF48700F10811AF505BA294D6B56A44CFA4

Function 0042EA80 Relevance: 31.7, APIs: 21, Instructions: 160COMMON

Download Yara Rule

APIs

__vbaLenBstr.MSVBVM60(00000000,00402700,00000000,6D42D8B1), ref: 0042EAC9
__vbaLenBstr.MSVBVM60 ref: 0042EAD7
_adj_fdiv_m64.MSVBVM60 ref: 0042EB02
__vbaFpI4.MSVBVM60 ref: 0042EB11
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000), ref: 0042EB31
__vbaUbound.MSVBVM60(00000001,?), ref: 0042EB40
__vbaGenerateBoundsError.MSVBVM60 ref: 0042EB80
__vbaGenerateBoundsError.MSVBVM60 ref: 0042EB88
#631.MSVBVM60(?,?,?,0040A4B0), ref: 0042EBB4
__vbaStrMove.MSVBVM60 ref: 0042EBBF
__vbaStrCat.MSVBVM60(00000000), ref: 0042EBC2
__vbaStrMove.MSVBVM60 ref: 0042EBCD
#581.MSVBVM60(00000000), ref: 0042EBD0
__vbaFpUI1.MSVBVM60 ref: 0042EBD6
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042EBEF
__vbaFreeVar.MSVBVM60 ref: 0042EBFB
__vbaAryCopy.MSVBVM60(?,?), ref: 0042EC1F
__vbaAryCopy.MSVBVM60(?,?), ref: 0042EC35
__vbaAryDestruct.MSVBVM60(00000000,?,0042EC89), ref: 0042EC7E
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042EC86

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$BoundsBstrCopyDestructErrorFreeGenerateMove$#581#631ListRedimUbound_adj_fdiv_m64
String ID:
API String ID: 796740024-0
Opcode ID: 926c2a64c744023e314f35efbd6e670d23ae845769974af15881788388fed48a
Instruction ID: 711d211df41d8dde8c61da5d577fc3e3e83583ecd5aa9ed7bebc3896d50b31f3
Opcode Fuzzy Hash: 926c2a64c744023e314f35efbd6e670d23ae845769974af15881788388fed48a
Instruction Fuzzy Hash: 92517F70E00218EFDB04DFE6EE89AAEBBB9FB48701F50812AE505B7260D7745841CF59

Function 004314A0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

Part of subcall function 00432090: __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 004320ED
Part of subcall function 00432090: #632.MSVBVM60(?,?,00000000,?,?,?,00000000), ref: 00432131
Part of subcall function 00432090: __vbaVarMove.MSVBVM60(?,?,00000000), ref: 00432140
Part of subcall function 00432090: __vbaFreeVar.MSVBVM60(?,?,00000000), ref: 00432149
Part of subcall function 00432090: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,00000000), ref: 00432169
Part of subcall function 00432090: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00432189
Part of subcall function 00432090: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,00000000), ref: 004321A9
Part of subcall function 00432090: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 004321C9
Part of subcall function 00432090: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 004321E9

__vbaLenBstr.MSVBVM60(?,?,?,6D42D8B1,?,?), ref: 004314F8
#632.MSVBVM60(?,?,?,?,?,?,?,6D42D8B1,?,?), ref: 00431539
__vbaStrVarMove.MSVBVM60(?,?,?,?,6D42D8B1,?,?), ref: 00431543
__vbaStrMove.MSVBVM60(?,?,?,6D42D8B1,?,?), ref: 0043154E
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,6D42D8B1,?,?), ref: 0043155A
__vbaInStr.MSVBVM60(00000000,?,+-0123456789.eE,00000001,6D42D8B1,?,?), ref: 00431570
__vbaStrCat.MSVBVM60(?,?), ref: 00431582
__vbaStrMove.MSVBVM60 ref: 0043158D
#564.MSVBVM60(00004008,00000002), ref: 004315B9
__vbaHresultCheck.MSVBVM60(00000000), ref: 004315C4
__vbaVarMove.MSVBVM60 ref: 004315D0
__vbaFreeStr.MSVBVM60(00431611,?,?,?,6D42D8B1,?,?), ref: 00431609
__vbaFreeStr.MSVBVM60(?,?,?,6D42D8B1,?,?), ref: 0043160E
__vbaErrorOverflow.MSVBVM60 ref: 00431640

Strings

+-0123456789.eE, xrefs: 00431568

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$#632Bstr$#564CheckErrorHresultListOverflow
String ID: +-0123456789.eE
API String ID: 654446260-3706364263
Opcode ID: 5dd43ac8149da61bd8ee625107cdf0468f812e9e938102ad8eca6366f64d02fa
Instruction ID: 9136322a2119d5f1aacdf805f51ea8f6c0e77b3e43a1c18da83211084d42bebf
Opcode Fuzzy Hash: 5dd43ac8149da61bd8ee625107cdf0468f812e9e938102ad8eca6366f64d02fa
Instruction Fuzzy Hash: CF413CB1D00209AFCB04DFA5D985AEEBBB8FF48704F00812AE516B7264EB746945CF64

Function 0041B6F0 Relevance: 24.1, APIs: 16, Instructions: 128COMMON

Download Yara Rule

APIs

#644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,004030D6), ref: 0041B733
__vbaLenBstr.MSVBVM60(?,00000000,00000000,00000000,00000000), ref: 0041B742
__vbaSetSystemError.MSVBVM60(0000FDE9,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0041B758
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000,?,00000000,00000000,00000000,00000000), ref: 0041B784
#644.MSVBVM60(00000000), ref: 0041B790
__vbaAryLock.MSVBVM60(?,?), ref: 0041B79C
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041B7BB
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041B7C8
__vbaLenBstr.MSVBVM60(?,00000000,?,00000000,00000000), ref: 0041B7E2
__vbaSetSystemError.MSVBVM60(0000FDE9,00000000,00000000,00000000), ref: 0041B7F6
__vbaAryUnlock.MSVBVM60(?), ref: 0041B800
__vbaStr2Vec.MSVBVM60(?,00000000,?,00000000,00000000,00000000,00000000), ref: 0041B80C
__vbaAryMove.MSVBVM60(?,?,?,00000000,00000000,00000000,00000000), ref: 0041B81A
__vbaAryMove.MSVBVM60(?,?,?,00000000,00000000,00000000,00000000), ref: 0041B828
__vbaAryDestruct.MSVBVM60(00000000,?,0041B86B,?,00000000,00000000,00000000,00000000), ref: 0041B864
__vbaErrorOverflow.MSVBVM60(00000000,?,00000000,00000000,00000000,00000000), ref: 0041B881

