Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe

Overview

General Information

Sample name:SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe
Analysis ID:1431443
MD5:5c4e6b119a01b350a02a25704fc912ec
SHA1:e2236c2bda3a2590cd2b6f96870a20ce23b5d6fd
SHA256:710e7a08ebafad9cf16628f7ba362846f52dc5a485ac5066e4f60e0bc0f2862a
Tags:exe
Infos:

Detection

Score:24
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations
AV process strings found (often used to terminate AV products)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE / OLE file has an invalid certificate
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations
Source: Registry Key setAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Details: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe, ProcessId: 5580, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC2B860C-CA40-4AF1-83E3-D4FAA197DA0E}\LocalServer32\(Default)

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeString found in binary or memory: http://aia.startssl.com/certs/sub.class2.code.ca.crt0#
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeString found in binary or memory: http://crl.startssl.com/crtc2-crl.crl0
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeString found in binary or memory: http://crl.startssl.com/sfsca.crl0
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeString found in binary or memory: http://ocsp.startssl.com/sub/class2/code/ca0
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeString found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeString found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeString found in binary or memory: http://www.startssl.com/0
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeString found in binary or memory: http://www.startssl.com/intermediate.pdf0
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeString found in binary or memory: http://www.startssl.com/policy.pdf0
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeString found in binary or memory: http://www.startssl.com/policy.pdf04
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeString found in binary or memory: http://www.startssl.com/sfsca.crl0
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeString found in binary or memory: http://www.startssl.com/sfsca.crt0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeCode function: 0_2_005C58C00_2_005C58C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeCode function: 0_2_004074910_2_00407491
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeCode function: 0_2_005859400_2_00585940
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeCode function: 0_2_0058EDC00_2_0058EDC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeCode function: 0_2_005D06100_2_005D0610
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeCode function: 0_2_005C0AD00_2_005C0AD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeCode function: 0_2_005AE2A00_2_005AE2A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeCode function: 0_2_004FDBC00_2_004FDBC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeCode function: String function: 005611F0 appears 85 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeCode function: String function: 004153F0 appears 56 times
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeStatic PE information: invalid certificate
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe, 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameAloahaHTMLFormSaver.exe, vs SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeBinary or memory string: OriginalFilenameAloahaHTMLFormSaver.exe, vs SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engineClassification label: sus24.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeMutant created: NULL
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeSection loaded: msvbvm60.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeSection loaded: vb6zz.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeSection loaded: sxs.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002E005-0000-0000-C000-000000000046}\InprocServer32Jump to behavior
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeStatic file information: File size 2067080 > 1048576
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x1e1000
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeCode function: 0_2_00401DBE push edx; retn 004Fh0_2_00402245
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeCode function: 0_2_004022D8 push es; retn 004Fh0_2_004022D9
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeCode function: 0_2_004022EC push edx; retn 004Fh0_2_004022ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeCode function: 0_2_0040B774 push A10055C3h; ret 0_2_0040B779
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeCode function: 0_2_00402306 push esi; ret 0_2_00402315
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeAPI coverage: 0.0 %
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exeBinary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe, SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe, 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmp, SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe, 00000000.00000000.2146198753.0000000000401000.00000020.00000001.01000000.00000003.sdmpBinary or memory string: ClamTray.exe
Source: SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe, SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe, 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmp, SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe, 00000000.00000000.2146198753.0000000000401000.00000020.00000001.01000000.00000003.sdmpBinary or memory string: ClamWin.exe

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		1
Process Injection		1
Process Injection		OS Credential Dumping1
Security Software Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		1
Deobfuscate/Decode Files or Information		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
DLL Side-Loading		Security Account Manager1
System Information Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook2
Obfuscated Files or Information		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe0%ReversingLabs
SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe4%VirustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://ocsp.thawte.com00%URL Reputationsafe
http://www.startssl.com/intermediate.pdf00%Avira URL Cloudsafe
http://www.startssl.com/sfsca.crt00%Avira URL Cloudsafe
http://ocsp.startssl.com/sub/class2/code/ca00%Avira URL Cloudsafe
http://www.startssl.com/policy.pdf00%Avira URL Cloudsafe
http://aia.startssl.com/certs/sub.class2.code.ca.crt0#0%Avira URL Cloudsafe
http://www.startssl.com/00%Avira URL Cloudsafe
http://www.startssl.com/sfsca.crl00%Avira URL Cloudsafe
http://ocsp.startssl.com/sub/class2/code/ca00%VirustotalBrowse
http://crl.startssl.com/crtc2-crl.crl00%Avira URL Cloudsafe
http://www.startssl.com/sfsca.crt00%VirustotalBrowse
http://www.startssl.com/intermediate.pdf00%VirustotalBrowse
http://www.startssl.com/policy.pdf040%Avira URL Cloudsafe
http://aia.startssl.com/certs/sub.class2.code.ca.crt0#0%VirustotalBrowse
http://www.startssl.com/policy.pdf00%VirustotalBrowse
http://www.startssl.com/sfsca.crl00%VirustotalBrowse
http://crl.startssl.com/crtc2-crl.crl00%VirustotalBrowse
http://crl.startssl.com/sfsca.crl00%Avira URL Cloudsafe
http://www.startssl.com/policy.pdf040%VirustotalBrowse
http://crl.startssl.com/sfsca.crl00%VirustotalBrowse
http://www.startssl.com/00%VirustotalBrowse

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://www.startssl.com/policy.pdf0SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exefalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://www.startssl.com/sfsca.crt0SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exefalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://ocsp.startssl.com/sub/class2/code/ca0SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exefalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://www.startssl.com/intermediate.pdf0SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exefalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://aia.startssl.com/certs/sub.class2.code.ca.crt0#SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exefalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://www.startssl.com/0SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exefalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exefalse
    		high
    http://www.startssl.com/sfsca.crl0SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exefalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown
    http://crl.startssl.com/crtc2-crl.crl0SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exefalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown
    http://www.startssl.com/policy.pdf04SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exefalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown
    http://ocsp.thawte.com0SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exefalse
    • URL Reputation: safe
    		unknown
    http://crl.startssl.com/sfsca.crl0SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exefalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown

    World Map of Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1431443
    Start date and time:2024-04-25 05:29:39 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 2m 48s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:2
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe
    Detection:SUS
    Classification:sus24.winEXE@1/0@0/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 1
    • Number of non-executed functions: 146
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Stop behavior analysis, all processes terminated

    Warnings

    • Exclude process from analysis (whitelisted): dllhost.exe
    • Excluded domains from analysis (whitelisted): client.wns.windows.com
    • Report size exceeded maximum capacity and may have missing disassembly code.

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASNs

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.053152801182865
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe
    File size:2'067'080 bytes
    MD5:5c4e6b119a01b350a02a25704fc912ec
    SHA1:e2236c2bda3a2590cd2b6f96870a20ce23b5d6fd
    SHA256:710e7a08ebafad9cf16628f7ba362846f52dc5a485ac5066e4f60e0bc0f2862a
    SHA512:46bc9aa27e02aeee5f3498ebda75b1944ababfe06e36bda400c01d1795a78f763bf7d5438d3a8ce8b0133c67036b1048fa413d01f54b2732cf67d666bcdca54a
    SSDEEP:24576:tKHl95jZp8XCryW34KM1tliPIN8E6BhrGilKKQ6GDWF+GKGQDixfWtopOd5mMqrU:4BZeXtW34KocF+3P8q
    TLSH:77A5E712E690510FF262CAF0B5B4C87668137D3515E9640BF6C23F4E7176BA3ACA4B1B
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L...YfUR............................\Z....... ....@........

    File Icon

    Icon Hash:3e6360743db11903

    Static PE Info

    General

    Entrypoint:0x415a5c
    Entrypoint Section:.text
    Digitally signed:true
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    DLL Characteristics:
    Time Stamp:0x52556659 [Wed Oct 9 14:21:13 2013 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:cca452a33e3211477990315632f22948

    Authenticode Signature

    Signature Valid:false
    Signature Issuer:CN=StartCom Class 2 Primary Intermediate Object CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
    Signature Validation Error:A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
    Error Number:-2146762495
    Not Before, Not After
    • 05/04/2013 12:42:01 05/04/2015 18:32:50
    Subject Chain
    • E=info@wrocklage.de, CN=Wrocklage Intermedia GmbH, O=Wrocklage Intermedia GmbH, L=Ibbenbueren, S=Nordrhein-Westfalen, C=DE, Description=0xC3J0qHPGjDilu1
    Version:3
    Thumbprint MD5:3BBC60BE8DFEB5640F06CE2A6A3241D7
    Thumbprint SHA-1:5A117187BD5C360764F66E37C47958D94EA295FF
    Thumbprint SHA-256:B345BF99D3037AEF50BFB1FD74AE3B74688943C424BACF1CBCAFED83EA455CBD
    Serial:095B

    Entrypoint Preview

    Instruction
    push 004162FCh
    call 00007F1340DD1E65h
    add byte ptr [eax], al
    push eax
    add byte ptr [eax], al
    add byte ptr [eax], dh
    add byte ptr [eax], al
    add byte ptr [eax+00h], cl
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    jl 00007F1340DD1EECh
    sub eax, 63A4A124h
    inc esi
    lea eax, eax
    push ebp
    lodsb
    ror dh, cl
    mov byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [edx], al
    add byte ptr [edx], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [ecx+6Ch], al
    outsd
    popad
    push 4D544861h
    dec esp
    inc esi
    outsd
    jc 00007F1340DD1EDFh
    push ebx
    popad
    jbe 00007F1340DD1ED7h
    jc 00007F1340DD1E72h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    mov eax, 98000000h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [edx], al
    add byte ptr [eax], al
    add byte ptr [edi], cl
    add byte ptr [eax], al
    add byte ptr [esi+eax*4], cl
    sub ebp, dword ptr [eax+eax*2-7CB50E36h]
    jecxz 00007F1340DD1E46h
    cli
    mov eax, dword ptr [010EDA97h]
    add byte ptr [eax], al
    add byte ptr [eax+00000000h], ch
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    adc byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [ebx+72h], al
    jns 00007F1340DD1EE2h
    je 00007F1340DD1EE1h
    inc ecx
    push eax
    dec ecx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [edi-1153C131h], dh
    jnl 00007F1340DD1E4Fh
    inc esi
    cmpsb
    xchg eax, esp
    jnbe 00007F1340DD1E77h
    dec edx
    sub bl, byte ptr [edi+18h]
    add dword ptr [eax], eax

