Play interactive tour

Edit tour

Analysis Report http://covid19vaccine.hopto.org/march%20OG.exe

Overview

General Information

Sample URL:	http://covid19vaccine.hopto.org/march%20OG.exe
Analysis ID:	365439
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

PE file contains strange resources

Potential browser exploit detected (process start blacklist hit)

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

iexplore.exe (PID: 4340 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 4436 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4340 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

march OG.exe (PID: 4844 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe' MD5: B75B990AC5990F1B6B0127540DE4EC30)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: march OG.exe PID: 4844	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: march OG.exe PID: 4844	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: http://covid19vaccine.hopto.org/march%20OG.exe

Avira URL Cloud: detection malicious, Label: malware

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe.l6tc81k.partial	Metadefender: Detection: 24%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe.l6tc81k.partial	ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\march%20OG[1].exe	Metadefender: Detection: 24%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\march%20OG[1].exe	ReversingLabs: Detection: 82%

Multi AV Scanner detection for submitted file

Show sources

Source: http://covid19vaccine.hopto.org/march%20OG.exe

Virustotal: Detection: 17%

Perma Link

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe

Jump to behavior

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 09 Mar 2021 14:38:11 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.2Last-Modified: Wed, 03 Mar 2021 00:26:30 GMTETag: "17000-5bc96e70c1a4b"Accept-Ranges: bytesContent-Length: 94208Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b 23 c4 db cf 42 aa 88 cf 42 aa 88 cf 42 aa 88 4c 5e a4 88 ce 42 aa 88 80 60 a3 88 cd 42 aa 88 f9 64 a7 88 ce 42 aa 88 52 69 63 68 cf 42 aa 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 8c 5d 2f 4d 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 40 01 00 00 30 00 00 00 00 00 00 14 17 00 00 00 10 00 00 00 50 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 80 01 00 00 10 00 00 67 77 01 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 46 01 00 28 00 00 00 00 70 01 00 ac 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 90 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 2c 3d 01 00 00 10 00 00 00 40 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 08 12 00 00 00 50 01 00 00 10 00 00 00 50 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 ac 09 00 00 00 70 01 00 00 10 00 00 00 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /march%20OG.exe HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: covid19vaccine.hopto.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: covid19vaccine.hopto.org

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe

Code function: 16_2_02106A72 NtProtectVirtualMemory,

16_2_02106A72

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe

Code function: 16_2_0040A0CB

16_2_0040A0CB

Source: march%20OG[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: march OG.exe.l6tc81k.partial.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: classification engine

Classification label: mal88.troj.evad.win@5/9@1/1

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{813E1F67-8130-11EB-90E6-ECF4BB82F7E0}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DF27A6466E5B9B4110.TMP

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4340 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe'
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4340 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe'	Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: march OG.exe PID: 4844, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: march OG.exe PID: 4844, type: MEMORY

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe	Code function: 16_2_0040A0CB pushfd ; retn 2B2Fh	16_2_0040A0CA
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe	Code function: 16_2_004070BF push esi; retf	16_2_004070C0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe	Code function: 16_2_00403B43 push cs; retf	16_2_00403B91
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe	Code function: 16_2_00409B29 push eax; retf	16_2_00409B34
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe	Code function: 16_2_00403B94 push cs; retf	16_2_00403B91

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe.l6tc81k.partial			Jump to dropped file
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\march%20OG[1].exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe	RDTSC instruction interceptor: First address: 0000000002105A4C second address: 00000000021059D3 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FC40CA30608h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test dx, A4B7h 0x00000022 test bl, FFFFFFE9h 0x00000025 add edi, edx 0x00000027 jmp 00007FC40CA3061Eh 0x00000029 pushad 0x0000002a mov edi, 00000097h 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe	RDTSC instruction interceptor: First address: 00000000021059EC second address: 0000000002105A8B instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp edi, 00E4E1C0h 0x00000010 jnl 00007FC40CA30592h 0x00000012 test dh, ch 0x00000014 ret 0x00000015 cmp dx, B20Dh 0x0000001a test dh, ah 0x0000001c mov dword ptr [ebp+0000009Ch], 00000000h 0x00000026 test dl, bl 0x00000028 xor edi, edi 0x0000002a cmp dh, dh 0x0000002c cmp bx, ax 0x0000002f mov ecx, 000186A0h 0x00000034 push ecx 0x00000035 jmp 00007FC40CA3061Ah 0x00000037 cmp eax, eax 0x00000039 call 00007FC40CA30697h 0x0000003e call 00007FC40CA30764h 0x00000043 lfence 0x00000046 rdtsc

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: march OG.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe	RDTSC instruction interceptor: First address: 0000000002105A4C second address: 00000000021059D3 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FC40CA30608h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test dx, A4B7h 0x00000022 test bl, FFFFFFE9h 0x00000025 add edi, edx 0x00000027 jmp 00007FC40CA3061Eh 0x00000029 pushad 0x0000002a mov edi, 00000097h 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe	RDTSC instruction interceptor: First address: 00000000021059D3 second address: 00000000021059D3 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 dec dword ptr [ebp+000000F8h] 0x00000009 nop 0x0000000a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000011 jne 00007FC40CA305FCh 0x00000013 call 00007FC40CA306E4h 0x00000018 call 00007FC40CA30658h 0x0000001d lfence 0x00000020 mov edx, dword ptr [7FFE0014h] 0x00000026 lfence 0x00000029 ret 0x0000002a mov esi, edx 0x0000002c pushad 0x0000002d nop 0x0000002e nop 0x0000002f xor eax, eax 0x00000031 inc eax 0x00000032 nop 0x00000033 nop 0x00000034 popad 0x00000035 mov edx, 00000001h 0x0000003a nop 0x0000003b nop 0x0000003c ret 0x0000003d test dx, A4B7h 0x00000042 test bl, FFFFFFE9h 0x00000045 add edi, edx 0x00000047 jmp 00007FC40CA3065Eh 0x00000049 pushad 0x0000004a mov edi, 00000097h 0x0000004f rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe	RDTSC instruction interceptor: First address: 00000000021059EC second address: 0000000002105A8B instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp edi, 00E4E1C0h 0x00000010 jnl 00007FC40CA30592h 0x00000012 test dh, ch 0x00000014 ret 0x00000015 cmp dx, B20Dh 0x0000001a test dh, ah 0x0000001c mov dword ptr [ebp+0000009Ch], 00000000h 0x00000026 test dl, bl 0x00000028 xor edi, edi 0x0000002a cmp dh, dh 0x0000002c cmp bx, ax 0x0000002f mov ecx, 000186A0h 0x00000034 push ecx 0x00000035 jmp 00007FC40CA3061Ah 0x00000037 cmp eax, eax 0x00000039 call 00007FC40CA30697h 0x0000003e call 00007FC40CA30764h 0x00000043 lfence 0x00000046 rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe	RDTSC instruction interceptor: First address: 0000000002105A8B second address: 0000000002105A8B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FC40CA30BCDh 0x0000001d popad 0x0000001e call 00007FC40CA3078Ch 0x00000023 lfence 0x00000026 rdtsc

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe

Code function: 16_2_02102230 rdtsc

16_2_02102230

Source: march OG.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe

Code function: 16_2_02102230 rdtsc

16_2_02102230

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe	Code function: 16_2_02102230 mov eax, dword ptr fs:[00000030h]	16_2_02102230
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe	Code function: 16_2_02102254 mov eax, dword ptr fs:[00000030h]	16_2_02102254
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe	Code function: 16_2_02102ED0 mov eax, dword ptr fs:[00000030h]	16_2_02102ED0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe	Code function: 16_2_0210574D mov eax, dword ptr fs:[00000030h]	16_2_0210574D
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe	Code function: 16_2_02106071 mov eax, dword ptr fs:[00000030h]	16_2_02106071
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe	Code function: 16_2_02101CDA mov eax, dword ptr fs:[00000030h]	16_2_02101CDA
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe	Code function: 16_2_021060DD mov eax, dword ptr fs:[00000030h]	16_2_021060DD
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe	Code function: 16_2_021060FB mov eax, dword ptr fs:[00000030h]	16_2_021060FB
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe	Code function: 16_2_021051D5 mov eax, dword ptr fs:[00000030h]	16_2_021051D5

Source: march OG.exe, 00000010.00000002.492079328.0000000000C80000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: march OG.exe, 00000010.00000002.492079328.0000000000C80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: march OG.exe, 00000010.00000002.492079328.0000000000C80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: march OG.exe, 00000010.00000002.492079328.0000000000C80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe

Code function: 16_2_02103D0A cpuid

16_2_02103D0A

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution1	Path Interception	Process Injection2	Masquerading1	OS Credential Dumping	Security Software Discovery411	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection2	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery211	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://covid19vaccine.hopto.org/march%20OG.exe	18%	Virustotal		Browse
http://covid19vaccine.hopto.org/march%20OG.exe	100%	Avira URL Cloud	malware

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe.l6tc81k.partial	24%	Metadefender		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe.l6tc81k.partial	82%	ReversingLabs	Win32.Trojan.VBObfuse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\march%20OG[1].exe	24%	Metadefender		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\march%20OG[1].exe	82%	ReversingLabs	Win32.Trojan.VBObfuse

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
covid19vaccine.hopto.org	46.183.222.6	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://covid19vaccine.hopto.org/march%20OG.exe	true		unknown
0	true		low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
46.183.222.6	covid19vaccine.hopto.org	Latvia		52048	DATACLUBLV	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	365439
Start date:	09.03.2021
Start time:	15:37:23
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://covid19vaccine.hopto.org/march%20OG.exe
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.evad.win@5/9@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 104.108.39.131, 23.57.80.111, 13.64.90.137, 51.104.144.132, 152.199.19.161, 104.42.151.234, 2.20.142.210, 2.20.142.209, 51.103.5.186, 40.88.32.150, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129, 13.88.21.125, 168.61.161.212 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, go.microsoft.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, ie9comview.vo.msecnd.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus17.cloudapp.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, cs9.wpc.v0cdn.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{813E1F67-8130-11EB-90E6-ECF4BB82F7E0}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	32344
Entropy (8bit):	1.7940541219870676
Encrypted:	false
SSDEEP:	192:rUZbZ22KWXt0if6j9zM61BPv/k1WAl5p2:rENNJ9Jn80o
MD5:	C6362859B5CB475AADB05A8FF8A63B82
SHA1:	197324A4CCE901D243928ED5ABA0E0311E2DFF0D
SHA-256:	EE4D461DBE6EE3B57F9AEB3BC792EA6543A18D018B42B52CC917D24E6629332E
SHA-512:	6A48B3D6B62D5DE0BF6C531B2538E125981B741AD8520A60D2BA6DAB2478C174D63A71ECB832F69529AC73FD6D38946B06B13B28C1E068D968267548C501ADB8
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{813E1F69-8130-11EB-90E6-ECF4BB82F7E0}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.599271845016993
Encrypted:	false
SSDEEP:	48:IwEGcprdGwpaxG4pQOGrapbSsGQpBGGHHpc3TGUpQweGcpm:rYZHQj6ABSkjF2B6vg
MD5:	80481B7A27B1D6C0DEF3782C8DE52A26
SHA1:	EC36C5CDABB593C404B5F3908A18029A893B04F4
SHA-256:	DBF8D767C2220C5B9EB6A760EBD206A7A5F8A6515C5CF652E6A9FF5BE690C90C
SHA-512:	8972A04D820B5E433E8B197EC5BF266E3C5B63CD8C43F321826A02189A8B3EA851726BA8298F5CBB3CB11EA980C3AE486EED27280F009E1705BDAA35B8FCC251
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe.l6tc81k.partial Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	5.559510350020854
Encrypted:	false
SSDEEP:	1536:61oJy7aGTvIaUZNcddsm3dE+WE2i5JjyI+h91mR4E:6v7aGTUcddaMrjyIA1jE
MD5:	B75B990AC5990F1B6B0127540DE4EC30
SHA1:	66DD5A9D359FAF4ABDFF9B53B8E96280EFF58038
SHA-256:	F7ABA1C5E66938EFC7A722F98344A70A2443391668283F08DA1202BDE6C9B925
SHA-512:	E2009B8E6AD35C60F08EFB6514C18C650929F343B01A14F2AAB8D5EAEC880520C67BCF6795ED21BE8C462A2C32EB31E80A7A3A1C9767776CE18F208B4F89FF45
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 24%, Browse Antivirus: ReversingLabs, Detection: 82%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....]/M.................@...0...............P....@.................................gw.......................................F..(....p......................................................................(... ....................................text...,=.......@.................. ..`.data........P.......P..............@....rsrc........p.......`..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe.l6tc81k.partial:Zone.Identifier Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Reputation:	low
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe:Zone.Identifier Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	very short file (no magic)
Category:	modified
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:W:W
MD5:	ECCBC87E4B5CE2FE28308FD9F2A7BAF3
SHA1:	77DE68DAECD823BABBB58EDB1C8E14D7106E83BB
SHA-256:	4E07408562BEDB8B60CE05C1DECFE3AD16B72230967DE01F640B7E4729B49FCE
SHA-512:	3BAFBF08882A2D10133093A1B8433F50563B93C14ACD05B79028EB1D12799027241450980651994501423A66C276AE26C43B739BC65C4E16B10C3AF6C202AEBB
Malicious:	false
Reputation:	low
Preview:	3