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Error$#644BoundsBstrGenerateMoveSystem$DestructLockOverflowRedimStr2Unlock
String ID:
API String ID: 2297530715-0
Opcode ID: 03c2d34c5da55568346e7be3cdbf5c606209067d442dd6e03cb1af6a6e142cc3
Instruction ID: facbf0fad52eaf156f210e650c605653535b5a0f73e6edb35c62a4a7f24c37b0
Opcode Fuzzy Hash: 03c2d34c5da55568346e7be3cdbf5c606209067d442dd6e03cb1af6a6e142cc3
Instruction Fuzzy Hash: 49413074A00205AFDB14EFA4CD89FEE7BB8EB48B01F10451AF505B7290D774A881CBA8

Function 0042E8C0 Relevance: 22.6, APIs: 15, Instructions: 132COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6D42D8B1,00000000,00000000), ref: 0042E902
__vbaGenerateBoundsError.MSVBVM60 ref: 0042E941
__vbaGenerateBoundsError.MSVBVM60 ref: 0042E94B
__vbaStrUI1.MSVBVM60(?), ref: 0042E95A
__vbaStrMove.MSVBVM60 ref: 0042E965
__vbaStrCmp.MSVBVM60(0040796C,00000000), ref: 0042E96D
__vbaFreeStr.MSVBVM60 ref: 0042E980
__vbaGenerateBoundsError.MSVBVM60 ref: 0042E9B7
__vbaGenerateBoundsError.MSVBVM60 ref: 0042E9C1
#608.MSVBVM60(?,00000000), ref: 0042E9D6
__vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0042E9E8
__vbaStrVarMove.MSVBVM60(00000000), ref: 0042E9EF
__vbaStrMove.MSVBVM60 ref: 0042E9FA
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042EA06

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$BoundsErrorGenerate$Move$Free$#608CopyList
String ID:
API String ID: 1868846481-0
Opcode ID: 689ad2581e68a65f5267189d5a3a514159f27da0af016da24bbe7ed23ad52d35
Instruction ID: e8d1230953c0cc7c8dbdaf5d51543e40696701a6c72430354490b54089ba4e84
Opcode Fuzzy Hash: 689ad2581e68a65f5267189d5a3a514159f27da0af016da24bbe7ed23ad52d35
Instruction Fuzzy Hash: 4D4151B9E00129DFCB04DFA5D988AAEBB75FF48700F50816BE802B7350DB749841CB98

Function 00432090 Relevance: 21.2, APIs: 14, Instructions: 179COMMON

Download Yara Rule

APIs

__vbaLenBstr.MSVBVM60(?,?,00000000), ref: 004320ED
#632.MSVBVM60(?,?,00000000,?,?,?,00000000), ref: 00432131
__vbaVarMove.MSVBVM60(?,?,00000000), ref: 00432140
__vbaFreeVar.MSVBVM60(?,?,00000000), ref: 00432149
__vbaVarTstEq.MSVBVM60(00004008,?,?,?,00000000), ref: 00432169
__vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00432189
__vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,00000000), ref: 004321A9
__vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 004321C9
__vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 004321E9
__vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 00432209
__vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,00000000), ref: 00432229
__vbaFreeVar.MSVBVM60(004322E3,?,?,00000000), ref: 004322DC

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Free$#632BstrMove
String ID:
API String ID: 563547971-0
Opcode ID: d69d7a7ed1c3e84b224e5c63cf746238737397c264c58c835669f275f8c669d4
Instruction ID: f1d9c2993b85f621a844e2641b01aea619df5574dee56f8286fa71eb6718e8b7
Opcode Fuzzy Hash: d69d7a7ed1c3e84b224e5c63cf746238737397c264c58c835669f275f8c669d4
Instruction Fuzzy Hash: E8611CB1C0024ADEDF10DF95C944AEEBBB4FF48304F50C16AD415B7294DBB81A468FA9

Function 00432370 Relevance: 21.1, APIs: 14, Instructions: 103COMMON

Download Yara Rule

APIs

__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 004323BD
__vbaI2I4.MSVBVM60 ref: 004323CE
__vbaI2I4.MSVBVM60 ref: 004323DD
__vbaGenerateBoundsError.MSVBVM60(?,00000002), ref: 00432415
__vbaGenerateBoundsError.MSVBVM60 ref: 0043241D
#631.MSVBVM60(?,?,00000002), ref: 00432440
__vbaStrMove.MSVBVM60(?,00000002), ref: 0043244B
#516.MSVBVM60(00000000,?,00000002), ref: 00432452
__vbaUI1I2.MSVBVM60(?,00000002), ref: 0043245A
__vbaFreeStr.MSVBVM60(?,00000002), ref: 0043246C
__vbaFreeVar.MSVBVM60(?,00000002), ref: 00432475
__vbaAryMove.MSVBVM60(?,?), ref: 00432494
__vbaAryDestruct.MSVBVM60(00000000,?,004324D3), ref: 004324CC

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$BoundsErrorFreeGenerateMove$#516#631DestructRedim
String ID:
API String ID: 1468883768-0
Opcode ID: 8e631f4d0dfd48e904851e7128d924d225c8803be3d1f2a2066d7ef3ec56608a
Instruction ID: f059d1d64a4caf2315785085d9bb5da2f47f52e9a2ff60e3cdf4ce9db25721f7
Opcode Fuzzy Hash: 8e631f4d0dfd48e904851e7128d924d225c8803be3d1f2a2066d7ef3ec56608a
Instruction Fuzzy Hash: BC418275900204DFDB14DF64DA49AEEBBB9FF9C700F10412AE901B7260D7B89884CB64

Function 0042CCD0 Relevance: 21.1, APIs: 14, Instructions: 84COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004030D6,?,?,00000000,?,?,004030D6), ref: 0042CCEE
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004030D6), ref: 0042CD1E
#645.MSVBVM60(00004008,00000000), ref: 0042CD3E
__vbaStrMove.MSVBVM60 ref: 0042CD49
__vbaLenBstrB.MSVBVM60(00000000), ref: 0042CD50
__vbaFreeStr.MSVBVM60 ref: 0042CD66
#648.MSVBVM60(0000000A), ref: 0042CD91
__vbaFreeVar.MSVBVM60 ref: 0042CD9E
__vbaFileOpen.MSVBVM60(00000020,000000FF,?,00000000), ref: 0042CDBA
#570.MSVBVM60(?), ref: 0042CDCC
#525.MSVBVM60(00000000), ref: 0042CDD3
__vbaStrMove.MSVBVM60 ref: 0042CDDE
__vbaGet3.MSVBVM60(00000000,00000000,?), ref: 0042CDF6
__vbaFileClose.MSVBVM60(?), ref: 0042CE08