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x1e02e40x28.text
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x1e80000x1338e.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x1f70000x1a88.rsrc
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2300x20
    IMAGE_DIRECTORY_ENTRY_IAT0x10000x44c.text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x1e04500x1e10001f9b9a7d00d552e0ebcbe571edbab3c1False0.2906435770205301data6.08091131677185IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .data0x1e20000x51440x1000620f0b67a91f7f74151bc5be745b7110False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc0x1e80000x1338e0x1400091ee33cf145a157dc00d42f9b429e894False0.3121826171875data4.809586134372352IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    NameRVASizeTypeLanguageCountryZLIB Complexity
    TYPELIB0x1f97860x1c08data0.3933946488294314
    _IID_CRYPTOAPI0x1f97720x14data1.45
    _IID_HASH0x1f975e0x14data1.45
    _IID_SAVERCLASS0x1f972a0x34data1.2115384615384615
    RT_ICON0x1f90c20x668Device independent bitmap graphic, 48 x 96 x 4, image size 15360.2646341463414634
    RT_ICON0x1f8dda0x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 6400.3736559139784946
    RT_ICON0x1f8cb20x128Device independent bitmap graphic, 16 x 32 x 4, image size 1920.5168918918918919
    RT_ICON0x1f7e0a0xea8Device independent bitmap graphic, 48 x 96 x 8, image size 26880.5479744136460555
    RT_ICON0x1f75620x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 11520.7084837545126353
    RT_ICON0x1f6ffa0x568Device independent bitmap graphic, 16 x 32 x 8, image size 3200.5036127167630058
    RT_ICON0x1f4a520x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 96000.41161825726141077
    RT_ICON0x1f39aa0x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 42240.551594746716698
    RT_ICON0x1f35420x468Device independent bitmap graphic, 16 x 32 x 32, image size 10880.8280141843971631
    RT_ICON0x1f2d8a0x7b8Device independent bitmap graphic, 52 x 104 x 4, image size 18720.22621457489878544
    RT_ICON0x1f1d320x1058Device independent bitmap graphic, 52 x 104 x 8, image size 3120, resolution 2851 x 2851 px/m0.18929254302103252
    RT_ICON0x1efbba0x2178Device independent bitmap graphic, 52 x 104 x 24, image size 85280.10644257703081232
    RT_ICON0x1ecfb20x2c08Device independent bitmap graphic, 52 x 104 x 32, image size 112320.08481192334989354
    RT_ICON0x1ecc4a0x368Device independent bitmap graphic, 16 x 32 x 24, image size 8320.5963302752293578
    RT_ICON0x1eca620x1e8Device independent bitmap graphic, 24 x 48 x 4, image size 3840.46311475409836067
    RT_ICON0x1ec39a0x6c8Device independent bitmap graphic, 24 x 48 x 8, image size 6720.7868663594470046
    RT_ICON0x1ebc520x748Device independent bitmap graphic, 24 x 48 x 24, image size 18240.5118025751072961
    RT_ICON0x1eb2ca0x988Device independent bitmap graphic, 24 x 48 x 32, image size 24000.6540983606557377
    RT_ICON0x1ea6220xca8Device independent bitmap graphic, 32 x 64 x 24, image size 32000.44320987654320987
    RT_ICON0x1e897a0x1ca8Device independent bitmap graphic, 48 x 96 x 24, image size 72960.33764994547437294
    RT_GROUP_ICON0x1e885c0x11edata0.6048951048951049
    RT_VERSION0x1e86000x25cdataEnglishUnited States0.46192052980132453

    Imports

    DLLImport
    MSVBVM60.DLL__vbaR8FixI4, __vbaVarSub, __vbaVarTstGt, __vbaStrI2, __vbaNextEachAry, _CIcos, _adj_fptan, __vbaStrI4, __vbaVarMove, __vbaRedimPreserveVar, __vbaVarVargNofree, __vbaFreeVar, __vbaAryMove, __vbaLateIdCall, __vbaStrVarMove, __vbaLenBstr, __vbaAptOffset, __vbaVarIdiv, __vbaFreeVarList, _adj_fdiv_m64, __vbaFpCDblR8, __vbaAryRecMove, __vbaNextEachVar, __vbaFreeObjList, __vbaVarIndexLoadRef, __vbaStrErrVarCopy, _adj_fprem1, __vbaRecAnsiToUni, __vbaI2Abs, __vbaResume, __vbaCopyBytes, __vbaForEachCollAd, __vbaStrCat, __vbaVarCmpNe, __vbaError, __vbaBoolErrVar, __vbaLsetFixstr, __vbaSetSystemError, __vbaRecDestruct, __vbaHresultCheckObj, __vbaVargVarCopy, __vbaLenVar, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaVarIndexLoadRefLock, __vbaLateMemSt, __vbaVarForInit, __vbaExitProc, __vbaStrBool, __vbaBoolStr, __vbaI4Abs, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarIndexLoad, __vbaStrFixstr, __vbaBoolVar, __vbaVarTstLt, __vbaVargVar, __vbaRefVarAry, __vbaFpR8, __vbaBoolVarNull, _CIsin, __vbaErase, __vbaVargVarMove, __vbaVarZero, __vbaVarCmpGt, __vbaChkstk, __vbaGosubFree, __vbaFileClose, EVENT_SINK_AddRef, __vbaVarAbs, __vbaGenerateBoundsError, __vbaExitEachColl, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, __vbaDateR8, __vbaI2I4, __vbaObjVar, DllFunctionCall, __vbaVarOr, __vbaVarLateMemSt, __vbaFpUI1, __vbaCastObjVar, __vbaStrR4, __vbaLbound, __vbaRedimPreserve, _adj_fpatan, __vbaFixstrConstruct, __vbaLateIdCallLd, __vbaRedim, __vbaStrR8, __vbaUI1ErrVar, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaNew, __vbaUI1I2, _CIsqrt, __vbaRedimVar, __vbaObjIs, __vbaVarAnd, EVENT_SINK_QueryInterface, __vbaVarMul, __vbaStr2Vec, __vbaUI1I4, __vbaStrUI1, __vbaExceptHandler, __vbaPrintFile, __vbaStrToUnicode, __vbaDateStr, __vbaExitEachAry, __vbaR4ErrVar, _adj_fprem, _adj_fdivr_m64, __vbaGosub, __vbaVarDiv, __vbaI2Str, __vbaR8ErrVar, __vbaFPException, __vbaInStrVar, __vbaGetOwner3, __vbaUbound, __vbaStrVarVal, __vbaVarCat, __vbaDateVar, __vbaLsetFixstrFree, __vbaI2Var, __vbaExitEachVar, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaVarLateMemCallLdRf, __vbaR8Str, __vbaVar2Vec, __vbaInStr, __vbaNew2, __vbaCyMulI2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaVarCmpLt, __vbaFreeStrList, _adj_fdivr_m32, __vbaPowerR8, __vbaR8Var, _adj_fdiv_r, __vbaVarTstNe, __vbaVarSetVar, __vbaI4Var, __vbaForEachAry, __vbaVarCmpEq, __vbaAryLock, __vbaLateMemCall, __vbaVarAdd, __vbaStrComp, __vbaStrToAnsi, __vbaVarDup, __vbaFpI2, __vbaVarMod, __vbaUnkVar, __vbaFpI4, __vbaVarLateMemCallLd, __vbaVarCopy, __vbaRecDestructAnsi, __vbaR8IntI2, __vbaVarSetObjAddref, __vbaLateMemCallLd, _CIatan, __vbaUI1Str, __vbaI2ErrVar, __vbaCastObj, __vbaStrMove, __vbaAryCopy, __vbaR8IntI4, __vbaStrVarCopy, __vbaForEachVar, _allmul, __vbaLateIdSt, __vbaAryRecCopy, __vbaLateMemCallSt, _CItan, __vbaNextEachCollAd, __vbaFPInt, __vbaAryUnlock, __vbaVarForNext, _CIexp, __vbaMidStmtBstr, __vbaRecAssign, __vbaI4ErrVar, __vbaFreeObj, __vbaFreeStr

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    EnglishUnited States

    Network Behavior

    No network behavior found

    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    System Behavior

    General

    Target ID:0
    Start time:05:30:32
    Start date:25/04/2024
    Path:C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.1093.28848.exe"
    Imagebase:0x400000
    File size:2'067'080 bytes
    MD5 hash:5C4E6B119A01B350A02A25704FC912EC
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true