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\march%20OG[1].exe Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	5.559510350020854
Encrypted:	false
SSDEEP:	1536:61oJy7aGTvIaUZNcddsm3dE+WE2i5JjyI+h91mR4E:6v7aGTUcddaMrjyIA1jE
MD5:	B75B990AC5990F1B6B0127540DE4EC30
SHA1:	66DD5A9D359FAF4ABDFF9B53B8E96280EFF58038
SHA-256:	F7ABA1C5E66938EFC7A722F98344A70A2443391668283F08DA1202BDE6C9B925
SHA-512:	E2009B8E6AD35C60F08EFB6514C18C650929F343B01A14F2AAB8D5EAEC880520C67BCF6795ED21BE8C462A2C32EB31E80A7A3A1C9767776CE18F208B4F89FF45
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 24%, Browse Antivirus: ReversingLabs, Detection: 82%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....]/M.................@...0...............P....@.................................gw.......................................F..(....p......................................................................(... ....................................text...,=.......@.................. ..`.data........P.......P..............@....rsrc........p.......`..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	89
Entropy (8bit):	4.366670544419046
Encrypted:	false
SSDEEP:	3:oVXU0NFUNW8JOGXnE0NFpULun:o9UoqEqUC
MD5:	967DEE776D313F3030F12D257AC94577
SHA1:	AC966037240676B799CDF5FE28716255C1B4303B
SHA-256:	DF6ACB284F6483CE0D3914A5A0985D7F0DC1613DE0F645F6A982F8D109F284F3
SHA-512:	17F91D81F08AF61C7C94490399F09D3F6FE89E1C895DD7E685050026CB017AF48C264A689713FE529740B9EA8F174605E20A7AECF054C767BBEB25F2BDBE8614
Malicious:	false
Reputation:	low
Preview:	[2021/03/09 15:38:11.105] Latest deploy version: ..[2021/03/09 15:38:11.105] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\~DF27A6466E5B9B4110.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12981
Entropy (8bit):	0.4430559335601269
Encrypted:	false
SSDEEP:	12:c9lCg5/9lCgeK9l26an9l26an9l8fR+k9l8fR+09lTq+CVduiryUuNsqNxrt:c9lLh9lLh9lIn9lIn9loL9loL9lWjDoZ
MD5:	1895B7B06EBF1C0546E5EFA39D637A9D
SHA1:	3FC35A4F370B898F686C0B48A1FEBC564772E619
SHA-256:	C94BD6E9E78D006EFC4EDCFDEA87C15220EFA0DBEFC9371A4857BF2B8F1AEDB6
SHA-512:	8A9EE4BFE5AD0632B4E2A81390D64EBBF917C8BBC2660722D21D9D9EFB9CF32849F2814E642C728ED01AD78A79407D5E21C0B2E1D7FA9F63FE26D1E2B9C3EE82
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF761A8E80D89A84E5.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	29989
Entropy (8bit):	0.3309272852524987
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwTK/9lwTi9l2Tc/9l2d:kBqoxKAuvScS+B/I+hwy
MD5:	F5EBE47B4CE8A5D9978C360417688828
SHA1:	1D3A7AE1BD8B90F828A0EC66CB23A58CA2AB2AEE
SHA-256:	FE4D22A9CDA7116C1FF6417B55D84C78FBA5C5A6415D8495E79FD1ED59A8BB42
SHA-512:	2DA20731BA721409FA74CD8F14755B90A0BA4F7990CA41A966BB1E70A8BE80B2BB5A79BE9DE9929B2635B1846DF2659E78BB2EAC28800F3691E3ABC4E1C26FF4
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 9, 2021 15:38:12.546500921 CET	49700	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.546504021 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.614873886 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.615099907 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.615778923 CET	80	49700	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.616731882 CET	49700	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.622627020 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.690965891 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.691025019 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.691123962 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.691157103 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.758311033 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.758338928 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.758357048 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.758373976 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.758438110 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.825692892 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.825736046 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.825762033 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.825787067 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.825809956 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.825817108 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.825834990 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.825859070 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.825881004 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.825892925 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.825932980 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.893600941 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.893641949 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.893672943 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.893692970 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.893712044 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.893722057 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.893745899 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.893762112 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.893768072 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.893790960 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.893812895 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.893824100 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.893841028 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.893851995 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.893874884 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.893897057 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.893908024 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.893909931 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.893934011 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.893939018 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.893963099 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.893965960 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.893985033 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.893997908 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.894006968 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.894016981 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.894043922 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.894073963 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.961520910 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.961580992 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.961627007 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.961630106 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.961657047 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.961683989 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.961688042 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.961740017 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.961755991 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.961796045 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.961810112 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.961839914 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.961857080 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.961874008 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.961884975 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.961909056 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.961924076 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.961945057 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.961987019 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.961992025 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.962029934 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.962038994 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.962080956 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.962083101 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.962135077 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.962150097 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.962188005 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.962193012 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.962229013 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.962235928 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.962265968 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.962272882 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.962302923 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.962325096 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.962344885 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.962351084 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.962383032 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.962388992 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.962418079 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.962434053 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.962452888 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.962466955 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.962505102 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.962503910 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.962558031 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.962562084 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.962608099 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.962642908 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.962649107 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.962661028 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.962693930 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.962697029 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.962732077 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.962744951 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.962766886 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.962783098 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.962802887 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.962815046 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.962838888 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.962853909 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.962888956 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:12.962888956 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:12.962941885 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:13.030400038 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:13.030459881 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:13.030502081 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:13.030540943 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:13.030580997 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:13.030628920 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:13.030673981 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:13.030713081 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:13.030750036 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:13.031100988 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:18.177714109 CET	80	49699	46.183.222.6	192.168.2.7
Mar 9, 2021 15:38:18.182138920 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:24.340822935 CET	49699	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:24.393989086 CET	49700	80	192.168.2.7	46.183.222.6
Mar 9, 2021 15:38:24.425024986 CET	80	49699	46.183.222.6	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 9, 2021 15:38:04.209747076 CET	60501	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:38:04.268192053 CET	53	60501	8.8.8.8	192.168.2.7
Mar 9, 2021 15:38:11.293840885 CET	53775	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:38:11.350908995 CET	53	53775	8.8.8.8	192.168.2.7
Mar 9, 2021 15:38:12.472520113 CET	51837	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:38:12.534859896 CET	53	51837	8.8.8.8	192.168.2.7
Mar 9, 2021 15:38:30.674083948 CET	55411	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:38:30.732253075 CET	53	55411	8.8.8.8	192.168.2.7
Mar 9, 2021 15:38:33.830120087 CET	63668	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:38:33.876199007 CET	53	63668	8.8.8.8	192.168.2.7
Mar 9, 2021 15:38:41.172713995 CET	54640	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:38:41.219281912 CET	53	54640	8.8.8.8	192.168.2.7
Mar 9, 2021 15:38:41.298634052 CET	58739	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:38:41.345556021 CET	53	58739	8.8.8.8	192.168.2.7
Mar 9, 2021 15:38:42.301479101 CET	58739	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:38:42.348711967 CET	53	58739	8.8.8.8	192.168.2.7
Mar 9, 2021 15:38:43.330921888 CET	58739	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:38:43.376823902 CET	53	58739	8.8.8.8	192.168.2.7
Mar 9, 2021 15:38:45.346986055 CET	58739	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:38:45.392901897 CET	53	58739	8.8.8.8	192.168.2.7
Mar 9, 2021 15:38:49.363078117 CET	58739	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:38:49.409126997 CET	53	58739	8.8.8.8	192.168.2.7
Mar 9, 2021 15:38:54.034775019 CET	60338	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:38:54.080661058 CET	53	60338	8.8.8.8	192.168.2.7
Mar 9, 2021 15:38:59.562648058 CET	58717	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:38:59.619684935 CET	53	58717	8.8.8.8	192.168.2.7
Mar 9, 2021 15:39:02.104366064 CET	59762	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:39:02.159679890 CET	53	59762	8.8.8.8	192.168.2.7
Mar 9, 2021 15:39:02.893915892 CET	54329	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:39:02.940005064 CET	53	54329	8.8.8.8	192.168.2.7
Mar 9, 2021 15:39:26.152199030 CET	58052	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:39:26.207998991 CET	53	58052	8.8.8.8	192.168.2.7
Mar 9, 2021 15:39:33.796916008 CET	54008	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:39:33.851068974 CET	53	54008	8.8.8.8	192.168.2.7
Mar 9, 2021 15:39:44.002993107 CET	59451	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:39:44.072282076 CET	53	59451	8.8.8.8	192.168.2.7
Mar 9, 2021 15:39:44.924587965 CET	52914	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:39:44.981726885 CET	53	52914	8.8.8.8	192.168.2.7
Mar 9, 2021 15:39:46.029555082 CET	64569	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:39:46.084809065 CET	53	64569	8.8.8.8	192.168.2.7
Mar 9, 2021 15:39:47.728049994 CET	52816	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:39:47.805243015 CET	53	52816	8.8.8.8	192.168.2.7
Mar 9, 2021 15:39:48.353799105 CET	50781	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:39:48.411199093 CET	53	50781	8.8.8.8	192.168.2.7
Mar 9, 2021 15:39:49.070045948 CET	54230	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:39:49.117367029 CET	53	54230	8.8.8.8	192.168.2.7
Mar 9, 2021 15:39:49.791652918 CET	54911	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:39:49.846575975 CET	53	54911	8.8.8.8	192.168.2.7
Mar 9, 2021 15:39:51.306799889 CET	49958	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:39:51.363261938 CET	53	49958	8.8.8.8	192.168.2.7
Mar 9, 2021 15:39:52.744709969 CET	50860	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:39:52.801925898 CET	53	50860	8.8.8.8	192.168.2.7
Mar 9, 2021 15:39:53.230261087 CET	50452	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:39:53.286919117 CET	53	50452	8.8.8.8	192.168.2.7
Mar 9, 2021 15:39:53.457514048 CET	59730	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:39:53.525835991 CET	53	59730	8.8.8.8	192.168.2.7
Mar 9, 2021 15:40:06.724911928 CET	59310	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:40:06.773703098 CET	53	59310	8.8.8.8	192.168.2.7
Mar 9, 2021 15:40:11.621453047 CET	51919	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:40:11.667619944 CET	53	51919	8.8.8.8	192.168.2.7
Mar 9, 2021 15:40:22.522402048 CET	64296	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:40:22.568308115 CET	53	64296	8.8.8.8	192.168.2.7
Mar 9, 2021 15:40:24.529536009 CET	56680	53	192.168.2.7	8.8.8.8
Mar 9, 2021 15:40:24.586733103 CET	53	56680	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 9, 2021 15:38:12.472520113 CET	192.168.2.7	8.8.8.8	0xe69e	Standard query (0)	covid19vaccine.hopto.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 9, 2021 15:38:12.534859896 CET	8.8.8.8	192.168.2.7	0xe69e	No error (0)	covid19vaccine.hopto.org		46.183.222.6	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

covid19vaccine.hopto.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49699	46.183.222.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 15:38:12.622627020 CET	915	OUT	GET /march%20OG.exe HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: covid19vaccine.hopto.org Connection: Keep-Alive
Mar 9, 2021 15:38:12.690965891 CET	917	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 14:38:11 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.2 Last-Modified: Wed, 03 Mar 2021 00:26:30 GMT ETag: "17000-5bc96e70c1a4b" Accept-Ranges: bytes Content-Length: 94208 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b 23 c4 db cf 42 aa 88 cf 42 aa 88 cf 42 aa 88 4c 5e a4 88 ce 42 aa 88 80 60 a3 88 cd 42 aa 88 f9 64 a7 88 ce 42 aa 88 52 69 63 68 cf 42 aa 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 8c 5d 2f 4d 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 40 01 00 00 30 00 00 00 00 00 00 14 17 00 00 00 10 00 00 00 50 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 80 01 00 00 10 00 00 67 77 01 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 46 01 00 28 00 00 00 00 70 01 00 ac 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 90 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 2c 3d 01 00 00 10 00 00 00 40 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 08 12 00 00 00 50 01 00 00 10 00 00 00 50 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 ac 09 00 00 00 70 01 00 00 10 00 00 00 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$#BBBL^B`BdBRichBPEL]/M@0P@gwF(p( .text,=@ `.dataPP@.rsrcp`@@IMSVBVM60.DLL
Mar 9, 2021 15:38:12.691025019 CET	918	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mar 9, 2021 15:38:12.758311033 CET	919	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mar 9, 2021 15:38:12.758338928 CET	921	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mar 9, 2021 15:38:12.758357048 CET	922	IN	Data Raw: 07 00 08 00 e4 2a 41 00 f5 2a 41 00 ec 2a 41 00 04 00 04 00 00 00 00 00 00 00 00 00 91 2c 41 00 06 00 04 00 00 00 00 00 84 2d 41 00 7b 2d 41 00 06 00 04 00 00 00 00 00 b1 2e 41 00 a8 2e 41 00 07 00 08 00 3b 30 41 00 5d 30 41 00 42 30 41 00 07 00 Data Ascii: AAA,A-A{-A.A.A;0A]0AB0A1A1A1A2A2A2A75A>5A";A:A=Ad=A2=A>A>A@A@A@AAABAlCACAtCA(DADA
Mar 9, 2021 15:38:12.758373976 CET	924	IN	Data Raw: af 05 3b 01 0c 08 00 53 75 62 73 74 61 6e 38 00 13 00 00 ff 03 4f 00 00 00 07 05 00 44 61 74 61 31 00 25 02 20 0d 88 0e 74 04 2c 01 12 0c 00 41 00 63 00 63 00 65 00 73 00 73 00 20 00 32 00 30 00 30 00 30 00 3b 00 13 00 00 16 00 17 00 18 00 00 19 Data Ascii: ;Substan8OData1% t,Access 2000;Data1%,-1@(@VB5!6&*~8@0 @@@ @xOPSGT
Mar 9, 2021 15:38:12.825692892 CET	925	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @@&@@T&@PA@@\|'@@@@@&hl8 @lZAhN}bord'@'@@4'@
Mar 9, 2021 15:38:12.825736046 CET	926	IN	Data Raw: 00 00 00 00 00 00 e8 1f 40 00 74 1e 40 00 fa 16 40 00 00 17 40 00 06 17 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @t@@@@ @t@@@@l$l$Gl$Gl$
Mar 9, 2021 15:38:12.825762033 CET	928	IN	Data Raw: 6f 6e 32 00 3a 4f ad 33 99 66 cf 11 b7 0c 00 aa 00 60 d3 93 00 00 00 00 46 6f 72 6d 00 00 00 00 4f 70 74 69 6f 6e 33 00 f2 4e ad 33 99 66 cf 11 b7 0c 00 aa 00 60 d3 93 43 6f 6d 6d 61 6e 64 31 00 00 00 00 09 00 00 00 6b 65 72 6e 65 6c 33 32 00 00 Data Ascii: on2:O3f`FormOption3N3f`Command1kernel32GetEnvironmentVariableA(@(@<SADSAth(@P@GetEnvironmentVarAlgys2udgivelsesdageneGinneyAGNISESbertasequator
Mar 9, 2021 15:38:12.825787067 CET	929	IN	Data Raw: ad 33 99 66 cf 11 b7 0c 00 aa 00 60 d3 93 12 00 00 00 54 00 72 00 69 00 6f 00 72 00 63 00 68 00 69 00 73 00 00 00 49 00 58 00 69 00 65 00 32 00 75 00 74 00 48 00 52 00 78 00 30 00 68 00 53 00 42 00 4c 00 72 00 6e 00 6c 00 32 00 6c 00 4d 00 34 00 Data Ascii: 3f`TriorchisIXie2utHRx0hSBLrnl2lM4fNpqMGsjbukbu73oU84spisestelleneassFuWexospheres Marginalposition1
Mar 9, 2021 15:38:12.825809956 CET	930	IN	Data Raw: 6b 4f 62 6a 00 00 00 00 5f 5f 76 62 61 53 74 72 43 6f 70 79 00 00 00 00 5f 5f 76 62 61 45 72 72 6f 72 4f 76 65 72 66 6c 6f 77 00 00 5f 5f 76 62 61 53 74 72 43 61 74 00 5f 5f 76 62 61 49 6e 53 74 72 00 00 5f 5f 76 62 61 46 72 65 65 53 74 72 4c 69 Data Ascii: kObj__vbaStrCopy__vbaErrorOverflow__vbaStrCat__vbaInStr__vbaFreeStrList__vbaStrToUnicode__vbaSetSystemError__vbaStrToAnsi__vbaFreeVarList__vbaStrVarMove__vbaStrMoveS_0>I*JMPCsKES6#Gc&

