Edit tour

Windows Analysis Report
SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

Overview

General Information

Sample name:	SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe
Analysis ID:	1431434
MD5:	ffb4c4458546447f3bee304de21cd2eb
SHA1:	002c2f32ee46dacb422e75f687d8f74690184d31
SHA256:	2e823662bd36d30faea424591d4bf1557224007d9ee859917bb769a45cd4c0c6
Tags:	exe
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Creates files in alternative data streams (ADS)

AV process strings found (often used to terminate AV products)

Creates files inside the system directory

Detected potential crypto function

Found potential string decryption / allocating functions

PE / OLE file has an invalid certificate

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe (PID: 2172 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe" MD5: FFB4C4458546447F3BEE304DE21CD2EB)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Jump to behavior

Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	String found in binary or memory: http://aia.startssl.com/certs/sub.class2.code.ca.crt0#
Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	String found in binary or memory: http://blog.aloaha.com
Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	String found in binary or memory: http://crl.startssl.com/crtc2-crl.crl0
Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	String found in binary or memory: http://crl.startssl.com/sfsca.crl0
Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	String found in binary or memory: http://ocsp.startssl.com/sub/class2/code/ca0
Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	String found in binary or memory: http://www.aloaha.com/shop-en/aloaha-smart-login.php
Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	String found in binary or memory: http://www.aloaha.com/shop-en/aloaha-smart-login.php$Leaving
Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2470982431.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2214764796.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.1992240817.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2407966143.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.1896431358.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.1928775661.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2181469819.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2342547839.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2247901875.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2311192642.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2118500796.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.1928655788.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.1960719350.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2533960764.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2279753063.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2023977033.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2087013980.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2023817636.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000002.2637451643.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2565522617.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2439512762.00000000007B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.aloaha.com/shop-en/aloaha-smart-login.phpslator.dll945.exe:2172
Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	String found in binary or memory: http://www.aloaha.com/wi-software-en/uprade-your-aloaha-pdf-suite.php
Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	String found in binary or memory: http://www.startssl.com/0
Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	String found in binary or memory: http://www.startssl.com/intermediate.pdf0
Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	String found in binary or memory: http://www.startssl.com/policy.pdf0
Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	String found in binary or memory: http://www.startssl.com/policy.pdf04
Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	String found in binary or memory: http://www.startssl.com/sfsca.crl0
Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	String found in binary or memory: http://www.startssl.com/sfsca.crt0

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

File created: C:\Windows\FalseUserPass.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Code function: 0_2_004BDCB0	0_2_004BDCB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Code function: 0_2_004AC9C0	0_2_004AC9C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Code function: 0_2_004B4E60	0_2_004B4E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Code function: 0_2_004C5070	0_2_004C5070
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Code function: 0_2_004E3370	0_2_004E3370
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Code function: 0_2_004E8F90	0_2_004E8F90

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

Code function: String function: 00523470 appears 33 times

Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

Static PE information: invalid certificate

Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000000.1377279706.0000000000550000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamecredentialprovider.exe vs SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe
Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Binary or memory string: OriginalFilenamecredentialprovider.exe vs SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: sus24.evad.winEXE@1/4@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

File created: C:\Users\user\Desktop\FalseUserPass.ini:SmartLogin.txt

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DF7FC1D6B129264C8B.TMP

Jump to behavior

Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

File read: C:\Windows\FalseUserPass.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Section loaded: wtsapi32.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

File written: C:\Windows\FalseUserPass.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Jump to behavior

Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

Static file information: File size 1772168 > 1048576

Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x14c000

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Code function: 0_2_004085C4 push es; ret		0_2_004085C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Code function: 0_2_00404206 push eax; iretd		0_2_00404231

Hooking and other Techniques for Hiding and Protection

Creates files in alternative data streams (ADS)

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

File created: C:\Users\user\Desktop\FalseUserPass.ini:SmartLogin.txt

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

Binary or memory string: Shell_TrayWnd

Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: ClamTray.exe
Source: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: ClamWin.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Windows Service	1 Windows Service	11 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Process Injection	1 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 NTFS File Attributes	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

URLs

Source	Detection	Scanner	Label
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://www.startssl.com/sfsca.crt0	0%	Avira URL Cloud	safe
http://aia.startssl.com/certs/sub.class2.code.ca.crt0#	0%	Avira URL Cloud	safe
http://www.startssl.com/sfsca.crl0	0%	Avira URL Cloud	safe
http://www.startssl.com/policy.pdf04	0%	Avira URL Cloud	safe
http://ocsp.startssl.com/sub/class2/code/ca0	0%	Avira URL Cloud	safe
http://crl.startssl.com/sfsca.crl0	0%	Avira URL Cloud	safe
http://blog.aloaha.com	0%	Avira URL Cloud	safe
http://www.startssl.com/policy.pdf0	0%	Avira URL Cloud	safe
http://www.startssl.com/intermediate.pdf0	0%	Avira URL Cloud	safe
http://www.aloaha.com/shop-en/aloaha-smart-login.php	0%	Avira URL Cloud	safe
http://www.aloaha.com/shop-en/aloaha-smart-login.php$Leaving	0%	Avira URL Cloud	safe
http://www.startssl.com/0	0%	Avira URL Cloud	safe
http://crl.startssl.com/crtc2-crl.crl0	0%	Avira URL Cloud	safe
http://www.aloaha.com/wi-software-en/uprade-your-aloaha-pdf-suite.php	0%	Avira URL Cloud	safe
http://www.aloaha.com/shop-en/aloaha-smart-login.phpslator.dll945.exe:2172	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.startssl.com/sfsca.crt0	SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	false	Avira URL Cloud: safe	unknown
http://ocsp.startssl.com/sub/class2/code/ca0	SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	false	Avira URL Cloud: safe	unknown
http://aia.startssl.com/certs/sub.class2.code.ca.crt0#	SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	false		high
http://www.startssl.com/sfsca.crl0	SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	false	Avira URL Cloud: safe	unknown
http://www.startssl.com/policy.pdf04	SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	false	Avira URL Cloud: safe	unknown
http://blog.aloaha.com	SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	false	URL Reputation: safe	unknown
http://crl.startssl.com/sfsca.crl0	SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	false	Avira URL Cloud: safe	unknown
http://www.startssl.com/policy.pdf0	SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	false	Avira URL Cloud: safe	unknown
http://www.startssl.com/intermediate.pdf0	SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	false	Avira URL Cloud: safe	unknown
http://www.aloaha.com/shop-en/aloaha-smart-login.php	SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	false	Avira URL Cloud: safe	unknown
http://www.aloaha.com/shop-en/aloaha-smart-login.php$Leaving	SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	false	Avira URL Cloud: safe	unknown
http://www.startssl.com/0	SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	false	Avira URL Cloud: safe	unknown
http://crl.startssl.com/crtc2-crl.crl0	SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	false	Avira URL Cloud: safe	unknown
http://www.aloaha.com/wi-software-en/uprade-your-aloaha-pdf-suite.php	SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe	false	Avira URL Cloud: safe	unknown
http://www.aloaha.com/shop-en/aloaha-smart-login.phpslator.dll945.exe:2172	SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2470982431.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2214764796.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.1992240817.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2407966143.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.1896431358.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.1928775661.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2181469819.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2342547839.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2247901875.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2311192642.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2118500796.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.1928655788.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.1960719350.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2533960764.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2279753063.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2023977033.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2087013980.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2023817636.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000002.2637451643.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2565522617.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe, 00000000.00000003.2439512762.00000000007B1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431434
Start date and time:	2024-04-25 05:24:22 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe
Detection:	SUS
Classification:	sus24.evad.winEXE@1/4@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 59% Number of executed functions: 53 Number of non-executed functions: 19
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:26:21	API Interceptor	1x Sleep call for process: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe modified

Joe Sandbox View / Context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DF7FC1D6B129264C8B.TMP

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	409600
Entropy (8bit):	5.702032552150412
Encrypted:	false
SSDEEP:	3072:/RZEfPnavcu54Qj2C7eWifYJ1EIZ8qMBwYcsYFRT:HEfSPpeWEU1EIZ8ZwYcsYFRT
MD5:	5CB901EE88427DCDEF0BA031088CD891
SHA1:	7991EDA7E07B0C2F17E51C61025D27476B0C3AB4
SHA-256:	9E708CFCDF9457F34E4FBEE8ECC9015052D594E9D07A8445EFC9A53DC27A4E6E
SHA-512:	72641685B5B9C5497062A3108D36F5A1B81D46D4EA222373B87788E374C52D232C39681C94A0E144299C492BDB99253F277CDC833F6B67D1DA85A05682E5D26B
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\FalseUserPass.ini.lock

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:T:T
MD5:	9978B7063E297D84BB2AC8E46C1C845F
SHA1:	E78E1C8A184B06B3CFAAF828461FB13F7DE798A6
SHA-256:	77334823791BEA53E508BA59387C1287C8DA962026769657B4686756DB4B7BC8
SHA-512:	E6DFA974084410B109A7AD9126245EAEF6ED460E3888728C26281523309C12D41161A1B61C88ECC6FBE4B87E2B6ED3A6E8716E64221177EE475D5256151C28A3
Malicious:	false
Reputation:	low
Preview:	2172

C:\Users\user\Desktop\FalseUserPass.ini:SmartLogin.txt

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:O:O
MD5:	EEDC6ED006E6F49A7010013CC1FD8A3F
SHA1:	72577F813E0B1012A020FBDC28028FFD80B7EA7B
SHA-256:	0D02233B2626A00CC924AC6C228433C46EC307678AD1D70687831FDFE73B25F7
SHA-512:	AFB76E6C9D03DC508A093F07DAB123306B724DF121CAE29BCBD58DD901C2A07FDE980F5F1376AFFE6962E1338349957AF09AD889EF651EE8629AC75617054681
Malicious:	true
Reputation:	low
Preview:	8900

C:\Windows\FalseUserPass.ini

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	4.098068512058838
Encrypted:	false
SSDEEP:	3:1MwECwJOn:1MO
MD5:	D14429A2A43420229ACCE2BA85BCE909
SHA1:	23312D958EB7DB8AA494B74171E90EA01F8877AF
SHA-256:	477B77CB74AD7ABFA6200153B9B95BA849871B6278C122273A338A7474A2FF7C
SHA-512:	48B9A0DF77265D7E599F1DD6821E45E0B89ABA272B1574DAC97B8EF3B3B4C8E8A6ADE5C8719C5E3A4933F68346ED06ABC17CCC28A43AE3114C10564CAC20BCE5
Malicious:	false
Reputation:	low
Preview:	[Generic]..MonitorCertOnly=0..

__vbaR8FixI4, __vbaVarSub, __vbaVarTstGt, __vbaStrI2, __vbaNextEachAry, _CIcos, _adj_fptan, __vbaVarMove, __vbaStrI4, __vbaRedimPreserveVar, __vbaVarVargNofree, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaFpCDblR8, __vbaAryRecMove, __vbaVarIndexStore, __vbaNextEachVar, __vbaFreeObjList, __vbaVarIndexLoadRef, __vbaStrErrVarCopy, _adj_fprem1, __vbaRecAnsiToUni, __vbaI2Abs, __vbaCopyBytes, __vbaForEachCollAd, __vbaStrCat, __vbaVarCmpNe, __vbaBoolErrVar, __vbaLsetFixstr, __vbaRecDestruct, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenVar, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaLateMemSt, __vbaVarIndexLoadRefLock, __vbaVarForInit, __vbaExitProc, __vbaBoolStr, __vbaStrBool, __vbaI4Abs, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaVarIndexStoreObj, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarIndexLoad, __vbaStrFixstr, __vbaBoolVar, __vbaVarTstLt, __vbaVargVar, __vbaRefVarAry, __vbaFpR8, __vbaBoolVarNull, _CIsin, __vbaErase, __vbaVargVarMove, __vbaVarZero, __vbaVarCmpGt, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaVarAbs, __vbaGenerateBoundsError, __vbaExitEachColl, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, __vbaDateR8, __vbaI2I4, __vbaObjVar, DllFunctionCall, __vbaVarLateMemSt, __vbaVarOr, __vbaFpUI1, __vbaCastObjVar, __vbaStrR4, __vbaRedimPreserve, __vbaLbound, _adj_fpatan, __vbaFixstrConstruct, __vbaLateIdCallLd, __vbaRedim, __vbaStrR8, __vbaUI1ErrVar, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaNew, __vbaUI1I2, _CIsqrt, __vbaObjIs, __vbaVarAnd, EVENT_SINK_QueryInterface, __vbaStr2Vec, __vbaUI1I4, __vbaStrUI1, __vbaExceptHandler, __vbaPrintFile, __vbaStrToUnicode, __vbaDateStr, __vbaR4ErrVar, __vbaExitEachAry, _adj_fprem, _adj_fdivr_m64, __vbaI2Str, __vbaR8ErrVar, __vbaFPException, __vbaInStrVar, __vbaUbound, __vbaStrVarVal, __vbaVarCat, __vbaDateVar, __vbaLsetFixstrFree, __vbaI2Var, __vbaExitEachVar, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaVarLateMemCallLdRf, __vbaVar2Vec, __vbaInStr, __vbaNew2, __vbaR8Str, __vbaCyMulI2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, __vbaPowerR8, __vbaR8Var, _adj_fdiv_r, __vbaVarTstNe, __vbaVarSetVar, __vbaI4Var, __vbaForEachAry, __vbaVarCmpEq, __vbaLateMemCall, __vbaVarAdd, __vbaAryLock, __vbaStrComp, __vbaStrToAnsi, __vbaVarDup, __vbaUnkVar, __vbaVarTstGe, __vbaVarCopy, __vbaVarLateMemCallLd, __vbaFpI4, __vbaRecDestructAnsi, __vbaVarSetObjAddref, __vbaLateMemCallLd, _CIatan, __vbaUI1Str, __vbaI2ErrVar, __vbaCastObj, __vbaStrMove, __vbaAryCopy, __vbaR8IntI4, __vbaStrVarCopy, __vbaForEachVar, _allmul, __vbaLateIdSt, __vbaLateMemCallSt, __vbaAryRecCopy, _CItan, __vbaNextEachCollAd, __vbaFPInt, __vbaAryUnlock, __vbaVarForNext, _CIexp, __vbaMidStmtBstr, __vbaRecAssign, __vbaFreeObj, __vbaFreeStr, __vbaI4ErrVar

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	05:25:30
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe"
Imagebase:	0x400000
File size:	1'772'168 bytes
MD5 hash:	FFB4C4458546447F3BEE304DE21CD2EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	215

Executed Functions

Function 004AC9C0 Relevance: 1946.7, APIs: 1023, Strings: 85, Instructions: 7654COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00411816), ref: 004AC9DE
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 004ACA25
__vbaObjSet.MSVBVM60(?,00000000), ref: 004ACA99
__vbaHresultCheckObj.MSVBVM60(00000000,?,00474890,0000005C), ref: 004ACADF
__vbaFreeObj.MSVBVM60 ref: 004ACAFD
__vbaStrCopy.MSVBVM60 ref: 004ACB43
__vbaFreeStr.MSVBVM60(?), ref: 004ACB55

Part of subcall function 004D0AE0: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,00411816), ref: 004D0AFE
Part of subcall function 004D0AE0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 004D0B2B
Part of subcall function 004D0AE0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816), ref: 004D0B3A
Part of subcall function 004D0AE0: #520.MSVBVM60(?,00004008), ref: 004D0B68
Part of subcall function 004D0AE0: __vbaStrVarMove.MSVBVM60(?), ref: 004D0B72
Part of subcall function 004D0AE0: __vbaStrMove.MSVBVM60 ref: 004D0B7D
Part of subcall function 004D0AE0: __vbaFreeVar.MSVBVM60 ref: 004D0B86
Part of subcall function 004D0AE0: __vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D0B9C
Part of subcall function 004D0AE0: __vbaStrCopy.MSVBVM60 ref: 004D0BB5
Part of subcall function 004D0AE0: __vbaStrCat.MSVBVM60(?,get:,?), ref: 004D0BC8
Part of subcall function 004D0AE0: __vbaStrMove.MSVBVM60 ref: 004D0BD3
Part of subcall function 004D0AE0: __vbaStrMove.MSVBVM60(00000000), ref: 004D0BE4
Part of subcall function 004D0AE0: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004D0BF4
Part of subcall function 004D0AE0: #520.MSVBVM60(?,00004008), ref: 004D0C19
Part of subcall function 004D0AE0: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 004D0C35
Part of subcall function 004D0AE0: __vbaFreeVar.MSVBVM60 ref: 004D0C42
Part of subcall function 004D0AE0: __vbaStrCopy.MSVBVM60 ref: 004D0C5F

__vbaStrMove.MSVBVM60(CardLogon), ref: 004ACB87
__vbaStrCmp.MSVBVM60(true,00000000), ref: 004ACB93
__vbaFreeStr.MSVBVM60 ref: 004ACBAA
__vbaStrMove.MSVBVM60(MonitorI2C), ref: 004ACBED
__vbaStrCmp.MSVBVM60(true,00000000), ref: 004ACBF9
__vbaFreeStr.MSVBVM60 ref: 004ACC10
__vbaStrMove.MSVBVM60(MonitorKerberos), ref: 004ACC53
__vbaStrCmp.MSVBVM60(true,00000000), ref: 004ACC5F
__vbaFreeStr.MSVBVM60 ref: 004ACC76
__vbaStrCopy.MSVBVM60 ref: 004ACCC4
__vbaFreeStr.MSVBVM60(?), ref: 004ACCD6
#520.MSVBVM60(?,00004008), ref: 004ACD35
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 004ACD5D
__vbaFreeVar.MSVBVM60 ref: 004ACD70
__vbaStrMove.MSVBVM60 ref: 004ACD92
__vbaStrCopy.MSVBVM60 ref: 004ACDA3
__vbaFreeStr.MSVBVM60 ref: 004ACDAC
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004ACDC8
__vbaInStr.MSVBVM60(00000000,004775E8,?,00000001), ref: 004ACDF0
__vbaStrMove.MSVBVM60 ref: 004ACE0F
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004ACE1B
__vbaFreeStr.MSVBVM60 ref: 004ACE33
__vbaStrMove.MSVBVM60 ref: 004ACE59
__vbaStrCat.MSVBVM60(004775E8,00000000), ref: 004ACE65
__vbaVarDup.MSVBVM60 ref: 004ACEAF
#711.MSVBVM60(?,?,?,000000FF,00000000), ref: 004ACED1
__vbaChkstk.MSVBVM60(00000008), ref: 004ACEE3
__vbaVarIndexLoad.MSVBVM60(?,?,00000001,00000008), ref: 004ACF1D
__vbaVarAdd.MSVBVM60(?,00000000,?,?,?,?,?,?,00411816), ref: 004ACF2E
__vbaStrVarMove.MSVBVM60(00000000,?,?,?,?,?,?,00411816), ref: 004ACF35
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,00411816), ref: 004ACF40
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,00411816), ref: 004ACF51
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,00411816), ref: 004ACF61
__vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004ACF8F
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004ACFAB
__vbaInStr.MSVBVM60(00000000,004775E8,?,00000001), ref: 004ACFD3
__vbaVarDup.MSVBVM60 ref: 004AD01C
#711.MSVBVM60(?,?,?,000000FF,00000000), ref: 004AD03E
__vbaChkstk.MSVBVM60 ref: 004AD049
__vbaVarIndexLoad.MSVBVM60(?,?,00000001), ref: 004AD083
__vbaStrVarMove.MSVBVM60(00000000,?,?,?,?,?,?,00411816), ref: 004AD08D
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,00411816), ref: 004AD098
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,00411816), ref: 004AD0A6
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,00411816), ref: 004AD0AF
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,00411816), ref: 004AD0CC
__vbaStrCopy.MSVBVM60 ref: 004AD0ED
__vbaStrCat.MSVBVM60(?,UDomName: ), ref: 004AD109
__vbaStrMove.MSVBVM60 ref: 004AD114
__vbaFreeStr.MSVBVM60(?), ref: 004AD126
__vbaStrMove.MSVBVM60 ref: 004AD13D
__vbaStrCopy.MSVBVM60 ref: 004AD14B
__vbaStrCopy.MSVBVM60 ref: 004AD159
__vbaStrCopy.MSVBVM60 ref: 004AD167
#520.MSVBVM60(?,00000008,?,?,?,?), ref: 004AD1A0
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 004AD1C8
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 004AD1E7
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,00411816), ref: 004AD200
__vbaStrMove.MSVBVM60(MonitorI2C,?,?,?,?,?,?,?,00411816), ref: 004AD22E
__vbaStrCmp.MSVBVM60(true,00000000,?,?,?,?,?,?,?,00411816), ref: 004AD23A
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,00411816), ref: 004AD251
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00411816), ref: 004AD284
__vbaHresultCheckObj.MSVBVM60(00000000,?,00474890,0000005C), ref: 004AD2CA
#520.MSVBVM60(?,00004008), ref: 004AD31B
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 004AD343
__vbaFreeVar.MSVBVM60 ref: 004AD356
__vbaStrCat.MSVBVM60(?,MonitorI2C_), ref: 004AD381
__vbaStrMove.MSVBVM60 ref: 004AD38C
__vbaStrMove.MSVBVM60(00000000), ref: 004AD39D
__vbaStrCmp.MSVBVM60(true,00000000), ref: 004AD3A9
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004AD3C7
__vbaStrCat.MSVBVM60(?,MonitorPKI_,false), ref: 004AD429
__vbaStrMove.MSVBVM60 ref: 004AD434
__vbaFreeStr.MSVBVM60(00000000), ref: 004AD443
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,00411816), ref: 004AD484
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00411816), ref: 004AD496
__vbaStrMove.MSVBVM60(MonitorKerberos,?,?,?,?,?,?,?,00411816), ref: 004AD4C5
__vbaStrCmp.MSVBVM60(true,00000000,?,?,?,?,?,?,?,00411816), ref: 004AD4D1
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,00411816), ref: 004AD4E8
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00411816), ref: 004AD51B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00474890,0000005C), ref: 004AD561
__vbaFreeObj.MSVBVM60 ref: 004AD57F
__vbaStrCat.MSVBVM60(?,MonitorPKI_), ref: 004AD59B
__vbaStrMove.MSVBVM60 ref: 004AD5A6
__vbaStrMove.MSVBVM60(00000000), ref: 004AD5B7
__vbaStrCmp.MSVBVM60(true,00000000), ref: 004AD5C3
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004AD5E1
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,00411816), ref: 004AD641
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00411816), ref: 004AD653
__vbaStrCopy.MSVBVM60 ref: 004AD68D
__vbaFreeStr.MSVBVM60(?), ref: 004AD69F
__vbaObjSet.MSVBVM60(?,00000000), ref: 004AD6C3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00474890,00000064), ref: 004AD70C
__vbaFreeObj.MSVBVM60 ref: 004AD72A
__vbaObjSet.MSVBVM60(?,00000000), ref: 004AD74E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00474890,0000005C), ref: 004AD794
__vbaFreeObj.MSVBVM60 ref: 004AD7B2
__vbaObjSet.MSVBVM60(?,00000000), ref: 004AD7DB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00474890,00000058), ref: 004AD826
__vbaFreeObj.MSVBVM60 ref: 004AD85A
__vbaStrCopy.MSVBVM60 ref: 004AD87E
__vbaFreeStr.MSVBVM60(?), ref: 004AD890
__vbaObjSet.MSVBVM60(?,00000000), ref: 004AD8B4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00474890,0000005C), ref: 004AD8FA
__vbaFreeObj.MSVBVM60 ref: 004AD918
__vbaStrCopy.MSVBVM60 ref: 004AD92F
__vbaFreeStr.MSVBVM60(?), ref: 004AD941
__vbaStrCopy.MSVBVM60 ref: 004AD97B
__vbaFreeStr.MSVBVM60(?), ref: 004AD98D
__vbaStrI4.MSVBVM60(00000000,readers counted: ), ref: 004AD9FE
__vbaStrMove.MSVBVM60 ref: 004ADA09
__vbaStrCat.MSVBVM60(00000000), ref: 004ADA10
__vbaStrMove.MSVBVM60 ref: 004ADA1B
__vbaFreeStrList.MSVBVM60(00000002,?,?,?), ref: 004ADA34
__vbaStrCopy.MSVBVM60 ref: 004ADA71
__vbaFreeStr.MSVBVM60(?), ref: 004ADA83
__vbaObjSet.MSVBVM60(?,00000000), ref: 004ADAA7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00474890,0000005C), ref: 004ADAED
__vbaFreeObj.MSVBVM60 ref: 004ADB0B
__vbaObjSet.MSVBVM60(?,00000000), ref: 004ADB2F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00474890,00000058), ref: 004ADB7A
__vbaFreeObj.MSVBVM60 ref: 004ADBAE
__vbaStrCopy.MSVBVM60 ref: 004ADBD2
__vbaFreeStr.MSVBVM60(?), ref: 004ADBE4
__vbaObjSet.MSVBVM60(?,00000000), ref: 004ADC08
__vbaHresultCheckObj.MSVBVM60(00000000,?,00474890,0000005C), ref: 004ADC4E
__vbaFreeObj.MSVBVM60 ref: 004ADC6C
__vbaStrCopy.MSVBVM60 ref: 004ADC83
__vbaFreeStr.MSVBVM60(?), ref: 004ADC95
__vbaObjSet.MSVBVM60(?,00000000), ref: 004ADCB9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00474890,00000058), ref: 004ADD04
__vbaFreeObj.MSVBVM60 ref: 004ADD47
__vbaObjSet.MSVBVM60(?,00000000), ref: 004ADD7A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00474890,0000005C), ref: 004ADDC0
__vbaFreeObj.MSVBVM60 ref: 004ADDDE
__vbaStrCopy.MSVBVM60 ref: 004ADDF3
__vbaFreeStr.MSVBVM60(?), ref: 004ADE05
__vbaStrCopy.MSVBVM60 ref: 004ADE1F
__vbaFreeStr.MSVBVM60(?), ref: 004ADE31
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004ADE4D
__vbaStrCopy.MSVBVM60 ref: 004ADE6A
__vbaStrMove.MSVBVM60(?), ref: 004ADE7E
__vbaStrCopy.MSVBVM60 ref: 004ADE8F
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004ADE9F
__vbaStrCmp.MSVBVM60(00473D9C,?,?,?,00411816), ref: 004ADEBE
__vbaStrCopy.MSVBVM60(?,?,00411816), ref: 004ADED7
__vbaStrMove.MSVBVM60(?,?,?,00411816), ref: 004ADEEB
__vbaStrCopy.MSVBVM60(?,?,00411816), ref: 004ADEFC
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,00411816), ref: 004ADF0C
__vbaStrCmp.MSVBVM60(00473D9C,?,?,?,00411816), ref: 004ADF2B
__vbaStrCmp.MSVBVM60(00473D9C,?,?,?,00411816), ref: 004ADF45
__vbaStrMove.MSVBVM60(?,?,00411816), ref: 004ADF6B
__vbaStrCopy.MSVBVM60(?,?,00411816), ref: 004ADF79
__vbaStrCopy.MSVBVM60(?,?,00411816), ref: 004ADF87
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,00411816), ref: 004ADFAA
__vbaStrCopy.MSVBVM60(?,?,00411816), ref: 004ADFBB
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,?,00411816), ref: 004ADFD3
__vbaStrCmp.MSVBVM60(00473D9C,?,?,?,00411816), ref: 004ADFF2
__vbaStrCopy.MSVBVM60(?,?,00411816), ref: 004AE011
#518.MSVBVM60(?,00004008), ref: 004AE045
__vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 004AE08C
__vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 004AE09A
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004AE0B7
__vbaStrCmp.MSVBVM60(true,?), ref: 004AE106
__vbaStrCopy.MSVBVM60 ref: 004AE11F
__vbaFreeStr.MSVBVM60(?), ref: 004AE131
__vbaStrCmp.MSVBVM60(true,?), ref: 004AE14A
__vbaStrCopy.MSVBVM60 ref: 004AE16A
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004AE18E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00474890,0000005C), ref: 004AE1D4
__vbaFreeObj.MSVBVM60 ref: 004AE1F2
__vbaFreeVar.MSVBVM60 ref: 004AE21B
__vbaSetSystemError.MSVBVM60(000000C8), ref: 004AE2A6

Part of subcall function 004CC360: __vbaChkstk.MSVBVM60(?,00411816,?,?,?,?,?,00411816), ref: 004CC37E
Part of subcall function 004CC360: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 004CC3AE
Part of subcall function 004CC360: __vbaStrToAnsi.MSVBVM60(00000000,screen-saver,00000000,00000000,00000040), ref: 004CC3D7
Part of subcall function 004CC360: __vbaSetSystemError.MSVBVM60(00000000), ref: 004CC3E6
Part of subcall function 004CC360: __vbaFreeStr.MSVBVM60 ref: 004CC3F5
Part of subcall function 004CC360: __vbaSetSystemError.MSVBVM60(00000000), ref: 004CC428
Part of subcall function 004CC360: #685.MSVBVM60 ref: 004CC55A
Part of subcall function 004CC360: __vbaObjSet.MSVBVM60(?,00000000), ref: 004CC565
Part of subcall function 004CC360: __vbaFreeObj.MSVBVM60 ref: 004CC57D

#520.MSVBVM60(?,00004008), ref: 004AE32C
__vbaVarCmpEq.MSVBVM60(?,00008008,?,0000000B), ref: 004AE362
__vbaVarAnd.MSVBVM60(?,00000000), ref: 004AE370
__vbaBoolVarNull.MSVBVM60(00000000), ref: 004AE377
__vbaFreeVarList.MSVBVM60(00000002,?,0000000B), ref: 004AE394
__vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,?,?,00411816), ref: 004AE3BF
__vbaStrMove.MSVBVM60(?,?,?,?,?,00411816), ref: 004AE3F7
__vbaStrCopy.MSVBVM60(?,?,?,?,?,00411816), ref: 004AE405
__vbaStrCopy.MSVBVM60(?,?,?,?,?,00411816), ref: 004AE413
#520.MSVBVM60(?,00000008), ref: 004AE44F
__vbaStrVarMove.MSVBVM60(?), ref: 004AE45C
__vbaStrMove.MSVBVM60 ref: 004AE467
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004AE47B
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004AE494
__vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004AE4AD
__vbaStrCopy.MSVBVM60 ref: 004AE4FA
__vbaStrMove.MSVBVM60 ref: 004AE511
__vbaStrCopy.MSVBVM60 ref: 004AE51F
__vbaStrCopy.MSVBVM60 ref: 004AE52D
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?), ref: 004AE559
__vbaStrMove.MSVBVM60 ref: 004AE573
__vbaStrCopy.MSVBVM60 ref: 004AE581
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?), ref: 004AE5A5
__vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004AE5C1
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004AE5E0
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004AE5EE
__vbaStrMove.MSVBVM60(?,?,?,?), ref: 004AE61F
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004AE62D
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 004AE645
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004AE661
__vbaStrCopy.MSVBVM60 ref: 004AE67E
__vbaAryMove.MSVBVM60(?,?), ref: 004AE6D6
__vbaVarDup.MSVBVM60 ref: 004AE703
__vbaVarDup.MSVBVM60 ref: 004AE73C
#710.MSVBVM60(00006008,?), ref: 004AE763
__vbaStrMove.MSVBVM60 ref: 004AE76E
__vbaStrCat.MSVBVM60(004787B4,00000000), ref: 004AE77A
__vbaStrMove.MSVBVM60 ref: 004AE785
#710.MSVBVM60(00006008,?,00000000), ref: 004AE79A
__vbaStrMove.MSVBVM60 ref: 004AE7A5
__vbaStrCat.MSVBVM60(00000000), ref: 004AE7AC
__vbaStrMove.MSVBVM60 ref: 004AE7B7
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004AE7CB
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004AE7E4
#518.MSVBVM60(?,00004008), ref: 004AE815
#617.MSVBVM60(?,00004008,00000002), ref: 004AE841
#518.MSVBVM60(?,?), ref: 004AE855
__vbaInStrVar.MSVBVM60(?,00000000,?,?,00000001), ref: 004AE888
__vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 004AE896
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004AE8C1
#685.MSVBVM60 ref: 004AE8E0
__vbaObjSet.MSVBVM60(?,00000000), ref: 004AE8EE
__vbaFreeObj.MSVBVM60 ref: 004AE912
#617.MSVBVM60(?,00004008,00000001), ref: 004AE945
__vbaVarAdd.MSVBVM60(?,00000008,?,00000000), ref: 004AE976
#645.MSVBVM60(00000000), ref: 004AE97D
__vbaStrMove.MSVBVM60 ref: 004AE988
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004AE994
__vbaFreeStr.MSVBVM60 ref: 004AE9AC
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004AE9C2
#685.MSVBVM60 ref: 004AE9E1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004AE9EF
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004AEA3A
__vbaFreeObj.MSVBVM60 ref: 004AEA6D
#617.MSVBVM60(?,00004008,00000001), ref: 004AEAAF
__vbaVarAdd.MSVBVM60(?,00000008,?), ref: 004AEADE
__vbaStrVarMove.MSVBVM60(00000000), ref: 004AEAE5
__vbaStrMove.MSVBVM60 ref: 004AEAF0
__vbaStrCopy.MSVBVM60 ref: 004AEAFE
__vbaFreeStr.MSVBVM60 ref: 004AEB07
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004AEB1D
__vbaStrCopy.MSVBVM60 ref: 004AEB3A
__vbaStrCopy.MSVBVM60 ref: 004AEB54
__vbaStrCopy.MSVBVM60 ref: 004AEB6E
__vbaStrCopy.MSVBVM60 ref: 004AEB83
__vbaFreeStr.MSVBVM60(?), ref: 004AEB95
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004AEEF4
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004AEF0D
#518.MSVBVM60(?,00004008), ref: 004AEF3E
#617.MSVBVM60(?,00004008,00000002), ref: 004AEF6A
#518.MSVBVM60(?,?), ref: 004AEF7E
__vbaInStrVar.MSVBVM60(?,00000000,?,?,00000001), ref: 004AEFB1
__vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 004AEFBF
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004AEFEA
#685.MSVBVM60 ref: 004AF009
__vbaObjSet.MSVBVM60(?,00000000), ref: 004AF017
__vbaFreeObj.MSVBVM60 ref: 004AF03B
#617.MSVBVM60(?,00004008,00000001), ref: 004AF06E
__vbaVarAdd.MSVBVM60(?,00000008,?,00000000), ref: 004AF09F
#645.MSVBVM60(00000000), ref: 004AF0A6
__vbaStrMove.MSVBVM60 ref: 004AF0B1
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004AF0BD
__vbaFreeStr.MSVBVM60 ref: 004AF0D5
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004AF0EB
#685.MSVBVM60 ref: 004AF10A
__vbaObjSet.MSVBVM60(?,00000000), ref: 004AF118
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004AF163
__vbaFreeObj.MSVBVM60 ref: 004AF196
#617.MSVBVM60(?,00004008,00000001), ref: 004AF1D8
__vbaVarAdd.MSVBVM60(?,00000008,?), ref: 004AF207
__vbaStrVarMove.MSVBVM60(00000000), ref: 004AF20E
__vbaStrMove.MSVBVM60 ref: 004AF219
__vbaStrCopy.MSVBVM60 ref: 004AF227
__vbaFreeStr.MSVBVM60 ref: 004AF230
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004AF246
__vbaStrCopy.MSVBVM60 ref: 004AF263
__vbaStrCopy.MSVBVM60 ref: 004AF27D
__vbaStrCopy.MSVBVM60 ref: 004AF297
__vbaStrCopy.MSVBVM60 ref: 004AF2AC
__vbaFreeStr.MSVBVM60(?), ref: 004AF2BE
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004AF2D7
__vbaAryMove.MSVBVM60(?,?), ref: 004AF314
__vbaAryMove.MSVBVM60(?,?), ref: 004AE6B3

Part of subcall function 004CDEB0: __vbaChkstk.MSVBVM60(00000000,00411816), ref: 004CDECE
Part of subcall function 004CDEB0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816), ref: 004CDEFE
Part of subcall function 004CDEB0: __vbaAryMove.MSVBVM60(?,?,?,?,?,00000000,00411816), ref: 004CDF1B
Part of subcall function 004CDEB0: __vbaAryCopy.MSVBVM60(?,?,?,00000003,?,?,?,00000000,00411816), ref: 004CDF42
Part of subcall function 004CDEB0: #685.MSVBVM60(?,?,?,00000000,00411816), ref: 004CDF4F
Part of subcall function 004CDEB0: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00411816), ref: 004CDF5A
Part of subcall function 004CDEB0: __vbaFreeObj.MSVBVM60(?,?,?,00000000,00411816), ref: 004CDF72
Part of subcall function 004CDEB0: __vbaAryDestruct.MSVBVM60(00000000,?,004CDFB8,?,?,?,00000000,00411816), ref: 004CDFA5
Part of subcall function 004CDEB0: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,00411816), ref: 004CDFB1

__vbaFreeStr.MSVBVM60(?), ref: 004AE690

Part of subcall function 004CDFD0: __vbaChkstk.MSVBVM60(?,00411816), ref: 004CDFEE
Part of subcall function 004CDFD0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 004CE01E
Part of subcall function 004CDFD0: __vbaAryMove.MSVBVM60(?,?,?,?,?,?,00411816), ref: 004CE03B
Part of subcall function 004CDFD0: __vbaAryCopy.MSVBVM60(?,?,?,00000002,?,?,?,?,00411816), ref: 004CE062
Part of subcall function 004CDFD0: #685.MSVBVM60(?,?,?,?,00411816), ref: 004CE06F
Part of subcall function 004CDFD0: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00411816), ref: 004CE07A
Part of subcall function 004CDFD0: __vbaFreeObj.MSVBVM60(?,?,?,?,00411816), ref: 004CE092
Part of subcall function 004CDFD0: __vbaAryDestruct.MSVBVM60(00000000,?,004CE0D8,?,?,?,?,00411816), ref: 004CE0C5
Part of subcall function 004CDFD0: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,00411816), ref: 004CE0D1

__vbaStrMove.MSVBVM60(0000FFFF,?,?,?), ref: 004AED48
__vbaStrCopy.MSVBVM60 ref: 004AED56
__vbaFreeStrList.MSVBVM60(00000004,0000FFFF,?,?,?), ref: 004AED6E
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004AED8A
__vbaStrCopy.MSVBVM60 ref: 004AEDA7
__vbaFreeStr.MSVBVM60(?), ref: 004AEDB9
__vbaAryMove.MSVBVM60(?,?), ref: 004AEDDC
__vbaAryMove.MSVBVM60(?,?), ref: 004AEDFF
__vbaVarDup.MSVBVM60 ref: 004AEE2C
__vbaVarDup.MSVBVM60 ref: 004AEE65
#710.MSVBVM60(00006008,?), ref: 004AEE8C
__vbaStrMove.MSVBVM60 ref: 004AEE97
__vbaStrCat.MSVBVM60(004787B4,00000000), ref: 004AEEA3
__vbaStrMove.MSVBVM60 ref: 004AEEAE
#710.MSVBVM60(00006008,?,00000000), ref: 004AEEC3
__vbaStrMove.MSVBVM60 ref: 004AEECE
__vbaStrCat.MSVBVM60(00000000), ref: 004AEED5
__vbaStrMove.MSVBVM60 ref: 004AEEE0
__vbaAryMove.MSVBVM60(?,?), ref: 004AF337
__vbaVarDup.MSVBVM60 ref: 004AF364
__vbaVarDup.MSVBVM60 ref: 004AF39D
#710.MSVBVM60(00006008,?), ref: 004AF3C4
__vbaStrMove.MSVBVM60 ref: 004AF3CF
__vbaStrCat.MSVBVM60(004787B4,00000000), ref: 004AF3DB
__vbaStrMove.MSVBVM60 ref: 004AF3E6
#710.MSVBVM60(00006008,?,00000000), ref: 004AF3FB
__vbaStrMove.MSVBVM60 ref: 004AF406
__vbaStrCat.MSVBVM60(00000000), ref: 004AF40D
__vbaStrMove.MSVBVM60 ref: 004AF418
__vbaFreeStrList.MSVBVM60(00000003,0000FFFF,?,?), ref: 004AF42C
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004AF445
#518.MSVBVM60(?,00004008), ref: 004AF476
#617.MSVBVM60(?,00004008,00000002), ref: 004AF4A2
#518.MSVBVM60(?,?), ref: 004AF4B6
__vbaInStrVar.MSVBVM60(?,00000000,?,?,00000001), ref: 004AF4E9
__vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 004AF4F7
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004AF522
#685.MSVBVM60 ref: 004AF541
__vbaObjSet.MSVBVM60(?,00000000), ref: 004AF54F
__vbaFreeObj.MSVBVM60 ref: 004AF573
#645.MSVBVM60(00004008,00000000), ref: 004AF59F
__vbaStrMove.MSVBVM60 ref: 004AF5AA
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004AF5B6
__vbaFreeStr.MSVBVM60 ref: 004AF5CE
#685.MSVBVM60 ref: 004AF5EA
__vbaObjSet.MSVBVM60(?,00000000), ref: 004AF5F8
__vbaStrMove.MSVBVM60 ref: 004AF69D
__vbaStrCopy.MSVBVM60 ref: 004AF6AB
__vbaStrCopy.MSVBVM60 ref: 004AF6B9
__vbaStrMove.MSVBVM60 ref: 004AF6FF
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?), ref: 004AF731
__vbaStrCopy.MSVBVM60 ref: 004AF74C
__vbaStrCopy.MSVBVM60 ref: 004AF781
__vbaStrCopy.MSVBVM60 ref: 004AF796
__vbaFreeStr.MSVBVM60(?), ref: 004AF7A8
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 004AFBEE
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004AFC0A
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004AFC41
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004AFC4F
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004AFC5D
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004AFC6B
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,?,?,?), ref: 004AFC98
__vbaAryMove.MSVBVM60(?,?), ref: 004AFE1A
#685.MSVBVM60 ref: 004AFE27
__vbaObjSet.MSVBVM60(?,00000000), ref: 004AFE35
__vbaFreeObj.MSVBVM60 ref: 004AFE59
__vbaGenerateBoundsError.MSVBVM60 ref: 004AFE9D
__vbaGenerateBoundsError.MSVBVM60 ref: 004AFEBA
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004AFEDB
#685.MSVBVM60 ref: 004AFEF0
__vbaObjSet.MSVBVM60(?,00000000), ref: 004AFEFE
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004AFF49
__vbaFreeObj.MSVBVM60 ref: 004AFF7C
__vbaUbound.MSVBVM60(00000001,00000000), ref: 004AFF9E
__vbaVarDup.MSVBVM60 ref: 004AFFE4
#710.MSVBVM60(00006008,?), ref: 004B000B
__vbaStrMove.MSVBVM60 ref: 004B0016
__vbaFreeVar.MSVBVM60 ref: 004B0022
#619.MSVBVM60(?,00004008,00000001), ref: 004B0052
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 004B007A
__vbaFreeVar.MSVBVM60 ref: 004B008D
__vbaLenBstr.MSVBVM60(?), ref: 004B00BC
#617.MSVBVM60(?,00004008,-00000001), ref: 004B00DA
__vbaStrVarMove.MSVBVM60(?), ref: 004B00E7
__vbaStrMove.MSVBVM60 ref: 004B00F2
__vbaFreeVar.MSVBVM60 ref: 004B00FE
#617.MSVBVM60(?,00004008,00000001), ref: 004B012E
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 004B0156
__vbaFreeVar.MSVBVM60 ref: 004B0169
__vbaLenBstr.MSVBVM60(?), ref: 004B0198
#619.MSVBVM60(?,00004008,-00000001), ref: 004B01B6
__vbaStrVarMove.MSVBVM60(?), ref: 004B01C3
__vbaStrMove.MSVBVM60 ref: 004B01CE
__vbaFreeVar.MSVBVM60 ref: 004B01DA
__vbaLenBstr.MSVBVM60(?), ref: 004B01EB
__vbaStrCmp.MSVBVM60(true,?), ref: 004B0208
__vbaUbound.MSVBVM60(00000001,00000000), ref: 004B022A
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004AFC2A

Part of subcall function 0051C3A0: __vbaStrCopy.MSVBVM60 ref: 0051C666
Part of subcall function 0051C3A0: __vbaStrCopy.MSVBVM60 ref: 0051C67D
Part of subcall function 0051C3A0: __vbaStrCopy.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051C694
Part of subcall function 0051C3A0: #685.MSVBVM60 ref: 0051C798
Part of subcall function 0051C3A0: __vbaObjSet.MSVBVM60(?,00000000), ref: 0051C7A3
Part of subcall function 0051C3A0: __vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 0051C7EE
Part of subcall function 0051C3A0: __vbaFreeObj.MSVBVM60 ref: 0051C81E
Part of subcall function 0051C3A0: #685.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051C87B
Part of subcall function 0051C3A0: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000,00411816), ref: 0051C886
Part of subcall function 0051C3A0: __vbaFreeObj.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051C8A7
Part of subcall function 0051C3A0: __vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,?,00000000,00411816), ref: 0051C8BD
Part of subcall function 0051C3A0: __vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,?,00000000,00411816), ref: 0051C8DB
Part of subcall function 0051C3A0: #520.MSVBVM60(?,00004008), ref: 0051C90E
Part of subcall function 0051C3A0: #518.MSVBVM60(?,?), ref: 0051C91C

__vbaStrMove.MSVBVM60 ref: 004AFCDD
__vbaStrCopy.MSVBVM60 ref: 004AFCEB
__vbaStrCopy.MSVBVM60 ref: 004AFCF9
__vbaStrMove.MSVBVM60(?,0000FFFF,?,?), ref: 004AFD1C
__vbaStrCmp.MSVBVM60(004740D4,00000000), ref: 004AFD28
__vbaFreeStrList.MSVBVM60(00000004,0000FFFF,?,?,?), ref: 004AFD4F
__vbaStrMove.MSVBVM60 ref: 004AFD78
__vbaStrCopy.MSVBVM60 ref: 004AFD86
__vbaStrCopy.MSVBVM60 ref: 004AFD94
__vbaStrMove.MSVBVM60(?,?,?,?), ref: 004AFDB7
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004AFDCB
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004AFDE4
__vbaStrCopy.MSVBVM60 ref: 004AF70D

Part of subcall function 00508110: __vbaChkstk.MSVBVM60(?,00411816,?,?,0049F441,?,?,?), ref: 0050812E
Part of subcall function 00508110: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 0050815E
Part of subcall function 00508110: __vbaStrCat.MSVBVM60(.lock,?,?,?,?,?,00411816), ref: 00508176
Part of subcall function 00508110: __vbaStrMove.MSVBVM60(?,?,?,?,?,00411816), ref: 00508181
Part of subcall function 00508110: __vbaStrCmp.MSVBVM60(true,007C07AC,00000000,?,?,?,?,?,00411816), ref: 005081AC
Part of subcall function 00508110: __vbaStrCmp.MSVBVM60(true,007C07AC), ref: 00508212
Part of subcall function 00508110: __vbaSetSystemError.MSVBVM60(00000064), ref: 0050822A
Part of subcall function 00508110: #598.MSVBVM60 ref: 00508237
Part of subcall function 00508110: __vbaStrCopy.MSVBVM60 ref: 00508266
Part of subcall function 00508110: #685.MSVBVM60 ref: 00508273
Part of subcall function 00508110: __vbaObjSet.MSVBVM60(?,00000000), ref: 0050827E
Part of subcall function 00508110: __vbaFreeObj.MSVBVM60 ref: 0050829F
Part of subcall function 00508110: #645.MSVBVM60(00004008,00000000), ref: 005082C5
Part of subcall function 00508110: __vbaStrMove.MSVBVM60 ref: 005082D0
Part of subcall function 00508110: __vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 005082DC

__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?), ref: 004AF6E5

Part of subcall function 0051C3A0: #685.MSVBVM60 ref: 0051C5BE
Part of subcall function 0051C3A0: __vbaObjSet.MSVBVM60(?,00000000), ref: 0051C5C9
Part of subcall function 0051C3A0: __vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 0051C614
Part of subcall function 0051C3A0: __vbaFreeObj.MSVBVM60 ref: 0051C644
Part of subcall function 0051C3A0: #685.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051C6A1
Part of subcall function 0051C3A0: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000,00411816), ref: 0051C6AC
Part of subcall function 0051C3A0: __vbaFreeObj.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051C6CD
Part of subcall function 0051C3A0: #685.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051C6DA
Part of subcall function 0051C3A0: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000,00411816), ref: 0051C6E5
Part of subcall function 0051C3A0: __vbaFreeObj.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051C706
Part of subcall function 0051C3A0: __vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,?,00000000,00411816), ref: 0051C71C
Part of subcall function 0051C3A0: #645.MSVBVM60(00004008,00000000), ref: 0051C74D
Part of subcall function 0051C3A0: __vbaStrMove.MSVBVM60 ref: 0051C758
Part of subcall function 0051C3A0: __vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 0051C764
Part of subcall function 0051C3A0: __vbaFreeStr.MSVBVM60 ref: 0051C77C

__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004AF643

Part of subcall function 0051C3A0: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 0051C43A
Part of subcall function 0051C3A0: #520.MSVBVM60(?,00000008), ref: 0051C45B
Part of subcall function 0051C3A0: __vbaStrVarMove.MSVBVM60(?), ref: 0051C465
Part of subcall function 0051C3A0: __vbaStrMove.MSVBVM60 ref: 0051C470
Part of subcall function 0051C3A0: __vbaFreeStr.MSVBVM60 ref: 0051C479
Part of subcall function 0051C3A0: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0051C489
Part of subcall function 0051C3A0: __vbaStrCopy.MSVBVM60(?,00000000,00411816), ref: 0051C4A1
Part of subcall function 0051C3A0: #520.MSVBVM60(?,00000008), ref: 0051C4C2
Part of subcall function 0051C3A0: __vbaStrVarMove.MSVBVM60(?), ref: 0051C4CC
Part of subcall function 0051C3A0: __vbaStrMove.MSVBVM60 ref: 0051C4D7
Part of subcall function 0051C3A0: __vbaFreeStr.MSVBVM60 ref: 0051C4E0
Part of subcall function 0051C3A0: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0051C4F0
Part of subcall function 0051C3A0: #685.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051C500
Part of subcall function 0051C3A0: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000,00411816), ref: 0051C50B
Part of subcall function 0051C3A0: __vbaFreeObj.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051C52C
Part of subcall function 0051C3A0: __vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,?,00000000,00411816), ref: 0051C542
Part of subcall function 0051C3A0: #645.MSVBVM60(00004008,00000000), ref: 0051C573
Part of subcall function 0051C3A0: __vbaStrMove.MSVBVM60 ref: 0051C57E
Part of subcall function 0051C3A0: __vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 0051C58A
Part of subcall function 0051C3A0: __vbaFreeStr.MSVBVM60 ref: 0051C5A2

__vbaFreeObj.MSVBVM60 ref: 004AF676
__vbaStrMove.MSVBVM60 ref: 004AF7C4
__vbaStrCopy.MSVBVM60 ref: 004AF7D2
__vbaStrCopy.MSVBVM60 ref: 004AF7E0
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?), ref: 004AF80C
__vbaStrMove.MSVBVM60 ref: 004AF826
__vbaStrCopy.MSVBVM60 ref: 004AF834
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?), ref: 004AF858
__vbaStrCopy.MSVBVM60 ref: 004AF873
__vbaStrCopy.MSVBVM60 ref: 004AF8A5
__vbaFreeStr.MSVBVM60(?), ref: 004AF8B7
__vbaStrCopy.MSVBVM60 ref: 004AF8CF
#685.MSVBVM60 ref: 004AF8DC
__vbaObjSet.MSVBVM60(?,00000000), ref: 004AF8EA
__vbaFreeObj.MSVBVM60 ref: 004AF90E
__vbaStrMove.MSVBVM60 ref: 004AF92A
__vbaStrCopy.MSVBVM60 ref: 004AF938
__vbaStrCopy.MSVBVM60 ref: 004AF946
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?), ref: 004AF972
__vbaStrMove.MSVBVM60 ref: 004AF98C
__vbaStrCopy.MSVBVM60 ref: 004AF99A
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?), ref: 004AF9BE
__vbaStrCopy.MSVBVM60 ref: 004AF9D9
__vbaStrCopy.MSVBVM60 ref: 004AFA0B
__vbaFreeStr.MSVBVM60(?), ref: 004AFA1D
__vbaStrCopy.MSVBVM60 ref: 004AFA35
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004AFA4E
__vbaStrCopy.MSVBVM60 ref: 004AFA7D
__vbaStrMove.MSVBVM60(0000FFFF), ref: 004AFA91
__vbaStrCopy.MSVBVM60 ref: 004AFA9F
__vbaFreeStrList.MSVBVM60(00000002,0000FFFF,?), ref: 004AFAAF
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004AFACB
__vbaStrCopy.MSVBVM60 ref: 004AFAE7
__vbaStrCopy.MSVBVM60 ref: 004AFAFC
__vbaStrCopy.MSVBVM60 ref: 004AFB0A
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?), ref: 004AFB27
__vbaStrCmp.MSVBVM60(004740DC,?), ref: 004AFB43
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00411816), ref: 004AFB63
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00411816), ref: 004AFB7A
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00411816), ref: 004AFB88
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00411816), ref: 004AFB96
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00411816), ref: 004AFBA4
__vbaStrMove.MSVBVM60(?,?,?,?), ref: 004AFBC4
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00411816), ref: 004AFBD2
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004AE5FC

Part of subcall function 00506210: __vbaChkstk.MSVBVM60(?,00411816,?,005309BD,?,?,?,?,?,00000000,?,00000000,00411816), ref: 0050622E
Part of subcall function 00506210: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00411816), ref: 0050625E
Part of subcall function 00506210: #619.MSVBVM60(?,00004008,00000001), ref: 0050628B
Part of subcall function 00506210: #608.MSVBVM60(?,00000022), ref: 00506297
Part of subcall function 00506210: #617.MSVBVM60(?,00004008,00000001), ref: 005062C0
Part of subcall function 00506210: #608.MSVBVM60(?,00000022), ref: 005062CF
Part of subcall function 00506210: __vbaVarCmpEq.MSVBVM60(?,?,?), ref: 005062E4
Part of subcall function 00506210: __vbaVarCmpEq.MSVBVM60(?,?,?,00000000), ref: 00506300
Part of subcall function 00506210: __vbaVarAnd.MSVBVM60(?,00000000), ref: 0050630E
Part of subcall function 00506210: __vbaBoolVarNull.MSVBVM60(00000000), ref: 00506315
Part of subcall function 00506210: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0050633A
Part of subcall function 00506210: __vbaStrCopy.MSVBVM60(?,00000000,?,?,00411816), ref: 0050635D
Part of subcall function 00506210: #619.MSVBVM60(?,00004008,00000001), ref: 005063D5

__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004AEBFA
__vbaStrCat.MSVBVM60(?,FCert: ), ref: 004AEC29
__vbaStrMove.MSVBVM60 ref: 004AEC34
__vbaFreeStr.MSVBVM60(0000FFFF), ref: 004AEC46
__vbaStrCopy.MSVBVM60 ref: 004AECAF
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004AECD8
__vbaStrMove.MSVBVM60 ref: 004AED09
__vbaStrCopy.MSVBVM60 ref: 004AED17
__vbaStrCopy.MSVBVM60 ref: 004AED25

Part of subcall function 0051C3A0: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,00530973,?,00000000,?,00000000,00411816), ref: 0051C3BE
Part of subcall function 0051C3A0: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00411816), ref: 0051C3EE
Part of subcall function 0051C3A0: __vbaStrCmp.MSVBVM60(00473D9C,00773364,?,00000000,?,00000000,00411816), ref: 0051C406
Part of subcall function 0051C3A0: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 0051C420
Part of subcall function 0051C3A0: #685.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CE34
Part of subcall function 0051C3A0: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000,00411816), ref: 0051CE3F
Part of subcall function 0051C3A0: __vbaFreeObj.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CE60
Part of subcall function 0051C3A0: __vbaFreeStr.MSVBVM60(0051CED1,?,?,?,?,00000000,00411816), ref: 0051CEB8
Part of subcall function 0051C3A0: __vbaFreeStr.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CEC1
Part of subcall function 0051C3A0: __vbaFreeStr.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CECA

__vbaFreeObj.MSVBVM60 ref: 004AD2E8

Part of subcall function 004D5390: __vbaChkstk.MSVBVM60(00000000,00411816,004B1C27), ref: 004D53AE
Part of subcall function 004D5390: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816,004B1C27), ref: 004D53DE
Part of subcall function 004D5390: __vbaStrCmp.MSVBVM60(00473D9C,0077EF34), ref: 004D5410
Part of subcall function 004D5390: __vbaStrCmp.MSVBVM60(null,0077EF34), ref: 004D542D
Part of subcall function 004D5390: __vbaStrCopy.MSVBVM60 ref: 004D5447
Part of subcall function 004D5390: #685.MSVBVM60 ref: 004D6690
Part of subcall function 004D5390: __vbaObjSet.MSVBVM60(?,00000000), ref: 004D669B
Part of subcall function 004D5390: __vbaFreeObj.MSVBVM60 ref: 004D66BC
Part of subcall function 004D5390: __vbaFreeStr.MSVBVM60(004D673B), ref: 004D6722
Part of subcall function 004D5390: __vbaFreeStr.MSVBVM60 ref: 004D672B
Part of subcall function 004D5390: __vbaFreeStr.MSVBVM60 ref: 004D6734

__vbaStrCopy.MSVBVM60 ref: 004B18D4
__vbaFreeStr.MSVBVM60(?), ref: 004B18E6
#685.MSVBVM60 ref: 004B18F3
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004B1901
__vbaFreeObj.MSVBVM60 ref: 004B1925
__vbaAryDestruct.MSVBVM60(00000000,?,004B1A7E), ref: 004B199C
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004B19AB
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004B19BA
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004B19C9
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004B19D8
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004B19E7
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004B19F6

Part of subcall function 00531FD0: __vbaChkstk.MSVBVM60(00000000,00411816,004CB93C,?,00000001,?,00000000,00411816), ref: 00531FEE
Part of subcall function 00531FD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000001,?,00000000,00411816,004CB93C), ref: 0053201E
Part of subcall function 00531FD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000001,?,00000000,00411816,004CB93C), ref: 0053202D
Part of subcall function 00531FD0: __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,00411816,004CB93C), ref: 0053203C
Part of subcall function 00531FD0: #520.MSVBVM60(?,00004008), ref: 0053206B
Part of subcall function 00531FD0: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 00532093
Part of subcall function 00531FD0: __vbaFreeVar.MSVBVM60 ref: 005320A6
Part of subcall function 00531FD0: __vbaStrCopy.MSVBVM60 ref: 005320CA
Part of subcall function 00531FD0: #520.MSVBVM60(?,00000008,?), ref: 005320F7
Part of subcall function 00531FD0: __vbaStrVarMove.MSVBVM60(?), ref: 00532104
Part of subcall function 00531FD0: __vbaStrMove.MSVBVM60 ref: 00532111
Part of subcall function 00531FD0: __vbaFreeStr.MSVBVM60 ref: 0053211A
Part of subcall function 00531FD0: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 00532130
Part of subcall function 00531FD0: #520.MSVBVM60(?,00004008), ref: 00532162
Part of subcall function 00531FD0: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0053218A
Part of subcall function 00531FD0: __vbaFreeVar.MSVBVM60 ref: 0053219D

Strings

RemoveAction: , xrefs: 004B3348
Doing Timer1, xrefs: 004ADE17
doing action 1, xrefs: 004B124E
timer is locked, xrefs: 004AE117
MonitorI2C, xrefs: 004ACB0F, 004ACBDE, 004AD21F
Cert is gone, xrefs: 004B12CC
Entering Action, xrefs: 004B1B0B
readers counted: , xrefs: 004AD9F5
SoftToken is gone, xrefs: 004AF78E, 004AF89D, 004AFA03
AloahaPKCS11.Connector, xrefs: 004B40A3
Reset, xrefs: 004B40D4
IDVal, xrefs: 004B1682, 004B171E, 004B31F2, 004B328E
Is System Process, xrefs: 004B132D
Aloaha Smart Login, xrefs: 004B337B
going to disable the timer, xrefs: 004ADA69
localnetwork, xrefs: 004B235D
Disable I2c_PKI Monitor, xrefs: 004AD876
true, xrefs: 004ACB20, 004ACB8E, 004ACBF4, 004ACC5A, 004AD235, 004AD3A4, 004AD4CC, 004AD5BE, 004AE101, 004AE145, 004AE15F, 004B0203, 004B0336, 004B0424, 004B07E8, 004B1000, 004B28CE, 004B38FF, 004B3CA5, 004B403A, 004B4054
UserNameAndDomain is empty, xrefs: 004B1EA6
Hash, xrefs: 004AE40B, 004AE525, 004AE579, 004B1590, 004B30B4, 004B36DB
WasLoggedOff = True, xrefs: 004B137B
false, xrefs: 004ACB0A, 004AD415
UDomName: , xrefs: 004AD0FA
null, xrefs: 004AE003
Settings, xrefs: 004B1690, 004B172C, 004B1787, 004B3200, 004B329C, 004B32F7
Action because Card Counter changed, xrefs: 004B1146
Action: is system process, xrefs: 004B3A9D
AllowI2c, xrefs: 004AD151
MonitorCertOnly, xrefs: 004AFB8E, 004AFC55
LastCardCount: , xrefs: 004B1188
HKLM\Software\Aloaha\GINA\MonitorCertOnly, xrefs: 004AFA75, 004AFB02
.dll, xrefs: 004AE04B, 004B3FB1
CloseToken, xrefs: 004B42DE
HKLM\Software\Aloaha\CSP\PKCS11Lib, xrefs: 004ADE62
Stopping Timer1, xrefs: 004ADDEB
StickLogon, xrefs: 004AE5F4, 004AED1D, 004AF6B1, 004AF705, 004AF7D8, 004AF82C, 004AF93E, 004AF992, 004B314C
LightTimer: , xrefs: 004B3990, 004B3D36
Action: Screen is locked already, xrefs: 004B3B06
FCert: , xrefs: 004AEC1D
network, xrefs: 004B22D7
PolicyAction, xrefs: 004B26F0, 004B2B07
system, xrefs: 004B21CB
HKCU\Software\Aloaha\csp\RemoveAction, xrefs: 004B1407, 004B2FA0, 004B35C7
UserLoggedOnViaI2c = true, xrefs: 004AD639
HKLM\Software\Aloaha\csp\RemoveAction, xrefs: 004B2C1E, 004B2CEB, 004B2DE8, 004B2EBD
PKLib, xrefs: 004ADF7F
PKCS11Path, xrefs: 004B4123
AutoLock, xrefs: 004B15DC, 004B252B, 004B262F, 004B26FE, 004B2B15, 004B2BB8, 004B2D4C, 004B2E49, 004B2F46, 004B3100, 004B3727
doing action 2, xrefs: 004B128D
HKCU\Software\Aloaha\CSP\PKCS11Lib, xrefs: 004ADECF
going to enable I2c_PKI_Monitor, xrefs: 004ADBCA
UserNameAndDomain: , xrefs: 004B1DBC
LastReaderCount: , xrefs: 004B11DA
RemoveAction, xrefs: 004AFCF1, 004B143C, 004B1544, 004B245A, 004B2FD5, 004B3068, 004B35FC, 004B368F
RemoveActionM, xrefs: 004B2621, 004B2BAA, 004B2D3E, 004B2E3B, 004B2F38
localsystem, xrefs: 004B2251
Aloaha Smartlogin, xrefs: 004B3394
CardLogon, xrefs: 004ACB78
:\SmartToken.ini, xrefs: 004AE94B, 004AEAB5, 004AF074, 004AF1DE
Leaving the timer, xrefs: 004B18CC
PKCSLock, xrefs: 004AFD8C, 004B1628, 004B3198, 004B3773
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\scremoveoption, xrefs: 004B2A57
Action because no Card found, xrefs: 004B10E7
MonitorI2C_, xrefs: 004AD372
Done trying USB Softtoken/Sticklogon, xrefs: 004AF2A4
I2c_PKI_Monitor already enabled, xrefs: 004ADC7B
Trying USB Softtoken/Sticklogon, xrefs: 004AED9F
~, xrefs: 004B3341
Using USB Softtoken/Sticklogon, xrefs: 004AE676
found a reader, xrefs: 004B0B70
MonitorKerberos, xrefs: 004ACB25, 004ACC44, 004AD4B6
Entering the Timer, xrefs: 004ACB3B
Enable I2c_PKI Monitor, xrefs: 004AD685
going to count readers, xrefs: 004AD973
I2c_PKI Monitor was already disabled, xrefs: 004AD927
HKLM\SOFTWARE\Aloaha\CSP\NoRemoveAction, xrefs: 004B2840
Considering I2C or Kerberos, xrefs: 004ACCBC
Generic, xrefs: 004AD15F, 004AFB9C, 004AFC63
Software\Aloaha\csp, xrefs: 004B1462, 004B2FF8, 004B361F
MonitorCertOnly <> 1 And PKMode = False, xrefs: 004B0775
Card went missing. Will do Action: , xrefs: 004B3399
Done USB Softtoken/Sticklogon, xrefs: 004AEB7B
AllowI2c = true, xrefs: 004AD47C
tokenList, xrefs: 004B413B
MonitorPKI_, xrefs: 004AD41A, 004AD58C