    Disassembly

    Reset < >

      Execution Graph

      Execution Coverage:0%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:2.1%
      Total number of Nodes:141
      Total number of Limit Nodes:0
      execution_graph 21984 50fc50 4563 API calls 21985 57bc50 13 API calls 22061 574150 11 API calls 22062 57e350 4150 API calls 21987 598a50 6 API calls 21988 5bac50 20 API calls 22064 5cf550 4210 API calls 22065 5d3350 4562 API calls 22066 4f2d40 19 API calls 21989 502240 136 API calls 22067 585940 9235 API calls 21982 415a5c #100 21983 415a7a 21982->21983 22068 5dbd40 191 API calls 22069 5d0340 37 API calls 21990 575070 4578 API calls 22070 57eb70 4693 API calls 22071 57ef70 4623 API calls 21991 58ea70 __vbaAryCopy 22072 58fd70 42 API calls 22073 583370 4141 API calls 21992 593470 __vbaSetSystemError 21993 5c9070 84 API calls 21994 5cce70 4986 API calls 21995 50f460 43 API calls 21996 50ea60 13 API calls 21997 507660 4132 API calls 21998 510660 __vbaObjSet __vbaHresultCheckObj __vbaFreeObj 22075 583b60 18 API calls 22000 596260 __vbaStrI4 __vbaStrMove 22076 591f60 39 API calls 22077 5ce960 4303 API calls 22078 5d9b60 38 API calls 22079 508910 317 API calls 22080 50cd10 12 API calls 22081 573910 4297 API calls 22003 583e10 4155 API calls 22082 590110 16 API calls 22005 5cba10 6 API calls 22083 5ce710 4133 API calls 22006 5d0610 4731 API calls 22007 5dba10 30 API calls 22084 5d0110 13 API calls 22085 57cd00 4141 API calls 22087 583700 4157 API calls 22009 599a00 7 API calls 22088 596700 47 API calls 22089 5ce500 4129 API calls 22090 5d6b00 146 API calls 22091 4f3d10 11 API calls 22010 519630 31 API calls 22011 574e30 __vbaChkstk __vbaOnError 22012 577e30 4166 API calls 22092 580330 5818 API calls 22013 591030 100 API calls 22014 59a030 187 API calls 22015 5cbc30 8 API calls 22016 5ccc30 6 API calls 22093 4f4520 6849 API calls 22094 4fa720 61 API calls 22095 511120 5586 API calls 22017 4fd030 6 API calls 22018 4f3c30 __vbaChkstk __vbaOnError #685 __vbaObjSet __vbaFreeObj 22099 50cfd0 6 API calls 22100 510bd0 4141 API calls 22101 57bdd0 4736 API calls 22019 5844d0 172 API calls 22020 596cd0 46 API calls 22021 592ad0 81 API calls 22102 5971d0 30 API calls 22103 5995d0 40 API calls 22022 543ac0 5434 API calls 22104 58e9c0 __vbaHresultCheckObj __vbaStrCopy __vbaFreeStr 22105 58edc0 177 API calls 22024 599cc0 __vbaPowerR8 __vbaPowerR8 __vbaPowerR8 22025 59c8c0 4293 API calls 22106 5903c0 91 API calls 22107 5cdfc0 14 API calls 22027 4fbad0 4337 API calls 22028 50d0f0 14 API calls 22029 50d2f0 76 API calls 22030 57def0 4852 API calls 22033 599af0 18 API calls 22034 5c9af0 8642 API calls 22035 5d8af0 4404 API calls 22109 5d57f0 4275 API calls 22036 4f38e0 23 API calls 22037 4f3ee0 167 API calls 22110 4fcde0 4323 API calls 22111 4f35e0 20 API calls 22112 4f9fe0 15 API calls 22113 50ebe0 65 API calls 22114 5107e0 27 API calls 22038 535ae0 133 API calls 22040 57bae0 8 API calls 22115 5749e0 4140 API calls 22116 577fe0 7 API calls 22117 57dbe0 28 API calls 22118 58ebe0 7 API calls 22041 5932e0 8 API calls 22119 59c1e0 4207 API calls 22120 5cd5e0 4305 API calls 22121 5ce1e0 18 API calls 22122 5d69e0 9 API calls 22042 4fc2f0 4242 API calls 22043 50fa90 12 API calls 22123 55e790 623 API calls 22044 562c90 4493 API calls 22045 57fe90 4545 API calls 22046 581a90 4386 API calls 22047 584290 9551 API calls 22048 5cca90 9 API calls 22125 5cbd90 93 API calls 22049 4fcc80 4481 API calls 22126 4f2b80 12 API calls 22127 4f2f80 330 API calls 22128 573780 10 API calls 22129 591d80 __vbaVarDup __vbaVarDup #595 __vbaFreeVarList __vbaVarDup 22130 59d180 10 API calls 22050 5ca680 8834 API calls 22051 5cf280 4132 API calls 22052 4f3290 144 API calls 22053 50ceb0 10 API calls 22132 50e1b0 41 API calls 22134 5843b0 9509 API calls 22135 5923b0 98 API calls 22136 5cd3b0 15 API calls 22054 5d7cb0 4381 API calls 22137 5d67b0 9 API calls 22138 4fada0 56 API calls 22055 50c8a0 43 API calls 22056 5744a0 35 API calls 22057 57d0a0 4588 API calls 22139 57c7a0 4139 API calls 22058 5964a0 15 API calls 22059 59baa0 4256 API calls 22060 59d2a0 138 API calls 22141 598fa0 29 API calls 22143 5d9fa0 5132 API calls 22144 4fa1b0 229 API calls 22145 4fb3b0 4391 API calls

      Executed Functions

      Function 00415A5C Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 234COMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 0 415a5c-415a78 #100 1 415a7a-415aa4 0->1 2 415b13-415b1a 1->2 3 415aa6-415aa8 1->3 7 415b21-415b43 2->7 8 415b1d-415b1e 2->8 5 415aaa 3->5 6 415b0f 3->6 9 415aab-415ad5 5->9 6->2 10 415b45 7->10 11 415b46-415b68 7->11 8->7 9->9 12 415ad7-415b01 9->12 10->11 13 415b6a 11->13 14 415b02 12->14 15 415b7c-415b7e 12->15 16 415bd4-415be0 13->16 17 415b6c-415b72 13->17 18 415b03 14->18 19 415b74 14->19 20 415b84-415bc8 15->20 21 415c2b 16->21 17->19 23 415b04 18->23 24 415b79 18->24 19->13 22 415b75-415b78 19->22 20->21 25 415bca 20->25 26 415c31-415c41 21->26 22->24 23->22 27 415b05-415b0d 23->27 24->15 24->20 25->26 28 415bcc 25->28 29 415c45-415c4b 26->29 27->6 28->26 30 415bce-415bd0 28->30 30->29 31 415bd2 30->31 31->16
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: #100
      • String ID: VB5!6&*
      • API String ID: 1341478452-3593831657
      • Opcode ID: 963e02851b1aa4560a9eecd8fc56deaf4fb3a77f090a61602f10db615ebc09a8
      • Instruction ID: 801b88e6b71bfb4e61991cbabe5aa58d619be4c9623bc5513bbe0137c7fbb1b9
      • Opcode Fuzzy Hash: 963e02851b1aa4560a9eecd8fc56deaf4fb3a77f090a61602f10db615ebc09a8
      • Instruction Fuzzy Hash: 5951A56144EBC18FD7074B709D652947FB5AE93224B1E01CBC4C1CF0A3E25D588AC76B
      Uniqueness