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$FileFreeMove$#525#570#645#648BstrChkstkCloseErrorGet3Open
String ID:
API String ID: 3431710322-0
Opcode ID: efe28cf266f4779aa3e85c190e8a90b86f89e250f0c2b8fe7fa525470041b901
Instruction ID: 1c0b31d22bf311f8ef879f7298e23bed5ff023f840c9435f0fcc43c9604807dd
Opcode Fuzzy Hash: efe28cf266f4779aa3e85c190e8a90b86f89e250f0c2b8fe7fa525470041b901
Instruction Fuzzy Hash: 7E310DB5901208EBDB04DFE4DA48BDEBBB8FF08705F108169F511B72A0DB795A44CB69

Function 0042A140 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 238COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004030D6), ref: 0042A15E
__vbaOnError.MSVBVM60(000000FF,00000000,-00000001,6D4245C1,00000000,004030D6), ref: 0042A18E
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 0042A1C7
__vbaRedim.MSVBVM60(00000080,00000001,0043D0A0,00000011,00000001,00000000,00000000), ref: 0042A248
__vbaAryMove.MSVBVM60(?,?,00006011,0043D094,00006011,?,00004002), ref: 0042A30A
__vbaAryMove.MSVBVM60(0043D0A0,?,?,?,?), ref: 0042A3FA
__vbaAryMove.MSVBVM60(?,?,00006011,?,00006011,?,00004002), ref: 0042A508
__vbaAryDestruct.MSVBVM60(00000000,?,0042A542), ref: 0042A52F
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042A53B

Part of subcall function 0042ECB0: __vbaChkstk.MSVBVM60(00000000,004030D6), ref: 0042EE3E
Part of subcall function 0042ECB0: __vbaOnError.MSVBVM60(000000FF,6D42D8B1,?,6D41A323,00000000,004030D6), ref: 0042EE6E
Part of subcall function 0042ECB0: __vbaVarVargNofree.MSVBVM60 ref: 0042EE8F
Part of subcall function 0042ECB0: __vbaVarSub.MSVBVM60(?,00000002,00000000), ref: 0042EE9E
Part of subcall function 0042ECB0: __vbaI2Var.MSVBVM60(00000000), ref: 0042EEA5
Part of subcall function 0042ECB0: __vbaChkstk.MSVBVM60 ref: 0042EF2B
Part of subcall function 0042ECB0: __vbaChkstk.MSVBVM60 ref: 0042EF4E
Part of subcall function 0042ECB0: __vbaVarIndexLoad.MSVBVM60(?,?,00000001), ref: 0042EF76
Part of subcall function 0042ECB0: __vbaChkstk.MSVBVM60 ref: 0042EF86
Part of subcall function 0042ECB0: __vbaVarIndexStore.MSVBVM60(00000000,00000001), ref: 0042EFA9

__vbaErrorOverflow.MSVBVM60(00000000), ref: 0042A558

Strings

#, xrefs: 0042A4F9

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Chkstk$ErrorMove$DestructIndexRedim$LoadNofreeOverflowStoreVarg
String ID: #
API String ID: 2367531599-1885708031
Opcode ID: 649582f2c101eeefb12995c6e77167847e9fd0e8b36fc0774355831990dd8661
Instruction ID: 68efb111a1aeaa305ce79928a42c2be9ec804b758d3c92e546238b7b7467a383
Opcode Fuzzy Hash: 649582f2c101eeefb12995c6e77167847e9fd0e8b36fc0774355831990dd8661
Instruction Fuzzy Hash: BDB118B0D0120CEADB04DFD4EA48BDEBBB4FF08708F508059E6057B294D7B95A89DB59

Function 0042E770 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004030D6), ref: 0042E78E
__vbaOnError.MSVBVM60(000000FF,6D42D8B1,00000000,00000000,00000000,004030D6), ref: 0042E7BE
__vbaInStr.MSVBVM60(00000000,0040B44C,?,00000001), ref: 0042E7DA
#617.MSVBVM60(?,00004008,-00000001), ref: 0042E819
#520.MSVBVM60(?,?), ref: 0042E827
__vbaStrVarMove.MSVBVM60(?), ref: 0042E831
__vbaStrMove.MSVBVM60 ref: 0042E83C
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042E84C
__vbaStrCopy.MSVBVM60 ref: 0042E866
__vbaErrorOverflow.MSVBVM60 ref: 0042E8B1

Strings

'@, xrefs: 0042ECF0, 0042ED24

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$ErrorMove$#520#617ChkstkCopyFreeListOverflow
String ID: '@
API String ID: 4098594408-1796566023
Opcode ID: dc6c3591c04bcd1dd1bec91034e11720fda355bd2d6d0f2a4beab6fd682a8556
Instruction ID: a1532009b3451ecea4eb63e4f999da68cff088f55a824ecb4ff241b6cbdba044
Opcode Fuzzy Hash: dc6c3591c04bcd1dd1bec91034e11720fda355bd2d6d0f2a4beab6fd682a8556
Instruction Fuzzy Hash: 53312F71900249EFDB00DF94DA49BDEBFB8FF04704F108159E505B7290D7796A84CB59

Function 0041BE32 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__vbaRecDestruct.MSVBVM60(004050BC,?), ref: 0041BE66

Part of subcall function 0041C100: __vbaUbound.MSVBVM60(00000001,?,004019D0,-00000001,6D4FEC2C), ref: 0041C17A
Part of subcall function 0041C100: __vbaUI1I2.MSVBVM60(?,004019D0,-00000001,6D4FEC2C), ref: 0041C182
Part of subcall function 0041C100: __vbaAryCopy.MSVBVM60(?,00401AA8,?,004019D0,-00000001,6D4FEC2C), ref: 0041C190
Part of subcall function 0041C100: __vbaFreeVar.MSVBVM60(0041C3EE), ref: 0041C3DA
Part of subcall function 0041C100: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041C3E2
Part of subcall function 0041C100: __vbaFreeVar.MSVBVM60 ref: 0041C3EB