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 4340 Parent PID: 792

General

Start time:	15:38:09
Start date:	09/03/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff6bb910000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: iexplore.exe PID: 4436 Parent PID: 4340

General

Start time:	15:38:10
Start date:	09/03/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4340 CREDAT:17410 /prefetch:2
Imagebase:	0xde0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: march OG.exe PID: 4844 Parent PID: 4340

General

Start time:	15:38:41
Start date:	09/03/2021
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\march OG.exe'
Imagebase:	0x400000
File size:	94208 bytes
MD5 hash:	B75B990AC5990F1B6B0127540DE4EC30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: march OG.exe PID: 4844 Parent PID: 4340 march OG.exeCOMMON

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	1.5%
Signature Coverage:	0%
Total number of Nodes:	272
Total number of Limit Nodes:	78

Executed Functions

Function 0040A0CB, Relevance: 2.3, APIs: 1, Instructions: 1096
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af999bf652ef452ba6a75e124921a586b504a57ffd848da4c5b764abe152492
Instruction ID: 5ec0887be7f3cc5f52953df30326b3c1168f9988ec1c7f7ff65615b0ce89810f
Opcode Fuzzy Hash: 5af999bf652ef452ba6a75e124921a586b504a57ffd848da4c5b764abe152492
Instruction Fuzzy Hash: F272EADB94E7E20FE3031674ED663D62F658B63365F0B02B7D8449B9D7D01D0B8982A2

Uniqueness

Uniqueness Score: -1.00%

Function 0040F2CA, Relevance: 274.8, APIs: 143, Strings: 13, Instructions: 1811COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(?,?,00402ABC,00000068), ref: 0040F2DD
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,00402ABC,00000068), ref: 0040F304
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F33D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402ABC,00000168), ref: 0040F38A
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040F3B1
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F3ED
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AF8,00000068), ref: 0040F434
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040279C,00000720,?,?,?,BF8D7BB0,00005B03,00795422,0019C96F,?,00000003,32BFFE00,00005B04,?), ref: 0040F4FC
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,?,?,BF8D7BB0,00005B03,00795422,0019C96F,?,00000003,32BFFE00,00005B04), ref: 0040F525
__vbaFreeVar.MSVBVM60 ref: 0040F533
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040F54B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F584
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000068), ref: 0040F5CB
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040F5F2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F62B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AF8,00000158), ref: 0040F678
__vbaChkstk.MSVBVM60(?,?), ref: 0040F6B2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040279C,00000724), ref: 0040F6F3
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040F71C
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040F737
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F770
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A8C,00000158), ref: 0040F7BD
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040F7E4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F81D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,000000F8), ref: 0040F867
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040F88E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F8CA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000138), ref: 0040F917
__vbaChkstk.MSVBVM60(0077A407,?), ref: 0040F987
__vbaChkstk.MSVBVM60(?,6EB06DA0,00005AFA,00000009,0077A407,?), ref: 0040F9B2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040279C,00000728), ref: 0040F9F3
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0040FA23
__vbaFreeVar.MSVBVM60 ref: 0040FA31
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040FA49
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FA82
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000178), ref: 0040FACF
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040FAF6
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FB2F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000188), ref: 0040FB7C
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040FBA3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FBDC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000138), ref: 0040FC29
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040FC50
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FC8C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000088), ref: 0040FCD9
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040FD00
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FD3C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A8C,00000058), ref: 0040FD83
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040FDAA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FDE6

Strings

symmetriegenskabernes, xrefs: 0040F964
diskless, xrefs: 00410084
p:, xrefs: 00410042
UNSQUEAMISHNESS, xrefs: 0041007B
dmrings, xrefs: 00410CA7
Britskas, xrefs: 00410C18
If, xrefs: 004110C3
pizzarestaurant, xrefs: 00410035
Pidgins, xrefs: 00410056
Fregatternes5, xrefs: 004104A4
BRODDENES, xrefs: 00410877
TILBAGESENDTES, xrefs: 004108B8
Rideable7, xrefs: 00410623

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$CheckHresult$New2$Free$ChkstkList
String ID: BRODDENES$Britskas$Fregatternes5$If$Pidgins$Rideable7$TILBAGESENDTES$UNSQUEAMISHNESS$diskless$dmrings$pizzarestaurant$p:$symmetriegenskabernes
API String ID: 335668265-4230584830
Opcode ID: 641f40870c6376b4afe055af6e06c49f333c8d78e4992794b83fc62f3d5c8de0
Instruction ID: cb1fe708451b9b0f0296a1835d5ebb1cef097ceba4c5fd5db3c5e4a38acf3413
Opcode Fuzzy Hash: 641f40870c6376b4afe055af6e06c49f333c8d78e4992794b83fc62f3d5c8de0
Instruction Fuzzy Hash: D9030870900628DFDB21DFA0CC89BD9B7B8BB08304F1045EAE509BB2A1DB795AC5DF55

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD8F, Relevance: 190.2, APIs: 96, Strings: 12, Instructions: 1221COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040FDAA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FDE6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AF8,00000198), ref: 0040FE33
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040FE5A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FE96
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AF8,00000070), ref: 0040FEDD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040279C,0000072C,?,00000003,004DE577,?,?,?), ref: 0040FFC0
__vbaVarMove.MSVBVM60(?,00000003,004DE577,?,?,?), ref: 0040FFDD
__vbaFreeObjList.MSVBVM60(00000007,?,?,?,?,?,?,?,?,00000003,004DE577,?,?,?), ref: 0041000C
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00410024
__vbaStrCopy.MSVBVM60 ref: 0041003D
__vbaChkstk.MSVBVM60(?,?,3AE8E970,diskless,?,UNSQUEAMISHNESS,000060CE,035926C0,00005AFD), ref: 0041009E
__vbaFreeStr.MSVBVM60(?,?,3AE8E970,diskless,?,UNSQUEAMISHNESS,000060CE,035926C0,00005AFD), ref: 004100C0
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,3AE8E970,diskless,?,UNSQUEAMISHNESS,000060CE,035926C0,00005AFD), ref: 004100D8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410111
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A8C,00000160), ref: 0041015E
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 00410185
__vbaObjSet.MSVBVM60(?,00000000), ref: 004101BE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402ABC,00000150), ref: 00410208
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041022A
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 00410245
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410281
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A8C,00000110), ref: 004102CE
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004102F3
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0041030E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041034A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AAC,00000160), ref: 00410397
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004103BC
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 004103D7
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410413
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AAC,00000140), ref: 00410460
__vbaI4Var.MSVBVM60(?), ref: 00410489
__vbaI4Var.MSVBVM60(?,Fregatternes5,?,?), ref: 004104B0
__vbaStrVarMove.MSVBVM60(?,00002DA8,?,?,?,4B16F6C0,00005AFA,00000000,?,Fregatternes5,?,?), ref: 004104E0
__vbaStrMove.MSVBVM60(?,00002DA8,?,?,?,4B16F6C0,00005AFA,00000000,?,Fregatternes5,?,?), ref: 004104EA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040279C,00000730,?,?,00000000,?,00002DA8,?,?,?,4B16F6C0,00005AFA,00000000,?), ref: 00410531
__vbaFreeStr.MSVBVM60(?,?,00000000,?,00002DA8,?,?,?,4B16F6C0,00005AFA,00000000,?,Fregatternes5,?,?), ref: 00410548
__vbaFreeObjList.MSVBVM60(00000008,?,?,?,?,?,?,?,?,?,?,00000000,?,00002DA8), ref: 0041057E
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0041059D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040279C,00000740), ref: 004105DC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040276C,000002B4), ref: 00410678
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 004106DA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410713
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402A8C,00000218), ref: 0041075D
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 00410784
__vbaObjSet.MSVBVM60(?,00000000), ref: 004107BD

Strings

TILBAGESENDTES, xrefs: 004108B8
diskless, xrefs: 00410084
p:, xrefs: 00410042
UNSQUEAMISHNESS, xrefs: 0041007B
dmrings, xrefs: 00410CA7
Britskas, xrefs: 00410C18
Rideable7, xrefs: 00410623
If, xrefs: 004110C3
pizzarestaurant, xrefs: 00410035
Pidgins, xrefs: 00410056
Fregatternes5, xrefs: 004104A4
BRODDENES, xrefs: 00410877

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$CheckHresult$New2$Free$List$CallLateMove$ChkstkCopy
String ID: BRODDENES$Britskas$Fregatternes5$If$Pidgins$Rideable7$TILBAGESENDTES$UNSQUEAMISHNESS$diskless$dmrings$pizzarestaurant$p:
API String ID: 509946452-3977931801
Opcode ID: ff14f9794626594913155d9e9e10155addd991d68529996314f651acf93662e2
Instruction ID: 4b5bf704dcc98bbc6b9f295d43f8bec579e800b4a25319a3208693eaa3c36b83
Opcode Fuzzy Hash: ff14f9794626594913155d9e9e10155addd991d68529996314f651acf93662e2
Instruction Fuzzy Hash: 2FC21971900628EFDB21DF50CC89BD9B7B8BB08304F1045EAE609BB2A1DB795AC4DF55

Uniqueness

Uniqueness Score: -1.00%

Function 004106A6, Relevance: 119.7, APIs: 62, Strings: 6, Instructions: 723
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaNew2.MSVBVM60(00401E74,00415010), ref: 004106DA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410713
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402A8C,00000218), ref: 0041075D
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 00410784
__vbaObjSet.MSVBVM60(?,00000000), ref: 004107BD
__vbaHresultCheckObj.MSVBVM60(?,?,00402A8C,000001A0,00408161), ref: 0041080A
__vbaVarDup.MSVBVM60(00000000,?,00402A8C,000001A0), ref: 00410897
__vbaFreeVar.MSVBVM60(00411337), ref: 00411331
__vbaErrorOverflow.MSVBVM60 ref: 00411356
__vbaChkstk.MSVBVM60(?,004014C6), ref: 00411377
__vbaI4Str.MSVBVM60(00402D70,?,?,?,?,004014C6), ref: 004113A0
#697.MSVBVM60(00000000,00402D70,?,?,?,?,004014C6), ref: 004113A6
__vbaStrMove.MSVBVM60(00000000,00402D70,?,?,?,?,004014C6), ref: 004113B0
__vbaStrCmp.MSVBVM60(00402D7C,00000000,00000000,00402D70,?,?,?,?,004014C6), ref: 004113BB
__vbaFreeStr.MSVBVM60(00402D7C,00000000,00000000,00402D70,?,?,?,?,004014C6), ref: 004113CF
#580.MSVBVM60(HJDE,00000001,00402D7C,00000000,00000000,00402D70,?,?,?,?,004014C6), ref: 004113E3

Strings

TILBAGESENDTES, xrefs: 004108B8
dmrings, xrefs: 00410CA7
Britskas, xrefs: 00410C18
HJDE, xrefs: 004113DE
If, xrefs: 004110C3
BRODDENES, xrefs: 00410877

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$CheckFreeHresultNew2$#580#697ChkstkErrorMoveOverflow
String ID: BRODDENES$Britskas$HJDE$If$TILBAGESENDTES$dmrings
API String ID: 2705637564-1969145881
Opcode ID: f14d4cd94f79623259cac24463c8c615014540e173036e35def236904aca4a87
Instruction ID: 09187d55962f989a4aaaf0f2b7058c11881010cbe5f6498cba40d882f44503fd
Opcode Fuzzy Hash: f14d4cd94f79623259cac24463c8c615014540e173036e35def236904aca4a87
Instruction Fuzzy Hash: C6621970900618DFDB21DFA0CC89BD9B7B8BB09304F1045EAE509BB2A1DB795AC5CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004107EA, Relevance: 95.1, APIs: 49, Strings: 5, Instructions: 629
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaHresultCheckObj.MSVBVM60(?,?,00402A8C,000001A0,00408161), ref: 0041080A
__vbaVarDup.MSVBVM60(00000000,?,00402A8C,000001A0), ref: 00410897
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004108DC
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 004108FB
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 00410916
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041094F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000130), ref: 00410999
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004109BB
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 004109D6
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410A0F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,000000F8), ref: 00410A5C
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00410A81
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 00410A9C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410AD8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AAC,00000130), ref: 00410B25
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 00410B4C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410B88
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AAC,00000060), ref: 00410BCF
__vbaStrVarMove.MSVBVM60(?), ref: 00410C33
__vbaStrMove.MSVBVM60(?), ref: 00410C3D
__vbaI4Var.MSVBVM60(?,00000009,?,00003A7A,?), ref: 00410C70
__vbaChkstk.MSVBVM60(00000000,?,00000009,?,00003A7A,?), ref: 00410C79
__vbaChkstk.MSVBVM60(003AD305,?,00000000,?,00000009,?,00003A7A,?), ref: 00410C96
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040279C,00000734), ref: 00410CDC
__vbaFreeStr.MSVBVM60(00000000,?,0040279C,00000734), ref: 00410CF3
__vbaFreeObjList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 00410D1B
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 00410D3A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040279C,00000738), ref: 00410D82
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 00410DA9
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410DE2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402AF8,00000080), ref: 00410E2F
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 00410E56
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410E8F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AAC,00000170), ref: 00410ED9
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 00410F00
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410F39
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000158), ref: 00410F83
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 00410FAA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410FE6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000138), ref: 00411033
__vbaChkstk.MSVBVM60(4C805220,?,00000008,?), ref: 004110EA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040279C,0000073C), ref: 00411145
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0041116E
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00411186
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 004111A1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004111DA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402ABC,00000070), ref: 00411221
__vbaFreeObj.MSVBVM60(?,?,00000003,?,?,D18F62D0,00005B01), ref: 00411294
__vbaFreeVar.MSVBVM60(?,?,00000003,?,?,D18F62D0,00005B01), ref: 0041129F

Strings

TILBAGESENDTES, xrefs: 004108B8
dmrings, xrefs: 00410CA7
Britskas, xrefs: 00410C18
If, xrefs: 004110C3
BRODDENES, xrefs: 00410877