      Uniqueness Score: -1.00%

      Non-executed Functions

      Function 00585940 Relevance: 1921.2, APIs: 1045, Strings: 48, Instructions: 8408COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0058595E
      • __vbaAryConstruct2.MSVBVM60(?,0043C018,00000008,?,?,?,?,004153F6), ref: 0058599F
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 005859AE
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 005859D5
      • __vbaGenerateBoundsError.MSVBVM60 ref: 00585A05
      • __vbaStrCopy.MSVBVM60 ref: 00585A23
      • __vbaAryCopy.MSVBVM60(?,?), ref: 00585A47
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0043ACD4,00000064), ref: 00585A8A
      • __vbaAryMove.MSVBVM60(?,?), ref: 00585AAD
      • __vbaStrCopy.MSVBVM60 ref: 00585AC5
      • __vbaFreeStr.MSVBVM60(?), ref: 00585ADD
      • #685.MSVBVM60 ref: 00585AEA
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00585AF8
      • __vbaFreeObj.MSVBVM60 ref: 00585B1C
      • __vbaGenerateBoundsError.MSVBVM60 ref: 00585B60
      • __vbaGenerateBoundsError.MSVBVM60 ref: 00585B7D
      • __vbaStrCopy.MSVBVM60 ref: 00585B9B
      • #685.MSVBVM60 ref: 00585BA8
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00585BB6
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C600,0000001C), ref: 00585C01
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 00585C22
      • __vbaFreeObj.MSVBVM60 ref: 00585C4E
      • __vbaStrCopy.MSVBVM60 ref: 00585C70
      • #685.MSVBVM60 ref: 00585C7D
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00585C8B
      • __vbaFreeObj.MSVBVM60 ref: 00585CAF
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 00585CC5
      • __vbaUbound.MSVBVM60(00000001,00000000), ref: 00585CE0
      • __vbaStrCopy.MSVBVM60 ref: 00585D2F
      • #685.MSVBVM60 ref: 00585D3C
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00585D4A
      • __vbaFreeObj.MSVBVM60 ref: 00585D6E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Copy$Free$#685Error$BoundsGenerate$CheckHresult$ChkstkConstruct2MoveUbound
      • String ID: <> $ and going to enum for container$ did not Return ATR$ does not fit to $ in $ is not used in token$ reader$ to containerlist$*.ini$+$ATR$Aloaha Cryptographic Provider$CSP$CardMapping$CompleteContainerList$Container found: $Entering IsProviderResponsibleForReader: $Found CSP: $Found Cardreader and going to enum now the Container$Found CurrentProvider: $Found right ATR Card: $Generic$Getting Container List for: $Going to check: $INIATR$IgnoreReader$Leaving ContainerList$Leaving IsProviderResponsibleForReader: $Microsoft Enhanced$Microsoft RSA$Microsoft Strong$No Cardreader found$No Softtoken found$No card found in: $No current container$Provider $Provider: $Reader $Softtoken is missing ATR or CSP - ASSUMING that card exists!!!$added: $aks ifdh$aks vr$c$csp$eToken Base Cryptographic Provider$found $found in $rainbow tech
      • API String ID: 1549294690-1852802038
      • Opcode ID: 6b23e2177582d85bddd05769690184b4c71fe70b5b77a473e9bc8314d56dc851
      • Instruction ID: cfc37cb45fb048c02919eddfa9d75aa83e7551519f0e91d26d3ab561ab6f4ccf
      • Opcode Fuzzy Hash: 6b23e2177582d85bddd05769690184b4c71fe70b5b77a473e9bc8314d56dc851
      • Instruction Fuzzy Hash: 7B14F475900218DFDB24DFA4CD88BEDBBB5BF48305F1081D9E50AAB2A0DB709A85CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005C0AD0 Relevance: 992.6, APIs: 541, Strings: 24, Instructions: 3888COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,005C06F4,?,?,?), ref: 005C0AEE
      • __vbaAptOffset.MSVBVM60(00419C98,00000000,00000001,6D1CD8CD,00000000,004153F6), ref: 005C0B13
      • __vbaStrCopy.MSVBVM60 ref: 005C0B2C
      • __vbaStrCopy.MSVBVM60 ref: 005C0B38
      • __vbaOnError.MSVBVM60(000000FF), ref: 005C0B47
      • __vbaFreeStr.MSVBVM60(?), ref: 005C0B77
      • #520.MSVBVM60(?,00004008), ref: 005C0BA5
      • #520.MSVBVM60(?,00004008), ref: 005C0BE0
      • __vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 005C0C0F
      • __vbaVarCmpNe.MSVBVM60(?,00008008,?,00000000), ref: 005C0C2B
      • __vbaVarAnd.MSVBVM60(?,00000000), ref: 005C0C39
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 005C0C40
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005C0C5D
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?), ref: 005C0CB1
      • __vbaStrCopy.MSVBVM60 ref: 005C0CCA
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 005C0CE0
      • #518.MSVBVM60(?,00004008), ref: 005C0D2D
      • __vbaVarDup.MSVBVM60 ref: 005C0D53
      • #518.MSVBVM60(?,?), ref: 005C0D67
      • __vbaVarTstEq.MSVBVM60(?,?), ref: 005C0D7B
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 005C0D9F
      • #518.MSVBVM60(?,00004008), ref: 005C0DDF
      • __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 005C0E26
      • __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 005C0E34
        • Part of subcall function 005C58C0: __vbaChkstk.MSVBVM60(?,004153F6,?,?,?,005C0C85,?,?), ref: 005C58DE
        • Part of subcall function 005C58C0: __vbaOnError.MSVBVM60(000000FF,00000000,00000001,6D1CD8CD,?,004153F6), ref: 005C590E
        • Part of subcall function 005C58C0: #520.MSVBVM60(?,00004008), ref: 005C5930
        • Part of subcall function 005C58C0: __vbaStrVarMove.MSVBVM60(?), ref: 005C593A
        • Part of subcall function 005C58C0: __vbaStrMove.MSVBVM60 ref: 005C5945
        • Part of subcall function 005C58C0: __vbaFreeVar.MSVBVM60 ref: 005C594E
        • Part of subcall function 005C58C0: __vbaStrCmp.MSVBVM60(0041AA3C), ref: 005C5966
        • Part of subcall function 005C58C0: __vbaAryRecMove.MSVBVM60(0043C030,?,?), ref: 005C5996
        • Part of subcall function 005C58C0: #685.MSVBVM60 ref: 005C59A3
        • Part of subcall function 005C58C0: __vbaObjSet.MSVBVM60(?,00000000), ref: 005C59AE
        • Part of subcall function 005C58C0: __vbaFreeObj.MSVBVM60 ref: 005C59CF
        • Part of subcall function 005C58C0: __vbaUbound.MSVBVM60(00000001,00000000), ref: 005C5A42
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005C0E51
      • __vbaStrMove.MSVBVM60 ref: 005C0E7D
      • __vbaStrCopy.MSVBVM60 ref: 005C0E8E
      • __vbaStrMove.MSVBVM60(?,?,?,?), ref: 005C0ECB
      • __vbaStrCmp.MSVBVM60(0041AB28,00000000), ref: 005C0ED7
      • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 005C0F0A
      • __vbaStrMove.MSVBVM60 ref: 005C0F32
      • __vbaStrCopy.MSVBVM60 ref: 005C0F43
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?), ref: 005C0F8F
      • __vbaStrCopy.MSVBVM60 ref: 005C1305
      • __vbaStrCopy.MSVBVM60 ref: 005C1316
      • __vbaStrCopy.MSVBVM60 ref: 005C0F54
        • Part of subcall function 0052FC40: __vbaChkstk.MSVBVM60(?,004153F6,?,004F31D0,?,?,?,?), ref: 0052FC5E
        • Part of subcall function 0052FC40: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 0052FC83
        • Part of subcall function 0052FC40: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0052FC9F
        • Part of subcall function 0052FC40: __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 0052FCB4
        • Part of subcall function 0052FC40: #520.MSVBVM60(?,00004008), ref: 0052FCDF
        • Part of subcall function 0052FC40: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0052FD04
        • Part of subcall function 0052FC40: __vbaFreeVar.MSVBVM60 ref: 0052FD14
        • Part of subcall function 0052FC40: __vbaStrCat.MSVBVM60(.lock), ref: 0052FD3B
        • Part of subcall function 0052FC40: __vbaStrMove.MSVBVM60 ref: 0052FD46
        • Part of subcall function 0052FC40: __vbaStrCmp.MSVBVM60(true,?), ref: 0052FD77
        • Part of subcall function 0052FC40: __vbaStrCmp.MSVBVM60(true,?), ref: 0052FDE3
        • Part of subcall function 0052FC40: __vbaSetSystemError.MSVBVM60(00000064), ref: 0052FDFB
        • Part of subcall function 0052FC40: #598.MSVBVM60 ref: 0052FE08
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?), ref: 005C1170
      • #518.MSVBVM60(?,00004008), ref: 005C11A1
      • __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 005C11E8
      • __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 005C11F6
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005C1213
      • __vbaStrMove.MSVBVM60 ref: 005C123F
      • __vbaStrCopy.MSVBVM60 ref: 005C1250
      • __vbaStrCopy.MSVBVM60 ref: 005C1261
      • __vbaStrCopy.MSVBVM60 ref: 005C0E9F
        • Part of subcall function 0052EC60: __vbaChkstk.MSVBVM60(?,004153F6), ref: 0052EC7E
        • Part of subcall function 0052EC60: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 0052ECA3
        • Part of subcall function 0052EC60: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0052ECBF
        • Part of subcall function 0052EC60: #619.MSVBVM60(?,00004008,00000001), ref: 0052ECEC
        • Part of subcall function 0052EC60: #608.MSVBVM60(?,00000022), ref: 0052ECF8