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Copy$Move$List$#685$CheckHresult$Error$#520$Chkstk$Destruct$#617$#518$#710$#645$#619System$Bstr$#608#711BoolBoundsConstructFixstrGenerateIndexLoadNullUbound$#598Ansi
String ID: .dll$:\SmartToken.ini$Action because Card Counter changed$Action because no Card found$Action: Screen is locked already$Action: is system process$AllowI2c$AllowI2c = true$Aloaha Smart Login$Aloaha Smartlogin$AloahaPKCS11.Connector$AutoLock$Card went missing. Will do Action: $CardLogon$Cert is gone$CloseToken$Considering I2C or Kerberos$Disable I2c_PKI Monitor$Doing Timer1$Done USB Softtoken/Sticklogon$Done trying USB Softtoken/Sticklogon$Enable I2c_PKI Monitor$Entering Action$Entering the Timer$FCert: $Generic$HKCU\Software\Aloaha\CSP\PKCS11Lib$HKCU\Software\Aloaha\csp\RemoveAction$HKLM\SOFTWARE\Aloaha\CSP\NoRemoveAction$HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\scremoveoption$HKLM\Software\Aloaha\CSP\PKCS11Lib$HKLM\Software\Aloaha\GINA\MonitorCertOnly$HKLM\Software\Aloaha\csp\RemoveAction$Hash$I2c_PKI Monitor was already disabled$I2c_PKI_Monitor already enabled$IDVal$Is System Process$LastCardCount: $LastReaderCount: $Leaving the timer$LightTimer: $MonitorCertOnly$MonitorCertOnly <> 1 And PKMode = False$MonitorI2C$MonitorI2C_$MonitorKerberos$MonitorPKI_$PKCS11Path$PKCSLock$PKLib$PolicyAction$RemoveAction$RemoveAction: $RemoveActionM$Reset$Settings$SoftToken is gone$Software\Aloaha\csp$StickLogon$Stopping Timer1$Trying USB Softtoken/Sticklogon$UDomName: $UserLoggedOnViaI2c = true$UserNameAndDomain is empty$UserNameAndDomain: $Using USB Softtoken/Sticklogon$WasLoggedOff = True$doing action 1$doing action 2$false$found a reader$going to count readers$going to disable the timer$going to enable I2c_PKI_Monitor$localnetwork$localsystem$network$null$readers counted: $system$timer is locked$tokenList$true$~
API String ID: 126214151-1364562389
Opcode ID: 9181668cd58c5a572318712952539cf6c71b8bd9b66fb1e705a2819cd31e2125
Instruction ID: 4ee7b796960acc7e304f822095a0738ff651d840935a446d35c40f36c76a3f86
Opcode Fuzzy Hash: 9181668cd58c5a572318712952539cf6c71b8bd9b66fb1e705a2819cd31e2125
Instruction Fuzzy Hash: 27F32A75900218EFDB14DFA0DD48BEEBBB4FF48305F1081A9E50AA72A1DB749A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004B4E60 Relevance: 1695.3, APIs: 918, Strings: 47, Instructions: 6540COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00411816), ref: 004B4E7E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 004B4EB7
__vbaStrCopy.MSVBVM60 ref: 004B4EE9
__vbaFreeStr.MSVBVM60(?), ref: 004B4F01
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004B4F1D
__vbaStrMove.MSVBVM60 ref: 004B4F3F
__vbaStrCopy.MSVBVM60 ref: 004B4F50
__vbaFreeStr.MSVBVM60 ref: 004B4F5C
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004B4F78
__vbaInStr.MSVBVM60(00000000,004775E8,?,00000001), ref: 004B4FA0
__vbaStrMove.MSVBVM60 ref: 004B4FC2
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004B4FCE
__vbaFreeStr.MSVBVM60 ref: 004B4FE9
__vbaStrMove.MSVBVM60 ref: 004B5012
__vbaStrCat.MSVBVM60(004775E8,00000000), ref: 004B501E
__vbaVarDup.MSVBVM60 ref: 004B5068
#711.MSVBVM60(?,?,?,000000FF,00000000), ref: 004B508A
__vbaChkstk.MSVBVM60(00000008), ref: 004B509C
__vbaVarIndexLoad.MSVBVM60(?,?,00000001,00000008), ref: 004B50D6
__vbaVarAdd.MSVBVM60(?,00000000,?,?,?,?,?,?,00411816), ref: 004B50E7
__vbaStrVarMove.MSVBVM60(00000000,?,?,?,?,?,?,00411816), ref: 004B50EE
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,00411816), ref: 004B50FC
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,00411816), ref: 004B510D
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,00411816), ref: 004B5123
__vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004B5151
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004B516D
__vbaInStr.MSVBVM60(00000000,004775E8,?,00000001), ref: 004B5195
__vbaVarDup.MSVBVM60 ref: 004B51DE
#711.MSVBVM60(?,?,?,000000FF,00000000), ref: 004B5200
__vbaChkstk.MSVBVM60 ref: 004B520B
__vbaVarIndexLoad.MSVBVM60(?,?,00000001), ref: 004B5245
__vbaStrVarMove.MSVBVM60(00000000,?,?,?,?,?,?,00411816), ref: 004B524F
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,00411816), ref: 004B525D
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,00411816), ref: 004B526B
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,00411816), ref: 004B5277
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,00411816), ref: 004B5294
__vbaStrCopy.MSVBVM60 ref: 004B52B5
__vbaInStr.MSVBVM60(00000000,00477B8C,?,00000001), ref: 004B52D5
__vbaStrCopy.MSVBVM60 ref: 004B52F4
#520.MSVBVM60(?,00004008), ref: 004B5328
#518.MSVBVM60(?,?), ref: 004B533C
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 004B5364
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004B5381
__vbaStrCopy.MSVBVM60(?,?,00411816), ref: 004B53AA
#520.MSVBVM60(?,00004008), ref: 004B53DE
#518.MSVBVM60(?,?), ref: 004B53F2
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 004B541A
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004B5437
__vbaStrCopy.MSVBVM60(?,?,?,?,?,00411816), ref: 004B5460

Part of subcall function 0052D4C0: __vbaChkstk.MSVBVM60(?,00411816,004B1BE8), ref: 0052D4DE
Part of subcall function 0052D4C0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816,004B1BE8), ref: 0052D50E
Part of subcall function 0052D4C0: __vbaStrCmp.MSVBVM60(00473D9C,00772F2C,?,?,?,?,00411816,004B1BE8), ref: 0052D526
Part of subcall function 0052D4C0: __vbaStrCmp.MSVBVM60(null,00772F2C,?,?,?,?,00411816,004B1BE8), ref: 0052D53F
Part of subcall function 0052D4C0: __vbaStrCopy.MSVBVM60(?,?,?,?,00411816,004B1BE8), ref: 0052D560
Part of subcall function 0052D4C0: #685.MSVBVM60(?,?,?,?,?,?,?,00411816,004B1BE8), ref: 0052D916
Part of subcall function 0052D4C0: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00411816,004B1BE8), ref: 0052D921
Part of subcall function 0052D4C0: __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00411816,004B1BE8), ref: 0052D942
Part of subcall function 0052D4C0: __vbaFreeStr.MSVBVM60(0052D9B8,?,?,?,?,?,?,?,00411816,004B1BE8), ref: 0052D99F
Part of subcall function 0052D4C0: __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,00411816,004B1BE8), ref: 0052D9A8
Part of subcall function 0052D4C0: __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,00411816,004B1BE8), ref: 0052D9B1

#520.MSVBVM60(?,00004008), ref: 004B5493
#518.MSVBVM60(?,?), ref: 004B54A7
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 004B54CF
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004B54EC
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00411816), ref: 004B5515
__vbaStrCmp.MSVBVM60(true,?,?,?,?,?,?,?,?,?,00411816), ref: 004B5531
#520.MSVBVM60(?,00004008), ref: 004B5576
#520.MSVBVM60(?,00004008), ref: 004B55B6
__vbaVarCmpNe.MSVBVM60(?,00008008,?,0000000B), ref: 004B560F
__vbaVarAnd.MSVBVM60(?,00000000), ref: 004B561D
__vbaVarCmpEq.MSVBVM60(?,00008008,?,00000000), ref: 004B5639
__vbaVarAnd.MSVBVM60(?,00000000), ref: 004B5647
__vbaVarAnd.MSVBVM60(?,0000000B,00000000), ref: 004B565C
__vbaBoolVarNull.MSVBVM60(00000000), ref: 004B5663
__vbaFreeVarList.MSVBVM60(00000004,?,0000000B,?,0000000B), ref: 004B568E
__vbaStrCmp.MSVBVM60(true,?), ref: 004B57F7

Part of subcall function 004D5390: __vbaChkstk.MSVBVM60(00000000,00411816,004B1C27), ref: 004D53AE
Part of subcall function 004D5390: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816,004B1C27), ref: 004D53DE
Part of subcall function 004D5390: __vbaStrCmp.MSVBVM60(00473D9C,0077EF34), ref: 004D5410
Part of subcall function 004D5390: __vbaStrCmp.MSVBVM60(null,0077EF34), ref: 004D542D
Part of subcall function 004D5390: __vbaStrCopy.MSVBVM60 ref: 004D5447
Part of subcall function 004D5390: #685.MSVBVM60 ref: 004D6690
Part of subcall function 004D5390: __vbaObjSet.MSVBVM60(?,00000000), ref: 004D669B
Part of subcall function 004D5390: __vbaFreeObj.MSVBVM60 ref: 004D66BC
Part of subcall function 004D5390: __vbaFreeStr.MSVBVM60(004D673B), ref: 004D6722
Part of subcall function 004D5390: __vbaFreeStr.MSVBVM60 ref: 004D672B
Part of subcall function 004D5390: __vbaFreeStr.MSVBVM60 ref: 004D6734

__vbaStrCat.MSVBVM60(?,Not doing Checkreader: ,?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004B56BD
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004B56CB
__vbaStrCat.MSVBVM60(00477FFC,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004B56D7
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004B56E5
__vbaStrCat.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004B56F6
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004B5704
__vbaStrCat.MSVBVM60(00477FFC,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004B5710
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004B571E
__vbaStrCat.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004B572F
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004B573D
__vbaStrCat.MSVBVM60(00477FFC,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004B5749
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004B5757
__vbaStrBool.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004B5769
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004B5777
__vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004B577E
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004B578C
__vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,?,?,?), ref: 004B57D8
#520.MSVBVM60(?,00004008), ref: 004B583D
#520.MSVBVM60(?,00004008), ref: 004B587E
__vbaVarCmpNe.MSVBVM60(?,00008008,?,0000000B), ref: 004B58D7
__vbaVarAnd.MSVBVM60(?,00000000), ref: 004B58E5
__vbaVarCmpEq.MSVBVM60(?,00008008,?,00000000), ref: 004B5901
__vbaVarAnd.MSVBVM60(?,00000000), ref: 004B590F
__vbaVarAnd.MSVBVM60(?,0000000B,00000000), ref: 004B5924
__vbaBoolVarNull.MSVBVM60(00000000), ref: 004B592B
__vbaFreeVarList.MSVBVM60(00000004,?,0000000B,?,0000000B), ref: 004B5956
__vbaStrCopy.MSVBVM60 ref: 004B5983

Part of subcall function 004CC360: __vbaChkstk.MSVBVM60(?,00411816,?,?,?,?,?,00411816), ref: 004CC37E
Part of subcall function 004CC360: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 004CC3AE
Part of subcall function 004CC360: __vbaStrToAnsi.MSVBVM60(00000000,screen-saver,00000000,00000000,00000040), ref: 004CC3D7
Part of subcall function 004CC360: __vbaSetSystemError.MSVBVM60(00000000), ref: 004CC3E6
Part of subcall function 004CC360: __vbaFreeStr.MSVBVM60 ref: 004CC3F5
Part of subcall function 004CC360: __vbaSetSystemError.MSVBVM60(00000000), ref: 004CC428
Part of subcall function 004CC360: #685.MSVBVM60 ref: 004CC55A
Part of subcall function 004CC360: __vbaObjSet.MSVBVM60(?,00000000), ref: 004CC565
Part of subcall function 004CC360: __vbaFreeObj.MSVBVM60 ref: 004CC57D

__vbaSetSystemError.MSVBVM60(000000C8), ref: 004B59ED

Part of subcall function 004CC360: __vbaStrToAnsi.MSVBVM60(00000000,Default,00000000,00000000,00000100), ref: 004CC452
Part of subcall function 004CC360: __vbaSetSystemError.MSVBVM60(00000000), ref: 004CC461
Part of subcall function 004CC360: __vbaFreeStr.MSVBVM60 ref: 004CC470

#518.MSVBVM60(?,00004008), ref: 004B5A6B
__vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001,0000000B), ref: 004B5AD7
__vbaVarCmpEq.MSVBVM60(?,00008002,00000000), ref: 004B5AEC
__vbaVarAnd.MSVBVM60(?,00000000), ref: 004B5AFA
__vbaVarAnd.MSVBVM60(?,0000000B,00000000), ref: 004B5B0F
__vbaBoolVarNull.MSVBVM60(00000000), ref: 004B5B16
__vbaFreeVarList.MSVBVM60(00000004,?,?,0000000B,0000000B), ref: 004B5B41
__vbaStrCopy.MSVBVM60 ref: 004B5B6A
__vbaStrCopy.MSVBVM60 ref: 004B5B82
__vbaFreeStr.MSVBVM60(?), ref: 004B5B9A
#518.MSVBVM60(?,00004008), ref: 004B5BFA
__vbaStrCmp.MSVBVM60(true,?), ref: 004B5C55
__vbaStrCmp.MSVBVM60(true,?), ref: 004B5C83
__vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001,0000000B), ref: 004B5CC1
__vbaVarCmpEq.MSVBVM60(?,00008002,00000000), ref: 004B5CD6
__vbaVarAnd.MSVBVM60(?,00000000), ref: 004B5CE4
__vbaVarAnd.MSVBVM60(?,0000000B,00000000), ref: 004B5CF9
__vbaVarAnd.MSVBVM60(?,0000000B,00000000), ref: 004B5D0E
__vbaVarOr.MSVBVM60(?,0000000B,00000000), ref: 004B5D23
__vbaBoolVarNull.MSVBVM60(00000000), ref: 004B5D2A
__vbaFreeVarList.MSVBVM60(00000006,?,?,0000000B,0000000B,0000000B,0000000B), ref: 004B5D63
__vbaStrBool.MSVBVM60(00000000,abort the timer: ), ref: 004B5D8E
__vbaStrMove.MSVBVM60 ref: 004B5D9C
__vbaStrCat.MSVBVM60(00000000), ref: 004B5DA3
__vbaStrMove.MSVBVM60 ref: 004B5DB1
__vbaStrCat.MSVBVM60(00477FFC,00000000), ref: 004B5DBD
__vbaStrMove.MSVBVM60 ref: 004B5DCB

Part of subcall function 0051D000: __vbaChkstk.MSVBVM60(?,00411816,?,?,?,?,00000000,00411816), ref: 0051D01E
Part of subcall function 0051D000: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 0051D04E
Part of subcall function 0051D000: __vbaStrCmp.MSVBVM60(true,0077F45C,?,?,?,?,00411816), ref: 0051D066
Part of subcall function 0051D000: #685.MSVBVM60 ref: 0051D326
Part of subcall function 0051D000: __vbaObjSet.MSVBVM60(00000000,00000000), ref: 0051D331
Part of subcall function 0051D000: __vbaFreeObj.MSVBVM60 ref: 0051D352
Part of subcall function 0051D000: __vbaFreeStr.MSVBVM60(0051D393), ref: 0051D383
Part of subcall function 0051D000: __vbaFreeStr.MSVBVM60 ref: 0051D38C

__vbaStrBool.MSVBVM60(00000000,00000000), ref: 004B5DD8
__vbaStrMove.MSVBVM60 ref: 004B5DE6
__vbaStrCat.MSVBVM60(00000000), ref: 004B5DED
__vbaStrMove.MSVBVM60 ref: 004B5DFB
__vbaStrCat.MSVBVM60(00477FFC,00000000), ref: 004B5E07
__vbaStrMove.MSVBVM60 ref: 004B5E15
__vbaStrCat.MSVBVM60(0075AC14,00000000), ref: 004B5E23
__vbaStrMove.MSVBVM60 ref: 004B5E31
__vbaStrCat.MSVBVM60(00477FFC,00000000), ref: 004B5E3D
__vbaStrMove.MSVBVM60 ref: 004B5E4B
__vbaStrBool.MSVBVM60(00000000,00000000), ref: 004B5E58
__vbaStrMove.MSVBVM60 ref: 004B5E66
__vbaStrCat.MSVBVM60(00000000), ref: 004B5E6D
__vbaStrMove.MSVBVM60 ref: 004B5E7B
__vbaStrCat.MSVBVM60(00477FFC,00000000), ref: 004B5E87
__vbaStrMove.MSVBVM60 ref: 004B5E95
__vbaStrCat.MSVBVM60(?,00000000), ref: 004B5EA6
__vbaStrMove.MSVBVM60 ref: 004B5EB4
__vbaStrCat.MSVBVM60(00477FFC,00000000), ref: 004B5EC0
__vbaStrMove.MSVBVM60 ref: 004B5ECE
__vbaStrCat.MSVBVM60(?,00000000), ref: 004B5EDF
__vbaStrMove.MSVBVM60 ref: 004B5EED
__vbaFreeStrList.MSVBVM60(0000000E,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004B5F63
#518.MSVBVM60(?,00004008), ref: 004B5FC6
__vbaStrCmp.MSVBVM60(true,?), ref: 004B6021
__vbaStrCmp.MSVBVM60(true,?), ref: 004B604F
__vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001,0000000B), ref: 004B608D
__vbaVarCmpEq.MSVBVM60(?,00008002,00000000), ref: 004B60A2
__vbaVarAnd.MSVBVM60(?,00000000), ref: 004B60B0
__vbaVarAnd.MSVBVM60(?,0000000B,00000000), ref: 004B60C5

Part of subcall function 004CC360: __vbaSetSystemError.MSVBVM60(00000000), ref: 004CC49B
Part of subcall function 004CC360: #685.MSVBVM60 ref: 004CC4AE
Part of subcall function 004CC360: __vbaObjSet.MSVBVM60(?,00000000), ref: 004CC4B9
Part of subcall function 004CC360: __vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000004C), ref: 004CC4EC
Part of subcall function 004CC360: __vbaFreeObj.MSVBVM60 ref: 004CC507
Part of subcall function 004CC360: __vbaSetSystemError.MSVBVM60(00000000), ref: 004CC547

__vbaVarAnd.MSVBVM60(?,0000000B,00000000), ref: 004B60DA
__vbaVarOr.MSVBVM60(?,0000000B,00000000), ref: 004B60EF
__vbaBoolVarNull.MSVBVM60(00000000), ref: 004B60F6
__vbaFreeVarList.MSVBVM60(00000006,?,?,0000000B,0000000B,0000000B,0000000B), ref: 004B612F
__vbaStrCopy.MSVBVM60 ref: 004B6159
__vbaFreeStr.MSVBVM60(?), ref: 004B6171
#520.MSVBVM60(?,00004008), ref: 004B61A5
#520.MSVBVM60(?,00004008), ref: 004B61D2
#617.MSVBVM60(?,?,00000001), ref: 004B61E8
#619.MSVBVM60(?,?,00000001), ref: 004B6212
__vbaVarCmpNe.MSVBVM60(?,00008008,?), ref: 004B6241
__vbaVarCmpNe.MSVBVM60(?,00008008,?,00000000), ref: 004B625D
__vbaVarAnd.MSVBVM60(?,00000000), ref: 004B626B
__vbaBoolVarNull.MSVBVM60(00000000), ref: 004B6272
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004B629D
__vbaStrMove.MSVBVM60 ref: 004B62C9
__vbaStrCopy.MSVBVM60 ref: 004B62DA
__vbaStrMove.MSVBVM60(?,?,?,?), ref: 004B631A
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004B6337

Part of subcall function 004D0AE0: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,00411816), ref: 004D0AFE
Part of subcall function 004D0AE0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 004D0B2B
Part of subcall function 004D0AE0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816), ref: 004D0B3A
Part of subcall function 004D0AE0: #520.MSVBVM60(?,00004008), ref: 004D0B68
Part of subcall function 004D0AE0: __vbaStrVarMove.MSVBVM60(?), ref: 004D0B72
Part of subcall function 004D0AE0: __vbaStrMove.MSVBVM60 ref: 004D0B7D
Part of subcall function 004D0AE0: __vbaFreeVar.MSVBVM60 ref: 004D0B86
Part of subcall function 004D0AE0: __vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D0B9C
Part of subcall function 004D0AE0: __vbaStrCopy.MSVBVM60 ref: 004D0BB5
Part of subcall function 004D0AE0: __vbaStrCat.MSVBVM60(?,get:,?), ref: 004D0BC8
Part of subcall function 004D0AE0: __vbaStrMove.MSVBVM60 ref: 004D0BD3
Part of subcall function 004D0AE0: __vbaStrMove.MSVBVM60(00000000), ref: 004D0BE4
Part of subcall function 004D0AE0: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004D0BF4
Part of subcall function 004D0AE0: #520.MSVBVM60(?,00004008), ref: 004D0C19
Part of subcall function 004D0AE0: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 004D0C35
Part of subcall function 004D0AE0: __vbaFreeVar.MSVBVM60 ref: 004D0C42
Part of subcall function 004D0AE0: __vbaStrCopy.MSVBVM60 ref: 004D0C5F

#520.MSVBVM60(?,00000008,LastUCN), ref: 004B6501
#518.MSVBVM60(?,?), ref: 004B6515
__vbaStrVarMove.MSVBVM60(?), ref: 004B6522
__vbaStrMove.MSVBVM60 ref: 004B6530
__vbaFreeVarList.MSVBVM60(00000003,00000008,?,?), ref: 004B654D

Part of subcall function 004D0AE0: __vbaStrCopy.MSVBVM60 ref: 004D0C72
Part of subcall function 004D0AE0: #685.MSVBVM60 ref: 004D0C7F
Part of subcall function 004D0AE0: __vbaObjSet.MSVBVM60(?,00000000), ref: 004D0C8A
Part of subcall function 004D0AE0: __vbaFreeObj.MSVBVM60 ref: 004D0CAB
Part of subcall function 004D0AE0: __vbaFreeStr.MSVBVM60(004D0D0E), ref: 004D0CFE
Part of subcall function 004D0AE0: __vbaFreeStr.MSVBVM60 ref: 004D0D07

#520.MSVBVM60(?,00000008,LastUCN), ref: 004B6585
#518.MSVBVM60(?,?), ref: 004B6599
__vbaStrVarMove.MSVBVM60(?), ref: 004B65A6
__vbaStrMove.MSVBVM60 ref: 004B65B1
__vbaFreeVarList.MSVBVM60(00000003,00000008,?,?), ref: 004B65CE
__vbaInStr.MSVBVM60(00000000,\\.\,?,00000001), ref: 004B65EB
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004B6608
__vbaStrCopy.MSVBVM60 ref: 004B6622
#520.MSVBVM60(00000008,00004008), ref: 004B6688
#518.MSVBVM60(?,00000008), ref: 004B669C
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 004B66C4
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004B66E1
#520.MSVBVM60(?,00000008,CardLogon), ref: 004B6728
#518.MSVBVM60(?,?), ref: 004B673C
__vbaStrVarMove.MSVBVM60(?), ref: 004B6749
__vbaStrMove.MSVBVM60 ref: 004B6757
__vbaStrCopy.MSVBVM60 ref: 004B6768
__vbaFreeStr.MSVBVM60 ref: 004B6774
__vbaFreeVarList.MSVBVM60(00000003,00000008,?,?), ref: 004B6791
#520.MSVBVM60(00000008,00004008), ref: 004B67C7
#518.MSVBVM60(?,00000008), ref: 004B67DB
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 004B6803
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004B6820
#520.MSVBVM60(?,00000008,CardLogon), ref: 004B6867
#518.MSVBVM60(?,?), ref: 004B687B
__vbaStrVarMove.MSVBVM60(?), ref: 004B6888
__vbaStrMove.MSVBVM60 ref: 004B6896
__vbaStrCopy.MSVBVM60 ref: 004B68A7
__vbaFreeStr.MSVBVM60 ref: 004B68B3
__vbaFreeVarList.MSVBVM60(00000003,00000008,?,?), ref: 004B68D0
#520.MSVBVM60(00000008,00004008), ref: 004B6906
#518.MSVBVM60(?,00000008), ref: 004B691A
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 004B6942
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004B695F
#520.MSVBVM60(?,00000008,CardLogon), ref: 004B69A6
#518.MSVBVM60(?,?), ref: 004B69BA
__vbaStrVarMove.MSVBVM60(?), ref: 004B69C7
__vbaStrMove.MSVBVM60 ref: 004B69D5
__vbaStrCopy.MSVBVM60 ref: 004B69E6
__vbaFreeStr.MSVBVM60 ref: 004B69F2
__vbaFreeVarList.MSVBVM60(00000003,00000008,?,?), ref: 004B6A0F
#520.MSVBVM60(00000008,00004008), ref: 004B6A78
#518.MSVBVM60(?,00000008), ref: 004B6A8C
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 004B6AB4
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004B6AD1
__vbaNew2.MSVBVM60(00477E14,0054ED28), ref: 004B6B03
__vbaHresultCheckObj.MSVBVM60(00000000,?,00477E04,00000014), ref: 004B6B6C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0047A994,00000058), ref: 004B6BCF
#518.MSVBVM60(?,00000008), ref: 004B6C21
__vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 004B6C68
__vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 004B6C76
__vbaFreeObj.MSVBVM60 ref: 004B6C89
__vbaFreeVarList.MSVBVM60(00000003,00000008,?,?), ref: 004B6CA6
__vbaStrCopy.MSVBVM60 ref: 004B6CCF
#520.MSVBVM60(00000008,00004008), ref: 004B6D19
#518.MSVBVM60(?,00000008), ref: 004B6D2D
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 004B6D55
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004B6D72
#518.MSVBVM60(?,00000008), ref: 004B6DB4
__vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 004B6DFB
__vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 004B6E09
__vbaFreeVarList.MSVBVM60(00000003,00000008,?,?), ref: 004B6E2D
__vbaStrCopy.MSVBVM60 ref: 004B6E56
#520.MSVBVM60(00000008,00004008), ref: 004B6EA0
#518.MSVBVM60(?,00000008), ref: 004B6EB4
__vbaStrCmp.MSVBVM60(true,?), ref: 004B6EDD
__vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 004B6F10
__vbaVarOr.MSVBVM60(?,0000000B,00000000), ref: 004B6F25
__vbaBoolVarNull.MSVBVM60(00000000), ref: 004B6F2C
__vbaFreeVarList.MSVBVM60(00000003,00000008,?,0000000B), ref: 004B6F50
__vbaStrCopy.MSVBVM60 ref: 004B6F7A
__vbaFreeStr.MSVBVM60(?), ref: 004B6F92
__vbaStrCopy.MSVBVM60 ref: 004B6FAD
__vbaAryRecMove.MSVBVM60(004741C8,?,?), ref: 004B6FD8
#520.MSVBVM60(00000008,00004008), ref: 004B700C
__vbaVarTstNe.MSVBVM60(00008008,00000008), ref: 004B7034
__vbaFreeVar.MSVBVM60 ref: 004B7047
__vbaStrCopy.MSVBVM60 ref: 004B706D
__vbaStrCopy.MSVBVM60 ref: 004B7085
#520.MSVBVM60(00000008,00004008), ref: 004B70B2
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000), ref: 004B70E9
__vbaFreeVar.MSVBVM60 ref: 004B70F8
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004B710E
#520.MSVBVM60(00000008,00004008), ref: 004B714A
__vbaVarAdd.MSVBVM60(?,00000008,00000008), ref: 004B7179
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 004B7187
__vbaStrMove.MSVBVM60(00000000), ref: 004B719B
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004B71A7
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004B71CB
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004B71E4
#520.MSVBVM60(00000008,00004008), ref: 004B722A
__vbaVarAdd.MSVBVM60(?,00000008,00000008,?), ref: 004B725D
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 004B726B
__vbaFreeStr.MSVBVM60(00000000), ref: 004B727D
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004B7293
#520.MSVBVM60(00000008,00004008), ref: 004B72DD
__vbaVarAdd.MSVBVM60(?,00000008,00000008), ref: 004B731F
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 004B7334
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 004B7349
__vbaStrVarMove.MSVBVM60(00000000), ref: 004B7350
__vbaStrMove.MSVBVM60 ref: 004B735E
__vbaFreeStr.MSVBVM60(?), ref: 004B7376
__vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 004B739A
__vbaStrCopy.MSVBVM60 ref: 004B73B4
__vbaGenerateBoundsError.MSVBVM60 ref: 004B7443
__vbaGenerateBoundsError.MSVBVM60 ref: 004B7460
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004B75A9
__vbaFreeObj.MSVBVM60 ref: 004B75DC
__vbaAryRecCopy.MSVBVM60(004741C8,?,00000000), ref: 004B760B
__vbaUbound.MSVBVM60(00000001,00000000), ref: 004B7621
__vbaLbound.MSVBVM60(00000001,00000000), ref: 004B7640
#685.MSVBVM60 ref: 004B7673
__vbaObjSet.MSVBVM60(?,00000000), ref: 004B7681
__vbaFreeObj.MSVBVM60 ref: 004B76A5
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004B7737
#685.MSVBVM60 ref: 004B774C
__vbaStrVarVal.MSVBVM60(?,00000008,?), ref: 004B70CD

Part of subcall function 004D1700: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,004BACFC,00000000), ref: 004D171E
Part of subcall function 004D1700: __vbaStrCopy.MSVBVM60(?,00000001,00000000,00000000,00411816), ref: 004D174B
Part of subcall function 004D1700: __vbaOnError.MSVBVM60(000000FF,?,00000001,00000000,00000000,00411816), ref: 004D175A
Part of subcall function 004D1700: __vbaStrMove.MSVBVM60 ref: 004D178B
Part of subcall function 004D1700: __vbaNew2.MSVBVM60(00477E14,0054ED28), ref: 004D17AB
Part of subcall function 004D1700: __vbaHresultCheckObj.MSVBVM60(00000000,?,00477E04,00000014), ref: 004D1811
Part of subcall function 004D1700: __vbaHresultCheckObj.MSVBVM60(00000000,?,0047A994,00000058), ref: 004D186E
Part of subcall function 004D1700: __vbaStrMove.MSVBVM60 ref: 004D189F
Part of subcall function 004D1700: __vbaFreeObj.MSVBVM60 ref: 004D18A8
Part of subcall function 004D1700: __vbaStrCmp.MSVBVM60(true,00000000), ref: 004D18C1

#685.MSVBVM60 ref: 004B73C1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004B73CF
__vbaFreeObj.MSVBVM60 ref: 004B73F3
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004B7484
#520.MSVBVM60(00000008,00004008), ref: 004B74C9
__vbaVarCmpNe.MSVBVM60(?,00008008,00000008,0000000B), ref: 004B74FF
__vbaVarAnd.MSVBVM60(?,00000000), ref: 004B750D
__vbaBoolVarNull.MSVBVM60(00000000), ref: 004B7514
__vbaFreeVarList.MSVBVM60(00000002,00000008,0000000B), ref: 004B7531
#685.MSVBVM60 ref: 004B7550
__vbaObjSet.MSVBVM60(?,00000000), ref: 004B755E
__vbaVarCmpNe.MSVBVM60(?,00008008,?,00000000), ref: 004BAF20
__vbaVarAnd.MSVBVM60(?,00000000), ref: 004BAF2E
__vbaBoolVarNull.MSVBVM60(00000000), ref: 004BAF35
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004BAF60
__vbaStrMove.MSVBVM60 ref: 004BAF8C
__vbaStrCopy.MSVBVM60 ref: 004BAF9D
__vbaStrCopy.MSVBVM60 ref: 004BAFAE
__vbaStrCopy.MSVBVM60 ref: 004B62EB

Part of subcall function 00506210: __vbaChkstk.MSVBVM60(?,00411816,?,005309BD,?,?,?,?,?,00000000,?,00000000,00411816), ref: 0050622E
Part of subcall function 00506210: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00411816), ref: 0050625E
Part of subcall function 00506210: #619.MSVBVM60(?,00004008,00000001), ref: 0050628B
Part of subcall function 00506210: #608.MSVBVM60(?,00000022), ref: 00506297
Part of subcall function 00506210: #617.MSVBVM60(?,00004008,00000001), ref: 005062C0
Part of subcall function 00506210: #608.MSVBVM60(?,00000022), ref: 005062CF
Part of subcall function 00506210: __vbaVarCmpEq.MSVBVM60(?,?,?), ref: 005062E4
Part of subcall function 00506210: __vbaVarCmpEq.MSVBVM60(?,?,?,00000000), ref: 00506300
Part of subcall function 00506210: __vbaVarAnd.MSVBVM60(?,00000000), ref: 0050630E
Part of subcall function 00506210: __vbaBoolVarNull.MSVBVM60(00000000), ref: 00506315
Part of subcall function 00506210: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0050633A
Part of subcall function 00506210: __vbaStrCopy.MSVBVM60(?,00000000,?,?,00411816), ref: 0050635D
Part of subcall function 00506210: #619.MSVBVM60(?,00004008,00000001), ref: 005063D5

__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004B6350
#518.MSVBVM60(?,00004008), ref: 004B6386
#518.MSVBVM60(?,00004008), ref: 004B63D8
__vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 004B640B
__vbaVarCmpGt.MSVBVM60(?,00008002,00000000), ref: 004B6420
__vbaVarCmpNe.MSVBVM60(?,00008008,?,00000000), ref: 004B643C
__vbaVarAnd.MSVBVM60(?,00000000), ref: 004B644A
__vbaBoolVarNull.MSVBVM60(00000000), ref: 004B6451
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 004B6475
__vbaStrCopy.MSVBVM60 ref: 004B649B
__vbaStrCopy.MSVBVM60(NoCardMissingDialog,true), ref: 004B64C7
__vbaInStr.MSVBVM60(00000000,\\.\,?,00000001), ref: 004B663C
__vbaStrMove.MSVBVM60(?,?,?,?), ref: 004BAFE0
__vbaStrCopy.MSVBVM60 ref: 004BAFF1
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 004BB015
__vbaInStr.MSVBVM60(00000000,004778FC,?,00000001), ref: 004BB038
__vbaStrCopy.MSVBVM60 ref: 004BB057
#520.MSVBVM60(?,00004008), ref: 004BB08A
__vbaStrCopy.MSVBVM60 ref: 004B6655

Part of subcall function 0051C3A0: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,00530973,?,00000000,?,00000000,00411816), ref: 0051C3BE
Part of subcall function 0051C3A0: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00411816), ref: 0051C3EE
Part of subcall function 0051C3A0: __vbaStrCmp.MSVBVM60(00473D9C,00773364,?,00000000,?,00000000,00411816), ref: 0051C406
Part of subcall function 0051C3A0: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 0051C420
Part of subcall function 0051C3A0: #685.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CE34
Part of subcall function 0051C3A0: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000,00411816), ref: 0051CE3F
Part of subcall function 0051C3A0: __vbaFreeObj.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CE60
Part of subcall function 0051C3A0: __vbaFreeStr.MSVBVM60(0051CED1,?,?,?,?,00000000,00411816), ref: 0051CEB8
Part of subcall function 0051C3A0: __vbaFreeStr.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CEC1
Part of subcall function 0051C3A0: __vbaFreeStr.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CECA

#520.MSVBVM60(?,00004008), ref: 004BAD65
#520.MSVBVM60(?,00004008), ref: 004BADA5
__vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 004BADD4
__vbaVarCmpNe.MSVBVM60(?,00008008,?,00000000), ref: 004BADF0
__vbaVarAnd.MSVBVM60(?,00000000), ref: 004BADFE
__vbaBoolVarNull.MSVBVM60(00000000), ref: 004BAE05
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004BAE22
#520.MSVBVM60(?,00004008), ref: 004BAE68
#520.MSVBVM60(?,00004008), ref: 004BAE95
#617.MSVBVM60(?,?,00000001), ref: 004BAEAB
#619.MSVBVM60(?,?,00000001), ref: 004BAED5
__vbaVarCmpNe.MSVBVM60(?,00008008,?), ref: 004BAF04
__vbaStrCopy.MSVBVM60 ref: 004BBAC8
__vbaFreeStr.MSVBVM60(?), ref: 004BBAE0
#685.MSVBVM60 ref: 004BBAED
__vbaObjSet.MSVBVM60(?,00000000), ref: 004BBAFB
__vbaFreeObj.MSVBVM60 ref: 004BBB1F
__vbaAryDestruct.MSVBVM60(004741C8,?,004BBCCD), ref: 004BBC1E
__vbaFreeStr.MSVBVM60 ref: 004BBC27
__vbaFreeStr.MSVBVM60 ref: 004BBC30
__vbaFreeStr.MSVBVM60 ref: 004BBC39
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004BBC45
__vbaFreeStr.MSVBVM60 ref: 004BBC4E
__vbaFreeStr.MSVBVM60 ref: 004BBC57
__vbaFreeStr.MSVBVM60 ref: 004BBC60
__vbaFreeStr.MSVBVM60 ref: 004BBC69
__vbaFreeStr.MSVBVM60 ref: 004BBC72
__vbaFreeStr.MSVBVM60 ref: 004BBC7B
__vbaFreeStr.MSVBVM60 ref: 004BBC84
__vbaFreeStr.MSVBVM60 ref: 004BBC8D
__vbaFreeObj.MSVBVM60 ref: 004BBC96
__vbaFreeStr.MSVBVM60 ref: 004BBC9F
__vbaFreeStr.MSVBVM60 ref: 004BBCA8
__vbaFreeStr.MSVBVM60 ref: 004BBCB4
__vbaAryDestruct.MSVBVM60(004741C8,?), ref: 004BBCC6

Strings

vb6, xrefs: 004B6C27, 004B6DBA
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword, xrefs: 004BBD77, 004BBED5, 004BBF40, 004BBFAC
LastUCN, xrefs: 004B64D9, 004B655D
Splash, xrefs: 004BA791
Entering CheckReader, xrefs: 004B4EDE
RetrievContainerNameDoNotUseCache, xrefs: 004B846D, 004B860E, 004B89AF, 004B8B50
_UCNs, xrefs: 004B7150, 004B7230, 004BA330, 004BA410
disconnect, xrefs: 004B888F
WasLoggedOnViaCard is true, xrefs: 004B6F6F
_UCNs = , xrefs: 004B72E3, 004BA642
NoCardMissingDialog, xrefs: 004B64AD, 004B8368, 004B9371
Could not find Kerberos Card, xrefs: 004B9193
Found Kerberos Card: , xrefs: 004B9155
AloahaCredentialsDLL.Provider, xrefs: 004B892F
_LogonCard, xrefs: 004B7F95, 004B9A9E
localsystem, xrefs: 004B5342
true, xrefs: 004B552C, 004B57F2, 004B5975, 004B5C50, 004B5C7E, 004B601C, 004B604A, 004B63DE, 004B6490, 004B64A8, 004B66A2, 004B67E1, 004B6920, 004B6A92, 004B6CC1, 004B6CDC, 004B6D33, 004B6E48, 004B6E63, 004B6EBA, 004B6ED8, 004B7063, 004B79C0, 004B8299, 004B834B, 004B8363, 004B91C3, 004B92A2, 004B9354, 004B936C, 004B9E2A, 004BA2EC, 004BA803, 004BAC86
CardLogon, xrefs: 004B6700, 004B683F, 004B697E, 004B6CE1, 004B6E68
LogonPKICard is equal UCNs, xrefs: 004BA1E1
abort the timer: , xrefs: 004B5D83
Not doing Checkreader: , xrefs: 004B56AE
UCNS, xrefs: 004B62E0, 004B9056, 004B978D, 004B97EC, 004BAAE5, 004BABFB, 004BAFA3, 004BB2B7, 004BBA42
WriteUCN , xrefs: 004BA601
Going to try AloahaCredentials.Provider, xrefs: 004B83BB
RetrievContainerName, xrefs: 004B858D, 004B8ACF
Leaving CheckReader, xrefs: 004BBABD
WasLoggedOnViaCard = true, xrefs: 004B6A21
(T, xrefs: 004B6B1F
CapiUser from NativeCryptAPI is: , xrefs: 004B93C1
~, xrefs: 004B77ED
Writing userpass: , xrefs: 004BA9BF
CapiUser: , xrefs: 004B96F7
RealUCN, xrefs: 004B86B9, 004B8735, 004B884F, 004B8BFB, 004B8C77, 004B8D91
/ , xrefs: 004B9715, 004BA9DD
aloaha_, xrefs: 004B638C, 004B8247, 004B9250
Workstation is locked, clearing UserWasLoggedON, xrefs: 004B5B77
Going to try AloahaCredentialsDLL.Provider, xrefs: 004B88FD
Workstation is NOT locked, reading WasLoggedOnViaCard, UserWasLoggedOn <> true, xrefs: 004B614E
AloahaCredentialsdll.Provider, xrefs: 004B83ED
UdomName: , xrefs: 004BB9ED
_ATRs, xrefs: 004B9E6E
network, xrefs: 004B54AD
LastRealUCN , xrefs: 004B72A3
system, xrefs: 004B53F8, 004B5A71, 004B5C00, 004B5FCC
HKLM\Software\Aloaha\CSP\DisableChangePassword, xrefs: 004BBDFF
_UCNsStamp, xrefs: 004BA23D, 004BA4AF, 004BA571
\\.\, xrefs: 004B65E4, 004B6635, 004B81B5, 004B81F2, 004B8396, 004B8648, 004B8709, 004B88D8, 004B8B8A, 004B8C4B, 004B9A18, 004B9B3A, 004BA157, 004BA748

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Move$Copy$List$#520$#518$Error$Bool$#685Null$Chkstk$CheckHresultSystem$#619$#617Destruct$#608#711AnsiBoundsGenerateIndexLoadNew2$LboundUbound
String ID: / $(T$AloahaCredentialsDLL.Provider$AloahaCredentialsdll.Provider$CapiUser from NativeCryptAPI is: $CapiUser: $CardLogon$Could not find Kerberos Card$Entering CheckReader$Found Kerberos Card: $Going to try AloahaCredentials.Provider$Going to try AloahaCredentialsDLL.Provider$HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword$HKLM\Software\Aloaha\CSP\DisableChangePassword$LastRealUCN $LastUCN$Leaving CheckReader$LogonPKICard is equal UCNs$NoCardMissingDialog$Not doing Checkreader: $RealUCN$RetrievContainerName$RetrievContainerNameDoNotUseCache$Splash$UCNS$UdomName: $WasLoggedOnViaCard = true$WasLoggedOnViaCard is true$Workstation is NOT locked, reading WasLoggedOnViaCard, UserWasLoggedOn <> true$Workstation is locked, clearing UserWasLoggedON$WriteUCN $Writing userpass: $\\.\$_ATRs$_LogonCard$_UCNs$_UCNs = $_UCNsStamp$abort the timer: $aloaha_$disconnect$localsystem$network$system$true$vb6$~
API String ID: 1858184382-2722706244
Opcode ID: 9acb626a01edd8320fa53069d4b1519c6511411dc49d00bf076651c396ea74f3
Instruction ID: 835fc3f60f703cbd504f9c3ca1998a452352655656a13418400faedb9303a1bf
Opcode Fuzzy Hash: 9acb626a01edd8320fa53069d4b1519c6511411dc49d00bf076651c396ea74f3
Instruction Fuzzy Hash: 55E3EA75900219DFDB24DFA0DD48BDEB778BB48305F00C5EAE60AB6260DB745A89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004BDCB0 Relevance: 442.9, APIs: 251, Strings: 1, Instructions: 1894COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001), ref: 004BDD2B

Part of subcall function 004BD9C0: __vbaChkstk.MSVBVM60(00000000,00411816,?,004C0046,00000000,?,00000000), ref: 004BD9DE
Part of subcall function 004BD9C0: __vbaStrCopy.MSVBVM60(00000000,?,?,00000000,00411816), ref: 004BDA0B
Part of subcall function 004BD9C0: __vbaOnError.MSVBVM60(000000FF,?,00000000,00411816), ref: 004BDA1A
Part of subcall function 004BD9C0: #685.MSVBVM60(?,00000000,00411816), ref: 004BDA27
Part of subcall function 004BD9C0: __vbaObjSet.MSVBVM60(?,00000000,?,00000000,00411816), ref: 004BDA32
Part of subcall function 004BD9C0: __vbaFreeObj.MSVBVM60(?,00000000,00411816), ref: 004BDA4A
Part of subcall function 004BD9C0: #578.MSVBVM60(?), ref: 004BDA69
Part of subcall function 004BD9C0: #685.MSVBVM60 ref: 004BDA79
Part of subcall function 004BD9C0: __vbaObjSet.MSVBVM60(?,00000000), ref: 004BDA84
Part of subcall function 004BD9C0: __vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004BDAB7
Part of subcall function 004BD9C0: __vbaFreeObj.MSVBVM60 ref: 004BDAE9
Part of subcall function 004BD9C0: #685.MSVBVM60 ref: 004BDB02
Part of subcall function 004BD9C0: __vbaObjSet.MSVBVM60(?,00000000), ref: 004BDB0D
Part of subcall function 004BD9C0: __vbaFreeObj.MSVBVM60 ref: 004BDB25

__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000,00000000), ref: 004BDD50
__vbaStrToAnsi.MSVBVM60(?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDD78
__vbaSetSystemError.MSVBVM60(00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDD86
__vbaStrToUnicode.MSVBVM60(?,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDD97
__vbaFreeStr.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDDA5
__vbaAryLock.MSVBVM60(?,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDDBD
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDDDA
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDDE7
__vbaSetSystemError.MSVBVM60(000000FF,00000000,00000000,?,00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDE0C
__vbaAryUnlock.MSVBVM60(?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDE16
#685.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDE22
__vbaObjSet.MSVBVM60(?,00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDE2F
__vbaFreeObj.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDE3A
__vbaUbound.MSVBVM60(00000001,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDE46
__vbaUbound.MSVBVM60(00000001,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDE64
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDE77
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDE81
#685.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDE97
__vbaObjSet.MSVBVM60(?,00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDE9E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004747A8,0000001C,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDEBE
__vbaFreeObj.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDED8
__vbaLbound.MSVBVM60(00000001,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDEED
__vbaUbound.MSVBVM60(00000001,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDEFB
#685.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDF14
__vbaObjSet.MSVBVM60(?,00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDF1B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004747A8,0000001C,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDF3F
__vbaFreeObj.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDF65
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000003,00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDF91
__vbaAryLock.MSVBVM60(?,?), ref: 004BDFA2
__vbaGenerateBoundsError.MSVBVM60 ref: 004BDFBF
__vbaGenerateBoundsError.MSVBVM60 ref: 004BDFCD
__vbaAryLock.MSVBVM60(?,?), ref: 004BDFE1
__vbaGenerateBoundsError.MSVBVM60 ref: 004BDFFE
__vbaGenerateBoundsError.MSVBVM60 ref: 004BE00B
__vbaSetSystemError.MSVBVM60(00000000,?,-00000002), ref: 004BE036
__vbaAryUnlock.MSVBVM60(?), ref: 004BE046
__vbaAryUnlock.MSVBVM60(?), ref: 004BE04C
#685.MSVBVM60 ref: 004BE04E
__vbaObjSet.MSVBVM60(?,00000000), ref: 004BE055
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004747A8,0000001C), ref: 004BE079
__vbaFreeObj.MSVBVM60 ref: 004BE093
__vbaAryCopy.MSVBVM60(?,?), ref: 004BE0A6
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 004BE0BF
#685.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE0CE
__vbaObjSet.MSVBVM60(?,00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE0D5
__vbaFreeObj.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE0E6
#685.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE0E8
__vbaObjSet.MSVBVM60(?,00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE0EF
__vbaFreeObj.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE0FA
__vbaAryCopy.MSVBVM60(?,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE104
__vbaUbound.MSVBVM60(00000001,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE110
#685.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE11F
__vbaObjSet.MSVBVM60(?,00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE126
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004747A8,0000001C,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE146
__vbaFreeObj.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE160
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE18C
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE19F
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE1C1
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE1CA
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE1E8
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE1F5
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE217
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE224
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE246
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE253
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE275
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE282
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE2A4
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE2AD
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE2CF
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE2D7
#685.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE389
__vbaObjSet.MSVBVM60(?,00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE396
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004747A8,0000001C,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE3B6
__vbaFreeObj.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE3DA
__vbaVar2Vec.MSVBVM60(?,?,?,00000000,?,00000004,00000080,00000000), ref: 004BE430
__vbaAryMove.MSVBVM60(?,?,?,00000004,00000080,00000000), ref: 004BE441
__vbaFreeVar.MSVBVM60(?,00000004,00000080,00000000), ref: 004BE44A
#685.MSVBVM60(?,00000004,00000080,00000000), ref: 004BE450
__vbaObjSet.MSVBVM60(?,00000000,?,00000004,00000080,00000000), ref: 004BE457
__vbaFreeObj.MSVBVM60(?,00000004,00000080,00000000), ref: 004BE462
__vbaUbound.MSVBVM60(00000001,?,?,00000004,00000080,00000000), ref: 004BE46A
#685.MSVBVM60(?,00000004,00000080,00000000), ref: 004BE475
__vbaObjSet.MSVBVM60(?,00000000,?,00000004,00000080,00000000), ref: 004BE47C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004747A8,0000001C,?,00000004,00000080,00000000), ref: 004BE49C
__vbaFreeObj.MSVBVM60(?,00000004,00000080,00000000), ref: 004BE4B6
__vbaAryCopy.MSVBVM60(?,?,?,00000004,00000080,00000000), ref: 004BE4C9
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000,?,00000004,00000080,00000000), ref: 004BE4E2
#685.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE4EB
__vbaObjSet.MSVBVM60(?,00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE4F2
__vbaFreeObj.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE501
#518.MSVBVM60(?,00004008,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE525
#619.MSVBVM60(?,?,00000004,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE535
__vbaVarTstEq.MSVBVM60(00008008,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE55A
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE56C
__vbaStrMove.MSVBVM60(?,00000004,00000080,00000000), ref: 004BE592
__vbaStrCopy.MSVBVM60 ref: 004BE5A7
__vbaSetSystemError.MSVBVM60(000000FF), ref: 004BE5B6
__vbaStrToAnsi.MSVBVM60(?,00000000,80000000,00000000,00000000,00000004,00000080,00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE5DD
__vbaSetSystemError.MSVBVM60(00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE5EB
__vbaStrToUnicode.MSVBVM60(?,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE5F9
__vbaFreeStr.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE607
__vbaAryLock.MSVBVM60(?,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE61F
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE63C
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE649
__vbaSetSystemError.MSVBVM60(000000FF,00000000,00000000,?,00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE66E
__vbaAryUnlock.MSVBVM60(?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE678
#685.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE684
__vbaObjSet.MSVBVM60(?,00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE691
__vbaFreeObj.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE69C
__vbaUbound.MSVBVM60(00000001,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE6A8
__vbaUbound.MSVBVM60(00000001,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE6C6
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE6D9
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE6E3
#685.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE6F9
__vbaObjSet.MSVBVM60(?,00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE700
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004747A8,0000001C,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE720
__vbaFreeObj.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE73A
__vbaLbound.MSVBVM60(00000001,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE74F
__vbaUbound.MSVBVM60(00000001,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE75D
#685.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE776
__vbaObjSet.MSVBVM60(?,00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE77D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004747A8,0000001C,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE7A1
__vbaFreeObj.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE7C7
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000003,00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE7F3
__vbaAryLock.MSVBVM60(?,?), ref: 004BE804
__vbaGenerateBoundsError.MSVBVM60 ref: 004BE821
__vbaGenerateBoundsError.MSVBVM60 ref: 004BE82F
__vbaAryLock.MSVBVM60(?,?), ref: 004BE843
__vbaGenerateBoundsError.MSVBVM60 ref: 004BE860
__vbaGenerateBoundsError.MSVBVM60 ref: 004BE86D
__vbaSetSystemError.MSVBVM60(00000000,?,-00000002), ref: 004BE898
__vbaAryUnlock.MSVBVM60(?), ref: 004BE8A8
__vbaAryUnlock.MSVBVM60(?), ref: 004BE8AE
#685.MSVBVM60 ref: 004BE8B0
__vbaObjSet.MSVBVM60(?,00000000), ref: 004BE8B7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004747A8,0000001C), ref: 004BE8DB
__vbaFreeObj.MSVBVM60 ref: 004BE8F5
__vbaAryCopy.MSVBVM60(?,?), ref: 004BE908
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 004BE921
#685.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE930
__vbaObjSet.MSVBVM60(?,00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE937
__vbaFreeObj.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE948
#685.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE94A
__vbaObjSet.MSVBVM60(?,00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE951
__vbaFreeObj.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE95C
__vbaAryCopy.MSVBVM60(?,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE966
__vbaUbound.MSVBVM60(00000001,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE972
#685.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE981
__vbaObjSet.MSVBVM60(?,00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE988
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004747A8,0000001C,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE9A8
__vbaFreeObj.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE9C2
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BE9EE
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BEA01
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BEA23
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BEA30
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BEA52
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BEA5F
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BEA81
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BEA8E
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BEAB0
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BEABD
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BEADF
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BEAEC
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BEB0E
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BEB1B
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BEB3D
__vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BEB41
__vbaVar2Vec.MSVBVM60(?,?,?,00000000,?,00000004,00000080,00000000), ref: 004BEC3C
__vbaAryMove.MSVBVM60(?,?,?,00000004,00000080,00000000), ref: 004BEC4D
__vbaFreeVar.MSVBVM60(?,00000004,00000080,00000000), ref: 004BEC56
#685.MSVBVM60(?,00000004,00000080,00000000), ref: 004BEC62
__vbaObjSet.MSVBVM60(?,00000000,?,00000004,00000080,00000000), ref: 004BEC6F
__vbaFreeObj.MSVBVM60(?,00000004,00000080,00000000), ref: 004BEC80
__vbaUbound.MSVBVM60(00000001,?,?,00000004,00000080,00000000), ref: 004BEC88
#685.MSVBVM60(?,00000004,00000080,00000000), ref: 004BEC97
__vbaObjSet.MSVBVM60(?,00000000,?,00000004,00000080,00000000), ref: 004BEC9E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004747A8,0000001C,?,00000004,00000080,00000000), ref: 004BECBE
__vbaFreeObj.MSVBVM60(?,00000004,00000080,00000000), ref: 004BECD8

Part of subcall function 004F1A10: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,004C015E), ref: 004F1A2E
Part of subcall function 004F1A10: __vbaOnError.MSVBVM60(000000FF,?,?,6D641654,00000000,00411816), ref: 004F1A5E
Part of subcall function 004F1A10: __vbaStrCopy.MSVBVM60 ref: 004F1A73
Part of subcall function 004F1A10: __vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004F1A8B
Part of subcall function 004F1A10: __vbaStrCopy.MSVBVM60 ref: 004F1AA5
Part of subcall function 004F1A10: __vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004F1D97
Part of subcall function 004F1A10: __vbaStrMove.MSVBVM60(00000000), ref: 004F1DBA
Part of subcall function 004F1A10: __vbaStrCopy.MSVBVM60 ref: 004F1DCD
Part of subcall function 004F1A10: #685.MSVBVM60 ref: 004F1DDA
Part of subcall function 004F1A10: __vbaObjSet.MSVBVM60(?,00000000), ref: 004F1DE5
Part of subcall function 004F1A10: __vbaFreeObj.MSVBVM60 ref: 004F1E06
Part of subcall function 004F1A10: __vbaFreeStr.MSVBVM60(004F1E5F), ref: 004F1E4F
Part of subcall function 004F1A10: __vbaFreeStr.MSVBVM60 ref: 004F1E58

__vbaStrMove.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BECFD

Part of subcall function 005114A0: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,004C0171,00000000), ref: 005114BE
Part of subcall function 005114A0: __vbaOnError.MSVBVM60(000000FF,6D62D8B1,?,6D641654,00000000,00411816), ref: 005114EE
Part of subcall function 005114A0: __vbaSetSystemError.MSVBVM60(?), ref: 00511504
Part of subcall function 005114A0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000027,00000000), ref: 00511546
Part of subcall function 005114A0: __vbaAryLock.MSVBVM60(?,?), ref: 0051155E
Part of subcall function 005114A0: #644.MSVBVM60(?), ref: 005115CE
Part of subcall function 005114A0: __vbaAryUnlock.MSVBVM60(00000000), ref: 005115DE
Part of subcall function 005114A0: __vbaSetSystemError.MSVBVM60(?,?,?), ref: 005115FE
Part of subcall function 005114A0: __vbaStrVarCopy.MSVBVM60(00002011,?), ref: 0051163B

__vbaStrMove.MSVBVM60(00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BED0E
__vbaStrCat.MSVBVM60(00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BED15
__vbaStrMove.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BED20
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BED30

Part of subcall function 004C2E80: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,00000000,00000000,?,00411816), ref: 004C2E9E
Part of subcall function 004C2E80: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00411816,?), ref: 004C2ECE
Part of subcall function 004C2E80: __vbaStrCmp.MSVBVM60(00473D9C,?,?,00000000,00000000,00000000,00411816,?), ref: 004C2EE6
Part of subcall function 004C2E80: #518.MSVBVM60(?,00004008), ref: 004C2F17
Part of subcall function 004C2E80: __vbaVarCmpNe.MSVBVM60(?,00008008,?,0000000B), ref: 004C2F3E
Part of subcall function 004C2E80: __vbaVarAnd.MSVBVM60(?,00000000), ref: 004C2F49
Part of subcall function 004C2E80: __vbaBoolVarNull.MSVBVM60(00000000), ref: 004C2F50
Part of subcall function 004C2E80: __vbaFreeVarList.MSVBVM60(00000002,?,0000000B), ref: 004C2F6A
Part of subcall function 004C2E80: __vbaInStr.MSVBVM60(00000000,004775E8,?,00000001,00000000,00000000,00411816,?), ref: 004C2F98
Part of subcall function 004C2E80: #685.MSVBVM60(?,00000001,00000000,00000000,00411816,?), ref: 004C2FAD
Part of subcall function 004C2E80: __vbaObjSet.MSVBVM60(00000001,00000000,?,00000001,00000000,00000000,00411816,?), ref: 004C2FB8
Part of subcall function 004C2E80: __vbaFreeObj.MSVBVM60(?,00000001,00000000,00000000,00411816,?), ref: 004C2FD9
Part of subcall function 004C2E80: __vbaChkstk.MSVBVM60 ref: 004C3006

Part of subcall function 004C1250: __vbaChkstk.MSVBVM60(?,00411816,?,?,?,0051C9A3,?,?,?,?,?,?,?,?,?,?), ref: 004C126E
Part of subcall function 004C1250: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00411816), ref: 004C129E
Part of subcall function 004C1250: #685.MSVBVM60 ref: 004C12B8
Part of subcall function 004C1250: __vbaObjSet.MSVBVM60(?,00000000), ref: 004C12C3
Part of subcall function 004C1250: __vbaFreeObj.MSVBVM60 ref: 004C12E4
Part of subcall function 004C1250: #632.MSVBVM60(?,00004008,00000003,00000002), ref: 004C1323
Part of subcall function 004C1250: #617.MSVBVM60(?,00004008,00000002), ref: 004C1360
Part of subcall function 004C1250: __vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 004C1389
Part of subcall function 004C1250: __vbaVarCmpEq.MSVBVM60(?,00008008,?,00000000), ref: 004C13A5
Part of subcall function 004C1250: __vbaVarOr.MSVBVM60(?,00000000), ref: 004C13B3
Part of subcall function 004C1250: __vbaBoolVarNull.MSVBVM60(00000000), ref: 004C13BA
Part of subcall function 004C1250: __vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 004C13D8

Part of subcall function 004C43A0: __vbaChkstk.MSVBVM60(?,00411816,?,004C01B5,?,?,?,?), ref: 004C43BE
Part of subcall function 004C43A0: __vbaOnError.MSVBVM60(000000FF,6D62D8B1,?,6D641654,?,00411816), ref: 004C43EE
Part of subcall function 004C43A0: #518.MSVBVM60(?,00004008), ref: 004C4410
Part of subcall function 004C43A0: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 004C4432
Part of subcall function 004C43A0: __vbaFreeVar.MSVBVM60 ref: 004C4442
Part of subcall function 004C43A0: #685.MSVBVM60(?), ref: 004C455B
Part of subcall function 004C43A0: __vbaObjSet.MSVBVM60(?,00000000), ref: 004C4566
Part of subcall function 004C43A0: __vbaFreeObj.MSVBVM60 ref: 004C4587

__vbaStrToAnsi.MSVBVM60(?,?,C0000000,00000000,00000000,00000004,00000080,00000000,?,?,?,?,00000004,00000080,00000000), ref: 004BED7C
__vbaSetSystemError.MSVBVM60(00000000), ref: 004BED8A
__vbaStrToUnicode.MSVBVM60(?,?), ref: 004BED98
__vbaFreeStr.MSVBVM60 ref: 004BEDA6
__vbaAryLock.MSVBVM60(?,?), ref: 004BEDBD
__vbaGenerateBoundsError.MSVBVM60 ref: 004BEDDA
__vbaGenerateBoundsError.MSVBVM60 ref: 004BEDE7
__vbaSetSystemError.MSVBVM60(000000FF,00000000,00000000,?,00000000), ref: 004BEE0C
__vbaAryUnlock.MSVBVM60(?), ref: 004BEE16
#685.MSVBVM60 ref: 004BEE22
__vbaObjSet.MSVBVM60(?,00000000), ref: 004BEE2F
__vbaFreeObj.MSVBVM60 ref: 004BEE3A
__vbaAryCopy.MSVBVM60(?,?), ref: 004BEE48
__vbaUbound.MSVBVM60(00000001,?), ref: 004BEE54
#685.MSVBVM60 ref: 004BEE63
__vbaObjSet.MSVBVM60(?,00000000), ref: 004BEE6A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004747A8,0000001C), ref: 004BEE8A
__vbaFreeObj.MSVBVM60 ref: 004BEEA4
__vbaGenerateBoundsError.MSVBVM60 ref: 004BEED0
__vbaGenerateBoundsError.MSVBVM60 ref: 004BEEE3
__vbaGenerateBoundsError.MSVBVM60 ref: 004BEF05
__vbaGenerateBoundsError.MSVBVM60 ref: 004BEF12
__vbaGenerateBoundsError.MSVBVM60 ref: 004BEF34
__vbaGenerateBoundsError.MSVBVM60 ref: 004BEF41
__vbaGenerateBoundsError.MSVBVM60 ref: 004BEF63
__vbaGenerateBoundsError.MSVBVM60 ref: 004BEF70
__vbaGenerateBoundsError.MSVBVM60 ref: 004BEF92
__vbaGenerateBoundsError.MSVBVM60 ref: 004BEF9F
__vbaGenerateBoundsError.MSVBVM60 ref: 004BEFC1
__vbaGenerateBoundsError.MSVBVM60 ref: 004BEFCE
__vbaGenerateBoundsError.MSVBVM60 ref: 004BEFF0
__vbaGenerateBoundsError.MSVBVM60 ref: 004BEFFD
__vbaGenerateBoundsError.MSVBVM60 ref: 004BF01F
__vbaGenerateBoundsError.MSVBVM60 ref: 004BF023
__vbaVar2Vec.MSVBVM60(?,?,?,00000000), ref: 004BF11A
__vbaAryMove.MSVBVM60(?,?), ref: 004BF12B
__vbaFreeVar.MSVBVM60 ref: 004BF134
#685.MSVBVM60 ref: 004BF140
__vbaObjSet.MSVBVM60(?,00000000), ref: 004BF14D
__vbaFreeObj.MSVBVM60 ref: 004BF158
__vbaUbound.MSVBVM60(00000001,?), ref: 004BF164
#685.MSVBVM60 ref: 004BF173
__vbaObjSet.MSVBVM60(?,00000000), ref: 004BF17A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004747A8,0000001C), ref: 004BF19A
__vbaFreeObj.MSVBVM60 ref: 004BF1B4
__vbaAryCopy.MSVBVM60(?,?), ref: 004BF1C7
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 004BF1E0
#685.MSVBVM60 ref: 004BF1F7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004BF1FE
__vbaFreeObj.MSVBVM60 ref: 004BF209
#518.MSVBVM60(?,00004008), ref: 004BF22D
#619.MSVBVM60(?,?,00000004), ref: 004BF23D
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 004BF262
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004BF274
__vbaStrMove.MSVBVM60(?), ref: 004BF29A
__vbaStrCopy.MSVBVM60 ref: 004BF2AF
__vbaSetSystemError.MSVBVM60(000000FF), ref: 004BF2BE
#685.MSVBVM60(?,?,?,?,?,00000004,00000080,00000000), ref: 004BF2CD
__vbaObjSet.MSVBVM60(?,00000000), ref: 004BF2D8
__vbaFreeObj.MSVBVM60 ref: 004BF2E7
__vbaExitProc.MSVBVM60 ref: 004BF2ED
__vbaAryDestruct.MSVBVM60(00000000,?,004BF388), ref: 004BF36D
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004BF375
__vbaFreeStr.MSVBVM60 ref: 004BF380
__vbaFreeStr.MSVBVM60 ref: 004BF385
__vbaErrorOverflow.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BF39E

Strings

.pdf, xrefs: 004BE53B, 004BF243

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Error$BoundsGenerate$Free$#685$CheckCopyHresult$SystemUbound$Move$LockRedimUnlock$Chkstk$List$#518$AnsiUnicodeVar2$#619BoolDestructLboundNull$#578#617#632#644ExitOverflowProc
String ID: .pdf
API String ID: 1123823117-2417493391
Opcode ID: da0f265534499804ef5066421521ed21883d48636a4419ec4844a939776b25e9
Instruction ID: 7a0ddeacd2a6f6e9b1e2d193799c705364be4a3597f37b9405b9559b03db540c
Opcode Fuzzy Hash: da0f265534499804ef5066421521ed21883d48636a4419ec4844a939776b25e9
Instruction Fuzzy Hash: 05E29D31A002189FDB24DFA5CD44BEEB7B5BF88700F1485A9E506BB250DB74AD85CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0053D500 Relevance: 419.9, APIs: 228, Strings: 11, Instructions: 1615COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00411816), ref: 0053D51E
__vbaFixstrConstruct.MSVBVM60(00000800,?,?,?,?,?,00411816), ref: 0053D551
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 0053D560
#685.MSVBVM60(?,?,?,?,00411816), ref: 0053D56D
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00411816), ref: 0053D57B
__vbaFreeObj.MSVBVM60(?,?,?,?,00411816), ref: 0053D59F

Part of subcall function 00531FD0: __vbaChkstk.MSVBVM60(00000000,00411816,004CB93C,?,00000001,?,00000000,00411816), ref: 00531FEE
Part of subcall function 00531FD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000001,?,00000000,00411816,004CB93C), ref: 0053201E
Part of subcall function 00531FD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000001,?,00000000,00411816,004CB93C), ref: 0053202D
Part of subcall function 00531FD0: __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,00411816,004CB93C), ref: 0053203C
Part of subcall function 00531FD0: #520.MSVBVM60(?,00004008), ref: 0053206B
Part of subcall function 00531FD0: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 00532093
Part of subcall function 00531FD0: __vbaFreeVar.MSVBVM60 ref: 005320A6
Part of subcall function 00531FD0: __vbaStrCopy.MSVBVM60 ref: 005320CA
Part of subcall function 00531FD0: #520.MSVBVM60(?,00000008,?), ref: 005320F7
Part of subcall function 00531FD0: __vbaStrVarMove.MSVBVM60(?), ref: 00532104
Part of subcall function 00531FD0: __vbaStrMove.MSVBVM60 ref: 00532111
Part of subcall function 00531FD0: __vbaFreeStr.MSVBVM60 ref: 0053211A
Part of subcall function 00531FD0: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 00532130
Part of subcall function 00531FD0: #520.MSVBVM60(?,00004008), ref: 00532162
Part of subcall function 00531FD0: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0053218A
Part of subcall function 00531FD0: __vbaFreeVar.MSVBVM60 ref: 0053219D

__vbaSetSystemError.MSVBVM60(00000000,?,?,00000000), ref: 0053D602
__vbaUbound.MSVBVM60(00000001,00000000), ref: 0053D631
#685.MSVBVM60 ref: 0053D646
__vbaObjSet.MSVBVM60(?,00000000), ref: 0053D654
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 0053D69F
__vbaFreeObj.MSVBVM60 ref: 0053D6D2
__vbaAryLock.MSVBVM60(?), ref: 0053D6FB
__vbaGenerateBoundsError.MSVBVM60 ref: 0053D744
__vbaGenerateBoundsError.MSVBVM60 ref: 0053D75E
__vbaGenerateBoundsError.MSVBVM60 ref: 0053D78C
__vbaUbound.MSVBVM60(00000001), ref: 0053D7A0
__vbaSetSystemError.MSVBVM60(?,?,-00000001), ref: 0053D7D3
__vbaAryUnlock.MSVBVM60(00000000), ref: 0053D7E0
__vbaLenBstr.MSVBVM60(?), ref: 0053D7F4
__vbaStrToAnsi.MSVBVM60(?,?,?), ref: 0053D830
__vbaSetSystemError.MSVBVM60(00000000,?,00000000,00000000,00000000), ref: 0053D854
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0053D868
__vbaLsetFixstr.MSVBVM60(00000000,?,00000000), ref: 0053D878
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0053D897
__vbaStrToAnsi.MSVBVM60(?,?,?), ref: 0053D8C1
__vbaSetSystemError.MSVBVM60(?,?,00000000,00000000,00000000), ref: 0053D8E2
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0053D8F6
__vbaLsetFixstr.MSVBVM60(00000000,?,00000000), ref: 0053D906
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0053D925
#608.MSVBVM60(?,00000000), ref: 0053D94F
__vbaStrCopy.MSVBVM60(00477FFC,00473D9C,00000001,000000FF,00000000), ref: 0053D971
#712.MSVBVM60(00000000), ref: 0053D978
__vbaStrMove.MSVBVM60 ref: 0053D986
__vbaLsetFixstr.MSVBVM60(00000000,?,?), ref: 0053D99C
__vbaStrVarVal.MSVBVM60(?,?,00473D9C,00000001,000000FF,00000000), ref: 0053D9BB
__vbaStrCopy.MSVBVM60(00000000), ref: 0053D9CE
#712.MSVBVM60(00000000), ref: 0053D9D5
__vbaStrMove.MSVBVM60 ref: 0053D9E3
__vbaLsetFixstr.MSVBVM60(00000000,?,?), ref: 0053D9F9
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 0053DA0B
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 0053DA27
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0053DA64
__vbaFreeVar.MSVBVM60 ref: 0053DA73
__vbaStrCopy.MSVBVM60 ref: 0053DADF
#608.MSVBVM60(?,00000000), ref: 0053DAF5
__vbaStrCopy.MSVBVM60(?,000000FF,00000000), ref: 0053DB26
#711.MSVBVM60(?,00000000), ref: 0053DB34
__vbaLsetFixstr.MSVBVM60(00000000,?,?), ref: 0053DB4A
__vbaChkstk.MSVBVM60 ref: 0053DB55
__vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 0053DB96
#520.MSVBVM60(?,00000000), ref: 0053DBA7
__vbaAryUnlock.MSVBVM60(?), ref: 0053DBB4
#608.MSVBVM60(?,00000000), ref: 0053DBC3
__vbaStrVarVal.MSVBVM60(?,?,00473D9C,00000001,000000FF,00000000), ref: 0053DBE2
__vbaStrVarVal.MSVBVM60(?,?,00000000), ref: 0053DBF7
#712.MSVBVM60(00000000), ref: 0053DBFE
__vbaStrMove.MSVBVM60 ref: 0053DC0C
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0053DC29
__vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 0053DC57
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 0053DC73
__vbaRedimPreserve.MSVBVM60(00000180,00000004,?,00000008,00000001,?,00000000), ref: 0053DCA0
__vbaGenerateBoundsError.MSVBVM60 ref: 0053DCEB
__vbaGenerateBoundsError.MSVBVM60 ref: 0053DD08
__vbaStrCopy.MSVBVM60 ref: 0053DD26
__vbaStrCopy.MSVBVM60 ref: 0053DD3F
__vbaLenBstr.MSVBVM60(?), ref: 0053DD62
__vbaLenBstr.MSVBVM60(?), ref: 0053DD71
#619.MSVBVM60(?,00004008,-00000001), ref: 0053DD97
__vbaLsetFixstr.MSVBVM60(00000000,?,?), ref: 0053DDAD
__vbaStrVarMove.MSVBVM60(?), ref: 0053DDBA
__vbaLsetFixstrFree.MSVBVM60(00000000,?,00000000), ref: 0053DDCA
__vbaFreeStr.MSVBVM60 ref: 0053DDD6
__vbaFreeVar.MSVBVM60 ref: 0053DDE2
__vbaSetSystemError.MSVBVM60(00000000), ref: 0053DE37
__vbaAryCopy.MSVBVM60(?,?), ref: 0053DE60
#685.MSVBVM60 ref: 0053DE6D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0053DE7B
__vbaFreeObj.MSVBVM60 ref: 0053DE9F
__vbaAryDestruct.MSVBVM60(00000000,?,0053DF63), ref: 0053DF44
__vbaFreeStr.MSVBVM60 ref: 0053DF50
__vbaFreeStr.MSVBVM60 ref: 0053DF5C