__vbaRecAssign.MSVBVM60(004050BC,?,?,?), ref: 0041BE91
__vbaAryCopy.MSVBVM60(?,?), ref: 0041BEB3
#698.MSVBVM60(?,?), ref: 0041BEE4
__vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0041BEFF
__vbaStrVarMove.MSVBVM60(00000000), ref: 0041BF06
__vbaStrMove.MSVBVM60 ref: 0041BF11
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041BF27
__vbaStrVarVal.MSVBVM60(?,?,00405638,00000001,000000FF,00000000), ref: 0041BF6F
#712.MSVBVM60(?,00000000), ref: 0041BF7A
__vbaStrMove.MSVBVM60 ref: 0041BF85
__vbaFreeStr.MSVBVM60 ref: 0041BF91
__vbaRecDestruct.MSVBVM60(004050BC,?,0041C0D7), ref: 0041BFFE
__vbaRecDestruct.MSVBVM60(004050BC,?), ref: 0041C010
__vbaRecDestruct.MSVBVM60(004050BC,?), ref: 0041C022
__vbaRecDestruct.MSVBVM60(004050BC,?), ref: 0041C034
__vbaRecDestruct.MSVBVM60(004050BC,?), ref: 0041C046
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041C055
__vbaFreeVar.MSVBVM60 ref: 0041C05E
__vbaRecDestruct.MSVBVM60(004050BC,?), ref: 0041C06D
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041C079
__vbaFreeVar.MSVBVM60 ref: 0041C082
__vbaRecDestruct.MSVBVM60(004050BC,?), ref: 0041C091
__vbaRecDestruct.MSVBVM60(004050BC,?), ref: 0041C0A0
__vbaFreeStr.MSVBVM60 ref: 0041C0A9
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041C0B5
__vbaRecDestruct.MSVBVM60(004050BC,?), ref: 0041C0C4
__vbaFreeStr.MSVBVM60 ref: 0041C0D0
__vbaErrorOverflow.MSVBVM60 ref: 0041C0ED

Strings

&, xrefs: 0041BF30

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Destruct$Free$Move$Copy$#698#712AssignErrorListOverflowUbound
String ID: &
API String ID: 3078955159-1010288
Opcode ID: 27a65ceba443ac56885d1e360dad413f939df5f43b2a35e08b0e7aebde89fb86
Instruction ID: b1479b74565a89c3dfe799059aee65bb52b9dea95223e59b27ede90fd81375a3
Opcode Fuzzy Hash: 27a65ceba443ac56885d1e360dad413f939df5f43b2a35e08b0e7aebde89fb86
Instruction Fuzzy Hash: 5F31F971801258AFDB11CBA0DE88BEEBBB8BB48300F14819EE14AB7151D7751A88CF65

Function 0043AF40 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

#631.MSVBVM60(?,004030D6,?,6D42D8B1,6D42D83C,00000000), ref: 0043AF98
__vbaStrMove.MSVBVM60(?,00000000,00000002), ref: 0043AFA3
__vbaFreeVar.MSVBVM60(?,00000000,00000002), ref: 0043AFAC
__vbaStrCmp.MSVBVM60(00407034,?), ref: 0043AFC8
#561.MSVBVM60(00004008), ref: 0043AFD9
__vbaFreeStr.MSVBVM60(0043B013,6D42D8B1,6D42D83C,00000000), ref: 0043B00C
__vbaErrorOverflow.MSVBVM60 ref: 0043B029

Strings

SpPNKQwBzuVGaGhvnlwxFaZxbOUrNHuL, xrefs: 0043B4C2
IP:, xrefs: 0043B2D2
18243A3B6B586D091D3930083746180B18, xrefs: 0043B481

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Free$#561#631ErrorMoveOverflow
String ID: 18243A3B6B586D091D3930083746180B18$IP:$SpPNKQwBzuVGaGhvnlwxFaZxbOUrNHuL
API String ID: 3197503391-3402312904
Opcode ID: 689539cc900c512ed7c2de4426b804dbe95cca75c3d5b85bfcbf4413a336c79d
Instruction ID: a8be2a08f34082ea70e346f325686bb2978981354e8d8ee772627e2965dd18b0
Opcode Fuzzy Hash: 689539cc900c512ed7c2de4426b804dbe95cca75c3d5b85bfcbf4413a336c79d
Instruction Fuzzy Hash: 6E211075D00209AFCB14DFB8D945AEEBBB4EB0C741F10522AE516F72A0E7745904CFA5

Function 00433E80 Relevance: 16.6, APIs: 11, Instructions: 96COMMON

Download Yara Rule

APIs

__vbaSetSystemError.MSVBVM60(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,00000000), ref: 00433ED1
__vbaStrCopy.MSVBVM60(?,00000000), ref: 00433EE4
__vbaVarDup.MSVBVM60(?,00000000), ref: 00433F08
#607.MSVBVM60(?,-00000001,?,?,00000000), ref: 00433F22
__vbaStrVarMove.MSVBVM60(?,?,00000000), ref: 00433F2C
__vbaStrMove.MSVBVM60(?,00000000), ref: 00433F37
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,00000000), ref: 00433F47
#644.MSVBVM60(?), ref: 00433F54
__vbaSetSystemError.MSVBVM60(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00433F6C
__vbaFreeStr.MSVBVM60(00433FA6,?,000000FF,00000000,00000000), ref: 00433F9F

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$ErrorFreeMoveSystem$#607#644CopyList
String ID:
API String ID: 3415219340-0
Opcode ID: ff8d7aa729cfb73c50c8c0a12e9c749eb98539d600895a4b8492013cccc7201d
Instruction ID: 2ebdc42460f10a7874e9a21e244da2870e744d7b21d4e5efd8afa7d33b599f9e
Opcode Fuzzy Hash: ff8d7aa729cfb73c50c8c0a12e9c749eb98539d600895a4b8492013cccc7201d
Instruction Fuzzy Hash: 91318071D01149AFCB00EFA5DE49DAEBBB9EF84701F10812AF501B62A4DB785A05CF99

Function 0042AEF2 Relevance: 13.6, APIs: 9, Instructions: 67COMMON

Download Yara Rule

APIs

#685.MSVBVM60 ref: 0042AF1A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042AF25
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040A9C4,0000002C), ref: 0042AF46
#595.MSVBVM60(00000008,00000000,?,?,?), ref: 0042AF78
__vbaFreeObj.MSVBVM60 ref: 0042AF81
__vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 0042AF9F
__vbaExitProc.MSVBVM60 ref: 0042AFA8
__vbaAryDestruct.MSVBVM60(00000000,?,0042B021), ref: 0042B016
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042B01E