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$CheckHresult$FreeNew2$List$Chkstk$CallLateMove
String ID: BRODDENES$Britskas$If$TILBAGESENDTES$dmrings
API String ID: 3604166182-1692888291
Opcode ID: 54ef1f018802b19c984a47ce9cb66c42b1b2a75c776f8ac2aa50383b8001863a
Instruction ID: ab1f8e69898914df29d759dcb10daa11fc0fb502cf2ea95188d2280444960f4a
Opcode Fuzzy Hash: 54ef1f018802b19c984a47ce9cb66c42b1b2a75c776f8ac2aa50383b8001863a
Instruction Fuzzy Hash: 6B521AB1900628DFDB21DF50CC89BD9B7B8BB08304F1045EAE649BB2A1DB755AC4CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004135A5, Relevance: 94.9, APIs: 45, Strings: 9, Instructions: 355
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 004135C2
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 004135DA
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 004135E5
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 004135F0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040276C,00000218), ref: 0041364D
__vbaChkstk.MSVBVM60(00000000,?,0040276C,00000218), ref: 00413664
__vbaChkstk.MSVBVM60(00000000,?,0040276C,00000218), ref: 00413675
__vbaLateMemCallLd.MSVBVM60(?,?,Add,00000002), ref: 00413694
__vbaObjVar.MSVBVM60(00000000), ref: 0041369D
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000), ref: 004136A7
__vbaFreeObj.MSVBVM60(?,00000000,00000000), ref: 004136AF
__vbaFreeVar.MSVBVM60(?,00000000,00000000), ref: 004136B7
__vbaNew2.MSVBVM60(00401E74,00415010,?,00000000,00000000), ref: 004136CF
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00413708
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000108), ref: 00413752
__vbaChkstk.MSVBVM60(00000000,?,00402A9C,00000108), ref: 00413786
__vbaLateMemSt.MSVBVM60(?,Text), ref: 0041379C
__vbaFreeObj.MSVBVM60(?,Text), ref: 004137A4
__vbaFreeVar.MSVBVM60(?,Text), ref: 004137AC
__vbaNew2.MSVBVM60(00401E74,00415010,?,Text), ref: 004137C4
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004137FD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A8C,000001D8), ref: 0041384A
__vbaChkstk.MSVBVM60(00000000,?,00402A8C,000001D8), ref: 00413873
__vbaLateMemSt.MSVBVM60(?,Left), ref: 00413889
__vbaFreeObj.MSVBVM60(?,Left), ref: 00413891
__vbaChkstk.MSVBVM60(?,Left), ref: 004138A7
__vbaLateMemSt.MSVBVM60(?,Top,?,Left), ref: 004138BD
__vbaChkstk.MSVBVM60(?,Top,?,Left), ref: 004138D0
__vbaLateMemSt.MSVBVM60(?,Visible,?,Top,?,Left), ref: 004138E6
__vbaLateMemCallLd.MSVBVM60(00000008,?,Text,00000000,?,Visible,?,Top,?,Left), ref: 00413907
__vbaVarTstEq.MSVBVM60(?,00000000,?,?,00000000,00000000), ref: 00413914
__vbaFreeVar.MSVBVM60(?,00000000,?,?,00000000,00000000), ref: 00413923
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040276C,00000160), ref: 0041396D
__vbaNew2.MSVBVM60(00402DB0,00415348), ref: 00413994
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 004139D0
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00413A09
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402ABC,00000110), ref: 00413A53
__vbaObjSet.MSVBVM60(?,?,00000000), ref: 00413A81
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,00000040), ref: 00413ABC
__vbaFreeStr.MSVBVM60(00000000,?,00402DA0,00000040), ref: 00413AD3
__vbaFreeObjList.MSVBVM60(00000002,00000000,?), ref: 00413AE2
__vbaFreeStr.MSVBVM60(00413B43,?,00000000,?,?,00000000,00000000), ref: 00413B25
__vbaFreeVar.MSVBVM60(00413B43,?,00000000,?,?,00000000,00000000), ref: 00413B2D
__vbaFreeObj.MSVBVM60(00413B43,?,00000000,?,?,00000000,00000000), ref: 00413B35
__vbaFreeStr.MSVBVM60(00413B43,?,00000000,?,?,00000000,00000000), ref: 00413B3D

Strings

SVIGERSNNEN, xrefs: 004138EB
Visible, xrefs: 004138DE
Text, xrefs: 00413794, 004138FB
Top, xrefs: 004138B5
Add, xrefs: 00413688
Left, xrefs: 00413881
HSA, xrefs: 004139AF
VB.TextBox, xrefs: 004135F5
markgreve, xrefs: 00413603

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$Chkstk$CheckHresultLate$New2$CallCopy$AddrefList
String ID: Add$HSA$Left$SVIGERSNNEN$Text$Top$VB.TextBox$Visible$markgreve
API String ID: 2480442511-4046506366
Opcode ID: de72c1650f230a0aee99d5c18e78e0f77014958a48ed26159c05417a0b84c354
Instruction ID: a69d5e83040a22f6baccc720c669d2476e6f1031d89c652fa090be399f7f65f3
Opcode Fuzzy Hash: de72c1650f230a0aee99d5c18e78e0f77014958a48ed26159c05417a0b84c354
Instruction Fuzzy Hash: FBE12870A01218EFDB10EF90CC45BDDBBB5AF09305F1044AAF549BB2A1CBB95A85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040C314, Relevance: 57.9, APIs: 32, Strings: 1, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 0040C330
#607.MSVBVM60(?,000000FF,00000002), ref: 0040C372
__vbaStrVarMove.MSVBVM60(?,?,000000FF,00000002), ref: 0040C37B
__vbaStrMove.MSVBVM60(?,?,000000FF,00000002), ref: 0040C385
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,000000FF,00000002), ref: 0040C394
__vbaLenBstr.MSVBVM60(?,?,?,004014C6), ref: 0040C39F
__vbaStrToAnsi.MSVBVM60(00000000,?,00000000,?,?,?,004014C6), ref: 0040C3AC
__vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,?,00000000,?,?,?,004014C6), ref: 0040C3BB
__vbaSetSystemError.MSVBVM60(00000000,?,?,00000000,00000000,?,00000000,?,?,?,004014C6), ref: 0040C3C6
__vbaStrToUnicode.MSVBVM60(?,?,00000000,?,?,00000000,00000000,?,00000000,?,?,?,004014C6), ref: 0040C3D1
__vbaStrToUnicode.MSVBVM60(?,00000000,?,?,00000000,?,?,00000000,00000000,?,00000000,?,?,?,004014C6), ref: 0040C3DD
__vbaFreeStrList.MSVBVM60(00000002,?,00000000,?,00000000,?,?,00000000,?,?,00000000,00000000,?,00000000,?), ref: 0040C3EC
#537.MSVBVM60(00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C3FB
__vbaStrMove.MSVBVM60(00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C405
__vbaInStr.MSVBVM60(00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C40D
__vbaFreeStr.MSVBVM60(00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C422
#537.MSVBVM60(00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C436
__vbaStrMove.MSVBVM60(00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C440
__vbaInStr.MSVBVM60(00000000,00000000,00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C448
#616.MSVBVM60(?,-00000001,00000000,00000000,00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?), ref: 0040C45A
__vbaStrMove.MSVBVM60(?,-00000001,00000000,00000000,00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?), ref: 0040C464
__vbaFreeStr.MSVBVM60(?,-00000001,00000000,00000000,00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?), ref: 0040C46C
__vbaStrCat.MSVBVM60(00402A50,?,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C47B
__vbaStrMove.MSVBVM60(00402A50,?,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C485
__vbaStrCat.MSVBVM60(?,00000000,00402A50,?,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C48E
__vbaStrMove.MSVBVM60(?,00000000,00402A50,?,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C498
__vbaFreeStr.MSVBVM60(?,00000000,00402A50,?,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C4A0
__vbaErrorOverflow.MSVBVM60(00000000,00000000,00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C50B
__vbaChkstk.MSVBVM60(00000000,004014C6,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C52C
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004014C6,00000000), ref: 0040C563
__vbaHresultCheckObj.MSVBVM60(00000000,004011A0,0040279C,000006F8), ref: 0040C597
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040C5AF

Strings

USERNAME, xrefs: 0040C55B

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Move$Free$List$#537AnsiChkstkErrorUnicode$#607#616BstrCheckCopyHresultOverflowSystem
String ID: USERNAME
API String ID: 1401190187-1047370299
Opcode ID: 81d8ea3eacccc889fa38942028c023c7d609be47b29976974265f14a2066c110
Instruction ID: 43f9ebd694a6e34167ded0a25cf51c16c46c1cf94341b2ca8444a5c0773e21fe
Opcode Fuzzy Hash: 81d8ea3eacccc889fa38942028c023c7d609be47b29976974265f14a2066c110
Instruction Fuzzy Hash: 4A610A71900209AFDB01EFA1CC86FEE7BB8AF04704F14853AF515B71E1DB7999458B98

Uniqueness

Uniqueness Score: -1.00%

Function 00411F61, Relevance: 38.6, APIs: 19, Strings: 3, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00411F7E
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00411F96
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00411FA1
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00411FAC
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00411FB7
__vbaVarDup.MSVBVM60 ref: 00411FD0
#543.MSVBVM60(?,?), ref: 00411FDD
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 00412001
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 00412017
__vbaNew2.MSVBVM60(00402DB0,00415348), ref: 00412041
__vbaCastObj.MSVBVM60(?,00402EE0,Homoplasy), ref: 00412077
__vbaObjSet.MSVBVM60(?,00000000,?,00402EE0,Homoplasy), ref: 00412081
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,00000040), ref: 004120BC
__vbaFreeObj.MSVBVM60(00000000,?,00402DA0,00000040), ref: 004120D3
__vbaFreeObj.MSVBVM60(00412127), ref: 00412101
__vbaFreeStr.MSVBVM60(00412127), ref: 00412109
__vbaFreeVar.MSVBVM60(00412127), ref: 00412111
__vbaFreeStr.MSVBVM60(00412127), ref: 00412119
__vbaFreeVar.MSVBVM60(00412127), ref: 00412121

Strings

HSA, xrefs: 0041205C
Homoplasy, xrefs: 0041206A
14:14:14, xrefs: 00411FBC

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$Copy$#543CastCheckChkstkHresultListNew2
String ID: 14:14:14$HSA$Homoplasy
API String ID: 2559661485-3487747675
Opcode ID: 41478cb700f60b29f6471828fc27585e42762e766cc98e2e47ceacbf02cc5430
Instruction ID: e484cfba8a4e81124a40dcde2717f9d014197f4040bb8fba99ea8b2e8966670f
Opcode Fuzzy Hash: 41478cb700f60b29f6471828fc27585e42762e766cc98e2e47ceacbf02cc5430
Instruction Fuzzy Hash: 61411D7090021C9FCB10DBA1CD46FEEB7B8BF14304F54456AE109B71A1DBB95A89CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00411836, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00411852
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 0041187C
#692.MSVBVM60(?,exospheres,Marginalposition,?,?,?,?,004014C6), ref: 0041188F
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 004118A7
__vbaFreeVar.MSVBVM60(00008008,?), ref: 004118B3
#571.MSVBVM60(000000D3,00008008,?), ref: 004118C5
__vbaFreeStr.MSVBVM60(004118F3,00008008,?), ref: 004118ED

Strings

Marginalposition, xrefs: 00411881
exospheres, xrefs: 00411886

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$#571#692ChkstkCopy
String ID: Marginalposition$exospheres
API String ID: 3621861193-2891326796
Opcode ID: aefe0329804d131029e785a7ff6b982b269221e1b4108a7647cf26c567d78ce6
Instruction ID: 62ee4990a67bcc75ea5b8ee160afd48da7059f49fcbc34a0bd79d1efe4ee82c7
Opcode Fuzzy Hash: aefe0329804d131029e785a7ff6b982b269221e1b4108a7647cf26c567d78ce6
Instruction Fuzzy Hash: 62114C74901248ABDB00EFD1C946FEEBBB8AF00B04F10842AF501B71E0D77D9A45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004143B5, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 004143D0
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004014C6), ref: 004143F6
#645.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00414401
__vbaStrMove.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 0041440B
__vbaFreeVar.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00414413
__vbaFreeStr.MSVBVM60(00414431,?,00000000,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 0041442B

Strings

RESPONDER, xrefs: 004143E2

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$#645ChkstkMove
String ID: RESPONDER
API String ID: 769593574-468911128
Opcode ID: e3df1314072516b17679cfdaf96e696ec864ac636f28d76576c0831631c43160
Instruction ID: 623a2e9b44232dd63997e88e693712c8ce0067b854bce3e221dec5aad6ff09f6
Opcode Fuzzy Hash: e3df1314072516b17679cfdaf96e696ec864ac636f28d76576c0831631c43160
Instruction Fuzzy Hash: 9AF03171901208ABDB00EB91CD56FDEB7B8EB54708F60892EF001775E0DB796E04CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040241D, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,004014C6,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C52C
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004014C6,00000000), ref: 0040C563
__vbaHresultCheckObj.MSVBVM60(00000000,004011A0,0040279C,000006F8), ref: 0040C597
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040C5AF

Strings

USERNAME, xrefs: 0040C55B
G, xrefs: 0040241D

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$CheckChkstkCopyFreeHresultList
String ID: G$USERNAME
API String ID: 3070489859-465494610
Opcode ID: 3077c11547f5f0d3d7c2db014c4cf2d4f8c93d40167859c243ac57e2044c823c
Instruction ID: a866738bb26e572f9d2f0443212f154c423d73a6f910d0efb92d6ad17d685401
Opcode Fuzzy Hash: 3077c11547f5f0d3d7c2db014c4cf2d4f8c93d40167859c243ac57e2044c823c
Instruction Fuzzy Hash: 2D213875940208FFCB00DF95CC86BDE7BB8AB08744F108136F509AB2A0D778A6418B98

Uniqueness

Uniqueness Score: -1.00%

Function 00401714, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401719

Strings

VB5!6&*, xrefs: 00401714

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 1ebfa7cea9b78e9819895b1e379a45de5423944a1e15eb1bc593f88b1c4642cd
Instruction ID: fcf28688819d7af4624bc1326912388632d7491fd93b70435748f7e10a3165c3
Opcode Fuzzy Hash: 1ebfa7cea9b78e9819895b1e379a45de5423944a1e15eb1bc593f88b1c4642cd
Instruction Fuzzy Hash: A4D09BA594E3D15ED7272375082250A2F309C4364532F45E7D091EB4F3D5298809D7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0040A0FB, Relevance: 2.3, APIs: 1, Instructions: 1040
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e5336acb9d27bb8715b184a83e315ed92e50f5d9a50ed947bd5d6ef2ec70028
Instruction ID: 74fc88bdf8f110d95e0f2c1a6a86e28da7ef9fc0ec45090476b6deb5aa66567c
Opcode Fuzzy Hash: 7e5336acb9d27bb8715b184a83e315ed92e50f5d9a50ed947bd5d6ef2ec70028
Instruction Fuzzy Hash: 0C72AADB94E7E10FE3031674ED663E62FA58B63365F0B02F7D8449A9D7D01D0B898292