Strings

#, xrefs: 0053EEEF
Entering Readers, xrefs: 0053EA5D
$, xrefs: 0053E677
true, xrefs: 0053EC8D
0u, xrefs: 0053DA8F
Readers found: , xrefs: 0053EE50
Could not get context to winscard: , xrefs: 0053F144
got context to winscard in hcontext: , xrefs: 0053F1B9
in readers , xrefs: 0053ECD7
SCardListReaders returned , xrefs: 0053ECA4
Invalid Context in Readers, xrefs: 0053EEC6

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Error$Fixstr$Copy$Lset$ListMove$BoundsGenerateSystem$#520$#608#685#712BstrChkstkConstruct$AnsiLockUboundUnicodeUnlock$#619#711CheckDestructHresultIndexLoadPreserveRedim
String ID: in readers $#$$$0u$Could not get context to winscard: $Entering Readers$Invalid Context in Readers$Readers found: $SCardListReaders returned $got context to winscard in hcontext: $true
API String ID: 1375779911-1287176704
Opcode ID: aa5e615aac95572ac477ed67de3b1d9ef24a5dcd2dd719f00966636214f75fb1
Instruction ID: 37d4ff7eb3e29ecd8366f5e0f85b7e179589c9740587ea566e4df71f9dcad29b
Opcode Fuzzy Hash: aa5e615aac95572ac477ed67de3b1d9ef24a5dcd2dd719f00966636214f75fb1
Instruction Fuzzy Hash: 8DF2F775900219EFDB24DFA0DE89BDDBBB4BB48305F1081D9E50AB72A0DB745A84CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004D5390 Relevance: 419.5, APIs: 227, Strings: 12, Instructions: 1292
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,004B1C27), ref: 004D53AE
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816,004B1C27), ref: 004D53DE
__vbaStrCmp.MSVBVM60(00473D9C,0077EF34), ref: 004D5410
__vbaStrCmp.MSVBVM60(null,0077EF34), ref: 004D542D
__vbaStrCopy.MSVBVM60 ref: 004D5447
__vbaStrCopy.MSVBVM60 ref: 004D545E
__vbaStrCopy.MSVBVM60 ref: 004D5478
#520.MSVBVM60(?,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D5499
__vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D54A3
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D54AE
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D54B7
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D54C7
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D54E0
#520.MSVBVM60(?,00000008), ref: 004D550C
__vbaStrVarMove.MSVBVM60(?), ref: 004D5516
__vbaStrMove.MSVBVM60 ref: 004D5521
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004D5531
__vbaStrCopy.MSVBVM60 ref: 004D5558
__vbaStrMove.MSVBVM60(?,?,?), ref: 004D556F
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D5585
__vbaStrCat.MSVBVM60(\Logon\Standard\LogonDomain,?), ref: 004D559F
__vbaStrMove.MSVBVM60(?,?,?), ref: 004D55AA
#520.MSVBVM60(?,00000008), ref: 004D55CB
__vbaStrVarMove.MSVBVM60(?), ref: 004D55D5
__vbaStrMove.MSVBVM60 ref: 004D55E0
__vbaFreeStr.MSVBVM60 ref: 004D55E9
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004D55F9
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D5612
__vbaStrCat.MSVBVM60(SOFTWARE\Polizei\HH,HKLM\), ref: 004D5631
__vbaStrMove.MSVBVM60(?,?,?), ref: 004D563C
__vbaStrCat.MSVBVM60(\Logon\Standard\LogonDomain,00000000), ref: 004D5648
__vbaStrMove.MSVBVM60(?,?,?), ref: 004D5653
#520.MSVBVM60(?,00000008), ref: 004D5674
__vbaStrVarMove.MSVBVM60(?), ref: 004D567E
__vbaStrMove.MSVBVM60 ref: 004D5689
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004D5699
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 004D56AC
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D56C5
__vbaStrCat.MSVBVM60(SOFTWARE\Polizei,HKLM\), ref: 004D56E4
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?), ref: 004D56EF
__vbaStrCat.MSVBVM60(\Logon\Standard\LogonDomain,00000000), ref: 004D56FB
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?), ref: 004D5706
#520.MSVBVM60(?,00000008), ref: 004D5727
__vbaStrVarMove.MSVBVM60(?), ref: 004D5731
__vbaStrMove.MSVBVM60 ref: 004D573C
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004D574C
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 004D575F
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D5778
__vbaStrCat.MSVBVM60(?,LogonDomain: ), ref: 004D5796
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D57A1
__vbaFreeStr.MSVBVM60(?), ref: 004D57B3
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D57C9
__vbaStrCat.MSVBVM60(SOFTWARE\Polizei,HKLM\), ref: 004D5801
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D580C
__vbaStrCat.MSVBVM60(\Logon\Standard\LogonDomain,00000000), ref: 004D5818
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D5823
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D5831
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?), ref: 004D5852
__vbaStrCat.MSVBVM60(?,LogonDomain: ), ref: 004D587F
__vbaStrMove.MSVBVM60 ref: 004D588A
__vbaFreeStr.MSVBVM60(?), ref: 004D589C
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D58B2
__vbaStrCat.MSVBVM60(SOFTWARE\Polizei\HH,HKLM\), ref: 004D58EA
__vbaStrMove.MSVBVM60 ref: 004D58F5
__vbaStrCat.MSVBVM60(\Logon\Standard\LogonDomain,00000000), ref: 004D5901
__vbaStrMove.MSVBVM60 ref: 004D590C
__vbaStrCopy.MSVBVM60 ref: 004D591A
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?), ref: 004D593B
__vbaStrCat.MSVBVM60(?,LogonDomain: ), ref: 004D5959
__vbaStrMove.MSVBVM60 ref: 004D5964
__vbaFreeStr.MSVBVM60(?), ref: 004D5976
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D598C
__vbaStrCat.MSVBVM60(\Logon\Standard\LogonDomain,?), ref: 004D59BF
__vbaStrMove.MSVBVM60 ref: 004D59CA
__vbaStrCopy.MSVBVM60 ref: 004D59D8
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?), ref: 004D59F5
__vbaStrCopy.MSVBVM60 ref: 004D5A1F
#520.MSVBVM60(?,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D5A40
__vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D5A4A
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D5A55
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D5A5E
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D5A6E
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D5A87
__vbaStrCopy.MSVBVM60 ref: 004D5AA4
__vbaStrCopy.MSVBVM60 ref: 004D5AB2
__vbaStrCopy.MSVBVM60 ref: 004D5AC0
#520.MSVBVM60(?,00000008), ref: 004D5AED
__vbaStrVarMove.MSVBVM60(?), ref: 004D5AF7
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D5B02
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004D5B16
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?), ref: 004D5B29
__vbaStrCopy.MSVBVM60 ref: 004D5B5D
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D5B73
__vbaStrCopy.MSVBVM60 ref: 004D5B90
__vbaStrCopy.MSVBVM60 ref: 004D5B9E
__vbaStrCopy.MSVBVM60 ref: 004D5BAC
__vbaStrCat.MSVBVM60(SOFTWARE\Polizei\HH,HKLM\,?,?,?), ref: 004D5BC8
__vbaStrMove.MSVBVM60 ref: 004D5BD3
__vbaStrCat.MSVBVM60(\Logon\Standard\LogonDomain,00000000), ref: 004D5BDF
__vbaStrMove.MSVBVM60 ref: 004D5BEA
#520.MSVBVM60(?,00000008), ref: 004D5C08
__vbaStrVarMove.MSVBVM60(?), ref: 004D5C12
__vbaStrMove.MSVBVM60 ref: 004D5C1D
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 004D5C39
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,00000000), ref: 004D5C4C
__vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,?,?,?,?,?,00000000), ref: 004D5C65
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000), ref: 004D5C82
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000), ref: 004D5C90
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000), ref: 004D5C9E
__vbaStrCat.MSVBVM60(SOFTWARE\Polizei,HKLM\,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004D5CBA
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000), ref: 004D5CC5
__vbaStrCat.MSVBVM60(\Logon\Standard\LogonDomain,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004D5CD1
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000), ref: 004D5CDC
#520.MSVBVM60(?,00000008), ref: 004D5CFA
__vbaStrVarMove.MSVBVM60(?), ref: 004D5D04
__vbaStrMove.MSVBVM60 ref: 004D5D0F
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 004D5D2B
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004D5D3E
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D5D57
__vbaStrCat.MSVBVM60(?,LogonDomain: ), ref: 004D5D75
__vbaStrMove.MSVBVM60 ref: 004D5D80
__vbaFreeStr.MSVBVM60(?), ref: 004D5D92
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D5DA8
__vbaStrCat.MSVBVM60(SOFTWARE\Polizei,HKLM\), ref: 004D5DE8
__vbaStrMove.MSVBVM60 ref: 004D5DF3
__vbaStrCat.MSVBVM60(\Logon\Standard\LogonDomain,00000000), ref: 004D5DFF
__vbaStrMove.MSVBVM60 ref: 004D5E0A
__vbaStrCopy.MSVBVM60 ref: 004D5E18
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?), ref: 004D5E39
__vbaStrCat.MSVBVM60(SOFTWARE\Polizei,HKLM\), ref: 004D5E53
__vbaStrMove.MSVBVM60 ref: 004D5E5E
__vbaStrCat.MSVBVM60(\Logon\Standard\LogonDomain,00000000), ref: 004D5E6A
__vbaStrMove.MSVBVM60 ref: 004D5E75
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?), ref: 004D5E92
__vbaStrCat.MSVBVM60(?,LogonDomain: ,?,?,?,?,?,?,?,?,00000000), ref: 004D5EBF
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000), ref: 004D5ECA
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000), ref: 004D5EDC
__vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,?,?,?,?,?,00000000), ref: 004D5EF2
__vbaStrCat.MSVBVM60(SOFTWARE\Polizei\HH,HKLM\,?,?,?,?,?,?,?,?,00000000), ref: 004D5F32
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000), ref: 004D5F3D
__vbaStrCat.MSVBVM60(\Logon\Standard\LogonDomain,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004D5F49
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000), ref: 004D5F54
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000), ref: 004D5F62
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004D5F83
__vbaStrCat.MSVBVM60(SOFTWARE\Polizei\HH,HKLM\,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004D5F9D
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004D5FA8
__vbaStrCat.MSVBVM60(\Logon\Standard\LogonDomain,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004D5FB4
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004D5FBF
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?), ref: 004D5FDC
__vbaStrCat.MSVBVM60(?,LogonDomain: ), ref: 004D5FFA
__vbaStrMove.MSVBVM60 ref: 004D6005
__vbaFreeStr.MSVBVM60(?), ref: 004D6017
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D602D
__vbaStrCat.MSVBVM60(\Logon\Standard\LogonDomain,?), ref: 004D606C
__vbaStrMove.MSVBVM60 ref: 004D6077
__vbaStrCopy.MSVBVM60 ref: 004D6085
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?), ref: 004D60A2
__vbaStrCat.MSVBVM60(\Logon\Standard\LogonDomain,?), ref: 004D60BB
__vbaStrMove.MSVBVM60 ref: 004D60C6
__vbaFreeStr.MSVBVM60(?,?), ref: 004D60DC
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D60F2
__vbaStrCopy.MSVBVM60 ref: 004D6116
#520.MSVBVM60(?,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D6137
__vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D6141
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D614C
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D6155
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D6165
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D617E
__vbaStrCopy.MSVBVM60 ref: 004D619B
__vbaStrCopy.MSVBVM60 ref: 004D61A9
__vbaStrCopy.MSVBVM60 ref: 004D61B7
#520.MSVBVM60(?,00000008), ref: 004D61E5
__vbaStrVarMove.MSVBVM60(?), ref: 004D61EF
__vbaStrMove.MSVBVM60 ref: 004D61FA
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004D620E
__vbaFreeVarList.MSVBVM60(00000002,?,?,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName,?,?,?), ref: 004D6221
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D623A
__vbaStrCat.MSVBVM60(\Logon\Standard\LogonDomain,HKLM\SOFTWARE\Aloaha\RKK\Settings), ref: 004D626F
__vbaStrMove.MSVBVM60 ref: 004D627A
__vbaStrCopy.MSVBVM60 ref: 004D6288
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?), ref: 004D62A5
__vbaStrCat.MSVBVM60(\Logon\Standard\LogonDomain,HKLM\SOFTWARE\Aloaha\RKK\Settings), ref: 004D62BF
__vbaStrMove.MSVBVM60 ref: 004D62CA
__vbaFreeStr.MSVBVM60(?,?), ref: 004D62E0
__vbaStrCopy.MSVBVM60 ref: 004D62F5
__vbaStrCopy.MSVBVM60 ref: 004D6303
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?), ref: 004D6320
__vbaStrCopy.MSVBVM60 ref: 004D6338
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D634E
__vbaStrMove.MSVBVM60 ref: 004D636D
__vbaInStr.MSVBVM60(00000000,004775E8,?,00000001), ref: 004D6387
__vbaStrCopy.MSVBVM60 ref: 004D63A0
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D63B6
__vbaInStr.MSVBVM60(00000000,004775E8,?,00000001), ref: 004D63D8
__vbaVarDup.MSVBVM60 ref: 004D641E
#711.MSVBVM60(?,?,?,000000FF,00000000), ref: 004D6434
__vbaChkstk.MSVBVM60 ref: 004D643F
__vbaVarIndexLoad.MSVBVM60(?,?,00000001), ref: 004D6476
__vbaStrVarMove.MSVBVM60(00000000), ref: 004D6480
__vbaStrMove.MSVBVM60 ref: 004D648B
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 004D64A2
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D64BB
__vbaStrCat.MSVBVM60(\Logon\Standard\LogonDomain,HKLM\SOFTWARE\Aloaha\RKK\Settings), ref: 004D64F0
__vbaStrMove.MSVBVM60 ref: 004D64FB
__vbaStrCopy.MSVBVM60 ref: 004D6509
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?), ref: 004D6526
__vbaStrCat.MSVBVM60(\Logon\Standard\LogonDomain,HKLM\SOFTWARE\Aloaha\RKK\Settings), ref: 004D6540
__vbaStrMove.MSVBVM60 ref: 004D654B
__vbaFreeStr.MSVBVM60(?,?), ref: 004D6561
__vbaStrCopy.MSVBVM60 ref: 004D6576
__vbaStrCopy.MSVBVM60 ref: 004D6584
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?), ref: 004D65A1
__vbaStrCopy.MSVBVM60 ref: 004D65B9
__vbaStrCopy.MSVBVM60 ref: 004D65D0
__vbaStrCopy.MSVBVM60 ref: 004D65E7
__vbaStrCopy.MSVBVM60 ref: 004D65FE
__vbaStrCopy.MSVBVM60 ref: 004D6615
__vbaStrCopy.MSVBVM60 ref: 004D6628
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D663E
__vbaStrCopy.MSVBVM60 ref: 004D6659
__vbaStrCopy.MSVBVM60 ref: 004D6670
__vbaStrCopy.MSVBVM60 ref: 004D6683
#685.MSVBVM60 ref: 004D6690
__vbaObjSet.MSVBVM60(?,00000000), ref: 004D669B
__vbaFreeObj.MSVBVM60 ref: 004D66BC
__vbaFreeStr.MSVBVM60(004D673B), ref: 004D6722
__vbaFreeStr.MSVBVM60 ref: 004D672B
__vbaFreeStr.MSVBVM60 ref: 004D6734

Strings

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName, xrefs: 004D610E, 004D61C9
HKLM\Software\Aloaha\RKK\StandardHive, xrefs: 004D4F12, 004D50D9, 004D5128, 004D5177, 004D62FB, 004D657C
HKLM\Software\Aloaha\RKK\LogonDomain, xrefs: 004D5470, 004D5829, 004D5912, 004D59D0, 004D5A17, 004D5E10, 004D5F5A, 004D607D, 004D6280, 004D6501
~, xrefs: 004D65C1
SOFTWARE\Polizei\HH, xrefs: 004D4F67, 004D515A, 004D562C, 004D58E5, 004D5BC3, 004D5F2D, 004D5F98
HKLM\SOFTWARE\Aloaha\RKK\Settings, xrefs: 004D50C4, 004D51BC, 004D6265, 004D62B5, 004D62ED, 004D64E6, 004D6536, 004D656E
4w, xrefs: 004D5405, 004D5421, 004D543E, 004D6333, 004D65B4, 004D6610, 004D6654, 004D666B
SOFTWARE\Polizei, xrefs: 004D501A, 004D510B, 004D56DF, 004D57FC, 004D5CB5, 004D5DE3, 004D5E4E
LogonDomain: , xrefs: 004D578D, 004D5876, 004D5950, 004D5D6C, 004D5EB6, 004D5FF1
\Logon\Standard\LogonDomain, xrefs: 004D4F7E, 004D5031, 004D559A, 004D5643, 004D56F6, 004D5813, 004D58FC, 004D59BA, 004D5BDA, 004D5CCC, 004D5DFA, 004D5E65, 004D5F44, 004D5FAF, 004D6067, 004D60B6, 004D626A, 004D62BA, 004D64EB, 004D653B
null, xrefs: 004D5428, 004D664F
HKLM\, xrefs: 004D4F62, 004D5015, 004D5106, 004D5155, 004D5627, 004D56DA, 004D57F7, 004D58E0, 004D5BBE, 004D5CB0, 004D5DDE, 004D5E49, 004D5F28, 004D5F93

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Move$Free$Copy$List$#520$Chkstk$#685#711ErrorIndexLoad
String ID: 4w$HKLM\$HKLM\SOFTWARE\Aloaha\RKK\Settings$HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName$HKLM\Software\Aloaha\RKK\LogonDomain$HKLM\Software\Aloaha\RKK\StandardHive$LogonDomain: $SOFTWARE\Polizei$SOFTWARE\Polizei\HH$\Logon\Standard\LogonDomain$null$~
API String ID: 98941349-2821057421
Opcode ID: cac0364168061781c48d229a3665889d81515ba5e33f946cbab644c751a32c17
Instruction ID: 7a4856617ab015afe4e6ab81a340d9d2a7f9265a438b746efddb3f08a71f5103
Opcode Fuzzy Hash: cac0364168061781c48d229a3665889d81515ba5e33f946cbab644c751a32c17
Instruction Fuzzy Hash: 04C21C75900209DFDB14DFE0DE58AEEB778FF44305F20812AE506B76A0EB745A4ACB58

Uniqueness

Uniqueness Score: -1.00%

Function 00546B10 Relevance: 379.6, APIs: 207, Strings: 9, Instructions: 1580COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,00546A11,?,?,?,00000000,00411816), ref: 00546B2E
__vbaAryConstruct2.MSVBVM60(?,004982B0,00000008,?,?,?,00000000,00411816,00546A11), ref: 00546B60
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816,00546A11), ref: 00546B6F

Part of subcall function 0054A720: __vbaChkstk.MSVBVM60(00000000,00411816,00546B91,?,?,?,00000000,00411816,00546A11), ref: 0054A73E
Part of subcall function 0054A720: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816,00546B91), ref: 0054A76E
Part of subcall function 0054A720: #520.MSVBVM60(?,00004008), ref: 0054A7A7
Part of subcall function 0054A720: #518.MSVBVM60(?,00004008), ref: 0054A7E0
Part of subcall function 0054A720: #520.MSVBVM60(?,?), ref: 0054A7EE
Part of subcall function 0054A720: __vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 0054A817
Part of subcall function 0054A720: __vbaVarCmpEq.MSVBVM60(?,00008008,?,00000000), ref: 0054A830
Part of subcall function 0054A720: __vbaVarOr.MSVBVM60(?,00000000), ref: 0054A83E
Part of subcall function 0054A720: __vbaBoolVarNull.MSVBVM60(00000000), ref: 0054A845
Part of subcall function 0054A720: __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0054A860
Part of subcall function 0054A720: __vbaStrCopy.MSVBVM60 ref: 0054A887
Part of subcall function 0054A720: __vbaStrMove.MSVBVM60(?), ref: 0054A89D
Part of subcall function 0054A720: __vbaFreeStr.MSVBVM60 ref: 0054A8A6
Part of subcall function 0054A720: __vbaInStr.MSVBVM60(00000000,0047BCF8,0075AB4C,00000001), ref: 0054A8C2

__vbaAryMove.MSVBVM60(?,?,?,?,?,00000000,00411816,00546A11), ref: 00546BB8
#685.MSVBVM60(?,?,?,00000000,00411816,00546A11), ref: 00546BC5
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00411816,00546A11), ref: 00546BD3
__vbaFreeObj.MSVBVM60(?,?,?,00000000,00411816,00546A11), ref: 00546BF7
__vbaGenerateBoundsError.MSVBVM60 ref: 00546C3B
__vbaGenerateBoundsError.MSVBVM60 ref: 00546C58
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 00546C79
#685.MSVBVM60 ref: 00546C8E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00546C9C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 00546CE7
__vbaFreeObj.MSVBVM60 ref: 00546D1A
__vbaAryCopy.MSVBVM60(?,00000000), ref: 00546D3A
__vbaAryCopy.MSVBVM60(0054D8DC,00000000), ref: 00546D50
__vbaStrCopy.MSVBVM60 ref: 00546D69
__vbaStrCopy.MSVBVM60 ref: 00546D80
__vbaStrCopy.MSVBVM60 ref: 00546D99
__vbaStrCopy.MSVBVM60 ref: 00546DB0
__vbaAryCopy.MSVBVM60(?,?,?,?,?,00000000,00411816,00546A11), ref: 00546DD6
#685.MSVBVM60(?,?,?,00000000,00411816,00546A11), ref: 00546E05
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00411816,00546A11), ref: 00546E13
__vbaFreeObj.MSVBVM60(?,?,?,00000000,00411816,00546A11), ref: 00546E37
#520.MSVBVM60(?,00004008), ref: 00546E66
__vbaGenerateBoundsError.MSVBVM60 ref: 00546EC2
__vbaGenerateBoundsError.MSVBVM60 ref: 00546EDF
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 00546F03
__vbaVarCmpNe.MSVBVM60(?,00008008,?), ref: 00546F37
__vbaVarAnd.MSVBVM60(?,0000000B,00000000), ref: 00546F4C
__vbaBoolVarNull.MSVBVM60(00000000), ref: 00546F53
__vbaFreeVarList.MSVBVM60(00000002,?,0000000B), ref: 00546F70
#685.MSVBVM60(?,00000000,00411816,00546A11), ref: 00546F8F
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,00411816,00546A11), ref: 00546F9D

Part of subcall function 0054ABF0: __vbaChkstk.MSVBVM60(00000000,00411816,00546BA7,?,?,?,00000000,00411816,00546A11), ref: 0054AC0E
Part of subcall function 0054ABF0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816,00546BA7), ref: 0054AC3E
Part of subcall function 0054ABF0: __vbaInStr.MSVBVM60(00000000,0047BCF8,0075AB4C,00000001,?,?,?,00000000,00411816,00546BA7), ref: 0054AC70
Part of subcall function 0054ABF0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816,00546BA7), ref: 0054AC8D
Part of subcall function 0054ABF0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816,00546BA7), ref: 0054AC9B
Part of subcall function 0054ABF0: __vbaObjSet.MSVBVM60(?,00000000,0075AB4C,00000000,?,?), ref: 0054ACC4
Part of subcall function 0054ABF0: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0054ACD4
Part of subcall function 0054ABF0: __vbaLateMemCallLd.MSVBVM60(?,?,info,00000000), ref: 0054AD01
Part of subcall function 0054ABF0: __vbaVarTstGt.MSVBVM60(?,00000000,?,?,?,?,?,00000000,00411816,00546BA7), ref: 0054AD0F
Part of subcall function 0054ABF0: __vbaFreeVar.MSVBVM60(?,?,?,?,?,00000000,00411816,00546BA7), ref: 0054AD1C
Part of subcall function 0054ABF0: #685.MSVBVM60(?,?,?,?,?,00000000,00411816,00546BA7), ref: 0054AD35
Part of subcall function 0054ABF0: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,00000000,00411816,00546BA7), ref: 0054AD40

__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 00546FE8
__vbaFreeObj.MSVBVM60 ref: 0054701B
#546.MSVBVM60(?), ref: 0054703E
__vbaStrR8.MSVBVM60(?,?,?,00000000,00411816,00546A11), ref: 00547056
__vbaStrMove.MSVBVM60(?,?,?,00000000,00411816,00546A11), ref: 00547061
__vbaFreeVar.MSVBVM60(?,?,?,00000000,00411816,00546A11), ref: 0054706D
#520.MSVBVM60(?,00004008), ref: 0054709B
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 005470C3
__vbaFreeVar.MSVBVM60 ref: 005470D6
#685.MSVBVM60 ref: 005470F2
__vbaObjSet.MSVBVM60(?,00000000), ref: 00547100
__vbaFreeObj.MSVBVM60 ref: 00547124
__vbaR8Str.MSVBVM60(?), ref: 00547135
__vbaR8Str.MSVBVM60(0077F5EC), ref: 00547147
__vbaFpCDblR8.MSVBVM60 ref: 0054715F
#685.MSVBVM60 ref: 0054716F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0054717D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 005471C8
__vbaFreeObj.MSVBVM60 ref: 005471FB
__vbaAryCopy.MSVBVM60(?,0054D8DC), ref: 005472E1

Part of subcall function 00545DF0: __vbaChkstk.MSVBVM60(?,00411816,?,?,?,?,?,?,?,?,?,00000000,00411816,00546A11), ref: 00545E0E
Part of subcall function 00545DF0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 00545E3E
Part of subcall function 00545DF0: __vbaStrMove.MSVBVM60 ref: 00545E62
Part of subcall function 00545DF0: __vbaStrCmp.MSVBVM60(00473D9C,?), ref: 00545E78
Part of subcall function 00545DF0: __vbaStrCat.MSVBVM60(?,MiniCSP SessionID: ), ref: 00545E96
Part of subcall function 00545DF0: __vbaStrMove.MSVBVM60 ref: 00545EA1
Part of subcall function 00545DF0: __vbaFreeStr.MSVBVM60(?), ref: 00545EB3
Part of subcall function 00545DF0: __vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 00545ECB
Part of subcall function 00545DF0: __vbaStrCmp.MSVBVM60(?,00000000), ref: 00545EEB
Part of subcall function 00545DF0: __vbaStrCopy.MSVBVM60 ref: 00545F0A
Part of subcall function 00545DF0: __vbaStrCopy.MSVBVM60 ref: 00545F21
Part of subcall function 00545DF0: __vbaStrCopy.MSVBVM60 ref: 00545F38
Part of subcall function 00545DF0: __vbaStrCopy.MSVBVM60 ref: 00545F4F
Part of subcall function 00545DF0: __vbaRedim.MSVBVM60(00000180,00000004,0054D854,00000008,00000001,00000000,00000000), ref: 00545F70
Part of subcall function 00545DF0: __vbaRedim.MSVBVM60(00000180,00000004,0054D8DC,00000008,00000001,00000000,00000000), ref: 00545F94

__vbaStrCopy.MSVBVM60 ref: 00547260
__vbaFreeStr.MSVBVM60(?), ref: 00547272
#685.MSVBVM60 ref: 005472F3
__vbaObjSet.MSVBVM60(?,00000000), ref: 00547301
__vbaFreeObj.MSVBVM60 ref: 00547325
__vbaStrCopy.MSVBVM60 ref: 0054733A
__vbaStrCopy.MSVBVM60 ref: 00547348
__vbaObjSet.MSVBVM60(?,00000000,AloahaInter.SemaPhore,00000000,?,?), ref: 00547375
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00547385
#685.MSVBVM60(?,?,?,?,00000000,00411816,00546A11), ref: 00547395
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000,00411816,00546A11), ref: 005473A3
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 005473EE
__vbaFreeObj.MSVBVM60 ref: 00547421
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00547443
#685.MSVBVM60 ref: 00547450
__vbaObjSet.MSVBVM60(?,00000000), ref: 0054745E
__vbaFreeObj.MSVBVM60 ref: 00547482
__vbaStrMove.MSVBVM60 ref: 00547499
__vbaChkstk.MSVBVM60 ref: 005474C8
__vbaStrMove.MSVBVM60 ref: 005474FB
__vbaStrCat.MSVBVM60(AloahaInter.dll,00000000), ref: 00547507
__vbaStrMove.MSVBVM60 ref: 00547512

Part of subcall function 0050D740: __vbaChkstk.MSVBVM60(00000000,00411816), ref: 0050D75E
Part of subcall function 0050D740: __vbaStrCopy.MSVBVM60(?,00000001,00000000,00000000,00411816), ref: 0050D78B
Part of subcall function 0050D740: __vbaVarDup.MSVBVM60(?,00000001,00000000,00000000,00411816), ref: 0050D797
Part of subcall function 0050D740: __vbaOnError.MSVBVM60(000000FF,?,00000001,00000000,00000000,00411816), ref: 0050D7A6
Part of subcall function 0050D740: __vbaStrCmp.MSVBVM60(true,00000000,?,00000001,00000000,00000000,00411816), ref: 0050D7BE
Part of subcall function 0050D740: #520.MSVBVM60(?,00004008), ref: 0050D7FB
Part of subcall function 0050D740: __vbaVarCmpNe.MSVBVM60(?,00008008,?,0000000B), ref: 0050D82B
Part of subcall function 0050D740: __vbaVarAnd.MSVBVM60(?,00000000), ref: 0050D839
Part of subcall function 0050D740: __vbaBoolVarNull.MSVBVM60(00000000), ref: 0050D840
Part of subcall function 0050D740: __vbaFreeVarList.MSVBVM60(00000002,?,0000000B), ref: 0050D85A
Part of subcall function 0050D740: __vbaStrCopy.MSVBVM60(00000000,00000000,00411816), ref: 0050D883
Part of subcall function 0050D740: #518.MSVBVM60(?,00004008), ref: 0050D8AE
Part of subcall function 0050D740: #619.MSVBVM60(?,?,00000004), ref: 0050D8BE
Part of subcall function 0050D740: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0050D8E3

__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000,00000000), ref: 0054752C
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00411816,00546A11), ref: 00547546
__vbaChkstk.MSVBVM60 ref: 00547575
__vbaStrMove.MSVBVM60 ref: 005475A8
__vbaStrCat.MSVBVM60(aloaha\AloahaInter.dll,00000000), ref: 005475B4
__vbaStrMove.MSVBVM60 ref: 005475BF

Part of subcall function 0050D740: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0050D8FA
Part of subcall function 0050D740: __vbaBoolVar.MSVBVM60(?), ref: 0050D919
Part of subcall function 0050D740: __vbaStrCopy.MSVBVM60 ref: 0050DC8C
Part of subcall function 0050D740: #685.MSVBVM60(00000000,00000000,00411816), ref: 0050DC99
Part of subcall function 0050D740: __vbaObjSet.MSVBVM60(?,00000000), ref: 0050DCA4
Part of subcall function 0050D740: __vbaFreeObj.MSVBVM60 ref: 0050DCC5
Part of subcall function 0050D740: __vbaFreeVar.MSVBVM60(0050DD12), ref: 0050DD02
Part of subcall function 0050D740: __vbaFreeStr.MSVBVM60 ref: 0050DD0B

__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000,00000000), ref: 005475D9
#685.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00411816,00546A11), ref: 005475E9
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00411816), ref: 005475F7
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00411816,00546A11), ref: 0054761B
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00411816,00546A11), ref: 00547630
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00411816,00546A11), ref: 0054763E

Part of subcall function 00523380: __vbaChkstk.MSVBVM60(?,00411816,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00411816), ref: 0052348E
Part of subcall function 00523380: __vbaStrCopy.MSVBVM60(?,00000000,?,?,00411816), ref: 005234BB
Part of subcall function 00523380: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00411816), ref: 005234CA
Part of subcall function 00523380: #518.MSVBVM60(?,00004008), ref: 00523515
Part of subcall function 00523380: __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 00523556
Part of subcall function 00523380: __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 00523564
Part of subcall function 00523380: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0052357B
Part of subcall function 00523380: #518.MSVBVM60(?,00004008), ref: 005235D4
Part of subcall function 00523380: __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 00523615
Part of subcall function 00523380: __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 00523623

__vbaObjSet.MSVBVM60(?,00000000,AloahaInter.SemaPhore,00000000,?,?), ref: 0054766B
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0054767B
__vbaChkstk.MSVBVM60 ref: 005476CC
__vbaChkstk.MSVBVM60 ref: 005476FB
__vbaChkstk.MSVBVM60 ref: 0054772A
__vbaLateMemCall.MSVBVM60(?,WaitingForSemaphore,00000003), ref: 0054775F
#685.MSVBVM60 ref: 0054776F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0054777D
__vbaFreeObj.MSVBVM60 ref: 005477A1
__vbaVarDup.MSVBVM60 ref: 00547813
#607.MSVBVM60(?,00000200,?), ref: 0054782C
__vbaStrVarMove.MSVBVM60(?), ref: 00547839
__vbaLsetFixstrFree.MSVBVM60(00000000,0077108C,00000000), ref: 00547849
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0054785F
__vbaAryCopy.MSVBVM60(?,?), ref: 00547936
__vbaVarMove.MSVBVM60 ref: 0054798E
__vbaLenBstr.MSVBVM60(0077108C), ref: 005479A1
__vbaStrCopy.MSVBVM60 ref: 005479BC
__vbaLsetFixstr.MSVBVM60(00000000,0077108C,?,00000000,00000000,?,0054D8D8), ref: 005479F0
__vbaFreeStr.MSVBVM60 ref: 00547A04
__vbaStrCopy.MSVBVM60(00477FFC,00473D9C,00000001,000000FF,00000000), ref: 00547A6F
#712.MSVBVM60(00000000), ref: 00547A76
__vbaStrMove.MSVBVM60 ref: 00547A81
__vbaLsetFixstr.MSVBVM60(00000000,0077108C,?), ref: 00547A94
#520.MSVBVM60(?,00000008), ref: 00547ACE
#608.MSVBVM60(?,00000000), ref: 00547ADD
__vbaStrVarVal.MSVBVM60(?,?,00473D9C,00000001,000000FF,00000000), ref: 00547AFC
__vbaStrVarVal.MSVBVM60(?,?,00000000), ref: 00547B0E
#712.MSVBVM60(00000000), ref: 00547B15
__vbaStrMove.MSVBVM60 ref: 00547B23
__vbaStrMove.MSVBVM60(00480108,00473D9C,00000001,000000FF,00000000), ref: 00547B5B
#712.MSVBVM60(00000000), ref: 00547B62
__vbaStrMove.MSVBVM60 ref: 00547B70
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 00547B7C
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,00000000), ref: 00547BB7
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 00547BD7
__vbaStrCopy.MSVBVM60 ref: 00547C01
__vbaStrCopy.MSVBVM60 ref: 00547C19

Part of subcall function 0054B1E0: __vbaChkstk.MSVBVM60(00000001,00411816), ref: 0054B1FE
Part of subcall function 0054B1E0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000001,00411816), ref: 0054B22E
Part of subcall function 0054B1E0: __vbaStrCmp.MSVBVM60(true,0077F2F4), ref: 0054B291
Part of subcall function 0054B1E0: __vbaStrErrVarCopy.MSVBVM60(?,MiniCSP_HID get_ScardContext returned: ), ref: 0054B2AB
Part of subcall function 0054B1E0: __vbaStrMove.MSVBVM60 ref: 0054B2B6
Part of subcall function 0054B1E0: __vbaStrCat.MSVBVM60(00000000), ref: 0054B2BD
Part of subcall function 0054B1E0: __vbaStrMove.MSVBVM60 ref: 0054B2C8
Part of subcall function 0054B1E0: __vbaFreeStrList.MSVBVM60(00000002,?,?,?), ref: 0054B2E1
Part of subcall function 0054B1E0: #685.MSVBVM60(?,?,?,00000001,00411816), ref: 0054B32E
Part of subcall function 0054B1E0: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000001,00411816), ref: 0054B339
Part of subcall function 0054B1E0: __vbaFreeObj.MSVBVM60(?,?,?,00000001,00411816), ref: 0054B351
Part of subcall function 0054B1E0: __vbaFreeVar.MSVBVM60(0054B385,?,?,?,00000001,00411816), ref: 0054B37E

__vbaStrCopy.MSVBVM60 ref: 00547C2F

Part of subcall function 00548720: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,00547C3B,00000000), ref: 0054873E
Part of subcall function 00548720: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 0054876B
Part of subcall function 00548720: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816), ref: 0054877A
Part of subcall function 00548720: #712.MSVBVM60(000000FF,00477FFC,00473D9C,00000001,000000FF,00000000,?,?,?,00000000,00411816), ref: 0054879B
Part of subcall function 00548720: #520.MSVBVM60(?,00000008), ref: 005487B3
Part of subcall function 00548720: #608.MSVBVM60(?,00000000), ref: 005487C2
Part of subcall function 00548720: __vbaStrVarVal.MSVBVM60(?,?,00473D9C,00000001,000000FF,00000000), ref: 005487DE
Part of subcall function 00548720: __vbaStrVarVal.MSVBVM60(?,?,00000000), ref: 005487ED
Part of subcall function 00548720: #712.MSVBVM60(00000000), ref: 005487F4
Part of subcall function 00548720: __vbaStrMove.MSVBVM60 ref: 005487FF
Part of subcall function 00548720: __vbaStrMove.MSVBVM60(00480108,00473D9C,00000001,000000FF,00000000), ref: 0054882E
Part of subcall function 00548720: #712.MSVBVM60(00000000), ref: 00548835
Part of subcall function 00548720: __vbaStrMove.MSVBVM60 ref: 00548840
Part of subcall function 00548720: __vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 0054884C
Part of subcall function 00548720: __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00548877

__vbaLsetFixstr.MSVBVM60(00000000,0077108C,?,00000000), ref: 00547C4D
__vbaAryMove.MSVBVM60(?,?), ref: 00547C6A
__vbaFreeStr.MSVBVM60 ref: 00547C73
#685.MSVBVM60 ref: 00547C80
__vbaObjSet.MSVBVM60(?,00000000), ref: 00547C8E
__vbaFreeObj.MSVBVM60 ref: 00547CB2
__vbaGenerateBoundsError.MSVBVM60 ref: 00547CF6
__vbaGenerateBoundsError.MSVBVM60 ref: 00547D13
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 00547D34
#685.MSVBVM60 ref: 00547D49
__vbaObjSet.MSVBVM60(?,00000000), ref: 00547D57
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 00547DA2
__vbaFreeObj.MSVBVM60 ref: 00547DD5
__vbaAryCopy.MSVBVM60(?,00000000), ref: 00547E01
__vbaAryCopy.MSVBVM60(?,00000000), ref: 00547E22
__vbaAryCopy.MSVBVM60(?,00000000), ref: 00547E39
__vbaAryCopy.MSVBVM60(?,00000000), ref: 00547E4E
__vbaAryCopy.MSVBVM60(?,?), ref: 00547E71
__vbaAryCopy.MSVBVM60(?,?), ref: 00547E92
__vbaAryCopy.MSVBVM60(?,?), ref: 00547EB5
__vbaAryCopy.MSVBVM60(?,?), ref: 00547ED6
#685.MSVBVM60 ref: 00547F67
__vbaObjSet.MSVBVM60(?,00000000), ref: 00547F75
__vbaFreeObj.MSVBVM60 ref: 00547F99
__vbaAryLock.MSVBVM60(?,?), ref: 00547FAE
__vbaGenerateBoundsError.MSVBVM60 ref: 00547FEB
__vbaGenerateBoundsError.MSVBVM60 ref: 00548008
#520.MSVBVM60(?,00004008), ref: 0054803E
__vbaAryUnlock.MSVBVM60(00000000), ref: 00548048
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 00548070
__vbaFreeVar.MSVBVM60 ref: 00548083
#685.MSVBVM60 ref: 0054809F
__vbaObjSet.MSVBVM60(?,00000000), ref: 005480AD
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 005480F8
__vbaFreeObj.MSVBVM60 ref: 0054812B
__vbaAryCopy.MSVBVM60(?,?), ref: 0054814B
__vbaAryCopy.MSVBVM60(?,?), ref: 00548160
#685.MSVBVM60 ref: 00548172
__vbaObjSet.MSVBVM60(?,00000000), ref: 00548180
__vbaFreeObj.MSVBVM60 ref: 005481A4
__vbaAryLock.MSVBVM60(00000000,?), ref: 005481B9
__vbaGenerateBoundsError.MSVBVM60 ref: 005481F6
__vbaGenerateBoundsError.MSVBVM60 ref: 00548213
#520.MSVBVM60(?,00004008), ref: 00548249
__vbaAryUnlock.MSVBVM60(00000000), ref: 00548253
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0054827B
__vbaFreeVar.MSVBVM60 ref: 0054828E
#685.MSVBVM60 ref: 005482AA
__vbaObjSet.MSVBVM60(?,00000000), ref: 005482B8
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 00548303
__vbaFreeObj.MSVBVM60 ref: 00548336
#685.MSVBVM60 ref: 00548350
__vbaObjSet.MSVBVM60(?,00000000), ref: 0054835E
__vbaFreeObj.MSVBVM60 ref: 00548382
__vbaGenerateBoundsError.MSVBVM60 ref: 00548434
__vbaGenerateBoundsError.MSVBVM60 ref: 00548451
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 00548472
#685.MSVBVM60 ref: 00548487
__vbaObjSet.MSVBVM60(?,00000000), ref: 00548495
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 005484E0
__vbaFreeObj.MSVBVM60 ref: 00548513
#546.MSVBVM60(?), ref: 00548532
__vbaStrR8.MSVBVM60 ref: 0054854A
__vbaStrMove.MSVBVM60 ref: 00548557
__vbaFreeVar.MSVBVM60 ref: 00548563
__vbaAryCopy.MSVBVM60(0054D8DC,00000000), ref: 00548579
__vbaStrCopy.MSVBVM60 ref: 00548592
__vbaStrCopy.MSVBVM60 ref: 005485AB
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005485BE
#685.MSVBVM60 ref: 005485CB
__vbaObjSet.MSVBVM60(?,00000000), ref: 005485D9
__vbaFreeObj.MSVBVM60 ref: 005485FD
__vbaAryDestruct.MSVBVM60(00000000,?,005486F8), ref: 00548697
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 005486A6
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 005486BE
__vbaFreeObj.MSVBVM60 ref: 005486C7
__vbaAryDestruct.MSVBVM60(00000000,00000000), ref: 005486D3

Strings

WaitingForSemaphore, xrefs: 00547756
AloahaInter.SemaPhore, xrefs: 00547366, 0054765C
Using MiniCSP Readers from Cache, xrefs: 00547258
PCSCCardReaders, xrefs: 0054768B
null, xrefs: 00546D5F, 00546D8F
}, xrefs: 00547F4F
AloahaInter.dll, xrefs: 00547502
aloaha\AloahaInter.dll, xrefs: 005475AF
c, xrefs: 00547971

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Copy$Move$#685$Error$List$Chkstk$BoundsGenerate$#520$CheckHresult$#712$#518BoolDestructFixstrLset$Null$#546#608AddrefCallLateLockRedimUnlock$#607#619BstrConstruct2
String ID: AloahaInter.SemaPhore$AloahaInter.dll$PCSCCardReaders$Using MiniCSP Readers from Cache$WaitingForSemaphore$aloaha\AloahaInter.dll$c$null$}
API String ID: 1480323436-1235721303
Opcode ID: 73e9851ffd989a5c4bdefee8ea63de6df8a06c0aff590f61d1ffed411da96872
Instruction ID: 1b7c3f4d082794a5ba59352de44e835b2d36676df4636629d4ad14bb59d1d13d
Opcode Fuzzy Hash: 73e9851ffd989a5c4bdefee8ea63de6df8a06c0aff590f61d1ffed411da96872
Instruction Fuzzy Hash: FBF21875900218DFDB24DFA0DE48BEDBBB4FF48305F108599E60AA72A0DB745A89CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0051DAE0 Relevance: 372.4, APIs: 203, Strings: 9, Instructions: 1361
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,004EC716,?,?), ref: 0051DAFE
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816), ref: 0051DB2E
__vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 0051DB43
__vbaStrCmp.MSVBVM60(00473D9C), ref: 0051DB68
__vbaInStr.MSVBVM60(00000000,004775E8,?,00000001), ref: 0051DB8C
__vbaVarDup.MSVBVM60 ref: 0051DBBE
#711.MSVBVM60(?,?,?,000000FF,00000000), ref: 0051DBD6
__vbaRefVarAry.MSVBVM60(?,?,?,000000FF,00000000), ref: 0051DBE0
__vbaUbound.MSVBVM60(00000001,?,?,?,000000FF,00000000), ref: 0051DBEB
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,000000FF,00000000), ref: 0051DC1E
#711.MSVBVM60(?,?,?,000000FF,00000000,?,?,?,?,?,?,000000FF,00000000), ref: 0051DC39
__vbaChkstk.MSVBVM60(?,?,000000FF,00000000,?,?,?,?,?,?,000000FF,00000000), ref: 0051DC44
__vbaVarIndexLoad.MSVBVM60(?,?,00000001,?,?,000000FF,00000000,?,?,?,?,?,?,000000FF,00000000), ref: 0051DC7E
__vbaStrVarMove.MSVBVM60(00000000,?,?,?,?,?,00000000,00411816), ref: 0051DC88
__vbaStrMove.MSVBVM60(?,?,?,?,?,00000000,00411816), ref: 0051DC93
__vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?,?,?,?,?,?,00000000,00411816), ref: 0051DCB5
__vbaLenBstr.MSVBVM60(00000000), ref: 0051DCDE
__vbaLenBstr.MSVBVM60 ref: 0051DCF5
#617.MSVBVM60(?,00004008,-00000001), ref: 0051DD0F
__vbaStrVarMove.MSVBVM60(?), ref: 0051DD19
__vbaStrMove.MSVBVM60 ref: 0051DD24
__vbaFreeVar.MSVBVM60 ref: 0051DD2D
__vbaStrCmp.MSVBVM60(00473D9C), ref: 0051DD45
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 0051DD5D
__vbaVarDup.MSVBVM60 ref: 0051DDAA
#711.MSVBVM60(?,00000000,?,000000FF,00000000), ref: 0051DDC2
__vbaChkstk.MSVBVM60 ref: 0051DDCD
__vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 0051DE05
#518.MSVBVM60(?,00000000), ref: 0051DE16
__vbaAryUnlock.MSVBVM60(?), ref: 0051DE20
__vbaStrVarMove.MSVBVM60(?), ref: 0051DE2D
__vbaStrMove.MSVBVM60 ref: 0051DE38
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0051DE53
__vbaLenBstr.MSVBVM60 ref: 0051DE7C
__vbaLenBstr.MSVBVM60(?), ref: 0051DE88
#619.MSVBVM60(?,00004008,-00000001), ref: 0051DEAB
__vbaStrVarMove.MSVBVM60(?), ref: 0051DEB5
__vbaStrMove.MSVBVM60 ref: 0051DEC0
__vbaFreeVar.MSVBVM60 ref: 0051DEC9
__vbaStrCopy.MSVBVM60 ref: 0051DEDF
__vbaStrCmp.MSVBVM60(hklm,?), ref: 0051DEF8
__vbaStrCmp.MSVBVM60(hkcu,?), ref: 0051DF28
__vbaStrCmp.MSVBVM60(hkcr,?), ref: 0051DF58
__vbaStrCopy.MSVBVM60 ref: 0051DFE9
__vbaStrCopy.MSVBVM60 ref: 0051DFFE
__vbaStrCopy.MSVBVM60 ref: 0051E013
#518.MSVBVM60(?,00004008), ref: 0051E03E
__vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 0051E07F
__vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 0051E08D
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0051E0A4
#712.MSVBVM60(?,Software,SOFTWARE,00000001,000000FF,00000000), ref: 0051E0D3
__vbaStrMove.MSVBVM60 ref: 0051E0DE
#712.MSVBVM60(?,software,SOFTWARE,00000001,000000FF,00000000), ref: 0051E0FF
__vbaStrMove.MSVBVM60 ref: 0051E10A
__vbaStrToAnsi.MSVBVM60(?,?,00000000,00020006,?), ref: 0051E12A
__vbaSetSystemError.MSVBVM60(80000002,00000000), ref: 0051E140
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0051E14E
__vbaFreeStr.MSVBVM60 ref: 0051E16C
__vbaStrToAnsi.MSVBVM60(?,?), ref: 0051E191
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 0051E1A7
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0051E1B5
__vbaFreeStr.MSVBVM60 ref: 0051E1D0
__vbaSetSystemError.MSVBVM60(00000000), ref: 0051E1F3
__vbaStrCopy.MSVBVM60 ref: 0051E214
#685.MSVBVM60 ref: 0051E221
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051E22C
__vbaFreeObj.MSVBVM60 ref: 0051E24D
__vbaFreeStr.MSVBVM60(0051E2CD), ref: 0051E2A2
__vbaFreeStr.MSVBVM60 ref: 0051E2AB
__vbaFreeStr.MSVBVM60 ref: 0051E2B4
__vbaFreeStr.MSVBVM60 ref: 0051E2BD
__vbaFreeStr.MSVBVM60 ref: 0051E2C6
__vbaErrorOverflow.MSVBVM60 ref: 0051E2E4
__vbaChkstk.MSVBVM60(00000000,00411816,HKLM\Software\Aloaha\forceHKLM,?,?,00000000,00000000,00411816,0050FC37), ref: 0051E30E
__vbaStrCopy.MSVBVM60(?,?,00000000,00000000,00411816,HKLM\Software\Aloaha\forceHKLM), ref: 0051E33B
__vbaOnError.MSVBVM60(000000FF,?,?,00000000,00000000,00411816,HKLM\Software\Aloaha\forceHKLM), ref: 0051E34A
__vbaStrCopy.MSVBVM60(?,?,00000000,00000000,00411816,HKLM\Software\Aloaha\forceHKLM), ref: 0051E35D
#518.MSVBVM60(?,00004008), ref: 0051E388
__vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 0051E3CC
__vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 0051E3DA
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0051E3F4
#712.MSVBVM60(?,Software,SOFTWARE,00000001,000000FF,00000000,?,00000000,00411816), ref: 0051E423
__vbaStrMove.MSVBVM60(?,00000000,00411816), ref: 0051E42E
#712.MSVBVM60(?,software,SOFTWARE,00000001,000000FF,00000000,?,00000000,00411816), ref: 0051E44F
__vbaStrMove.MSVBVM60(?,00000000,00411816), ref: 0051E45A
__vbaVarDup.MSVBVM60 ref: 0051E498
#711.MSVBVM60(?,?,?,000000FF,00000000), ref: 0051E4B1
__vbaChkstk.MSVBVM60 ref: 0051E4BC
__vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 0051E4FA
#518.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,00000000,00411816,HKLM\Software\Aloaha\forceHKLM), ref: 0051E50B
__vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00000000,00411816,HKLM\Software\Aloaha\forceHKLM), ref: 0051E515
__vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00000000,00411816,HKLM\Software\Aloaha\forceHKLM), ref: 0051E522
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00000000,00411816,HKLM\Software\Aloaha\forceHKLM), ref: 0051E52D
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00411816), ref: 0051E54E
__vbaLenBstr.MSVBVM60(?), ref: 0051E575
__vbaLenBstr.MSVBVM60(?), ref: 0051E581
#619.MSVBVM60(?,00004008,-00000001), ref: 0051E5A4
__vbaStrVarMove.MSVBVM60(?), ref: 0051E5AE
__vbaStrMove.MSVBVM60 ref: 0051E5B9
__vbaFreeVar.MSVBVM60 ref: 0051E5C2
__vbaVarDup.MSVBVM60 ref: 0051E5EC
#711.MSVBVM60(?,?,?,000000FF,00000000), ref: 0051E605

Strings

G, xrefs: 0051F023
hkcu, xrefs: 0051DF23, 0051E7E5
hkcr, xrefs: 0051DF53, 0051E815
hklm, xrefs: 0051DEF3, 0051E7B5
SOFTWARE, xrefs: 0051E0C5, 0051E0F1, 0051E415, 0051E441
Software, xrefs: 0051E0CA, 0051E41A
hkcc, xrefs: 0051DFAD, 0051E86F
hku, xrefs: 0051DF80, 0051E842
software, xrefs: 0051E044, 0051E0F6, 0051E38E, 0051E446

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$FreeMove$Copy$BstrError$#711ChkstkList$#518#712$IndexLoadSystem$#619AnsiLockUnicodeUnlock$#617#685OverflowUbound
String ID: G$SOFTWARE$Software$hkcc$hkcr$hkcu$hklm$hku$software
API String ID: 3325186235-4133662486
Opcode ID: c29337e6679869b13eba084e544c75a92605dfc60ddc59e6625f03eb072d3662
Instruction ID: eefe90d2ab6bb5cecb8d98e018882a98682701749757069dec786a6ebc3639a7
Opcode Fuzzy Hash: c29337e6679869b13eba084e544c75a92605dfc60ddc59e6625f03eb072d3662
Instruction Fuzzy Hash: BDD2F675900218EFDB14DFA0DD88BDDBBB5FB48304F1085A9E50ABB2A0DB745A89CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00531FD0 Relevance: 314.4, APIs: 170, Strings: 9, Instructions: 1186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,004CB93C,?,00000001,?,00000000,00411816), ref: 00531FEE
__vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000001,?,00000000,00411816,004CB93C), ref: 0053201E
__vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000001,?,00000000,00411816,004CB93C), ref: 0053202D
__vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,00411816,004CB93C), ref: 0053203C
#520.MSVBVM60(?,00004008), ref: 0053206B
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 00532093
__vbaFreeVar.MSVBVM60 ref: 005320A6
__vbaStrCopy.MSVBVM60 ref: 005320CA
#520.MSVBVM60(?,00000008,?), ref: 005320F7
__vbaStrVarMove.MSVBVM60(?), ref: 00532104
__vbaStrMove.MSVBVM60 ref: 00532111
__vbaFreeStr.MSVBVM60 ref: 0053211A
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 00532130
#520.MSVBVM60(?,00004008), ref: 00532162
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0053218A
__vbaFreeVar.MSVBVM60 ref: 0053219D
__vbaStrCopy.MSVBVM60 ref: 005321BD
#520.MSVBVM60(?,00000008,?), ref: 005321EA
__vbaStrVarMove.MSVBVM60(?), ref: 005321F7
__vbaStrMove.MSVBVM60 ref: 00532204
__vbaFreeStr.MSVBVM60 ref: 0053220D
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 00532223

Part of subcall function 004F0CA0: __vbaChkstk.MSVBVM60(?,00411816), ref: 004F0CBE
Part of subcall function 004F0CA0: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00411816), ref: 004F0CEE
Part of subcall function 004F0CA0: __vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004F0D21
Part of subcall function 004F0CA0: #712.MSVBVM60(?,Sofware\,Software\,00000001,000000FF,00000000), ref: 004F0D54
Part of subcall function 004F0CA0: __vbaStrMove.MSVBVM60(?,Sofware\,Software\,00000001,000000FF,00000000), ref: 004F0D5F
Part of subcall function 004F0CA0: #712.MSVBVM60(?,hklm\,HKLM\,00000001,000000FF,00000000,?,Sofware\,Software\,00000001,000000FF,00000000), ref: 004F0D82
Part of subcall function 004F0CA0: __vbaStrMove.MSVBVM60(?,hklm\,HKLM\,00000001,000000FF,00000000,?,Sofware\,Software\,00000001,000000FF,00000000), ref: 004F0D8D
Part of subcall function 004F0CA0: #712.MSVBVM60(00000000,hkcu\,HKCU\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001,000000FF,00000000,?,Sofware\,Software\,00000001), ref: 004F0DB0
Part of subcall function 004F0CA0: __vbaStrMove.MSVBVM60(?,hklm\,HKLM\,00000001,000000FF,00000000,?,Sofware\,Software\,00000001,000000FF,00000000), ref: 004F0DBB
Part of subcall function 004F0CA0: #712.MSVBVM60(?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001,000000FF,00000000,?,Sofware\,Software\,00000001), ref: 004F0DDE
Part of subcall function 004F0CA0: __vbaStrMove.MSVBVM60(?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001,000000FF,00000000,?,Sofware\,Software\,00000001), ref: 004F0DE9
Part of subcall function 004F0CA0: #712.MSVBVM60(?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001), ref: 004F0E0C

#520.MSVBVM60(?,00004008), ref: 00532255
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 0053227D
__vbaFreeVar.MSVBVM60 ref: 00532290
__vbaStrCopy.MSVBVM60 ref: 005322BA
__vbaFreeStr.MSVBVM60(?,?), ref: 005322D3
__vbaStrCopy.MSVBVM60 ref: 005322F2
__vbaFreeStr.MSVBVM60(?,?), ref: 0053230B
#520.MSVBVM60(?,00004008), ref: 0053233A
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 00532362
__vbaFreeVar.MSVBVM60 ref: 00532375
__vbaStrCopy.MSVBVM60 ref: 00532397
#520.MSVBVM60(?,00004008), ref: 005323C6
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 005323EE
__vbaFreeVar.MSVBVM60 ref: 00532401
__vbaStrCopy.MSVBVM60 ref: 00532425
#520.MSVBVM60(?,00000008,?), ref: 00532452
__vbaStrVarMove.MSVBVM60(?), ref: 0053245F
__vbaStrMove.MSVBVM60 ref: 0053246C
__vbaFreeStr.MSVBVM60 ref: 00532475
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0053248B
#520.MSVBVM60(?,00004008), ref: 005324BD
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 005324E5
__vbaFreeVar.MSVBVM60 ref: 005324F8
__vbaStrCopy.MSVBVM60 ref: 00532518
#520.MSVBVM60(?,00000008,?), ref: 00532545
__vbaStrVarMove.MSVBVM60(?), ref: 00532552
__vbaStrMove.MSVBVM60 ref: 0053255F
__vbaFreeStr.MSVBVM60 ref: 00532568
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0053257E
#520.MSVBVM60(?,00004008), ref: 005325B0
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 005325D8
__vbaFreeVar.MSVBVM60 ref: 005325EB
__vbaStrCopy.MSVBVM60 ref: 00532615
__vbaFreeStr.MSVBVM60(?,?), ref: 0053262E
__vbaStrCopy.MSVBVM60 ref: 0053264D

Part of subcall function 004F0CA0: __vbaStrMove.MSVBVM60(?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001), ref: 004F0E17
Part of subcall function 004F0CA0: #712.MSVBVM60(00000000,Software\,SOFTWARE\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hlcr\,HKCR\,00000001), ref: 004F0E3A
Part of subcall function 004F0CA0: __vbaStrMove.MSVBVM60(?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001), ref: 004F0E45
Part of subcall function 004F0CA0: #712.MSVBVM60(?,system\,SYSTEM\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hlcr\,HKCR\,00000001), ref: 004F0E68
Part of subcall function 004F0CA0: __vbaStrMove.MSVBVM60(?,system\,SYSTEM\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hlcr\,HKCR\,00000001), ref: 004F0E73
Part of subcall function 004F0CA0: #712.MSVBVM60(?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001), ref: 004F0E96
Part of subcall function 004F0CA0: __vbaStrMove.MSVBVM60(?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001), ref: 004F0EA1
Part of subcall function 004F0CA0: __vbaStrCopy.MSVBVM60(?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001), ref: 004F0EB6
Part of subcall function 004F0CA0: __vbaStrMove.MSVBVM60(00000001,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001,000000FF,00000000,?,software\,SOFTWARE\), ref: 004F0ECA
Part of subcall function 004F0CA0: __vbaFreeStr.MSVBVM60(?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001), ref: 004F0ED3
Part of subcall function 004F0CA0: #712.MSVBVM60(?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001), ref: 004F0EF6
Part of subcall function 004F0CA0: __vbaStrMove.MSVBVM60(?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001), ref: 004F0F01
Part of subcall function 004F0CA0: __vbaStrCopy.MSVBVM60(?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001), ref: 004F0F18
Part of subcall function 004F0CA0: __vbaStrCmp.MSVBVM60(00473D9C,007B8E94,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\), ref: 004F0F3D
Part of subcall function 004F0CA0: __vbaStrCmp.MSVBVM60(00473D9C,?,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\), ref: 004F0F59
Part of subcall function 004F0CA0: __vbaStrCmp.MSVBVM60(007B8E94,00000000,?,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000), ref: 004F0F8B

__vbaFreeStr.MSVBVM60(?,?), ref: 00532666
#520.MSVBVM60(?,00004008), ref: 00532695
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 005326BD
__vbaFreeVar.MSVBVM60 ref: 005326D0
__vbaStrCopy.MSVBVM60 ref: 005326F2
#520.MSVBVM60(?,00004008), ref: 00532721
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 00532749
__vbaFreeVar.MSVBVM60 ref: 0053275C
__vbaStrCmp.MSVBVM60(004740D4,0077F024), ref: 005327AF
__vbaStrCopy.MSVBVM60 ref: 00533503
#685.MSVBVM60 ref: 00533510
__vbaObjSet.MSVBVM60(?,00000000), ref: 0053351B
__vbaFreeObj.MSVBVM60 ref: 0053353C
__vbaAryDestruct.MSVBVM60(00000000,?,005335E5), ref: 005335AE
__vbaFreeStr.MSVBVM60 ref: 005335B7
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 005335C3
__vbaFreeStr.MSVBVM60 ref: 005335CC
__vbaFreeStr.MSVBVM60 ref: 005335D5
__vbaFreeStr.MSVBVM60 ref: 005335DE

Strings

HKLM\Software\Aloaha\CSP\ForceHID, xrefs: 0053241D, 0053260D
c, xrefs: 00532E74
true, xrefs: 0053283E, 00532879, 00532CFA, 005333FF
HKLM\Software\Aloaha\CSP\AllowHID, xrefs: 005320C2, 005322B2
HKLM\Software\Aloaha\CSP\UseCSPReg, xrefs: 00532A6F
HKCU\Software\Aloaha\CSP\UseCSPReg, xrefs: 00532B62
HKCU\Software\Aloaha\CSP\AllowHID, xrefs: 005321B5, 005322EA
HKCU\Software\Aloaha\CSP\ForceHID, xrefs: 00532510, 00532645
}, xrefs: 0053342B

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Move$#520Copy$#712$List$ChkstkConstructDestructErrorFixstr$#685
String ID: HKCU\Software\Aloaha\CSP\AllowHID$HKCU\Software\Aloaha\CSP\ForceHID$HKCU\Software\Aloaha\CSP\UseCSPReg$HKLM\Software\Aloaha\CSP\AllowHID$HKLM\Software\Aloaha\CSP\ForceHID$HKLM\Software\Aloaha\CSP\UseCSPReg$c$true$}
API String ID: 2189096737-3431907794
Opcode ID: 8f1efa809be1b47e29a893329d55eb50f54468ca3da5245536f26fff67b0e5bc
Instruction ID: 3d3e2d1ac360625775707747988ee26c51c76dbd5c17377a486424ac71e44daf
Opcode Fuzzy Hash: 8f1efa809be1b47e29a893329d55eb50f54468ca3da5245536f26fff67b0e5bc
Instruction Fuzzy Hash: B5D2D675801218DBDB14DFA0DE48BEDBBB4FF48305F1085AAE509B72A0DB745A89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 005006B0 Relevance: 300.2, APIs: 151, Strings: 20, Instructions: 929
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,0052D608,?,?,?,?,00411816,004B1BE8), ref: 005006CE
__vbaStrCopy.MSVBVM60(?,00000001,?,00000000,00411816,0052D608), ref: 00500725
#526.MSVBVM60(?,000000FF,?,00000001,?,00000000,00411816,0052D608), ref: 00500740
__vbaStrVarMove.MSVBVM60(?,?,00000001,?,00000000,00411816,0052D608), ref: 0050074A
__vbaStrMove.MSVBVM60(?,00000001,?,00000000,00411816,0052D608), ref: 00500755
__vbaFreeVar.MSVBVM60(?,00000001,?,00000000,00411816,0052D608), ref: 0050075E
__vbaStrToAnsi.MSVBVM60(000000FF,?,000000FF), ref: 00500785
__vbaSetSystemError.MSVBVM60(00000000), ref: 00500794
__vbaStrToUnicode.MSVBVM60(?,?), ref: 005007A2
__vbaFreeStr.MSVBVM60 ref: 005007BA
#616.MSVBVM60(?,000000FE), ref: 005007E0
__vbaStrMove.MSVBVM60 ref: 005007EB
#685.MSVBVM60 ref: 0050080F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0050081A
__vbaFreeObj.MSVBVM60 ref: 00500832
__vbaFreeStr.MSVBVM60(00500878), ref: 00500871
__vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,00411816,0052D608), ref: 005006FE

Part of subcall function 0051F160: __vbaChkstk.MSVBVM60(00000000,00411816), ref: 0051F17E
Part of subcall function 0051F160: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00411816), ref: 0051F1AE
Part of subcall function 0051F160: __vbaStrCmp.MSVBVM60(true,0075A9E4), ref: 0051F1E0
Part of subcall function 0051F160: __vbaStrCmp.MSVBVM60(false,0075A9E4), ref: 0051F1FA

Strings

SOFTWARE\Aloaha\pdf, xrefs: 00500CE0
local system, xrefs: 00501381
local service, xrefs: 00501421
username, xrefs: 00500A1A
localservice, xrefs: 00501471
usernotfound, xrefs: 005012DA, 005015C2
Software\Microsoft\Windows\CurrentVersion\Explorer, xrefs: 00500B5A
P, xrefs: 005012D3
winpe, xrefs: 0050071D, 00500965
true, xrefs: 0050091B, 0050093C, 00500BE0, 00500D66, 0050113D, 005015A4
Qh|GG, xrefs: 0050091A
network, xrefs: 005013D1
HKCU\SOFTWARE\Aloaha\pdf\, xrefs: 00500D7C, 00500DD3, 00501157, 005011CC, 0050120A, 00501278
system, xrefs: 0050133A
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Logon User Name, xrefs: 00500BF6, 00500C2D
USERNAME, xrefs: 00500AD7
NWUSERNAME, xrefs: 00500E41
alias, xrefs: 00500CD2, 00500D81, 00500DD8, 0050115C, 005011D1, 0050120F, 0050127D
Logon User Name, xrefs: 00500B4C
Z, xrefs: 005015E8