        • Part of subcall function 0052EC60: #617.MSVBVM60(?,00004008,00000001), ref: 0052ED21
        • Part of subcall function 0052EC60: #608.MSVBVM60(?,00000022), ref: 0052ED30
        • Part of subcall function 0052EC60: __vbaVarCmpEq.MSVBVM60(?,?,?), ref: 0052ED45
        • Part of subcall function 0052EC60: __vbaVarCmpEq.MSVBVM60(?,?,?,00000000), ref: 0052ED61
        • Part of subcall function 0052EC60: __vbaVarAnd.MSVBVM60(?,00000000), ref: 0052ED6F
        • Part of subcall function 0052EC60: __vbaBoolVarNull.MSVBVM60(00000000), ref: 0052ED76
        • Part of subcall function 0052EC60: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0052ED9B
        • Part of subcall function 0052EC60: __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 0052EDBE
      • #518.MSVBVM60(?,00004008), ref: 005C0FC0
      • __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 005C1007
      • __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 005C1015
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005C1032
      • __vbaStrMove.MSVBVM60 ref: 005C105E
      • __vbaStrCopy.MSVBVM60 ref: 005C106F
      • __vbaStrCopy.MSVBVM60 ref: 005C1080
      • __vbaStrMove.MSVBVM60(?,?,?,?), ref: 005C10AC
      • __vbaStrCmp.MSVBVM60(0041AB28,00000000), ref: 005C10B8
      • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 005C10EB
      • __vbaStrMove.MSVBVM60 ref: 005C1113
      • __vbaStrCopy.MSVBVM60 ref: 005C1124
      • __vbaStrCopy.MSVBVM60 ref: 005C1135
        • Part of subcall function 0053BA10: __vbaChkstk.MSVBVM60(?,004153F6), ref: 0053BA2E
        • Part of subcall function 0053BA10: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 0053BA53
        • Part of subcall function 0053BA10: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0053BA6F
        • Part of subcall function 0053BA10: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,004153F6), ref: 0053BA8E
        • Part of subcall function 0053BA10: __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 0053BAAE
        • Part of subcall function 0053BA10: #685.MSVBVM60(?,?,?,?,004153F6), ref: 0053BD2F
        • Part of subcall function 0053BA10: __vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,004153F6), ref: 0053BD3A
        • Part of subcall function 0053BA10: __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 0053BD5B
        • Part of subcall function 0053BA10: __vbaFreeStr.MSVBVM60(0053BDAB,?,?,?,?,004153F6), ref: 0053BDA4
      • __vbaStrMove.MSVBVM60(?,?,?,?), ref: 005C128D
      • __vbaStrCmp.MSVBVM60(0041AB28,00000000), ref: 005C1299
      • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 005C12CC
      • __vbaStrMove.MSVBVM60 ref: 005C12F4
        • Part of subcall function 0053BA10: __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 0053BAC8
        • Part of subcall function 0053BA10: __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 0053BADF
        • Part of subcall function 0053BA10: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,004153F6), ref: 0053BAF5
        • Part of subcall function 0053BA10: __vbaNew2.MSVBVM60(0041F624,?,?,?,?,?,004153F6), ref: 0053BB2B
        • Part of subcall function 0053BA10: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041F614,00000014), ref: 0053BB8B
        • Part of subcall function 0053BA10: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041F634,00000050), ref: 0053BBD3
        • Part of subcall function 0053BA10: __vbaStrMove.MSVBVM60 ref: 0053BC04
        • Part of subcall function 0053BA10: __vbaFreeObj.MSVBVM60 ref: 0053BC0D
        • Part of subcall function 0053BA10: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,004153F6), ref: 0053BC23
        • Part of subcall function 0053BA10: #619.MSVBVM60(?,00004008,00000001), ref: 0053BC4F
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?), ref: 005C1351
      • __vbaVarDup.MSVBVM60 ref: 005C1381
      • #520.MSVBVM60(?,?), ref: 005C1395
      • #518.MSVBVM60(?,?), ref: 005C13A9
      • #520.MSVBVM60(?,00004008), ref: 005C13D0
      • #518.MSVBVM60(?,?), ref: 005C13E4
      • #520.MSVBVM60(?,00004008), ref: 005C140B
      • __vbaVarCmpEq.MSVBVM60(?,?,?), ref: 005C143A
      • __vbaVarCmpNe.MSVBVM60(?,00008008,?,00000000), ref: 005C1456
      • __vbaVarAnd.MSVBVM60(?,00000000), ref: 005C1464
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 005C146B
      • __vbaFreeVarList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 005C14A4
      • #685.MSVBVM60 ref: 005C14C3
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C14D1
      • __vbaFreeObj.MSVBVM60 ref: 005C14F5
      • __vbaStrCopy.MSVBVM60 ref: 005C150D
      • __vbaStrCopy.MSVBVM60 ref: 005C151E
      • __vbaObjSet.MSVBVM60(?,00000000,AloahaCSP.Provider,00000000,?,?), ref: 005C1551
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005C1567
      • __vbaLateMemCallLd.MSVBVM60(?,?,info,00000000), ref: 005C159D
      • __vbaVarTstGt.MSVBVM60(?,00000000), ref: 005C15AE
      • __vbaFreeVar.MSVBVM60 ref: 005C15C1
      • #685.MSVBVM60 ref: 005C15DD
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C15EB
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 005C1636
      • __vbaFreeObj.MSVBVM60 ref: 005C1669
      • __vbaLateMemCallLd.MSVBVM60(?,?,Readers,00000000), ref: 005C1697
      • __vbaI4Var.MSVBVM60(00000000), ref: 005C16A1
      • __vbaFreeVar.MSVBVM60 ref: 005C16B0
      • #685.MSVBVM60 ref: 005C16CE
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C16DC
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 005C1727
      • __vbaFreeObj.MSVBVM60 ref: 005C175A
      • __vbaStrCopy.MSVBVM60 ref: 005C17CB
      • __vbaChkstk.MSVBVM60 ref: 005C17F0
      • __vbaLateMemCall.MSVBVM60(?,disconnect,00000000), ref: 005C1CA2
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005C1CB8
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 005C1CCE
      • #685.MSVBVM60(Aloahacertinstaller.exe,Aloahacertinstaller), ref: 005C1D05
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C1D13
      • __vbaFreeObj.MSVBVM60 ref: 005C1D37
      • __vbaStrCopy.MSVBVM60 ref: 005C1D4F
      • __vbaStrCopy.MSVBVM60 ref: 005C1D60
      • __vbaObjSet.MSVBVM60(?,00000000,AloahaCSP.Provider,00000000,?,?), ref: 005C1D93
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005C1DA9
      • __vbaLateMemCallLd.MSVBVM60(?,?,info,00000000), ref: 005C1DDF
      • __vbaVarTstGt.MSVBVM60(?,00000000), ref: 005C1DF0
      • __vbaFreeVar.MSVBVM60 ref: 005C1E03
      • #685.MSVBVM60 ref: 005C1E1F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C1E2D
      • #520.MSVBVM60(?,00004008), ref: 005C2742
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 005C276A
      • __vbaFreeVar.MSVBVM60 ref: 005C277D
      • __vbaStrCat.MSVBVM60(?,aloaha_), ref: 005C27A2
      • __vbaStrMove.MSVBVM60 ref: 005C27B6
      • #717.MSVBVM60(?,00004008,00000080,00000000), ref: 005C27EB
      • __vbaVar2Vec.MSVBVM60(?,?), ref: 005C27FF
      • __vbaAryMove.MSVBVM60(?,?), ref: 005C2810
      • __vbaFreeVar.MSVBVM60 ref: 005C281C
      • __vbaAryCopy.MSVBVM60(?,?), ref: 005C3584
      • #685.MSVBVM60 ref: 005C3591
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C359F
      • __vbaFreeObj.MSVBVM60 ref: 005C35C3
      • __vbaAryDestruct.MSVBVM60(00000000,?,005C3728), ref: 005C36A3
      • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 005C36B2
      • __vbaFreeObj.MSVBVM60 ref: 005C36BB
      • __vbaFreeStr.MSVBVM60 ref: 005C36C4
      • __vbaFreeStr.MSVBVM60 ref: 005C36CD
      • __vbaFreeStr.MSVBVM60 ref: 005C36D6
      • __vbaFreeStr.MSVBVM60 ref: 005C36DF
      • __vbaFreeStr.MSVBVM60 ref: 005C36E8
      • __vbaFreeObj.MSVBVM60 ref: 005C36F1
      • __vbaStrCopy.MSVBVM60 ref: 005C0B5F
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,004153F6), ref: 00521D3E
        • Part of subcall function 00521D20: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,?), ref: 00521D63
        • Part of subcall function 00521D20: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,?), ref: 00521D7F
        • Part of subcall function 00521D20: __vbaStrCmp.MSVBVM60(true,?,?,?,?,00000000,004153F6,?), ref: 00521D9E
        • Part of subcall function 00521D20: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DC4
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DDB
        • Part of subcall function 00521D20: __vbaVarDup.MSVBVM60 ref: 00521E12
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 00521E39
        • Part of subcall function 00521D20: #711.MSVBVM60(?,00000000), ref: 00521E47
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60 ref: 00521E52
        • Part of subcall function 00521D20: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 00521E90
        • Part of subcall function 00521D20: #520.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EA1