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$DestructFree$#595#685CheckExitHresultListProc
String ID:
API String ID: 130669328-0
Opcode ID: 156c952465e4d8b0f93466572d7744051335726478247a17c838d61c3390b769
Instruction ID: 397696dcb7632f02b1bb0dc7fefe57b8feffa857172323e087aa0fe2694031d1
Opcode Fuzzy Hash: 156c952465e4d8b0f93466572d7744051335726478247a17c838d61c3390b769
Instruction Fuzzy Hash: FE21F8B1D00218DFEB14DBA4DD48FDE7BB8EB48300F10816AF659E7151DA745A48CF64

Function 0043B030 Relevance: 12.1, APIs: 8, Instructions: 71COMMON

Download Yara Rule

APIs

__vbaLenBstr.MSVBVM60(00000000,?,004030D6,00000001), ref: 0043B06D
#631.MSVBVM60(?,?,?), ref: 0043B094
__vbaStrMove.MSVBVM60(?,?,?), ref: 0043B09F
__vbaFreeVar.MSVBVM60(?,?,?), ref: 0043B0A8
__vbaStrCmp.MSVBVM60(00407034,?,?,?,?), ref: 0043B0C4
#561.MSVBVM60(00004008,?,?,?), ref: 0043B0D5
__vbaFreeStr.MSVBVM60(0043B111), ref: 0043B10A
__vbaErrorOverflow.MSVBVM60(?,?,?), ref: 0043B127

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Free$#561#631BstrErrorMoveOverflow
String ID:
API String ID: 1526774655-0
Opcode ID: e9c63996d72be22e29baa3bd0852e1fc6ddce946803e866fefab9b9c7cd9d20d
Instruction ID: 49de610ef46cc87c39e2099232fe8ef023a28c0e3241c1bbc0b3ba17b73fdb39
Opcode Fuzzy Hash: e9c63996d72be22e29baa3bd0852e1fc6ddce946803e866fefab9b9c7cd9d20d
Instruction Fuzzy Hash: 3F212AB1E00219EFCB00DFA4D989BAEBBB4FB08741F10512AE505F7260E7746945CBA5

Function 00432800 Relevance: 10.6, APIs: 7, Instructions: 53COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004030D6,?,?,?,00412AFF,?,0043D038), ref: 0043281E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,004030D6), ref: 0043284E
#648.MSVBVM60(0000000A), ref: 00432874
__vbaFreeVar.MSVBVM60 ref: 00432881
__vbaFileOpen.MSVBVM60(00000220,000000FF,?), ref: 004328A0
__vbaPut3.MSVBVM60(00000000,00000000,?), ref: 004328B8
__vbaFileClose.MSVBVM60(?), ref: 004328CA

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$File$#648ChkstkCloseErrorFreeOpenPut3
String ID:
API String ID: 509661398-0
Opcode ID: 0ef7475797edf30ec01317cc771f0a3234e0fecae57e340572436e90524f820d
Instruction ID: aecf047652c9d7d6c4f3f8575439f32e195252a2907ea1a220e6fd4eeabd1e1f
Opcode Fuzzy Hash: 0ef7475797edf30ec01317cc771f0a3234e0fecae57e340572436e90524f820d
Instruction Fuzzy Hash: 84210AB4901248EBDB00DFD4DA09BDEBBB8FF08714F208159F515B7690C7B95A44CBA9

Function 00427C41 Relevance: 9.0, APIs: 6, Instructions: 24COMMON

Download Yara Rule

APIs

__vbaAryMove.MSVBVM60(?,?), ref: 00427C49
__vbaExitProc.MSVBVM60 ref: 00427C4F
__vbaFreeVar.MSVBVM60(00427CC7), ref: 00427C9F
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00427CB4
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00427CBC
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00427CC4

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Destruct$ExitFreeMoveProc
String ID:
API String ID: 3024875322-0
Opcode ID: 252ffab35d565f820a062c643350cd3d5e223aef7f8e375f11f824fd0d362014
Instruction ID: 0ee9ab54d7ed96c0eea76a83d3e41d5fd249ecba7a2cadf0a397b155064e65d1
Opcode Fuzzy Hash: 252ffab35d565f820a062c643350cd3d5e223aef7f8e375f11f824fd0d362014
Instruction Fuzzy Hash: A7E0ED72D04158EFEB04DBA0ED55FED7778EB88711F00816AE606764A4DA706A88CF78

Function 00433674 Relevance: 9.0, APIs: 6, Instructions: 16COMMON

Download Yara Rule

APIs

__vbaExitProc.MSVBVM60 ref: 0043367B
__vbaFreeStr.MSVBVM60(0043371C), ref: 00433705
__vbaFreeStr.MSVBVM60 ref: 0043370A
__vbaFreeStr.MSVBVM60 ref: 0043370F
__vbaFreeStr.MSVBVM60 ref: 00433714
__vbaFreeStr.MSVBVM60 ref: 00433719

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Free$ExitProc
String ID:
API String ID: 3697045878-0
Opcode ID: 813cebabebae72e028ed965fd31929d952929a793ccb0686672562710b9bf161
Instruction ID: 0de887b1f7609e67ed996d3fff853562c1a2b3736520d75970bf56b718fcbdc1
Opcode Fuzzy Hash: 813cebabebae72e028ed965fd31929d952929a793ccb0686672562710b9bf161
Instruction Fuzzy Hash: 23E04CB2C1412C9ACB04DFA0FD55ADC7B74EF58301F105066D813721A49F742F49CE95

Function 0042623B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

__vbaGenerateBoundsError.MSVBVM60 ref: 004262A1
__vbaGenerateBoundsError.MSVBVM60 ref: 004262BE
__vbaGenerateBoundsError.MSVBVM60 ref: 00426303
__vbaGenerateBoundsError.MSVBVM60 ref: 00426320
__vbaVarCopy.MSVBVM60 ref: 00426344
__vbaGenerateBoundsError.MSVBVM60 ref: 0042638A
__vbaGenerateBoundsError.MSVBVM60 ref: 004263A7
__vbaUbound.MSVBVM60(00000001,00000000), ref: 004263CC
__vbaGenerateBoundsError.MSVBVM60 ref: 00426400
__vbaGenerateBoundsError.MSVBVM60 ref: 0042641D
__vbaVarCopy.MSVBVM60 ref: 00426441
__vbaUbound.MSVBVM60(00000001,?,00000000), ref: 00426462
__vbaRedim.MSVBVM60(00000880,00000010,00000000,0000000C,00000001,00000000), ref: 00426478
__vbaUbound.MSVBVM60(00000001,?), ref: 0042648E
__vbaI2I4.MSVBVM60 ref: 0042649F
__vbaVarCopy.MSVBVM60 ref: 004265C6
__vbaErrorOverflow.MSVBVM60 ref: 00426E73