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$ErrorMove$Chkstk$#526#616#685AnsiCopySystemUnicode
String ID: HKCU\SOFTWARE\Aloaha\pdf\$HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Logon User Name$Logon User Name$NWUSERNAME$P$Qh|GG$SOFTWARE\Aloaha\pdf$Software\Microsoft\Windows\CurrentVersion\Explorer$USERNAME$Z$alias$local service$local system$localservice$network$system$true$username$usernotfound$winpe
API String ID: 3916836903-3299935217
Opcode ID: be0db7e2fa4d07a1ef1cf2f2dcae3907a2b178d877658b4a3810346d30624071
Instruction ID: 7f06321d92f5faa0d0fcf736e03f437fc9aa4c669c5addd304c33c4bdaa734da
Opcode Fuzzy Hash: be0db7e2fa4d07a1ef1cf2f2dcae3907a2b178d877658b4a3810346d30624071
Instruction Fuzzy Hash: 89923975A00209DBDB14DFA0DE48BEEBBB8FB48305F14816DE506B72A0DB745A49CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004F0CA0 Relevance: 242.3, APIs: 112, Strings: 26, Instructions: 817
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,00411816), ref: 004F0CBE
__vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00411816), ref: 004F0CEE

Part of subcall function 0051CEF0: __vbaChkstk.MSVBVM60(00000000,00411816), ref: 0051CF0E
Part of subcall function 0051CEF0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816), ref: 0051CF3E
Part of subcall function 0051CEF0: __vbaStrCmp.MSVBVM60(true,00000000,?,?,?,00000000,00411816), ref: 0051CF56
Part of subcall function 0051CEF0: #685.MSVBVM60 ref: 0051CFAF
Part of subcall function 0051CEF0: __vbaObjSet.MSVBVM60(00000000,00000000), ref: 0051CFBA
Part of subcall function 0051CEF0: __vbaFreeObj.MSVBVM60 ref: 0051CFD2

__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004F0D21
#712.MSVBVM60(?,Sofware\,Software\,00000001,000000FF,00000000), ref: 004F0D54
__vbaStrMove.MSVBVM60(?,Sofware\,Software\,00000001,000000FF,00000000), ref: 004F0D5F
#712.MSVBVM60(?,hklm\,HKLM\,00000001,000000FF,00000000,?,Sofware\,Software\,00000001,000000FF,00000000), ref: 004F0D82
__vbaStrMove.MSVBVM60(?,hklm\,HKLM\,00000001,000000FF,00000000,?,Sofware\,Software\,00000001,000000FF,00000000), ref: 004F0D8D
#712.MSVBVM60(00000000,hkcu\,HKCU\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001,000000FF,00000000,?,Sofware\,Software\,00000001), ref: 004F0DB0
__vbaStrMove.MSVBVM60(?,hklm\,HKLM\,00000001,000000FF,00000000,?,Sofware\,Software\,00000001,000000FF,00000000), ref: 004F0DBB
#712.MSVBVM60(?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001,000000FF,00000000,?,Sofware\,Software\,00000001), ref: 004F0DDE
__vbaStrMove.MSVBVM60(?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001,000000FF,00000000,?,Sofware\,Software\,00000001), ref: 004F0DE9
#712.MSVBVM60(?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001), ref: 004F0E0C
__vbaStrMove.MSVBVM60(?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001), ref: 004F0E17
#712.MSVBVM60(00000000,Software\,SOFTWARE\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hlcr\,HKCR\,00000001), ref: 004F0E3A
__vbaStrMove.MSVBVM60(?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001), ref: 004F0E45
#712.MSVBVM60(?,system\,SYSTEM\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hlcr\,HKCR\,00000001), ref: 004F0E68
__vbaStrMove.MSVBVM60(?,system\,SYSTEM\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hlcr\,HKCR\,00000001), ref: 004F0E73
#712.MSVBVM60(?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001), ref: 004F0E96
__vbaStrMove.MSVBVM60(?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001), ref: 004F0EA1
__vbaStrCopy.MSVBVM60(?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001), ref: 004F0EB6
__vbaStrMove.MSVBVM60(00000001,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001,000000FF,00000000,?,software\,SOFTWARE\), ref: 004F0ECA
__vbaFreeStr.MSVBVM60(?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001), ref: 004F0ED3
#712.MSVBVM60(?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001), ref: 004F0EF6
__vbaStrMove.MSVBVM60(?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001), ref: 004F0F01
__vbaStrCopy.MSVBVM60(?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001), ref: 004F0F18
__vbaStrCmp.MSVBVM60(00473D9C,007B8E94,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\), ref: 004F0F3D
__vbaStrCmp.MSVBVM60(00473D9C,?,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\), ref: 004F0F59
__vbaStrCmp.MSVBVM60(007B8E94,00000000,?,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000), ref: 004F0F8B
__vbaStrMove.MSVBVM60(?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001), ref: 004F1016
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\), ref: 004F1022
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\), ref: 004F103C
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\), ref: 004F1058
__vbaFreeStr.MSVBVM60(?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001), ref: 004F1072
#518.MSVBVM60(00000001,00004008,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\), ref: 004F10D6
#617.MSVBVM60(00000000,00000001,00000004,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000), ref: 004F10E6
__vbaVarTstEq.MSVBVM60(00008008,00000000,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\), ref: 004F110B
__vbaFreeVarList.MSVBVM60(00000002,00000001,00000000,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000), ref: 004F1122
__vbaStrCopy.MSVBVM60(00000000,?,00411816), ref: 004F1146
__vbaStrCopy.MSVBVM60(00000000,?,00411816), ref: 004F115E
__vbaStrCopy.MSVBVM60(?,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\), ref: 004F1195
__vbaStrCopy.MSVBVM60(?,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\), ref: 004F11CF
__vbaFreeStr.MSVBVM60(00000001,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\), ref: 004F11E7
__vbaStrCmp.MSVBVM60(true,0075AE44,?,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000), ref: 004F1200
__vbaInStr.MSVBVM60(00000000,HKLM\SOFTWARE\Aloaha\pdf,?,00000001,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000), ref: 004F1245
#712.MSVBVM60(00000000,HKLM\SOFTWARE\Aloaha\pdf,HKCU\SOFTWARE\Aloaha\pdf,00000001,000000FF,00000000,?,00000001,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\), ref: 004F1270
__vbaStrMove.MSVBVM60(?,00000001,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\), ref: 004F127B
__vbaStrCopy.MSVBVM60(?,00000001,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\), ref: 004F1290
__vbaStrMove.MSVBVM60(00000001,?,00000001,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000), ref: 004F12A4
__vbaFreeStr.MSVBVM60(?,00000001,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\), ref: 004F12AD
#518.MSVBVM60(00000001,00004008,?,00000001,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000), ref: 004F12E4
#617.MSVBVM60(00000000,00000001,00000004,?,00000001,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF), ref: 004F12F4
__vbaVarTstEq.MSVBVM60(00008008,00000000,?,00000001,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000), ref: 004F1319
__vbaFreeVarList.MSVBVM60(00000002,00000001,00000000,?,00000001,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF), ref: 004F1330
__vbaStrCopy.MSVBVM60(00000000,?,00411816), ref: 004F1354
__vbaStrCopy.MSVBVM60(00000000,?,00411816), ref: 004F136C
__vbaStrCopy.MSVBVM60 ref: 004F138F
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000), ref: 004F13A5
#685.MSVBVM60(?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001), ref: 004F13C5
__vbaObjSet.MSVBVM60(?,00000000,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\), ref: 004F13D0
__vbaFreeObj.MSVBVM60(?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001), ref: 004F13F1
__vbaChkstk.MSVBVM60(?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001), ref: 004F1411
__vbaLateMemCallLd.MSVBVM60(00000001,022C1040,RegRead,00000001,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000), ref: 004F1441
__vbaStrVarMove.MSVBVM60(00000000,00000001), ref: 004F144B
__vbaStrMove.MSVBVM60 ref: 004F1456
__vbaFreeVar.MSVBVM60 ref: 004F145F
#685.MSVBVM60 ref: 004F146C
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F1477
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004F14C2
__vbaFreeObj.MSVBVM60 ref: 004F14F2
#685.MSVBVM60 ref: 004F150E
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F1519
__vbaFreeObj.MSVBVM60 ref: 004F153A
__vbaObjSetAddref.MSVBVM60(0054D554,00000000), ref: 004F154E
#716.MSVBVM60(?,WScript.Shell,00000000), ref: 004F1566
__vbaObjVar.MSVBVM60(?), ref: 004F1570
__vbaObjSetAddref.MSVBVM60(0054D554,00000000), ref: 004F157C
__vbaFreeVar.MSVBVM60 ref: 004F1585
#685.MSVBVM60 ref: 004F1592
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F159D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004F15E8
__vbaFreeObj.MSVBVM60 ref: 004F1618
__vbaStrCopy.MSVBVM60 ref: 004F1638
__vbaFreeStr.MSVBVM60(?), ref: 004F164A
#685.MSVBVM60 ref: 004F1657
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F1662
__vbaFreeObj.MSVBVM60 ref: 004F1683
#685.MSVBVM60 ref: 004F1690
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F169B
__vbaFreeObj.MSVBVM60 ref: 004F16BC
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004F16D2
__vbaChkstk.MSVBVM60 ref: 004F172B
__vbaChkstk.MSVBVM60 ref: 004F174E
__vbaChkstk.MSVBVM60 ref: 004F177D
__vbaLateMemCall.MSVBVM60(022C1040,Regwrite,00000003), ref: 004F17B5
__vbaStrI4.MSVBVM60(00000000), ref: 004F17CD
__vbaStrMove.MSVBVM60 ref: 004F17D8
__vbaStrCopy.MSVBVM60 ref: 004F17E6
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,00000000), ref: 004F180B
#685.MSVBVM60 ref: 004F181B
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F1826
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004F1871
__vbaFreeObj.MSVBVM60 ref: 004F18A1
#685.MSVBVM60 ref: 004F18D5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F18E0
__vbaFreeObj.MSVBVM60 ref: 004F1901
__vbaStrCopy.MSVBVM60 ref: 004F1918
__vbaStrCopy.MSVBVM60 ref: 004F1940
#685.MSVBVM60 ref: 004F196F
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F197A
__vbaFreeObj.MSVBVM60 ref: 004F199B
__vbaFreeStr.MSVBVM60(004F19EF), ref: 004F19DF
__vbaFreeStr.MSVBVM60 ref: 004F19E8

Strings

HKLM\SOFTWARE\Aloaha\pdf, xrefs: 004F123E, 004F1265
HKCU\, xrefs: 004F0DA0
PDF, xrefs: 004F17DE
hklm\, xrefs: 004F0D77
hkcu, xrefs: 004F10EC, 004F12FA
true, xrefs: 004F11FB
System\, xrefs: 004F0E8B
hYH, xrefs: 004F1423
hlcr\, xrefs: 004F0DD3
Software\, xrefs: 004F0D44, 004F0E2F
Regwrite, xrefs: 004F17A9
system\, xrefs: 004F0E5D
Sofware\, xrefs: 004F0D49
HKLM\SOFTWARE\Aloaha\ctest, xrefs: 004F13FE
HKCR\, xrefs: 004F0DCE
hkcu\, xrefs: 004F0DA5
SOFTWARE\, xrefs: 004F0DFC, 004F0E2A
HKLM\, xrefs: 004F0D72
REG_DWORD, xrefs: 004F1712
SYSTEM\, xrefs: 004F0E58, 004F0E86
regi.CreateCOMObject wscript.shell failed in regwrite_dw, xrefs: 004F1630
RegRead, xrefs: 004F1431
j, xrefs: 004F1968
HKCU\SOFTWARE\Aloaha\pdf, xrefs: 004F1260
software\, xrefs: 004F0E01
WScript.Shell, xrefs: 004F155D

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Move$Copy$#685#712$Chkstk$CheckHresultList$#518#617AddrefCallErrorLate$#716
String ID: HKCR\$HKCU\$HKCU\SOFTWARE\Aloaha\pdf$HKLM\$HKLM\SOFTWARE\Aloaha\ctest$HKLM\SOFTWARE\Aloaha\pdf$PDF$REG_DWORD$RegRead$Regwrite$SOFTWARE\$SYSTEM\$Software\$Sofware\$System\$WScript.Shell$hYH$hkcu$hkcu\$hklm\$hlcr\$j$regi.CreateCOMObject wscript.shell failed in regwrite_dw$software\$system\$true
API String ID: 2945476557-1962897271
Opcode ID: 8a25559b589aaa2dec2b92b0df61e715c9e38d457ab28f282ca4db867e3d01a0
Instruction ID: b1efe63cbbb945048ad09546138e8bbcaaeec40a80b12b684528fba53bdd7763
Opcode Fuzzy Hash: 8a25559b589aaa2dec2b92b0df61e715c9e38d457ab28f282ca4db867e3d01a0
Instruction Fuzzy Hash: 1B825C74A00208EFDB14DFA0DD48BEEBBB5FF48705F1081A9E509AB2A0DB749A45DF54

Uniqueness

Uniqueness Score: -1.00%

Function 004CF630 Relevance: 221.3, APIs: 114, Strings: 12, Instructions: 778
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,?,?,?,?,00000000,00411816), ref: 004CF64E
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00411816), ref: 004CF67E
__vbaStrCmp.MSVBVM60(true,0077F59C,?,00000000,?,00000000,00411816), ref: 004CF696
#685.MSVBVM60(?,00000000,?,00000000,00411816), ref: 004CF6AB
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,00000000,00411816), ref: 004CF6B6
__vbaFreeObj.MSVBVM60(?,00000000,?,00000000,00411816), ref: 004CF6D7

Part of subcall function 00519660: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,?,?,?,?,00000000,00411816), ref: 0051967E
Part of subcall function 00519660: __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,00411816), ref: 005196AE
Part of subcall function 00519660: __vbaStrCopy.MSVBVM60(?,00000001,?,00000000,00411816), ref: 005196C3
Part of subcall function 00519660: __vbaFreeStr.MSVBVM60(?,?,00000001,?,00000000,00411816), ref: 005196D5
Part of subcall function 00519660: __vbaStrCmp.MSVBVM60(true,0077F574,?,00000001,?,00000000,00411816), ref: 005196EE
Part of subcall function 00519660: __vbaStrCopy.MSVBVM60(?,00000001,?,00000000,00411816), ref: 0051970D
Part of subcall function 00519660: #685.MSVBVM60(?,00000001,?,00000000,00411816), ref: 0051971A
Part of subcall function 00519660: __vbaObjSet.MSVBVM60(?,00000000,?,00000001,?,00000000,00411816), ref: 00519725
Part of subcall function 00519660: __vbaFreeObj.MSVBVM60(?,00000001,?,00000000,00411816), ref: 00519746
Part of subcall function 00519660: __vbaLateMemCallLd.MSVBVM60(?,00000000,info,00000000), ref: 00519772
Part of subcall function 00519660: __vbaVarTstLt.MSVBVM60(?,00000000,00000001,?,00000000,00411816), ref: 00519780
Part of subcall function 00519660: __vbaFreeVar.MSVBVM60(?,00000000,00411816), ref: 0051978D
Part of subcall function 00519660: __vbaObjSetAddref.MSVBVM60(0054D334,00000000,?,00000000,00411816), ref: 005197A9
Part of subcall function 00519660: #685.MSVBVM60 ref: 0051988B
Part of subcall function 00519660: __vbaObjSet.MSVBVM60(?,00000000), ref: 00519896
Part of subcall function 00519660: __vbaFreeObj.MSVBVM60 ref: 005198B7

#685.MSVBVM60(?,00000000,?,00000000,00411816), ref: 004CF6F3
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,00000000,00411816), ref: 004CF6FE
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004CF749
__vbaFreeObj.MSVBVM60 ref: 004CF779
#685.MSVBVM60 ref: 004CF79F
__vbaObjSet.MSVBVM60(?,00000000), ref: 004CF7AA
__vbaFreeObj.MSVBVM60 ref: 004CF7CB
__vbaStrMove.MSVBVM60 ref: 004CF800
__vbaInStr.MSVBVM60(00000000,smart,007C035C,00000001), ref: 004CF81C
__vbaInStr.MSVBVM60(00000000,login,007C035C,00000001), ref: 004CF839
__vbaStrCopy.MSVBVM60 ref: 004CF85F
#520.MSVBVM60(?,00000008,?), ref: 004CF880
__vbaStrVarMove.MSVBVM60(?), ref: 004CF88A
__vbaStrMove.MSVBVM60 ref: 004CF895
__vbaFreeStr.MSVBVM60 ref: 004CF89E
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004CF8AE
__vbaStrCmp.MSVBVM60(00473D9C,?,?,00000000,00411816), ref: 004CF8C7
__vbaStrCmp.MSVBVM60(004740D4,?,?,00000000,00411816), ref: 004CF8DE
__vbaStrCopy.MSVBVM60(?,00000000,00411816), ref: 004CF8FF
#520.MSVBVM60(?,00000008), ref: 004CF920
__vbaStrVarMove.MSVBVM60(?), ref: 004CF92A
__vbaStrMove.MSVBVM60 ref: 004CF935
__vbaFreeStr.MSVBVM60 ref: 004CF93E
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004CF94E
__vbaStrCopy.MSVBVM60 ref: 004CF96B
#520.MSVBVM60(?,00000008,?), ref: 004CF98C
__vbaStrVarMove.MSVBVM60(?), ref: 004CF996
__vbaStrMove.MSVBVM60 ref: 004CF9A1
__vbaFreeStr.MSVBVM60 ref: 004CF9AA
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004CF9BA
__vbaStrCmp.MSVBVM60(00473D9C,?,?,00000000,00411816), ref: 004CF9D3
__vbaStrCmp.MSVBVM60(004740D4,?,?,00000000,00411816), ref: 004CF9EA
__vbaStrCopy.MSVBVM60(?,00000000,00411816), ref: 004CFA0B
#520.MSVBVM60(?,00000008), ref: 004CFA2C
__vbaStrVarMove.MSVBVM60(?), ref: 004CFA36
__vbaStrMove.MSVBVM60 ref: 004CFA41
__vbaFreeStr.MSVBVM60 ref: 004CFA4A
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004CFA5A
__vbaStrCmp.MSVBVM60(00473D9C,?,?,00000000,00411816), ref: 004CFA73
__vbaStrCmp.MSVBVM60(004740D4,?,?,00000000,00411816), ref: 004CFA8A
__vbaStrCopy.MSVBVM60(?,00000000,00411816), ref: 004CFAA9
#685.MSVBVM60(?,00000000,00411816), ref: 004CFAC3
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,00411816), ref: 004CFACE
__vbaFreeObj.MSVBVM60(?,00000000,00411816), ref: 004CFAEF
__vbaR8Str.MSVBVM60(?,?,00000000,00411816), ref: 004CFB00
__vbaStrR8.MSVBVM60(?,?,?,?,00411816), ref: 004CFB0C
__vbaStrMove.MSVBVM60(?,?,?,?,00411816), ref: 004CFB17
#685.MSVBVM60(?,?,?,?,00411816), ref: 004CFB24
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00411816), ref: 004CFB2F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004CFB7A
__vbaFreeObj.MSVBVM60 ref: 004CFBAA
__vbaStrCopy.MSVBVM60 ref: 004CFBC8
#685.MSVBVM60 ref: 004CFBE2
__vbaObjSet.MSVBVM60(?,00000000), ref: 004CFBED
__vbaFreeObj.MSVBVM60 ref: 004CFC0E
#685.MSVBVM60 ref: 004CFC1B
__vbaObjSet.MSVBVM60(?,00000000), ref: 004CFC26
__vbaFreeObj.MSVBVM60 ref: 004CFC47
__vbaI4Str.MSVBVM60(?), ref: 004CFC58
__vbaI4Str.MSVBVM60(?), ref: 004CFC64
__vbaI4Abs.MSVBVM60 ref: 004CFC74
__vbaStrI4.MSVBVM60(00000007,Do Action: ), ref: 004CFCA6
__vbaStrMove.MSVBVM60 ref: 004CFCB1
__vbaStrCat.MSVBVM60(00000000), ref: 004CFCB8
__vbaStrMove.MSVBVM60 ref: 004CFCC3
__vbaFreeStrList.MSVBVM60(00000002,?,?,?), ref: 004CFCDC
#685.MSVBVM60(?,?,?,?,?,?,?,00411816), ref: 004CFCEC
__vbaObjSet.MSVBVM60(?,00000000), ref: 004CFCF7
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004CFD42
__vbaFreeObj.MSVBVM60 ref: 004CFD72
__vbaStrCopy.MSVBVM60 ref: 004CFD9E
#685.MSVBVM60 ref: 004CFDB8
__vbaObjSet.MSVBVM60(?,00000000), ref: 004CFDC3
__vbaFreeObj.MSVBVM60 ref: 004CFDE4
__vbaInStr.MSVBVM60(00000000,smart,007C035C,00000001), ref: 004CFE12
__vbaInStr.MSVBVM60(00000000,login,007C035C,00000001), ref: 004CFE2F
__vbaStrCopy.MSVBVM60 ref: 004CFE51
__vbaFreeStr.MSVBVM60(?,?), ref: 004CFE67
__vbaStrCopy.MSVBVM60 ref: 004CFE7C
__vbaFreeStr.MSVBVM60(?,?), ref: 004CFE92
__vbaStrCopy.MSVBVM60 ref: 004CFEA9
__vbaFreeStr.MSVBVM60(?,?), ref: 004CFEBF
__vbaStrCopy.MSVBVM60 ref: 004CFED4
__vbaFreeStr.MSVBVM60(?,?), ref: 004CFEEA
#518.MSVBVM60(?,00004008), ref: 004CFF37
__vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 004CFF78
__vbaVarTstEq.MSVBVM60(00008002,00000000), ref: 004CFF86
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004CFF9D
#685.MSVBVM60 ref: 004CFFD3
__vbaObjSet.MSVBVM60(?,00000000), ref: 004CFFDE
__vbaFreeObj.MSVBVM60 ref: 004CFFFF

Part of subcall function 00518950: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,004D0011), ref: 0051896E
Part of subcall function 00518950: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00411816), ref: 0051899E
Part of subcall function 00518950: #594.MSVBVM60(0000000A), ref: 005189BD
Part of subcall function 00518950: __vbaFreeVar.MSVBVM60 ref: 005189C6
Part of subcall function 00518950: #593.MSVBVM60(0000000A), ref: 005189E5
Part of subcall function 00518950: __vbaFpI4.MSVBVM60 ref: 005189FB
Part of subcall function 00518950: #573.MSVBVM60(?,00000003), ref: 00518A13
Part of subcall function 00518950: __vbaStrErrVarCopy.MSVBVM60(?,00478678), ref: 00518A36
Part of subcall function 00518950: __vbaStrMove.MSVBVM60 ref: 00518A41
Part of subcall function 00518950: __vbaStrCat.MSVBVM60(00000000), ref: 00518A48
Part of subcall function 00518950: #619.MSVBVM60(?,00000008,00000002), ref: 00518A62
Part of subcall function 00518950: __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 00518A7A
Part of subcall function 00518950: __vbaStrVarVal.MSVBVM60(?,00000000), ref: 00518A85
Part of subcall function 00518950: #581.MSVBVM60(00000000), ref: 00518A8C
Part of subcall function 00518950: __vbaFpI4.MSVBVM60 ref: 00518A92
Part of subcall function 00518950: __vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 00518AA5

__vbaI4Abs.MSVBVM60 ref: 004D0067
__vbaI4Abs.MSVBVM60 ref: 004D0098
__vbaI4Abs.MSVBVM60 ref: 004D011B
__vbaStrI4.MSVBVM60(?,Random: ), ref: 004D0150
__vbaStrMove.MSVBVM60 ref: 004D015B
__vbaStrCat.MSVBVM60(00000000), ref: 004D0162
__vbaStrMove.MSVBVM60 ref: 004D016D
__vbaFreeStrList.MSVBVM60(00000002,?,?,?), ref: 004D0186
__vbaStrCopy.MSVBVM60 ref: 004D01B9
__vbaStrCopy.MSVBVM60 ref: 004D01D0
#685.MSVBVM60(?,00000000,?,00000000,00411816), ref: 004D01DD
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,00000000,00411816), ref: 004D01E8
__vbaFreeObj.MSVBVM60(?,00000000,?,00000000,00411816), ref: 004D0209
__vbaFreeStr.MSVBVM60(004D0267,?,00000000,?,00000000,00411816), ref: 004D024E
__vbaFreeStr.MSVBVM60(?,00000000,?,00000000,00411816), ref: 004D0257
__vbaFreeStr.MSVBVM60(?,00000000,?,00000000,00411816), ref: 004D0260
__vbaErrorOverflow.MSVBVM60 ref: 004D0278

Strings

true, xrefs: 004CF691, 004D01AF, 004D01C6
HKCU\Software\Aloaha\csp\Permissions, xrefs: 004CF8F7, 004CFE74
HKLM\Software\Aloaha\pdf\FinePrint, xrefs: 004CF963, 004CFEA1
HKLM\Software\Aloaha\csp\Permissions, xrefs: 004CF857, 004CFE49
Random: , xrefs: 004D0147
system, xrefs: 004CFF3D
login, xrefs: 004CF832, 004CFE28
smart, xrefs: 004CF815, 004CFE0B
[, xrefs: 004D01D6
HKCU\Software\Aloaha\pdf\FinePrint, xrefs: 004CFA03, 004CFECC
Do Action: , xrefs: 004CFC9D
3, xrefs: 004D0196

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Copy$Move$#685$List$#520Error$CheckChkstkHresult$#518#573#581#593#594#619AddrefCallLateOverflow
String ID: 3$Do Action: $HKCU\Software\Aloaha\csp\Permissions$HKCU\Software\Aloaha\pdf\FinePrint$HKLM\Software\Aloaha\csp\Permissions$HKLM\Software\Aloaha\pdf\FinePrint$Random: $[$login$smart$system$true
API String ID: 3176523432-1327735644
Opcode ID: 6f84bc1d9eef428c178aadc373e140c3cffc7facf171b05321b38d72bf8117f9
Instruction ID: 84a6524aecff1442f9ac6403fa0d15472be6eec4c0ac4778de55105c61d5b656
Opcode Fuzzy Hash: 6f84bc1d9eef428c178aadc373e140c3cffc7facf171b05321b38d72bf8117f9
Instruction Fuzzy Hash: 05726875900209DFDB14DFA0DA48BDEBBB5FF48305F1081AAE506B72A0DB785A49CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00506210 Relevance: 212.4, APIs: 116, Strings: 5, Instructions: 698
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,00411816,?,005309BD,?,?,?,?,?,00000000,?,00000000,00411816), ref: 0050622E
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00411816), ref: 0050625E
#619.MSVBVM60(?,00004008,00000001), ref: 0050628B
#608.MSVBVM60(?,00000022), ref: 00506297
#617.MSVBVM60(?,00004008,00000001), ref: 005062C0
#608.MSVBVM60(?,00000022), ref: 005062CF
__vbaVarCmpEq.MSVBVM60(?,?,?), ref: 005062E4
__vbaVarCmpEq.MSVBVM60(?,?,?,00000000), ref: 00506300
__vbaVarAnd.MSVBVM60(?,00000000), ref: 0050630E
__vbaBoolVarNull.MSVBVM60(00000000), ref: 00506315
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0050633A
__vbaStrCopy.MSVBVM60(?,00000000,?,?,00411816), ref: 0050635D
#520.MSVBVM60(?,00004008), ref: 0050638A
__vbaStrVarMove.MSVBVM60(?), ref: 00506394
__vbaStrMove.MSVBVM60 ref: 0050639F
__vbaFreeVar.MSVBVM60 ref: 005063A8
#619.MSVBVM60(?,00004008,00000001), ref: 005063D5
#608.MSVBVM60(?,00000022), ref: 005063E1
#617.MSVBVM60(?,00004008,00000001), ref: 0050640A
#608.MSVBVM60(?,00000022), ref: 00506419
__vbaVarCmpEq.MSVBVM60(?,?,?), ref: 0050642E
__vbaVarCmpEq.MSVBVM60(?,?,?,00000000), ref: 0050644A
__vbaVarAnd.MSVBVM60(?,00000000), ref: 00506458
__vbaBoolVarNull.MSVBVM60(00000000), ref: 0050645F
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00506484
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,00000000,?,?,00411816), ref: 005064A7
#520.MSVBVM60(?,00004008), ref: 005064D4
__vbaStrVarMove.MSVBVM60(?), ref: 005064DE
__vbaStrMove.MSVBVM60 ref: 005064E9
__vbaFreeVar.MSVBVM60 ref: 005064F2
#608.MSVBVM60(?,00000009), ref: 00506518
__vbaInStrVar.MSVBVM60(?,00000000,?,00000008,00000001), ref: 00506545
__vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 00506553
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0050656A
#608.MSVBVM60(?,00000009,?,?,?,?,?,?,?,?,?,00000000,?,?,00411816), ref: 0050658B
__vbaStrVarVal.MSVBVM60(?,?,@@tab@@,00000001,000000FF,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 005065A4
#712.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00000000,?,?,00411816), ref: 005065AF
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,?,?,00411816), ref: 005065BA
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,?,?,00411816), ref: 005065C3
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,?,?,00411816), ref: 005065CC
__vbaInStr.MSVBVM60(00000000,0047C158,?,00000001,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 005065E6
#712.MSVBVM60(?,0047C158,@@vbcrlf@@,00000001,000000FF,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0050660B
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,?,?,00411816), ref: 00506616
#520.MSVBVM60(?,00004008), ref: 00506641
__vbaStrVarMove.MSVBVM60(?), ref: 0050664B
__vbaStrMove.MSVBVM60 ref: 00506656
__vbaFreeVar.MSVBVM60 ref: 0050665F
#520.MSVBVM60(?,00004008), ref: 0050668A
__vbaStrVarMove.MSVBVM60(?), ref: 00506694
__vbaStrMove.MSVBVM60 ref: 0050669F
__vbaFreeVar.MSVBVM60 ref: 005066A8
__vbaInStr.MSVBVM60(00000000,004866E4,?,00000001), ref: 005066C4
#518.MSVBVM60(?,00004008,?,00000001), ref: 005066F7
__vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001,?,?,?,?,?,?,?,00000001), ref: 00506738
__vbaVarTstEq.MSVBVM60(00008002,00000000,?,?,?,?,?,?,?,00000001), ref: 00506746
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,00000001), ref: 0050675D
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00411816), ref: 00506780
__vbaStrCmp.MSVBVM60(00473D9C,?,?,00000001), ref: 00506798
__vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001,0000000B,?,?,?,?,?,?,?,00000001), ref: 005067F8
__vbaVarCmpGt.MSVBVM60(?,00008002,00000000,?,?,?,?,?,?,?,00000001), ref: 0050680A
__vbaVarAnd.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00000001), ref: 00506818
__vbaBoolVarNull.MSVBVM60(00000000,?,?,?,?,?,?,?,00000001), ref: 0050681F
__vbaFreeVarList.MSVBVM60(00000002,?,0000000B,?,?,?,?,?,?,?,00000001), ref: 00506839
__vbaStrVarCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00506858
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00411816), ref: 00506863
#525.MSVBVM60(00000800,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00506875
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00411816), ref: 00506880
__vbaLenBstr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00506891
__vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005068AC
__vbaStrToAnsi.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005068CB
__vbaStrToAnsi.MSVBVM60(?,?,?,00000000), ref: 005068DE
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 005068ED
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 005068FC
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0050690D
__vbaSetSystemError.MSVBVM60(00000000,?,00000000), ref: 0050691F
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 0050692D
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 0050693B
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 00506949
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 00506957
__vbaStrToUnicode.MSVBVM60(0040AF78,?,?,00000000), ref: 00506965
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?,?,00000000), ref: 0050698A
#616.MSVBVM60(?,00000000), ref: 005069B3
__vbaStrMove.MSVBVM60 ref: 005069BE
#617.MSVBVM60(?,00000008,00000001), ref: 005069EE
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 00506A13
__vbaFreeStr.MSVBVM60 ref: 00506A23
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 00506A33
#616.MSVBVM60(?,00000000), ref: 00506A56
__vbaStrMove.MSVBVM60 ref: 00506A61
#616.MSVBVM60(?,00000000), ref: 00506A78
#520.MSVBVM60(00000008,00000008), ref: 00506A90
__vbaStrVarMove.MSVBVM60(?), ref: 00506A9A
__vbaStrMove.MSVBVM60 ref: 00506AA5
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 00506AB5
__vbaStrCopy.MSVBVM60 ref: 00506ACF
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00506AE6
__vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00506AFC
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00506B17
__vbaInStr.MSVBVM60(00000000,@@vbcrlf@@,?,00000001), ref: 00506B31
#712.MSVBVM60(?,@@vbcrlf@@,0047C158,00000001,000000FF,00000000), ref: 00506B56
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00506B61
__vbaInStr.MSVBVM60(00000000,@@tab@@,?,00000001), ref: 00506B7B
#608.MSVBVM60(?,00000009,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00506B92
__vbaStrVarVal.MSVBVM60(?,?,00000001,000000FF,00000000), ref: 00506BA6
#712.MSVBVM60(?,@@tab@@,00000000), ref: 00506BB6
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00506BC1
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00506BCA
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00506BD3
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00506BE6
#685.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00506C03
__vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00506C0E
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00506C2F
__vbaFreeVar.MSVBVM60(00506CD3,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00506CB1
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00506CBA
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00506CC3

Strings

8, xrefs: 00506BFC
@@vbcrlf@@, xrefs: 005065FD, 00506B2A, 00506B4D
@@tab@@, xrefs: 00506597, 00506B74, 00506BAD
\vos\, xrefs: 005066FD
.ini, xrefs: 005067B6

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Move$CopyList$#608$#520AnsiUnicode$#712$#616#617BoolNull$#619Error$#518#525#685BstrChkstkSystem
String ID: .ini$8$@@tab@@$@@vbcrlf@@$\vos\
API String ID: 2289446423-692020445
Opcode ID: e6339e9e0a6bd0ae2461222e536a9c8628c8d1339660b8d63db6603d21d46588
Instruction ID: 57df3c725ae645480cfa056dc30c1f447576bb434099fc8a57575f8490cccaa2
Opcode Fuzzy Hash: e6339e9e0a6bd0ae2461222e536a9c8628c8d1339660b8d63db6603d21d46588
Instruction Fuzzy Hash: 85621AB5900218EFDB14DFA0DD88BEEBBB8BB48701F10859DE606B71A0DB745A49CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00530720 Relevance: 210.8, APIs: 111, Strings: 9, Instructions: 829
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,?,?,?,?,?,?,00000000,00411816), ref: 0053073E
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00411816), ref: 0053076E
#518.MSVBVM60(?,00004008), ref: 005307B5
#520.MSVBVM60(?,?), ref: 005307C3
#518.MSVBVM60(?,00004008), ref: 005307FF
#520.MSVBVM60(?,?), ref: 00530813
__vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 0053083F
__vbaVarCmpEq.MSVBVM60(?,00008008,?,00000000), ref: 0053085B
__vbaVarOr.MSVBVM60(?,00000000), ref: 00530869
__vbaBoolVarNull.MSVBVM60(00000000), ref: 00530870
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00530895
#518.MSVBVM60(?,00004008), ref: 005308D3
#520.MSVBVM60(?,?), ref: 005308E1
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 00530906
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0053091D
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 00530961
__vbaStrMove.MSVBVM60(?,00000000,?,00000000,00411816), ref: 00530978
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 00530986
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 00530994
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 005309A2
#520.MSVBVM60(?,00000008), ref: 005309CF
#518.MSVBVM60(?,?), ref: 005309E0
__vbaStrVarMove.MSVBVM60(?), ref: 005309ED
__vbaStrMove.MSVBVM60 ref: 005309F8
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 00530A10
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00411816), ref: 00530A2A
__vbaStrCmp.MSVBVM60(004740DC,00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00411816), ref: 00530A43
__vbaStrCmp.MSVBVM60(true,00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00411816), ref: 00530A5A
__vbaStrCmp.MSVBVM60(wahr,00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00411816), ref: 00530A77
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00411816), ref: 00530A98
__vbaStrCopy.MSVBVM60 ref: 00530ABC

Part of subcall function 0051C3A0: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,00530973,?,00000000,?,00000000,00411816), ref: 0051C3BE
Part of subcall function 0051C3A0: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00411816), ref: 0051C3EE
Part of subcall function 0051C3A0: __vbaStrCmp.MSVBVM60(00473D9C,00773364,?,00000000,?,00000000,00411816), ref: 0051C406
Part of subcall function 0051C3A0: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 0051C420
Part of subcall function 0051C3A0: #685.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CE34
Part of subcall function 0051C3A0: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000,00411816), ref: 0051CE3F
Part of subcall function 0051C3A0: __vbaFreeObj.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CE60
Part of subcall function 0051C3A0: __vbaFreeStr.MSVBVM60(0051CED1,?,?,?,?,00000000,00411816), ref: 0051CEB8
Part of subcall function 0051C3A0: __vbaFreeStr.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CEC1
Part of subcall function 0051C3A0: __vbaFreeStr.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CECA

#645.MSVBVM60(00000008,00000000), ref: 00530ADE
__vbaStrMove.MSVBVM60 ref: 00530AE9
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 00530AF5
__vbaStrCmp.MSVBVM60(004740DC,00000000), ref: 00530B0E
__vbaFreeStr.MSVBVM60 ref: 00530B29
__vbaFreeVar.MSVBVM60 ref: 00530B32
#685.MSVBVM60 ref: 00530B4E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00530B59
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 00530BA4
__vbaFreeObj.MSVBVM60 ref: 00530BD4
__vbaStrMove.MSVBVM60 ref: 00530BFA
__vbaStrCopy.MSVBVM60 ref: 00530C08
#520.MSVBVM60(?,00000008,?,?), ref: 00530C2D
__vbaStrVarMove.MSVBVM60(?), ref: 00530C37
__vbaStrMove.MSVBVM60 ref: 00530C42
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00530C52
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00530C65
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 00530C7E
__vbaInStr.MSVBVM60(00000000,004740DC,?,00000001), ref: 00530CA0
#685.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00530CB5
__vbaObjSet.MSVBVM60(?,00000000), ref: 00530CC0
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00530CE1
#608.MSVBVM60(?,00000000), ref: 00530CF4
#711.MSVBVM60(?,?,?,000000FF,00000000), ref: 00530D0A
__vbaAryVar.MSVBVM60(00002008,?), ref: 00530D19
__vbaAryCopy.MSVBVM60(?,?), ref: 00530D30
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00530D40
__vbaUbound.MSVBVM60(00000001,?), ref: 00530D56
#685.MSVBVM60 ref: 00530D6B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00530D76
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 00530DC1
__vbaFreeObj.MSVBVM60 ref: 00530DF1
__vbaUbound.MSVBVM60(00000001,?), ref: 00530E20
__vbaLbound.MSVBVM60(00000001,?), ref: 00530E3C
__vbaStrCopy.MSVBVM60 ref: 00530E77
__vbaStrCopy.MSVBVM60 ref: 00530E8C
#685.MSVBVM60 ref: 00530E99
__vbaObjSet.MSVBVM60(?,00000000), ref: 00530EA4
__vbaFreeObj.MSVBVM60 ref: 00530EC5
__vbaInStr.MSVBVM60(00000000,0047B29C,00000000,00000001), ref: 00530F4C
#685.MSVBVM60 ref: 00530F61
__vbaObjSet.MSVBVM60(?,00000000), ref: 00530F6C
__vbaStrCopy.MSVBVM60 ref: 0053137F
__vbaStrCopy.MSVBVM60 ref: 00531398
#685.MSVBVM60 ref: 005313A5
__vbaObjSet.MSVBVM60(?,00000000), ref: 005313B0
__vbaFreeObj.MSVBVM60 ref: 005313D1
__vbaFreeStr.MSVBVM60(0053146A), ref: 0053143C
__vbaFreeStr.MSVBVM60 ref: 00531445
__vbaFreeStr.MSVBVM60 ref: 0053144E
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0053145A
__vbaFreeStr.MSVBVM60 ref: 00531463

Strings

d, xrefs: 0053133D
true, xrefs: 005307C9, 005308E7, 00530A55, 00531375
d, xrefs: 0053132E
Generic, xrefs: 0053099A
DisableKerberos, xrefs: 0053098C
false, xrefs: 00530819, 00530AB2, 0053138E
Kerberos, xrefs: 00530C00
C, xrefs: 0053139E
wahr, xrefs: 00530A72

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Copy$#685ListMove$#520$#518$CheckChkstkErrorHresultUbound$#608#645#711BoolDestructLboundNull
String ID: C$DisableKerberos$Generic$Kerberos$d$d$false$true$wahr
API String ID: 1763576159-3137797705
Opcode ID: 52030bb9977dd941f3a13e3a88f33a979aaf03ae8b5a29fc43eeddff16f063ba
Instruction ID: bbee9b466fd957961ff4d7ab2087b4f87df83c884bf0bf364d3d54db21c2fca0
Opcode Fuzzy Hash: 52030bb9977dd941f3a13e3a88f33a979aaf03ae8b5a29fc43eeddff16f063ba
Instruction Fuzzy Hash: 3182F875900218DFDB14DFA0DE48BDDBBB4BF48305F1085A9E60ABB2A0DB745A89CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004ABD10 Relevance: 198.5, APIs: 100, Strings: 13, Instructions: 792
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,00411816), ref: 004ABD2E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 004ABD5E
__vbaStrCopy.MSVBVM60 ref: 004ABDF4
__vbaAryRecMove.MSVBVM60(004741C8,?,?), ref: 004ABE16
#685.MSVBVM60 ref: 004ABE3F
__vbaObjSet.MSVBVM60(?,00000000), ref: 004ABE4A
__vbaFreeObj.MSVBVM60 ref: 004ABE62
__vbaGenerateBoundsError.MSVBVM60 ref: 004ABE9D
__vbaGenerateBoundsError.MSVBVM60 ref: 004ABEB1
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004ABECC
#685.MSVBVM60 ref: 004ABEE1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004ABEEC
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004ABF1F
__vbaFreeObj.MSVBVM60 ref: 004ABF43
__vbaUbound.MSVBVM60(00000001,00000000), ref: 004ABF62
#685.MSVBVM60 ref: 004ABF7B
__vbaObjSet.MSVBVM60(?,00000000), ref: 004ABF86
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004ABFB9
__vbaFreeObj.MSVBVM60 ref: 004ABFDD
#685.MSVBVM60 ref: 004AC02D
__vbaObjSet.MSVBVM60(?,00000000), ref: 004AC038
__vbaFreeObj.MSVBVM60 ref: 004AC050
__vbaAryDestruct.MSVBVM60(004741C8,?,004AC086), ref: 004AC070
__vbaAryDestruct.MSVBVM60(004741C8,00000000), ref: 004AC07F

Part of subcall function 00531FD0: __vbaChkstk.MSVBVM60(00000000,00411816,004CB93C,?,00000001,?,00000000,00411816), ref: 00531FEE
Part of subcall function 00531FD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000001,?,00000000,00411816,004CB93C), ref: 0053201E
Part of subcall function 00531FD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000001,?,00000000,00411816,004CB93C), ref: 0053202D
Part of subcall function 00531FD0: __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,00411816,004CB93C), ref: 0053203C
Part of subcall function 00531FD0: #520.MSVBVM60(?,00004008), ref: 0053206B
Part of subcall function 00531FD0: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 00532093
Part of subcall function 00531FD0: __vbaFreeVar.MSVBVM60 ref: 005320A6
Part of subcall function 00531FD0: __vbaStrCopy.MSVBVM60 ref: 005320CA
Part of subcall function 00531FD0: #520.MSVBVM60(?,00000008,?), ref: 005320F7
Part of subcall function 00531FD0: __vbaStrVarMove.MSVBVM60(?), ref: 00532104
Part of subcall function 00531FD0: __vbaStrMove.MSVBVM60 ref: 00532111
Part of subcall function 00531FD0: __vbaFreeStr.MSVBVM60 ref: 0053211A
Part of subcall function 00531FD0: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 00532130
Part of subcall function 00531FD0: #520.MSVBVM60(?,00004008), ref: 00532162
Part of subcall function 00531FD0: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0053218A
Part of subcall function 00531FD0: __vbaFreeVar.MSVBVM60 ref: 0053219D

Strings

@@LIGHTLOGIN@@, xrefs: 004AC775
Entering LightTimer, xrefs: 004AC156
MonitorI2C, xrefs: 004ABDBE
MonitorKerberos, xrefs: 004ABDD4
http://www.aloaha.com/shop-en/aloaha-smart-login.php, xrefs: 004AC7ED
CardMonitor.log, xrefs: 004ABDEA, 004AC122
Do Action if no license, xrefs: 004AC476
true, xrefs: 004ABDCF, 004AC140, 004AC1BC, 004AC460, 004AC6F5, 004AC82D, 004AC8CD, 004AC90A
Leaving LightTimer, xrefs: 004AC8E3
system, xrefs: 004AC2D2
No License, xrefs: 004AC70B
2, xrefs: 004AC91B
false, xrefs: 004ABDB9

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$#685Error$#520Move$BoundsCheckChkstkConstructCopyDestructFixstrGenerateHresult$ListUbound
String ID: 2$@@LIGHTLOGIN@@$CardMonitor.log$Do Action if no license$Entering LightTimer$Leaving LightTimer$MonitorI2C$MonitorKerberos$No License$false$http://www.aloaha.com/shop-en/aloaha-smart-login.php$system$true
API String ID: 2711117452-2474159113
Opcode ID: 15bf1acabe08494757112df98fd75d29658c54f6b85c878a0e1a1e4a18e31c9b
Instruction ID: 1e5812541a77607f3e7246cc6a51f9f6836a12feb8b85faa6f964d097e51f32f
Opcode Fuzzy Hash: 15bf1acabe08494757112df98fd75d29658c54f6b85c878a0e1a1e4a18e31c9b
Instruction Fuzzy Hash: B8723D75900218EFDB14DFA4D948BDEBBB4FF48305F10819AE506B72A0DB789A85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0051C3A0 Relevance: 196.7, APIs: 106, Strings: 6, Instructions: 676
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,00530973,?,00000000,?,00000000,00411816), ref: 0051C3BE
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00411816), ref: 0051C3EE
__vbaStrCmp.MSVBVM60(00473D9C,00773364,?,00000000,?,00000000,00411816), ref: 0051C406
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 0051C420
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 0051C43A
#520.MSVBVM60(?,00000008), ref: 0051C45B
__vbaStrVarMove.MSVBVM60(?), ref: 0051C465
__vbaStrMove.MSVBVM60 ref: 0051C470
__vbaFreeStr.MSVBVM60 ref: 0051C479
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0051C489
__vbaStrCopy.MSVBVM60(?,00000000,00411816), ref: 0051C4A1
#520.MSVBVM60(?,00000008), ref: 0051C4C2
__vbaStrVarMove.MSVBVM60(?), ref: 0051C4CC
__vbaStrMove.MSVBVM60 ref: 0051C4D7
__vbaFreeStr.MSVBVM60 ref: 0051C4E0
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0051C4F0
#685.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051C500
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000,00411816), ref: 0051C50B
__vbaFreeObj.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051C52C
__vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,?,00000000,00411816), ref: 0051C542
#645.MSVBVM60(00004008,00000000), ref: 0051C573
__vbaStrMove.MSVBVM60 ref: 0051C57E
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 0051C58A
__vbaFreeStr.MSVBVM60 ref: 0051C5A2
#685.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CE34
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000,00411816), ref: 0051CE3F
__vbaFreeObj.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CE60
__vbaFreeStr.MSVBVM60(0051CED1,?,?,?,?,00000000,00411816), ref: 0051CEB8
__vbaFreeStr.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CEC1
__vbaFreeStr.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CECA

Strings

HKLM\Software\Aloaha\CSP\MasterUserPassIni, xrefs: 0051C499
UserPass.ini, xrefs: 0051CC26
J, xrefs: 0051CE2D
(T, xrefs: 0051CA7A
HKLM\Software\Aloaha\CSP\UserPassIni, xrefs: 0051C432, 0051CD9B
d3w, xrefs: 0051C3FB, 0051C417, 0051CE0B

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Move$Copy$#520#685List$#645ChkstkError
String ID: (T$HKLM\Software\Aloaha\CSP\MasterUserPassIni$HKLM\Software\Aloaha\CSP\UserPassIni$J$UserPass.ini$d3w
API String ID: 3178620943-504289576
Opcode ID: 2c8d53685e3d8852a9695350982d8cc644bfc7455ce966deaa9f51a9821c8105
Instruction ID: da3f37fccf87a46a9599642f315e91d1b0f9fb416be4b4b3b62a06e5f522cec0
Opcode Fuzzy Hash: 2c8d53685e3d8852a9695350982d8cc644bfc7455ce966deaa9f51a9821c8105
Instruction Fuzzy Hash: 5B623C75900218EFDB14DFA0DA48BDEBBB5FF48305F1081A9E50AB7260DB749A89CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00518B80 Relevance: 194.9, APIs: 105, Strings: 6, Instructions: 699
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,?,?,?,00000000,00411816), ref: 00518B9E
__vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,00411816), ref: 00518BCE
#685.MSVBVM60 ref: 00518BE8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00518BF3
__vbaFreeObj.MSVBVM60 ref: 00518C14
__vbaLateMemCallLd.MSVBVM60(?,00000000,info,00000000), ref: 00518C41
__vbaVarTstGt.MSVBVM60(?,00000000), ref: 00518C4F
__vbaFreeVar.MSVBVM60 ref: 00518C5C
#685.MSVBVM60 ref: 00518C75
__vbaObjSet.MSVBVM60(?,00000000), ref: 00518C80
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 00518CBC
__vbaFreeObj.MSVBVM60 ref: 00518CE9
#685.MSVBVM60 ref: 00518D30
__vbaObjSet.MSVBVM60(?,00000000), ref: 00518D3B
__vbaFreeObj.MSVBVM60 ref: 00518D5C
__vbaStrCopy.MSVBVM60 ref: 00518D71
__vbaStrCopy.MSVBVM60 ref: 00518D7F
__vbaObjSet.MSVBVM60(0054D334,00000000,AloahaLic.Licensing,00000000,?,?), ref: 00518DA7
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00518DB7
__vbaLateMemCallLd.MSVBVM60(?,00000000,info,00000000), ref: 00518DE6
__vbaVarTstGt.MSVBVM60(?,00000000), ref: 00518DF4
__vbaFreeVar.MSVBVM60 ref: 00518E01
#685.MSVBVM60 ref: 00518E1A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00518E25
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 00518E61
__vbaFreeObj.MSVBVM60 ref: 00518E8E
#685.MSVBVM60 ref: 00518EC6
__vbaObjSet.MSVBVM60(?,00000000), ref: 00518ED1
__vbaFreeObj.MSVBVM60 ref: 00518EF2
__vbaStrMove.MSVBVM60 ref: 00518F09
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 00518F1F
#619.MSVBVM60(?,00004008,00000001), ref: 00518F4B
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 00518F67
__vbaFreeVar.MSVBVM60 ref: 00518F74
__vbaStrCat.MSVBVM60(004775E8,?), ref: 00518F92
__vbaStrMove.MSVBVM60 ref: 00518F9D
#685.MSVBVM60 ref: 00518FAA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00518FB5
__vbaFreeObj.MSVBVM60 ref: 00518FD6
__vbaStrCat.MSVBVM60(AloahaLic.dll,?), ref: 00518FEC
#645.MSVBVM60(00000008,00000000), ref: 00519002
__vbaStrMove.MSVBVM60 ref: 0051900D
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 00519019
__vbaFreeStr.MSVBVM60 ref: 0051902E
__vbaFreeVar.MSVBVM60 ref: 00519037
#685.MSVBVM60 ref: 00519050
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051905B
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 00519097
__vbaFreeObj.MSVBVM60 ref: 005190C4
__vbaChkstk.MSVBVM60 ref: 005190F3
__vbaStrCat.MSVBVM60(alosecurcom.dll,?), ref: 0051911A
__vbaStrMove.MSVBVM60 ref: 00519125
__vbaFreeStr.MSVBVM60(00000000), ref: 00519134
__vbaChkstk.MSVBVM60 ref: 00519154
__vbaStrCat.MSVBVM60(AloahaLic.dll,?), ref: 0051917B
__vbaStrMove.MSVBVM60 ref: 00519186
__vbaFreeStr.MSVBVM60(00000000), ref: 00519195
#685.MSVBVM60 ref: 005191A2
__vbaObjSet.MSVBVM60(?,00000000), ref: 005191AD
__vbaFreeObj.MSVBVM60 ref: 005191CE
__vbaStrCat.MSVBVM60(aloaha\,?), ref: 005191E4
__vbaStrMove.MSVBVM60 ref: 005191EF
__vbaStrCat.MSVBVM60(AloahaLic.dll,00000000), ref: 005191FB
#645.MSVBVM60(00000008,00000000), ref: 00519211
__vbaStrMove.MSVBVM60 ref: 0051921C
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 00519228
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00519244
__vbaFreeVar.MSVBVM60 ref: 00519250
#685.MSVBVM60 ref: 00519269
__vbaObjSet.MSVBVM60(?,00000000), ref: 00519274
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 005192B0
__vbaFreeObj.MSVBVM60 ref: 005192DD
__vbaChkstk.MSVBVM60 ref: 0051930C
__vbaStrCat.MSVBVM60(aloaha\,?), ref: 00519333
__vbaStrMove.MSVBVM60 ref: 0051933E
__vbaStrCat.MSVBVM60(alosecurcom.dll,00000000), ref: 0051934A
__vbaStrMove.MSVBVM60 ref: 00519355
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000), ref: 0051936B
__vbaChkstk.MSVBVM60 ref: 0051938E
__vbaStrCat.MSVBVM60(aloaha\,?), ref: 005193B5
__vbaStrMove.MSVBVM60 ref: 005193C0
__vbaStrCat.MSVBVM60(AloahaLic.dll,00000000), ref: 005193CC
__vbaStrMove.MSVBVM60 ref: 005193D7

Part of subcall function 0050D740: __vbaChkstk.MSVBVM60(00000000,00411816), ref: 0050D75E
Part of subcall function 0050D740: __vbaStrCopy.MSVBVM60(?,00000001,00000000,00000000,00411816), ref: 0050D78B
Part of subcall function 0050D740: __vbaVarDup.MSVBVM60(?,00000001,00000000,00000000,00411816), ref: 0050D797
Part of subcall function 0050D740: __vbaOnError.MSVBVM60(000000FF,?,00000001,00000000,00000000,00411816), ref: 0050D7A6
Part of subcall function 0050D740: __vbaStrCmp.MSVBVM60(true,00000000,?,00000001,00000000,00000000,00411816), ref: 0050D7BE
Part of subcall function 0050D740: #520.MSVBVM60(?,00004008), ref: 0050D7FB
Part of subcall function 0050D740: __vbaVarCmpNe.MSVBVM60(?,00008008,?,0000000B), ref: 0050D82B
Part of subcall function 0050D740: __vbaVarAnd.MSVBVM60(?,00000000), ref: 0050D839
Part of subcall function 0050D740: __vbaBoolVarNull.MSVBVM60(00000000), ref: 0050D840
Part of subcall function 0050D740: __vbaFreeVarList.MSVBVM60(00000002,?,0000000B), ref: 0050D85A
Part of subcall function 0050D740: __vbaStrCopy.MSVBVM60(00000000,00000000,00411816), ref: 0050D883
Part of subcall function 0050D740: #518.MSVBVM60(?,00004008), ref: 0050D8AE
Part of subcall function 0050D740: #619.MSVBVM60(?,?,00000004), ref: 0050D8BE
Part of subcall function 0050D740: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0050D8E3

__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000), ref: 005193ED
#685.MSVBVM60 ref: 005193FD
__vbaObjSet.MSVBVM60(?,00000000), ref: 00519408
__vbaFreeObj.MSVBVM60 ref: 00519429
#685.MSVBVM60 ref: 00519449
__vbaObjSet.MSVBVM60(?,00000000), ref: 00519454
__vbaFreeObj.MSVBVM60 ref: 00519475
__vbaStrCopy.MSVBVM60 ref: 0051948A
__vbaStrCopy.MSVBVM60 ref: 00519498

Part of subcall function 00523380: __vbaChkstk.MSVBVM60(?,00411816,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00411816), ref: 0052348E
Part of subcall function 00523380: __vbaStrCopy.MSVBVM60(?,00000000,?,?,00411816), ref: 005234BB
Part of subcall function 00523380: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00411816), ref: 005234CA
Part of subcall function 00523380: #518.MSVBVM60(?,00004008), ref: 00523515
Part of subcall function 00523380: __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 00523556
Part of subcall function 00523380: __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 00523564
Part of subcall function 00523380: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0052357B
Part of subcall function 00523380: #518.MSVBVM60(?,00004008), ref: 005235D4
Part of subcall function 00523380: __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 00523615
Part of subcall function 00523380: __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 00523623

__vbaObjSet.MSVBVM60(0054D334,00000000,AloahaLic.Licensing,00000000,?,?), ref: 005194C0
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005194D0
__vbaLateMemCallLd.MSVBVM60(?,00000000,info,00000000), ref: 00519500
__vbaVarTstGt.MSVBVM60(?,00000000), ref: 0051950E
__vbaFreeVar.MSVBVM60 ref: 0051951B
#685.MSVBVM60 ref: 00519534
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051953F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 0051957B
__vbaFreeObj.MSVBVM60 ref: 005195A8
#685.MSVBVM60 ref: 005195CD
__vbaObjSet.MSVBVM60(?,00000000), ref: 005195D8
__vbaFreeObj.MSVBVM60 ref: 005195F9
__vbaFreeStr.MSVBVM60(00519640), ref: 00519639

Strings

aloaha\, xrefs: 005191DF, 0051932E, 005193B0
6, xrefs: 005195C6
alosecurcom.dll, xrefs: 00519115, 00519345
AloahaLic.dll, xrefs: 00518FE7, 00519176, 005191F6, 005193C7
info, xrefs: 00518C31, 00518DD7, 005194F0
AloahaLic.Licensing, xrefs: 00518D97, 005194B0

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$#685$Move$ChkstkCopyList$CheckHresult$#518CallErrorLate$#619#645$#520BoolNull
String ID: 6$AloahaLic.Licensing$AloahaLic.dll$aloaha\$alosecurcom.dll$info
API String ID: 151962266-3584654631
Opcode ID: 826cc7a79ce24b7554634e8dc2c8fab9c09f906f9dd95ec3701061265b258dff
Instruction ID: 5ba21848b0a5b777e4b3ee2ce72f5b73617dc6c4302841b0a0da0ad9a6f170ab
Opcode Fuzzy Hash: 826cc7a79ce24b7554634e8dc2c8fab9c09f906f9dd95ec3701061265b258dff
Instruction Fuzzy Hash: A4623675900208DFDB14DFA4DA88BEEBBB5FF48705F208169E506A72A0DB745A88CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004D4360 Relevance: 184.5, APIs: 96, Strings: 9, Instructions: 745
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,00411816), ref: 004D437E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 004D43BA
__vbaStrCopy.MSVBVM60(?,?,?,?,00411816), ref: 004D43CF
__vbaFreeStr.MSVBVM60(?,?,?,?,?,00411816), ref: 004D43E1
__vbaStrToAnsi.MSVBVM60(?,ServicesActive,000F003F,?,?,?,?,00411816), ref: 004D43FC
__vbaStrToAnsi.MSVBVM60(?,00000000,00000000,?,?,?,?,00411816), ref: 004D440D
__vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,00411816), ref: 004D441C
__vbaStrToUnicode.MSVBVM60(00000000,?,?,?,?,?,00411816), ref: 004D442A
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,00411816), ref: 004D4440
__vbaStrToAnsi.MSVBVM60(?,?,00000004), ref: 004D446D
__vbaSetSystemError.MSVBVM60(00000000,00000000,?,00000004), ref: 004D4480
__vbaStrToUnicode.MSVBVM60(00000000,?,?,00000004), ref: 004D448E
__vbaFreeStr.MSVBVM60(?,00000004), ref: 004D449D
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000,?,00000004), ref: 004D44DC
__vbaAryLock.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004D44F4
__vbaGenerateBoundsError.MSVBVM60 ref: 004D452B
__vbaGenerateBoundsError.MSVBVM60 ref: 004D4542
__vbaSetSystemError.MSVBVM60(?,?,?,?), ref: 004D456F
__vbaAryUnlock.MSVBVM60(00000000), ref: 004D4579
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 004D45B7
__vbaAryLock.MSVBVM60(?,?), ref: 004D45CF
__vbaGenerateBoundsError.MSVBVM60 ref: 004D4606
__vbaGenerateBoundsError.MSVBVM60 ref: 004D461D
__vbaSetSystemError.MSVBVM60(?,?,?,?), ref: 004D464A
__vbaAryUnlock.MSVBVM60(00000000), ref: 004D4654
__vbaAryLock.MSVBVM60(00000000,?), ref: 004D466F
__vbaGenerateBoundsError.MSVBVM60 ref: 004D46A6
__vbaGenerateBoundsError.MSVBVM60 ref: 004D46BD
__vbaSetSystemError.MSVBVM60(?,?,00000024), ref: 004D46E1
__vbaAryUnlock.MSVBVM60(00000000), ref: 004D46EB
__vbaSetSystemError.MSVBVM60(?), ref: 004D470E
__vbaSetSystemError.MSVBVM60(00000000,?,00000004), ref: 004D4724
#685.MSVBVM60 ref: 004D4731
__vbaObjSet.MSVBVM60(?,00000000), ref: 004D473C
__vbaFreeObj.MSVBVM60 ref: 004D475D
__vbaAryDestruct.MSVBVM60(00000000,?,004D479E), ref: 004D4797

Strings

AloahaCredentialsServiceCommand:entering ServiceAutoStart , xrefs: 004D4845
Got service handle, xrefs: 004D496A
Got number of bytes needed, xrefs: 004D4A7D
ServicesActive, xrefs: 004D43F3, 004D489F
Got service Status, xrefs: 004D4C2B
", xrefs: 004D4DD7
Got service Status: , xrefs: 004D4CE3
c, xrefs: 004D4837
AloahaCredentialsServiceCommand:QueryStatus, xrefs: 004D43C7

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Error$System$BoundsGenerate$Free$AnsiLockUnlock$RedimUnicode$#685ChkstkCopyDestructList
String ID: "$AloahaCredentialsServiceCommand:QueryStatus$AloahaCredentialsServiceCommand:entering ServiceAutoStart $Got number of bytes needed$Got service Status$Got service Status: $Got service handle$ServicesActive$c
API String ID: 1712364497-2849272966
Opcode ID: fb19e729292218d29c61c97ade2854a97c423d81066074491149e51e1bbd2131
Instruction ID: ce088f840b82409eca24fa4ffe7676b1420648b3f3fea42552ce9b8abf51c55a
Opcode Fuzzy Hash: fb19e729292218d29c61c97ade2854a97c423d81066074491149e51e1bbd2131
Instruction Fuzzy Hash: A5722774D00208EFDB14DFA4D988BDEBBB5BF48305F20855EE506AB2A1DB749A84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004D22A0 Relevance: 180.8, APIs: 96, Strings: 7, Instructions: 589
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,?,?,?,00000000,00411816), ref: 004D22BE
__vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 004D22EB
__vbaAryConstruct2.MSVBVM60(?,004842F4,00000011,?,?,?,00000000,00411816), ref: 004D22FC
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816), ref: 004D230B
__vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 004D232C
__vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,00000000,00411816), ref: 004D2344
__vbaInStr.MSVBVM60(00000000,004775E8,?,00000001,?,?,?,?,00000000,00411816), ref: 004D2364
__vbaStrCopy.MSVBVM60(?,00000001,?,?,?,?,00000000,00411816), ref: 004D237D
__vbaStrCopy.MSVBVM60(?,?,?,?,00000000,00411816), ref: 004D2392
__vbaLenBstr.MSVBVM60(?,?,?,?,?,00000000,00411816), ref: 004D23A3
__vbaStrCopy.MSVBVM60(?,?,?,?,00000000,00411816), ref: 004D23C0
__vbaStrMove.MSVBVM60(?,?,encrypted:,?,?,?,?,00000000,00411816), ref: 004D23DD
__vbaStrCat.MSVBVM60(00000000,?,?,?,?,00000000,00411816), ref: 004D23E4
__vbaStrMove.MSVBVM60(?,?,?,?,00000000,00411816), ref: 004D23EF
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,00000000,00411816), ref: 004D23FF
__vbaInStr.MSVBVM60(00000000,0047C158,?,00000001,?,00000000,00411816), ref: 004D241C
#712.MSVBVM60(?,0047C158,{{{vbcrlf}}},00000001,000000FF,00000000,?,00000000,00411816), ref: 004D2441
__vbaStrMove.MSVBVM60(?,00000000,00411816), ref: 004D244C
__vbaStrCat.MSVBVM60(0047C158,?,?,00000000,00411816), ref: 004D2462
#717.MSVBVM60(?,00000008,00000080,00000000), ref: 004D248D
__vbaVar2Vec.MSVBVM60(?,?), ref: 004D24A1
__vbaAryMove.MSVBVM60(?,?), ref: 004D24B2
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004D24C8
__vbaUbound.MSVBVM60(00000001,?,?,?,?,?,00000000,00411816), ref: 004D24DE
__vbaGenerateBoundsError.MSVBVM60 ref: 004D2519
__vbaAryLock.MSVBVM60(?,?), ref: 004D252D
__vbaGenerateBoundsError.MSVBVM60 ref: 004D256A
__vbaGenerateBoundsError.MSVBVM60 ref: 004D2584
__vbaStrToAnsi.MSVBVM60(?,?,?,?,00030D40,00030D40,?,0000000A), ref: 004D25BE
__vbaSetSystemError.MSVBVM60(00000000), ref: 004D25D0
__vbaStrToUnicode.MSVBVM60(?,?), ref: 004D25DE
__vbaAryUnlock.MSVBVM60(00000000), ref: 004D25E8
__vbaFreeStr.MSVBVM60 ref: 004D25FA
#717.MSVBVM60(?,00006011,00000040,00000000), ref: 004D265A
#617.MSVBVM60(?,?,00000000), ref: 004D2672
__vbaStrVarMove.MSVBVM60(?), ref: 004D267F
__vbaStrMove.MSVBVM60 ref: 004D268A
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004D26A0
#619.MSVBVM60(?,00004008,00000003), ref: 004D26D3
#608.MSVBVM60(?,00000000), ref: 004D26F6
__vbaVarAdd.MSVBVM60(?,?,00000008,?), ref: 004D2718
__vbaVarTstEq.MSVBVM60(00000000), ref: 004D271F
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 004D2743
__vbaLenBstr.MSVBVM60(?), ref: 004D2775
#617.MSVBVM60(?,00004008,-00000003), ref: 004D2793
__vbaStrVarMove.MSVBVM60(?), ref: 004D27A0
__vbaStrMove.MSVBVM60 ref: 004D27AB
__vbaFreeVar.MSVBVM60 ref: 004D27B7
#619.MSVBVM60(?,00004008,00000002), ref: 004D27E7
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 004D280F
__vbaFreeVar.MSVBVM60 ref: 004D2822
__vbaLenBstr.MSVBVM60(?), ref: 004D2851
#617.MSVBVM60(?,00004008,-00000002), ref: 004D286F
__vbaStrVarMove.MSVBVM60(?), ref: 004D287C
__vbaStrMove.MSVBVM60 ref: 004D2887
__vbaFreeVar.MSVBVM60 ref: 004D2893
__vbaInStr.MSVBVM60(00000000,{{{vbcrlf}}},?,00000001), ref: 004D28AD
#712.MSVBVM60(?,{{{vbcrlf}}},0047C158,00000001,000000FF,00000000), ref: 004D28D2
__vbaStrMove.MSVBVM60 ref: 004D28DD
#617.MSVBVM60(?,00004008,0000000A), ref: 004D290D
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 004D2935
__vbaFreeVar.MSVBVM60 ref: 004D2948
__vbaLenBstr.MSVBVM60(?), ref: 004D297B
#619.MSVBVM60(?,00004008,-0000000A), ref: 004D2999
__vbaStrVarMove.MSVBVM60(?), ref: 004D29A6
__vbaStrMove.MSVBVM60 ref: 004D29B1
__vbaFreeVar.MSVBVM60 ref: 004D29BD
__vbaStrCopy.MSVBVM60 ref: 004D29D2