        • Part of subcall function 00521D20: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EAB
        • Part of subcall function 00521D20: #518.MSVBVM60(?,?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EBF
        • Part of subcall function 00521D20: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ECC
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ED7
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Copy$Move$List$#520$#518#685Chkstk$Error$Offset$CallCheckHresultLate$BoolNull$#608#619Destruct$#598#617#711#717AddrefIndexLoadLockNew2SystemUboundUnlockVar2
      • String ID: Aloaha Cryptographic Provider$AloahaCSP.Provider$Aloahacertinstaller$Aloahacertinstaller.exe$CardATR$DefaultCert$E$FindCertificate$FingerPrint_by_Reader$IgnoreReader$ReaderATR$ReaderName$Readers$T$\\.\$_$aks ifdh$aks vr$aloaha_$cardtype$disconnect$info$phUserKey: $rainbow tech
      • API String ID: 3977010008-1415616802
      • Opcode ID: 88d693ff78122630cd8b23080ef2d25ca22058e8010df0632843594a95830eee
      • Instruction ID: 26a298647f26dd2d2f20658dc29d31e8ed4d98a837fc6a03c3dc1f0f78fc13ae
      • Opcode Fuzzy Hash: 88d693ff78122630cd8b23080ef2d25ca22058e8010df0632843594a95830eee
      • Instruction Fuzzy Hash: 81830B75900218EFDB14DFA0DD88BDEBBB4BF48704F108199E60AA72A0DB745B89CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005D0610 Relevance: 692.3, APIs: 367, Strings: 27, Instructions: 2797COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 005D062E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 005D0673
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 005D0688
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,004153F6), ref: 00521D3E
        • Part of subcall function 00521D20: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,?), ref: 00521D63
        • Part of subcall function 00521D20: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,?), ref: 00521D7F
        • Part of subcall function 00521D20: __vbaStrCmp.MSVBVM60(true,?,?,?,?,00000000,004153F6,?), ref: 00521D9E
        • Part of subcall function 00521D20: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DC4
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DDB
        • Part of subcall function 00521D20: __vbaVarDup.MSVBVM60 ref: 00521E12
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 00521E39
        • Part of subcall function 00521D20: #711.MSVBVM60(?,00000000), ref: 00521E47
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60 ref: 00521E52
        • Part of subcall function 00521D20: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 00521E90
        • Part of subcall function 00521D20: #520.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EA1
        • Part of subcall function 00521D20: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EAB
        • Part of subcall function 00521D20: #518.MSVBVM60(?,?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EBF
        • Part of subcall function 00521D20: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ECC
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ED7
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,004153F6), ref: 005D069A
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 005D06AF
      • __vbaStrCmp.MSVBVM60(0041AA3C,00000000), ref: 005D06D4
      • __vbaOnError.MSVBVM60(000000FF,00000000), ref: 005D0705
      • __vbaStrCopy.MSVBVM60 ref: 005D071A
      • __vbaStrCopy.MSVBVM60 ref: 005D0728
      • __vbaObjSet.MSVBVM60(?,00000000,ebCrypt.eb_c_Certificate,00000000,?,?), ref: 005D0755
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005D0765
      • #685.MSVBVM60(?,?,004153F6), ref: 005D0775
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,004153F6), ref: 005D0780
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 005D07CB
      • __vbaFreeObj.MSVBVM60 ref: 005D07FB
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005D081D
      • __vbaStrMove.MSVBVM60 ref: 005D0834
      • __vbaChkstk.MSVBVM60 ref: 005D085D
      • __vbaStrMove.MSVBVM60 ref: 005D0884
      • __vbaStrCat.MSVBVM60(ebCrypt.dll,00000000), ref: 005D0890
      • __vbaStrMove.MSVBVM60 ref: 005D089B
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,00000000,00000000), ref: 005D08B5
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,004153F6), ref: 005D08CF
      • __vbaChkstk.MSVBVM60 ref: 005D08F8
      • __vbaStrMove.MSVBVM60 ref: 005D091F
      • __vbaStrCat.MSVBVM60(vbCrypt.dll,00000000), ref: 005D092B
      • __vbaStrMove.MSVBVM60 ref: 005D0936
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,00000000,00000000), ref: 005D0950
      • #685.MSVBVM60 ref: 005D0960
      • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 005D096B
      • __vbaFreeObj.MSVBVM60 ref: 005D098C
      • __vbaStrCopy.MSVBVM60 ref: 005D09A1
      • __vbaStrCopy.MSVBVM60 ref: 005D09AF
      • __vbaObjSet.MSVBVM60(?,00000000,ebCrypt.eb_c_Certificate,00000000,?,?), ref: 005D09DC
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005D09EC
      • #685.MSVBVM60 ref: 005D09FC
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005D0A07
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 005D0A52
      • __vbaFreeObj.MSVBVM60 ref: 005D0A82
      • #685.MSVBVM60 ref: 005D0A9E
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005D0AA9
      • __vbaFreeObj.MSVBVM60 ref: 005D0ACA
      • __vbaChkstk.MSVBVM60 ref: 005D0AF9
      • __vbaChkstk.MSVBVM60 ref: 005D0B1C
      • __vbaLateMemCallLd.MSVBVM60(?,?,ImportFromPKCS12File,00000002), ref: 005D0B4F
      • __vbaObjVar.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004153F6), ref: 005D0B59
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005D0B64
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004153F6), ref: 005D0B6D
      • #685.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004153F6), ref: 005D0B7A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005D0B85
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 005D0BD0
      • __vbaFreeObj.MSVBVM60 ref: 005D0C00
      • __vbaStrCopy.MSVBVM60 ref: 005D0C24
        • Part of subcall function 00521D20: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EE7
        • Part of subcall function 00521D20: __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00521F12
        • Part of subcall function 00521D20: __vbaNew2.MSVBVM60(0041F624,?), ref: 00521F42
        • Part of subcall function 00521D20: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041F614,00000014), ref: 00521FB8
        • Part of subcall function 00521D20: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041F634,00000058), ref: 00522015
        • Part of subcall function 00521D20: __vbaVarDup.MSVBVM60 ref: 0052205E
        • Part of subcall function 00521D20: #711.MSVBVM60(?,?,?,000000FF,00000000), ref: 00522077
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60 ref: 00522082
      • __vbaFreeStr.MSVBVM60(?), ref: 005D0C36
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005D0CA1
      • #685.MSVBVM60 ref: 005D0CAE
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005D0CB9
      • __vbaFreeObj.MSVBVM60 ref: 005D0CDA
      • __vbaChkstk.MSVBVM60 ref: 005D0D09
      • __vbaChkstk.MSVBVM60 ref: 005D0D2C
      • __vbaLateMemCallLd.MSVBVM60(?,?,ImportFromPKCS12File,00000002), ref: 005D0D5F
      • __vbaObjVar.MSVBVM60(00000000), ref: 005D0D69
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005D0D74
      • __vbaFreeVar.MSVBVM60 ref: 005D0D7D
      • __vbaStrCopy.MSVBVM60 ref: 005D0D92
      • #685.MSVBVM60 ref: 005D0D9F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005D0DAA
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 005D0DF5
      • __vbaFreeObj.MSVBVM60 ref: 005D0E25
      • #685.MSVBVM60 ref: 005D0EA7
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005D0EB2
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 005D0EFD
      • __vbaFreeObj.MSVBVM60 ref: 005D0F2D
      • #685.MSVBVM60 ref: 005D0F49
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005D0F54
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 005D0F9F
      • __vbaFreeObj.MSVBVM60 ref: 005D0FDE
      • __vbaStrCopy.MSVBVM60 ref: 005D0FFE
      • __vbaFreeStr.MSVBVM60(?), ref: 005D1010
      • __vbaLateMemCallLd.MSVBVM60(?,?,keytype,00000000), ref: 005D103B
      • __vbaVarTstEq.MSVBVM60(?,00000000), ref: 005D1049
      • __vbaFreeVar.MSVBVM60 ref: 005D1059
      • __vbaLateMemCallLd.MSVBVM60(?,?,keytype,00000000), ref: 005D1092
      • __vbaVarTstEq.MSVBVM60(00000000,00000000), ref: 005D10A0
      • __vbaFreeVar.MSVBVM60 ref: 005D10B0
      • __vbaStrCopy.MSVBVM60 ref: 005D10D4
      • __vbaStrCmp.MSVBVM60(true,?), ref: 005D10ED
      • __vbaChkstk.MSVBVM60 ref: 005D113D
      • __vbaChkstk.MSVBVM60 ref: 005D1160
      • __vbaChkstk.MSVBVM60 ref: 005D118F
      • __vbaLateMemCallLd.MSVBVM60(?,?,ExportPrivateKey,00000003), ref: 005D11C8