Uniqueness

Uniqueness Score: -1.00%

Function 0040A1CB, Relevance: 2.3, APIs: 1, Instructions: 1020
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,0000C000,00001000,00000040), ref: 0040AA81

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ebcb4cf11cced5ed508bbf8c6fbd3bd6ff05167eb289bddf0d578dd5e171f4eb
Instruction ID: e252c782743f26cbad6073e4c949e9d5248cfb67d323fff3ba520539c152fffe
Opcode Fuzzy Hash: ebcb4cf11cced5ed508bbf8c6fbd3bd6ff05167eb289bddf0d578dd5e171f4eb
Instruction Fuzzy Hash: 236298DB94E7E10FE3031674ED263E62FA58B53365F1B02F7D8849A9D7D01D0B898292

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02103D0A, Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

rX4, xrefs: 02103D80

Memory Dump Source

Source File: 00000010.00000002.492581683.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2100000_march OG.jbxd

Similarity

API ID:
String ID: rX4
API String ID: 0-805084833
Opcode ID: 4a73ffdef601368dc9eefd72bb7bdc5cb8df7069adc4f74046159a1db4aa907c
Instruction ID: 8495d65bee99a05eaac6e5fb65ac79d4fc639ee299daeae84c86cec51cd4d14f
Opcode Fuzzy Hash: 4a73ffdef601368dc9eefd72bb7bdc5cb8df7069adc4f74046159a1db4aa907c
Instruction Fuzzy Hash: 10E09279644707AF9B186FA4A4D12E927A36F193A0BD0416ABC2192284EBB1C845DB11

Uniqueness

Uniqueness Score: -1.00%

Function 02101CDA, Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.492581683.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2100000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afb1145b58625a29be9886dd26205ffbaa0369be71f88ba98b22e4b6ba21c648
Instruction ID: 38f90e402a184d19601563570752a707fcbfbd5bd0326e183e5342f1f955f1c0
Opcode Fuzzy Hash: afb1145b58625a29be9886dd26205ffbaa0369be71f88ba98b22e4b6ba21c648
Instruction Fuzzy Hash: D9A10931780706EFD7189E28CDD4BD673A6BF06350F594329ECA9932C0D7B5A899CB90

Uniqueness

Uniqueness Score: -1.00%

Function 021060DD, Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.492581683.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2100000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfb7aca369959c3e2a2d789d0b2917db1d653747dcaa1fe0e48505e64afd4768
Instruction ID: c7d1d38faf95a836c16f134c60ca76066e23f7e08bc36599432decd8585f77fe
Opcode Fuzzy Hash: bfb7aca369959c3e2a2d789d0b2917db1d653747dcaa1fe0e48505e64afd4768
Instruction Fuzzy Hash: 31A12B70A843828EDB24DF3885D476ABB959F56360F4582A9DDE6CF2DAC3B0C452C712

Uniqueness

Uniqueness Score: -1.00%

Function 02106071, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.492581683.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2100000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e650449d3cd74665b521b835a95441db521d9e268a35fa966e6771cd53ef7b
Instruction ID: 1ded4bcc688219cdd566a8c781e22779cab1a8942806211178f0e119737127c6
Opcode Fuzzy Hash: b6e650449d3cd74665b521b835a95441db521d9e268a35fa966e6771cd53ef7b
Instruction Fuzzy Hash: 6B716C70A84382CEDB14DF7884D4759BBA5EF66360F49815DCDA68F2D6C3B1C042CB62

Uniqueness

Uniqueness Score: -1.00%

Function 021060FB, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.492581683.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2100000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd1f324c439cc3332c8f46072fd008ca8107cc3dd24a1e105e2ef5f1224dddc
Instruction ID: 64a62bd2010ac5a93b778c4fe0e3b53e267efc6adbda6bec9145b3a8ddec53d5
Opcode Fuzzy Hash: 8bd1f324c439cc3332c8f46072fd008ca8107cc3dd24a1e105e2ef5f1224dddc
Instruction Fuzzy Hash: 73511774A84382CEDB15DF3884D4B56BB91EF56364F49829DCDA68F2D6C3B1C042CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02102230, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.492581683.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2100000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016a7bc9c12dadf8f5c3cdb13f60eaaba319ad17c6171b437c01b2550f13f640
Instruction ID: c622275c965c9f945c15123e7285285e4b6d094aa8d63208e39cca74b285b100
Opcode Fuzzy Hash: 016a7bc9c12dadf8f5c3cdb13f60eaaba319ad17c6171b437c01b2550f13f640
Instruction Fuzzy Hash: 4541D170684304AEEB246A208CDCBE577A6BF0A764F964145EC669B1E2C7F5C8C4CA11

Uniqueness

Uniqueness Score: -1.00%

Function 02102254, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.492581683.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2100000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65968fd5ac6444f8be60e74caf84c52efc77d9edbd1fd828b227a2e1747197af
Instruction ID: 0d1ba2b0c585ed4176e1ec81208392563a036a91c289001d606dd57ffd64ef07
Opcode Fuzzy Hash: 65968fd5ac6444f8be60e74caf84c52efc77d9edbd1fd828b227a2e1747197af
Instruction Fuzzy Hash: 5421D3306C0301EEEB246B6098D9FD93767EF45B10F8A8145ED666F0D2C7F29884CA11

Uniqueness

Uniqueness Score: -1.00%

Function 0210574D, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.492581683.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2100000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 819ab78417e819bc863569baa5bf56a28bffc5c72c66d9649581e3290eac7ccb
Instruction ID: 331dc770059b1a055e52f02b20765f758ec287c20051d44758e9e91f850ae060
Opcode Fuzzy Hash: 819ab78417e819bc863569baa5bf56a28bffc5c72c66d9649581e3290eac7ccb
Instruction Fuzzy Hash: 57F05E34381300DFD729DE18C5D0B6A73B7BBA4B50FC58469D8068B1D6C764E840EE11

Uniqueness

Uniqueness Score: -1.00%

Function 02102ED0, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.492581683.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2100000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a8d8264201017a1d51e18f219bed2ec61f8b951a981a192e44d16de404805b
Instruction ID: 3717ead56cfc4a482ff82f4e731c99a1f087b73de58fc83daf9d4b067904a33e
Opcode Fuzzy Hash: 57a8d8264201017a1d51e18f219bed2ec61f8b951a981a192e44d16de404805b
Instruction Fuzzy Hash: 53C08CB2345480CFFB84CE08C481F0033B1FB10A48F0800A4E8028FA82C334E820C600

Uniqueness

Uniqueness Score: -1.00%

Function 021051D5, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.492581683.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2100000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed2511702d7b69225ed1970ee9bd7944878a4dc7cb4fa9e3b54f5268025ccd5
Instruction ID: 5c9b83513dbec638cdb96462a82d9224053ac555cbf1cc7b43e47a7eeea745a4
Opcode Fuzzy Hash: 5ed2511702d7b69225ed1970ee9bd7944878a4dc7cb4fa9e3b54f5268025ccd5
Instruction Fuzzy Hash: 9FB0927825A540CFCA5DDA0CC0D4E54B3B2FF48A10BC69491F463CBE6AC364EC81C900

Uniqueness

Uniqueness Score: -1.00%

Function 02106A72, Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.492581683.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2100000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a01119da225e315b075405612d5ceddb45e15ab1b91e9dc2fc9138637cda8dbf
Instruction ID: d423e7d8e3b1d011b6385be6b950d1c950a69758382fdbfcbf6f8257127aefa3
Opcode Fuzzy Hash: a01119da225e315b075405612d5ceddb45e15ab1b91e9dc2fc9138637cda8dbf
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0040C316, Relevance: 40.6, APIs: 27, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 0040C330
#607.MSVBVM60(?,000000FF,00000002), ref: 0040C372
__vbaStrVarMove.MSVBVM60(?,?,000000FF,00000002), ref: 0040C37B
__vbaStrMove.MSVBVM60(?,?,000000FF,00000002), ref: 0040C385
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,000000FF,00000002), ref: 0040C394
__vbaLenBstr.MSVBVM60(?,?,?,004014C6), ref: 0040C39F
__vbaStrToAnsi.MSVBVM60(00000000,?,00000000,?,?,?,004014C6), ref: 0040C3AC
__vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,?,00000000,?,?,?,004014C6), ref: 0040C3BB
__vbaSetSystemError.MSVBVM60(00000000,?,?,00000000,00000000,?,00000000,?,?,?,004014C6), ref: 0040C3C6
__vbaStrToUnicode.MSVBVM60(?,?,00000000,?,?,00000000,00000000,?,00000000,?,?,?,004014C6), ref: 0040C3D1
__vbaStrToUnicode.MSVBVM60(?,00000000,?,?,00000000,?,?,00000000,00000000,?,00000000,?,?,?,004014C6), ref: 0040C3DD
__vbaFreeStrList.MSVBVM60(00000002,?,00000000,?,00000000,?,?,00000000,?,?,00000000,00000000,?,00000000,?), ref: 0040C3EC
#537.MSVBVM60(00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C3FB
__vbaStrMove.MSVBVM60(00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C405
__vbaInStr.MSVBVM60(00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C40D
__vbaFreeStr.MSVBVM60(00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C422
#537.MSVBVM60(00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C436
__vbaStrMove.MSVBVM60(00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C440
__vbaInStr.MSVBVM60(00000000,00000000,00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C448
#616.MSVBVM60(?,-00000001,00000000,00000000,00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?), ref: 0040C45A
__vbaStrMove.MSVBVM60(?,-00000001,00000000,00000000,00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?), ref: 0040C464
__vbaFreeStr.MSVBVM60(?,-00000001,00000000,00000000,00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?), ref: 0040C46C
__vbaStrCat.MSVBVM60(00402A50,?,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C47B
__vbaStrMove.MSVBVM60(00402A50,?,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C485
__vbaStrCat.MSVBVM60(?,00000000,00402A50,?,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C48E
__vbaStrMove.MSVBVM60(?,00000000,00402A50,?,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C498
__vbaFreeStr.MSVBVM60(?,00000000,00402A50,?,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C4A0
__vbaErrorOverflow.MSVBVM60(00000000,00000000,00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C50B
__vbaChkstk.MSVBVM60(00000000,004014C6,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C52C
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004014C6,00000000), ref: 0040C563
__vbaHresultCheckObj.MSVBVM60(00000000,004011A0,0040279C,000006F8), ref: 0040C597
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040C5AF

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Move$Free$List$#537AnsiChkstkErrorUnicode$#607#616BstrCheckCopyHresultOverflowSystem
String ID:
API String ID: 1401190187-0
Opcode ID: 75d9e12d4025ff665aff680624f197e169ac2b3f35a384fef7339d418a4cdd82
Instruction ID: 43ba1e99afc4c7bb6831e2b235b490e52bf668ee3e3b7d1a55e175ed0f668d86
Opcode Fuzzy Hash: 75d9e12d4025ff665aff680624f197e169ac2b3f35a384fef7339d418a4cdd82
Instruction Fuzzy Hash: AA412A71D00109ABDF01ABE1CC96FEF7BB8AF04304F14493AB611B61F1DE7A99458B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041261A, Relevance: 36.8, APIs: 18, Strings: 3, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00412635
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 0041264D
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00412658
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00412663
#670.MSVBVM60(?,?,?,?,?,004014C6), ref: 0041266C
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 00412687
__vbaFreeVar.MSVBVM60(00008008,?), ref: 00412693
__vbaNew2.MSVBVM60(00402DB0,00415348,00008008,?), ref: 004126B7
__vbaLateMemCallLd.MSVBVM60(?,?,mDddaTHbiK109,00000000,?,?,00008008,?), ref: 004126E2
__vbaObjVar.MSVBVM60(00000000), ref: 004126EB
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000), ref: 004126F5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,0000000C), ref: 0041271E
__vbaFreeObj.MSVBVM60(00000000,?,00402DA0,0000000C), ref: 0041272F
__vbaFreeVar.MSVBVM60(00000000,?,00402DA0,0000000C), ref: 00412737
__vbaFreeObj.MSVBVM60(0041277F,00008008,?), ref: 00412761
__vbaFreeStr.MSVBVM60(0041277F,00008008,?), ref: 00412769
__vbaFreeVar.MSVBVM60(0041277F,00008008,?), ref: 00412771
__vbaFreeVar.MSVBVM60(0041277F,00008008,?), ref: 00412779

Strings

HSA, xrefs: 004126CC
Ferskvandsomraaderne4, xrefs: 00412671
mDddaTHbiK109, xrefs: 004126D6

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$#670AddrefCallCheckChkstkCopyHresultLateNew2
String ID: Ferskvandsomraaderne4$HSA$mDddaTHbiK109
API String ID: 1327288182-1825278231
Opcode ID: 926d05d7b37add073712cf40af82349a97cc49529074da5a5ce751f4a91e4093
Instruction ID: b8e5183ea26046bdba3ff3c6e95c6c2f9b62bae2e2c04f476e05be9ac922925d
Opcode Fuzzy Hash: 926d05d7b37add073712cf40af82349a97cc49529074da5a5ce751f4a91e4093
Instruction Fuzzy Hash: 02310B70C00208ABCB14EBE1CD46EDEB7B8AF14748F60452EF411B71E1DBB95945CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00413B56, Relevance: 35.1, APIs: 19, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00413B74
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00413B9E
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00413BA9
#610.MSVBVM60(?,?,?,?,?,004014C6), ref: 00413BB2
#661.MSVBVM60(?,00403098,?,?,?,?,?,?,?,?,004014C6), ref: 00413BCB
#610.MSVBVM60(?,?,00403098,?,?,?,?,?,?,?,?,004014C6), ref: 00413BD4
__vbaVarAdd.MSVBVM60(?,00000002,?,?), ref: 00413C00
__vbaVarTstNe.MSVBVM60(00000000,?,00000002,?,?), ref: 00413C06
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,00000000,?,00000002,?,?), ref: 00413C24
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 00413C4E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413C87
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402ABC,000000E0), ref: 00413CD1
#666.MSVBVM60(?,00000008), ref: 00413D0A
__vbaVarMove.MSVBVM60(?,00000008), ref: 00413D15
__vbaFreeObj.MSVBVM60(?,00000008), ref: 00413D1D
__vbaFreeVar.MSVBVM60(?,00000008), ref: 00413D25
__vbaFreeVar.MSVBVM60(00413D7D,?,?,?,?,004014C6), ref: 00413D67
__vbaFreeStr.MSVBVM60(00413D7D,?,?,?,?,004014C6), ref: 00413D6F
__vbaFreeStr.MSVBVM60(00413D7D,?,?,?,?,004014C6), ref: 00413D77