Part of subcall function 0050EF90: __vbaChkstk.MSVBVM60(?,00411816), ref: 0050EFAE
Part of subcall function 0050EF90: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 0050EFDE
Part of subcall function 0050EF90: __vbaStrCopy.MSVBVM60(?,?,?,?,00411816), ref: 0050EFF3
Part of subcall function 0050EF90: __vbaStrCopy.MSVBVM60(?,?,?,?,00411816), ref: 0050F008
Part of subcall function 0050EF90: #685.MSVBVM60(?,?,?,?,00411816), ref: 0050F015
Part of subcall function 0050EF90: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00411816), ref: 0050F020
Part of subcall function 0050EF90: __vbaFreeObj.MSVBVM60(?,?,?,?,00411816), ref: 0050F041
Part of subcall function 0050EF90: __vbaStrCmp.MSVBVM60(true,00000000,?,?,?,?,00411816), ref: 0050F05A
Part of subcall function 0050EF90: __vbaStrCopy.MSVBVM60(?,?,?,?,00411816), ref: 0050F079
Part of subcall function 0050EF90: __vbaStrCopy.MSVBVM60(?,?,?,?,00411816), ref: 0050F08E
Part of subcall function 0050EF90: #520.MSVBVM60(?,00004008), ref: 0050F0B0
Part of subcall function 0050EF90: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0050F0D2
Part of subcall function 0050EF90: __vbaFreeVar.MSVBVM60 ref: 0050F0E2
Part of subcall function 0050EF90: __vbaStrMove.MSVBVM60(Decrypt: ), ref: 0050F10D
Part of subcall function 0050EF90: __vbaStrCat.MSVBVM60(00000000), ref: 0050F114
Part of subcall function 0050EF90: __vbaStrMove.MSVBVM60 ref: 0050F11F
Part of subcall function 0050EF90: __vbaStrCat.MSVBVM60(00477FFC,00000000), ref: 0050F12B
Part of subcall function 0050EF90: __vbaStrMove.MSVBVM60 ref: 0050F136

__vbaStrMove.MSVBVM60(?,?), ref: 004D29EA
__vbaFreeStr.MSVBVM60 ref: 004D29F3
__vbaInStr.MSVBVM60(00000000,{{{vbcrlf}}},?,00000001), ref: 004D2A0D
#712.MSVBVM60(?,{{{vbcrlf}}},0047C158,00000001,000000FF,00000000), ref: 004D2A32
__vbaStrMove.MSVBVM60 ref: 004D2A3D
__vbaStrCopy.MSVBVM60 ref: 004D2A50
#685.MSVBVM60 ref: 004D2A62
__vbaObjSet.MSVBVM60(?,00000000), ref: 004D2A6D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000004C), ref: 004D2AB8
__vbaStrI4.MSVBVM60(?,Pipe Error: Error number ), ref: 004D2ADC
__vbaStrMove.MSVBVM60 ref: 004D2AE7
__vbaStrCat.MSVBVM60(00000000), ref: 004D2AEE
__vbaStrMove.MSVBVM60 ref: 004D2AF9
__vbaStrCat.MSVBVM60( attempting to call CallNamedPipe.,00000000), ref: 004D2B05
__vbaStrMove.MSVBVM60 ref: 004D2B10
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?), ref: 004D2B2D
__vbaFreeObj.MSVBVM60 ref: 004D2B39
#685.MSVBVM60(?,?,?,?,00000000,00411816), ref: 004D2B46
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000,00411816), ref: 004D2B51
__vbaFreeObj.MSVBVM60(?,?,?,?,00000000,00411816), ref: 004D2B72
__vbaFreeStr.MSVBVM60(004D2C45,?,?,?,?,00000000,00411816), ref: 004D2BF6
__vbaFreeStr.MSVBVM60(?,?,?,?,00000000,00411816), ref: 004D2BFF
__vbaFreeStr.MSVBVM60(?,?,?,?,00000000,00411816), ref: 004D2C08
__vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,00000000,00411816), ref: 004D2C14
__vbaFreeStr.MSVBVM60(?,?,?,?,00000000,00411816), ref: 004D2C1D
__vbaFreeStr.MSVBVM60(?,?,?,?,00000000,00411816), ref: 004D2C26
__vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,00000000,00411816), ref: 004D2C3E
__vbaErrorOverflow.MSVBVM60(?,?,?,?,00000000,00411816), ref: 004D2C5B

Strings

Pipe Error: Error number , xrefs: 004D2AD0
\\.\pipe\AloahaCPMPipe, xrefs: 004D2324
encrypted:, xrefs: 004D23C6, 004D2913
attempting to call CallNamedPipe., xrefs: 004D2B00
1alsfj92348sv|@x2vs2asdaddwd, xrefs: 004D23B8, 004D29CA
{{{vbcrlf}}}, xrefs: 004D2433, 004D28A6, 004D28C9, 004D2A06, 004D2A29
,, xrefs: 004D2B3F

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$FreeMove$Copy$Error$List$#617Bstr$#619#685#712BoundsGenerate$#717ChkstkDestruct$#520#608AnsiCheckConstruct2HresultLockOverflowSystemUboundUnicodeUnlockVar2
String ID: attempting to call CallNamedPipe.$,$1alsfj92348sv|@x2vs2asdaddwd$Pipe Error: Error number $\\.\pipe\AloahaCPMPipe$encrypted:${{{vbcrlf}}}
API String ID: 2813674213-4232403591
Opcode ID: 2447b3db1bf7eeae4f01e45a3841cf8626c167b0673d84f0518624c82721d6ea
Instruction ID: ab875d80d86e2f2424f840362790ff141281ccfb63c6b2ce818fab208bb2c1ba
Opcode Fuzzy Hash: 2447b3db1bf7eeae4f01e45a3841cf8626c167b0673d84f0518624c82721d6ea
Instruction Fuzzy Hash: 16422A75900219DBEB14DFA0DE48FDDB7B8BB44301F10C5AAE50AB72A0DB745A89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0050E600 Relevance: 177.4, APIs: 90, Strings: 11, Instructions: 609
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,00000000,00411816), ref: 0050E61E
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816), ref: 0050E64E
__vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 0050E663
__vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 0050E678
#685.MSVBVM60(?,?,?,00000000,00411816), ref: 0050E685
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00411816), ref: 0050E690
__vbaFreeObj.MSVBVM60(?,?,?,00000000,00411816), ref: 0050E6B1
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,?,?,00000000,00411816), ref: 0050E6C9
__vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 0050E6E2
#685.MSVBVM60(?,?,?,00000000,00411816), ref: 0050E6EF
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00411816), ref: 0050E6FA
__vbaFreeObj.MSVBVM60(?,?,?,00000000,00411816), ref: 0050E71B
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,00000000,00411816), ref: 0050E72E
__vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 0050E743
__vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 0050E751
__vbaObjSet.MSVBVM60(?,00000000,CAPICOM.EncryptedData,00000000,?,?), ref: 0050E778
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0050E788
__vbaChkstk.MSVBVM60 ref: 0050E7AB
__vbaLateMemSt.MSVBVM60(?,Algorithm), ref: 0050E7D2
__vbaChkstk.MSVBVM60 ref: 0050E7F2
__vbaLateMemCallLd.MSVBVM60(?,?,Algorithm,00000000,KeyLength), ref: 0050E824
__vbaVarLateMemSt.MSVBVM60(00000000,?,?,?,?,?,00000000,00411816), ref: 0050E82E
__vbaFreeVar.MSVBVM60(?,?,?,?,?,00000000,00411816), ref: 0050E837
__vbaChkstk.MSVBVM60 ref: 0050E857
__vbaLateMemCallLd.MSVBVM60(?,?,Algorithm,00000000,Name), ref: 0050E889
__vbaVarLateMemSt.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,00000000,00411816), ref: 0050E893
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00411816), ref: 0050E89C
__vbaChkstk.MSVBVM60 ref: 0050E8C9
__vbaChkstk.MSVBVM60 ref: 0050E8EC
__vbaLateMemCall.MSVBVM60(?,SetSecret,00000002), ref: 0050E915
__vbaChkstk.MSVBVM60 ref: 0050E939
__vbaLateMemSt.MSVBVM60(?,Content), ref: 0050E960
__vbaChkstk.MSVBVM60 ref: 0050E980
__vbaLateMemCallLd.MSVBVM60(?,?,encrypt,00000001), ref: 0050E9AD
__vbaStrVarMove.MSVBVM60(00000000), ref: 0050E9B7
__vbaStrMove.MSVBVM60 ref: 0050E9C2
__vbaFreeVar.MSVBVM60 ref: 0050E9CB
#685.MSVBVM60 ref: 0050E9D8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0050E9E3
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 0050EA2B
__vbaFreeObj.MSVBVM60 ref: 0050EA58
#685.MSVBVM60 ref: 0050EA74
__vbaObjSet.MSVBVM60(?,00000000), ref: 0050EA7F
__vbaFreeObj.MSVBVM60 ref: 0050EAA0
__vbaStrCopy.MSVBVM60 ref: 0050EAB5
__vbaStrCopy.MSVBVM60 ref: 0050EAC8
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0050EADB
__vbaStrCopy.MSVBVM60 ref: 0050EAF0
__vbaStrCopy.MSVBVM60 ref: 0050EAFE
__vbaObjSet.MSVBVM60(?,00000000,CAPICOM.EncryptedData,00000000,?,?), ref: 0050EB25
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0050EB35
__vbaChkstk.MSVBVM60 ref: 0050EB58
__vbaLateMemSt.MSVBVM60(?,Algorithm), ref: 0050EB7F
__vbaChkstk.MSVBVM60 ref: 0050EB9F
__vbaLateMemCallLd.MSVBVM60(?,?,Algorithm,00000000,KeyLength), ref: 0050EBD1
__vbaVarLateMemSt.MSVBVM60(00000000), ref: 0050EBDB
__vbaFreeVar.MSVBVM60 ref: 0050EBE4
__vbaChkstk.MSVBVM60 ref: 0050EC04
__vbaLateMemCallLd.MSVBVM60(?,?,Algorithm,00000000,Name), ref: 0050EC36
__vbaVarLateMemSt.MSVBVM60(00000000), ref: 0050EC40
__vbaFreeVar.MSVBVM60 ref: 0050EC49
__vbaChkstk.MSVBVM60 ref: 0050EC76
__vbaChkstk.MSVBVM60 ref: 0050EC99
__vbaLateMemCall.MSVBVM60(?,SetSecret,00000002), ref: 0050ECC2
__vbaChkstk.MSVBVM60 ref: 0050ECE6
__vbaLateMemSt.MSVBVM60(?,Content), ref: 0050ED0D
__vbaChkstk.MSVBVM60 ref: 0050ED2D
__vbaLateMemCallLd.MSVBVM60(?,?,encrypt,00000001), ref: 0050ED5A
__vbaStrVarMove.MSVBVM60(00000000), ref: 0050ED64
__vbaStrMove.MSVBVM60 ref: 0050ED6F
__vbaFreeVar.MSVBVM60 ref: 0050ED78
__vbaLenBstr.MSVBVM60(?), ref: 0050ED89
__vbaStrCopy.MSVBVM60 ref: 0050EDA2
__vbaFreeStr.MSVBVM60(?), ref: 0050EDB4
__vbaStrCopy.MSVBVM60 ref: 0050EDCB
__vbaFreeStr.MSVBVM60(?), ref: 0050EDDD
#685.MSVBVM60 ref: 0050EDEA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0050EDF5
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 0050EE3D
__vbaFreeObj.MSVBVM60 ref: 0050EE6A
__vbaStrCopy.MSVBVM60 ref: 0050EE8A
__vbaStrCopy.MSVBVM60 ref: 0050EE9F
__vbaFreeStr.MSVBVM60(?), ref: 0050EEB1
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0050EEC4
__vbaStrCopy.MSVBVM60 ref: 0050EED9
#685.MSVBVM60 ref: 0050EEE6
__vbaObjSet.MSVBVM60(?,00000000), ref: 0050EEF1
__vbaFreeObj.MSVBVM60 ref: 0050EF12
__vbaFreeObj.MSVBVM60(0050EF6B), ref: 0050EF5B
__vbaFreeStr.MSVBVM60 ref: 0050EF64

Strings

@@NULL@@, xrefs: 0050E6DA
Algorithm, xrefs: 0050E7C9, 0050E817, 0050E87C, 0050EB76, 0050EBC4, 0050EC29
*, xrefs: 0050EEDF
Encrypted, xrefs: 0050ED9A
encrypt, xrefs: 0050E9A0, 0050ED4D
Name, xrefs: 0050E875, 0050EC22
CAPICOM.EncryptedData, xrefs: 0050E769, 0050EB16
Encryption Error, xrefs: 0050EDC3, 0050EE97
Content, xrefs: 0050E957, 0050ED04
KeyLength, xrefs: 0050E810, 0050EBBD
SetSecret, xrefs: 0050E90C, 0050ECB9

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Late$Chkstk$Copy$Call$#685$Move$Addref$CheckHresultList$BstrError
String ID: *$@@NULL@@$Algorithm$CAPICOM.EncryptedData$Content$Encrypted$Encryption Error$KeyLength$Name$SetSecret$encrypt
API String ID: 2850594790-706667730
Opcode ID: f8cd9d973d8f6d43779a5d348d49e2d377e15f75c94424f51ebc49f01c54d04f
Instruction ID: c88af309dd1543ae8c0fd230ab5a268b05ad11ca566684005a2a8fabfe85d2c7
Opcode Fuzzy Hash: f8cd9d973d8f6d43779a5d348d49e2d377e15f75c94424f51ebc49f01c54d04f
Instruction Fuzzy Hash: E352C3B4A00208DFDB04DF94D988BDDBBB5FF48304F20C569E505AB2A5DB74AA89CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004F92B0 Relevance: 177.3, APIs: 80, Strings: 21, Instructions: 568
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,00411816), ref: 004F92CE
__vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00411816), ref: 004F92FE
__vbaStrCmp.MSVBVM60(00485A8C,0077F04C,?,00000000,00000000,?,00411816), ref: 004F9316

Part of subcall function 0051CEF0: __vbaChkstk.MSVBVM60(00000000,00411816), ref: 0051CF0E
Part of subcall function 0051CEF0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816), ref: 0051CF3E
Part of subcall function 0051CEF0: __vbaStrCmp.MSVBVM60(true,00000000,?,?,?,00000000,00411816), ref: 0051CF56
Part of subcall function 0051CEF0: #685.MSVBVM60 ref: 0051CFAF
Part of subcall function 0051CEF0: __vbaObjSet.MSVBVM60(00000000,00000000), ref: 0051CFBA
Part of subcall function 0051CEF0: __vbaFreeObj.MSVBVM60 ref: 0051CFD2

__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,00000000,00000000,?,00411816), ref: 004F9345
__vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00411816), ref: 004F936C
#712.MSVBVM60(?,hklm\,HKLM\,00000001,000000FF,00000000,?,00000000,00000000,?,00411816), ref: 004F938F
__vbaStrMove.MSVBVM60(?,hklm\,HKLM\,00000001,000000FF,00000000,?,00000000,00000000,?,00411816), ref: 004F939A
#712.MSVBVM60(00000000,hkcu\,HKCU\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001,000000FF,00000000,?,00000000,00000000,?), ref: 004F93BD
__vbaStrMove.MSVBVM60(?,hklm\,HKLM\,00000001,000000FF,00000000,?,00000000,00000000,?,00411816), ref: 004F93C8
#712.MSVBVM60(?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001,000000FF,00000000,?,00000000,00000000,?), ref: 004F93EB
__vbaStrMove.MSVBVM60(?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001,000000FF,00000000,?,00000000,00000000,?), ref: 004F93F6
#712.MSVBVM60(?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001), ref: 004F9419
__vbaStrMove.MSVBVM60(?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001), ref: 004F9424
#712.MSVBVM60(00000000,Software\,SOFTWARE\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hlcr\,HKCR\,00000001), ref: 004F9447
__vbaStrMove.MSVBVM60(?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001), ref: 004F9452
#712.MSVBVM60(?,system\,SYSTEM\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hlcr\,HKCR\,00000001), ref: 004F9475
__vbaStrMove.MSVBVM60(?,system\,SYSTEM\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hlcr\,HKCR\,00000001), ref: 004F9480
#712.MSVBVM60(?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001), ref: 004F94A3
__vbaStrMove.MSVBVM60(?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001), ref: 004F94AE
__vbaStrCopy.MSVBVM60(?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001), ref: 004F94C3
__vbaStrMove.MSVBVM60(000000FF,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001,000000FF,00000000,?,software\,SOFTWARE\), ref: 004F94D7
__vbaFreeStr.MSVBVM60(?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001), ref: 004F94E0
#712.MSVBVM60(?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001), ref: 004F9503
__vbaStrMove.MSVBVM60(?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001), ref: 004F950E
__vbaStrCopy.MSVBVM60(?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001), ref: 004F9525
__vbaStrMove.MSVBVM60(?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001), ref: 004F955F
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\), ref: 004F956B
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\), ref: 004F9586
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\), ref: 004F95A2
__vbaFreeStr.MSVBVM60(?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001), ref: 004F95BC
#518.MSVBVM60(000000FF,00004008,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\), ref: 004F9620
#617.MSVBVM60(?,000000FF,00000004,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000), ref: 004F9630
__vbaVarTstEq.MSVBVM60(00008008,?,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000), ref: 004F9655
__vbaFreeVarList.MSVBVM60(00000002,000000FF,?,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000), ref: 004F966C
__vbaStrCopy.MSVBVM60(00000000,?,00411816), ref: 004F9690
__vbaStrCopy.MSVBVM60(00000000,?,00411816), ref: 004F96A8
__vbaStrCopy.MSVBVM60(00000000,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\), ref: 004F96DF
__vbaStrCmp.MSVBVM60(00473D9C,00000000,00000000,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000), ref: 004F96F5
#685.MSVBVM60(?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001), ref: 004F9715
__vbaObjSet.MSVBVM60(?,00000000,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\), ref: 004F9720
__vbaFreeObj.MSVBVM60(?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001), ref: 004F9741
__vbaChkstk.MSVBVM60(?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000,?,system\,SYSTEM\,00000001), ref: 004F9761
__vbaLateMemCallLd.MSVBVM60(000000FF,022C1040,RegRead,00000001,?,004778FC,004775E8,00000001,000000FF,00000000,?,System\,SYSTEM\,00000001,000000FF,00000000), ref: 004F9790

Part of subcall function 004F2D70: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,00000000,00000000,?,00411816), ref: 004F2D8E
Part of subcall function 004F2D70: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00411816), ref: 004F2DBE
Part of subcall function 004F2D70: __vbaStrCmp.MSVBVM60(00473D9C,00000000,?,00000000,00000000,00000000,00411816), ref: 004F2DD6
Part of subcall function 004F2D70: __vbaStrCmp.MSVBVM60(00473D9C,0075ACDC,?,00000000,00000000,00000000,00411816), ref: 004F2DF7
Part of subcall function 004F2D70: __vbaStrCopy.MSVBVM60 ref: 004F2E22
Part of subcall function 004F2D70: __vbaStrCopy.MSVBVM60 ref: 004F2E30
Part of subcall function 004F2D70: __vbaStrMove.MSVBVM60(?,?,0000000A), ref: 004F2E4C
Part of subcall function 004F2D70: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004F2E5C
Part of subcall function 004F2D70: __vbaFreeVar.MSVBVM60(00000000,00000000,00411816), ref: 004F2E68
Part of subcall function 004F2D70: __vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004F2E7E
Part of subcall function 004F2D70: __vbaStrCmp.MSVBVM60(004740D4,?), ref: 004F2E95
Part of subcall function 004F2D70: __vbaStrCopy.MSVBVM60 ref: 004F2ED6
Part of subcall function 004F2D70: __vbaStrCmp.MSVBVM60(00473D9C,00000000,?,00000000,00000000,00000000,00411816), ref: 004F2F04

__vbaStrVarMove.MSVBVM60(00000000,00000001,000000FF), ref: 004F979A
__vbaStrMove.MSVBVM60 ref: 004F97A5
__vbaFreeVar.MSVBVM60 ref: 004F97AE
#685.MSVBVM60 ref: 004F97BB
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F97C6
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004F9811
__vbaFreeObj.MSVBVM60 ref: 004F9841
#685.MSVBVM60 ref: 004F985D
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F9868
__vbaFreeObj.MSVBVM60 ref: 004F9889
__vbaObjSetAddref.MSVBVM60(0054D554,00000000), ref: 004F989D
#716.MSVBVM60(?,WScript.Shell,00000000), ref: 004F98B5
__vbaObjVar.MSVBVM60(?), ref: 004F98BF
__vbaObjSetAddref.MSVBVM60(0054D554,00000000), ref: 004F98CB
__vbaFreeVar.MSVBVM60 ref: 004F98D4
#685.MSVBVM60 ref: 004F98E1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F98EC
__vbaFreeObj.MSVBVM60 ref: 004F990D
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004F9923
__vbaChkstk.MSVBVM60 ref: 004F997C
__vbaChkstk.MSVBVM60 ref: 004F999F
__vbaChkstk.MSVBVM60 ref: 004F99CB
__vbaLateMemCall.MSVBVM60(022C1040,Regwrite,00000003), ref: 004F9A03
__vbaStrI4.MSVBVM60(00000000), ref: 004F9A1B
__vbaStrMove.MSVBVM60 ref: 004F9A26
__vbaStrCopy.MSVBVM60 ref: 004F9A34
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,00000000), ref: 004F9A59
#685.MSVBVM60 ref: 004F9A69
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F9A74
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004F9ABF
__vbaFreeObj.MSVBVM60 ref: 004F9AEF
__vbaStrCopy.MSVBVM60 ref: 004F9B2D
#685.MSVBVM60(?,00000000,00000000,?,00411816), ref: 004F9B3A
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,?,00411816), ref: 004F9B45
__vbaFreeObj.MSVBVM60(?,00000000,00000000,?,00411816), ref: 004F9B66
__vbaFreeStr.MSVBVM60(004F9BBA,?,00000000,00000000,?,00411816), ref: 004F9BAA
__vbaFreeStr.MSVBVM60(?,00000000,00000000,?,00411816), ref: 004F9BB3

Strings

HKLM\SOFTWARE\Aloaha\ctest, xrefs: 004F974E
HKCU\, xrefs: 004F93AD
hkcu\, xrefs: 004F93B2
HKCR\, xrefs: 004F93DB
SOFTWARE\, xrefs: 004F9409, 004F9437
HKLM\, xrefs: 004F937F
REG_DWORD, xrefs: 004F9963
SYSTEM\, xrefs: 004F9465, 004F9493
PDF, xrefs: 004F9A2C
hklm\, xrefs: 004F9384
hkcu, xrefs: 004F9636
RegRead, xrefs: 004F9781
System\, xrefs: 004F9498
hlcr\, xrefs: 004F93E0
Software\, xrefs: 004F943C
Regwrite, xrefs: 004F99F7
system\, xrefs: 004F946A
hYH, xrefs: 004F9773
7, xrefs: 004F9B33
software\, xrefs: 004F940E
WScript.Shell, xrefs: 004F98AC

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Move$Copy$#712$#685Chkstk$ErrorList$AddrefCallCheckHresultLate$#518#617#716
String ID: 7$HKCR\$HKCU\$HKLM\$HKLM\SOFTWARE\Aloaha\ctest$PDF$REG_DWORD$RegRead$Regwrite$SOFTWARE\$SYSTEM\$Software\$System\$WScript.Shell$hYH$hkcu$hkcu\$hklm\$hlcr\$software\$system\
API String ID: 4162271779-1415178065
Opcode ID: 033c7a41dca3a870541966c81299968ee05bdfd75140c06fcd8ca8b5d35e8b18
Instruction ID: 482b755cb55fa00f188f28bb2234017ff7e4b0549eb935024b2e55b9ae5dcc78
Opcode Fuzzy Hash: 033c7a41dca3a870541966c81299968ee05bdfd75140c06fcd8ca8b5d35e8b18
Instruction Fuzzy Hash: 4A423A74A00208EFDB14DFA4DD48BDDBBB5FF48705F2081A9E90AA72A0DB749A45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004B4400 Relevance: 173.9, APIs: 90, Strings: 9, Instructions: 627COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00411816), ref: 004B441E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 004B444E
__vbaStrCmp.MSVBVM60(true,?), ref: 004B4477
__vbaStrCmp.MSVBVM60(false,?), ref: 004B4494
__vbaStrCmp.MSVBVM60(true,?), ref: 004B44BC
__vbaStrMove.MSVBVM60 ref: 004B4506
__vbaStrCopy.MSVBVM60 ref: 004B4511
__vbaFreeStr.MSVBVM60 ref: 004B451A
#685.MSVBVM60 ref: 004B4527
__vbaObjSet.MSVBVM60(?,00000000), ref: 004B4532
__vbaFreeObj.MSVBVM60 ref: 004B4553
__vbaStrCopy.MSVBVM60 ref: 004B4576
__vbaStrMove.MSVBVM60(?), ref: 004B458A
__vbaI4Str.MSVBVM60(00000000), ref: 004B4591
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004B45A4
#685.MSVBVM60 ref: 004B45B4
__vbaObjSet.MSVBVM60(?,00000000), ref: 004B45BF
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004B460A
__vbaFreeObj.MSVBVM60 ref: 004B4648
__vbaI4Str.MSVBVM60(?), ref: 004B4664
__vbaStrCopy.MSVBVM60 ref: 004B4678
__vbaFreeStr.MSVBVM60(?,00000000), ref: 004B4691
#685.MSVBVM60 ref: 004B46BA
__vbaObjSet.MSVBVM60(?,00000000), ref: 004B46C5
__vbaFreeObj.MSVBVM60 ref: 004B46E6
__vbaStrCopy.MSVBVM60 ref: 004B4709
__vbaStrMove.MSVBVM60(?), ref: 004B471D
__vbaI4Str.MSVBVM60(00000000), ref: 004B4724
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004B4737
#685.MSVBVM60 ref: 004B4747
__vbaObjSet.MSVBVM60(?,00000000), ref: 004B4752
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004B479D
__vbaFreeObj.MSVBVM60 ref: 004B47DB
__vbaI4Str.MSVBVM60(?), ref: 004B47F7
__vbaStrCopy.MSVBVM60 ref: 004B480B
__vbaFreeStr.MSVBVM60(?,00000000), ref: 004B4824
#685.MSVBVM60 ref: 004B484D
__vbaObjSet.MSVBVM60(?,00000000), ref: 004B4858
__vbaFreeObj.MSVBVM60 ref: 004B4879

Part of subcall function 0051C3A0: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,00530973,?,00000000,?,00000000,00411816), ref: 0051C3BE
Part of subcall function 0051C3A0: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00411816), ref: 0051C3EE
Part of subcall function 0051C3A0: __vbaStrCmp.MSVBVM60(00473D9C,00773364,?,00000000,?,00000000,00411816), ref: 0051C406
Part of subcall function 0051C3A0: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 0051C420
Part of subcall function 0051C3A0: #685.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CE34
Part of subcall function 0051C3A0: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000,00411816), ref: 0051CE3F
Part of subcall function 0051C3A0: __vbaFreeObj.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CE60
Part of subcall function 0051C3A0: __vbaFreeStr.MSVBVM60(0051CED1,?,?,?,?,00000000,00411816), ref: 0051CEB8
Part of subcall function 0051C3A0: __vbaFreeStr.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CEC1
Part of subcall function 0051C3A0: __vbaFreeStr.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CECA

__vbaStrMove.MSVBVM60 ref: 004B489E
__vbaStrCat.MSVBVM60(:SmartLogin.txt,00000000), ref: 004B48AA
__vbaStrMove.MSVBVM60 ref: 004B48B5

Part of subcall function 004BD720: __vbaChkstk.MSVBVM60(?,00411816,?,?,?,?,0052029D,?,?,?,00000000,00411816), ref: 004BD73E
Part of subcall function 004BD720: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 004BD76E
Part of subcall function 004BD720: __vbaStrCopy.MSVBVM60(?,?,?,?,00411816), ref: 004BD783
Part of subcall function 004BD720: #685.MSVBVM60(?,?,?,?,00411816), ref: 004BD790
Part of subcall function 004BD720: __vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,00411816), ref: 004BD79B
Part of subcall function 004BD720: __vbaFreeObj.MSVBVM60(?,?,?,?,00411816), ref: 004BD7B3
Part of subcall function 004BD720: #685.MSVBVM60(00000000,?,?,?,?,00411816), ref: 004BD7DC
Part of subcall function 004BD720: __vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,00411816), ref: 004BD7E7
Part of subcall function 004BD720: __vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004BD81A
Part of subcall function 004BD720: __vbaFreeObj.MSVBVM60 ref: 004BD83E
Part of subcall function 004BD720: __vbaVar2Vec.MSVBVM60(?,?,?,0052029D), ref: 004BD868
Part of subcall function 004BD720: __vbaAryMove.MSVBVM60(?,?), ref: 004BD876

__vbaStrMove.MSVBVM60(?), ref: 004B48C9
__vbaI4Str.MSVBVM60(00000000), ref: 004B48D0
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004B48E7
#685.MSVBVM60 ref: 004B48F7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004B4902
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004B494D
__vbaFreeObj.MSVBVM60 ref: 004B498B
__vbaStrMove.MSVBVM60 ref: 004B49B1
__vbaStrMove.MSVBVM60 ref: 004B49D9
__vbaStrCat.MSVBVM60(:SmartLogin.txt,00000000), ref: 004B49E5
__vbaStrMove.MSVBVM60 ref: 004B49F0
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000,?,?,00000000), ref: 004B4A18
#685.MSVBVM60 ref: 004B4A44
__vbaObjSet.MSVBVM60(?,00000000), ref: 004B4A4F
__vbaFreeObj.MSVBVM60 ref: 004B4A70
__vbaR8Str.MSVBVM60(?), ref: 004B4A8A
__vbaFpI4.MSVBVM60 ref: 004B4AA2
#685.MSVBVM60 ref: 004B4AC3
__vbaObjSet.MSVBVM60(?,00000000), ref: 004B4ACE
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004B4B19
__vbaFreeObj.MSVBVM60 ref: 004B4B49
__vbaStrCopy.MSVBVM60 ref: 004B4B7C
__vbaStrCopy.MSVBVM60 ref: 004B4BA6
__vbaStrCopy.MSVBVM60 ref: 004B4BD0
__vbaVarDup.MSVBVM60 ref: 004B4C0C
#667.MSVBVM60(?), ref: 004B4C16
#520.MSVBVM60(?,00000008), ref: 004B4C2E
#518.MSVBVM60(?,?), ref: 004B4C3F
__vbaStrVarMove.MSVBVM60(?), ref: 004B4C4C
__vbaStrMove.MSVBVM60 ref: 004B4C57
__vbaFreeVarList.MSVBVM60(00000004,?,00000008,?,?), ref: 004B4C72
__vbaVarDup.MSVBVM60 ref: 004B4C9F
#667.MSVBVM60(?), ref: 004B4CA9
#520.MSVBVM60(?,00000008), ref: 004B4CC1
#518.MSVBVM60(?,?), ref: 004B4CD2
__vbaStrVarMove.MSVBVM60(?), ref: 004B4CDF
__vbaStrMove.MSVBVM60 ref: 004B4CEA
__vbaFreeVarList.MSVBVM60(00000004,?,00000008,?,?), ref: 004B4D05
__vbaInStr.MSVBVM60(00000000,thales,?,00000001), ref: 004B4D22
__vbaStrCopy.MSVBVM60 ref: 004B4D4E
__vbaInStr.MSVBVM60(00000000,thales,?,00000001), ref: 004B4D68
__vbaStrCopy.MSVBVM60 ref: 004B4D94
#685.MSVBVM60 ref: 004B4DA1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004B4DAC
__vbaFreeObj.MSVBVM60 ref: 004B4DCD
__vbaFreeStr.MSVBVM60(004B4E36), ref: 004B4E1D
__vbaFreeStr.MSVBVM60 ref: 004B4E26
__vbaFreeStr.MSVBVM60 ref: 004B4E2F

Part of subcall function 004F0CA0: __vbaChkstk.MSVBVM60(?,00411816), ref: 004F0CBE
Part of subcall function 004F0CA0: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00411816), ref: 004F0CEE
Part of subcall function 004F0CA0: __vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004F0D21
Part of subcall function 004F0CA0: #712.MSVBVM60(?,Sofware\,Software\,00000001,000000FF,00000000), ref: 004F0D54
Part of subcall function 004F0CA0: __vbaStrMove.MSVBVM60(?,Sofware\,Software\,00000001,000000FF,00000000), ref: 004F0D5F
Part of subcall function 004F0CA0: #712.MSVBVM60(?,hklm\,HKLM\,00000001,000000FF,00000000,?,Sofware\,Software\,00000001,000000FF,00000000), ref: 004F0D82
Part of subcall function 004F0CA0: __vbaStrMove.MSVBVM60(?,hklm\,HKLM\,00000001,000000FF,00000000,?,Sofware\,Software\,00000001,000000FF,00000000), ref: 004F0D8D
Part of subcall function 004F0CA0: #712.MSVBVM60(00000000,hkcu\,HKCU\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001,000000FF,00000000,?,Sofware\,Software\,00000001), ref: 004F0DB0
Part of subcall function 004F0CA0: __vbaStrMove.MSVBVM60(?,hklm\,HKLM\,00000001,000000FF,00000000,?,Sofware\,Software\,00000001,000000FF,00000000), ref: 004F0DBB
Part of subcall function 004F0CA0: #712.MSVBVM60(?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001,000000FF,00000000,?,Sofware\,Software\,00000001), ref: 004F0DDE
Part of subcall function 004F0CA0: __vbaStrMove.MSVBVM60(?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001,000000FF,00000000,?,Sofware\,Software\,00000001), ref: 004F0DE9
Part of subcall function 004F0CA0: #712.MSVBVM60(?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001), ref: 004F0E0C

Strings

:SmartLogin.txt, xrefs: 004B48A5, 004B49E0
USERDNSDOMAIN, xrefs: 004B4BEF
true, xrefs: 004B4472, 004B44B7, 004B4B6E
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[119D030E-70FA-4F86-A944-ECAF4495A798], xrefs: 004B4701, 004B4803
USERDOMAIN, xrefs: 004B4C82
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[119D030E-70FA-4F86-A944-ECAF4495A798], xrefs: 004B456E, 004B4670
C, xrefs: 004B4D9A
false, xrefs: 004B448F, 004B4B98, 004B4BC2, 004B4D40, 004B4D86
thales, xrefs: 004B4D1B, 004B4D61

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Move$#685Copy$List$#712CheckHresult$ChkstkError$#518#520#667$Var2
String ID: :SmartLogin.txt$C$HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[119D030E-70FA-4F86-A944-ECAF4495A798]$HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[119D030E-70FA-4F86-A944-ECAF4495A798]$USERDNSDOMAIN$USERDOMAIN$false$thales$true
API String ID: 353099511-246192409
Opcode ID: 28b22e0c01ad7bf04c83a4551f7d6948837b333cbaf182212bba683c35ad6839
Instruction ID: f49eb719054b8a7060e955ae29fb01a696a803020c5230ea065ad7c5839b1c64
Opcode Fuzzy Hash: 28b22e0c01ad7bf04c83a4551f7d6948837b333cbaf182212bba683c35ad6839
Instruction Fuzzy Hash: E5522875900218EFDB14DFA0DA48BEEBBB5BF48305F1081A9E50AB72A0DB745A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004D3770 Relevance: 165.0, APIs: 78, Strings: 16, Instructions: 526COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00411816), ref: 004D378E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 004D37CA
__vbaStrCopy.MSVBVM60(?,?,?,?,00411816), ref: 004D37DF
__vbaFreeStr.MSVBVM60(?,?,?,?,?,00411816), ref: 004D37F1
#520.MSVBVM60(?,00004008), ref: 004D381F
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 004D3847
__vbaFreeVar.MSVBVM60 ref: 004D385A
#520.MSVBVM60(?,00000008), ref: 004D3895
__vbaStrVarMove.MSVBVM60(?), ref: 004D38A2
__vbaStrMove.MSVBVM60 ref: 004D38AD
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004D38C3
#518.MSVBVM60(?,00004008), ref: 004D38F4
#518.MSVBVM60(?,00004008), ref: 004D392F
#518.MSVBVM60(?,00004008), ref: 004D396A
__vbaStrCmp.MSVBVM60(true,?), ref: 004D3990
__vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 004D39C3
__vbaVarCmpEq.MSVBVM60(?,00008008,?,00000000), ref: 004D39DF
__vbaVarOr.MSVBVM60(?,00000000), ref: 004D39ED
__vbaVarCmpEq.MSVBVM60(?,00008008,?,00000000), ref: 004D3A09
__vbaVarOr.MSVBVM60(?,00000000), ref: 004D3A17
__vbaVarOr.MSVBVM60(?,0000000B,00000000), ref: 004D3A2C
__vbaBoolVarNull.MSVBVM60(00000000), ref: 004D3A33
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,0000000B), ref: 004D3A5E

Part of subcall function 005006B0: __vbaChkstk.MSVBVM60(00000000,00411816,0050A09D,?,00000000,00000000,00000000,00411816), ref: 005008BE
Part of subcall function 005006B0: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00411816,0050A09D), ref: 005008EE
Part of subcall function 005006B0: __vbaStrCmp.MSVBVM60(00473D9C,0075AA5C,?,00000000,00000000,00000000,00411816,0050A09D), ref: 00500906
Part of subcall function 005006B0: __vbaStrCmp.MSVBVM60(true,007796A4,?,00000000,00000000,00000000,00411816,0050A09D), ref: 00500920
Part of subcall function 005006B0: __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00411816,0050A09D), ref: 00500946
Part of subcall function 005006B0: __vbaStrCopy.MSVBVM60(?,00000001,?,00000000,00411816), ref: 0050096F
Part of subcall function 005006B0: __vbaStrCmp.MSVBVM60(00473D9C,0075AA5C,?,00000000,00000000,00000000,00411816,0050A09D), ref: 00500988
Part of subcall function 005006B0: __vbaStrCmp.MSVBVM60(00473D9C,0075AC14,?,00000001,?,00000000,00411816), ref: 005009A4
Part of subcall function 005006B0: __vbaStrCopy.MSVBVM60(?,00000001,?,00000000,00411816), ref: 005009C0
Part of subcall function 005006B0: __vbaStrCmp.MSVBVM60(00473D9C,0075AA5C,?,00000001,?,00000000,00411816), ref: 00500A09
Part of subcall function 005006B0: __vbaVarDup.MSVBVM60 ref: 00500A37
Part of subcall function 005006B0: #667.MSVBVM60(?), ref: 00500A41
Part of subcall function 005006B0: __vbaStrMove.MSVBVM60 ref: 00500A4E
Part of subcall function 005006B0: __vbaFreeVar.MSVBVM60 ref: 00500A57

__vbaStrCmp.MSVBVM60(true,?,?,?,?,?,00411816), ref: 004D3A89
__vbaStrCopy.MSVBVM60(?,?,?,?,00411816), ref: 004D3AA5
__vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,?,00411816), ref: 004D3ABE
#518.MSVBVM60(?,00004008), ref: 004D3B00
#518.MSVBVM60(?,00004008), ref: 004D3B27
__vbaStrCmp.MSVBVM60(00473D9C), ref: 004D3B38
__vbaVarCmpNe.MSVBVM60(?,?,?,0000000B), ref: 004D3B73
__vbaVarAnd.MSVBVM60(?,0000000B,00000000), ref: 004D3B88
__vbaVarOr.MSVBVM60(?,00000000), ref: 004D3B96
__vbaBoolVarNull.MSVBVM60(00000000), ref: 004D3B9D
__vbaFreeVarList.MSVBVM60(00000004,?,?,0000000B,0000000B), ref: 004D3BC8
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,00411816), ref: 004D3BF2
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,00411816), ref: 004D3C07
__vbaInStr.MSVBVM60(00000000,00477FFC,?,00000001,?,?,?,?,?,?,?,?,?,00411816), ref: 004D3C23
__vbaStrCopy.MSVBVM60(?,00000001,?,?,?,?,?,?,?,?,?,00411816), ref: 004D3C3C
__vbaFreeStr.MSVBVM60(?,?,00000001,?,?,?,?,?,?,?,?,?,00411816), ref: 004D3C4E
__vbaFreeStr.MSVBVM60(004D406A,?,?,?,?,00411816), ref: 004D405A
__vbaFreeStr.MSVBVM60(?,?,?,?,00411816), ref: 004D4063

Strings

Could not retrieve Service Handle for Service, xrefs: 004D3F1C
Service Status is 0, xrefs: 004D3EA5
Starting Service : , xrefs: 004D3E6E
Could not retrieve Service Handle for ServiceManager, xrefs: 004D3F5B
going to start: , xrefs: 004D3C62
HKLM\Software\Aloaha\CSP\AloahaCPMRunning, xrefs: 004D3EEC
1, xrefs: 004D3FB0
Service names cannot contain spaces. Use the 'Service Name' of the service, not the 'Display Name', xrefs: 004D3C34
localsystem, xrefs: 004D3970
true, xrefs: 004D398B, 004D3A84
network, xrefs: 004D3935
ServicesActive, xrefs: 004D3C9C
system, xrefs: 004D38FA
AloahaCredentialsServiceCommand:Start_Service, xrefs: 004D37D7
Unpausing : , xrefs: 004D3E0E
Started: , xrefs: 004D3F82

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Copy$#518$ListMove$#520BoolChkstkErrorNull$#667
String ID: 1$AloahaCredentialsServiceCommand:Start_Service$Could not retrieve Service Handle for Service$Could not retrieve Service Handle for ServiceManager$HKLM\Software\Aloaha\CSP\AloahaCPMRunning$Service Status is 0$Service names cannot contain spaces. Use the 'Service Name' of the service, not the 'Display Name'$ServicesActive$Started: $Starting Service : $Unpausing : $going to start: $localsystem$network$system$true
API String ID: 3860041542-4268503911
Opcode ID: 5cd116b31090af3c97ba774067e002c9bd0ae9543a51b805f06a2be2fb78b4fb
Instruction ID: 8edad0c6d253505bba0838b01763dd033b10d6ccdc65f6a2f4e54b97dd005d61
Opcode Fuzzy Hash: 5cd116b31090af3c97ba774067e002c9bd0ae9543a51b805f06a2be2fb78b4fb
Instruction Fuzzy Hash: 6932F9B5900218EFDB24DFA0DE48BDDB778BF48305F1085AAE50AA7660DB745B48CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00546030 Relevance: 147.7, APIs: 82, Strings: 2, Instructions: 663COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816), ref: 0054604E
__vbaAryConstruct2.MSVBVM60(?,00497A3C,00000011,?,?,?,00000000,00411816), ref: 00546083
__vbaAryConstruct2.MSVBVM60(?,00497A3C,00000011,?,?,?,00000000,00411816), ref: 00546097
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816), ref: 005460A6

Part of subcall function 00531FD0: __vbaChkstk.MSVBVM60(00000000,00411816,004CB93C,?,00000001,?,00000000,00411816), ref: 00531FEE
Part of subcall function 00531FD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000001,?,00000000,00411816,004CB93C), ref: 0053201E
Part of subcall function 00531FD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000001,?,00000000,00411816,004CB93C), ref: 0053202D
Part of subcall function 00531FD0: __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,00411816,004CB93C), ref: 0053203C
Part of subcall function 00531FD0: #520.MSVBVM60(?,00004008), ref: 0053206B
Part of subcall function 00531FD0: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 00532093
Part of subcall function 00531FD0: __vbaFreeVar.MSVBVM60 ref: 005320A6
Part of subcall function 00531FD0: __vbaStrCopy.MSVBVM60 ref: 005320CA
Part of subcall function 00531FD0: #520.MSVBVM60(?,00000008,?), ref: 005320F7
Part of subcall function 00531FD0: __vbaStrVarMove.MSVBVM60(?), ref: 00532104
Part of subcall function 00531FD0: __vbaStrMove.MSVBVM60 ref: 00532111
Part of subcall function 00531FD0: __vbaFreeStr.MSVBVM60 ref: 0053211A
Part of subcall function 00531FD0: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 00532130
Part of subcall function 00531FD0: #520.MSVBVM60(?,00004008), ref: 00532162
Part of subcall function 00531FD0: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0053218A
Part of subcall function 00531FD0: __vbaFreeVar.MSVBVM60 ref: 0053219D

__vbaAryMove.MSVBVM60(?,?,?,?,?,00000000,00411816), ref: 005460D9
#685.MSVBVM60(?,?,?,00000000,00411816), ref: 005460F6
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00411816), ref: 00546101
__vbaFreeObj.MSVBVM60(?,?,?,00000000,00411816), ref: 00546122
__vbaGenerateBoundsError.MSVBVM60 ref: 00546160
__vbaGenerateBoundsError.MSVBVM60 ref: 0054617A
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 0054619B
#685.MSVBVM60 ref: 005461B0
__vbaObjSet.MSVBVM60(?,00000000), ref: 005461BB
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 005461EE
__vbaFreeObj.MSVBVM60 ref: 00546218
__vbaAryCopy.MSVBVM60(0054D854,00000000), ref: 0054623A
__vbaStrCopy.MSVBVM60 ref: 00546288
__vbaStrCopy.MSVBVM60 ref: 005462FF
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 00546315
__vbaAryMove.MSVBVM60(?,?,?,?,?,00000000,00411816), ref: 00546A1C
#685.MSVBVM60(?,?,?,00000000,00411816), ref: 00546A29
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00411816), ref: 00546A34
__vbaFreeObj.MSVBVM60(?,?,?,00000000,00411816), ref: 00546A55
__vbaAryDestruct.MSVBVM60(00000000,?,00546AF4,?,?,?,00000000,00411816), ref: 00546AA5
__vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,00411816), ref: 00546AB1
__vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,00411816), ref: 00546AC0
__vbaFreeStr.MSVBVM60(?,?,?,00000000,00411816), ref: 00546AC9
__vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,00411816), ref: 00546AD5
__vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,00411816), ref: 00546AE1
__vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,00411816), ref: 00546AED

Part of subcall function 00536150: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,00000001), ref: 0053616E
Part of subcall function 00536150: __vbaAryConstruct2.MSVBVM60(?,00496A00,00000011,?,00000001,?,00000000,00411816), ref: 005361A0
Part of subcall function 00536150: __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,00411816), ref: 005361AF
Part of subcall function 00536150: #685.MSVBVM60(?,00000001,?,00000000,00411816), ref: 005361D1
Part of subcall function 00536150: __vbaObjSet.MSVBVM60(?,00000000,?,00000001,?,00000000,00411816), ref: 005361DC
Part of subcall function 00536150: __vbaFreeObj.MSVBVM60(?,00000001,?,00000000,00411816), ref: 005361FD
Part of subcall function 00536150: __vbaStrCmp.MSVBVM60(00473D9C,00000000,?,00000001,?,00000000,00411816), ref: 0053628D
Part of subcall function 00536150: #685.MSVBVM60(?,00000001,?,00000000,00411816), ref: 005362A2
Part of subcall function 00536150: __vbaObjSet.MSVBVM60(?,00000000,?,00000001,?,00000000,00411816), ref: 005362AD
Part of subcall function 00536150: __vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 005362F8

Strings

+, xrefs: 00546A22
$, xrefs: 005467A7

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Destruct$#685Error$CopyMove$#520ChkstkConstruct2$BoundsCheckConstructFixstrGenerateHresult$List
String ID: $$+
API String ID: 156982937-2639343560
Opcode ID: a7516d9c11d82ff9e8849a977aa7a92a5cfc63cd9075ab21fd8ffdba9afec736
Instruction ID: 17e7b93128e3f0d459893d1fc6b35e20561e1e825f0e64e4e5d9986d31467aca
Opcode Fuzzy Hash: a7516d9c11d82ff9e8849a977aa7a92a5cfc63cd9075ab21fd8ffdba9afec736
Instruction Fuzzy Hash: 2D622974D00209DFDB18CF90DA88BEDBBB1FB49308F1084A9E506BB264DB709A85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004BC710 Relevance: 145.7, APIs: 70, Strings: 13, Instructions: 413COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00411816), ref: 004BC72E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 004BC767

Part of subcall function 004CC360: __vbaChkstk.MSVBVM60(?,00411816,?,?,?,?,?,00411816), ref: 004CC37E
Part of subcall function 004CC360: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 004CC3AE
Part of subcall function 004CC360: __vbaStrToAnsi.MSVBVM60(00000000,screen-saver,00000000,00000000,00000040), ref: 004CC3D7
Part of subcall function 004CC360: __vbaSetSystemError.MSVBVM60(00000000), ref: 004CC3E6
Part of subcall function 004CC360: __vbaFreeStr.MSVBVM60 ref: 004CC3F5
Part of subcall function 004CC360: __vbaSetSystemError.MSVBVM60(00000000), ref: 004CC428
Part of subcall function 004CC360: #685.MSVBVM60 ref: 004CC55A
Part of subcall function 004CC360: __vbaObjSet.MSVBVM60(?,00000000), ref: 004CC565
Part of subcall function 004CC360: __vbaFreeObj.MSVBVM60 ref: 004CC57D

Part of subcall function 0051D000: __vbaChkstk.MSVBVM60(?,00411816,?,?,?,?,00000000,00411816), ref: 0051D01E
Part of subcall function 0051D000: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 0051D04E
Part of subcall function 0051D000: __vbaStrCmp.MSVBVM60(true,0077F45C,?,?,?,?,00411816), ref: 0051D066
Part of subcall function 0051D000: #685.MSVBVM60 ref: 0051D326
Part of subcall function 0051D000: __vbaObjSet.MSVBVM60(00000000,00000000), ref: 0051D331
Part of subcall function 0051D000: __vbaFreeObj.MSVBVM60 ref: 0051D352
Part of subcall function 0051D000: __vbaFreeStr.MSVBVM60(0051D393), ref: 0051D383
Part of subcall function 0051D000: __vbaFreeStr.MSVBVM60 ref: 0051D38C

Part of subcall function 00531FD0: __vbaChkstk.MSVBVM60(00000000,00411816,004CB93C,?,00000001,?,00000000,00411816), ref: 00531FEE
Part of subcall function 00531FD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000001,?,00000000,00411816,004CB93C), ref: 0053201E
Part of subcall function 00531FD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000001,?,00000000,00411816,004CB93C), ref: 0053202D
Part of subcall function 00531FD0: __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,00411816,004CB93C), ref: 0053203C
Part of subcall function 00531FD0: #520.MSVBVM60(?,00004008), ref: 0053206B
Part of subcall function 00531FD0: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 00532093
Part of subcall function 00531FD0: __vbaFreeVar.MSVBVM60 ref: 005320A6
Part of subcall function 00531FD0: __vbaStrCopy.MSVBVM60 ref: 005320CA
Part of subcall function 00531FD0: #520.MSVBVM60(?,00000008,?), ref: 005320F7
Part of subcall function 00531FD0: __vbaStrVarMove.MSVBVM60(?), ref: 00532104
Part of subcall function 00531FD0: __vbaStrMove.MSVBVM60 ref: 00532111
Part of subcall function 00531FD0: __vbaFreeStr.MSVBVM60 ref: 0053211A
Part of subcall function 00531FD0: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 00532130
Part of subcall function 00531FD0: #520.MSVBVM60(?,00004008), ref: 00532162
Part of subcall function 00531FD0: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0053218A
Part of subcall function 00531FD0: __vbaFreeVar.MSVBVM60 ref: 0053219D

__vbaStrI4.MSVBVM60(00000000,Splash,?,?,?,?,00411816), ref: 004BC7C2
__vbaStrMove.MSVBVM60(?,?,?,?,00411816), ref: 004BC7CD
__vbaStrCat.MSVBVM60(00000000,?,?,?,?,00411816), ref: 004BC7D4
__vbaStrMove.MSVBVM60(?,?,?,?,00411816), ref: 004BC7DF
__vbaStrCat.MSVBVM60( is false,00000000,?,?,?,?,00411816), ref: 004BC7EB
__vbaStrMove.MSVBVM60(?,?,?,?,00411816), ref: 004BC7F6
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,00411816), ref: 004BC813
#716.MSVBVM60(?,AloahaCredentialsdll.Provider,00000000,?,?,?,00411816), ref: 004BC82E
__vbaObjVar.MSVBVM60(?,?,?,?,00411816), ref: 004BC838
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,00411816), ref: 004BC843
__vbaFreeVar.MSVBVM60(?,?,?,00411816), ref: 004BC84C
#685.MSVBVM60(?,?,?,00411816), ref: 004BC859
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00411816), ref: 004BC864
__vbaFreeObj.MSVBVM60(?,?,?,00411816), ref: 004BC885
__vbaLateMemCallLd.MSVBVM60(?,?,CardReaderWithI2c,00000000,?,?,?,00411816), ref: 004BC8A1
__vbaI4ErrVar.MSVBVM60(00000000), ref: 004BC8AB
__vbaFreeVar.MSVBVM60 ref: 004BC8B7
__vbaStrI4.MSVBVM60(?,FirstCard is: ), ref: 004BC8CD
__vbaStrMove.MSVBVM60 ref: 004BC8D8
__vbaStrCat.MSVBVM60(00000000), ref: 004BC8DF
__vbaStrMove.MSVBVM60 ref: 004BC8EA
__vbaFreeStrList.MSVBVM60(00000002,?,?,?), ref: 004BC903
__vbaStrI4.MSVBVM60(0000000A,Found I2c Card: ), ref: 004BC937
__vbaStrMove.MSVBVM60 ref: 004BC942
__vbaStrCat.MSVBVM60(00000000), ref: 004BC949
__vbaStrMove.MSVBVM60 ref: 004BC954
__vbaFreeStrList.MSVBVM60(00000002,?,?,?), ref: 004BC96D
__vbaChkstk.MSVBVM60 ref: 004BC98F
__vbaLateMemCallLd.MSVBVM60(?,?,SmartCardNumber,00000001), ref: 004BC9BC
__vbaStrVarMove.MSVBVM60(00000000), ref: 004BC9C6
__vbaStrMove.MSVBVM60 ref: 004BC9D1
__vbaFreeVar.MSVBVM60 ref: 004BC9DA
__vbaStrCat.MSVBVM60(?,StackID is: ), ref: 004BC9F0
__vbaStrMove.MSVBVM60 ref: 004BC9FB
__vbaFreeStr.MSVBVM60(?), ref: 004BCA0D
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004BCA23
__vbaStrCat.MSVBVM60(?,Found for User: ), ref: 004BCA47
__vbaStrMove.MSVBVM60 ref: 004BCA52
__vbaStrCat.MSVBVM60( CardID ,00000000), ref: 004BCA5E
__vbaStrMove.MSVBVM60 ref: 004BCA69
__vbaStrCat.MSVBVM60(?,00000000), ref: 004BCA74
__vbaStrMove.MSVBVM60 ref: 004BCA7F
__vbaStrCat.MSVBVM60( in ,00000000), ref: 004BCA8B
__vbaStrMove.MSVBVM60 ref: 004BCA96
__vbaStrI4.MSVBVM60(0000000A,00000000), ref: 004BCAA1
__vbaStrMove.MSVBVM60 ref: 004BCAAC
__vbaStrCat.MSVBVM60(00000000), ref: 004BCAB3
__vbaStrMove.MSVBVM60 ref: 004BCABE
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?,?), ref: 004BCAE7
__vbaStrCopy.MSVBVM60 ref: 004BCAFD
__vbaLateMemCall.MSVBVM60(?,disconnect,00000000), ref: 004BCB15
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004BCB2B
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004BCB47
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004BCB65
__vbaObjSet.MSVBVM60(?,00000000), ref: 004BCB8E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00474890,0000005C), ref: 004BCBC8
__vbaFreeObj.MSVBVM60 ref: 004BCBE3
__vbaStrMove.MSVBVM60 ref: 004BCBFA
__vbaStrCopy.MSVBVM60 ref: 004BCC08
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?), ref: 004BCC32
__vbaStrMove.MSVBVM60 ref: 004BCC4C
__vbaStrCopy.MSVBVM60 ref: 004BCC5A
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?), ref: 004BCC85
#685.MSVBVM60(?,?,?,?,00411816), ref: 004BCC95
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00411816), ref: 004BCCA0
__vbaFreeObj.MSVBVM60(?,?,?,?,00411816), ref: 004BCCC1
__vbaFreeStr.MSVBVM60(004BCD2A,?,?,?,?,00411816), ref: 004BCD1A
__vbaFreeObj.MSVBVM60(?,?,?,?,00411816), ref: 004BCD23

Part of subcall function 004D2C70: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,004A7331), ref: 004D2C8E
Part of subcall function 004D2C70: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816), ref: 004D2CBE
Part of subcall function 004D2C70: #685.MSVBVM60(?,?,?,00000000,00411816), ref: 004D2CCB
Part of subcall function 004D2C70: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00411816), ref: 004D2CD6
Part of subcall function 004D2C70: __vbaFreeObj.MSVBVM60(?,?,?,00000000,00411816), ref: 004D2CEE
Part of subcall function 004D2C70: __vbaSetSystemError.MSVBVM60(?,?,?,00000000,00411816), ref: 004D2D03
Part of subcall function 004D2C70: __vbaSetSystemError.MSVBVM60(0000087C,0054D658,?,?,?,00000000,00411816), ref: 004D2D2A
Part of subcall function 004D2C70: #685.MSVBVM60(?,?,?,00000000,00411816), ref: 004D2D46
Part of subcall function 004D2C70: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00411816), ref: 004D2D51
Part of subcall function 004D2C70: __vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004D2D84
Part of subcall function 004D2C70: __vbaFreeObj.MSVBVM60 ref: 004D2DA8
Part of subcall function 004D2C70: #685.MSVBVM60 ref: 004D2DCB
Part of subcall function 004D2C70: __vbaObjSet.MSVBVM60(?,00000000), ref: 004D2DD6

Strings

FirstCard is: , xrefs: 004BC8C4
Splash, xrefs: 004BC7B7
disconnect, xrefs: 004BCB0C
CardReaderWithI2c, xrefs: 004BC894
Found I2c Card: , xrefs: 004BC92E
CardID , xrefs: 004BCA59
AloahaCredentialsdll.Provider, xrefs: 004BC825
is false, xrefs: 004BC7E6
in , xrefs: 004BCA86
Found for User: , xrefs: 004BCA38
SmartCardNumber, xrefs: 004BC9AF
StackID is: , xrefs: 004BC9E7
I2CS, xrefs: 004BCC00, 004BCC52

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Move$Error$#685List$Chkstk$CopySystem$#520CallLate$AddrefCheckConstructFixstrHresult$#716Ansi
String ID: CardID $ in $ is false$AloahaCredentialsdll.Provider$CardReaderWithI2c$FirstCard is: $Found I2c Card: $Found for User: $I2CS$SmartCardNumber$Splash$StackID is: $disconnect
API String ID: 316601251-1124518436
Opcode ID: 354a119ca8310ef90918f269b6173e736b913ab154d35cf9f4eacbe3b0ff264c
Instruction ID: 17bdf1e011723c5cd01b2597caae88ef8d9138b36573ed85175c1a84f1945115
Opcode Fuzzy Hash: 354a119ca8310ef90918f269b6173e736b913ab154d35cf9f4eacbe3b0ff264c
Instruction Fuzzy Hash: AD022A75900208EFDB04DFA0EE48BDEBBB9FF48305F108169F506A76A0DB745A45CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00523380 Relevance: 142.4, APIs: 66, Strings: 15, Instructions: 616COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00411816), ref: 0052339E
__vbaOnError.MSVBVM60(000000FF,6D65285F,6D721D9E,6D6517CC,?,00411816), ref: 005233CE
__vbaSetSystemError.MSVBVM60(?,00000000,00000001), ref: 005233EC
#685.MSVBVM60(?,00000000,00000001), ref: 0052340F
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000001), ref: 0052341A
__vbaFreeObj.MSVBVM60(?,00000000,00000001), ref: 00523432
__vbaErrorOverflow.MSVBVM60(?,00000000,00000001), ref: 0052345D
__vbaChkstk.MSVBVM60(?,00411816,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00411816), ref: 0052348E
__vbaStrCopy.MSVBVM60(?,00000000,?,?,00411816), ref: 005234BB
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00411816), ref: 005234CA
#518.MSVBVM60(?,00004008), ref: 00523515
__vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 00523556
__vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 00523564
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0052357B
#518.MSVBVM60(?,00004008), ref: 005235D4

Strings

msxml, xrefs: 00523B13
certinstaller, xrefs: 0052351B
wscript, xrefs: 00523758
Qh|GG, xrefs: 00523D1F
scripting, xrefs: 005238D6
cdo., xrefs: 005235DA
adodb, xrefs: 00523817
8, xrefs: 00523D05
microsoft, xrefs: 00523A54
xml2csv, xrefs: 00523995
aloahapopup, xrefs: 00523699
true, xrefs: 00523D20
xmlhttp, xrefs: 00523BD2
<, xrefs: 00523D36
winhttp, xrefs: 00523C91

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Error$#518ChkstkFree$#685CopyListOverflowSystem
String ID: 8$<$Qh|GG$adodb$aloahapopup$cdo.$certinstaller$microsoft$msxml$scripting$true$winhttp$wscript$xml2csv$xmlhttp
API String ID: 2292410906-2525992247
Opcode ID: 4feea5b8cc2b4a284e519558808c6758656ec438384714f7b52e8e3010b32d99
Instruction ID: 9766edd9eb3996ccca7d33dab98fd766162e2851dd9909ec08af54ebe7e51b54
Opcode Fuzzy Hash: 4feea5b8cc2b4a284e519558808c6758656ec438384714f7b52e8e3010b32d99
Instruction Fuzzy Hash: 6552F7B1901258EADB50CF90DD48BDEBBB8FF04704F108699E149BB1A0EBB55B88CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004D4E80 Relevance: 140.4, APIs: 71, Strings: 9, Instructions: 389COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,004D556A), ref: 004D4E9E
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816), ref: 004D4ECE
__vbaStrCmp.MSVBVM60(00473D9C,007802FC,?,?,?,00000000,00411816), ref: 004D4EE6
__vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 004D4F00
__vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 004D4F1A
__vbaStrMove.MSVBVM60(?,?,?,?,00000000,00411816), ref: 004D4F2E
__vbaFreeStr.MSVBVM60(?,?,?,00000000,00411816), ref: 004D4F37
__vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,00000000,00411816), ref: 004D4F4D
__vbaStrCat.MSVBVM60(SOFTWARE\Polizei\HH,HKLM\,?,?,?,00000000,00411816), ref: 004D4F6C
__vbaStrMove.MSVBVM60(?,?,?,00000000,00411816), ref: 004D4F77
__vbaStrCat.MSVBVM60(\Logon\Standard\LogonDomain,00000000,?,?,?,00000000,00411816), ref: 004D4F83
__vbaStrMove.MSVBVM60(?,?,?,00000000,00411816), ref: 004D4F8E
#520.MSVBVM60(?,00000008), ref: 004D4FAF
__vbaStrVarMove.MSVBVM60(?), ref: 004D4FB9
__vbaStrMove.MSVBVM60 ref: 004D4FC4
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004D4FD4
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,00000000,00411816), ref: 004D4FE7
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D5000
__vbaStrCat.MSVBVM60(SOFTWARE\Polizei,HKLM\), ref: 004D501F
__vbaStrMove.MSVBVM60 ref: 004D502A
__vbaStrCat.MSVBVM60(\Logon\Standard\LogonDomain,00000000), ref: 004D5036
__vbaStrMove.MSVBVM60 ref: 004D5041
#520.MSVBVM60(?,00000008), ref: 004D5062
__vbaStrVarMove.MSVBVM60(?), ref: 004D506C
__vbaStrMove.MSVBVM60 ref: 004D5077
#685.MSVBVM60(?,?,?,00000000,00411816), ref: 004D52DA
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00411816), ref: 004D52E5
__vbaFreeObj.MSVBVM60(?,?,?,00000000,00411816), ref: 004D5306
__vbaFreeStr.MSVBVM60(004D5369,?,?,?,00000000,00411816), ref: 004D5359
__vbaFreeStr.MSVBVM60(?,?,?,00000000,00411816), ref: 004D5362

Strings

HKLM\Software\Aloaha\RKK\StandardHive, xrefs: 004D4F12, 004D50D9, 004D5128, 004D5177
SOFTWARE\Polizei\HH, xrefs: 004D4F67, 004D515A
HKLM\SOFTWARE\Aloaha\RKK\Settings, xrefs: 004D50C4, 004D51BC
4w, xrefs: 004D5405, 004D5421, 004D543E
SOFTWARE\Polizei, xrefs: 004D501A, 004D510B
\Logon\Standard\LogonDomain, xrefs: 004D4F7E, 004D5031
$, xrefs: 004D52D3
null, xrefs: 004D5428
HKLM\, xrefs: 004D4F62, 004D5015, 004D5106, 004D5155