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 005D11D2
      • __vbaStrMove.MSVBVM60 ref: 005D11DD
      • __vbaFreeVar.MSVBVM60 ref: 005D11E6
      • __vbaChkstk.MSVBVM60 ref: 005D1233
      • __vbaChkstk.MSVBVM60 ref: 005D1256
      • __vbaChkstk.MSVBVM60 ref: 005D1285
      • __vbaLateMemCallLd.MSVBVM60(?,?,ExportPrivateKey,00000003), ref: 005D12BE
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 005D12C8
      • __vbaStrMove.MSVBVM60 ref: 005D12D3
      • __vbaFreeVar.MSVBVM60 ref: 005D12DC
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 005D12F2
      • __vbaStrCopy.MSVBVM60 ref: 005D1309
      • __vbaStrCopy.MSVBVM60 ref: 005D1320
      • __vbaStrCopy.MSVBVM60 ref: 005D1335
      • __vbaFreeStr.MSVBVM60(?), ref: 005D1347
      • __vbaStrCopy.MSVBVM60 ref: 005D135E
      • __vbaFreeStr.MSVBVM60(?), ref: 005D1370
      • __vbaStrCopy.MSVBVM60 ref: 005D1387
      • __vbaFreeStr.MSVBVM60(?), ref: 005D1399
      • __vbaStrCat.MSVBVM60( does not exist!,?,00000000), ref: 005D1405
      • __vbaStrMove.MSVBVM60(?,00000000), ref: 005D1410
      • __vbaFreeStr.MSVBVM60(?,?,00000000), ref: 005D1422
      • __vbaStrCopy.MSVBVM60 ref: 005D1439
      • __vbaFreeStr.MSVBVM60(?), ref: 005D144B
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005D145E
      • __vbaObjSetAddref.MSVBVM60(00000000,00000000), ref: 005D1471
      • __vbaStrCopy.MSVBVM60 ref: 005D1486
      • __vbaFreeStr.MSVBVM60(?), ref: 005D1498
      • #685.MSVBVM60 ref: 005D14A5
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005D14B0
      • __vbaFreeObj.MSVBVM60 ref: 005D14D1
      • __vbaFreeStr.MSVBVM60(005D1541), ref: 005D1528
      • __vbaFreeObj.MSVBVM60 ref: 005D1531
      • __vbaFreeObj.MSVBVM60 ref: 005D153A
        • Part of subcall function 005036F0: __vbaChkstk.MSVBVM60(00000000,004153F6,?,004FEC87,?,00000000,?,?,00000004,00000080,00000000), ref: 0050370E
        • Part of subcall function 005036F0: __vbaOnError.MSVBVM60(000000FF,6D1E1654,00000000,6D29595C,00000000,004153F6), ref: 0050373E
        • Part of subcall function 005036F0: #518.MSVBVM60(?,00004008), ref: 00503760
        • Part of subcall function 005036F0: #617.MSVBVM60(?,?,00000004), ref: 00503770
        • Part of subcall function 005036F0: __vbaInStr.MSVBVM60(00000000,://,00000000,00000001), ref: 00503796
        • Part of subcall function 005036F0: __vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 005037C5
        • Part of subcall function 005036F0: __vbaVarAnd.MSVBVM60(?,0000000B,00000000), ref: 005037D7
        • Part of subcall function 005036F0: __vbaBoolVarNull.MSVBVM60(00000000), ref: 005037DE
        • Part of subcall function 005036F0: __vbaFreeVarList.MSVBVM60(00000003,?,?,0000000B), ref: 005037FC
        • Part of subcall function 005036F0: #685.MSVBVM60(?), ref: 0050383A
        • Part of subcall function 005036F0: __vbaObjSet.MSVBVM60(?,00000000), ref: 00503845
        • Part of subcall function 005036F0: __vbaFreeObj.MSVBVM60 ref: 00503866
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Copy$Chkstk$Move$#685$CheckHresult$List$AddrefCallLate$Error$#518#711$#520#617BoolIndexLoadLockNew2NullOffsetUnlock
      • String ID: does not exist!$CAPICOM.Utilities$CAPICOM.certificate$Could not import from PKCS12File$EncodedKey$Entering get private key$ExportPrivateKey$Finally loaded PKCS12$Import$ImportFromPKCS12File$Key is not RSA Key$Keytype wrong$Leaving get private key$Load$PFX Path empty$Private key is empty :-($Problem with import from PKCS12 - going to retry$Problems loading Object to export PK$c$capicom.dll$ebCrypt.dll$ebCrypt.eb_c_Certificate$keytype$publickey$serialnumber$true$vbCrypt.dll
      • API String ID: 3495471947-2099420826
      • Opcode ID: 572067f30485a9710e163a81769b1ed707a60be06480dcc6b9ef4731b38e4a65
      • Instruction ID: 36e34557f73cd3b45dae0c49c496492a8e8ccbb1e97cb3e55e3645d73f7c1970
      • Opcode Fuzzy Hash: 572067f30485a9710e163a81769b1ed707a60be06480dcc6b9ef4731b38e4a65
      • Instruction Fuzzy Hash: 81531874900218DFDB14DFA4DD88BDEBBB5FF48304F1081AAE50AA72A1DB749A85CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005C58C0 Relevance: 494.6, APIs: 279, Strings: 2, Instructions: 2882COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6,?,?,?,005C0C85,?,?), ref: 005C58DE
      • __vbaOnError.MSVBVM60(000000FF,00000000,00000001,6D1CD8CD,?,004153F6), ref: 005C590E
      • #520.MSVBVM60(?,00004008), ref: 005C5930
      • __vbaStrVarMove.MSVBVM60(?), ref: 005C593A
      • __vbaStrMove.MSVBVM60 ref: 005C5945
      • __vbaFreeVar.MSVBVM60 ref: 005C594E
      • __vbaStrCmp.MSVBVM60(0041AA3C), ref: 005C5966
      • __vbaAryRecMove.MSVBVM60(0043C030,?,?), ref: 005C5996
      • #685.MSVBVM60 ref: 005C59A3
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C59AE
      • __vbaFreeObj.MSVBVM60 ref: 005C59CF
      • __vbaGenerateBoundsError.MSVBVM60 ref: 005C5A13
      • __vbaGenerateBoundsError.MSVBVM60 ref: 005C5A30
      • __vbaUbound.MSVBVM60(00000001,00000000), ref: 005C5A42
      • __vbaStrCmp.MSVBVM60(0041AA3C,00000000), ref: 005C5A65
      • #685.MSVBVM60 ref: 005C5A81
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C5A8C
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 005C5AD7
      • __vbaFreeObj.MSVBVM60 ref: 005C5B07
      • __vbaGenerateBoundsError.MSVBVM60 ref: 005C5B56
      • __vbaGenerateBoundsError.MSVBVM60 ref: 005C5B73
      • __vbaStrCopy.MSVBVM60 ref: 005C5B91
      • #520.MSVBVM60(?,00004008), ref: 005C5BB3
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 005C5BD8
      • __vbaFreeVar.MSVBVM60 ref: 005C5BE8
      • #685.MSVBVM60 ref: 005C5C12
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C5C1D
      • __vbaFreeObj.MSVBVM60 ref: 005C5C3E
      • __vbaGenerateBoundsError.MSVBVM60 ref: 005C5C82
      • __vbaGenerateBoundsError.MSVBVM60 ref: 005C5C9F
      • __vbaStrCmp.MSVBVM60(0041AA3C,00000000), ref: 005C5CC0
      • #685.MSVBVM60 ref: 005C5CD5
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C5CE0
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 005C5D2B
      • __vbaFreeObj.MSVBVM60 ref: 005C5D5B
      • __vbaUbound.MSVBVM60(00000001,00000000), ref: 005C5D7D
      • __vbaLbound.MSVBVM60(00000001,00000000), ref: 005C5D99
      • #685.MSVBVM60 ref: 005C5E4C
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C5E57
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 005C5EA2
      • __vbaFreeObj.MSVBVM60 ref: 005C5ED2
      • #685.MSVBVM60 ref: 005C7CBF
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C7CCA
      • __vbaFreeObj.MSVBVM60 ref: 005C7CEB
      • #520.MSVBVM60(?,00004008), ref: 005C7D0D
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 005C7D32
      • __vbaFreeVar.MSVBVM60 ref: 005C7D42
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,00000000), ref: 005C7D79
      • __vbaAryRecMove.MSVBVM60(0043C030,?,?,?,00000000), ref: 005C7DA9
      • #685.MSVBVM60(?,00000000), ref: 005C7DB6
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000), ref: 005C7DC1
      • __vbaFreeObj.MSVBVM60(?,00000000), ref: 005C7DE2
      • __vbaStrCmp.MSVBVM60(0041AA3C,00000000,?,00000000), ref: 005C7E64
        • Part of subcall function 005BB4A0: __vbaChkstk.MSVBVM60(00000000,004153F6,005AE311,?,00000001,?,00000000,004153F6), ref: 005BB4BE
        • Part of subcall function 005BB4A0: __vbaAptOffset.MSVBVM60(00419C98,?,00000001,?,00000000,004153F6,005AE311), ref: 005BB4E3
        • Part of subcall function 005BB4A0: __vbaAryConstruct2.MSVBVM60(?,00448480,00000011,?,00000001,?,00000000,004153F6,005AE311), ref: 005BB504
        • Part of subcall function 005BB4A0: __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,004153F6,005AE311), ref: 005BB513
        • Part of subcall function 005BB4A0: __vbaAryMove.MSVBVM60(?,?,00000001), ref: 005BB582
        • Part of subcall function 005BB4A0: __vbaStrCopy.MSVBVM60 ref: 005BB5AE
        • Part of subcall function 005BB4A0: __vbaFreeStr.MSVBVM60(?), ref: 005BB5C0
        • Part of subcall function 005BB4A0: __vbaI4Str.MSVBVM60(0041AA3C), ref: 005BB5D2
        • Part of subcall function 005BB4A0: __vbaAryMove.MSVBVM60(?,?,00000001), ref: 005BB60B
        • Part of subcall function 005BB4A0: #685.MSVBVM60 ref: 005BB62E
        • Part of subcall function 005BB4A0: __vbaObjSet.MSVBVM60(?,00000000), ref: 005BB639
        • Part of subcall function 005BB4A0: __vbaFreeObj.MSVBVM60 ref: 005BB65A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685Error$BoundsGenerateMove$#520CheckHresult$ChkstkCopyUbound$Construct2LboundOffset
      • String ID: Kerberos$h
      • API String ID: 2846854144-1025543997
      • Opcode ID: 44a3cb2f9bc42fda007798352172202ac188f553e8d66494634e1066b17503d5
      • Instruction ID: a3022f6aaae3942acff002b1e8641477c19ec814eacdcb2d7858f79a031875e1
      • Opcode Fuzzy Hash: 44a3cb2f9bc42fda007798352172202ac188f553e8d66494634e1066b17503d5