Strings

-, xrefs: 00426447

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Error$BoundsGenerate$CopyUbound$OverflowRedim
String ID: -
API String ID: 2033917355-2547889144
Opcode ID: 4f804a14538f997de2660caca1c829d0c71d3d512e1e3cd9b4ae0a585c8aee2d
Instruction ID: 20ab15c86b360cd977ac607f42421b447cf8fa97bcca3867b883a7f3821cc118
Opcode Fuzzy Hash: 4f804a14538f997de2660caca1c829d0c71d3d512e1e3cd9b4ae0a585c8aee2d
Instruction Fuzzy Hash: F251C274A00169CBDB24DF94E688BEDBBB1BF54304F6141CAC4456B254C7B8AEC6CF49

Function 0042607E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

__vbaGenerateBoundsError.MSVBVM60 ref: 004260F7
__vbaGenerateBoundsError.MSVBVM60 ref: 00426114
__vbaChkstk.MSVBVM60 ref: 00426125
__vbaChkstk.MSVBVM60 ref: 00426160
__vbaVarIndexStore.MSVBVM60(?,00000001), ref: 00426183
__vbaUbound.MSVBVM60(00000001,?), ref: 004261A5
__vbaUbound.MSVBVM60(00000001,00000000), ref: 004261B3
__vbaUbound.MSVBVM60(00000001,00000000,00000000), ref: 004261D7
__vbaRedim.MSVBVM60(00000880,00000010,?,0000000C,00000001,00000000), ref: 004261F6
__vbaUbound.MSVBVM60(00000001,00000000), ref: 0042620C
__vbaI2I4.MSVBVM60 ref: 0042621D
__vbaVarCopy.MSVBVM60 ref: 00426344
__vbaErrorOverflow.MSVBVM60 ref: 00426E73

Strings

&, xrefs: 0042618C

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Ubound$Error$BoundsChkstkGenerate$CopyIndexOverflowRedimStore
String ID: &
API String ID: 4100852208-1010288
Opcode ID: 337ef997032cfd7041f7c0e566d2042d6524589b80a5b7c29f582d1988f1cdba
Instruction ID: 87c31adde373bf2eb6dc2749c0cfd04140a65a80a58a4b24b1e3a7c7cba363c8
Opcode Fuzzy Hash: 337ef997032cfd7041f7c0e566d2042d6524589b80a5b7c29f582d1988f1cdba
Instruction Fuzzy Hash: BC31DFB4A012288FCB14CF48D984BA9BBB1BF48304F64C19AD409AB355D775AA82CF85

Function 0042B040 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,00000000), ref: 0042B07F

Part of subcall function 0042EA80: __vbaLenBstr.MSVBVM60(00000000,00402700,00000000,6D42D8B1), ref: 0042EAC9
Part of subcall function 0042EA80: __vbaLenBstr.MSVBVM60 ref: 0042EAD7
Part of subcall function 0042EA80: __vbaFpI4.MSVBVM60 ref: 0042EB11
Part of subcall function 0042EA80: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000), ref: 0042EB31
Part of subcall function 0042EA80: __vbaUbound.MSVBVM60(00000001,?), ref: 0042EB40
Part of subcall function 0042EA80: __vbaGenerateBoundsError.MSVBVM60 ref: 0042EB80
Part of subcall function 0042EA80: #631.MSVBVM60(?,?,?,0040A4B0), ref: 0042EBB4
Part of subcall function 0042EA80: __vbaStrMove.MSVBVM60 ref: 0042EBBF
Part of subcall function 0042EA80: __vbaStrCat.MSVBVM60(00000000), ref: 0042EBC2
Part of subcall function 0042EA80: __vbaStrMove.MSVBVM60 ref: 0042EBCD

__vbaAryMove.MSVBVM60(?,?,?), ref: 0042B099
__vbaFreeStr.MSVBVM60 ref: 0042B0A2
__vbaAryDestruct.MSVBVM60(00000000,?,0042B0D8), ref: 0042B0D1

Strings

00000001, xrefs: 0042B06B

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Move$Bstr$#631BoundsCopyDestructErrorFreeGenerateRedimUbound
String ID: 00000001
API String ID: 444737788-3071262101
Opcode ID: 285cedaddd74574f3a58ee860496415716971eab8fc3649ecc90fad2a7758ff5
Instruction ID: b521214db3690c65d6e73f21a32fd0286170701ca874de809ca4144618c1f7ef
Opcode Fuzzy Hash: 285cedaddd74574f3a58ee860496415716971eab8fc3649ecc90fad2a7758ff5
Instruction Fuzzy Hash: 23011EB0D002199FCF00EFA5D949ADEBBB8FB08700F50852AE505B2190E7786546CBA5

Function 0042F959 Relevance: 7.5, APIs: 5, Instructions: 32COMMON

Download Yara Rule

APIs

__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042F969
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 0042F989
__vbaFreeObj.MSVBVM60 ref: 0042F995
__vbaFreeVar.MSVBVM60 ref: 0042F99E
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042F9AA

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Free$Destruct$List
String ID:
API String ID: 2788043521-0
Opcode ID: 774e740d36e89ab1da7056e326464c1258f523eb7dad053f830689987274bec1
Instruction ID: 9dfc4d001579ba4a57e8dca356d7c2928ede549cb238f806da69a51d0d2dad2c
Opcode Fuzzy Hash: 774e740d36e89ab1da7056e326464c1258f523eb7dad053f830689987274bec1
Instruction Fuzzy Hash: A1F0A972900109EFEF05DBD0DE49EEE7779FB44705F444129F202B60A0EA706649CB64

Function 00426650 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__vbaGenerateBoundsError.MSVBVM60 ref: 004266B6
__vbaGenerateBoundsError.MSVBVM60 ref: 004266D3
__vbaGenerateBoundsError.MSVBVM60 ref: 00426725
__vbaGenerateBoundsError.MSVBVM60 ref: 00426742
__vbaGenerateBoundsError.MSVBVM60 ref: 00426794
__vbaGenerateBoundsError.MSVBVM60 ref: 004267B1
__vbaVarXor.MSVBVM60(?,?,?), ref: 004267DB
__vbaVarMove.MSVBVM60 ref: 004267EF
__vbaUbound.MSVBVM60(00000001,?,00000000), ref: 00426810
__vbaRedim.MSVBVM60(00000880,00000010,?,0000000C,00000001,-00000001), ref: 0042682F
__vbaUbound.MSVBVM60(00000001,?), ref: 00426845
__vbaI2I4.MSVBVM60 ref: 00426856
__vbaChkstk.MSVBVM60(?), ref: 0042693C
__vbaVarIndexLoad.MSVBVM60(?,?,00000001,?), ref: 00426970
__vbaVarSub.MSVBVM60(?,00000000), ref: 00426981
__vbaVarTstLt.MSVBVM60(00008002,00000000), ref: 0042698F
__vbaFreeVar.MSVBVM60 ref: 0042699F
__vbaErrorOverflow.MSVBVM60 ref: 00426E73