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Move$Free$#520CopyList$#685ChkstkError
String ID: $$4w$HKLM\$HKLM\SOFTWARE\Aloaha\RKK\Settings$HKLM\Software\Aloaha\RKK\StandardHive$SOFTWARE\Polizei$SOFTWARE\Polizei\HH$\Logon\Standard\LogonDomain$null
API String ID: 2309052633-4154475983
Opcode ID: 3598d41e47d2fe804a7bdd6dfc4e2779b6f03ab700c26e4934d4ee04ff925116
Instruction ID: 53908c96de9d9482387fcc2d48368804342b4ce569a7f890d608871c2705f88a
Opcode Fuzzy Hash: 3598d41e47d2fe804a7bdd6dfc4e2779b6f03ab700c26e4934d4ee04ff925116
Instruction Fuzzy Hash: 00F12871900209EBDB04DFA0EA58BDEBB78FF08705F10806AE506B76A0DB745A49CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00519660 Relevance: 115.9, APIs: 59, Strings: 7, Instructions: 380COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,?,?,?,?,00000000,00411816), ref: 0051967E
__vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,00411816), ref: 005196AE
__vbaStrCopy.MSVBVM60(?,00000001,?,00000000,00411816), ref: 005196C3
__vbaFreeStr.MSVBVM60(?,?,00000001,?,00000000,00411816), ref: 005196D5
__vbaStrCmp.MSVBVM60(true,0077F574,?,00000001,?,00000000,00411816), ref: 005196EE
__vbaStrCopy.MSVBVM60(?,00000001,?,00000000,00411816), ref: 0051970D
#685.MSVBVM60(?,00000001,?,00000000,00411816), ref: 0051971A
__vbaObjSet.MSVBVM60(?,00000000,?,00000001,?,00000000,00411816), ref: 00519725
__vbaFreeObj.MSVBVM60(?,00000001,?,00000000,00411816), ref: 00519746
__vbaLateMemCallLd.MSVBVM60(?,00000000,info,00000000), ref: 00519772
__vbaVarTstLt.MSVBVM60(?,00000000,00000001,?,00000000,00411816), ref: 00519780
__vbaFreeVar.MSVBVM60(?,00000000,00411816), ref: 0051978D
__vbaObjSetAddref.MSVBVM60(0054D334,00000000,?,00000000,00411816), ref: 005197A9
#685.MSVBVM60(?,00000000,00411816), ref: 005197BB
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,00411816), ref: 005197C6
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 005197F9
__vbaFreeObj.MSVBVM60 ref: 00519826
__vbaObjSetAddref.MSVBVM60(0054D334,00000000), ref: 00519845
#685.MSVBVM60 ref: 00519852
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051985D
__vbaFreeObj.MSVBVM60 ref: 0051987E
#685.MSVBVM60 ref: 0051988B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00519896
__vbaFreeObj.MSVBVM60 ref: 005198B7
__vbaChkstk.MSVBVM60 ref: 005198ED
__vbaLateMemSt.MSVBVM60(00000000,AnaCalled), ref: 00519916
#685.MSVBVM60 ref: 00519923
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051992E
__vbaFreeObj.MSVBVM60 ref: 0051994F
__vbaLateMemCallLd.MSVBVM60(?,00000000,HighestLicenseCount,00000000), ref: 0051996E
__vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,00000000,00411816), ref: 00519978
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00000000,00411816), ref: 00519984
#685.MSVBVM60(?,?,?,?,?,?,00000000,00411816), ref: 005199A1
__vbaObjSet.MSVBVM60(?,00000000), ref: 005199AC
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 005199DF
__vbaFreeObj.MSVBVM60 ref: 00519A0C
#685.MSVBVM60 ref: 00519A32
__vbaObjSet.MSVBVM60(?,00000000), ref: 00519A3D
__vbaFreeObj.MSVBVM60 ref: 00519A5E
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 00519A77
__vbaI4Str.MSVBVM60(00000000), ref: 00519A92
__vbaI4Str.MSVBVM60(00000000), ref: 00519AAE
#685.MSVBVM60 ref: 00519AC4
__vbaObjSet.MSVBVM60(?,00000000), ref: 00519ACF
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 00519B02
__vbaFreeObj.MSVBVM60 ref: 00519B2F
__vbaI4Str.MSVBVM60(00000000), ref: 00519B4E
#685.MSVBVM60 ref: 00519B5E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00519B69
__vbaFreeObj.MSVBVM60 ref: 00519B8A
__vbaStrCopy.MSVBVM60 ref: 00519BA1
__vbaStrI4.MSVBVM60(?,highest license count: ,?,00000001,?,00000000,00411816), ref: 00519BC4
__vbaStrMove.MSVBVM60(?,00000001,?,00000000,00411816), ref: 00519BCF
__vbaStrCat.MSVBVM60(00000000,?,00000001,?,00000000,00411816), ref: 00519BD6
__vbaStrMove.MSVBVM60(?,00000001,?,00000000,00411816), ref: 00519BE1
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,00000001,?,00000000,00411816), ref: 00519BFA
#685.MSVBVM60(?,00000000,00411816), ref: 00519C0A
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,00411816), ref: 00519C15
__vbaFreeObj.MSVBVM60(?,00000000,00411816), ref: 00519C36

Strings

), xrefs: 00519C03
highest license count: , xrefs: 00519BBB
HighestLicenseCount, xrefs: 0051995E
AnaCalled, xrefs: 0051990B
true, xrefs: 005196E9, 00519703
info, xrefs: 00519763
going to find highest license count, xrefs: 005196BB

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$#685$CheckCopyHresultLate$AddrefCallChkstkMove$ErrorList
String ID: )$AnaCalled$HighestLicenseCount$going to find highest license count$highest license count: $info$true
API String ID: 754081290-3881071883
Opcode ID: f7debca005518700aba3e27149140df188f5f3c446fa4977de6c84be161b36f0
Instruction ID: af87369607805730326605d3909c552a80991829f514a1ce16ada7f528050750
Opcode Fuzzy Hash: f7debca005518700aba3e27149140df188f5f3c446fa4977de6c84be161b36f0
Instruction Fuzzy Hash: 76023975D01208EFEB14DFA4DA48BDEBBB5FF48305F2081A9E506A72A0DB749A44DF14

Uniqueness

Uniqueness Score: -1.00%

Function 0050CF40 Relevance: 114.1, APIs: 59, Strings: 6, Instructions: 399fileCOMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00411816,?,?,00000001,00000000,00000000,00411816,004F38EA), ref: 0050CF5E
__vbaOnError.MSVBVM60(000000FF,?,00000001,00000000,?,00411816,?), ref: 0050CF8E
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,00000001,00000000,?,00411816,?), ref: 0050CFA6
#685.MSVBVM60(?,00000001,00000000,?,00411816,?), ref: 0050CFE1
__vbaObjSet.MSVBVM60(00000000,00000000,?,00000001,00000000,?,00411816,?), ref: 0050CFEC
__vbaFreeObj.MSVBVM60(?,00000001,00000000,?,00411816,?), ref: 0050D00D
__vbaStrCopy.MSVBVM60 ref: 0050D030
__vbaStrCopy.MSVBVM60 ref: 0050D03E
__vbaStrMove.MSVBVM60(00000001,?,0000000A), ref: 0050D05A
__vbaFreeStrList.MSVBVM60(00000002,00000001,?), ref: 0050D06A
__vbaFreeVar.MSVBVM60(00000000,?,00411816,?), ref: 0050D076
#685.MSVBVM60 ref: 0050D083
__vbaObjSet.MSVBVM60(?,00000000), ref: 0050D08E
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 0050D0C1
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 0050D0E2
__vbaFreeObj.MSVBVM60 ref: 0050D104
__vbaStrCopy.MSVBVM60 ref: 0050D121
__vbaI4Str.MSVBVM60(?), ref: 0050D132
__vbaStrCmp.MSVBVM60(00473D9C,?,?,00000001,00000000,?,00411816,?), ref: 0050D14F
#685.MSVBVM60(?,?,00000001,00000000,?,00411816,?), ref: 0050D171
__vbaObjSet.MSVBVM60(?,00000000,?,?,00000001,00000000,?,00411816,?), ref: 0050D17C
__vbaFreeObj.MSVBVM60(?,?,00000001,00000000,?,00411816,?), ref: 0050D19D
__vbaFileOpen.MSVBVM60(00000008,000000FF,00000001,c:\aloaha.log,?,?,00000001,00000000,?,00411816,?), ref: 0050D1D5
#685.MSVBVM60(?,?,00000001,00000000,?,00411816,?), ref: 0050D1E2
__vbaObjSet.MSVBVM60(?,00000000,?,?,00000001,00000000,?,00411816,?), ref: 0050D1ED
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 0050D220
__vbaFreeObj.MSVBVM60 ref: 0050D24A
__vbaFileClose.MSVBVM60(00000001), ref: 0050D261
#685.MSVBVM60 ref: 0050D26E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0050D279
__vbaFreeObj.MSVBVM60 ref: 0050D29A
__vbaFileOpen.MSVBVM60(00000008,000000FF,00000001,d:\aloaha.log), ref: 0050D2B2
#685.MSVBVM60 ref: 0050D2BF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0050D2CA
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 0050D2FD
__vbaFreeObj.MSVBVM60 ref: 0050D327
__vbaFileClose.MSVBVM60(00000001), ref: 0050D33E
#685.MSVBVM60 ref: 0050D34B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0050D356
__vbaFreeObj.MSVBVM60 ref: 0050D377
__vbaFileOpen.MSVBVM60(00000008,000000FF,00000001,e:\aloaha.log), ref: 0050D38F
#685.MSVBVM60 ref: 0050D39C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0050D3A7
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 0050D3DA
__vbaFreeObj.MSVBVM60 ref: 0050D404
#712.MSVBVM60(?,0047C158,00473D9C,00000001,000000FF,00000000), ref: 0050D433
#520.MSVBVM60(?,00000008,?,0047C158,00473D9C,00000001,000000FF,00000000), ref: 0050D44B
__vbaStrVarMove.MSVBVM60(?,?,0047C158,00473D9C,00000001,000000FF,00000000), ref: 0050D455
__vbaStrMove.MSVBVM60(?,0047C158,00473D9C,00000001,000000FF,00000000), ref: 0050D460
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,0047C158,00473D9C,00000001,000000FF,00000000), ref: 0050D470
__vbaPrintFile.MSVBVM60(00484480,00000001,?,00000000,?,00411816,?), ref: 0050D48D
__vbaFileClose.MSVBVM60(00000001), ref: 0050D49F
#685.MSVBVM60(?,?,?,?,?,00411816,?), ref: 0050D4AC
__vbaObjSet.MSVBVM60(?,00000000), ref: 0050D4B7
__vbaFreeObj.MSVBVM60(?,?,?,?,?,00411816,?), ref: 0050D4D8
#685.MSVBVM60(?,00000001,00000000,?,00411816,?), ref: 0050D4E5
__vbaObjSet.MSVBVM60(00000000,00000000,?,00000001,00000000,?,00411816,?), ref: 0050D4F0
__vbaFreeObj.MSVBVM60(?,00000001,00000000,?,00411816,?), ref: 0050D511
__vbaFreeStr.MSVBVM60(0050D558,?,00000001,00000000,?,00411816,?), ref: 0050D551

Strings

e:\aloaha.log, xrefs: 0050D384
$, xrefs: 0050D4DE
d:\aloaha.log, xrefs: 0050D2A7
c:\aloaha.log, xrefs: 0050D1CA
clog, xrefs: 0050D028
Software\Aloaha\pdf, xrefs: 0050D036

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$#685$File$CheckHresult$CloseCopyMoveOpen$List$#520#712ChkstkErrorPrint
String ID: $$Software\Aloaha\pdf$c:\aloaha.log$clog$d:\aloaha.log$e:\aloaha.log
API String ID: 504476220-1490951336
Opcode ID: 16488c1b217ba50f9db8ce51de278bf525abf4c0f0c4292a9f0746d90d485f0e
Instruction ID: aaf877663dc4545fba403a8b3a3959a0b6ab3d3627320e85fe1798df9a22910a
Opcode Fuzzy Hash: 16488c1b217ba50f9db8ce51de278bf525abf4c0f0c4292a9f0746d90d485f0e
Instruction Fuzzy Hash: B2020475900318EFDB14DFA0DE48BDEBBB4BF48705F108169E50AAB2A0DBB45A44DF64

Uniqueness

Uniqueness Score: -1.00%

Function 0053F3D0 Relevance: 93.4, APIs: 62, Instructions: 401COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00411816,?,?,00000001,?,?,00411816), ref: 0053F3EE
__vbaOnError.MSVBVM60(000000FF,?,00000001,?,?,00411816), ref: 0053F41E
__vbaGenerateBoundsError.MSVBVM60 ref: 0053F4BF
__vbaGenerateBoundsError.MSVBVM60 ref: 0053F4D9
_adj_fdiv_m64.MSVBVM60 ref: 0053F53C
__vbaR8FixI4.MSVBVM60 ref: 0053F54B
#607.MSVBVM60(?,00000001,00000003), ref: 0053F5A9
__vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0053F5BE
__vbaStrVarMove.MSVBVM60(00000000), ref: 0053F5C5
__vbaStrMove.MSVBVM60 ref: 0053F5D0
__vbaFreeVarList.MSVBVM60(00000003,00000003,?,?), ref: 0053F5E4
#607.MSVBVM60(?,00000001,00000003), ref: 0053F643
__vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0053F658
__vbaStrVarMove.MSVBVM60(00000000), ref: 0053F65F
__vbaStrMove.MSVBVM60 ref: 0053F66A
__vbaFreeVarList.MSVBVM60(00000003,00000003,?,?), ref: 0053F67E
#607.MSVBVM60(?,00000001,00000002), ref: 0053F6FE
__vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0053F713
__vbaStrVarMove.MSVBVM60(00000000), ref: 0053F71A
__vbaStrMove.MSVBVM60 ref: 0053F725
__vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 0053F739
#607.MSVBVM60(?,00000001,00000002), ref: 0053F7A1
__vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0053F7B6
__vbaStrVarMove.MSVBVM60(00000000), ref: 0053F7BD
__vbaStrMove.MSVBVM60 ref: 0053F7C8
__vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 0053F7DC
__vbaStrCat.MSVBVM60(00477FFC,?), ref: 0053F7F5
__vbaStrMove.MSVBVM60 ref: 0053F800
__vbaStrCopy.MSVBVM60 ref: 0053F81F
#685.MSVBVM60 ref: 0053F82C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0053F837
__vbaFreeObj.MSVBVM60 ref: 0053F858
__vbaFreeStr.MSVBVM60(0053F8A4), ref: 0053F89D
__vbaErrorOverflow.MSVBVM60(?,00000001,?,?,00411816), ref: 0053F8BF
__vbaChkstk.MSVBVM60(?,00411816), ref: 0053F8EE
__vbaOnError.MSVBVM60(000000FF,?,00000001,?,?,00411816), ref: 0053F91E
__vbaStrCopy.MSVBVM60(?,00000001,?,00000000,00411816), ref: 0053F958
#685.MSVBVM60(?,00000001,?,00000000,00411816), ref: 005445BB
__vbaObjSet.MSVBVM60(?,00000000), ref: 005445C9
__vbaFreeObj.MSVBVM60(?,00000001,?,00000000,00411816), ref: 005445ED
__vbaFreeObj.MSVBVM60(005447C9), ref: 005446F0
__vbaAryDestruct.MSVBVM60(004741C8,?), ref: 00544702
__vbaFreeObj.MSVBVM60(?,00000001,?,00000000,00411816), ref: 0054470B
__vbaFreeObj.MSVBVM60(?,00000001,?,00000000,00411816), ref: 00544714
__vbaFreeStr.MSVBVM60(?,00000001,?,00000000,00411816), ref: 0054471D
__vbaFreeStr.MSVBVM60(?,00000001,?,00000000,00411816), ref: 00544726
__vbaFreeObj.MSVBVM60(?,00000001,?,00000000,00411816), ref: 0054472F
__vbaFreeStr.MSVBVM60(?,00000001,?,00000000,00411816), ref: 00544738
__vbaFreeStr.MSVBVM60(?,00000001,?,00000000,00411816), ref: 00544741
__vbaFreeStr.MSVBVM60(?,00000001,?,00000000,00411816), ref: 0054474A
__vbaFreeStr.MSVBVM60(?,00000001,?,00000000,00411816), ref: 00544753
__vbaFreeStr.MSVBVM60(?,00000001,?,00000000,00411816), ref: 0054475C
__vbaFreeStr.MSVBVM60(?,00000001,?,00000000,00411816), ref: 00544765
__vbaFreeStr.MSVBVM60(?,00000001,?,00000000,00411816), ref: 0054476E
__vbaFreeStr.MSVBVM60(?,00000001,?,00000000,00411816), ref: 00544777
__vbaFreeObj.MSVBVM60(?,00000001,?,00000000,00411816), ref: 00544780
__vbaFreeObj.MSVBVM60(?,00000001,?,00000000,00411816), ref: 00544789
__vbaFreeStr.MSVBVM60(?,00000001,?,00000000,00411816), ref: 00544792

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Move$Error$#607List$#685BoundsChkstkCopyGenerate$DestructOverflow_adj_fdiv_m64
String ID:
API String ID: 3471061930-0
Opcode ID: 90955c64f4c339ff3a23cfb0b7edb520c12bf5ea6736a6b0f075adc3aa2ba04b
Instruction ID: 3ea0dd90c2d85410f175e6fa0dda96c02a9998031f539c8c8f7562fb50ff3f92
Opcode Fuzzy Hash: 90955c64f4c339ff3a23cfb0b7edb520c12bf5ea6736a6b0f075adc3aa2ba04b
Instruction Fuzzy Hash: 86022675C00209EFEB04DFA0DA48BDDBBB4FF04305F1081A9E516A76A0DB746A89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0052D4C0 Relevance: 93.0, APIs: 49, Strings: 4, Instructions: 297COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00411816,004B1BE8), ref: 0052D4DE
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816,004B1BE8), ref: 0052D50E
__vbaStrCmp.MSVBVM60(00473D9C,00772F2C,?,?,?,?,00411816,004B1BE8), ref: 0052D526
__vbaStrCmp.MSVBVM60(null,00772F2C,?,?,?,?,00411816,004B1BE8), ref: 0052D53F
__vbaStrCopy.MSVBVM60(?,?,?,?,00411816,004B1BE8), ref: 0052D560
__vbaStrMove.MSVBVM60(?,?,?,?,00411816,004B1BE8), ref: 0052D57C
__vbaInStr.MSVBVM60(00000000,004775E8,?,00000001,?,?,?,?,00411816,004B1BE8), ref: 0052D596
__vbaStrCopy.MSVBVM60(?,?,?,?,00411816,004B1BE8), ref: 0052D5AF
__vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,?,00411816,004B1BE8), ref: 0052D5C5
__vbaStrCopy.MSVBVM60(?,?,?,?,00411816,004B1BE8), ref: 0052D5DE
__vbaStrCopy.MSVBVM60(?,?,?,?,00411816,004B1BE8), ref: 0052D5F1
#685.MSVBVM60(?,?,?,?,?,?,?,00411816,004B1BE8), ref: 0052D916
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00411816,004B1BE8), ref: 0052D921
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00411816,004B1BE8), ref: 0052D942
__vbaFreeStr.MSVBVM60(0052D9B8,?,?,?,?,?,?,?,00411816,004B1BE8), ref: 0052D99F
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,00411816,004B1BE8), ref: 0052D9A8
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,00411816,004B1BE8), ref: 0052D9B1

Strings

USERDOMAIN, xrefs: 0052D6DB, 0052D7EA
USERNAME, xrefs: 0052D669
null, xrefs: 0052D53A, 0052D8EA
,/w, xrefs: 0052D51B, 0052D533, 0052D557, 0052D5D9, 0052D897, 0052D8D2, 0052D8EF

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$CopyFree$#685ChkstkErrorMove
String ID: ,/w$USERDOMAIN$USERNAME$null
API String ID: 3359174267-1620325221
Opcode ID: 30da333b105c3e64b37d43671934e97d0b4f9fc030355e0cc7228c5563f0cf97
Instruction ID: e0f11b7ed9490c396aeee1661230520942dcf7ca1f18e7877b83b4eb6f909733
Opcode Fuzzy Hash: 30da333b105c3e64b37d43671934e97d0b4f9fc030355e0cc7228c5563f0cf97
Instruction Fuzzy Hash: B0D11776900209DBDB14DFA0DE48BDEBBB8FB08305F1085A9E606B71A0DB745B49CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00506CF0 Relevance: 91.3, APIs: 49, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(0040B120,00411816,?,?,00000000,00000000,?,00411816), ref: 00506D0E
__vbaStrCopy.MSVBVM60(?,00000000,00000000,0040B120,00411816), ref: 00506D3B
__vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,0040B120,00411816), ref: 00506D4A
__vbaStrCat.MSVBVM60(.lock,00000000,?,00000000,00000000,0040B120,00411816), ref: 00506D60
__vbaStrMove.MSVBVM60(?,00000000,00000000,0040B120,00411816), ref: 00506D6B
#645.MSVBVM60(00004008,00000000), ref: 00506D8B
__vbaStrMove.MSVBVM60 ref: 00506D96
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 00506DA2
__vbaFreeStr.MSVBVM60 ref: 00506DB7
#685.MSVBVM60 ref: 00506DD0
__vbaObjSet.MSVBVM60(?,00000000), ref: 00506DDB
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 00506E0E
__vbaFreeObj.MSVBVM60 ref: 00506E32
#685.MSVBVM60 ref: 00506E84
__vbaObjSet.MSVBVM60(?,00000000), ref: 00506E8F
__vbaFreeObj.MSVBVM60 ref: 00506EA7
#645.MSVBVM60(00004008,00000000), ref: 00506EC7
__vbaStrMove.MSVBVM60 ref: 00506ED2
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 00506EDE
__vbaFreeStr.MSVBVM60 ref: 00506EF3
#685.MSVBVM60 ref: 00506F0C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00506F17
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 00506F4A
__vbaFreeObj.MSVBVM60 ref: 00506F6E
__vbaSetSystemError.MSVBVM60(00000064), ref: 00506F8E
#598.MSVBVM60 ref: 00506F9B
#685.MSVBVM60 ref: 00507162
__vbaObjSet.MSVBVM60(?,00000000), ref: 0050716D
__vbaFreeObj.MSVBVM60 ref: 0050718E
__vbaFreeStr.MSVBVM60(005071C1), ref: 005071B1
__vbaFreeStr.MSVBVM60 ref: 005071BA

Strings

Z, xrefs: 00506FA8
d, xrefs: 00506E4B
.lock, xrefs: 00506D5B

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$#685$Move$#645CheckErrorHresult$#598ChkstkCopySystem
String ID: .lock$Z$d
API String ID: 3495278122-3276679207
Opcode ID: cb18210faf9e05ff2e9ba7645b02ec4141777525903ea09fa90143d99de494aa
Instruction ID: ba1c5f1086975590c743d684263368a958f03391c478e0a4182efd6bfb00136f
Opcode Fuzzy Hash: cb18210faf9e05ff2e9ba7645b02ec4141777525903ea09fa90143d99de494aa
Instruction Fuzzy Hash: EBE1E475D00209EFDB14DFA0DA48BEEBBB4BF08706F208569E506B72A0DB745A49CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0054A720 Relevance: 89.5, APIs: 43, Strings: 8, Instructions: 299COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,00546B91,?,?,?,00000000,00411816,00546A11), ref: 0054A73E
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816,00546B91), ref: 0054A76E
#520.MSVBVM60(?,00004008), ref: 0054A7A7
#518.MSVBVM60(?,00004008), ref: 0054A7E0
#520.MSVBVM60(?,?), ref: 0054A7EE
__vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 0054A817
__vbaVarCmpEq.MSVBVM60(?,00008008,?,00000000), ref: 0054A830
__vbaVarOr.MSVBVM60(?,00000000), ref: 0054A83E
__vbaBoolVarNull.MSVBVM60(00000000), ref: 0054A845
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0054A860
__vbaStrCopy.MSVBVM60 ref: 0054A887
__vbaStrMove.MSVBVM60(?), ref: 0054A89D
__vbaFreeStr.MSVBVM60 ref: 0054A8A6
__vbaInStr.MSVBVM60(00000000,0047BCF8,0075AB4C,00000001), ref: 0054A8C2
__vbaStrCopy.MSVBVM60 ref: 0054A8DD

Part of subcall function 005088A0: __vbaChkstk.MSVBVM60(?,00411816,?,?,?,0054A98F,?,?), ref: 005088BE
Part of subcall function 005088A0: __vbaOnError.MSVBVM60(000000FF,?,00000001,?,?,00411816), ref: 005088EE
Part of subcall function 005088A0: __vbaStrCat.MSVBVM60(.lock,?,?,00000001,?,?,00411816), ref: 00508906
Part of subcall function 005088A0: __vbaStrMove.MSVBVM60(?,?,00000001,?,?,00411816), ref: 00508911
Part of subcall function 005088A0: __vbaStrCmp.MSVBVM60(true,007C07AC,00000000,?,?,00000001,?,?,00411816), ref: 0050893C
Part of subcall function 005088A0: __vbaStrCmp.MSVBVM60(true,007C07AC), ref: 005089A2
Part of subcall function 005088A0: __vbaSetSystemError.MSVBVM60(00000064), ref: 005089BA
Part of subcall function 005088A0: #598.MSVBVM60 ref: 005089C7
Part of subcall function 005088A0: __vbaStrCopy.MSVBVM60 ref: 005089F6
Part of subcall function 005088A0: #685.MSVBVM60 ref: 00508A03
Part of subcall function 005088A0: __vbaObjSet.MSVBVM60(?,00000000), ref: 00508A0E
Part of subcall function 005088A0: __vbaFreeObj.MSVBVM60 ref: 00508A2F
Part of subcall function 005088A0: #645.MSVBVM60(00004008,00000000), ref: 00508A55
Part of subcall function 005088A0: __vbaStrMove.MSVBVM60 ref: 00508A60
Part of subcall function 005088A0: __vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 00508A6C

__vbaStrCmp.MSVBVM60(00473D9C,0075AB4C), ref: 0054A8F6
__vbaStrCopy.MSVBVM60 ref: 0054A911
__vbaStrCmp.MSVBVM60(00473D9C,0075AB4C), ref: 0054A92A
__vbaInStr.MSVBVM60(00000000,0047BCF8,0075AB4C,00000001), ref: 0054A946
__vbaStrMove.MSVBVM60 ref: 0054A96E
__vbaStrCopy.MSVBVM60 ref: 0054A97C
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?), ref: 0054A999
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,00411816,00546B91), ref: 0054A9B3
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,00411816,00546B91), ref: 0054A9C1
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,00411816,00546B91), ref: 0054A9DE
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00411816,00546B91), ref: 0054A9F8
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,00411816,00546B91), ref: 0054AA06
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,00411816,00546B91), ref: 0054AA23
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00411816,00546B91), ref: 0054AA3D
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00411816,00546B91), ref: 0054AA4B
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?), ref: 0054AA68

Part of subcall function 00510480: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,0049F35F,?,?,?,?,?,?,00411816), ref: 0051049E
Part of subcall function 00510480: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816), ref: 005104CE
Part of subcall function 00510480: __vbaStrCmp.MSVBVM60(00473D9C,00000000,?,?,?,00000000,00411816), ref: 005104E6
Part of subcall function 00510480: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 00510500
Part of subcall function 00510480: #685.MSVBVM60(?,?,?,00000000,00411816), ref: 0051076C
Part of subcall function 00510480: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00411816), ref: 00510777
Part of subcall function 00510480: __vbaFreeObj.MSVBVM60(?,?,?,00000000,00411816), ref: 00510798
Part of subcall function 00510480: __vbaFreeStr.MSVBVM60(005107F1,?,?,?,00000000,00411816), ref: 005107E1
Part of subcall function 00510480: __vbaFreeStr.MSVBVM60(?,?,?,00000000,00411816), ref: 005107EA

__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 0054AA82
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 0054AA90
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?), ref: 0054AAAD

Part of subcall function 00510480: __vbaStrMove.MSVBVM60(?,?,?,00000000,00411816), ref: 0051051C
Part of subcall function 00510480: __vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,00000000,00411816), ref: 00510532
Part of subcall function 00510480: __vbaStrMove.MSVBVM60(?,?,?,00000000,00411816), ref: 0051054D
Part of subcall function 00510480: __vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,00000000,00411816), ref: 00510563
Part of subcall function 00510480: __vbaNew2.MSVBVM60(00477E14,0054ED28,?,?,?,00000000,00411816), ref: 0051058B
Part of subcall function 00510480: __vbaHresultCheckObj.MSVBVM60(00000000,?,00477E04,00000014), ref: 005105DC
Part of subcall function 00510480: __vbaHresultCheckObj.MSVBVM60(00000000,?,0047A994,00000050), ref: 0051062D
Part of subcall function 00510480: __vbaStrMove.MSVBVM60 ref: 0051065E
Part of subcall function 00510480: __vbaFreeObj.MSVBVM60 ref: 00510667
Part of subcall function 00510480: __vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,00000000,00411816), ref: 0051067D

__vbaStrMove.MSVBVM60 ref: 0054AAC7
__vbaStrCopy.MSVBVM60 ref: 0054AAD5
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?), ref: 0054AAF2
__vbaStrCmp.MSVBVM60(00473D9C,0075AB4C), ref: 0054AB0E
__vbaInStr.MSVBVM60(00000000,0047BCF8,0075AB4C,00000001), ref: 0054AB2A
#685.MSVBVM60 ref: 0054AB51
__vbaObjSet.MSVBVM60(?,00000000), ref: 0054AB5C
__vbaFreeObj.MSVBVM60 ref: 0054AB7D
__vbaFreeStr.MSVBVM60(0054ABDA), ref: 0054ABD3

Strings

Global, xrefs: 0054AA88
Reader, xrefs: 0054A9B9
Certificates, xrefs: 0054AA43
CertificatesCtype, xrefs: 0054A974
FingerPrints, xrefs: 0054A9FE
null, xrefs: 0054A7F4, 0054A907
HKLM\Software\Aloaha\csp\plugin, xrefs: 0054A87F
LastReaderNames, xrefs: 0054AACD

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Move$Copy$List$Error$#685Chkstk$#520CheckHresult$#518#598#645BoolNew2NullSystem
String ID: Certificates$CertificatesCtype$FingerPrints$Global$HKLM\Software\Aloaha\csp\plugin$LastReaderNames$Reader$null
API String ID: 1277236490-3177415632
Opcode ID: c06f29fe32006f1bff200080b6da762bbfb209beeff0fbbc10078cd7e937160e
Instruction ID: 1433fe4c36b94c09f2db299f276f5d3647102819e8d5d13ae204a24ada6f5ada
Opcode Fuzzy Hash: c06f29fe32006f1bff200080b6da762bbfb209beeff0fbbc10078cd7e937160e
Instruction Fuzzy Hash: 57C13B76900209ABDB14DFA0DE48BEEBB78FF48705F10C169E606B65A0DB745A08DF64

Uniqueness

Uniqueness Score: -1.00%

Function 004BD210 Relevance: 87.8, APIs: 49, Strings: 1, Instructions: 343COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00411816,?,?,00000000,00000000,?,00411816), ref: 004BD22E
__vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00411816), ref: 004BD25B
__vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00411816), ref: 004BD26A
#685.MSVBVM60(?,?,00000000,00000000,?,00411816), ref: 004BD29C
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,?,00411816), ref: 004BD2A7
__vbaFreeObj.MSVBVM60(?,00000000,00000000,?,00411816), ref: 004BD2BF
#645.MSVBVM60(00004008,00000000), ref: 004BD2DF
__vbaStrMove.MSVBVM60 ref: 004BD2EA
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004BD2F6
__vbaFreeStr.MSVBVM60 ref: 004BD30B
#685.MSVBVM60 ref: 004BD324
__vbaObjSet.MSVBVM60(?,00000000), ref: 004BD32F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004BD362
__vbaFreeObj.MSVBVM60 ref: 004BD386
#529.MSVBVM60(00004008), ref: 004BD3AC
#685.MSVBVM60 ref: 004BD3B9
__vbaObjSet.MSVBVM60(?,00000000), ref: 004BD3C4
__vbaFreeObj.MSVBVM60 ref: 004BD3DC
#685.MSVBVM60(?,00000000,00000000,?,00411816), ref: 004BD3E9
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,?,00411816), ref: 004BD3F4
__vbaFreeObj.MSVBVM60(?,00000000,00000000,?,00411816), ref: 004BD415
#645.MSVBVM60(00004008,00000000), ref: 004BD449
__vbaStrMove.MSVBVM60 ref: 004BD454
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004BD460
__vbaFreeStr.MSVBVM60 ref: 004BD475
#685.MSVBVM60 ref: 004BD48E
__vbaObjSet.MSVBVM60(?,00000000), ref: 004BD499
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004BD4CC
__vbaFreeObj.MSVBVM60 ref: 004BD4F6
__vbaFreeStr.MSVBVM60(004BD702), ref: 004BD6FB

Part of subcall function 004C2E80: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,00000000,00000000,?,00411816), ref: 004C2E9E
Part of subcall function 004C2E80: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00411816,?), ref: 004C2ECE
Part of subcall function 004C2E80: __vbaStrCmp.MSVBVM60(00473D9C,?,?,00000000,00000000,00000000,00411816,?), ref: 004C2EE6
Part of subcall function 004C2E80: #518.MSVBVM60(?,00004008), ref: 004C2F17
Part of subcall function 004C2E80: __vbaVarCmpNe.MSVBVM60(?,00008008,?,0000000B), ref: 004C2F3E
Part of subcall function 004C2E80: __vbaVarAnd.MSVBVM60(?,00000000), ref: 004C2F49
Part of subcall function 004C2E80: __vbaBoolVarNull.MSVBVM60(00000000), ref: 004C2F50
Part of subcall function 004C2E80: __vbaFreeVarList.MSVBVM60(00000002,?,0000000B), ref: 004C2F6A
Part of subcall function 004C2E80: __vbaInStr.MSVBVM60(00000000,004775E8,?,00000001,00000000,00000000,00411816,?), ref: 004C2F98
Part of subcall function 004C2E80: #685.MSVBVM60(?,00000001,00000000,00000000,00411816,?), ref: 004C2FAD
Part of subcall function 004C2E80: __vbaObjSet.MSVBVM60(00000001,00000000,?,00000001,00000000,00000000,00411816,?), ref: 004C2FB8
Part of subcall function 004C2E80: __vbaFreeObj.MSVBVM60(?,00000001,00000000,00000000,00411816,?), ref: 004C2FD9
Part of subcall function 004C2E80: __vbaChkstk.MSVBVM60 ref: 004C3006

#685.MSVBVM60(?,00000000,00000000,?,00411816), ref: 004BD510
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,?,00411816), ref: 004BD51B
__vbaFreeObj.MSVBVM60(?,00000000,00000000,?,00411816), ref: 004BD53C
__vbaLenBstr.MSVBVM60(?,?,00000000,00000000,?,00411816), ref: 004BD54D
__vbaStrToAnsi.MSVBVM60(00000000,00000000,C0000000,00000000,00000000,00000004,00000080,00000000,?,00000000,00000000,?,00411816), ref: 004BD579
__vbaSetSystemError.MSVBVM60(00000000,?,00000000,00000000,?,00411816), ref: 004BD588
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,00000000,?,00411816), ref: 004BD596
__vbaFreeStr.MSVBVM60(?,00000000,00000000,?,00411816), ref: 004BD5A5
__vbaStrToAnsi.MSVBVM60(?,?,?,00000000,00000000), ref: 004BD5D5
__vbaSetSystemError.MSVBVM60(000000FF,00000000), ref: 004BD5E8
__vbaStrToUnicode.MSVBVM60(?,?), ref: 004BD5F6
__vbaFreeStr.MSVBVM60 ref: 004BD610
__vbaSetSystemError.MSVBVM60(000000FF), ref: 004BD636
__vbaSetSystemError.MSVBVM60(000000FF), ref: 004BD655
__vbaSetSystemError.MSVBVM60(000000FF), ref: 004BD673
__vbaSetSystemError.MSVBVM60(000000FF), ref: 004BD689
#685.MSVBVM60 ref: 004BD6AC
__vbaObjSet.MSVBVM60(?,00000000), ref: 004BD6B7
__vbaFreeObj.MSVBVM60 ref: 004BD6D8

Strings

$, xrefs: 004BD6A5

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$#685Error$System$Chkstk$#645AnsiCheckHresultMoveUnicode$#518#529BoolBstrCopyListNull
String ID: $
API String ID: 1614413082-3993045852
Opcode ID: 8291f8f37f810a4de2e6f2d0b1704e329a57b79a631b40e38a7507e30da4c21c
Instruction ID: e4b8471c3a8923e26fae9ac223887bf74711bf0fd3675cffb62b20b0176dfe29
Opcode Fuzzy Hash: 8291f8f37f810a4de2e6f2d0b1704e329a57b79a631b40e38a7507e30da4c21c
Instruction Fuzzy Hash: BAE10775D00208EFDB14DFE0DA88BDEBBB4BF08705F108169E506AB2A4DB789A45DF54

Uniqueness

Uniqueness Score: -1.00%

Function 0052D9D0 Relevance: 87.8, APIs: 46, Strings: 4, Instructions: 252COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,0052EC3F), ref: 0052D9EE
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00411816), ref: 0052DA1E
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 0052DA33
__vbaStrCmp.MSVBVM60(true,0077F204,?,00000000,?,00000000,00411816), ref: 0052DA4B
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 0052DA6A
__vbaStrCmp.MSVBVM60(00473D9C,0077F1DC,?,00000000,?,00000000,00411816), ref: 0052DA83
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 0052DA9D
__vbaStrCmp.MSVBVM60(true,0077F40C,?,00000000,?,00000000,00411816), ref: 0052DABB
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 0052DAD4
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 0052DAEB
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 0052DB02
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 0052DB17
__vbaStrMove.MSVBVM60(?,?,00000000,?,00000000,00411816), ref: 0052DB2B
__vbaFreeStr.MSVBVM60(?,00000000,?,00000000,00411816), ref: 0052DB34
#520.MSVBVM60(?,00004008), ref: 0052DB56
__vbaStrVarMove.MSVBVM60(?), ref: 0052DB60
__vbaStrMove.MSVBVM60 ref: 0052DB6B
__vbaFreeVar.MSVBVM60 ref: 0052DB74
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 0052DB8A
#619.MSVBVM60(?,00004008,00000001), ref: 0052DBB6
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0052DBD2
__vbaFreeVar.MSVBVM60 ref: 0052DBDF
__vbaStrCat.MSVBVM60(004775E8,?), ref: 0052DBFD
__vbaStrMove.MSVBVM60 ref: 0052DC08
#531.MSVBVM60(?), ref: 0052DC19
#619.MSVBVM60(?,00004008,00000001), ref: 0052DC3D
__vbaStrCopy.MSVBVM60(?,00000000,00411816), ref: 0052DD8D
#685.MSVBVM60(?,00000000,?,00000000,00411816), ref: 0052DD9A
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,00000000,00411816), ref: 0052DDA5
__vbaFreeObj.MSVBVM60(?,00000000,?,00000000,00411816), ref: 0052DDC6
__vbaFreeStr.MSVBVM60(0052DE20,?,00000000,?,00000000,00411816), ref: 0052DE19

Strings

HKLM\Software\Aloaha\AlternativeWritePath, xrefs: 0052DB0F
true, xrefs: 0052DA46, 0052DA60, 0052DAB6, 0052DAF8
", xrefs: 0052DD93
HKLM\Software\Aloaha\debugpath, xrefs: 0052DCFD, 0052DD58

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Copy$Free$Move$#619$#520#531#685ChkstkError
String ID: "$HKLM\Software\Aloaha\AlternativeWritePath$HKLM\Software\Aloaha\debugpath$true
API String ID: 3829872818-957309409
Opcode ID: 6b9f38b4ee14996dc19849ed08e803a19db7f2785aadd7f0e602cb1959fa560d
Instruction ID: a74e74d8edba39e26f7f793e021303dc174187127ba658051d712e29c9120581
Opcode Fuzzy Hash: 6b9f38b4ee14996dc19849ed08e803a19db7f2785aadd7f0e602cb1959fa560d
Instruction Fuzzy Hash: B5C129B5900208DFEB04DFA0DA58ADDBBB4FF48705F20806DE506B76A0DB759A09DF64

Uniqueness

Uniqueness Score: -1.00%

Function 0050CA60 Relevance: 84.3, APIs: 44, Strings: 4, Instructions: 293COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,00000001), ref: 0050CA7E
__vbaOnError.MSVBVM60(000000FF,?,00000001,00000000,00000000,00411816,00000001), ref: 0050CAAE
__vbaStrCopy.MSVBVM60(?,00000001,00000000,00000000,00411816,00000001), ref: 0050CAC3
#685.MSVBVM60(?,00000001,00000000,00000000,00411816,00000001), ref: 0050CAD0
__vbaObjSet.MSVBVM60(?,00000000,?,00000001,00000000,00000000,00411816,00000001), ref: 0050CADB
__vbaFreeObj.MSVBVM60(?,00000001,00000000,00000000,00411816,00000001), ref: 0050CAFC
__vbaVarForInit.MSVBVM60(?,?,?,00000002,00000002,00000002), ref: 0050CB79
__vbaI4Var.MSVBVM60(?), ref: 0050CBA3
#608.MSVBVM60(?,00000000), ref: 0050CBAE
__vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0050CBD4
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0050CBE6
__vbaStrVarMove.MSVBVM60(00000000), ref: 0050CBED
__vbaStrMove.MSVBVM60 ref: 0050CBF8
__vbaFreeStr.MSVBVM60(?), ref: 0050CC0A
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0050CC1E
#685.MSVBVM60(00000001,00000000,00000000,00411816,00000001), ref: 0050CC2E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0050CC39
__vbaFreeObj.MSVBVM60 ref: 0050CC5A
__vbaI4Var.MSVBVM60(?), ref: 0050CC6B
#608.MSVBVM60(?,00000000), ref: 0050CC76
__vbaVarAdd.MSVBVM60(?,00000008,?,00000000), ref: 0050CC98
#645.MSVBVM60(00000000), ref: 0050CC9F
__vbaStrMove.MSVBVM60 ref: 0050CCAA
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0050CCBA
#685.MSVBVM60 ref: 0050CCDA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0050CCE5
__vbaI4Var.MSVBVM60(?), ref: 0050CDF9
#608.MSVBVM60(?,00000000), ref: 0050CE04
__vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0050CE2A
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0050CE3C
__vbaStrVarMove.MSVBVM60(00000000), ref: 0050CE43
__vbaStrMove.MSVBVM60 ref: 0050CE4E

Part of subcall function 0050CF40: __vbaChkstk.MSVBVM60(?,00411816,?,?,00000001,00000000,00000000,00411816,004F38EA), ref: 0050CF5E
Part of subcall function 0050CF40: __vbaOnError.MSVBVM60(000000FF,?,00000001,00000000,?,00411816,?), ref: 0050CF8E
Part of subcall function 0050CF40: __vbaStrCmp.MSVBVM60(00473D9C,00000000,?,00000001,00000000,?,00411816,?), ref: 0050CFA6
Part of subcall function 0050CF40: #685.MSVBVM60(?,00000001,00000000,?,00411816,?), ref: 0050CFE1
Part of subcall function 0050CF40: __vbaObjSet.MSVBVM60(00000000,00000000,?,00000001,00000000,?,00411816,?), ref: 0050CFEC
Part of subcall function 0050CF40: __vbaFreeObj.MSVBVM60(?,00000001,00000000,?,00411816,?), ref: 0050D00D
Part of subcall function 0050CF40: __vbaStrCopy.MSVBVM60 ref: 0050D030
Part of subcall function 0050CF40: __vbaStrCopy.MSVBVM60 ref: 0050D03E
Part of subcall function 0050CF40: __vbaStrMove.MSVBVM60(00000001,?,0000000A), ref: 0050D05A
Part of subcall function 0050CF40: __vbaFreeStrList.MSVBVM60(00000002,00000001,?), ref: 0050D06A
Part of subcall function 0050CF40: __vbaFreeVar.MSVBVM60(00000000,?,00411816,?), ref: 0050D076
Part of subcall function 0050CF40: #685.MSVBVM60 ref: 0050D083
Part of subcall function 0050CF40: __vbaObjSet.MSVBVM60(?,00000000), ref: 0050D08E
Part of subcall function 0050CF40: __vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 0050D0C1

__vbaFreeStr.MSVBVM60(?), ref: 0050CE60
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0050CE74
#685.MSVBVM60(?,00000001,00000000,00000000,00411816,00000001), ref: 0050CE95
__vbaObjSet.MSVBVM60(?,00000000,?,00000001,00000000,00000000,00411816,00000001), ref: 0050CEA0
__vbaFreeObj.MSVBVM60(?,00000001,00000000,00000000,00411816,00000001), ref: 0050CEC1
__vbaFreeVarList.MSVBVM60(00000002,?,?,0050CF24,?,00000001,00000000,00000000,00411816,00000001), ref: 0050CF08
__vbaFreeVar.MSVBVM60(?,00000000,00411816,00000001), ref: 0050CF14
__vbaFreeStr.MSVBVM60(?,00000000,00411816,00000001), ref: 0050CF1D

Strings

Z, xrefs: 0050CB2D
C, xrefs: 0050CB41
entering shall I use dir: , xrefs: 0050CB91
finished shall I use dir: , xrefs: 0050CDE7

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$#685Move$List$#608Copy$ChkstkError$#645CheckHresultInit
String ID: C$Z$entering shall I use dir: $finished shall I use dir:
API String ID: 3837349526-861938115
Opcode ID: 09d17ff9a77a12cd107801166099c7e75e8189dd3ea97f2ae8b072260c26a258
Instruction ID: 55064201913ea73bc20bb8d54a6b8259368488e536aec993fd1c1447cb530e09
Opcode Fuzzy Hash: 09d17ff9a77a12cd107801166099c7e75e8189dd3ea97f2ae8b072260c26a258
Instruction Fuzzy Hash: 72D119B5800218EFDB14DFA0DD48BEEBBB8BF48305F1085ADE506A75A0DBB45A48DF54

Uniqueness

Uniqueness Score: -1.00%

Function 0051F160 Relevance: 82.5, APIs: 38, Strings: 9, Instructions: 290COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816), ref: 0051F17E
__vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00411816), ref: 0051F1AE
__vbaStrCmp.MSVBVM60(true,0075A9E4), ref: 0051F1E0
__vbaStrCmp.MSVBVM60(false,0075A9E4), ref: 0051F1FA
__vbaStrCmp.MSVBVM60(true,0076557C), ref: 0051F287

Strings

winpe, xrefs: 0051F89B, 0051F8B2
true, xrefs: 0051F1DB, 0051F282, 0051F2AA, 0051F2C8, 0051F884, 0051F8C9, 0051F8E0
Software\Aloaha, xrefs: 0051F7EF
WinPE, xrefs: 0051F7E1
B, xrefs: 0051F961
false, xrefs: 0051F1F5, 0051F2E1, 0051F8F7, 0051F910
|Uv, xrefs: 0051F27B, 0051F2AF, 0051F956
bootmgr, xrefs: 0051F494
(T, xrefs: 0051F3A5

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$ChkstkError
String ID: (T$B$Software\Aloaha$WinPE$bootmgr$false$true$winpe$|Uv
API String ID: 3554142864-978549697
Opcode ID: d08cc315d5142a3f7bf6893785e4d19295f43eacd448125daa7062d6958a89a4
Instruction ID: dc65e333dcd0516c2a213a2d112c6aa7bfe93a3a98688c474067f05a980d6c2b
Opcode Fuzzy Hash: d08cc315d5142a3f7bf6893785e4d19295f43eacd448125daa7062d6958a89a4
Instruction Fuzzy Hash: 8ED13974901208DFEB14DFA0DA48BEDBBB4FF48705F1081A9E506BB2A0DBB45A45DF54

Uniqueness

Uniqueness Score: -1.00%

Function 004D2E30 Relevance: 69.3, APIs: 46, Instructions: 275COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00411816), ref: 004D2E4E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 004D2E7E
#685.MSVBVM60(?,?,?,?,00411816), ref: 004D2E8B
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00411816), ref: 004D2E96
__vbaFreeObj.MSVBVM60(?,?,?,?,00411816), ref: 004D2EB7
__vbaSetSystemError.MSVBVM60(?,?,?,?,00411816), ref: 004D2ECF
__vbaSetSystemError.MSVBVM60(0000087C,0054D658,?,?,?,?,00411816), ref: 004D2EF9
__vbaSetSystemError.MSVBVM60(00000000,00000001,0000000E,?,?,?,?,?,?,00411816), ref: 004D2F24
#685.MSVBVM60(?,?,?,?,00411816), ref: 004D2F3A
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00411816), ref: 004D2F45
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004D2F90
__vbaFreeObj.MSVBVM60 ref: 004D2FD0
__vbaSetSystemError.MSVBVM60(?,?,?), ref: 004D300A
__vbaSetSystemError.MSVBVM60(?), ref: 004D3020
__vbaGenerateBoundsError.MSVBVM60 ref: 004D304C
__vbaGenerateBoundsError.MSVBVM60 ref: 004D3077
__vbaGenerateBoundsError.MSVBVM60 ref: 004D30A2
__vbaGenerateBoundsError.MSVBVM60 ref: 004D30CD
__vbaStrUI1.MSVBVM60(?), ref: 004D30E4
__vbaStrMove.MSVBVM60 ref: 004D30EF
__vbaStrCat.MSVBVM60(0047BCF8,00000000), ref: 004D30FB
__vbaStrMove.MSVBVM60 ref: 004D3106
__vbaStrUI1.MSVBVM60(?,00000000), ref: 004D3118
__vbaStrMove.MSVBVM60 ref: 004D3123
__vbaStrCat.MSVBVM60(00000000), ref: 004D312A
__vbaStrMove.MSVBVM60 ref: 004D3135
__vbaStrCat.MSVBVM60(0047BCF8,00000000), ref: 004D3141
__vbaStrMove.MSVBVM60 ref: 004D314C
__vbaStrUI1.MSVBVM60(?,00000000), ref: 004D315E
__vbaStrMove.MSVBVM60 ref: 004D3169
__vbaStrCat.MSVBVM60(00000000), ref: 004D3170
__vbaStrMove.MSVBVM60 ref: 004D317B
__vbaStrCat.MSVBVM60(0047BCF8,00000000), ref: 004D3187
__vbaStrMove.MSVBVM60 ref: 004D3192
__vbaStrUI1.MSVBVM60(?,00000000), ref: 004D31A4
__vbaStrMove.MSVBVM60 ref: 004D31AF
__vbaStrCat.MSVBVM60(00000000), ref: 004D31B6
#520.MSVBVM60(?,00000008), ref: 004D31D7
__vbaStrVarMove.MSVBVM60(?), ref: 004D31E4
__vbaStrMove.MSVBVM60 ref: 004D31EF
__vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,?), ref: 004D321B
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004D3234
#685.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004D325B
__vbaObjSet.MSVBVM60(?,00000000), ref: 004D3266
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00411816), ref: 004D3287

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Move$Error$FreeSystem$BoundsGenerate$#685$List$#520CheckChkstkHresult
String ID:
API String ID: 1664256157-0
Opcode ID: dae4933ae7d4d1316ea47641e56e66a8c6ea3fa9dee7b1aa07f924da64acadef
Instruction ID: 4beaf55a7378a895b72ecf20a83ea0352029b6b60a09dd0c5c19cf05b5c1ec6f
Opcode Fuzzy Hash: dae4933ae7d4d1316ea47641e56e66a8c6ea3fa9dee7b1aa07f924da64acadef
Instruction Fuzzy Hash: C6C11775900218DFDB14DFA0DE58BDEBBB4BF48301F1081AAE50AB7661DB745A88CF25

Uniqueness

Uniqueness Score: -1.00%

Function 004FF9B0 Relevance: 66.7, APIs: 30, Strings: 8, Instructions: 215COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816), ref: 004FF9CE
__vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00411816), ref: 004FF9FE
__vbaStrCmp.MSVBVM60(true,0075AB24), ref: 004FFA23
__vbaStrCmp.MSVBVM60(00485A8C,0077EF5C), ref: 004FFA52
__vbaStrCopy.MSVBVM60 ref: 004FFA71

Strings

\w, xrefs: 004FFA46, 004FFA6C, 005005B2
localsystem, xrefs: 004FFB7D
true, xrefs: 004FFA1E
administrator, xrefs: 004FFB33
Software\Aloaha, xrefs: 004FFD54
system, xrefs: 004FFBCD
R, xrefs: 005005BD
service, xrefs: 004FFC1D

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$ChkstkCopyError
String ID: R$Software\Aloaha$\w$administrator$localsystem$service$system$true
API String ID: 3863658848-1761860351
Opcode ID: cd16dca36f6ed9bae4e82f970186e692ed2d96118a956c629b89946e0cfc5078
Instruction ID: 8595c13980977fb1240c153add120830e08a824e0dfc42339b40b4a68563db81
Opcode Fuzzy Hash: cd16dca36f6ed9bae4e82f970186e692ed2d96118a956c629b89946e0cfc5078
Instruction Fuzzy Hash: C3A1FCB6800218EFDB65DF90DD48BDEBBB8BF48305F008699E60AA7550DB745B88CF54

Uniqueness

Uniqueness Score: -1.00%

Function 005110E0 Relevance: 59.7, APIs: 31, Strings: 3, Instructions: 220COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,00000000,00411816,004FA5C7), ref: 005110FE
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00411816), ref: 0051112E
__vbaStrCmp.MSVBVM60(00473D9C,00773514,?,00000000,?,00000000,00411816), ref: 00511146
__vbaInStr.MSVBVM60(00000000,004775E8,00773514,00000001,?,00000000,?,00000000,00411816), ref: 00511163
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 00511186
__vbaStrMove.MSVBVM60(?,00000000,?,00000000,00411816), ref: 005111A2
__vbaStrMove.MSVBVM60(?,00000000,?,00000000,00411816), ref: 005111B9
#712.MSVBVM60(00000000,?,00473D9C,00000001,000000FF,00000000,?,00000000,?,00000000,00411816), ref: 005111D9
__vbaStrMove.MSVBVM60(?,00000000,?,00000000,00411816), ref: 005111E4
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,00000000,?,00000000,00411816), ref: 005111FA
__vbaNew2.MSVBVM60(00477E14,0054ED28,?,00000000,?,00000000,00411816), ref: 00511222
__vbaHresultCheckObj.MSVBVM60(00000000,?,00477E04,00000014), ref: 00511273
__vbaHresultCheckObj.MSVBVM60(00000000,?,0047A994,00000050), ref: 005112C4
__vbaStrMove.MSVBVM60 ref: 005112F5
__vbaFreeObj.MSVBVM60 ref: 005112FE
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,00000000,?,00000000,00411816), ref: 00511314
#685.MSVBVM60(?,00000000,?,00000000,00411816), ref: 005113FA
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,00000000,00411816), ref: 00511405
__vbaFreeObj.MSVBVM60(?,00000000,?,00000000,00411816), ref: 00511426
__vbaFreeStr.MSVBVM60(0051147F,?,00000000,?,00000000,00411816), ref: 0051146F
__vbaFreeStr.MSVBVM60(?,00000000,?,00000000,00411816), ref: 00511478

Strings

Processpath: , xrefs: 005113B2
|Gw, xrefs: 00510F1B, 00511024, 00511038
(T, xrefs: 0051123E

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$FreeMove$CheckHresult$#685#712ChkstkCopyErrorNew2
String ID: (T$Processpath: $|Gw
API String ID: 742036553-1548088333
Opcode ID: 25986c7e18b244eef12919234353fd1ebc836a14239759895a2e26a39d3cf8cb
Instruction ID: 81aa96a777040ceaae1781c100e25de1f45a36bd15a10a0a332891b140ff0ae3
Opcode Fuzzy Hash: 25986c7e18b244eef12919234353fd1ebc836a14239759895a2e26a39d3cf8cb
Instruction Fuzzy Hash: 35A13C75900208EFEB14DFA0DA48BDDBBB4FF48705F2085A9E506B76A0DBB45A84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004F2FF0 Relevance: 50.9, APIs: 24, Strings: 5, Instructions: 189COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,00000000), ref: 004F300E
__vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00411816,00000000), ref: 004F303E
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,00000000,00000000,00000000,00411816,00000000), ref: 004F3056
__vbaStrCmp.MSVBVM60(00485A8C,00779704,?,00000000,00000000,00000000,00411816,00000000), ref: 004F3077
__vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00411816,00000000), ref: 004F3096
__vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00411816,00000000), ref: 004F30AB

Part of subcall function 0050CF40: __vbaChkstk.MSVBVM60(?,00411816,?,?,00000001,00000000,00000000,00411816,004F38EA), ref: 0050CF5E
Part of subcall function 0050CF40: __vbaOnError.MSVBVM60(000000FF,?,00000001,00000000,?,00411816,?), ref: 0050CF8E
Part of subcall function 0050CF40: __vbaStrCmp.MSVBVM60(00473D9C,00000000,?,00000001,00000000,?,00411816,?), ref: 0050CFA6
Part of subcall function 0050CF40: #685.MSVBVM60(?,00000001,00000000,?,00411816,?), ref: 0050CFE1
Part of subcall function 0050CF40: __vbaObjSet.MSVBVM60(00000000,00000000,?,00000001,00000000,?,00411816,?), ref: 0050CFEC
Part of subcall function 0050CF40: __vbaFreeObj.MSVBVM60(?,00000001,00000000,?,00411816,?), ref: 0050D00D
Part of subcall function 0050CF40: __vbaStrCopy.MSVBVM60 ref: 0050D030
Part of subcall function 0050CF40: __vbaStrCopy.MSVBVM60 ref: 0050D03E
Part of subcall function 0050CF40: __vbaStrMove.MSVBVM60(00000001,?,0000000A), ref: 0050D05A
Part of subcall function 0050CF40: __vbaFreeStrList.MSVBVM60(00000002,00000001,?), ref: 0050D06A
Part of subcall function 0050CF40: __vbaFreeVar.MSVBVM60(00000000,?,00411816,?), ref: 0050D076
Part of subcall function 0050CF40: #685.MSVBVM60 ref: 0050D083
Part of subcall function 0050CF40: __vbaObjSet.MSVBVM60(?,00000000), ref: 0050D08E
Part of subcall function 0050CF40: __vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 0050D0C1

__vbaFreeStr.MSVBVM60(?,?,00000000,00000000,00000000,00411816,00000000), ref: 004F30BD

Part of subcall function 004F2D70: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,00000000,00000000,?,00411816), ref: 004F2D8E
Part of subcall function 004F2D70: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00411816), ref: 004F2DBE
Part of subcall function 004F2D70: __vbaStrCmp.MSVBVM60(00473D9C,00000000,?,00000000,00000000,00000000,00411816), ref: 004F2DD6
Part of subcall function 004F2D70: __vbaStrCmp.MSVBVM60(00473D9C,0075ACDC,?,00000000,00000000,00000000,00411816), ref: 004F2DF7
Part of subcall function 004F2D70: __vbaStrCopy.MSVBVM60 ref: 004F2E22
Part of subcall function 004F2D70: __vbaStrCopy.MSVBVM60 ref: 004F2E30
Part of subcall function 004F2D70: __vbaStrMove.MSVBVM60(?,?,0000000A), ref: 004F2E4C
Part of subcall function 004F2D70: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004F2E5C
Part of subcall function 004F2D70: __vbaFreeVar.MSVBVM60(00000000,00000000,00411816), ref: 004F2E68
Part of subcall function 004F2D70: __vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004F2E7E
Part of subcall function 004F2D70: __vbaStrCmp.MSVBVM60(004740D4,?), ref: 004F2E95
Part of subcall function 004F2D70: __vbaStrCopy.MSVBVM60 ref: 004F2ED6
Part of subcall function 004F2D70: __vbaStrCmp.MSVBVM60(00473D9C,00000000,?,00000000,00000000,00000000,00411816), ref: 004F2F04

__vbaStrMove.MSVBVM60(?,00000000,00000000,00000000,00411816,00000000), ref: 004F30D4
__vbaStrCmp.MSVBVM60(00473D9C,?,?,00000000,00000000,00000000,00411816,00000000), ref: 004F3102
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,?,00000000,00000000,00000000,00411816,00000000), ref: 004F311E
__vbaStrCopy.MSVBVM60(?,?,00000000,00000000,00000000,00411816,00000000), ref: 004F3138
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,?,00000000,00000000,00000000,00411816,00000000), ref: 004F3153
__vbaStrCopy.MSVBVM60(?,?,00000000,00000000,00000000,00411816,00000000), ref: 004F316E
__vbaStrCmp.MSVBVM60(00473D9C,?,?,?,00000000,00000000,00000000,00411816,00000000), ref: 004F3186
__vbaStrCopy.MSVBVM60(?,?,?,00000000,00000000,00000000,00411816,00000000), ref: 004F319F
__vbaStrCmp.MSVBVM60(true,0075AE44,?,00000001), ref: 004F3222
__vbaStrCopy.MSVBVM60 ref: 004F329E
__vbaFreeStr.MSVBVM60(?), ref: 004F32B0
__vbaStrCopy.MSVBVM60 ref: 004F32C7
__vbaStrCmp.MSVBVM60(true,0075AE44), ref: 004F32FF
#685.MSVBVM60(?,00000000,00000000,00000000,00411816,00000000), ref: 004F3320
__vbaObjSet.MSVBVM60(00000000,00000000,?,00000000,00000000,00000000,00411816,00000000), ref: 004F332B
__vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,00411816,00000000), ref: 004F3343
__vbaFreeStr.MSVBVM60(004F336D,?,00000000,00000000,00000000,00411816,00000000), ref: 004F3366

Strings

finished permtest, xrefs: 004F3296
2, xrefs: 004F3319
true, xrefs: 004F321D, 004F32FA
HKLM\SOFTWARE\Aloaha\ctest, xrefs: 004F3197
entering permtest, xrefs: 004F30A3

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Copy$Free$#685ChkstkErrorMove$List$CheckHresult
String ID: 2$HKLM\SOFTWARE\Aloaha\ctest$entering permtest$finished permtest$true
API String ID: 1325987103-472686419
Opcode ID: 3746e8495369085c8d29817987ff6da4cf1e2983adca173c45b2d99558cde612
Instruction ID: 687ff7720ea1f631f69a17531aff2719f294c881d718b9354260147d309a8830
Opcode Fuzzy Hash: 3746e8495369085c8d29817987ff6da4cf1e2983adca173c45b2d99558cde612
Instruction Fuzzy Hash: 4B914D74901208EFEB14DF90DA487ED7BB4FF05709F20805DE501AB2A0D7B94A09EB59

Uniqueness

Uniqueness Score: -1.00%

Function 004D13B0 Relevance: 50.9, APIs: 28, Strings: 1, Instructions: 179COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00411816,?,004D61D3,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName,?,?,?), ref: 004D13CE
__vbaStrCopy.MSVBVM60(?,?,?,?,00411816), ref: 004D13FB
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 004D140A
#520.MSVBVM60(?,00004008), ref: 004D1441
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 004D1466
__vbaFreeVar.MSVBVM60 ref: 004D1476
#608.MSVBVM60(?,00000000), ref: 004D1498
#608.MSVBVM60(?,00000000), ref: 004D14A7
__vbaStrCat.MSVBVM60(?,regread:), ref: 004D14B6
__vbaVarAdd.MSVBVM60(?,?,00000008,00406188), ref: 004D1500
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 004D1512
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 004D1527
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 004D153C
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 004D1547

Part of subcall function 004D22A0: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,?,?,?,00000000,00411816), ref: 004D22BE
Part of subcall function 004D22A0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 004D22EB
Part of subcall function 004D22A0: __vbaAryConstruct2.MSVBVM60(?,004842F4,00000011,?,?,?,00000000,00411816), ref: 004D22FC
Part of subcall function 004D22A0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816), ref: 004D230B
Part of subcall function 004D22A0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 004D232C
Part of subcall function 004D22A0: __vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,00000000,00411816), ref: 004D2344
Part of subcall function 004D22A0: __vbaInStr.MSVBVM60(00000000,004775E8,?,00000001,?,?,?,?,00000000,00411816), ref: 004D2364
Part of subcall function 004D22A0: __vbaStrCopy.MSVBVM60(?,00000001,?,?,?,?,00000000,00411816), ref: 004D237D
Part of subcall function 004D22A0: __vbaStrCopy.MSVBVM60(?,?,?,?,00000000,00411816), ref: 004D2392
Part of subcall function 004D22A0: __vbaLenBstr.MSVBVM60(?,?,?,?,?,00000000,00411816), ref: 004D23A3
Part of subcall function 004D22A0: __vbaStrCopy.MSVBVM60(?,?,?,?,00000000,00411816), ref: 004D23C0
Part of subcall function 004D22A0: __vbaStrMove.MSVBVM60(?,?,encrypted:,?,?,?,?,00000000,00411816), ref: 004D23DD
Part of subcall function 004D22A0: __vbaStrCat.MSVBVM60(00000000,?,?,?,?,00000000,00411816), ref: 004D23E4
Part of subcall function 004D22A0: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00411816), ref: 004D23EF
Part of subcall function 004D22A0: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,00000000,00411816), ref: 004D23FF
Part of subcall function 004D22A0: __vbaInStr.MSVBVM60(00000000,0047C158,?,00000001,?,00000000,00411816), ref: 004D241C

__vbaStrMove.MSVBVM60(00000000), ref: 004D1558
__vbaFreeStr.MSVBVM60 ref: 004D1561
__vbaFreeVarList.MSVBVM60(00000007,00000008,?,?,?,?,?,?), ref: 004D158E
__vbaLenBstr.MSVBVM60(regread:), ref: 004D15B6
#617.MSVBVM60(?,00004008,00000000), ref: 004D15C8
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 004D15ED
__vbaFreeVar.MSVBVM60 ref: 004D15FD
__vbaStrCopy.MSVBVM60 ref: 004D161D
__vbaStrCopy.MSVBVM60 ref: 004D1630
#685.MSVBVM60 ref: 004D163D
__vbaObjSet.MSVBVM60(?,00000000), ref: 004D1648
__vbaFreeObj.MSVBVM60 ref: 004D1669
__vbaFreeStr.MSVBVM60(004D16DF), ref: 004D16CF
__vbaFreeStr.MSVBVM60 ref: 004D16D8

Strings

regread:, xrefs: 004D14AD, 004D15B1, 004D15CE

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$CopyFree$Move$#608BstrChkstkErrorList$#520#617#685Construct2
String ID: regread:
API String ID: 1549070028-1179285436
Opcode ID: 83c893fb644eea8ea089ec7dff9268e91f9d82fa8e8c9815e12b2a686723371c
Instruction ID: cd445f6cb1f70d48e8a2c9005177e5c0f1c9a2d346c13d21ec1ad5d0bcde7b3e
Opcode Fuzzy Hash: 83c893fb644eea8ea089ec7dff9268e91f9d82fa8e8c9815e12b2a686723371c
Instruction Fuzzy Hash: 2681D8B6800218DFDB14DF90DE58FDEB778BB48305F10819AE606B7260DB745A48CF65

Uniqueness

Uniqueness Score: -1.00%

Function 004BCF90 Relevance: 47.4, APIs: 22, Strings: 5, Instructions: 144COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00411816), ref: 004BCFAE
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 004BCFDE
__vbaStrCopy.MSVBVM60 ref: 004BD02C

Part of subcall function 004D0AE0: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,00411816), ref: 004D0AFE
Part of subcall function 004D0AE0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 004D0B2B
Part of subcall function 004D0AE0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816), ref: 004D0B3A
Part of subcall function 004D0AE0: #520.MSVBVM60(?,00004008), ref: 004D0B68
Part of subcall function 004D0AE0: __vbaStrVarMove.MSVBVM60(?), ref: 004D0B72
Part of subcall function 004D0AE0: __vbaStrMove.MSVBVM60 ref: 004D0B7D
Part of subcall function 004D0AE0: __vbaFreeVar.MSVBVM60 ref: 004D0B86
Part of subcall function 004D0AE0: __vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D0B9C
Part of subcall function 004D0AE0: __vbaStrCopy.MSVBVM60 ref: 004D0BB5
Part of subcall function 004D0AE0: __vbaStrCat.MSVBVM60(?,get:,?), ref: 004D0BC8
Part of subcall function 004D0AE0: __vbaStrMove.MSVBVM60 ref: 004D0BD3
Part of subcall function 004D0AE0: __vbaStrMove.MSVBVM60(00000000), ref: 004D0BE4
Part of subcall function 004D0AE0: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004D0BF4
Part of subcall function 004D0AE0: #520.MSVBVM60(?,00004008), ref: 004D0C19
Part of subcall function 004D0AE0: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 004D0C35
Part of subcall function 004D0AE0: __vbaFreeVar.MSVBVM60 ref: 004D0C42
Part of subcall function 004D0AE0: __vbaStrCopy.MSVBVM60 ref: 004D0C5F

#518.MSVBVM60(?,00000008,changepass), ref: 004BD055
#520.MSVBVM60(?,?), ref: 004BD063
__vbaStrVarMove.MSVBVM60(?), ref: 004BD06D
__vbaStrMove.MSVBVM60 ref: 004BD078
__vbaFreeVarList.MSVBVM60(00000003,00000008,?,?), ref: 004BD08C
__vbaStrCmp.MSVBVM60(true,?), ref: 004BD0A5
__vbaStrCmp.MSVBVM60(wahr,?), ref: 004BD0BC
__vbaStrCmp.MSVBVM60(004740DC,?), ref: 004BD0D9
__vbaStrI4.MSVBVM60(00000001,WaitForChangePassTool: ), ref: 004BD0FB
__vbaStrMove.MSVBVM60 ref: 004BD106
__vbaStrCat.MSVBVM60(00000000), ref: 004BD10D
__vbaStrMove.MSVBVM60 ref: 004BD118
__vbaFreeStrList.MSVBVM60(00000002,?,?,?), ref: 004BD131
__vbaSetSystemError.MSVBVM60(000003E7,?,?,?,?,?,?,00411816), ref: 004BD14B
#598.MSVBVM60(?,?,?,?,?,?,00411816), ref: 004BD158
#685.MSVBVM60 ref: 004BD175
__vbaObjSet.MSVBVM60(?,00000000), ref: 004BD180
__vbaFreeObj.MSVBVM60 ref: 004BD1A1
__vbaFreeStr.MSVBVM60(004BD1EC), ref: 004BD1E5