Strings

}=A, xrefs: 00413D64

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$#610Copy$#661#666CheckChkstkHresultListMoveNew2
String ID: }=A
API String ID: 1255821010-3361414057
Opcode ID: a7aa25c433e95d5f7ed8840ce532b04ff59121eb3d55a22c86960f40f3e51d4d
Instruction ID: 093f5e0fbf5057ec6d61d855e46b19d98a2cbec8d5aa33af4322b3192fd964b9
Opcode Fuzzy Hash: a7aa25c433e95d5f7ed8840ce532b04ff59121eb3d55a22c86960f40f3e51d4d
Instruction Fuzzy Hash: 8751ED71900208EFDB10EFA1CD95FDEB7B8AF04304F1045AAE509B71A1DB796A89CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00412CC0, Relevance: 29.8, APIs: 15, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00412CDB
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00412CF3
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00412CFE
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00412D0B
#712.MSVBVM60(?,00402F88,00000000,00000001,000000FF,00000000,?,?,?,?,004014C6), ref: 00412D20
__vbaStrMove.MSVBVM60(?,00402F88,00000000,00000001,000000FF,00000000,?,?,?,?,004014C6), ref: 00412D2A
__vbaStrCmp.MSVBVM60(00402F90,?,?,00402F88,00000000,00000001,000000FF,00000000,?,?,?,?,004014C6), ref: 00412D37
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,00402F90,?,?,00402F88,00000000,00000001,000000FF,00000000), ref: 00412D54
#667.MSVBVM60(?,?,?,?,?,?,?,?,00402F90,?,?,00402F88,00000000,00000001,000000FF,00000000), ref: 00412D5D
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00402F90,?,?,00402F88,00000000,00000001,000000FF,00000000), ref: 00412D67
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,00402F90,?,?,00402F88,00000000,00000001,000000FF,00000000), ref: 00412D6F
__vbaFreeVar.MSVBVM60(00412DA5,00402F90,?,?,00402F88,00000000,00000001,000000FF,00000000,?,?,?,?,004014C6), ref: 00412D87
__vbaFreeVar.MSVBVM60(00412DA5,00402F90,?,?,00402F88,00000000,00000001,000000FF,00000000,?,?,?,?,004014C6), ref: 00412D8F
__vbaFreeStr.MSVBVM60(00412DA5,00402F90,?,?,00402F88,00000000,00000001,000000FF,00000000,?,?,?,?,004014C6), ref: 00412D97
__vbaFreeStr.MSVBVM60(00412DA5,00402F90,?,?,00402F88,00000000,00000001,000000FF,00000000,?,?,?,?,004014C6), ref: 00412D9F

Strings

cer, xrefs: 00412D03
Restproduktet6, xrefs: 00412D40

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$Move$#667#712ChkstkCopy
String ID: Restproduktet6$cer
API String ID: 1621521382-3279456967
Opcode ID: 51a2cb30fd4d73b9e94e6b6b7ddd9e0ca597fe406f55029c84651346528b7e16
Instruction ID: 69e45d2cfcd18ff73cfd476d852d8b40ed88bd269eddb023bbd4675536ab821e
Opcode Fuzzy Hash: 51a2cb30fd4d73b9e94e6b6b7ddd9e0ca597fe406f55029c84651346528b7e16
Instruction Fuzzy Hash: A5211830910249ABCB04EBA1DD52EDDBB74AF10748F54493EB002760F1EFB96949CA48

Uniqueness

Uniqueness Score: -1.00%

Function 00413085, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 004130A1
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 004130CB
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 004130D8
#523.MSVBVM60(?,?,?,?,?,004014C6), ref: 004130E0
__vbaStrMove.MSVBVM60(?,?,?,?,?,004014C6), ref: 004130EA
__vbaStrCmp.MSVBVM60(00402FCC,00000000,?,?,?,?,?,004014C6), ref: 004130F5
__vbaFreeStr.MSVBVM60(00402FCC,00000000,?,?,?,?,?,004014C6), ref: 00413109
__vbaNew2.MSVBVM60(00402DB0,00415348,00402FCC,00000000,?,?,?,?,?,004014C6), ref: 0041312D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,0000001C), ref: 00413171
__vbaChkstk.MSVBVM60(00000000,?,00402DA0,0000001C), ref: 00413196
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402F08,00000060), ref: 004131CC
__vbaFreeObj.MSVBVM60(00000000,?,00402F08,00000060), ref: 004131DD
__vbaFreeVar.MSVBVM60(0041320B,00402FCC,00000000,?,?,?,?,?,004014C6), ref: 004131FD
__vbaFreeStr.MSVBVM60(0041320B,00402FCC,00000000,?,?,?,?,?,004014C6), ref: 00413205

Strings

Hin7, xrefs: 004131A4
HSA, xrefs: 00413142

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$CheckChkstkHresult$#523CopyMoveNew2
String ID: HSA$Hin7
API String ID: 27921420-659015245
Opcode ID: c67f671d4824f325c2a00d634b41a3abf745553271e1ecc3202c89754d5008e4
Instruction ID: e5b06f73e85defc90c717eac996c81157e1fe345159a0436afd722830ff3169e
Opcode Fuzzy Hash: c67f671d4824f325c2a00d634b41a3abf745553271e1ecc3202c89754d5008e4
Instruction Fuzzy Hash: B7411570940208EFCF00EFA5C945BDDBBB5BF14705F24452AF405BB2A1DBB95A86DB18

Uniqueness

Uniqueness Score: -1.00%

Function 004115B1, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 004115CC
#646.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 004115F0
__vbaStrMove.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 004115FA
__vbaStrCmp.MSVBVM60(spisestellene,00000000,0000000A,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00411605
__vbaFreeStr.MSVBVM60(spisestellene,00000000,0000000A,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00411618
__vbaFreeVar.MSVBVM60(spisestellene,00000000,0000000A,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00411620
__vbaNew2.MSVBVM60(00402DB0,00415348,spisestellene,00000000,0000000A,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00411644
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,0000004C,?,?,?,?,?,?,?,?,spisestellene,00000000,0000000A), ref: 00411688
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,spisestellene,00000000,0000000A), ref: 004116B1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402E5C,0000001C,?,?,?,?,?,?,?,?,spisestellene,00000000,0000000A), ref: 004116E2
__vbaObjSet.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,spisestellene,00000000,0000000A), ref: 00411701
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,spisestellene,00000000,0000000A), ref: 00411709
__vbaFreeObj.MSVBVM60(00411741,spisestellene,00000000,0000000A,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 0041173B

Strings

HSA, xrefs: 00411659
spisestellene, xrefs: 00411600

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$CheckChkstkHresult$#646MoveNew2
String ID: HSA$spisestellene
API String ID: 2019826511-4040083204
Opcode ID: 8672e1ce3e2c01730a305f817076942b53583e1e885915e656a17d18eab8e145
Instruction ID: 5fe6ec2fdcb64fafd825d929ac4f13983a0be50c74be57eaf57d36824d6874c9
Opcode Fuzzy Hash: 8672e1ce3e2c01730a305f817076942b53583e1e885915e656a17d18eab8e145
Instruction Fuzzy Hash: 3F41F470D50308EFDB00EFD1C955BEEBBB5AF04704F24452AE501BB2A1D7BA5946CB19

Uniqueness

Uniqueness Score: -1.00%

Function 004122E8, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00412303
#631.MSVBVM60(FGFG,00000002,00000002,?,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 0041232E
__vbaStrMove.MSVBVM60(FGFG,00000002,00000002,?,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00412338
__vbaStrCmp.MSVBVM60(00402F04,00000000,FGFG,00000002,00000002), ref: 00412343
__vbaFreeStr.MSVBVM60(00402F04,00000000,FGFG,00000002,00000002), ref: 00412357
__vbaFreeVar.MSVBVM60(00402F04,00000000,FGFG,00000002,00000002), ref: 0041235F
__vbaNew2.MSVBVM60(00401E74,00415010,00402F04,00000000,FGFG,00000002,00000002), ref: 00412383
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00402F04,00000000,FGFG,00000002,00000002), ref: 004123B0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000108,?,?,?,?,?,?,?,?,00402F04,00000000,FGFG,00000002), ref: 004123E5
#666.MSVBVM60(?,00000008,?,?,?,?,?,?,?,?,00402F04,00000000,FGFG,00000002,00000002), ref: 00412412
__vbaVarMove.MSVBVM60(?,00000008,?,?,?,?,?,?,?,?,00402F04,00000000,FGFG,00000002,00000002), ref: 0041241D
__vbaFreeObj.MSVBVM60(?,00000008,?,?,?,?,?,?,?,?,00402F04,00000000,FGFG,00000002,00000002), ref: 00412425
__vbaFreeVar.MSVBVM60(?,00000008,?,?,?,?,?,?,?,?,00402F04,00000000,FGFG,00000002,00000002), ref: 0041242D
__vbaFreeVar.MSVBVM60(00412465,00402F04,00000000,FGFG,00000002,00000002), ref: 0041245F

Strings

FGFG, xrefs: 00412329

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$Move$#631#666CheckChkstkHresultNew2
String ID: FGFG
API String ID: 704291291-2759163656
Opcode ID: a7eaa0eaf7fe46571da90a485917c02c76e9570b96954f5f7e0d1b201f75b8b0
Instruction ID: 1348005867bcb56c377947b6fac47b7d3265205b25ed005b72191f799e6df17c
Opcode Fuzzy Hash: a7eaa0eaf7fe46571da90a485917c02c76e9570b96954f5f7e0d1b201f75b8b0
Instruction Fuzzy Hash: E0410871940208AFCF00EFE1C995BDDBBB8BF18704F14452AF405BB2A1DBBA5985CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00413EE2, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00413EFE
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00413F28
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00413F33
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00413F3E
__vbaNew2.MSVBVM60(00402DB0,00415348,?,?,?,?,004014C6), ref: 00413F56
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,00000014), ref: 00413F9A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DC0,00000130), ref: 00413FDB
__vbaStrMove.MSVBVM60 ref: 00413FF9
__vbaFreeObj.MSVBVM60 ref: 00414001
__vbaFreeStr.MSVBVM60(0041403F), ref: 00414021
__vbaFreeVar.MSVBVM60(0041403F), ref: 00414029
__vbaFreeStr.MSVBVM60(0041403F), ref: 00414031
__vbaFreeVar.MSVBVM60(0041403F), ref: 00414039

Strings

HSA, xrefs: 00413F6B

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$CheckHresult$ChkstkCopyMoveNew2
String ID: HSA
API String ID: 3448594947-293960443
Opcode ID: 3383e6a8fb6001976ccdeb9d226c2eea9e708bb05f3108114c29e65f223af2c5
Instruction ID: 3965eb5541186d9e3fd1075af2c0ba8b23b1f2b3ec1b0926a082b8a15874e2d2
Opcode Fuzzy Hash: 3383e6a8fb6001976ccdeb9d226c2eea9e708bb05f3108114c29e65f223af2c5
Instruction Fuzzy Hash: 6441C570D00208DFCB00EFD5C955BDDBBB4BF18309F14852AE4157B2A1DBB96A8ACB54

Uniqueness

Uniqueness Score: -1.00%

Function 00412ED5, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00412EF1
__vbaVarDup.MSVBVM60 ref: 00412F29
#563.MSVBVM60(?), ref: 00412F32
__vbaFreeVar.MSVBVM60(?), ref: 00412F48
__vbaNew2.MSVBVM60(00402DB0,00415348,?), ref: 00412F6C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,0000001C,?,?,?,?,?,?,?), ref: 00412FB0
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?), ref: 00412FD2
__vbaCastObj.MSVBVM60(?,00402EE0,?,?,?,?,?,?,?), ref: 00412FE8
__vbaObjSet.MSVBVM60(?,00000000,?,00402EE0,?,?,?,?,?,?,?), ref: 00412FF2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402F08,00000058,?,?,?,?,?,?,?), ref: 0041301B
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?), ref: 00413033
__vbaFreeObj.MSVBVM60(00413066,?), ref: 00413060

Strings

HSA, xrefs: 00412F81

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$CheckChkstkHresult$#563CastListNew2
String ID: HSA
API String ID: 4064276064-293960443
Opcode ID: bd06443c3f1632cb0f12b1bc094df87c4b677b7c87bb16fad8fb999cc30f709a
Instruction ID: 8c285f0052f7ee2791d4b4e28a6b00bcf7454a03f830b03d8b2a1e9821a72987
Opcode Fuzzy Hash: bd06443c3f1632cb0f12b1bc094df87c4b677b7c87bb16fad8fb999cc30f709a
Instruction Fuzzy Hash: CB41E170900618EFCB00EFD4C94ABDEBBB8BF08745F10452AF401BB2A1D7B95986DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041405E, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 0041407C
__vbaVarDup.MSVBVM60 ref: 004140B4
#564.MSVBVM60(?,?), ref: 004140C1
__vbaHresultCheck.MSVBVM60(00000000,?,?,?,?,?), ref: 004140D2
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004140FC
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041410F
__vbaHresultCheckObj.MSVBVM60(00000000,00401460,0040276C,00000160), ref: 00414150
__vbaNew2.MSVBVM60(00402DB0,00415348), ref: 00414177
__vbaObjSet.MSVBVM60(?,?,GAARDHUSET), ref: 004141B9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,00000040), ref: 004141E2
__vbaFreeObj.MSVBVM60(00000000,?,00402DA0,00000040), ref: 004141F9

Strings

GAARDHUSET, xrefs: 004141AA
HSA, xrefs: 00414192

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$CheckHresult$Free$#564ChkstkListNew2
String ID: GAARDHUSET$HSA
API String ID: 851593083-2964492987
Opcode ID: f3474c0c2beaf9490de55d71a4bb8be780808cdc08f33bef5e71a6b54484271b
Instruction ID: f41ee5d753e93676b5138cc95c73b84fa4cbcc48cf45b7652e970b0ba98902de
Opcode Fuzzy Hash: f3474c0c2beaf9490de55d71a4bb8be780808cdc08f33bef5e71a6b54484271b
Instruction Fuzzy Hash: D6510770D00218EFDB10DFA5C849BDDBBB8BB14704F20856AE509B72A1DB795A89CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00412478, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00412493
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 004124B9
#563.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 004124C2
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 004124D8
__vbaNew2.MSVBVM60(00402DB0,00415348,?), ref: 004124FC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,0000001C,?,?,?,?,?,?), ref: 00412540
__vbaChkstk.MSVBVM60(?,?,?,?,?,?), ref: 00412565
__vbaCastObj.MSVBVM60(?,00402EE0,?,?,?,?,?,?), ref: 0041257B
__vbaObjSet.MSVBVM60(?,00000000,?,00402EE0,?,?,?,?,?,?), ref: 00412585
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402F08,00000058,?,?,?,?,?,?), ref: 004125AE
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?), ref: 004125C6
__vbaFreeObj.MSVBVM60(004125F9,?), ref: 004125F3