Strings

6, xrefs: 004267F5

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Error$BoundsGenerate$Ubound$ChkstkFreeIndexLoadMoveOverflowRedim
String ID: 6
API String ID: 2508272159-498629140
Opcode ID: dcda7f6a1a6aa45c44efed5217cbafc42648c99ca9e7325fcabdf1f98469febf
Instruction ID: bceabd354795514b790df7ea1cf86fc7ddd232b0925b039fa9110f537f0fbbc2
Opcode Fuzzy Hash: dcda7f6a1a6aa45c44efed5217cbafc42648c99ca9e7325fcabdf1f98469febf
Instruction Fuzzy Hash: C141E574E04129CBCB28CF54E988BEDB7B2BF94304F61819AD4456B254D778ADC2CF49

Function 00415364 Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

__vbaFreeStr.MSVBVM60 ref: 00415371
__vbaFreeStrList.MSVBVM60(00000013,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004153C8
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 004153EF
__vbaFreeVar.MSVBVM60 ref: 004153FE

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: Free__vba$List
String ID:
API String ID: 2192533141-0
Opcode ID: 0ef93480439c3593adf187f01e57955a02c23cb497b7f8bf33bb63a66e2c942f
Instruction ID: bf5a0212a107e6c496120b953605b6a79c55cb9775ada44c13d9f09bd637cec7
Opcode Fuzzy Hash: 0ef93480439c3593adf187f01e57955a02c23cb497b7f8bf33bb63a66e2c942f
Instruction Fuzzy Hash: F12186B780011CAADF1ACBD4CD94EEEB77DBB98700F04825EE217A6455EA706749CF60

Function 0041B038 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

__vbaFreeStr.MSVBVM60 ref: 0041B048
__vbaAryUnlock.MSVBVM60(?), ref: 0041B055
__vbaFreeStrList.MSVBVM60(0000000D,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B0B8
__vbaFreeVarList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,?), ref: 0041B102

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Free$List$Unlock
String ID:
API String ID: 3250417665-0
Opcode ID: 2c8c26e3a8ae196fa61de17f3fdfe0a1696d4ea664124d68dd1f283861ee7ff6
Instruction ID: 7e61b8e8675a8c6171d39224ebb3579cd1b66b99f03ff23f460821e829af9c6d
Opcode Fuzzy Hash: 2c8c26e3a8ae196fa61de17f3fdfe0a1696d4ea664124d68dd1f283861ee7ff6
Instruction Fuzzy Hash: 5E21927781012CABDB6ACB80CD94FDAB37DAB48700F0445DAA61A66450EA706BC8CF60

Function 0042DCD3 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

__vbaFreeStrList.MSVBVM60(0000000C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042DD05
__vbaFreeObj.MSVBVM60 ref: 0042DD11
__vbaFreeVarList.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,?,?), ref: 0042DD59
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042DD6B

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Free$List$Destruct
String ID:
API String ID: 3099906924-0
Opcode ID: 9c4743fe5fd64e31a418b9edfa30fb3c5f8340ed85767d0da3274f40ffe131ff
Instruction ID: 55d1d4e1cf81e37f60003d51b04c3a4f789bb7a794f4b5337716c0246b998d34
Opcode Fuzzy Hash: 9c4743fe5fd64e31a418b9edfa30fb3c5f8340ed85767d0da3274f40ffe131ff
Instruction Fuzzy Hash: ED11AAB3810118AADB56CBD4CD84EDEB77DAB48700F04825AF21BA6454EA70678CCF60

Function 00430AD9 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

__vbaFreeObj.MSVBVM60 ref: 00430AE6
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 00430AFE
__vbaFreeObj.MSVBVM60 ref: 00430B0A
__vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 00430B29

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: Free__vba$List
String ID:
API String ID: 2192533141-0
Opcode ID: d0d1fd835cd3dbb3824f0bd55a23bedf2fd187601ebe4a0b58a60a0adf17e732
Instruction ID: c850daffb6054cbfabea4f767a34929617ee87e6d2dfeb2272f72e3ff4e3a1f1
Opcode Fuzzy Hash: d0d1fd835cd3dbb3824f0bd55a23bedf2fd187601ebe4a0b58a60a0adf17e732
Instruction Fuzzy Hash: FAF0F972C00109ABEF05EBD4DD85EDEB77CFF48300F44812AF622B6060EA70A608CB64

Function 0043034F Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

__vbaFreeObj.MSVBVM60 ref: 0043035C
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0043036C
__vbaFreeObj.MSVBVM60 ref: 00430378
__vbaFreeVarList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 0043039B

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: Free__vba$List
String ID:
API String ID: 2192533141-0
Opcode ID: 2c1f03920155f9229acbc1fa31b91559145dcfe5ddf8c33a8cb8717936c6c9bb
Instruction ID: 4c93e2681fe14d81a84a6f15358bc169b3acc17d0bad170dcb720031593788ed
Opcode Fuzzy Hash: 2c1f03920155f9229acbc1fa31b91559145dcfe5ddf8c33a8cb8717936c6c9bb
Instruction Fuzzy Hash: 72F0F9728001189BEB09DBD4DD99EFEB378FF48304F48412DF606B6061E6706618CB64

Function 0042E46C Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042E47C
__vbaAryUnlock.MSVBVM60(?), ref: 0042E486
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042E496
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042E4B7

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$FreeList$DestructUnlock
String ID:
API String ID: 2365061390-0
Opcode ID: b976eeb8b01bf6bbd2b1c67b0b601db7319691de59a6152fcc1288b504aa0444
Instruction ID: 1c74f7a615ce89783975195d616b0dce286544e679f7ab07a05835a10af5f4c0
Opcode Fuzzy Hash: b976eeb8b01bf6bbd2b1c67b0b601db7319691de59a6152fcc1288b504aa0444
Instruction Fuzzy Hash: 7BF03AB2900219AFEF04DBD0DD49FFE7338FB44705F48402DF606A6451E6705649CB68