Strings

true, xrefs: 004BD0A0
changepass, xrefs: 004BD039
WaitForChangePassTool: , xrefs: 004BD0F2
0u, xrefs: 004BCFEB
wahr, xrefs: 004BD0B7

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Move$Free$Copy$#520ErrorList$Chkstk$#518#598#685System
String ID: 0u$WaitForChangePassTool: $changepass$true$wahr
API String ID: 2787215770-4038981338
Opcode ID: 614373412d2a5e02e90db36bc7c75db8934dd33cd647a6cfe5fdf78b74abb5d7
Instruction ID: 851abde453d84e3efe5a303c1680e15ba7bdb91d5a02ed750dbaf087682e5425
Opcode Fuzzy Hash: 614373412d2a5e02e90db36bc7c75db8934dd33cd647a6cfe5fdf78b74abb5d7
Instruction Fuzzy Hash: 5B512D71D00209EFDB04DFE4DE49BEEBBB8AB08705F208159E506B75A0DB785A49CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00510B80 Relevance: 43.7, APIs: 29, Instructions: 194COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,00510F40,?,?,?,00000000,00411816,004FA5C7), ref: 00510B9E
__vbaAryConstruct2.MSVBVM60(?,0048B42C,00000003,?,?,?,00000000,00411816,00510F40), ref: 00510BD0
__vbaFixstrConstruct.MSVBVM60(00000104,?,?,?,?,00000000,00411816,00510F40), ref: 00510BDF
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816,00510F40), ref: 00510BEE
__vbaStrCmp.MSVBVM60(00473D9C,00774F8C,?,?,?,00000000,00411816,00510F40), ref: 00510C07
__vbaSetSystemError.MSVBVM60(?,?,?,00000000,00411816,00510F40), ref: 00510C24
__vbaSetSystemError.MSVBVM60(00000410,00000000,?,?,?,?,00000000,00411816,00510F40), ref: 00510C4A
__vbaGenerateBoundsError.MSVBVM60 ref: 00510C8E
__vbaSetSystemError.MSVBVM60(00000000,?,000000C8,?), ref: 00510CB9
__vbaGenerateBoundsError.MSVBVM60 ref: 00510CFD
__vbaStrToAnsi.MSVBVM60(?,?,000001F4), ref: 00510D16
__vbaSetSystemError.MSVBVM60(00000000,00000000,00000000), ref: 00510D33
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00510D41
__vbaLsetFixstr.MSVBVM60(00000000,?,00000000), ref: 00510D4E
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00510D64
__vbaStrCopy.MSVBVM60(?,?,00000000,00411816,00510F40), ref: 00510D7E
#616.MSVBVM60(00000000,?,00000000,00411816,00510F40), ref: 00510D85
__vbaStrMove.MSVBVM60(?,00000000,00411816,00510F40), ref: 00510D90
__vbaLsetFixstr.MSVBVM60(00000000,?,?,?,00000000,00411816,00510F40), ref: 00510DA0
__vbaStrMove.MSVBVM60 ref: 00510DB9
__vbaFreeStr.MSVBVM60 ref: 00510DC2
__vbaStrCopy.MSVBVM60 ref: 00510DD7
__vbaSetSystemError.MSVBVM60(00000000), ref: 00510DF0
__vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816,00510F40), ref: 00510E0E
#685.MSVBVM60(?,?,?,00000000,00411816,00510F40), ref: 00510E1B
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00411816,00510F40), ref: 00510E26
__vbaFreeObj.MSVBVM60(?,?,?,00000000,00411816,00510F40), ref: 00510E47
__vbaAryDestruct.MSVBVM60(00000000,?,00510EA0,?,?,?,00000000,00411816,00510F40), ref: 00510E90
__vbaFreeStr.MSVBVM60(?,?,?,00000000,00411816,00510F40), ref: 00510E99

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Error$System$Free$CopyFixstr$BoundsGenerateLsetMove$#616#685AnsiChkstkConstructConstruct2DestructListUnicode
String ID:
API String ID: 1407977808-0
Opcode ID: 96d88efbd2c86c1bb7efa3df7a1d6dbb91e533e020dcb80b72a1b7b205e0db75
Instruction ID: 61aae459b20e88ee7b92aa73a2f2a7dbc075ece33f52a9c62382403083107cc6
Opcode Fuzzy Hash: 96d88efbd2c86c1bb7efa3df7a1d6dbb91e533e020dcb80b72a1b7b205e0db75
Instruction Fuzzy Hash: 5791E875D00208DFEB04DFE4DA48BDDBBB4FB48305F108169E506AB2A4DBB46A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004BD9C0 Relevance: 42.2, APIs: 28, Instructions: 199COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,?,004C0046,00000000,?,00000000), ref: 004BD9DE
__vbaStrCopy.MSVBVM60(00000000,?,?,00000000,00411816), ref: 004BDA0B
__vbaOnError.MSVBVM60(000000FF,?,00000000,00411816), ref: 004BDA1A
#685.MSVBVM60(?,00000000,00411816), ref: 004BDA27
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,00411816), ref: 004BDA32
__vbaFreeObj.MSVBVM60(?,00000000,00411816), ref: 004BDA4A
#578.MSVBVM60(?), ref: 004BDA69
#685.MSVBVM60 ref: 004BDA79
__vbaObjSet.MSVBVM60(?,00000000), ref: 004BDA84
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004BDAB7
__vbaFreeObj.MSVBVM60 ref: 004BDAE9
#685.MSVBVM60 ref: 004BDB02
__vbaObjSet.MSVBVM60(?,00000000), ref: 004BDB0D
__vbaFreeObj.MSVBVM60 ref: 004BDB25
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 004BDB3C
__vbaSetSystemError.MSVBVM60(00000000), ref: 004BDB4B
__vbaStrToUnicode.MSVBVM60(?,?), ref: 004BDB59
__vbaFreeStr.MSVBVM60 ref: 004BDB68
#685.MSVBVM60 ref: 004BDB75
__vbaObjSet.MSVBVM60(?,00000000), ref: 004BDB80
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004BDBB3
__vbaFreeObj.MSVBVM60 ref: 004BDBD7
__vbaSetSystemError.MSVBVM60(?,?), ref: 004BDBFC
__vbaSetSystemError.MSVBVM60(?), ref: 004BDC28
#685.MSVBVM60 ref: 004BDC42
__vbaObjSet.MSVBVM60(?,00000000), ref: 004BDC4D
__vbaFreeObj.MSVBVM60 ref: 004BDC65
__vbaFreeStr.MSVBVM60(004BDC8F), ref: 004BDC88

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$#685$Error$System$CheckHresult$#578AnsiChkstkCopyUnicode
String ID:
API String ID: 2269764201-0
Opcode ID: d6a6b8cf02c4de68ba2708724704ba57b623f65ff7b54e7bc68c7374617a1ef5
Instruction ID: a31f3be3b043828a8bf9a66bc95dffcb922f301b3e94250530a9b0130af5cdaa
Opcode Fuzzy Hash: d6a6b8cf02c4de68ba2708724704ba57b623f65ff7b54e7bc68c7374617a1ef5
Instruction Fuzzy Hash: A891C3B5D00208EFDB04DFE4EA48BDEBBB5BF48705F208569E502A72A0DB785A45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004F9BE0 Relevance: 42.1, APIs: 22, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00411816), ref: 004F9BFE
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 004F9C2E
#610.MSVBVM60(?,?,?,?,?,00411816), ref: 004F9C3F
#612.MSVBVM60(?,?,?,?,?,00411816), ref: 004F9C49
__vbaVarDup.MSVBVM60 ref: 004F9C63
__vbaVarDup.MSVBVM60 ref: 004F9C86
#650.MSVBVM60(?,?,00000001,00000001), ref: 004F9C98
__vbaStrMove.MSVBVM60 ref: 004F9CA3
#650.MSVBVM60(?,?,00000001,00000001,00000000), ref: 004F9CB6
__vbaStrMove.MSVBVM60 ref: 004F9CC1
__vbaStrCat.MSVBVM60(00000000), ref: 004F9CC8
__vbaStrMove.MSVBVM60 ref: 004F9CD3
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004F9CE3
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,?,00411816), ref: 004F9CFE
#685.MSVBVM60 ref: 004F9D0E
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F9D19
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004F9D64
__vbaFreeObj.MSVBVM60 ref: 004F9D94
__vbaStrCopy.MSVBVM60 ref: 004F9DB4
#685.MSVBVM60 ref: 004F9DC1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F9DCC
__vbaFreeObj.MSVBVM60 ref: 004F9DED

Strings

hhnnss, xrefs: 004F9C69
yyyymmdd, xrefs: 004F9C4F

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Move$#650#685List$#610#612CheckChkstkCopyErrorHresult
String ID: hhnnss$yyyymmdd
API String ID: 1324253332-2771916313
Opcode ID: 9774cb22cb2649cc1a13a3ffe9263e82d818f625f11768f8ae98775c09b62eea
Instruction ID: c1e48578a573ce9100569cfcfb1de71f199c0a9e64b3ed6bd8797ff50b545682
Opcode Fuzzy Hash: 9774cb22cb2649cc1a13a3ffe9263e82d818f625f11768f8ae98775c09b62eea
Instruction Fuzzy Hash: D6512875900218DFDB10DFA4DD48BEEB7B8FB08705F1081A9E60AB76A1DB745A88CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0052D280 Relevance: 42.1, APIs: 23, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000001,00411816,0052D577,?,?,?,?,00411816,004B1BE8), ref: 0052D29E
__vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000001,00411816,0052D577), ref: 0052D2CE
#607.MSVBVM60(?,00000100,00000002), ref: 0052D2F6
__vbaStrVarMove.MSVBVM60(?), ref: 0052D300
__vbaStrMove.MSVBVM60 ref: 0052D30B
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0052D31B
__vbaLenBstr.MSVBVM60(?,?,00000001,00411816,0052D577), ref: 0052D32F
__vbaStrToAnsi.MSVBVM60(?,?,?,?,00000001,00411816,0052D577), ref: 0052D34B
__vbaSetSystemError.MSVBVM60(00000002,00000000,?,00000001,00411816,0052D577), ref: 0052D35C
__vbaStrToUnicode.MSVBVM60(?,?,?,00000001,00411816,0052D577), ref: 0052D36A
__vbaFreeStr.MSVBVM60 ref: 0052D382
#616.MSVBVM60(?,?), ref: 0052D39F
__vbaStrMove.MSVBVM60 ref: 0052D3AA
__vbaStrCat.MSVBVM60(?,UNameDom: ), ref: 0052D3C0
__vbaStrMove.MSVBVM60 ref: 0052D3CB
__vbaFreeStr.MSVBVM60(?), ref: 0052D3DD
__vbaStrCopy.MSVBVM60 ref: 0052D3F4
__vbaStrCopy.MSVBVM60 ref: 0052D409
__vbaFreeStr.MSVBVM60(?), ref: 0052D41B
#685.MSVBVM60 ref: 0052D428
__vbaObjSet.MSVBVM60(?,00000000), ref: 0052D433
__vbaFreeObj.MSVBVM60 ref: 0052D454
__vbaFreeStr.MSVBVM60(0052D4A4), ref: 0052D49D

Strings

UNameDom: , xrefs: 0052D3B7, 0052D401

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Move$CopyError$#607#616#685AnsiBstrChkstkListSystemUnicode
String ID: UNameDom:
API String ID: 1732254648-2483048728
Opcode ID: 4018fe286762d098fffb29d09dad441b8fc834295653304cf860b91b3e7a2bdb
Instruction ID: d54f3a41fcff9a8a446edc56c0d758d08d48c064899d315c6772de5799e9bf66
Opcode Fuzzy Hash: 4018fe286762d098fffb29d09dad441b8fc834295653304cf860b91b3e7a2bdb
Instruction Fuzzy Hash: 4D51EC71910208EFDB04DFE0EA48BDDBBB8FF48705F108569E506B75A0DB745A45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004D0AE0 Relevance: 42.1, APIs: 23, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,00411816), ref: 004D0AFE
__vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 004D0B2B
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816), ref: 004D0B3A
#520.MSVBVM60(?,00004008), ref: 004D0B68
__vbaStrVarMove.MSVBVM60(?), ref: 004D0B72
__vbaStrMove.MSVBVM60 ref: 004D0B7D
__vbaFreeVar.MSVBVM60 ref: 004D0B86
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D0B9C
__vbaStrCopy.MSVBVM60 ref: 004D0BB5
__vbaStrCat.MSVBVM60(?,get:,?), ref: 004D0BC8
__vbaStrMove.MSVBVM60 ref: 004D0BD3

Part of subcall function 004D22A0: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,?,?,?,00000000,00411816), ref: 004D22BE
Part of subcall function 004D22A0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 004D22EB
Part of subcall function 004D22A0: __vbaAryConstruct2.MSVBVM60(?,004842F4,00000011,?,?,?,00000000,00411816), ref: 004D22FC
Part of subcall function 004D22A0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816), ref: 004D230B
Part of subcall function 004D22A0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 004D232C
Part of subcall function 004D22A0: __vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,00000000,00411816), ref: 004D2344
Part of subcall function 004D22A0: __vbaInStr.MSVBVM60(00000000,004775E8,?,00000001,?,?,?,?,00000000,00411816), ref: 004D2364
Part of subcall function 004D22A0: __vbaStrCopy.MSVBVM60(?,00000001,?,?,?,?,00000000,00411816), ref: 004D237D
Part of subcall function 004D22A0: __vbaStrCopy.MSVBVM60(?,?,?,?,00000000,00411816), ref: 004D2392
Part of subcall function 004D22A0: __vbaLenBstr.MSVBVM60(?,?,?,?,?,00000000,00411816), ref: 004D23A3
Part of subcall function 004D22A0: __vbaStrCopy.MSVBVM60(?,?,?,?,00000000,00411816), ref: 004D23C0
Part of subcall function 004D22A0: __vbaStrMove.MSVBVM60(?,?,encrypted:,?,?,?,?,00000000,00411816), ref: 004D23DD
Part of subcall function 004D22A0: __vbaStrCat.MSVBVM60(00000000,?,?,?,?,00000000,00411816), ref: 004D23E4
Part of subcall function 004D22A0: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00411816), ref: 004D23EF
Part of subcall function 004D22A0: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,00000000,00411816), ref: 004D23FF
Part of subcall function 004D22A0: __vbaInStr.MSVBVM60(00000000,0047C158,?,00000001,?,00000000,00411816), ref: 004D241C

__vbaStrMove.MSVBVM60(00000000), ref: 004D0BE4
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004D0BF4
#520.MSVBVM60(?,00004008), ref: 004D0C19
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 004D0C35
__vbaFreeVar.MSVBVM60 ref: 004D0C42
__vbaStrCopy.MSVBVM60 ref: 004D0C5F
__vbaStrCopy.MSVBVM60 ref: 004D0C72
#685.MSVBVM60 ref: 004D0C7F
__vbaObjSet.MSVBVM60(?,00000000), ref: 004D0C8A
__vbaFreeObj.MSVBVM60 ref: 004D0CAB
__vbaFreeStr.MSVBVM60(004D0D0E), ref: 004D0CFE
__vbaFreeStr.MSVBVM60 ref: 004D0D07

Strings

get:, xrefs: 004D0BBF

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Copy$Free$Move$#520ChkstkErrorList$#685BstrConstruct2
String ID: get:
API String ID: 1155568759-1157004333
Opcode ID: 616730630219b9a10d74fced0ba62dbc29de93e0d4b17b5ac2ffc36577aa0d85
Instruction ID: 56806339efd6c9056578ed7e6bfb7bacbc4212b26187ff9dcdf57a3f763245b0
Opcode Fuzzy Hash: 616730630219b9a10d74fced0ba62dbc29de93e0d4b17b5ac2ffc36577aa0d85
Instruction Fuzzy Hash: FD51E575900209EFDB04DFA0DA58BDEBBB4FF08705F20816AE506B76A0DB745A49CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004F2D70 Relevance: 38.6, APIs: 20, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,?,?,00000000,00000000,?,00411816), ref: 004F2D8E
__vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00411816), ref: 004F2DBE
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,00000000,00000000,00000000,00411816), ref: 004F2DD6
__vbaStrCmp.MSVBVM60(00473D9C,0075ACDC,?,00000000,00000000,00000000,00411816), ref: 004F2DF7
__vbaStrCopy.MSVBVM60 ref: 004F2E22
__vbaStrCopy.MSVBVM60 ref: 004F2E30
__vbaStrMove.MSVBVM60(?,?,0000000A), ref: 004F2E4C
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004F2E5C
__vbaFreeVar.MSVBVM60(00000000,00000000,00411816), ref: 004F2E68
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004F2E7E
__vbaStrCmp.MSVBVM60(004740D4,?), ref: 004F2E95
__vbaStrCopy.MSVBVM60 ref: 004F2ED6
__vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00411816), ref: 004F2EEE
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,00000000,00000000,00000000,00411816), ref: 004F2F04
__vbaStrCmp.MSVBVM60(004740D4,00000000,?,00000000,00000000,00000000,00411816), ref: 004F2F1B
__vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00411816), ref: 004F2F5A
#685.MSVBVM60(?,00000000,00000000,00000000,00411816), ref: 004F2F67
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,00000000,00411816), ref: 004F2F72
__vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,00411816), ref: 004F2F8A
__vbaFreeStr.MSVBVM60(004F2FDA,?,00000000,00000000,00000000,00411816), ref: 004F2FD3

Strings

Software\Aloaha, xrefs: 004F2E28
useini, xrefs: 004F2E1A

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Copy$Free$#685ChkstkErrorListMove
String ID: Software\Aloaha$useini
API String ID: 442541815-249623257
Opcode ID: a1e684f62844b2fab893522356771a9ada1a806333bc0d7f0c6aedbe042605da
Instruction ID: cfa25c6bf3be59ea39faf4443acacfd37063d57d86142dd94b79ecfa3a54d6a9
Opcode Fuzzy Hash: a1e684f62844b2fab893522356771a9ada1a806333bc0d7f0c6aedbe042605da
Instruction Fuzzy Hash: 53516F75900209DFDB10DF94DE49BEDBB74FF08709F208159E601BB2A0DBB45A09DB64

Uniqueness

Uniqueness Score: -1.00%

Function 004BD720 Relevance: 37.7, APIs: 25, Instructions: 164COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00411816,?,?,?,?,0052029D,?,?,?,00000000,00411816), ref: 004BD73E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 004BD76E
__vbaStrCopy.MSVBVM60(?,?,?,?,00411816), ref: 004BD783
#685.MSVBVM60(?,?,?,?,00411816), ref: 004BD790
__vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,00411816), ref: 004BD79B
__vbaFreeObj.MSVBVM60(?,?,?,?,00411816), ref: 004BD7B3

Part of subcall function 00518650: __vbaChkstk.MSVBVM60(?,00411816), ref: 0051866E
Part of subcall function 00518650: __vbaStrCopy.MSVBVM60(?,00000000,?,?,00411816), ref: 0051869B
Part of subcall function 00518650: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00411816), ref: 005186AA
Part of subcall function 00518650: #518.MSVBVM60(?,00004008), ref: 005186E2
Part of subcall function 00518650: #518.MSVBVM60(?,00004008), ref: 00518706
Part of subcall function 00518650: #518.MSVBVM60(?,00004008), ref: 0051872D
Part of subcall function 00518650: #617.MSVBVM60(?,?,00000005), ref: 0051873D
Part of subcall function 00518650: #617.MSVBVM60(?,?,00000006), ref: 00518761
Part of subcall function 00518650: #617.MSVBVM60(?,?,00000004), ref: 0051878B
Part of subcall function 00518650: __vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 005187B4
Part of subcall function 00518650: __vbaVarCmpEq.MSVBVM60(?,00008008,?,00000000), ref: 005187CD
Part of subcall function 00518650: __vbaVarOr.MSVBVM60(?,00000000), ref: 005187DB

#685.MSVBVM60(00000000,?,?,?,?,00411816), ref: 004BD7DC
__vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,00411816), ref: 004BD7E7
__vbaStrMove.MSVBVM60(0052029D), ref: 004BD8E0
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004BD81A

Part of subcall function 004BDCB0: __vbaOnError.MSVBVM60(00000001), ref: 004BDD2B
Part of subcall function 004BDCB0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000,00000000), ref: 004BDD50
Part of subcall function 004BDCB0: __vbaStrToAnsi.MSVBVM60(?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDD78
Part of subcall function 004BDCB0: __vbaSetSystemError.MSVBVM60(00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDD86
Part of subcall function 004BDCB0: __vbaStrToUnicode.MSVBVM60(?,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDD97
Part of subcall function 004BDCB0: __vbaFreeStr.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDDA5
Part of subcall function 004BDCB0: __vbaAryLock.MSVBVM60(?,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDDBD
Part of subcall function 004BDCB0: __vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004BDDDA

__vbaFreeObj.MSVBVM60 ref: 004BD83E
__vbaVar2Vec.MSVBVM60(?,?,?,0052029D), ref: 004BD868
__vbaAryMove.MSVBVM60(?,?), ref: 004BD876
__vbaFreeVar.MSVBVM60 ref: 004BD87F
#717.MSVBVM60(?,00006011,00000040,00000000), ref: 004BD8A5
__vbaStrVarMove.MSVBVM60(?), ref: 004BD8AF
__vbaStrMove.MSVBVM60 ref: 004BD8BA
__vbaFreeVar.MSVBVM60 ref: 004BD8C3
__vbaStrMove.MSVBVM60(0052029D,00000000,?,?,?,?,00411816), ref: 004BD8FD
__vbaStrCopy.MSVBVM60(?,?,?,?,00411816), ref: 004BD910
#685.MSVBVM60(?,?,?,?,00411816), ref: 004BD91D
__vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,00411816), ref: 004BD928
__vbaFreeObj.MSVBVM60(?,?,?,?,00411816), ref: 004BD949
__vbaAryDestruct.MSVBVM60(00000000,?,004BD99E,?,?,?,?,00411816), ref: 004BD98E
__vbaFreeStr.MSVBVM60(?,?,?,?,00411816), ref: 004BD997

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$ErrorMove$#518#617#685Copy$Chkstk$#717AnsiBoundsCheckDestructGenerateHresultLockRedimSystemUnicodeVar2
String ID:
API String ID: 2320873246-0
Opcode ID: 4a537bf709d4547368dfdc5ade77a81eaeb7a5ef9f13bbf33c9793888d514d4f
Instruction ID: 5d6043bca74229f17e930ae029f18018f7593ce28530b8955bcca7b5a99d8a74
Opcode Fuzzy Hash: 4a537bf709d4547368dfdc5ade77a81eaeb7a5ef9f13bbf33c9793888d514d4f
Instruction Fuzzy Hash: 8471D675D00209EFDB04DFA4DA48BDEBBB4BF48305F108569E502A72A0DB789A45DF64

Uniqueness

Uniqueness Score: -1.00%

Function 004D0280 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,00499C87,?,?,?,?,00411816), ref: 004D029E
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816,00499C87), ref: 004D02CE
__vbaStrCmp.MSVBVM60(true,0076575C,?,?,?,00000000,00411816,00499C87), ref: 004D02E6
__vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816,00499C87), ref: 004D0305
__vbaSetSystemError.MSVBVM60(?), ref: 004D0357
#685.MSVBVM60 ref: 004D0364
__vbaObjSet.MSVBVM60(?,00000000), ref: 004D036F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004D03A2
__vbaFreeObj.MSVBVM60 ref: 004D03C6
SetProcessDEPPolicy.KERNEL32(00000000), ref: 004D03DA
#685.MSVBVM60(?,?,?,00000000,00411816,00499C87), ref: 004D03E7
__vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,00000000,00411816,00499C87), ref: 004D03F2
__vbaFreeObj.MSVBVM60(?,?,?,00000000,00411816,00499C87), ref: 004D040A

Strings

true, xrefs: 004D02E1, 004D02FB
\Wv, xrefs: 004D02DB, 004D0300

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$#685ErrorFree$CheckChkstkCopyHresultPolicyProcessSystem
String ID: \Wv$true
API String ID: 880356173-3025869392
Opcode ID: 21eaa26b84aafe2ad1668fbe8edf97d9f22b8005765ae6b72716fb84248a8161
Instruction ID: 0b39f65f23b400f194479823f842bfb30112e6d873ecb9f9bba753a7fd8ab2de
Opcode Fuzzy Hash: 21eaa26b84aafe2ad1668fbe8edf97d9f22b8005765ae6b72716fb84248a8161
Instruction Fuzzy Hash: 8341E4B5900208EFDB04EFE4DA48BDEBBB4FF08749F50815AE505A72A0CBB85A44CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0054B1E0 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000001,00411816), ref: 0054B1FE
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000001,00411816), ref: 0054B22E

Part of subcall function 00531FD0: __vbaChkstk.MSVBVM60(00000000,00411816,004CB93C,?,00000001,?,00000000,00411816), ref: 00531FEE
Part of subcall function 00531FD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000001,?,00000000,00411816,004CB93C), ref: 0053201E
Part of subcall function 00531FD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000001,?,00000000,00411816,004CB93C), ref: 0053202D
Part of subcall function 00531FD0: __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,00411816,004CB93C), ref: 0053203C
Part of subcall function 00531FD0: #520.MSVBVM60(?,00004008), ref: 0053206B
Part of subcall function 00531FD0: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 00532093
Part of subcall function 00531FD0: __vbaFreeVar.MSVBVM60 ref: 005320A6
Part of subcall function 00531FD0: __vbaStrCopy.MSVBVM60 ref: 005320CA
Part of subcall function 00531FD0: #520.MSVBVM60(?,00000008,?), ref: 005320F7
Part of subcall function 00531FD0: __vbaStrVarMove.MSVBVM60(?), ref: 00532104
Part of subcall function 00531FD0: __vbaStrMove.MSVBVM60 ref: 00532111
Part of subcall function 00531FD0: __vbaFreeStr.MSVBVM60 ref: 0053211A
Part of subcall function 00531FD0: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 00532130
Part of subcall function 00531FD0: #520.MSVBVM60(?,00004008), ref: 00532162
Part of subcall function 00531FD0: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0053218A
Part of subcall function 00531FD0: __vbaFreeVar.MSVBVM60 ref: 0053219D

__vbaStrCmp.MSVBVM60(true,0077F2F4), ref: 0054B291
__vbaStrErrVarCopy.MSVBVM60(?,MiniCSP_HID get_ScardContext returned: ), ref: 0054B2AB
__vbaStrMove.MSVBVM60 ref: 0054B2B6
__vbaStrCat.MSVBVM60(00000000), ref: 0054B2BD
__vbaStrMove.MSVBVM60 ref: 0054B2C8
__vbaFreeStrList.MSVBVM60(00000002,?,?,?), ref: 0054B2E1
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,00411750,?,?,?,00000001,00411816), ref: 0054B31B
#685.MSVBVM60(?,?,?,00000001,00411816), ref: 0054B32E
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000001,00411816), ref: 0054B339
__vbaFreeObj.MSVBVM60(?,?,?,00000001,00411816), ref: 0054B351
__vbaFreeVar.MSVBVM60(0054B385,?,?,?,00000001,00411816), ref: 0054B37E

Part of subcall function 005377E0: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,00000001), ref: 005377FE
Part of subcall function 005377E0: __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,00411816), ref: 0053782E
Part of subcall function 005377E0: __vbaStrCmp.MSVBVM60(true,00000000,?,00000001,?,00000000,00411816), ref: 0053785C
Part of subcall function 005377E0: #685.MSVBVM60(?,00000001,?,00000000,00411816), ref: 00537A6F
Part of subcall function 005377E0: __vbaObjSet.MSVBVM60(?,00000000,?,00000001,?,00000000,00411816), ref: 00537A7A
Part of subcall function 005377E0: __vbaFreeObj.MSVBVM60(?,00000001,?,00000000,00411816), ref: 00537A92

Strings

true, xrefs: 0054B28C
MiniCSP_HID get_ScardContext returned: , xrefs: 0054B2A2

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$ErrorMove$#520Chkstk$#685ConstructCopyFixstrList$System
String ID: MiniCSP_HID get_ScardContext returned: $true
API String ID: 1557156342-336068393
Opcode ID: c942b080303099fa1c939329039950d86ed2bc58302c5c6952c927f87a117c3f
Instruction ID: 2ff068b0ed3735216cb0f6a46c3d48c19f9f1c058544d7522cd5d41d6ddf4fc1
Opcode Fuzzy Hash: c942b080303099fa1c939329039950d86ed2bc58302c5c6952c927f87a117c3f
Instruction Fuzzy Hash: 79414FB5900209EFDB00DFD4DA48BEEBBB4FF48308F108459F505A76A0D7B85A05DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00545940 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816), ref: 0054595E
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816), ref: 0054598E

Part of subcall function 00531FD0: __vbaChkstk.MSVBVM60(00000000,00411816,004CB93C,?,00000001,?,00000000,00411816), ref: 00531FEE
Part of subcall function 00531FD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000001,?,00000000,00411816,004CB93C), ref: 0053201E
Part of subcall function 00531FD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000001,?,00000000,00411816,004CB93C), ref: 0053202D
Part of subcall function 00531FD0: __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,00411816,004CB93C), ref: 0053203C
Part of subcall function 00531FD0: #520.MSVBVM60(?,00004008), ref: 0053206B
Part of subcall function 00531FD0: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 00532093
Part of subcall function 00531FD0: __vbaFreeVar.MSVBVM60 ref: 005320A6
Part of subcall function 00531FD0: __vbaStrCopy.MSVBVM60 ref: 005320CA
Part of subcall function 00531FD0: #520.MSVBVM60(?,00000008,?), ref: 005320F7
Part of subcall function 00531FD0: __vbaStrVarMove.MSVBVM60(?), ref: 00532104
Part of subcall function 00531FD0: __vbaStrMove.MSVBVM60 ref: 00532111
Part of subcall function 00531FD0: __vbaFreeStr.MSVBVM60 ref: 0053211A
Part of subcall function 00531FD0: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 00532130
Part of subcall function 00531FD0: #520.MSVBVM60(?,00004008), ref: 00532162
Part of subcall function 00531FD0: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0053218A
Part of subcall function 00531FD0: __vbaFreeVar.MSVBVM60 ref: 0053219D

__vbaSetSystemError.MSVBVM60(00000000,00000000,00000000,xA,?,?,?,00000000,00411816), ref: 005459C6
#685.MSVBVM60 ref: 00545A1B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00545A26
__vbaFreeObj.MSVBVM60 ref: 00545A3E

Strings

xA, xrefs: 005459FB, 005459AE, 005459B1

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$#520Error$ChkstkConstructFixstrMove$#685CopyListSystem
String ID: xA
API String ID: 3365449785-299298737
Opcode ID: 90f0ee6a55c37e626c9b9ecd3654e388efea941e341bb048a015b941be6eb635
Instruction ID: 9a4ce7320b208d3379e7d468124d79811d07a1c97646c30e9bb1bbbb0227a054
Opcode Fuzzy Hash: 90f0ee6a55c37e626c9b9ecd3654e388efea941e341bb048a015b941be6eb635
Instruction Fuzzy Hash: EA315AB0901649EFDB00DFD4CA48BDEBBB4FF08349F208159E501BB291D7B99A44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00411DE8 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 179COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00411DED

Strings

VB5!6&*, xrefs: 00411DE8

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: a915472e1d41b36aa2eec8b432f14369d9302e1397c4addb749c1587440f1ac4
Instruction ID: 4857fa7a8368d95cb3c5180038f1c91bfc8c94c82a72cd81e715389278c1ab62
Opcode Fuzzy Hash: a915472e1d41b36aa2eec8b432f14369d9302e1397c4addb749c1587440f1ac4
Instruction Fuzzy Hash: 625162A6A9E7C15FC70357B49A660913FB1AE2322430F44DBC581DF0B3E6984C4AC776

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004C5070 Relevance: 743.2, APIs: 379, Strings: 44, Instructions: 2965COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00411816,?,?,?,004C1EA4,?,?,?,?,?,00000000,?,?,00411816), ref: 004C508E
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00411816), ref: 004C50BE
#685.MSVBVM60(?,00000000), ref: 004C5109
__vbaObjSet.MSVBVM60(?,00000000,?,00000000), ref: 004C5114
__vbaFreeObj.MSVBVM60(?,00000000), ref: 004C5135
#518.MSVBVM60(?,00004008), ref: 004C5160
#617.MSVBVM60(?,?,00000004), ref: 004C5173
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 004C519B
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004C51B5
__vbaStrCat.MSVBVM60(?,http://), ref: 004C51DB
__vbaStrMove.MSVBVM60(?,http://), ref: 004C51E6
__vbaStrCat.MSVBVM60(00000000,going to fetch: ), ref: 004C51FE
__vbaStrMove.MSVBVM60(?,http://), ref: 004C5209
__vbaFreeStr.MSVBVM60(?), ref: 004C521B
#685.MSVBVM60(?,http://), ref: 004C5228
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C5233
__vbaFreeObj.MSVBVM60(?,http://), ref: 004C5254
#716.MSVBVM60(?,WinHttp.WinHttpRequest,00000000), ref: 004C526C
__vbaObjVar.MSVBVM60(?), ref: 004C5276
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004C5281
__vbaFreeVar.MSVBVM60(?,http://), ref: 004C528A
#685.MSVBVM60(?,http://), ref: 004C5297
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C52A2
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004C52ED
__vbaFreeObj.MSVBVM60 ref: 004C531D
__vbaStrCopy.MSVBVM60 ref: 004C5341
__vbaFreeStr.MSVBVM60(?), ref: 004C5353
#685.MSVBVM60 ref: 004C5360
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C536B
__vbaFreeObj.MSVBVM60 ref: 004C538C
#716.MSVBVM60(?,Microsoft.XMLHTTP,00000000), ref: 004C53A4
__vbaObjVar.MSVBVM60(?), ref: 004C53AE
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004C53B9
__vbaFreeVar.MSVBVM60 ref: 004C53C2
#685.MSVBVM60 ref: 004C53CF
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C53DA
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004C5425
__vbaFreeObj.MSVBVM60 ref: 004C5455
__vbaStrCopy.MSVBVM60 ref: 004C5479
__vbaFreeStr.MSVBVM60(?), ref: 004C548B
#685.MSVBVM60 ref: 004C5498
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C54A3
__vbaFreeObj.MSVBVM60 ref: 004C54C4
#716.MSVBVM60(?,MSXML2.ServerXMLHTTP,00000000), ref: 004C54DC
__vbaObjVar.MSVBVM60(?), ref: 004C54E6
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004C54F1
__vbaFreeVar.MSVBVM60 ref: 004C54FA
#685.MSVBVM60 ref: 004C5507
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C5512
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004C555D
__vbaFreeObj.MSVBVM60 ref: 004C558D
__vbaStrCopy.MSVBVM60 ref: 004C55B1
__vbaFreeStr.MSVBVM60(?), ref: 004C55C3
#685.MSVBVM60 ref: 004C55D0
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C55DB
__vbaFreeObj.MSVBVM60 ref: 004C55FC
#716.MSVBVM60(?,WinHttp.WinHttpRequest.5.1,00000000), ref: 004C5614
__vbaObjVar.MSVBVM60(?), ref: 004C561E
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004C5629
__vbaFreeVar.MSVBVM60 ref: 004C5632
#685.MSVBVM60 ref: 004C563F
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C564A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004C5695
__vbaFreeObj.MSVBVM60 ref: 004C56C5
__vbaStrCopy.MSVBVM60 ref: 004C56E9
__vbaFreeStr.MSVBVM60(?), ref: 004C56FB
#685.MSVBVM60 ref: 004C5708
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C5713
__vbaFreeObj.MSVBVM60 ref: 004C5734
#716.MSVBVM60(?,WinHttp.WinHttpRequest,00000000), ref: 004C574C
__vbaObjVar.MSVBVM60(?), ref: 004C5756
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004C5761
__vbaFreeVar.MSVBVM60 ref: 004C576A
#685.MSVBVM60 ref: 004C5777
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C5782
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004C57CD
__vbaFreeObj.MSVBVM60 ref: 004C57FD
__vbaStrCopy.MSVBVM60 ref: 004C5821
__vbaFreeStr.MSVBVM60(?), ref: 004C5833
__vbaStrMove.MSVBVM60 ref: 004C585E
__vbaChkstk.MSVBVM60 ref: 004C5879
__vbaChkstk.MSVBVM60 ref: 004C58A8
__vbaLateMemCallSt.MSVBVM60(?,Option,00000001), ref: 004C58DD
__vbaFreeStr.MSVBVM60 ref: 004C58E9
#518.MSVBVM60(?,00004008), ref: 004C5914
#617.MSVBVM60(?,?,00000005), ref: 004C5927
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 004C594F
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004C5969
__vbaChkstk.MSVBVM60 ref: 004C59B5
__vbaChkstk.MSVBVM60 ref: 004C59E4
__vbaLateMemCallSt.MSVBVM60(?,Option,00000001), ref: 004C5A19
__vbaChkstk.MSVBVM60 ref: 004C5A69
__vbaChkstk.MSVBVM60 ref: 004C5A98
__vbaChkstk.MSVBVM60 ref: 004C5AC7
__vbaLateMemCall.MSVBVM60(?,Open,00000003), ref: 004C5AFC
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004C5B18
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004C5B30
__vbaChkstk.MSVBVM60 ref: 004C5B8D
__vbaChkstk.MSVBVM60 ref: 004C5BBC
__vbaChkstk.MSVBVM60 ref: 004C5BEB
__vbaLateMemCall.MSVBVM60(?,SetCredentials,00000003), ref: 004C5C20
__vbaChkstk.MSVBVM60 ref: 004C5C49
__vbaLateMemCall.MSVBVM60(?,SetAutoLogonPolicy,00000001), ref: 004C5C7E
__vbaChkstk.MSVBVM60 ref: 004C5CBB
__vbaChkstk.MSVBVM60 ref: 004C5CEA
__vbaLateMemCall.MSVBVM60(?,setRequestHeader,00000002), ref: 004C5D1F
__vbaChkstk.MSVBVM60 ref: 004C5D5C
__vbaChkstk.MSVBVM60 ref: 004C5D8B
__vbaLateMemCall.MSVBVM60(?,setRequestHeader,00000002), ref: 004C5DC0
__vbaChkstk.MSVBVM60 ref: 004C5DFD
__vbaChkstk.MSVBVM60 ref: 004C5E2C
__vbaLateMemCall.MSVBVM60(?,setRequestHeader,00000002), ref: 004C5E61
__vbaLateMemCall.MSVBVM60(?,send,00000000), ref: 004C5E7C
__vbaChkstk.MSVBVM60 ref: 004C5EBE
__vbaChkstk.MSVBVM60 ref: 004C5EED
__vbaLateMemCall.MSVBVM60(?,setRequestHeader,00000002), ref: 004C5F22
__vbaChkstk.MSVBVM60 ref: 004C5F5F
__vbaChkstk.MSVBVM60 ref: 004C5F8E
__vbaLateMemCall.MSVBVM60(?,setRequestHeader,00000002), ref: 004C5FC3
__vbaChkstk.MSVBVM60 ref: 004C6000
__vbaChkstk.MSVBVM60 ref: 004C602F
__vbaLateMemCall.MSVBVM60(?,setRequestHeader,00000002), ref: 004C6064
__vbaLateMemCallLd.MSVBVM60(?,?,Status,00000000,First answer: ), ref: 004C60A3
__vbaStrErrVarCopy.MSVBVM60(00000000), ref: 004C60AD
__vbaStrMove.MSVBVM60 ref: 004C60B8
__vbaStrCat.MSVBVM60(00000000), ref: 004C60BF
__vbaStrMove.MSVBVM60 ref: 004C60CA
__vbaFreeStrList.MSVBVM60(00000002,?,?,?), ref: 004C60E3
__vbaFreeVar.MSVBVM60 ref: 004C60EF
__vbaLateMemCallLd.MSVBVM60(?,?,responseText,00000000), ref: 004C610B
#617.MSVBVM60(?,?,00000064), ref: 004C6121
__vbaStrErrVarCopy.MSVBVM60(?,ResponseText: ), ref: 004C6133
__vbaStrMove.MSVBVM60 ref: 004C613E
__vbaStrCat.MSVBVM60(00000000), ref: 004C6145
__vbaStrMove.MSVBVM60 ref: 004C6150
__vbaStrCat.MSVBVM60( .....,00000000), ref: 004C615C
__vbaStrMove.MSVBVM60 ref: 004C6167
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?), ref: 004C6184
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 004C61A1
#685.MSVBVM60 ref: 004C61B1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C61BC
__vbaFreeObj.MSVBVM60 ref: 004C61DD
__vbaLateMemCallLd.MSVBVM60(?,?,Status,00000000), ref: 004C61F9
__vbaStrErrVarCopy.MSVBVM60(?), ref: 004C6206
#617.MSVBVM60(?,00000008,00000001), ref: 004C6229
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 004C6251
__vbaFreeVarList.MSVBVM60(00000003,?,00000008,?), ref: 004C6272
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004C629D
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004C62B7
__vbaStrMove.MSVBVM60(WEBUser), ref: 004C62E1

Part of subcall function 005130F0: __vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 005131F9
Part of subcall function 005130F0: __vbaStrCmp.MSVBVM60(00000000,00000000), ref: 00513210
Part of subcall function 005130F0: __vbaStrCopy.MSVBVM60 ref: 00513232

__vbaStrMove.MSVBVM60(WEBpass), ref: 004C62FF
#685.MSVBVM60 ref: 004C630C
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C6317
__vbaFreeObj.MSVBVM60 ref: 004C6338
__vbaChkstk.MSVBVM60 ref: 004C6385
__vbaChkstk.MSVBVM60 ref: 004C63B4
__vbaChkstk.MSVBVM60 ref: 004C63E3
__vbaLateMemCall.MSVBVM60(?,Open,00000003), ref: 004C6418
__vbaChkstk.MSVBVM60 ref: 004C6469
__vbaChkstk.MSVBVM60 ref: 004C6498
__vbaChkstk.MSVBVM60 ref: 004C64C7

Part of subcall function 005130F0: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,00515C4A,WEBUser), ref: 0051310E
Part of subcall function 005130F0: __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00411816), ref: 0051313B
Part of subcall function 005130F0: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00411816), ref: 0051314A
Part of subcall function 005130F0: __vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 0051316F
Part of subcall function 005130F0: __vbaStrCopy.MSVBVM60 ref: 005131A9
Part of subcall function 005130F0: __vbaStrMove.MSVBVM60(?), ref: 005131C4
Part of subcall function 005130F0: __vbaStrCopy.MSVBVM60 ref: 005131DB
Part of subcall function 005130F0: #685.MSVBVM60 ref: 0051380A
Part of subcall function 005130F0: __vbaObjSet.MSVBVM60(?,00000000), ref: 00513815
Part of subcall function 005130F0: __vbaFreeObj.MSVBVM60 ref: 00513836
Part of subcall function 005130F0: __vbaFreeObj.MSVBVM60(00513893), ref: 00513883
Part of subcall function 005130F0: __vbaFreeStr.MSVBVM60 ref: 0051388C

__vbaLateMemCall.MSVBVM60(?,SetCredentials,00000003), ref: 004C64FC
__vbaChkstk.MSVBVM60 ref: 004C6525
__vbaLateMemCall.MSVBVM60(?,SetAutoLogonPolicy,00000001), ref: 004C655A
__vbaChkstk.MSVBVM60 ref: 004C6597
__vbaChkstk.MSVBVM60 ref: 004C65C6
__vbaLateMemCall.MSVBVM60(?,setRequestHeader,00000002), ref: 004C65FB
__vbaChkstk.MSVBVM60 ref: 004C6638
__vbaChkstk.MSVBVM60 ref: 004C6667
__vbaLateMemCall.MSVBVM60(?,setRequestHeader,00000002), ref: 004C669C
__vbaChkstk.MSVBVM60 ref: 004C66D9
__vbaChkstk.MSVBVM60 ref: 004C6708
__vbaLateMemCall.MSVBVM60(?,setRequestHeader,00000002), ref: 004C673D
__vbaLateMemCall.MSVBVM60(?,send,00000000), ref: 004C6758
__vbaLateMemCallLd.MSVBVM60(?,?,Status,00000000,Second answer: ), ref: 004C677C
__vbaStrErrVarCopy.MSVBVM60(00000000), ref: 004C6786
__vbaStrMove.MSVBVM60 ref: 004C6791
__vbaStrCat.MSVBVM60(00000000), ref: 004C6798
__vbaStrMove.MSVBVM60 ref: 004C67A3
__vbaFreeStrList.MSVBVM60(00000002,?,?,?), ref: 004C67BC
__vbaFreeVar.MSVBVM60 ref: 004C67C8
__vbaLateMemCallLd.MSVBVM60(?,?,Status,00000000), ref: 004C67E4
__vbaStrErrVarCopy.MSVBVM60(?), ref: 004C67F1
#617.MSVBVM60(?,00000008,00000001), ref: 004C6814
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 004C683C
__vbaFreeVarList.MSVBVM60(00000003,?,00000008,?), ref: 004C685D
#685.MSVBVM60 ref: 004C687C
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C6887
__vbaFreeObj.MSVBVM60 ref: 004C68A8
__vbaChkstk.MSVBVM60 ref: 004C68F5
__vbaChkstk.MSVBVM60 ref: 004C6924
__vbaChkstk.MSVBVM60 ref: 004C6953
__vbaLateMemCall.MSVBVM60(?,Open,00000003), ref: 004C6988
__vbaChkstk.MSVBVM60 ref: 004C69D9
__vbaChkstk.MSVBVM60 ref: 004C6A08
__vbaChkstk.MSVBVM60 ref: 004C6A37
__vbaLateMemCall.MSVBVM60(?,SetCredentials,00000003), ref: 004C6A6C
__vbaChkstk.MSVBVM60 ref: 004C6A95
__vbaLateMemCall.MSVBVM60(?,SetAutoLogonPolicy,00000001), ref: 004C6ACA
__vbaChkstk.MSVBVM60 ref: 004C6B07
__vbaChkstk.MSVBVM60 ref: 004C6B36
__vbaLateMemCall.MSVBVM60(?,setRequestHeader,00000002), ref: 004C6B6B
__vbaChkstk.MSVBVM60 ref: 004C6BA8
__vbaChkstk.MSVBVM60 ref: 004C6BD7
__vbaLateMemCall.MSVBVM60(?,setRequestHeader,00000002), ref: 004C6C0C
__vbaChkstk.MSVBVM60 ref: 004C6C49
__vbaChkstk.MSVBVM60 ref: 004C6C78
__vbaLateMemCall.MSVBVM60(?,setRequestHeader,00000002), ref: 004C6CAD
__vbaLateMemCall.MSVBVM60(?,send,00000000), ref: 004C6CC8
__vbaLateMemCallLd.MSVBVM60(?,?,Status,00000000,Third answer: ), ref: 004C6CEC
__vbaStrErrVarCopy.MSVBVM60(00000000), ref: 004C6CF6
__vbaStrMove.MSVBVM60 ref: 004C6D01
__vbaStrCat.MSVBVM60(00000000), ref: 004C6D08
__vbaStrMove.MSVBVM60 ref: 004C6D13
__vbaFreeStrList.MSVBVM60(00000002,?,?,?), ref: 004C6D2C
__vbaFreeVar.MSVBVM60 ref: 004C6D38
__vbaLateMemCallLd.MSVBVM60(?,?,Status,00000000), ref: 004C6D54
__vbaStrErrVarCopy.MSVBVM60(?), ref: 004C6D61
#617.MSVBVM60(?,00000008,00000001), ref: 004C6D84
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 004C6DAC
__vbaFreeVarList.MSVBVM60(00000003,?,00000008,?), ref: 004C6DCD
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004C6DF2
#716.MSVBVM60(?,MSXML2.ServerXMLHTTP,00000000), ref: 004C6E0A
__vbaObjVar.MSVBVM60(?), ref: 004C6E14
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004C6E1F
__vbaFreeVar.MSVBVM60 ref: 004C6E28
#685.MSVBVM60 ref: 004C6E35
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C6E40
__vbaFreeObj.MSVBVM60 ref: 004C6E61
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004C6E7A
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 004C6E93
__vbaChkstk.MSVBVM60 ref: 004C6F17
__vbaChkstk.MSVBVM60 ref: 004C6F46
__vbaChkstk.MSVBVM60 ref: 004C6F75
__vbaChkstk.MSVBVM60 ref: 004C6FA4
__vbaChkstk.MSVBVM60 ref: 004C6FD3
__vbaLateMemCall.MSVBVM60(?,Open,00000005), ref: 004C7008
__vbaChkstk.MSVBVM60 ref: 004C7045
__vbaChkstk.MSVBVM60 ref: 004C7074
__vbaLateMemCall.MSVBVM60(?,setRequestHeader,00000002), ref: 004C70A9
__vbaChkstk.MSVBVM60 ref: 004C70E6
__vbaChkstk.MSVBVM60 ref: 004C7115
__vbaLateMemCall.MSVBVM60(?,setRequestHeader,00000002), ref: 004C714A
__vbaChkstk.MSVBVM60 ref: 004C7187
__vbaChkstk.MSVBVM60 ref: 004C71B6
__vbaLateMemCall.MSVBVM60(?,setRequestHeader,00000002), ref: 004C71EB
__vbaChkstk.MSVBVM60 ref: 004C7214
__vbaLateMemCall.MSVBVM60(?,send,00000001), ref: 004C7249
#685.MSVBVM60 ref: 004C7259
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C7264
__vbaFreeObj.MSVBVM60 ref: 004C7285
__vbaLateMemCallLd.MSVBVM60(?,?,responseText,00000000), ref: 004C72B4
__vbaVarMove.MSVBVM60 ref: 004C72C2
__vbaStrCat.MSVBVM60(?,Response Text: ), ref: 004C72D8
__vbaStrMove.MSVBVM60 ref: 004C72E3
__vbaFreeStr.MSVBVM60(?), ref: 004C72F5
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 004C7321
__vbaStrCopy.MSVBVM60 ref: 004C733D
__vbaFreeStr.MSVBVM60(?), ref: 004C734F
__vbaLateMemCallLd.MSVBVM60(?,?,responseBody,00000000), ref: 004C7370
__vbaVarMove.MSVBVM60 ref: 004C737E
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 004C73AA
#685.MSVBVM60 ref: 004C73C2
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C73CD
__vbaFreeObj.MSVBVM60 ref: 004C73EE
__vbaStrCopy.MSVBVM60 ref: 004C7403
__vbaStrCopy.MSVBVM60 ref: 004C7411
__vbaObjSet.MSVBVM60(?,00000000,CAPICOM.Utilities,00000000,?,?), ref: 004C743E
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004C744E
__vbaChkstk.MSVBVM60 ref: 004C7476
__vbaLateMemCallLd.MSVBVM60(?,?,BinaryStringToByteArray,00000001), ref: 004C74AF
__vbaVar2Vec.MSVBVM60(?,00000000), ref: 004C74C0
__vbaAryMove.MSVBVM60(?,?), ref: 004C74D1
__vbaFreeVar.MSVBVM60 ref: 004C74DA
#685.MSVBVM60 ref: 004C74E7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C74F2
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004C753D
__vbaFreeObj.MSVBVM60 ref: 004C756D
__vbaVarCopy.MSVBVM60 ref: 004C75A1
#685.MSVBVM60 ref: 004C75B3
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C75BE
__vbaFreeObj.MSVBVM60 ref: 004C75DF
__vbaRefVarAry.MSVBVM60(?), ref: 004C75F0
__vbaUbound.MSVBVM60(00000001), ref: 004C75FB
#685.MSVBVM60 ref: 004C7611
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C761C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004C7667
__vbaFreeObj.MSVBVM60 ref: 004C7697
__vbaVar2Vec.MSVBVM60(?,?), ref: 004C76BE
__vbaAryMove.MSVBVM60(?,?), ref: 004C76CF
#685.MSVBVM60 ref: 004C76DC
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C76E7
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004C7732
__vbaFreeObj.MSVBVM60 ref: 004C7762
__vbaVar2Vec.MSVBVM60(?,?), ref: 004C7785
__vbaAryMove.MSVBVM60(?,?), ref: 004C7796
__vbaVarCopy.MSVBVM60 ref: 004C77BF
#685.MSVBVM60 ref: 004C77CC
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C77D7
__vbaFreeObj.MSVBVM60 ref: 004C77F8
__vbaUbound.MSVBVM60(00000001,?), ref: 004C780B
#685.MSVBVM60 ref: 004C7821
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C782C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004C7877
__vbaFreeObj.MSVBVM60 ref: 004C78A7
__vbaGenerateBoundsError.MSVBVM60 ref: 004C78FA
__vbaGenerateBoundsError.MSVBVM60 ref: 004C7914
__vbaGenerateBoundsError.MSVBVM60 ref: 004C795A
__vbaGenerateBoundsError.MSVBVM60 ref: 004C7974
__vbaGenerateBoundsError.MSVBVM60 ref: 004C79BA
__vbaGenerateBoundsError.MSVBVM60 ref: 004C79D4
__vbaGenerateBoundsError.MSVBVM60 ref: 004C7A1A
__vbaGenerateBoundsError.MSVBVM60 ref: 004C7A34
__vbaGenerateBoundsError.MSVBVM60 ref: 004C7A7A
__vbaGenerateBoundsError.MSVBVM60 ref: 004C7A94
__vbaGenerateBoundsError.MSVBVM60 ref: 004C7ADA
__vbaGenerateBoundsError.MSVBVM60 ref: 004C7AF4
__vbaGenerateBoundsError.MSVBVM60 ref: 004C7B3A
__vbaGenerateBoundsError.MSVBVM60 ref: 004C7B54
__vbaGenerateBoundsError.MSVBVM60 ref: 004C7B9A
__vbaGenerateBoundsError.MSVBVM60 ref: 004C7BB4
__vbaChkstk.MSVBVM60 ref: 004C7CE9

Part of subcall function 004CA210: __vbaChkstk.MSVBVM60(00473D9C,00411816,?,?,004C7D1E,?,00000000), ref: 004CA22E
Part of subcall function 004CA210: __vbaVarDup.MSVBVM60(?,00000001,?,00473D9C,00411816), ref: 004CA25B
Part of subcall function 004CA210: __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00473D9C,00411816), ref: 004CA26A
Part of subcall function 004CA210: #685.MSVBVM60(?,00000001,?,00473D9C,00411816), ref: 004CA277
Part of subcall function 004CA210: __vbaObjSet.MSVBVM60(?,00000000,?,00000001,?,00473D9C,00411816), ref: 004CA282
Part of subcall function 004CA210: __vbaFreeObj.MSVBVM60(?,00000001,?,00473D9C,00411816), ref: 004CA2A3
Part of subcall function 004CA210: __vbaStrCopy.MSVBVM60(?,00000001,?,00473D9C,00411816), ref: 004CA2B8
Part of subcall function 004CA210: __vbaStrCopy.MSVBVM60(?,00000001,?,00473D9C,00411816), ref: 004CA2C6
Part of subcall function 004CA210: __vbaObjSet.MSVBVM60(?,00000000,CAPICOM.Utilities,00000000,?,?), ref: 004CA2F3
Part of subcall function 004CA210: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004CA303
Part of subcall function 004CA210: #685.MSVBVM60(?,00473D9C,00411816), ref: 004CA313
Part of subcall function 004CA210: __vbaObjSet.MSVBVM60(?,00000000,?,00473D9C,00411816), ref: 004CA31E
Part of subcall function 004CA210: __vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004CA369
Part of subcall function 004CA210: __vbaFreeObj.MSVBVM60 ref: 004CA399

__vbaVar2Vec.MSVBVM60(?,?,?,00000000), ref: 004C7D29
__vbaAryMove.MSVBVM60(00000000,?), ref: 004C7D3A
__vbaFreeVar.MSVBVM60 ref: 004C7D43
#685.MSVBVM60 ref: 004C7D50
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C7D5B
__vbaFreeObj.MSVBVM60 ref: 004C7D7C
__vbaUbound.MSVBVM60(00000001,00000000), ref: 004C7D8F
#685.MSVBVM60 ref: 004C7DA5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C7DB0
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004C7DFB
__vbaFreeObj.MSVBVM60 ref: 004C7E2B
__vbaVarCopy.MSVBVM60 ref: 004C7E5F
__vbaRedim.MSVBVM60(00000080,00000001,00000000,00000011,00000001,00000000,00000000), ref: 004C7E7F
#685.MSVBVM60 ref: 004C7E8F
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C7E9A
__vbaFreeObj.MSVBVM60 ref: 004C7EBB
#685.MSVBVM60 ref: 004C7EC8
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C7ED3
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004C7F1E
__vbaFreeObj.MSVBVM60 ref: 004C7F4E
#685.MSVBVM60 ref: 004C7F6A
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C7F75
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000002C), ref: 004C7FBD
__vbaStrCat.MSVBVM60(?,Problems with CAPI: ), ref: 004C7FDE
__vbaStrMove.MSVBVM60 ref: 004C7FE9
__vbaFreeStrList.MSVBVM60(00000002,?,?,?), ref: 004C8002
__vbaFreeObj.MSVBVM60 ref: 004C800E
#685.MSVBVM60 ref: 004C801B
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C8026
__vbaFreeObj.MSVBVM60 ref: 004C8047
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004C805A
__vbaStrCopy.MSVBVM60 ref: 004C8071
__vbaFreeStr.MSVBVM60(?), ref: 004C8083
__vbaVarCopy.MSVBVM60 ref: 004C80AD
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004C80C0
__vbaStrCopy.MSVBVM60 ref: 004C80D5
__vbaFreeStr.MSVBVM60(?), ref: 004C80E7
#685.MSVBVM60 ref: 004C80F9
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C8104
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000002C), ref: 004C814C
__vbaStrCat.MSVBVM60(?,Couldnt fetch anything: ), ref: 004C816D
__vbaStrMove.MSVBVM60 ref: 004C8178
__vbaFreeStrList.MSVBVM60(00000002,?,?,?), ref: 004C8191
__vbaFreeObj.MSVBVM60 ref: 004C819D
__vbaVarCopy.MSVBVM60 ref: 004C81C7
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004C81DA
__vbaStrCopy.MSVBVM60 ref: 004C81F1
#685.MSVBVM60 ref: 004C81FE
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C8209
__vbaFreeObj.MSVBVM60 ref: 004C822A
__vbaAryDestruct.MSVBVM60(00000000,?,004C82DB), ref: 004C82A4
__vbaFreeVar.MSVBVM60 ref: 004C82AD
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004C82B9

Strings

4. Failed, xrefs: 004C56E1
WEBUser, xrefs: 004C62D0
going to fetch: , xrefs: 004C51F3
ResponseText: , xrefs: 004C6127
no-cache, xrefs: 004C5DE4, 004C5FE7, 004C66C0, 004C6C30, 004C716E
Third answer: , xrefs: 004C6CD8
http, xrefs: 004C5179
~, xrefs: 004C781A
Going finally to download, xrefs: 004C5819
BinaryStringToByteArray, xrefs: 004C74A2
3. Failed, xrefs: 004C55A9
CAPICOM.Utilities, xrefs: 004C742F
Response Text: , xrefs: 004C72CF
If-None-Match, xrefs: 004C5C8E, 004C5E91, 004C656A, 004C6ADA, 004C7018
Pragma, xrefs: 004C5DD0, 004C5FD3, 004C66AC, 004C6C1C, 004C715A
Response Body empty, xrefs: 004C7335, 004C8069
send, xrefs: 004C5E73, 004C6076, 004C674F, 004C6CBF, 004C7240
Couldnt fetch anything: , xrefs: 004C8164
responseBody, xrefs: 004C7363
Microsoft.XMLHTTP, xrefs: 004C539B
First Failed, xrefs: 004C5339
some-random-string, xrefs: 004C5CA2, 004C5EA5, 004C657E, 004C6AEE, 004C702C
Cache-Control, xrefs: 004C5D2F, 004C5F32, 004C660B, 004C6B7B, 004C70B9
2. Failed, xrefs: 004C5471
Second answer: , xrefs: 004C6768
https, xrefs: 004C592D
SetAutoLogonPolicy, xrefs: 004C5C75, 004C6551, 004C6AC1
Problems with CAPI: , xrefs: 004C7FD5
WinHttp.WinHttpRequest.5.1, xrefs: 004C560B
First answer: , xrefs: 004C608F
SetCredentials, xrefs: 004C5C17, 004C64F3, 004C6A63
Status, xrefs: 004C6096, 004C61EC, 004C676F, 004C67D7, 004C6CDF, 004C6D47
finished GetURL, xrefs: 004C80CD
....., xrefs: 004C6157
http://, xrefs: 004C51D0
setRequestHeader, xrefs: 004C5D16, 004C5DB7, 004C5E58, 004C5F19, 004C5FBA, 004C605B, 004C65F2, 004C6693, 004C6734, 004C6B62, 004C6C03, 004C6CA4, 004C70A0, 004C7141, 004C71E2
WEBpass, xrefs: 004C62EE
no-cache,max-age=0, xrefs: 004C5D43, 004C5F46, 004C661F, 004C6B8F, 004C70CD
Open, xrefs: 004C5AF3, 004C640F, 004C697F, 004C6FFF
MSXML2.ServerXMLHTTP, xrefs: 004C54D3, 004C6E01
WinHttp.WinHttpRequest, xrefs: 004C5263, 004C5743
GET, xrefs: 004C5A29, 004C6345, 004C68B5, 004C6EAF
responseText, xrefs: 004C60FE, 004C72A7
Option, xrefs: 004C58D4, 004C5A10

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Chkstk$CallLate$#685$Copy$Move$Error$BoundsGenerate$CheckHresultList$Addref$#617#716$Var2$Ubound$#518Destruct$Redim
String ID: .....$2. Failed$3. Failed$4. Failed$BinaryStringToByteArray$CAPICOM.Utilities$Cache-Control$Couldnt fetch anything: $First Failed$First answer: $GET$Going finally to download$If-None-Match$MSXML2.ServerXMLHTTP$Microsoft.XMLHTTP$Open$Option$Pragma$Problems with CAPI: $Response Body empty$Response Text: $ResponseText: $Second answer: $SetAutoLogonPolicy$SetCredentials$Status$Third answer: $WEBUser$WEBpass$WinHttp.WinHttpRequest$WinHttp.WinHttpRequest.5.1$finished GetURL$going to fetch: $http$http://$https$no-cache$no-cache,max-age=0$responseBody$responseText$send$setRequestHeader$some-random-string$~
API String ID: 2967018790-873753605
Opcode ID: e49fc00d2777c839704e27559e76bdb76555b5b02c5cbae913ceb393196c3bd5
Instruction ID: a4166873ffb9cce9754ed04abb86a683d9a70660b8c2eb06b651dc55454f42db
Opcode Fuzzy Hash: e49fc00d2777c839704e27559e76bdb76555b5b02c5cbae913ceb393196c3bd5
Instruction Fuzzy Hash: 9D63F674A00218DFDB54DFA4C988BDDBBB5FF48304F10C1AAE509AB2A1DB749A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 005130F0 Relevance: 145.7, APIs: 70, Strings: 13, Instructions: 478COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,00515C4A,WEBUser), ref: 0051310E
__vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00411816), ref: 0051313B
__vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00411816), ref: 0051314A
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 0051316F
__vbaStrCopy.MSVBVM60 ref: 005131A9

Part of subcall function 0051AEC0: __vbaChkstk.MSVBVM60(00000000,00411816,?), ref: 0051AEDE
Part of subcall function 0051AEC0: __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00411816,?), ref: 0051AF0B
Part of subcall function 0051AEC0: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00411816,?), ref: 0051AF1A
Part of subcall function 0051AEC0: __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00411816,?), ref: 0051AF2D
Part of subcall function 0051AEC0: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,00000000,00411816,?), ref: 0051AF45
Part of subcall function 0051AEC0: #685.MSVBVM60(?,00000000,00000000,00000000,00411816,?), ref: 0051AF70
Part of subcall function 0051AEC0: __vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,00000000,00411816,?), ref: 0051AF7B
Part of subcall function 0051AEC0: __vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,00411816,?), ref: 0051AF9C
Part of subcall function 0051AEC0: __vbaChkstk.MSVBVM60 ref: 0051AFC8
Part of subcall function 0051AEC0: __vbaChkstk.MSVBVM60 ref: 0051AFEB
Part of subcall function 0051AEC0: __vbaLateMemCallLd.MSVBVM60(?,00000000,scrmread,00000002), ref: 0051B01B
Part of subcall function 0051AEC0: __vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00411816,?), ref: 0051B025
Part of subcall function 0051AEC0: __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00411816,?), ref: 0051B031
Part of subcall function 0051AEC0: #685.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00411816,?), ref: 0051B03E
Part of subcall function 0051AEC0: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00411816,?), ref: 0051B049

__vbaStrMove.MSVBVM60(?), ref: 005131C4
__vbaStrCopy.MSVBVM60 ref: 005131DB
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 005131F9
__vbaStrCmp.MSVBVM60(00000000,00000000), ref: 00513210
__vbaStrCopy.MSVBVM60 ref: 00513232
#685.MSVBVM60 ref: 0051380A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00513815
__vbaFreeObj.MSVBVM60 ref: 00513836
__vbaFreeObj.MSVBVM60(00513893), ref: 00513883
__vbaFreeStr.MSVBVM60 ref: 0051388C

Strings

WaitingForSemaphore, xrefs: 00513646
get_PIN, xrefs: 005136D6
AloahaInter.SemaPhore, xrefs: 005132B0, 00513570
crypterkey, xrefs: 00513776
saverkey, xrefs: 00513759
PermanentCache, xrefs: 0051359F
*, xrefs: 00513803
key, xrefs: 00513742
cspkey, xrefs: 00513793
true, xrefs: 0051319F, 0051324B, 00513265
AloahaInter.dll, xrefs: 0051342E
aloaha\AloahaInter.dll, xrefs: 005134C9
J\Q, xrefs: 00513135