Strings

HSA, xrefs: 00412511

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$CheckChkstkHresult$#563CastListNew2
String ID: HSA
API String ID: 4064276064-293960443
Opcode ID: 21390c43d88d2e1f1048f87a93f5e9d506f96e34b691568b3dc78f71824cfa1f
Instruction ID: 1b85c62744a4e3610a7a2c3e7991478a83d02ce6b2c1230d40da447b3bed7837
Opcode Fuzzy Hash: 21390c43d88d2e1f1048f87a93f5e9d506f96e34b691568b3dc78f71824cfa1f
Instruction Fuzzy Hash: 1541E470D00618AFCB00DFD1C986BDEBBB9BF08745F24442AF401BB1A1D7B95955DB18

Uniqueness

Uniqueness Score: -1.00%

Function 00411418, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00411434
__vbaNew2.MSVBVM60(00402DB0,00415348,?,?,?,?,004014C6), ref: 0041146B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,00000014), ref: 004114AF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DC0,00000128), ref: 004114F6
__vbaFreeObj.MSVBVM60(00000000,?,00402DC0,00000128), ref: 0041151C
__vbaChkstk.MSVBVM60(00000000,?,00402DC0,00000128), ref: 00411548
__vbaChkstk.MSVBVM60(00000000,?,00402DC0,00000128), ref: 00411559
__vbaLateMemCall.MSVBVM60(?,IXie2utHRx0hSBLrnl2lM4fNpqMGsjbukbu73oU84,00000002), ref: 00411571
__vbaFreeObj.MSVBVM60(00411592), ref: 0041158C

Strings

IXie2utHRx0hSBLrnl2lM4fNpqMGsjbukbu73oU84, xrefs: 00411569
Triorchis, xrefs: 00411529
HSA, xrefs: 00411480

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Chkstk$CheckFreeHresult$CallLateNew2
String ID: HSA$IXie2utHRx0hSBLrnl2lM4fNpqMGsjbukbu73oU84$Triorchis
API String ID: 3443168283-3629061477
Opcode ID: 28352fdc2bf43e92c8d29c880d75b2a3155a7e921acb13d461446cf4fed1a66a
Instruction ID: a04313485f6c9a6e1c6e7e673818826ed8dab57f8a768214b5a687b4b7aac699
Opcode Fuzzy Hash: 28352fdc2bf43e92c8d29c880d75b2a3155a7e921acb13d461446cf4fed1a66a
Instruction Fuzzy Hash: 3C412774D00308EFCB10DFA5C949BDEBBB5BF08704F20852AE505BB2A1DBB95985DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00412792, Relevance: 21.1, APIs: 14, Instructions: 92COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 004127AE
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 004127D8
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 004127E3
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 004127EE
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 004127F9
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 00412811
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041283E
__vbaChkstk.MSVBVM60(?,00000000), ref: 00412857
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AAC,000001B0), ref: 0041288E
__vbaFreeObj.MSVBVM60 ref: 004128A5
__vbaFreeVar.MSVBVM60(004128DB), ref: 004128BD
__vbaFreeVar.MSVBVM60(004128DB), ref: 004128C5
__vbaFreeVar.MSVBVM60(004128DB), ref: 004128CD
__vbaFreeVar.MSVBVM60(004128DB), ref: 004128D5

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$Chkstk$CheckHresultNew2
String ID:
API String ID: 2096563423-0
Opcode ID: f63c9d142257c49606896ad5de17b2c4fc7c45eabb1b596ac6a2810d03d1b6ee
Instruction ID: 51fce569daac9b000fdf8a2d3f8868c4c6881ddf1b2f89bb75533612a9ab8d9f
Opcode Fuzzy Hash: f63c9d142257c49606896ad5de17b2c4fc7c45eabb1b596ac6a2810d03d1b6ee
Instruction Fuzzy Hash: C5310630900208DFCB10EFA5C995BDDBBB5BF14308F50496EF405BB2A1DBBA6A45CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00413D9C, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00413DB7
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00413DCF
#693.MSVBVM60(00402D7C,?,?,?,?,004014C6), ref: 00413DD9
__vbaHresultCheckObj.MSVBVM60(?,?,0040276C,00000160,?,?,?,?,004014C6), ref: 00413E19
__vbaNew2.MSVBVM60(00402DB0,00415348,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00413E3A
__vbaObjSet.MSVBVM60(?,?,stvendtes,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00413E6D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,00000040,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00413E96
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00413EA7
__vbaFreeStr.MSVBVM60(00413ECF,00402D7C,?,?,?,?,004014C6), ref: 00413EC9

Strings

HSA, xrefs: 00413E4F
stvendtes, xrefs: 00413E61

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$CheckFreeHresult$#693ChkstkCopyNew2
String ID: HSA$stvendtes
API String ID: 663426343-3571590191
Opcode ID: bc92d0e9f33bcc557ccc80453930d75329ca1324e7228c3cc07857dc1f7c84b0
Instruction ID: bafae0f77cf21ae2ad6b48ae06931612411d394296e492b563bc48efda18ccc3
Opcode Fuzzy Hash: bc92d0e9f33bcc557ccc80453930d75329ca1324e7228c3cc07857dc1f7c84b0
Instruction Fuzzy Hash: 5331E870940309EFCB00EF95C94ABDEBBB5EF08716F20452AF501B72A0D7B95A85CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00411A49, Relevance: 18.1, APIs: 12, Instructions: 123COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00411A65
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00411A8F
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 00411AA7
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411AD4
__vbaNew2.MSVBVM60(00401E74,00415010,?,00000000), ref: 00411AFD
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411B2A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AF8,00000188), ref: 00411B5F
__vbaChkstk.MSVBVM60 ref: 00411B70
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A8C,000001EC), ref: 00411BAA
__vbaFreeStr.MSVBVM60 ref: 00411BBB
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00411BCA
__vbaFreeStr.MSVBVM60(00411BFD,?,?,004014C6), ref: 00411BF7

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2$CopyList
String ID:
API String ID: 897315418-0
Opcode ID: a9c92f27b6d300a240f4ff8dea0719f2f2768b146f6a55f71697d83b2232d10e
Instruction ID: 15a12843fe16d59a9410e598b34cc931a5654bb9a015de64b6d6205cc9272b3e
Opcode Fuzzy Hash: a9c92f27b6d300a240f4ff8dea0719f2f2768b146f6a55f71697d83b2232d10e
Instruction Fuzzy Hash: 2C51D774900608EFCB10EFD0C895BDDBBB9BF09304F10456AF501BB2A1DB796985DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041213A, Relevance: 18.1, APIs: 12, Instructions: 119COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00412155
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 0041216D
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 00412185
__vbaObjSet.MSVBVM60(?,00000000), ref: 004121B2
__vbaNew2.MSVBVM60(00401E74,00415010,?,00000000), ref: 004121DB
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412208
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000050), ref: 00412237
__vbaChkstk.MSVBVM60 ref: 00412248
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AF8,000001EC), ref: 00412282
__vbaFreeStr.MSVBVM60 ref: 00412293
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004122A2
__vbaFreeStr.MSVBVM60(004122D5), ref: 004122CF

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2$CopyList
String ID:
API String ID: 897315418-0
Opcode ID: 442d0be792afeb568cac3133116538382786c5871fe6370b7809b3d93082ce4e
Instruction ID: 9c39b4a93efd2b246c38cd9a70899190072e546f4003c1938a1a71c11fb8842f
Opcode Fuzzy Hash: 442d0be792afeb568cac3133116538382786c5871fe6370b7809b3d93082ce4e
Instruction Fuzzy Hash: A541F970A00608EFCF10EFD0D995BDEBBB9BF08304F14452AF501BB2A1C7B959959B59

Uniqueness

Uniqueness Score: -1.00%

Function 00413234, Relevance: 18.1, APIs: 12, Instructions: 73COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00413250
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 0041327A
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00413285
__vbaAryConstruct2.MSVBVM60(?,00402FEC,00000008,?,?,?,?,004014C6), ref: 00413295
#708.MSVBVM60(?,00006008,00402FE4,000000FF,00000000), ref: 004132BE
__vbaAryVar.MSVBVM60(00002008,?,?,00006008,00402FE4,000000FF,00000000), ref: 004132CC
__vbaAryCopy.MSVBVM60(?,?,00002008,?,?,00006008,00402FE4,000000FF,00000000), ref: 004132DC
__vbaFreeVar.MSVBVM60(?,?,00002008,?,?,00006008,00402FE4,000000FF,00000000), ref: 004132E4
__vbaFreeVar.MSVBVM60(00413326,?,?,00002008,?,?,00006008,00402FE4,000000FF,00000000), ref: 004132FC
__vbaFreeVar.MSVBVM60(00413326,?,?,00002008,?,?,00006008,00402FE4,000000FF,00000000), ref: 00413304
__vbaAryDestruct.MSVBVM60(00000000,?,00413326,?,?,00002008,?,?,00006008,00402FE4,000000FF,00000000), ref: 0041330F
__vbaAryDestruct.MSVBVM60(00000000,?,00000000,?,00413326,?,?,00002008,?,?,00006008,00402FE4,000000FF,00000000), ref: 00413320

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$Destruct$#708ChkstkConstruct2Copy
String ID:
API String ID: 2065015019-0
Opcode ID: a7e98dca05792bbfb9294d5c7de89a4f31ce9d1e896feb65d7e1ff97153676e1
Instruction ID: 5fd3a0376af6b4831edb9c1784ca8953cfd3ba7f9d9b9afee1427de3561f7e29
Opcode Fuzzy Hash: a7e98dca05792bbfb9294d5c7de89a4f31ce9d1e896feb65d7e1ff97153676e1
Instruction Fuzzy Hash: C021CA71D40208AADB10EFE5CC86FDDBBB8AF04704F50852BF515BB1E1DB78A6498B54

Uniqueness

Uniqueness Score: -1.00%

Function 00411D26, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00411D42
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00411D6C
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00411D77
__vbaNew2.MSVBVM60(00402DB0,00415348,?,?,?,?,004014C6), ref: 00411D8F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,00000014), ref: 00411DD3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DC0,00000070), ref: 00411E0E
__vbaFreeObj.MSVBVM60 ref: 00411E27
__vbaFreeStr.MSVBVM60(00411E4D), ref: 00411E3F
__vbaFreeStr.MSVBVM60(00411E4D), ref: 00411E47

Strings

HSA, xrefs: 00411DA4

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$CheckCopyHresult$ChkstkNew2
String ID: HSA
API String ID: 1408746023-293960443
Opcode ID: d35a7267d7bab395125bd5154981e6b88e69a57707672391361fe45ad145b51b
Instruction ID: 694568201b26c24086f10fa9518c170dc1d2100792ed9ab73e5cf16a42cd3a42
Opcode Fuzzy Hash: d35a7267d7bab395125bd5154981e6b88e69a57707672391361fe45ad145b51b
Instruction Fuzzy Hash: DA31E074900208EFCB00EFA5D985BDDBBB4AF08705F20852AF501B72A0D779A986CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00412902, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 0041291D
#575.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,004014C6), ref: 00412945
__vbaVarTstNe.MSVBVM60(00008002,?), ref: 00412960
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008002,?), ref: 00412973
__vbaVarDup.MSVBVM60 ref: 00412997
#666.MSVBVM60(?,?), ref: 004129A4
__vbaVarMove.MSVBVM60(?,?), ref: 004129AF
__vbaFreeVar.MSVBVM60(?,?), ref: 004129B7
__vbaFreeVar.MSVBVM60(004129E3), ref: 004129DD

Strings

anita, xrefs: 00412983

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$#575#666ChkstkListMove
String ID: anita
API String ID: 4276905740-2406036547
Opcode ID: af7119eaba4bc636348d1176c3786ffe1308f5c1b253a375e4f381587595821a
Instruction ID: 5abc7c8de29c695bcb5b1c9eee020a3b71707b42540106494db17bed3b415df4
Opcode Fuzzy Hash: af7119eaba4bc636348d1176c3786ffe1308f5c1b253a375e4f381587595821a
Instruction Fuzzy Hash: 8121B7B191025CAADB00EBE1CD8AEEEB7BCBB14704F54452EF101B71A1EB795909CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041334F, Relevance: 16.6, APIs: 11, Instructions: 127COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 0041336D
__vbaVarDup.MSVBVM60 ref: 004133AB
#717.MSVBVM60(?,?,00000003,00000000), ref: 004133BC
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,00000003,00000000), ref: 004133E0
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,00000003,00000000), ref: 004133F6
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0041344A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413483
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000158), ref: 004134CD
#595.MSVBVM60(00000008,00000000,0000000A,0000000A,0000000A), ref: 00413510
__vbaFreeObj.MSVBVM60(00000008,00000000,0000000A,0000000A,0000000A), ref: 00413518
__vbaFreeVarList.MSVBVM60(00000004,00000008,0000000A,0000000A,0000000A,00000008,00000000,0000000A,0000000A,0000000A), ref: 0041352F

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$List$#595#717CheckChkstkHresultNew2
String ID:
API String ID: 4190091149-0
Opcode ID: d6f87d3d237522cbeb74a8414c4d70100449a3fd00935880fea83f72616c7313
Instruction ID: f328f09ebe807ae89d3453d8b797ffa87591f0cba10625b7ef86292635b940a3
Opcode Fuzzy Hash: d6f87d3d237522cbeb74a8414c4d70100449a3fd00935880fea83f72616c7313
Instruction Fuzzy Hash: E651E8B1D00218EFDB11DF90C845BDEBBB8BF08704F5085AAE105BB2A1DB799A45CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00412B25, Relevance: 15.1, APIs: 10, Instructions: 114COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00412B40
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 00412B65
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412B92
__vbaNew2.MSVBVM60(00401E74,00415010,?,00000000), ref: 00412BBB
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412BE8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AAC,00000048), ref: 00412C17
__vbaChkstk.MSVBVM60 ref: 00412C28
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A8C,000001EC), ref: 00412C62
__vbaFreeStr.MSVBVM60 ref: 00412C73
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00412C82