Function 0041B656 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

__vbaFreeStr.MSVBVM60 ref: 0041B663
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0041B67F
__vbaFreeVar.MSVBVM60 ref: 0041B68B
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041B697

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Free$DestructList
String ID:
API String ID: 1934303848-0
Opcode ID: 4c381e20840e96d985a5c350125a91bb2dcb7d6321214d76d9095062b82743bf
Instruction ID: e5d0b8a3776a3dba3310019961fdc3eea14e2a68a3adb64687ad0a5057425e60
Opcode Fuzzy Hash: 4c381e20840e96d985a5c350125a91bb2dcb7d6321214d76d9095062b82743bf
Instruction Fuzzy Hash: 9BF0F8768001099BEF09CBD0CE58EEE7778FB44301F04812DE603AA0A4EB702609CB64

Function 00427C5C Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00427C68
__vbaAryUnlock.MSVBVM60(?), ref: 00427C72
__vbaFreeStr.MSVBVM60 ref: 00427C7B
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 00427C8F

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Free$DestructListUnlock
String ID:
API String ID: 676089279-0
Opcode ID: 31bf1b6fe516328315580394144083e8d644e915f7248a1d471ef65f966afb87
Instruction ID: 5e9e23fe7762367278ee47cc1a76238bf94153f7d4dabd616f12de43420dc81b
Opcode Fuzzy Hash: 31bf1b6fe516328315580394144083e8d644e915f7248a1d471ef65f966afb87
Instruction Fuzzy Hash: 99E0E575C00109AFEB09DBD0ED98BED7BBCEB44305F40805AF612A61A0EA746609CB24

Function 00424961 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

__vbaFreeStr.MSVBVM60 ref: 0042496E
__vbaFreeStr.MSVBVM60 ref: 00424977
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00424987
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00424996

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Free$DestructList
String ID:
API String ID: 1934303848-0
Opcode ID: 8f0de291f7086f06beb718ad37c345000d877fbadf8f12b1ad456e23a12260e4
Instruction ID: 0f8b304471d1c596ba7ebdd0e0d0cd925b6ca17a6b88493d71dc5e45ae08b694
Opcode Fuzzy Hash: 8f0de291f7086f06beb718ad37c345000d877fbadf8f12b1ad456e23a12260e4
Instruction Fuzzy Hash: 4FE01A719001099FEF00CBD0EE49AED7778EF40301F004025E502E55A0EB306A09CB64

Function 004264BD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

__vbaUbound.MSVBVM60(00000001,?), ref: 004261A5
__vbaUbound.MSVBVM60(00000001,00000000), ref: 004261B3
__vbaUbound.MSVBVM60(00000001,00000000,00000000), ref: 004261D7
__vbaRedim.MSVBVM60(00000880,00000010,?,0000000C,00000001,00000000), ref: 004261F6
__vbaUbound.MSVBVM60(00000001,00000000), ref: 0042620C
__vbaI2I4.MSVBVM60 ref: 0042621D
__vbaVarCopy.MSVBVM60 ref: 00426344
__vbaGenerateBoundsError.MSVBVM60 ref: 00426523
__vbaGenerateBoundsError.MSVBVM60 ref: 00426540
__vbaGenerateBoundsError.MSVBVM60 ref: 00426585
__vbaGenerateBoundsError.MSVBVM60 ref: 004265A2
__vbaVarCopy.MSVBVM60 ref: 004265C6
__vbaUbound.MSVBVM60(00000001,?,00000000), ref: 004265EC
__vbaRedim.MSVBVM60(00000880,00000010,?,0000000C,00000001,-00000001), ref: 0042660B
__vbaUbound.MSVBVM60(00000001,?), ref: 00426621
__vbaI2I4.MSVBVM60 ref: 00426632
__vbaErrorOverflow.MSVBVM60 ref: 00426E73

Strings

1, xrefs: 004265CC

Memory Dump Source

Source File: 00000000.00000002.2571034417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2571020447.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571057684.000000000043D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2571071086.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AGrsqxaSjd.jbxd

Yara matches

Similarity

API ID: __vba$Ubound$Error$BoundsGenerate$CopyRedim$Overflow
String ID: 1
API String ID: 2848970627-2212294583
Opcode ID: 245bf086c911639528bcd9db943c0ef147268c9c95a86ee915a36599f5c45521
Instruction ID: c4b28c7e0f72d7d28673526e39e426e6e2863f055672493c3652e105557e4f7a
Opcode Fuzzy Hash: 245bf086c911639528bcd9db943c0ef147268c9c95a86ee915a36599f5c45521
Instruction Fuzzy Hash: 2431B270A05128DBCB64DF84E6946EDBBB2FF54304F6541C9C44A6B258C7B8AEC1CF49

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AGrsqxaSjd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DarkCloud

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\LoggraNoUCYctgwnrtnRFCefIupAVHcOBQqsTNNMrZheterostracan

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\WebData

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\cookies.db

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\cookies.db-shm

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
AGrsqxaSjd.exe

Function 00432D60 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 236
filenetworkCOMMON

Function 0041C460 Relevance: 676.1, APIs: 353, Strings: 32, Instructions: 2376
COMMON

Function 004216E0 Relevance: 619.7, APIs: 308, Strings: 45, Instructions: 1933
COMMON

Function 004375F0 Relevance: 609.1, APIs: 319, Strings: 28, Instructions: 1839
COMMON

Function 0042D140 Relevance: 223.0, APIs: 110, Strings: 17, Instructions: 777
COMMON

Function 0042ECB0 Relevance: 193.4, APIs: 104, Strings: 6, Instructions: 853
COMMON

Function 0040CBA0 Relevance: 173.9, APIs: 79, Strings: 20, Instructions: 626
COMMON

Function 004040C1 Relevance: 166.8, APIs: 74, Strings: 21, Instructions: 542
COMMON

Function 00420E20 Relevance: 144.0, APIs: 73, Strings: 9, Instructions: 536
COMMON

Function 00420EE6 Relevance: 112.5, APIs: 55, Strings: 9, Instructions: 462
COMMON

Function 0043B450 Relevance: 63.3, APIs: 32, Strings: 4, Instructions: 260
COMMON

Function 0042CE60 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 153
COMMON

Function 00434340 Relevance: 27.2, APIs: 18, Instructions: 151
COMMON

Function 00403594 Relevance: 1.6, APIs: 1, Instructions: 149
COMMON