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Copy$Free$Chkstk$#685$Error$CallLateMove
String ID: *$AloahaInter.SemaPhore$AloahaInter.dll$J\Q$PermanentCache$WaitingForSemaphore$aloaha\AloahaInter.dll$crypterkey$cspkey$get_PIN$key$saverkey$true
API String ID: 635868966-1682404667
Opcode ID: 4effcf88229c56d175f70b0d8ea6cc2587eaa6fbf0b37200aa8d1c2e40efeeff
Instruction ID: 7b7c776a5e38135b2f859d6f1a6ed68aea7d87f58d87cc10409a646f1702d884
Opcode Fuzzy Hash: 4effcf88229c56d175f70b0d8ea6cc2587eaa6fbf0b37200aa8d1c2e40efeeff
Instruction Fuzzy Hash: C1224874A00219EFEB14DFA4DA48BDDBBB5FF48304F1081A9E506BB2A0DB749A45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0051BCC0 Relevance: 140.4, APIs: 77, Strings: 3, Instructions: 435COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816), ref: 0051BCDE
__vbaStrCopy.MSVBVM60(?,00000001,00000000,00000000,00411816), ref: 0051BD0B
__vbaStrCopy.MSVBVM60(?,00000001,00000000,00000000,00411816), ref: 0051BD17
__vbaStrCopy.MSVBVM60(?,00000001,00000000,00000000,00411816), ref: 0051BD23
__vbaOnError.MSVBVM60(000000FF,?,00000001,00000000,00000000,00411816), ref: 0051BD32
__vbaStrCat.MSVBVM60(?,ProcessLauncher: ,?,00000001,00000000,00000000,00411816), ref: 0051BD48
__vbaStrMove.MSVBVM60(?,00000001,00000000,00000000,00411816), ref: 0051BD53
__vbaStrCat.MSVBVM60( / ,00000000,?,00000001,00000000,00000000,00411816), ref: 0051BD5F
__vbaStrMove.MSVBVM60(?,00000001,00000000,00000000,00411816), ref: 0051BD6A
__vbaStrCat.MSVBVM60(00000001,00000000,?,00000001,00000000,00000000,00411816), ref: 0051BD75
__vbaStrMove.MSVBVM60(?,00000001,00000000,00000000,00411816), ref: 0051BD80
__vbaStrCat.MSVBVM60( / ,00000000,?,00000001,00000000,00000000,00411816), ref: 0051BD8C
__vbaStrMove.MSVBVM60(?,00000001,00000000,00000000,00411816), ref: 0051BD97
__vbaStrCat.MSVBVM60(?,00000000,?,00000001,00000000,00000000,00411816), ref: 0051BDA2
__vbaStrMove.MSVBVM60(?,00000001,00000000,00000000,00411816), ref: 0051BDAD
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?,?,?,00000001,00000000,00000000,00411816), ref: 0051BDD2
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 0051BDEB
#619.MSVBVM60(?,00004008,00000001), ref: 0051BE20
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0051BE45
__vbaFreeVar.MSVBVM60 ref: 0051BE55
__vbaStrCat.MSVBVM60(004775E8,?), ref: 0051BE76
__vbaStrMove.MSVBVM60 ref: 0051BE81
__vbaStrCopy.MSVBVM60 ref: 0051BE94
__vbaInStr.MSVBVM60(00000000,004775E8,?,00000001), ref: 0051BEAE
__vbaInStr.MSVBVM60(00000000,004775E8,00000001,00000001), ref: 0051BED0
#520.MSVBVM60(?,00004008), ref: 0051BF03
#520.MSVBVM60(?,00004008), ref: 0051BF27
__vbaVarAdd.MSVBVM60(?,?,?), ref: 0051BF39
__vbaStrVarMove.MSVBVM60(00000000), ref: 0051BF40
__vbaStrMove.MSVBVM60 ref: 0051BF4B
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0051BF5F
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 0051BF78
#685.MSVBVM60 ref: 0051BF8D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051BF98
__vbaFreeObj.MSVBVM60 ref: 0051BFB9
#520.MSVBVM60(?,00004008), ref: 0051BFE4
#645.MSVBVM60(?,00000000), ref: 0051BFF0
__vbaStrMove.MSVBVM60 ref: 0051BFFB
__vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 0051C007
__vbaFreeStr.MSVBVM60 ref: 0051C01F
__vbaFreeVar.MSVBVM60 ref: 0051C028
#685.MSVBVM60 ref: 0051C044
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051C04F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 0051C09A
__vbaFreeObj.MSVBVM60 ref: 0051C0CA
#608.MSVBVM60(?,00000022), ref: 0051C0EC
#608.MSVBVM60(?,00000022), ref: 0051C10B
__vbaVarAdd.MSVBVM60(?,00000008,?), ref: 0051C120
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0051C132
__vbaStrVarMove.MSVBVM60(00000000), ref: 0051C139
__vbaStrMove.MSVBVM60 ref: 0051C144
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0051C15F
__vbaStrCopy.MSVBVM60 ref: 0051C175
#619.MSVBVM60(?,00004008,00000001), ref: 0051C1A2
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0051C1C7
__vbaFreeVar.MSVBVM60 ref: 0051C1D7
__vbaStrCat.MSVBVM60(004775E8,?), ref: 0051C1F8
__vbaStrMove.MSVBVM60 ref: 0051C203
#520.MSVBVM60(?,00004008), ref: 0051C22E
__vbaStrToAnsi.MSVBVM60(?,?,00000001), ref: 0051C23E
__vbaStrVarVal.MSVBVM60(?,?,00000000), ref: 0051C24D
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 0051C258
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0051C267
__vbaStrToAnsi.MSVBVM60(?,Open,00000000), ref: 0051C277
__vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 0051C285
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0051C293
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0051C2A1
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0051C2BD
__vbaFreeVar.MSVBVM60 ref: 0051C2C9
#685.MSVBVM60 ref: 0051C2D6
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051C2E1
__vbaFreeObj.MSVBVM60 ref: 0051C302
__vbaFreeStr.MSVBVM60(0051C384), ref: 0051C359
__vbaFreeStr.MSVBVM60 ref: 0051C362
__vbaFreeStr.MSVBVM60 ref: 0051C36B
__vbaFreeStr.MSVBVM60 ref: 0051C374
__vbaFreeStr.MSVBVM60 ref: 0051C37D

Strings

ProcessLauncher: , xrefs: 0051BD3F
/ , xrefs: 0051BD5A, 0051BD87
Open, xrefs: 0051C26E

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Move$Copy$#520AnsiList$#685$#608#619ErrorUnicode$#645CheckChkstkHresultSystem
String ID: / $Open$ProcessLauncher:
API String ID: 3165597936-1551329386
Opcode ID: 75c55a53eb253768d63508f386c46e002dd07f94a17613cdd003531365e4af04
Instruction ID: ea1ef4a85e0d3025dede44734f6f56361c5ed3474ec5343de6e0325b700a71c5
Opcode Fuzzy Hash: 75c55a53eb253768d63508f386c46e002dd07f94a17613cdd003531365e4af04
Instruction Fuzzy Hash: D912D675900208EFEB14DFE0DE48BDEBBB8BF48701F1085A9E606B6560DB745A49CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004C9050 Relevance: 100.1, APIs: 49, Strings: 8, Instructions: 343COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,?,?,?,00411816), ref: 004C906E
__vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00411816), ref: 004C909E
__vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00411816), ref: 004C90B3
__vbaStrMove.MSVBVM60(?,00000000,00000000,00000000,00411816), ref: 004C90D8
__vbaStrMove.MSVBVM60(?,00000000,00000000,00000000,00411816), ref: 004C90F1
#685.MSVBVM60(?,00000000,00000000,00000000,00411816), ref: 004C90FE
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,00000000,00411816), ref: 004C9109
__vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,00411816), ref: 004C912A
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,00000000,00000000,00000000,00411816), ref: 004C9140
__vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00411816), ref: 004C915D
__vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00411816), ref: 004C916B
__vbaObjSet.MSVBVM60(00000000,00000000,CAPICOM.EncryptedData,00000000,?,?), ref: 004C9192
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004C91A2
#685.MSVBVM60(00000000,00000000,00411816), ref: 004C91B2
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C91BD
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004C91F0
__vbaFreeObj.MSVBVM60 ref: 004C921A
__vbaChkstk.MSVBVM60 ref: 004C9246

Part of subcall function 004C8C90: __vbaChkstk.MSVBVM60(00000000,00411816,004C90D3,?,00000000,00000000,00000000,00411816), ref: 004C8CAE
Part of subcall function 004C8C90: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00411816,004C90D3), ref: 004C8CDE
Part of subcall function 004C8C90: __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00411816,004C90D3), ref: 004C8CF3
Part of subcall function 004C8C90: __vbaStrCat.MSVBVM60(MIIC3AYJKwYBBAGCN1gDoIICzTCCAskGCisGAQQBgjdYAwGgggK5MIICtQIDAgAB,00000000,?,00000000,00000000,00000000,00411816,004C90D3), ref: 004C8D09
Part of subcall function 004C8C90: __vbaStrMove.MSVBVM60(?,00000000,00000000,00000000,00411816,004C90D3), ref: 004C8D14
Part of subcall function 004C8C90: __vbaStrCat.MSVBVM60(AgJoAQICAIAEAAQQeVSZOWEBLf6wbkOKaXH3mASCApDl+CWmeiJz7v3rqgTPuzdU,00000000,?,00000000,00000000,00000000,00411816,004C90D3), ref: 004C8D2A
Part of subcall function 004C8C90: __vbaStrMove.MSVBVM60(?,00000000,00000000,00000000,00411816,004C90D3), ref: 004C8D35
Part of subcall function 004C8C90: __vbaStrCat.MSVBVM60(gI3dOWF1kcvcBmkkeMTmztgai9JdDKoz6XD/ydsKhFSuOqLUolyz8yxwpwfjLBbZ,00000000,?,00000000,00000000,00000000,00411816,004C90D3), ref: 004C8D4B
Part of subcall function 004C8C90: __vbaStrMove.MSVBVM60(?,00000000,00000000,00000000,00411816,004C90D3), ref: 004C8D56
Part of subcall function 004C8C90: __vbaStrCat.MSVBVM60(oLKO85GUdQDMQbKZFEhGu2bjB1J3PjI3VlK1c+b+mtDLuga0SMZ1peGEGvQZlj5t,00000000,?,00000000,00000000,00000000,00411816,004C90D3), ref: 004C8D6C
Part of subcall function 004C8C90: __vbaStrMove.MSVBVM60(?,00000000,00000000,00000000,00411816,004C90D3), ref: 004C8D77
Part of subcall function 004C8C90: __vbaStrCat.MSVBVM60(jdvHBwuI8WSP+MHAFIEoUklWOvM3yDR+DmbxoMyp+v04daNl7aKZL08na7VVTWAS,00000000,?,00000000,00000000,00000000,00411816,004C90D3), ref: 004C8D8D
Part of subcall function 004C8C90: __vbaStrMove.MSVBVM60(?,00000000,00000000,00000000,00411816,004C90D3), ref: 004C8D98
Part of subcall function 004C8C90: __vbaStrCat.MSVBVM60(yzD+Y7dDIiWbQf5FYjKijsF5xz7hNGIcZw/j60PjXsFVBv/uw7ZlkNiyrOFJuwy6,00000000,?,00000000,00000000,00000000,00411816,004C90D3), ref: 004C8DAE
Part of subcall function 004C8C90: __vbaStrMove.MSVBVM60(?,00000000,00000000,00000000,00411816,004C90D3), ref: 004C8DB9
Part of subcall function 004C8C90: __vbaStrCat.MSVBVM60(fOlLZ7qpxbe1PVaB4CW00eBkRk2B2OPyCYVJ8W1k/Z56XDF3yBGxW8mZmjE0mJu7,00000000,?,00000000,00000000,00000000,00411816,004C90D3), ref: 004C8DCF
Part of subcall function 004C8C90: __vbaStrMove.MSVBVM60(?,00000000,00000000,00000000,00411816,004C90D3), ref: 004C8DDA
Part of subcall function 004C8C90: __vbaStrCat.MSVBVM60(1pTrk2f6I8fFRaHt+a2Nt6Io38v25dx8kfKi9BN2juGslJ86SSGuhmQOKrKK3XLi,00000000,?,00000000,00000000,00000000,00411816,004C90D3), ref: 004C8DF0
Part of subcall function 004C8C90: __vbaStrMove.MSVBVM60(?,00000000,00000000,00000000,00411816,004C90D3), ref: 004C8DFB
Part of subcall function 004C8C90: __vbaStrCat.MSVBVM60(0AQEildJ4rguV8NTVRF09JHDJUcHrrWkY4k+5r1of4CI7PMIbS3gjh48+tpkwaFf,00000000,?,00000000,00000000,00000000,00411816,004C90D3), ref: 004C8E11
Part of subcall function 004C8C90: __vbaStrMove.MSVBVM60(?,00000000,00000000,00000000,00411816,004C90D3), ref: 004C8E1C

__vbaLateMemSt.MSVBVM60(?,Algorithm), ref: 004C926D
__vbaChkstk.MSVBVM60 ref: 004C928D
__vbaLateMemCallLd.MSVBVM60(?,?,Algorithm,00000000,KeyLength), ref: 004C92BF
__vbaVarLateMemSt.MSVBVM60(00000000), ref: 004C92C9
__vbaFreeVar.MSVBVM60 ref: 004C92D2
__vbaChkstk.MSVBVM60 ref: 004C92F2
__vbaLateMemCallLd.MSVBVM60(?,?,Algorithm,00000000,Name), ref: 004C9324
__vbaVarLateMemSt.MSVBVM60(00000000), ref: 004C932E
__vbaFreeVar.MSVBVM60 ref: 004C9337
__vbaChkstk.MSVBVM60 ref: 004C9357
__vbaLateMemCall.MSVBVM60(?,SetSecret,00000001), ref: 004C9380
__vbaChkstk.MSVBVM60 ref: 004C93A2
__vbaLateMemCall.MSVBVM60(?,decrypt,00000001), ref: 004C93CB
__vbaLateMemCallLd.MSVBVM60(?,?,Content,00000000), ref: 004C93EA
__vbaStrVarMove.MSVBVM60(00000000), ref: 004C93F4
__vbaStrMove.MSVBVM60 ref: 004C93FF
__vbaFreeVar.MSVBVM60 ref: 004C9408
#685.MSVBVM60 ref: 004C9415
__vbaObjSet.MSVBVM60(?,00000000), ref: 004C9420
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004C9453
__vbaR8Str.MSVBVM60(?), ref: 004C946F
__vbaFreeObj.MSVBVM60 ref: 004C94B5
__vbaStrCopy.MSVBVM60 ref: 004C94D0
__vbaStrCopy.MSVBVM60 ref: 004C94E5
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004C94F8
__vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00411816), ref: 004C950D
#685.MSVBVM60(?,00000000,00000000,00000000,00411816), ref: 004C951A
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,00000000,00411816), ref: 004C9525
__vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,00411816), ref: 004C9546
__vbaFreeStr.MSVBVM60(004C95A0,?,00000000,00000000,00000000,00411816), ref: 004C9590
__vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,00411816), ref: 004C9599

Strings

NielsPhillip, xrefs: 004C9344
Algorithm, xrefs: 004C9264, 004C92B2, 004C9317
Name, xrefs: 004C9310
CAPICOM.EncryptedData, xrefs: 004C9183
Content, xrefs: 004C93DD
KeyLength, xrefs: 004C92AB
SetSecret, xrefs: 004C9377
decrypt, xrefs: 004C93C2

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Move$Free$Late$ChkstkCopy$Call$#685$CheckErrorHresult$AddrefList
String ID: Algorithm$CAPICOM.EncryptedData$Content$KeyLength$Name$NielsPhillip$SetSecret$decrypt
API String ID: 3820706982-1097305013
Opcode ID: 645484c6b9f22cc4740680d799325c8672a2e0a668149622b0a923d6af68f687
Instruction ID: ef41ada4d9597a34c7aa585e7105d985f75176a0e485b540f55a5a5b4d540d74
Opcode Fuzzy Hash: 645484c6b9f22cc4740680d799325c8672a2e0a668149622b0a923d6af68f687
Instruction Fuzzy Hash: C3F10675900208EFDB14DFA4DA48BDDBBB4FF48305F208169E506BB2A1DBB89A45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0050A800 Relevance: 89.6, APIs: 46, Strings: 5, Instructions: 305COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816), ref: 0050A81E
__vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00411816), ref: 0050A84E
#685.MSVBVM60(?,00000000), ref: 0050A868
__vbaObjSet.MSVBVM60(00000000,00000000,?,00000000), ref: 0050A873
__vbaFreeObj.MSVBVM60(?,00000000), ref: 0050A88B
__vbaLenBstr.MSVBVM60(?,?,00000000), ref: 0050A89E
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,?,00000000), ref: 0050A8B6
__vbaStrCat.MSVBVM60(?,callit: ,?,?,00000000), ref: 0050A8DE
__vbaStrMove.MSVBVM60(?,callit: ,?,?,00000000), ref: 0050A8E9
__vbaFreeStr.MSVBVM60(?,?,callit: ,?,?,00000000), ref: 0050A8FB
#685.MSVBVM60(?,callit: ,?,?,00000000), ref: 0050A908
__vbaObjSet.MSVBVM60(?,00000000,?,callit: ,?,?,00000000), ref: 0050A913
__vbaFreeObj.MSVBVM60(?,callit: ,?,?,00000000), ref: 0050A934
__vbaChkstk.MSVBVM60 ref: 0050A961
__vbaLateMemCallLd.MSVBVM60(?,00000000,Run,00000001), ref: 0050A990
__vbaI4Var.MSVBVM60(00000000), ref: 0050A99A
__vbaFreeVar.MSVBVM60 ref: 0050A9A6
#685.MSVBVM60 ref: 0050A9B3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0050A9BE
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 0050A9F1
__vbaFreeObj.MSVBVM60 ref: 0050AA1B
__vbaObjSetAddref.MSVBVM60(0054D4D0,00000000), ref: 0050AA3B
__vbaStrCopy.MSVBVM60 ref: 0050AA50
__vbaFreeStr.MSVBVM60(?), ref: 0050AA62
#685.MSVBVM60 ref: 0050AA6F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0050AA7A
__vbaFreeObj.MSVBVM60 ref: 0050AA9B
#716.MSVBVM60(?,WScript.Shell,00000000), ref: 0050AAB3
__vbaObjVar.MSVBVM60(?), ref: 0050AABD
__vbaObjSetAddref.MSVBVM60(0054D4D0,00000000), ref: 0050AAC9
__vbaFreeVar.MSVBVM60 ref: 0050AAD2
__vbaChkstk.MSVBVM60 ref: 0050AAFF
__vbaLateMemCallLd.MSVBVM60(?,00000000,Run,00000001), ref: 0050AB2F
__vbaI4Var.MSVBVM60(00000000), ref: 0050AB39
__vbaFreeVar.MSVBVM60 ref: 0050AB45
#685.MSVBVM60 ref: 0050AB52
__vbaObjSet.MSVBVM60(?,00000000), ref: 0050AB5D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 0050AB90
__vbaFreeObj.MSVBVM60 ref: 0050ABBA
#600.MSVBVM60(00004008,00000001), ref: 0050ABE2
__vbaStrCat.MSVBVM60(00000000,Callit is false, but tried shell command: ), ref: 0050ABFD
__vbaStrMove.MSVBVM60 ref: 0050AC08
__vbaFreeStr.MSVBVM60(?), ref: 0050AC1A
#685.MSVBVM60(?,?,00000000), ref: 0050AC43
__vbaObjSet.MSVBVM60(?,00000000,?,?,00000000), ref: 0050AC4E
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 0050AC6F

Strings

Run, xrefs: 0050A981, 0050AB1F
ObjShell could not start, xrefs: 0050AA48
Callit is false, but tried shell command: , xrefs: 0050ABF2
callit: , xrefs: 0050A8D3
WScript.Shell, xrefs: 0050AAAA

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$#685$Chkstk$AddrefCallCheckHresultLateMove$#600#716BstrCopyError
String ID: Callit is false, but tried shell command: $ObjShell could not start$Run$WScript.Shell$callit:
API String ID: 3526936777-3259931088
Opcode ID: f39e765a6d917249ecb25ba914de0c7cb0e52ee16edd29a20d4aa4c39b5405df
Instruction ID: 738eb606141f0ae1670b20015f8f260ee3fd127e8a741ef7ab524e01c47d64be
Opcode Fuzzy Hash: f39e765a6d917249ecb25ba914de0c7cb0e52ee16edd29a20d4aa4c39b5405df
Instruction Fuzzy Hash: BFD114B5900308EFDB04DFA4DA88BDDBBB4FF48705F108569E506BB2A0DB749A49CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0051D000 Relevance: 65.0, APIs: 33, Strings: 4, Instructions: 214COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00411816,?,?,?,?,00000000,00411816), ref: 0051D01E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 0051D04E
__vbaStrCmp.MSVBVM60(true,0077F45C,?,?,?,?,00411816), ref: 0051D066
__vbaStrCopy.MSVBVM60(?,?,?,?,00411816), ref: 0051D093
__vbaStrCopy.MSVBVM60 ref: 0051D319
#685.MSVBVM60 ref: 0051D326
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0051D331
__vbaFreeObj.MSVBVM60 ref: 0051D352
__vbaFreeStr.MSVBVM60(0051D393), ref: 0051D383
__vbaFreeStr.MSVBVM60 ref: 0051D38C

Strings

true, xrefs: 0051D061, 0051D089, 0051D15D, 0051D18E, 0051D200, 0051D21D, 0051D2BF, 0051D2DD
&, xrefs: 0051D31F
lsass, xrefs: 0051D147, 0051D1C2
lsass.exe, xrefs: 0051D178

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Copy$#685ChkstkError
String ID: &$lsass$lsass.exe$true
API String ID: 1101828390-3999059111
Opcode ID: ae07d415715089976d9f77baadf9b76b40ae6dcf89cae4c95cadedc57f15a196
Instruction ID: 6d2f597387584afad4bd1751348410e65c0fb36b0c92df7013818375d9a0f238
Opcode Fuzzy Hash: ae07d415715089976d9f77baadf9b76b40ae6dcf89cae4c95cadedc57f15a196
Instruction Fuzzy Hash: 3E912C75900208DFEB14DFD0DE48BEDBBB8FB48704F108469E505B72A0DBB45A49DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00509000 Relevance: 58.0, APIs: 28, Strings: 5, Instructions: 226COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,00411816), ref: 0050901E
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816), ref: 0050904E
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 0050907A
__vbaStrCat.MSVBVM60(INSTALLDIR,HKLM\Software\Aloaha\pdf\), ref: 00509098
__vbaStrMove.MSVBVM60 ref: 005090A3
__vbaVarMove.MSVBVM60(?), ref: 005090C2
__vbaFreeStr.MSVBVM60 ref: 005090CB
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 005090F7
__vbaNew2.MSVBVM60(00477E14,0054ED28), ref: 00509122
__vbaHresultCheckObj.MSVBVM60(00000000,?,00477E04,00000014), ref: 00509188
__vbaHresultCheckObj.MSVBVM60(00000000,?,0047A994,00000050), ref: 005091E5
__vbaVarMove.MSVBVM60 ref: 00509223
__vbaFreeObj.MSVBVM60 ref: 0050922C
#619.MSVBVM60(?,?,00000001), ref: 00509243
#619.MSVBVM60(?,?,00000004), ref: 00509267
__vbaVarCmpNe.MSVBVM60(?,00008008,?), ref: 00509290
__vbaVarCmpNe.MSVBVM60(?,00008008,?,00000000), ref: 005092A6
__vbaVarAnd.MSVBVM60(?,00000000), ref: 005092B4
__vbaBoolVarNull.MSVBVM60(00000000), ref: 005092BB
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005092D2
__vbaVarAdd.MSVBVM60(?,00000008,?), ref: 00509310
__vbaVarMove.MSVBVM60 ref: 0050931B
#619.MSVBVM60(?,?,00000004,?,00000000,00411816), ref: 00509332
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 00509357
__vbaFreeVar.MSVBVM60 ref: 00509367
__vbaVarAdd.MSVBVM60(?,00000008,?), ref: 005093A2
__vbaVarMove.MSVBVM60 ref: 005093AD
__vbaFreeVar.MSVBVM60(005093F9), ref: 005093F2

Strings

aloaha.ini, xrefs: 0050937F
HKLM\Software\Aloaha\pdf\, xrefs: 0050908E
INSTALLDIR, xrefs: 00509093
(T, xrefs: 0050913E
.ini, xrefs: 0050926D, 00509338

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$FreeMove$#619$CheckHresult$BoolChkstkErrorListNew2Null
String ID: (T$.ini$HKLM\Software\Aloaha\pdf\$INSTALLDIR$aloaha.ini
API String ID: 1677252627-4150857336
Opcode ID: 6a318e11e4d4fe1add5308877a476dc4cd8a147e759e6ee30b20991bdd73af6b
Instruction ID: 050aa982c7ff0609d2b4a7bcd2d69300489016b9d7f04e0556b4172e589369ca
Opcode Fuzzy Hash: 6a318e11e4d4fe1add5308877a476dc4cd8a147e759e6ee30b20991bdd73af6b
Instruction Fuzzy Hash: 4FB139B5900218EFDB14DFA0DD48BDEBBB4BF44304F1085AAE509B72A0DB745A88CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00531C50 Relevance: 57.2, APIs: 38, Instructions: 215COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816), ref: 00531C6E
__vbaFixstrConstruct.MSVBVM60(000000FF,00000000,6D62D8B1,00000000,6D62D8CD,00000000,00411816), ref: 00531C9E
__vbaOnError.MSVBVM60(000000FF), ref: 00531CAD
__vbaStrToAnsi.MSVBVM60(?,?), ref: 00531CC2
__vbaLenBstr.MSVBVM60(?,00000000), ref: 00531CCD
__vbaSetSystemError.MSVBVM60(00000000), ref: 00531CDF
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00531CED
__vbaLsetFixstr.MSVBVM60(00000000,?,00000000), ref: 00531CFA
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00531D13
#608.MSVBVM60(?,00000000), ref: 00531D3C
__vbaInStrVar.MSVBVM60(?,00000000,?,00000008,00000001), ref: 00531D69
__vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 00531D77
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00531D8E
#608.MSVBVM60(?,00000000), ref: 00531DB3
__vbaStrCopy.MSVBVM60(?,000000FF,00000000), ref: 00531DDB
#711.MSVBVM60(?,00000000), ref: 00531DE6
__vbaLsetFixstr.MSVBVM60(00000000,?,?), ref: 00531DF6
__vbaChkstk.MSVBVM60 ref: 00531E01
__vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 00531E39
#520.MSVBVM60(?,00000000), ref: 00531E47
__vbaAryUnlock.MSVBVM60(?), ref: 00531E51
__vbaStrVarMove.MSVBVM60(?), ref: 00531E5B
__vbaStrMove.MSVBVM60 ref: 00531E66
__vbaFreeStr.MSVBVM60 ref: 00531E6F
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00531E87
__vbaStrCopy.MSVBVM60 ref: 00531E9F
#520.MSVBVM60(?,00004008), ref: 00531EC3
__vbaLsetFixstr.MSVBVM60(00000000,?,?), ref: 00531ED3
__vbaStrVarMove.MSVBVM60(?), ref: 00531EDD
__vbaStrMove.MSVBVM60 ref: 00531EE8
__vbaFreeStr.MSVBVM60 ref: 00531EF1
__vbaFreeVar.MSVBVM60 ref: 00531EFA
__vbaStrCopy.MSVBVM60 ref: 00531F0D
#685.MSVBVM60 ref: 00531F1A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00531F25
__vbaFreeObj.MSVBVM60 ref: 00531F46
__vbaFreeStr.MSVBVM60(00531FBB), ref: 00531FAB
__vbaFreeStr.MSVBVM60 ref: 00531FB4

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$FixstrMove$CopyListLset$#520#608ChkstkError$#685#711AnsiBstrConstructIndexLoadLockSystemUnicodeUnlock
String ID:
API String ID: 756034873-0
Opcode ID: 123a9a798778a9c848f65578d24586875c36710e388746084d18dafff5c7861c
Instruction ID: cc4f320992b8934d00039fb8c0b3d1baa3e3d7c8fd715a6b6546f38c3e8b2e0b
Opcode Fuzzy Hash: 123a9a798778a9c848f65578d24586875c36710e388746084d18dafff5c7861c
Instruction Fuzzy Hash: 38A1D675900218EFDB04DFA0DD48BEEBB78BB48705F148169F606B72A0DB745A88CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004D0440 Relevance: 54.4, APIs: 30, Strings: 1, Instructions: 198COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,?,004A735F,?,any,noreader,?), ref: 004D045E
__vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 004D048B
__vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 004D0497
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816), ref: 004D04A6
#520.MSVBVM60(?,00004008), ref: 004D04ED
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004D0510
__vbaVarCmpNe.MSVBVM60(?,00008008,?,0000000B), ref: 004D0545
__vbaVarAnd.MSVBVM60(?,00000000), ref: 004D0550
__vbaVarAnd.MSVBVM60(?,0000000B,00000000), ref: 004D0562
__vbaBoolVarNull.MSVBVM60(00000000), ref: 004D0569
__vbaFreeVarList.MSVBVM60(00000003,?,0000000B,0000000B), ref: 004D058A
#608.MSVBVM60(?,00000000,?,?,00000000,00411816), ref: 004D05BB
#608.MSVBVM60(?,00000000,?,?,00000000,00411816), ref: 004D05CA
__vbaStrI4.MSVBVM60(000000FF,doaction:,?,?,00000000,00411816), ref: 004D05D9
__vbaStrMove.MSVBVM60(?,?,00000000,00411816), ref: 004D05E4
__vbaStrCat.MSVBVM60(00000000,?,?,00000000,00411816), ref: 004D05EB
__vbaVarAdd.MSVBVM60(?,?,00000008,00405FA8), ref: 004D0631
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 004D0643
__vbaVarAdd.MSVBVM60(?,?,00000000), ref: 004D0658
__vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 004D066D
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 004D0678

Part of subcall function 004D22A0: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,?,?,?,00000000,00411816), ref: 004D22BE
Part of subcall function 004D22A0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 004D22EB
Part of subcall function 004D22A0: __vbaAryConstruct2.MSVBVM60(?,004842F4,00000011,?,?,?,00000000,00411816), ref: 004D22FC
Part of subcall function 004D22A0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816), ref: 004D230B
Part of subcall function 004D22A0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816), ref: 004D232C
Part of subcall function 004D22A0: __vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,00000000,00411816), ref: 004D2344
Part of subcall function 004D22A0: __vbaInStr.MSVBVM60(00000000,004775E8,?,00000001,?,?,?,?,00000000,00411816), ref: 004D2364
Part of subcall function 004D22A0: __vbaStrCopy.MSVBVM60(?,00000001,?,?,?,?,00000000,00411816), ref: 004D237D
Part of subcall function 004D22A0: __vbaStrCopy.MSVBVM60(?,?,?,?,00000000,00411816), ref: 004D2392
Part of subcall function 004D22A0: __vbaLenBstr.MSVBVM60(?,?,?,?,?,00000000,00411816), ref: 004D23A3
Part of subcall function 004D22A0: __vbaStrCopy.MSVBVM60(?,?,?,?,00000000,00411816), ref: 004D23C0
Part of subcall function 004D22A0: __vbaStrMove.MSVBVM60(?,?,encrypted:,?,?,?,?,00000000,00411816), ref: 004D23DD
Part of subcall function 004D22A0: __vbaStrCat.MSVBVM60(00000000,?,?,?,?,00000000,00411816), ref: 004D23E4
Part of subcall function 004D22A0: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00411816), ref: 004D23EF
Part of subcall function 004D22A0: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,00000000,00411816), ref: 004D23FF
Part of subcall function 004D22A0: __vbaInStr.MSVBVM60(00000000,0047C158,?,00000001,?,00000000,00411816), ref: 004D241C

__vbaStrMove.MSVBVM60(00000000), ref: 004D0689
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004D0699
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00411816), ref: 004D06C9
#685.MSVBVM60(?,?,00000000,00411816), ref: 004D06D9
__vbaObjSet.MSVBVM60(?,00000000,?,?,00000000,00411816), ref: 004D06E4
__vbaFreeObj.MSVBVM60(?,?,00000000,00411816), ref: 004D0705
__vbaFreeStr.MSVBVM60(004D077B,?,?,00000000,00411816), ref: 004D0762
__vbaFreeStr.MSVBVM60(?,?,00000000,00411816), ref: 004D076B
__vbaFreeStr.MSVBVM60(?,?,00000000,00411816), ref: 004D0774

Strings

doaction:, xrefs: 004D05D0

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Copy$ListMove$#608ChkstkError$#520#685BoolBstrConstruct2Null
String ID: doaction:
API String ID: 616430837-2036965812
Opcode ID: dbfc6afe6ebab783b0244b79ca1a756d679931389d9a504d6005458c7ad58177
Instruction ID: b4d46bb93231143491e5caf5841957a6ddfbac34f7da2882b7b2ef3f5df3c879
Opcode Fuzzy Hash: dbfc6afe6ebab783b0244b79ca1a756d679931389d9a504d6005458c7ad58177
Instruction Fuzzy Hash: BF91DCB6800258ABDB15DFA0DD48FDEBB78BF48701F10859AF50AB7160DB745A88CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004E68D0 Relevance: 54.4, APIs: 28, Strings: 3, Instructions: 159COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00411816,?,?,?,004B93A3,?,?), ref: 004E68EE
__vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00411816), ref: 004E691B
__vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00411816), ref: 004E692A
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,00000000,00000000,?,00411816), ref: 004E6940
__vbaStrMove.MSVBVM60(?,00000000,00000000,?,00411816), ref: 004E695F
__vbaStrCat.MSVBVM60(:UoDC,00000000,?,00000000,00000000,?,00411816), ref: 004E696B
__vbaStrMove.MSVBVM60(?,00000000,00000000,?,00411816), ref: 004E6976
__vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00411816), ref: 004E6984
__vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00411816), ref: 004E6992

Part of subcall function 00506210: __vbaChkstk.MSVBVM60(?,00411816,?,005309BD,?,?,?,?,?,00000000,?,00000000,00411816), ref: 0050622E
Part of subcall function 00506210: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00411816), ref: 0050625E
Part of subcall function 00506210: #619.MSVBVM60(?,00004008,00000001), ref: 0050628B
Part of subcall function 00506210: #608.MSVBVM60(?,00000022), ref: 00506297
Part of subcall function 00506210: #617.MSVBVM60(?,00004008,00000001), ref: 005062C0
Part of subcall function 00506210: #608.MSVBVM60(?,00000022), ref: 005062CF
Part of subcall function 00506210: __vbaVarCmpEq.MSVBVM60(?,?,?), ref: 005062E4
Part of subcall function 00506210: __vbaVarCmpEq.MSVBVM60(?,?,?,00000000), ref: 00506300
Part of subcall function 00506210: __vbaVarAnd.MSVBVM60(?,00000000), ref: 0050630E
Part of subcall function 00506210: __vbaBoolVarNull.MSVBVM60(00000000), ref: 00506315
Part of subcall function 00506210: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0050633A
Part of subcall function 00506210: __vbaStrCopy.MSVBVM60(?,00000000,?,?,00411816), ref: 0050635D
Part of subcall function 00506210: #619.MSVBVM60(?,00004008,00000001), ref: 005063D5

__vbaStrMove.MSVBVM60(?,00000000,?,?,?,00000000,00000000,?,00411816), ref: 004E69B2
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000000,00000000,?,00411816), ref: 004E69CA
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004E69E3
__vbaStrCat.MSVBVM60(?,providerIsUC:), ref: 004E6A07
__vbaStrMove.MSVBVM60 ref: 004E6A12

Part of subcall function 004E6B60: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,004E6A1E,00000000), ref: 004E6B7E
Part of subcall function 004E6B60: __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00411816), ref: 004E6BAB
Part of subcall function 004E6B60: __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00411816), ref: 004E6BB7
Part of subcall function 004E6B60: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00411816), ref: 004E6BC6
Part of subcall function 004E6B60: #518.MSVBVM60(?,00004008), ref: 004E6BF4
Part of subcall function 004E6B60: __vbaVarDup.MSVBVM60 ref: 004E6C1A
Part of subcall function 004E6B60: #518.MSVBVM60(?,?), ref: 004E6C2E
Part of subcall function 004E6B60: __vbaInStrVar.MSVBVM60(?,00000000,?,?,00000001), ref: 004E6C61
Part of subcall function 004E6B60: __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 004E6C6F
Part of subcall function 004E6B60: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004E6C9A
Part of subcall function 004E6B60: __vbaLenBstr.MSVBVM60(?), ref: 004E6CD0
Part of subcall function 004E6B60: __vbaInStr.MSVBVM60(00000000,00477EEC,?,00000001), ref: 004E6CE5
Part of subcall function 004E6B60: #619.MSVBVM60(?,00004008,00000000), ref: 004E6D02
Part of subcall function 004E6B60: __vbaStrVarMove.MSVBVM60(?), ref: 004E6D0F

__vbaStrMove.MSVBVM60(00000000), ref: 004E6A23
__vbaFreeStr.MSVBVM60 ref: 004E6A2C
__vbaStrCmp.MSVBVM60(00473D9C,?), ref: 004E6A42

Part of subcall function 0051C3A0: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 0051C43A
Part of subcall function 0051C3A0: #520.MSVBVM60(?,00000008), ref: 0051C45B
Part of subcall function 0051C3A0: __vbaStrVarMove.MSVBVM60(?), ref: 0051C465
Part of subcall function 0051C3A0: __vbaStrMove.MSVBVM60 ref: 0051C470
Part of subcall function 0051C3A0: __vbaFreeStr.MSVBVM60 ref: 0051C479
Part of subcall function 0051C3A0: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0051C489
Part of subcall function 0051C3A0: __vbaStrCopy.MSVBVM60(?,00000000,00411816), ref: 0051C4A1
Part of subcall function 0051C3A0: #520.MSVBVM60(?,00000008), ref: 0051C4C2
Part of subcall function 0051C3A0: __vbaStrVarMove.MSVBVM60(?), ref: 0051C4CC
Part of subcall function 0051C3A0: __vbaStrMove.MSVBVM60 ref: 0051C4D7
Part of subcall function 0051C3A0: __vbaFreeStr.MSVBVM60 ref: 0051C4E0
Part of subcall function 0051C3A0: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0051C4F0
Part of subcall function 0051C3A0: #685.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051C500
Part of subcall function 0051C3A0: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000,00411816), ref: 0051C50B
Part of subcall function 0051C3A0: __vbaFreeObj.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051C52C
Part of subcall function 0051C3A0: __vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,?,00000000,00411816), ref: 0051C542
Part of subcall function 0051C3A0: #645.MSVBVM60(00004008,00000000), ref: 0051C573
Part of subcall function 0051C3A0: __vbaStrMove.MSVBVM60 ref: 0051C57E
Part of subcall function 0051C3A0: __vbaStrCmp.MSVBVM60(00473D9C,00000000), ref: 0051C58A
Part of subcall function 0051C3A0: __vbaFreeStr.MSVBVM60 ref: 0051C5A2

__vbaStrMove.MSVBVM60 ref: 004E6A5D
__vbaStrCat.MSVBVM60(:UoDC,00000000), ref: 004E6A69
__vbaStrMove.MSVBVM60 ref: 004E6A74
__vbaStrCopy.MSVBVM60 ref: 004E6A82
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?), ref: 004E6AAB
__vbaStrCopy.MSVBVM60 ref: 004E6AC1
#685.MSVBVM60(?,00000000,00000000,?,00411816), ref: 004E6ACE
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,?,00411816), ref: 004E6AD9
__vbaFreeObj.MSVBVM60(?,00000000,00000000,?,00411816), ref: 004E6AF1
__vbaFreeStr.MSVBVM60(004E6B49,?,00000000,00000000,?,00411816), ref: 004E6B39
__vbaFreeStr.MSVBVM60(?,00000000,00000000,?,00411816), ref: 004E6B42

Part of subcall function 0051C3A0: __vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,00530973,?,00000000,?,00000000,00411816), ref: 0051C3BE
Part of subcall function 0051C3A0: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00411816), ref: 0051C3EE
Part of subcall function 0051C3A0: __vbaStrCmp.MSVBVM60(00473D9C,00773364,?,00000000,?,00000000,00411816), ref: 0051C406
Part of subcall function 0051C3A0: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 0051C420
Part of subcall function 0051C3A0: #685.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CE34
Part of subcall function 0051C3A0: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000,00411816), ref: 0051CE3F
Part of subcall function 0051C3A0: __vbaFreeObj.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CE60
Part of subcall function 0051C3A0: __vbaFreeStr.MSVBVM60(0051CED1,?,?,?,?,00000000,00411816), ref: 0051CEB8
Part of subcall function 0051C3A0: __vbaFreeStr.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CEC1
Part of subcall function 0051C3A0: __vbaFreeStr.MSVBVM60(?,?,?,?,00000000,00411816), ref: 0051CECA

Strings

providerIsUC:, xrefs: 004E69FE
:UoDC, xrefs: 004E6966, 004E6A64
UserOfDefaultCertificate, xrefs: 004E698A, 004E6A7A

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$Move$Copy$List$ChkstkError$#619#685$#518#520#608$#617#645BoolBstrNull
String ID: :UoDC$UserOfDefaultCertificate$providerIsUC:
API String ID: 489622813-529920552
Opcode ID: 63c587997eff896dfe65c236d24bd43c2da25a44fe23c3e9faa15ed3ddd9f221
Instruction ID: b5bef91a7f567028a9733b66d1873b389a38bdb1aa5a2c0a064aaacb6db0d97d
Opcode Fuzzy Hash: 63c587997eff896dfe65c236d24bd43c2da25a44fe23c3e9faa15ed3ddd9f221
Instruction Fuzzy Hash: B9610971900249EFDB04EFE4DE48ADEBB78EF48705F108169F502B76A0DB746A09CB64

Uniqueness

Uniqueness Score: -1.00%

Function 005208D0 Relevance: 54.4, APIs: 30, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,00545E5D), ref: 005208EE
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816,00545E5D), ref: 0052091E
__vbaSetSystemError.MSVBVM60(?,?,?,00000000,00411816,00545E5D), ref: 00520933
__vbaSetSystemError.MSVBVM60(?,?,?,?,?,00000000,00411816,00545E5D), ref: 00520953
__vbaStrI4.MSVBVM60(?,?,?,?,00000000,00411816,00545E5D), ref: 00520964
__vbaStrMove.MSVBVM60(?,?,?,00000000,00411816,00545E5D), ref: 0052096F
__vbaStrCat.MSVBVM60(004787B4,00000000,?,?,?,00000000,00411816,00545E5D), ref: 0052097B
__vbaStrMove.MSVBVM60(?,?,?,00000000,00411816,00545E5D), ref: 00520986
__vbaFreeStr.MSVBVM60(?,?,?,00000000,00411816,00545E5D), ref: 0052098F
__vbaStrI4.MSVBVM60(?,?,?,?,?,00000000,00411816,00545E5D), ref: 005209A4
__vbaStrMove.MSVBVM60(?,?,?,00000000,00411816,00545E5D), ref: 005209AF
__vbaStrCat.MSVBVM60(00000000,?,?,?,00000000,00411816,00545E5D), ref: 005209B6
__vbaStrMove.MSVBVM60(?,?,?,00000000,00411816,00545E5D), ref: 005209C1
__vbaStrCat.MSVBVM60(004787B4,00000000,?,?,?,00000000,00411816,00545E5D), ref: 005209CD
__vbaStrMove.MSVBVM60(?,?,?,00000000,00411816,00545E5D), ref: 005209D8
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,00000000,00411816,00545E5D), ref: 005209E8
__vbaSetSystemError.MSVBVM60(?,00000000,00411816,00545E5D), ref: 00520A00
__vbaStrI4.MSVBVM60(?,?,?,00000000,00411816,00545E5D), ref: 00520A0E
__vbaStrMove.MSVBVM60(?,00000000,00411816,00545E5D), ref: 00520A19
__vbaStrCat.MSVBVM60(00000000,?,00000000,00411816,00545E5D), ref: 00520A20
__vbaStrMove.MSVBVM60(?,00000000,00411816,00545E5D), ref: 00520A2B
__vbaFreeStr.MSVBVM60(?,00000000,00411816,00545E5D), ref: 00520A34
__vbaStrCopy.MSVBVM60(?,00000000,00411816,00545E5D), ref: 00520A47
__vbaStrCat.MSVBVM60(?,SessionID: ,?,00000000,00411816,00545E5D), ref: 00520A5D
__vbaStrMove.MSVBVM60(?,00000000,00411816,00545E5D), ref: 00520A68
__vbaFreeStr.MSVBVM60(?,?,00000000,00411816,00545E5D), ref: 00520A7A
#685.MSVBVM60(?,00000000,00411816,00545E5D), ref: 00520A87
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,00411816,00545E5D), ref: 00520A92
__vbaFreeObj.MSVBVM60(?,00000000,00411816,00545E5D), ref: 00520AAA
__vbaFreeStr.MSVBVM60(00520AF1,?,00000000,00411816,00545E5D), ref: 00520AEA

Strings

SessionID: , xrefs: 00520A54

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Move$Free$Error$System$#685ChkstkCopyList
String ID: SessionID:
API String ID: 2739133491-404888849
Opcode ID: a7ba0aa9dc5511d1d0c93cca8214319157d892109596afdad6fa01cd7099c864
Instruction ID: 6ce322db98a2071882d084d9b6556ca0d95c74d827ae0119cf10ef97139437fb
Opcode Fuzzy Hash: a7ba0aa9dc5511d1d0c93cca8214319157d892109596afdad6fa01cd7099c864
Instruction Fuzzy Hash: 1251C875900249EFDB04EFE0EE49ADEBBB5BF48305F108129F906B3660DB745A45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00522C00 Relevance: 52.8, APIs: 35, Instructions: 292COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00411816,?,?,?,00522545,?,?), ref: 00522C1E
__vbaAryConstruct2.MSVBVM60(?,00491EDC,00000011,6D65285F,6D721D9E,6D6517CC,?,00411816), ref: 00522C50
__vbaOnError.MSVBVM60(000000FF), ref: 00522C5F
__vbaGenerateBoundsError.MSVBVM60 ref: 00522C95
#644.MSVBVM60(0000EC00), ref: 00522CA8
__vbaUI1I2.MSVBVM60 ref: 00522CBD
__vbaUI1I2.MSVBVM60(?,?), ref: 00522CDF
__vbaUI1I2.MSVBVM60(?,?), ref: 00522D01
__vbaUI1I2.MSVBVM60(?,?), ref: 00522D23
__vbaUI1I2.MSVBVM60(?,?), ref: 00522D45
__vbaUI1I2.MSVBVM60(?,?), ref: 00522D67
#685.MSVBVM60(?,?), ref: 00522D84
__vbaObjSet.MSVBVM60(?,00000000), ref: 00522D8F
__vbaFreeObj.MSVBVM60 ref: 00522DB0
__vbaUbound.MSVBVM60(00000001), ref: 00522DD1
__vbaI2I4.MSVBVM60 ref: 00522DD9
#685.MSVBVM60 ref: 00522E0C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00522E17

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$#685Error$#644BoundsChkstkConstruct2FreeGenerateUbound
String ID:
API String ID: 2444365471-0
Opcode ID: 58e8559a1a341c4f9a8f42d8b7232dbc3bef3b2a8dbdc6acf93afdc16ceb9634
Instruction ID: dc40b2f828a6c42190409b9670c8d274a293b93f856794d3530834f8f58eea15
Opcode Fuzzy Hash: 58e8559a1a341c4f9a8f42d8b7232dbc3bef3b2a8dbdc6acf93afdc16ceb9634
Instruction Fuzzy Hash: 89D12474900218EFDB14DFA0DA48BEEBBB4BF49305F20855DE506AB2A1DBB45A44DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00510810 Relevance: 52.7, APIs: 28, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00411816), ref: 0051082E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 0051085E
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,?,?,?,00411816), ref: 00510876
__vbaStrCopy.MSVBVM60(?,?,?,?,00411816), ref: 00510890
__vbaStrCopy.MSVBVM60(?,?,?,?,00411816), ref: 005108AA
__vbaStrMove.MSVBVM60(?,?,?,?,00411816), ref: 005108C1
__vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,?,00411816), ref: 005108D7
__vbaNew2.MSVBVM60(00477E14,0054ED28,?,?,?,?,00411816), ref: 005108FF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00477E04,00000014), ref: 00510950
__vbaHresultCheckObj.MSVBVM60(00000000,?,0047A994,00000050), ref: 00510998
__vbaStrMove.MSVBVM60 ref: 005109C9
__vbaFreeObj.MSVBVM60 ref: 005109D2
__vbaStrCmp.MSVBVM60(00473D9C,?,?,?,?,?,00411816), ref: 005109E8
#619.MSVBVM60(?,00004008,00000001), ref: 00510A14
#685.MSVBVM60(?,?,?,?,00411816), ref: 00510AED
__vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,00411816), ref: 00510AF8
__vbaFreeObj.MSVBVM60(?,?,?,?,00411816), ref: 00510B19
__vbaFreeStr.MSVBVM60(00510B69,?,?,?,?,00411816), ref: 00510B62

Strings

ReaderINI.ini, xrefs: 00510A77
(T, xrefs: 0051091B

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$CheckCopyHresultMove$#619#685ChkstkErrorNew2
String ID: (T$ReaderINI.ini
API String ID: 733303979-1789204238
Opcode ID: a859a44a6c0c1029ffaab5f9aa2a48a8f4694a03e81f017ca30664d8c7eae3c2
Instruction ID: 86458bb700f357c32fad6a2cff923efd5d88954ce99a8c504b6a10529cfa4273
Opcode Fuzzy Hash: a859a44a6c0c1029ffaab5f9aa2a48a8f4694a03e81f017ca30664d8c7eae3c2
Instruction Fuzzy Hash: 52911975900208DFEB14DFA0CA48BDEBBB4FF48705F208169E505B72A0DBB55A85DF54

Uniqueness

Uniqueness Score: -1.00%

Function 0050ACC0 Relevance: 45.7, APIs: 24, Strings: 2, Instructions: 181COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,0054D0DC,?,00000000,00000000,00000000,00411816), ref: 0050ACDE
__vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00411816,0054D0DC), ref: 0050AD0E
#685.MSVBVM60(?,00000000,00000000,00000000,00411816,0054D0DC), ref: 0050AD1B
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,00000000,00411816,0054D0DC), ref: 0050AD26
__vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,00411816,0054D0DC), ref: 0050AD47
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,00000000,00000000,00000000,00411816,0054D0DC), ref: 0050AD60
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,00000000,00000000,00000000,00411816,0054D0DC), ref: 0050AD80
__vbaStrCmp.MSVBVM60(00473D9C,?,?,00000000,00000000,00000000,00411816,0054D0DC), ref: 0050AD98
#716.MSVBVM60(?,Scripting.FileSystemObject,00000000,?,?,00000000), ref: 0050ADCC
__vbaObjVar.MSVBVM60(?,?,?,00000000), ref: 0050ADD6
__vbaObjSetAddref.MSVBVM60(00000000,00000000,?,?,00000000), ref: 0050ADE1
__vbaFreeVar.MSVBVM60(?,?,00000000), ref: 0050ADEA
__vbaChkstk.MSVBVM60 ref: 0050AE16
__vbaChkstk.MSVBVM60 ref: 0050AE39
__vbaLateMemCall.MSVBVM60(00000000,CopyFile,00000002), ref: 0050AE62
#685.MSVBVM60(?,?,?,?,?,?,?,00000000), ref: 0050AE72
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00000000), ref: 0050AE7D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 0050AEB0
__vbaFreeObj.MSVBVM60 ref: 0050AEDA
__vbaObjSetAddref.MSVBVM60(00000000,00000000), ref: 0050AF02
#685.MSVBVM60(?,00000000,00000000,00000000,00411816,0054D0DC), ref: 0050AF1E
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,00000000,00411816,0054D0DC), ref: 0050AF29
__vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,00411816,0054D0DC), ref: 0050AF4A
__vbaFreeObj.MSVBVM60(0050AF74,?,00000000,00000000,00000000,00411816,0054D0DC), ref: 0050AF6D

Strings

Scripting.FileSystemObject, xrefs: 0050ADC3
CopyFile, xrefs: 0050AE59

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$#685Chkstk$Addref$#716CallCheckErrorHresultLate
String ID: CopyFile$Scripting.FileSystemObject
API String ID: 1648761310-2836766061
Opcode ID: 7569d6688bc44fd1148a601bd1b83b8caf40726829a8cde21ae43422f7a55f1e
Instruction ID: 217e7c94eb118e15bacc9c6af9d4ae07b71197abe120d4aa48be90fe925b017d
Opcode Fuzzy Hash: 7569d6688bc44fd1148a601bd1b83b8caf40726829a8cde21ae43422f7a55f1e
Instruction Fuzzy Hash: 9981F3B5D00209DFDB14DFA4DA48BDEBBB4FF48705F108169E509AB2A0DB749A44CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00511870 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816), ref: 0051188E
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00411816), ref: 005118BE
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,00000000,?,00000000,00411816), ref: 005118D6
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 005118EF
__vbaStrMove.MSVBVM60(00000000,?,00000000,?,00000000,00411816), ref: 00511905
__vbaFreeStr.MSVBVM60(?,00000000,?,00000000,00411816), ref: 0051190E
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,00000000,?,00000000,00411816), ref: 00511927
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 00511942
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00411816), ref: 00511958
#685.MSVBVM60(?,00000000,?,00000000,00411816), ref: 00511965
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,00000000,00411816), ref: 00511970
__vbaFreeObj.MSVBVM60(?,00000000,?,00000000,00411816), ref: 00511988

Strings

Aloaha PDF (www.aloaha.com), xrefs: 00511938
HKLM\Software\Aloaha\pdf\PDFAgent, xrefs: 005118E7

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Copy$Free$#685ChkstkErrorMove
String ID: Aloaha PDF (www.aloaha.com)$HKLM\Software\Aloaha\pdf\PDFAgent
API String ID: 2014732186-3193446157
Opcode ID: a242a23f55c32c3ec9ae98e1a6a7a66f70dcbdba68c20a9db0b0b143f3298b7c
Instruction ID: e3d6f15bfcc76d21bd0ed74fe54e8ee54972dd8a7e133152686944ff6e481156
Opcode Fuzzy Hash: a242a23f55c32c3ec9ae98e1a6a7a66f70dcbdba68c20a9db0b0b143f3298b7c
Instruction Fuzzy Hash: D5317175900208DFDB10DF90DE58BDEBFB8FB08709F208069E511B76A0D7795A45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004D2C70 Relevance: 21.1, APIs: 14, Instructions: 106COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,004A7331), ref: 004D2C8E
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816), ref: 004D2CBE
#685.MSVBVM60(?,?,?,00000000,00411816), ref: 004D2CCB
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00411816), ref: 004D2CD6
__vbaFreeObj.MSVBVM60(?,?,?,00000000,00411816), ref: 004D2CEE
__vbaSetSystemError.MSVBVM60(?,?,?,00000000,00411816), ref: 004D2D03
__vbaSetSystemError.MSVBVM60(0000087C,0054D658,?,?,?,00000000,00411816), ref: 004D2D2A
#685.MSVBVM60(?,?,?,00000000,00411816), ref: 004D2D46
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00411816), ref: 004D2D51
__vbaHresultCheckObj.MSVBVM60(00000000,?,004747A8,0000001C), ref: 004D2D84
__vbaFreeObj.MSVBVM60 ref: 004D2DA8
#685.MSVBVM60 ref: 004D2DCB
__vbaObjSet.MSVBVM60(?,00000000), ref: 004D2DD6
__vbaFreeObj.MSVBVM60 ref: 004D2DF7

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$#685ErrorFree$System$CheckChkstkHresult
String ID:
API String ID: 110213536-0
Opcode ID: f831ba4fbd9abf6139129695e229c801e292d4fb70132b3b862f2a22e1da7751
Instruction ID: 74bba9e13135bc30f04da962857e81cb542f74fd9de24c2bc1997f0017276d74
Opcode Fuzzy Hash: f831ba4fbd9abf6139129695e229c801e292d4fb70132b3b862f2a22e1da7751
Instruction Fuzzy Hash: 5B4126B4D00208DFDB00DFE4DA48BDDBBB4BF08745F20815AE516AB2A4DB785A49DF54

Uniqueness

Uniqueness Score: -1.00%

Function 004CB8D0 Relevance: 18.1, APIs: 12, Instructions: 109COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004CB8EE
__vbaStrCopy.MSVBVM60(?,00000001,?,00000000,00411816), ref: 004CB91B
__vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,00411816), ref: 004CB92A

Part of subcall function 00531FD0: __vbaChkstk.MSVBVM60(00000000,00411816,004CB93C,?,00000001,?,00000000,00411816), ref: 00531FEE
Part of subcall function 00531FD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000001,?,00000000,00411816,004CB93C), ref: 0053201E
Part of subcall function 00531FD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000001,?,00000000,00411816,004CB93C), ref: 0053202D
Part of subcall function 00531FD0: __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,00411816,004CB93C), ref: 0053203C
Part of subcall function 00531FD0: #520.MSVBVM60(?,00004008), ref: 0053206B
Part of subcall function 00531FD0: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 00532093
Part of subcall function 00531FD0: __vbaFreeVar.MSVBVM60 ref: 005320A6
Part of subcall function 00531FD0: __vbaStrCopy.MSVBVM60 ref: 005320CA
Part of subcall function 00531FD0: #520.MSVBVM60(?,00000008,?), ref: 005320F7
Part of subcall function 00531FD0: __vbaStrVarMove.MSVBVM60(?), ref: 00532104
Part of subcall function 00531FD0: __vbaStrMove.MSVBVM60 ref: 00532111
Part of subcall function 00531FD0: __vbaFreeStr.MSVBVM60 ref: 0053211A
Part of subcall function 00531FD0: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 00532130
Part of subcall function 00531FD0: #520.MSVBVM60(?,00004008), ref: 00532162
Part of subcall function 00531FD0: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0053218A
Part of subcall function 00531FD0: __vbaFreeVar.MSVBVM60 ref: 0053219D

__vbaStrToAnsi.MSVBVM60(?,?,00000000,00405518,?,00411816,?,00000001,?,00000000,00411816), ref: 004CB962
__vbaSetSystemError.MSVBVM60(?,00000000,?,00000001,?,00000000,00411816), ref: 004CB975
__vbaStrToUnicode.MSVBVM60(?,?,?,00000001,?,00000000,00411816), ref: 004CB983
__vbaFreeStr.MSVBVM60(?,00000001,?,00000000,00411816), ref: 004CB992
__vbaFreeVar.MSVBVM60(?,?,00000001,?,00000000,00411816), ref: 004CB9C0
#685.MSVBVM60(?), ref: 004CBA41
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004CBA4C
__vbaFreeObj.MSVBVM60 ref: 004CBA64
__vbaFreeStr.MSVBVM60(004CBA97), ref: 004CBA90

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Free$#520Error$ChkstkConstructCopyFixstrMove$#685AnsiListSystemUnicode
String ID:
API String ID: 2490341460-0
Opcode ID: 481b98f19858ab9450d15d327674548578db01d80da14484085be1baf7cb8f0c
Instruction ID: c33aabf705f99ccfdd174f2b0bf0ad993a0d6cb5820b43c7e7fc5f92dfbe8fb8
Opcode Fuzzy Hash: 481b98f19858ab9450d15d327674548578db01d80da14484085be1baf7cb8f0c
Instruction Fuzzy Hash: A3411AB5800209EFDB00DFE4DA49BDEBBB8FF48304F20805AE501A7290D7799A45DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 005044D0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816,?,?,00000000,00000000,00000000,00411816), ref: 005044EE
__vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00411816), ref: 0050451E
__vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00411816), ref: 00504533
__vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00411816), ref: 00504548
__vbaStrCmp.MSVBVM60(00473D9C,00000000,?,00000000,00000000,00000000,00411816), ref: 00504560
__vbaStrCopy.MSVBVM60 ref: 005045A2
__vbaStrCopy.MSVBVM60 ref: 005045B0

Strings

MyDocuments, xrefs: 0050459A
Software\Aloaha\pdf, xrefs: 005045A8

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Copy$ChkstkError
String ID: MyDocuments$Software\Aloaha\pdf
API String ID: 1771118016-820968302
Opcode ID: 4c83cc4686318587bfe12ee31705d07fd5747acd0c6091a81ac892e83eb6e2b6
Instruction ID: 7521ac20d02b06770792b12d039c5d0e33bd08a9eca29259ba2b4fdfa89c278a
Opcode Fuzzy Hash: 4c83cc4686318587bfe12ee31705d07fd5747acd0c6091a81ac892e83eb6e2b6
Instruction Fuzzy Hash: EA212CB5901248EFDB10DF94DA09BDEBB78FB04708F20C02DE501776A0DBB85A09CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004CC840 Relevance: 9.1, APIs: 6, Instructions: 73COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00411816), ref: 004CC85E
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816), ref: 004CC88E

Part of subcall function 0051D000: __vbaChkstk.MSVBVM60(?,00411816,?,?,?,?,00000000,00411816), ref: 0051D01E
Part of subcall function 0051D000: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00411816), ref: 0051D04E
Part of subcall function 0051D000: __vbaStrCmp.MSVBVM60(true,0077F45C,?,?,?,?,00411816), ref: 0051D066
Part of subcall function 0051D000: #685.MSVBVM60 ref: 0051D326
Part of subcall function 0051D000: __vbaObjSet.MSVBVM60(00000000,00000000), ref: 0051D331
Part of subcall function 0051D000: __vbaFreeObj.MSVBVM60 ref: 0051D352
Part of subcall function 0051D000: __vbaFreeStr.MSVBVM60(0051D393), ref: 0051D383
Part of subcall function 0051D000: __vbaFreeStr.MSVBVM60 ref: 0051D38C

__vbaSetSystemError.MSVBVM60(00000002,00000000,000000FF), ref: 004CC91A
#685.MSVBVM60(?,?,?,00000000,00411816), ref: 004CC927
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00411816), ref: 004CC932
__vbaFreeObj.MSVBVM60(?,?,?,00000000,00411816), ref: 004CC94A

Part of subcall function 004EAF90: __vbaChkstk.MSVBVM60(00000000,00411816,00000000,?,?,?,00000005,00411816), ref: 004EAFAE
Part of subcall function 004EAF90: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00411816,00000000), ref: 004EAFDE
Part of subcall function 004EAF90: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00411816,00000000), ref: 004EB003
Part of subcall function 004EAF90: #685.MSVBVM60(?,?,?,00000000,00411816,00000000), ref: 004EB041
Part of subcall function 004EAF90: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00411816,00000000), ref: 004EB04C
Part of subcall function 004EAF90: __vbaFreeObj.MSVBVM60(?,?,?,00000000,00411816,00000000), ref: 004EB064

Part of subcall function 004CCBC0: __vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004CCC17
Part of subcall function 004CCBC0: __vbaSetSystemError.MSVBVM60(00000000,00000028,?), ref: 004CCC2F
Part of subcall function 004CCBC0: __vbaStrToAnsi.MSVBVM60(?,SeShutdownPrivilege,?), ref: 004CCC42
Part of subcall function 004CCBC0: __vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 004CCC51
Part of subcall function 004CCBC0: __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004CCC61
Part of subcall function 004CCBC0: __vbaCopyBytes.MSVBVM60(00000008,?,?), ref: 004CCC7D
Part of subcall function 004CCBC0: __vbaSetSystemError.MSVBVM60(?,00000000,00000001,00000000,00000000,00000000), ref: 004CCC9D

Memory Dump Source

Source File: 00000000.00000002.2637034256.0000000000469000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2637018909.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637034256.0000000000425000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637148375.000000000054D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.000000000059A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2637164707.00000000005AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __vba$Error$Free$System$#685Chkstk$Copy$AnsiBytes
String ID:
API String ID: 3529819506-0
Opcode ID: 9b767d6fba4e527b0ec35e5c4744b229864be18d27eac2e43db288cc9798c314
Instruction ID: a4ae9d724ae255af07576ab4b4b28b5a2ab011b85748dbf30ab981d596ff7ea1
Opcode Fuzzy Hash: 9b767d6fba4e527b0ec35e5c4744b229864be18d27eac2e43db288cc9798c314
Instruction Fuzzy Hash: 34315CB5C01219EFDB10DF94CA49BDEBBB4BB08708F208259E115B7290C7795A448BA5

Uniqueness

Uniqueness Score: -1.00%

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.150051908780836
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe
File size:	1'772'168 bytes
MD5:	ffb4c4458546447f3bee304de21cd2eb
SHA1:	002c2f32ee46dacb422e75f687d8f74690184d31
SHA256:	2e823662bd36d30faea424591d4bf1557224007d9ee859917bb769a45cd4c0c6
SHA512:	a0879f813da4ae4a68f844dd20534c4cfc754e8c4a96a9c4498fde70ee0b3ab2261d71a5cbbe2c1f5239935e6c254d49df032c3466475d49dbd9c5f51c0f34be
SSDEEP:	24576:MMW7HssTOhL+0w6ZCNfNq8OPvTOiY+5dhhsqEyJ7VnHI4kyZHtwcy6FWEXGzt1WU:MRHssTOhLvPjYBK5T7rLRy
TLSH:	BC85F8A29940101EF1A5D9F1E4EB96221A0A3D364288944FB6DC7E46E1735C3BCB77CF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................6.......................Rich............PE..L...}:.R.....................@....................@................

Entrypoint:	0x411de8
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x52B33A7D [Thu Dec 19 18:27:09 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2f37a530f5e6742f10a20c18ed4a30e0

Signature Valid:	false
Signature Issuer:	CN=StartCom Class 2 Primary Intermediate Object CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
Signature Validation Error:	A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Error Number:	-2146762495
Not Before, Not After	05/04/2013 12:42:01 05/04/2015 18:32:50
Subject Chain	E=info@wrocklage.de, CN=Wrocklage Intermedia GmbH, O=Wrocklage Intermedia GmbH, L=Ibbenbueren, S=Nordrhein-Westfalen, C=DE, Description=0xC3J0qHPGjDilu1
Version:	3
Thumbprint MD5:	3BBC60BE8DFEB5640F06CE2A6A3241D7
Thumbprint SHA-1:	5A117187BD5C360764F66E37C47958D94EA295FF
Thumbprint SHA-256:	B345BF99D3037AEF50BFB1FD74AE3B74688943C424BACF1CBCAFED83EA455CBD
Serial:	095B

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14b4d4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x150000	0x60234	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1af000	0x1a88
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x3e8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14b520	0x14c000	61878b0b27fb1249a783240ed8c9c9b3	False	0.2629997529179217	data	6.0978626075661575	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x14d000	0x2688	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x150000	0x60234	0x61000	05db5244864036c1088ca876c81b6ee8	False	0.209069950064433	data	5.79150754764298	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1afbcc	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152			0.2146341463414634
RT_ICON	0x1af8e4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512			0.3172043010752688
RT_ICON	0x1af6fc	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288			0.38729508196721313
RT_ICON	0x1af5d4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128			0.4527027027027027
RT_ICON	0x19d1ac	0x12428	Device independent bitmap graphic, 256 x 512 x 8, image size 65536, 256 important colors			0.12199165686169644
RT_ICON	0x19c304	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors			0.5229211087420043
RT_ICON	0x19ba5c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors			0.6985559566787004
RT_ICON	0x19b394	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors			0.7684331797235023
RT_ICON	0x19ae2c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors			0.6026011560693642
RT_ICON	0x158e04	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336			0.1946141669378939
RT_ICON	0x154bdc	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.33656117146906
RT_ICON	0x152634	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.4545643153526971
RT_ICON	0x15158c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.47607879924953095
RT_ICON	0x150c04	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.5823770491803278
RT_ICON	0x15079c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.6223404255319149
RT_GROUP_ICON	0x1506c4	0xd8	data			0.6111111111111112
RT_VERSION	0x150390	0x334	data	English	United States	0.4146341463414634

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. Within MFT entries are file attributes, such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DF7FC1D6B129264C8B.TMP

C:\Users\user\Desktop\FalseUserPass.ini.lock

C:\Users\user\Desktop\FalseUserPass.ini:SmartLogin.txt

C:\Windows\FalseUserPass.ini

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exePID: 2172, Parent PID: 4056

General

Chronological Activities

Disassembly

Analysis Process: SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exePID: 2172, Parent PID: 4056COMMON

Execution Graph

Windows Analysis Report
SecuriteInfo.com.BScope.Trojan.Diple.31685.13945.exe

Function 004D5390 Relevance: 419.5, APIs: 227, Strings: 12, Instructions: 1292
COMMON

Function 0051DAE0 Relevance: 372.4, APIs: 203, Strings: 9, Instructions: 1361
COMMON

Function 00531FD0 Relevance: 314.4, APIs: 170, Strings: 9, Instructions: 1186
COMMON

Function 005006B0 Relevance: 300.2, APIs: 151, Strings: 20, Instructions: 929
COMMON

Function 004F0CA0 Relevance: 242.3, APIs: 112, Strings: 26, Instructions: 817
COMMON

Function 004CF630 Relevance: 221.3, APIs: 114, Strings: 12, Instructions: 778
COMMON

Function 00506210 Relevance: 212.4, APIs: 116, Strings: 5, Instructions: 698
COMMON

Function 00530720 Relevance: 210.8, APIs: 111, Strings: 9, Instructions: 829
COMMON

Function 004ABD10 Relevance: 198.5, APIs: 100, Strings: 13, Instructions: 792
COMMON

Function 0051C3A0 Relevance: 196.7, APIs: 106, Strings: 6, Instructions: 676
COMMON

Function 00518B80 Relevance: 194.9, APIs: 105, Strings: 6, Instructions: 699
COMMON

Function 004D4360 Relevance: 184.5, APIs: 96, Strings: 9, Instructions: 745
COMMON

Function 004D22A0 Relevance: 180.8, APIs: 96, Strings: 7, Instructions: 589
COMMON

Function 0050E600 Relevance: 177.4, APIs: 90, Strings: 11, Instructions: 609
COMMON

Function 004F92B0 Relevance: 177.3, APIs: 80, Strings: 21, Instructions: 568
COMMON