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2$List
String ID:
API String ID: 2926503497-0
Opcode ID: abbc911938682a9fde818ee73a22d18d20318346af242846ad90b0b427b7b0a8
Instruction ID: 3f7934e47d377584765f31b918ed1486fa1ad541a3f189e52025c8c828815165
Opcode Fuzzy Hash: abbc911938682a9fde818ee73a22d18d20318346af242846ad90b0b427b7b0a8
Instruction Fuzzy Hash: 90413C70900608EFCB10EFD0C995FDEBBB9AF08304F10452AF501B72A1D7B95981DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041424E, Relevance: 15.1, APIs: 10, Instructions: 88COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 0041426A
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00414294
__vbaStrComp.MSVBVM60(00000000,00402D7C,004030DC,?,?,?,?,004014C6), ref: 004142A5
__vbaNew2.MSVBVM60(00401E74,00415010,00000000,00402D7C,004030DC,?,?,?,?,004014C6), ref: 004142C7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004142F4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000108), ref: 00414329
#600.MSVBVM60(00000008,00000002), ref: 00414354
__vbaFreeObj.MSVBVM60(00000008,00000002), ref: 0041435F
__vbaFreeVar.MSVBVM60(00000008,00000002), ref: 00414367
__vbaFreeVar.MSVBVM60(00414396,00000000,00402D7C,004030DC,?,?,?,?,004014C6), ref: 00414390

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$#600CheckChkstkCompHresultNew2
String ID:
API String ID: 1824550057-0
Opcode ID: 563363eb8870310f5406d2de26f922f5d67c499fa5e611d6632c604bd8c79d5b
Instruction ID: ab0271479d9fd62e0c322ded4ee0be442299890642da9117d55afccfb72c866e
Opcode Fuzzy Hash: 563363eb8870310f5406d2de26f922f5d67c499fa5e611d6632c604bd8c79d5b
Instruction Fuzzy Hash: 90310770A40208EFCB00EFE5C959BDDBBB4AF48704F10842AF405BB2A1D7795986CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00412DB8, Relevance: 15.1, APIs: 10, Instructions: 78COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00412DD3
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00412DEB
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00412DF6
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 00412E0E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412E3B
__vbaChkstk.MSVBVM60(?,00000000), ref: 00412E54
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A8C,00000200), ref: 00412E8B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00412E9C
__vbaFreeStr.MSVBVM60(00412EC2), ref: 00412EB4
__vbaFreeVar.MSVBVM60(00412EC2), ref: 00412EBC

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$Chkstk$CheckCopyHresultNew2
String ID:
API String ID: 763330518-0
Opcode ID: 1c59f506fcd07a2097f901d8d18e6edc1694e66ef7e10e8c8bd7b23c6af108bb
Instruction ID: 3a682e4e2336f8fa0d0f715fecdc0c2a98c759ebaf6614acf20fc9f93ea4de51
Opcode Fuzzy Hash: 1c59f506fcd07a2097f901d8d18e6edc1694e66ef7e10e8c8bd7b23c6af108bb
Instruction Fuzzy Hash: E4314D70900308EFCB14EF91C996FDDBBB4AF08714F14492AF401B72A1CBB95945CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041135B, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00411377
__vbaI4Str.MSVBVM60(00402D70,?,?,?,?,004014C6), ref: 004113A0
#697.MSVBVM60(00000000,00402D70,?,?,?,?,004014C6), ref: 004113A6
__vbaStrMove.MSVBVM60(00000000,00402D70,?,?,?,?,004014C6), ref: 004113B0
__vbaStrCmp.MSVBVM60(00402D7C,00000000,00000000,00402D70,?,?,?,?,004014C6), ref: 004113BB
__vbaFreeStr.MSVBVM60(00402D7C,00000000,00000000,00402D70,?,?,?,?,004014C6), ref: 004113CF
#580.MSVBVM60(HJDE,00000001,00402D7C,00000000,00000000,00402D70,?,?,?,?,004014C6), ref: 004113E3

Strings

HJDE, xrefs: 004113DE

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$#580#697ChkstkFreeMove
String ID: HJDE
API String ID: 1745895909-2420807878
Opcode ID: 191659900c395f655622b457f642a9924e153bc13b2ea6346444ab01fff29487
Instruction ID: a9d854f457f509e41ee73a495307342d01ac95b26604af36960ecbbd0c6a6c14
Opcode Fuzzy Hash: 191659900c395f655622b457f642a9924e153bc13b2ea6346444ab01fff29487
Instruction Fuzzy Hash: 48017530A40209ABCB00BBA5CC46FAE7AB8AF00B04F14453BB501F71E1DABD98418799

Uniqueness

Uniqueness Score: -1.00%

Function 004144FF, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 0041451A
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 0041453F
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 0041456C
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00414585
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AF8,000001EC,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 004145C1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004014C6), ref: 004145D2

Strings

Fierding, xrefs: 00414593

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID: Fierding
API String ID: 3189907775-2487161434
Opcode ID: 2c39dbfbed31bb04488af8aafec03f7044c56c601af5e4e73a0b5d7d7e9580cd
Instruction ID: 94dbcea938caceef3de172e441513509b2a2e7ed72a0855dfbea25bf12fdc542
Opcode Fuzzy Hash: 2c39dbfbed31bb04488af8aafec03f7044c56c601af5e4e73a0b5d7d7e9580cd
Instruction Fuzzy Hash: DC216D70A40608EFCB00DF95C895BDDBBB9EF49714F60452AF501BB2A0C7B95A80DF69

Uniqueness

Uniqueness Score: -1.00%

Function 004129F6, Relevance: 12.1, APIs: 8, Instructions: 78COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00412A12
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00412A3C
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 00412A54
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412A81
__vbaChkstk.MSVBVM60(?,00000000), ref: 00412A97
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402ABC,000001C0), ref: 00412ACE
__vbaFreeObj.MSVBVM60 ref: 00412ADF
__vbaFreeStr.MSVBVM60(00412AFE), ref: 00412AF8

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$ChkstkFree$CheckCopyHresultNew2
String ID:
API String ID: 2888502551-0
Opcode ID: 9d8ec28c09ac5323956b174d0e9d89a93be222c3eecbb7e10a44741bd5c35610
Instruction ID: 639bbd743891c022fc813efb4fa65b065905c59b934d3e8f52eb3d7f5adb053f
Opcode Fuzzy Hash: 9d8ec28c09ac5323956b174d0e9d89a93be222c3eecbb7e10a44741bd5c35610
Instruction Fuzzy Hash: F4314A30900208EFCB10EF91C999BDDBBB5BF08704F50846AF401BB2A0CBB95985CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00411920, Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 0041193C
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00411966
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 0041197E
__vbaObjSet.MSVBVM60(?,00000000), ref: 004119AB
__vbaChkstk.MSVBVM60(?,00000000), ref: 004119C4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,000001B0), ref: 004119FB
__vbaFreeObj.MSVBVM60 ref: 00411A0C
__vbaFreeVar.MSVBVM60(00411A2A), ref: 00411A24

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$ChkstkFree$CheckHresultNew2
String ID:
API String ID: 2807847221-0
Opcode ID: 5319177e48b671fd447492f310eadbfb12fddb78db49abf348fb66627586bd11
Instruction ID: ee6bdefe8b03201f9af1867f2851c72aa8322a30027d9cdc305ea573b6534c12
Opcode Fuzzy Hash: 5319177e48b671fd447492f310eadbfb12fddb78db49abf348fb66627586bd11
Instruction Fuzzy Hash: 46313670A10248EFCB00EFA1C899BDDBBB4BF08304F10456AF501BB2A0DBB96941CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00411C1C, Relevance: 10.6, APIs: 7, Instructions: 66COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00411C38
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00411C62
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 00411C7A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411CA7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AAC,000001BC), ref: 00411CD8
__vbaFreeObj.MSVBVM60 ref: 00411CE9
__vbaFreeStr.MSVBVM60(00411D07), ref: 00411D01

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$CheckChkstkCopyHresultNew2
String ID:
API String ID: 2810356740-0
Opcode ID: c689be13148d7d97952d23c8ca15574de37f5d739943ad336758d680d82648ea
Instruction ID: 8b559e2c974dc90a981f84e6da7762af1da8cef9ba2aad0a763a9a9b08aca624
Opcode Fuzzy Hash: c689be13148d7d97952d23c8ca15574de37f5d739943ad336758d680d82648ea
Instruction Fuzzy Hash: 57213670A50208EFCB00EF94C899FDDBBB4BF08704F10856AF501BB2A1DB795941DB99

Uniqueness

Uniqueness Score: -1.00%

Function 004145FB, Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00414616
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 0041462E
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 00414646
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,004014C6), ref: 00414673
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A8C,000001F8,?,?,?,?,?,?,?,?,?,004014C6), ref: 004146A4
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,004014C6), ref: 004146B5
__vbaFreeStr.MSVBVM60(004146D4,?,?,?,?,?,?,?,?,?,004014C6), ref: 004146CE

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$CheckChkstkCopyHresultNew2
String ID:
API String ID: 2810356740-0
Opcode ID: f1e8f8421268710681b4d7b909abff5a9342223c74ae886be63e77a42720da72
Instruction ID: 4f42bb803efc79e3231652cbf8864f74bfc6b433eba0a0af2af481c6e3572edc
Opcode Fuzzy Hash: f1e8f8421268710681b4d7b909abff5a9342223c74ae886be63e77a42720da72
Instruction Fuzzy Hash: AF212A70950208EFCB00DF90C995FDDBBB4BB59708F20056AF001772A1CB7D5941CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00414444, Relevance: 9.0, APIs: 6, Instructions: 39COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00414460
#610.MSVBVM60(?,?,?,?,?,004014C6), ref: 00414488
#552.MSVBVM60(?,?,00000001,?,?,?,?,?,004014C6), ref: 00414497
__vbaVarMove.MSVBVM60(?,?,00000001,?,?,?,?,?,004014C6), ref: 004144A2
__vbaFreeVar.MSVBVM60(?,?,00000001,?,?,?,?,?,004014C6), ref: 004144AA
__vbaFreeVar.MSVBVM60(004144D2,?,?,00000001,?,?,?,?,?,004014C6), ref: 004144CC

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$#552#610ChkstkMove
String ID:
API String ID: 3185064854-0
Opcode ID: c83aee9bd768ded6b6e2b428e1268cbb818669aab70bf8aefb8a521eeed86d30
Instruction ID: cec1c0d65296340e5066192e2bdeccca19a0566d1bbeeee6a083544c1faff110
Opcode Fuzzy Hash: c83aee9bd768ded6b6e2b428e1268cbb818669aab70bf8aefb8a521eeed86d30
Instruction Fuzzy Hash: E901FB71D00248BBCB00EFA5C946FCEBBB8EF44748F50856AF105B71A1DB79AA048B58

Uniqueness

Uniqueness Score: -1.00%

Function 00411E6C, Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00411E87
#675.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 00411ED9
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 00411EDE
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A,?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 00411F0E
#568.MSVBVM60(0000005B), ref: 00411F20

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$#568#675ChkstkFreeList
String ID:
API String ID: 1539022685-0
Opcode ID: 9a9be583502cb285b3682d77fbbda0261ee2c1253ed11eb1aabbc1434aaccf6d
Instruction ID: 3135df5fad623a4d64432aa5dc4d96b7d496623d0eee38701d86474cd722be43
Opcode Fuzzy Hash: 9a9be583502cb285b3682d77fbbda0261ee2c1253ed11eb1aabbc1434aaccf6d
Instruction Fuzzy Hash: EC1160B1850708AADB01DFD1CD56FEEBBBCEB00B04F14462FF140A6290D7B955808B69

Uniqueness

Uniqueness Score: -1.00%

Function 0041175E, Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00411779
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 0041179E
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,004014C6), ref: 004117CB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AF8,000001E8,?,?,?,?,?,?,004014C6), ref: 004117FC
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,004014C6), ref: 0041180D

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: 015c44f7705ab732d5046b414572d1a6288d58afd63225a76acf5ab488483512
Instruction ID: 3fd82a4276b81878de2ad4df0b6b3077b79da55f67544d0e1ab08b2a6a74b8fd
Opcode Fuzzy Hash: 015c44f7705ab732d5046b414572d1a6288d58afd63225a76acf5ab488483512
Instruction Fuzzy Hash: 61112E74940609EFCB10EF91C956BEEBBB8EB08704F60456AE101B72A0C7795981DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041353E, Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

__vbaFreeVar.MSVBVM60 ref: 0041354B
__vbaFreeStr.MSVBVM60 ref: 00413553
__vbaFreeObj.MSVBVM60 ref: 0041355B
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00413572

Memory Dump Source

Source File: 00000010.00000002.491340106.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.491326222.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000010.00000002.491388105.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000010.00000002.491407524.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_march OG.jbxd

Similarity

API ID: Free__vba$List
String ID:
API String ID: 2192533141-0
Opcode ID: 224582a13ea8c32cc541a3df5c212782702287b61164d9f0fa4b3d08184edd22
Instruction ID: e06834df7ba98d5cb87bfe0573b2770e41a1c11be254f6c502cb2ca90ff59a8c
Opcode Fuzzy Hash: 224582a13ea8c32cc541a3df5c212782702287b61164d9f0fa4b3d08184edd22
Instruction Fuzzy Hash: AFE07D73C001089BDB05EBD5CCA2DDE73BCAB14304F54457AE512B60A1EA35AA49C664

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report http://covid19vaccine.hopto.org/march%20OG.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: iexplore.exe PID: 4340 Parent PID: 792

General

Chronological Activities

Analysis Process: iexplore.exe PID: 4436 Parent PID: 4340

General

Chronological Activities

Function 0040A0CB, Relevance: 2.3, APIs: 1, Instructions: 1096
COMMON

Function 004106A6, Relevance: 119.7, APIs: 62, Strings: 6, Instructions: 723
COMMON

Function 004107EA, Relevance: 95.1, APIs: 49, Strings: 5, Instructions: 629
COMMON

Function 004135A5, Relevance: 94.9, APIs: 45, Strings: 9, Instructions: 355
COMMON

Function 0040C314, Relevance: 57.9, APIs: 32, Strings: 1, Instructions: 190
COMMON

Function 00411F61, Relevance: 38.6, APIs: 19, Strings: 3, Instructions: 106
COMMON

Function 00411836, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50
COMMON

Function 004143B5, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 35
COMMON

Function 0040241D, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 59
COMMON

Function 00401714, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON

Function 0040A0FB, Relevance: 2.3, APIs: 1, Instructions: 1040
COMMON

Function 0040A1CB, Relevance: 2.3, APIs: 1, Instructions: 1020
memoryCOMMON

Function 0040C316, Relevance: 40.6, APIs: 27, Instructions: 130
COMMON

Function 0041261A, Relevance: 36.8, APIs: 18, Strings: 3, Instructions: 97
COMMON