      • Instruction Fuzzy Hash: FA63C774901228DFDB28DFA4D988FADBBB1FF48304F108599E50AAB251DB709E85CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0058EDC0 Relevance: 314.4, APIs: 177, Strings: 2, Instructions: 1153COMMON
      Download Yara Rule
      APIs
      Strings
      • Data corrupted, xrefs: 0058F392
      • Data string is corrupted. Cannot be Decrypted., xrefs: 0058F3AD
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Free$#525Error$BoundsGenerate$BstrCopyUbound$#523#537#606OverflowStmt
      • String ID: Data corrupted$Data string is corrupted. Cannot be Decrypted.
      • API String ID: 6703403-1644968294
      • Opcode ID: b8eab4a812c7be539caff50227bb87c7ee595e21cc0f0d03f8faf7c3b2828280
      • Instruction ID: 47ef1ab1a8008b8d8d99c873d4a8c62c842a8b3db317edff2be659c1089ec20c
      • Opcode Fuzzy Hash: b8eab4a812c7be539caff50227bb87c7ee595e21cc0f0d03f8faf7c3b2828280
      • Instruction Fuzzy Hash: 83A20775D00219AFDB04DFA4DD899EEBBB9FF88304F10812AE906B7264DB706946CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00407491 Relevance: 3.8, Strings: 2, Instructions: 1299COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID: "S$ZS
      • API String ID: 0-703164569
      • Opcode ID: 42546dbbdb8a78b6ae550dcb0ec2734c255064cbab0db9841a728d1e15e82d28
      • Instruction ID: d41f04379e1ba13d3460f0979c504116ea68c9c7ce2842a9e4457038da4ecefe
      • Opcode Fuzzy Hash: 42546dbbdb8a78b6ae550dcb0ec2734c255064cbab0db9841a728d1e15e82d28
      • Instruction Fuzzy Hash: 65A2DC9048E7C12FD7138B206CE9892BF6CE94322471D85CFECC05A497D64EA95EE772
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00507880 Relevance: 268.2, APIs: 108, Strings: 45, Instructions: 449COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0050789E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 005078CE
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 005078E3
      • __vbaStrCat.MSVBVM60(MIIINAYJKwYBBAGCN1gDoIIIJTCCCCEGCisGAQQBgjdYAwGggggRMIIIDQIDAgAB,?,?,?,?,?,004153F6), ref: 005078F9
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507904
      • __vbaStrCat.MSVBVM60(AgJoAQICAIAEAAQQbiCke/50Fnbqmi1ZiSsUVwSCB+jAtpYJWC9fDD/Y+lThSQ0S,?,?,?,?,?,004153F6), ref: 0050791A
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507925
      • __vbaStrCat.MSVBVM60(79wkP3oMNW47sucCpdlZ4gGbPCQ8d5737IN0Gxwx176wUSKq/CzA4ZhAWplnX9ME,?,?,?,?,?,004153F6), ref: 0050793B
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507946
      • __vbaStrCat.MSVBVM60(XCZasSG+xQxnZ7GYotBO/7rPjDZKJo/LmhyuE4N7Qs2+i5YIRAgvdtm2nxLWyRpE,?,?,?,?,?,004153F6), ref: 0050795C
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507967
      • __vbaStrCat.MSVBVM60(fEdondnJEkhLHgN0XRhdz0m9pAyELDJUK2qE2CD4IVFOUKjmJZHQ1Pwui/S0Z3fF,?,?,?,?,?,004153F6), ref: 0050797D
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507988
      • __vbaStrCat.MSVBVM60(/66bXOlakIsehXS0H4EgUfd2cVqmbU8ZJ8ZJfwLBRKrYlUINOgimmwm4RTsfLBcr,?,?,?,?,?,004153F6), ref: 0050799E
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 005079A9
      • __vbaStrCat.MSVBVM60(rahIO498Qmp6YunpBhq5IqxXdVrhmjqOhTakNV4H1HrlgfcEe33rxeXzterW3+yu,?,?,?,?,?,004153F6), ref: 005079BF
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 005079CA
      • __vbaStrCat.MSVBVM60(NrKfP5oHMFqL5A2t5oeEZYSyuWLMiUafW5AooSa+pH8IGdRLP4bgCtsbL51m51Eb,?,?,?,?,?,004153F6), ref: 005079E0
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 005079EB
      • __vbaStrCat.MSVBVM60(/+CvDilGGGnz5Kp4aV5bklJfNA0HWA7avFmf/o3BBjQZ9RxHAT89qDsscK0q3eAS,?,?,?,?,?,004153F6), ref: 00507A01
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507A0C
      • __vbaStrCat.MSVBVM60(+BoV/IxFZKtuFK5r3HpPf4TBMKj9jrN2UZhzJPB6mAEZgsp3NX5tqWuMM3VP9bVm,?,?,?,?,?,004153F6), ref: 00507A22
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507A2D
      • __vbaStrCat.MSVBVM60(ogeofIK4WR+HWq/3/znyQaEsIfFd1Mg9RNgcegXJ1KEUUofbFAu6txYWE/phor0/,?,?,?,?,?,004153F6), ref: 00507A43
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507A4E
      • __vbaStrCat.MSVBVM60(MvNy2XHn2nduSaV6cuu2e7hrq4i5AralYzK18xRImyGswx2OLrMYF2jltvcJ9LUI,?,?,?,?,?,004153F6), ref: 00507A64
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507A6F
      • __vbaStrCat.MSVBVM60(/QBJrq0eQbEV1HjWkh/v7BQ2ykaekUjpB2GKpCy45NQ3aRgy47KHD33ZartUsUZV,?,?,?,?,?,004153F6), ref: 00507A85
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507A90
      • __vbaStrCat.MSVBVM60(Y7Dr0Wm4yfs3SDLB9ciHDkkmIhNxMrNQ2PWGKBoSPSzdYiPQN9EA+ODAo9RYFLrj,?,?,?,?,?,004153F6), ref: 00507AA6
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507AB1
      • __vbaStrCat.MSVBVM60(1IbTqNuCEgUGY1w4180ELsYF1ZmbFh136XJvmlETa1qqy1Wupr+bIbt6lD21Dt33,?,?,?,?,?,004153F6), ref: 00507AC7
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507AD2
      • __vbaStrCat.MSVBVM60(Uk0kWWxCHw8lrqYhNy4nQpGHevLEdcMWempUZlY3fjt5iduzo/h0dU5behCl3jER,?,?,?,?,?,004153F6), ref: 00507AE8
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507AF3
      • __vbaStrCat.MSVBVM60(q3mz8HC7a3tICl5aj+NZ+FRnNeOWY9U8hEOOpqA60LRJ2+PFGygwlYX0A09FskCp,?,?,?,?,?,004153F6), ref: 00507B09
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507B14
      • __vbaStrCat.MSVBVM60(e3TFtYWtdJeu8LGOipfgLv3y3nkKu28w0Gsvvp2hYN0SToePKmdE3Kl20UqeHyiJ,?,?,?,?,?,004153F6), ref: 00507B2A
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507B35
      • __vbaStrCat.MSVBVM60(kKt8tox3iLM01iltkeQqVG/CmMgYzp4CY9gp8eDQ3z4Jr2DGrzNlIflJZh3xMEkE,?,?,?,?,?,004153F6), ref: 00507B4B
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507B56
      • __vbaStrCat.MSVBVM60(wzSY1t8nsLIBP9iHtFWWizGZlEaYNCHR2aWLcqztmMjnDgLBiNx+x1GWzV9MD/wI,?,?,?,?,?,004153F6), ref: 00507B6C
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507B77
      • __vbaStrCat.MSVBVM60(TEHVbNT+XuSAksRTpBcPFkSJflEgJ9MD024aKu9Qj+cyMrfao13h+k87Ak5xwrnG,?,?,?,?,?,004153F6), ref: 00507B8D
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507B98
      • __vbaStrCat.MSVBVM60(jeywotsRDgSRZQvYP8qPEfpnLMVEjIJWICWYAu+zFRpYk5jGnGXY6P3fwlj5kY1H,?,?,?,?,?,004153F6), ref: 00507BAE
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507BB9
      • __vbaStrCat.MSVBVM60(864MI9BQgUn88bT7vv0k+tQ1ZxaJ5uz3LH9Of1O55FMfOAjiV9cLFDzx4cgE7rqH,?,?,?,?,?,004153F6), ref: 00507BCF
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507BDA
      • __vbaStrCat.MSVBVM60(79R3tOB5hYfEqfYAsSSudeX9fYezXFH6SRUbYxGkyX3jKU0Jk4R70H9+HAGcVP2a,?,?,?,?,?,004153F6), ref: 00507BF0
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507BFB
      • __vbaStrCat.MSVBVM60(MuovB+gH5CR0Z2xO+DB0md7a/GbsGemKBzVmJCvP4uGiJ7K7lcfHGY/0A8TCEhiA,?,?,?,?,?,004153F6), ref: 00507C11
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507C1C
      • __vbaStrCat.MSVBVM60(w361RDERc57cljarx9VeaZ5W4EB0LW18viXVaWkig1bx1Si3iHa4XXYFPgycNF+0,?,?,?,?,?,004153F6), ref: 00507C32
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507C3D
      • __vbaStrCat.MSVBVM60(2fjibSs6LIPLRxniXJmGTcQDBJOiN2wl/ymCtn3AvliU0ObuOhF6hGP0/G2uLzb1,?,?,?,?,?,004153F6), ref: 00507C53
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507C5E
      • __vbaStrCat.MSVBVM60(7hNqH70Qdac+Nko2uRZrNtSquZGoX/ofggW9uKbGus+TGyV/HH62UJkDhf0uhegm,?,?,?,?,?,004153F6), ref: 00507C74
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507C7F
      • __vbaStrCat.MSVBVM60(4oGOkoi1gybLdX3pHQxpRFYPIInnBW7KTyIJ9kMzEwRh74ePNA5hwNTMgxTwiaLD,?,?,?,?,?,004153F6), ref: 00507C95
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507CA0
      • __vbaStrCat.MSVBVM60(WjzBLNYs38Uc4h769UwPIez432UWfDBnDAO0ssyCx1tEZM823tHHXPpDTChjQ4Ij,?,?,?,?,?,004153F6), ref: 00507CB6
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507CC1
      • __vbaStrCat.MSVBVM60(CPUnJNux4gFPdqpCqhS9qrr38kZx+Xj+GUoPh+C/e4Y73hPHVpWjhRteX0ttIlAh,?,?,?,?,?,004153F6), ref: 00507CD7
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507CE2
      • __vbaStrCat.MSVBVM60(pA9PiWERE7q9BXbaphl91FU7XDQspIlzsluJsH8kMByQY8skIntNlS1833/4L0Hk,?,?,?,?,?,004153F6), ref: 00507CF8
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507D03
      • __vbaStrCat.MSVBVM60(BwDVAK1Q/3gZN+LmAlN4JNw7L1zpEAP1688JXPIruR9g/JXUzEtquuBpL5gyINs1,?,?,?,?,?,004153F6), ref: 00507D19
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507D24
      • __vbaStrCat.MSVBVM60(vixsmmVRMnSCeBY+iwu7sV3eJGY05KxC5nG6mo4IpSloskAERBDozR0EBztCpqzE,?,?,?,?,?,004153F6), ref: 00507D3A
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507D45
      • __vbaStrCat.MSVBVM60(D9wEsodNa0vLtAVl1zpr4j+7azoV+zexC6fZghJ61FD68IQb8mQRsrhXE1NunRxX,?,?,?,?,?,004153F6), ref: 00507D5B
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507D66
      • __vbaStrCat.MSVBVM60(+pxCMv+/Mm/XDL+wQHe4o+it20WgQqgxwoftogzOVA2+H3s7vRiu+agXZCKSRXyr,?,?,?,?,?,004153F6), ref: 00507D7C
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507D87
      • __vbaStrCat.MSVBVM60(36lkZjAVCd5vAPnBbgAARGPzvMTBQJJnLLpMDh3dvSzZzhhwuhAJoQ9hcINx2H8Z,?,?,?,?,?,004153F6), ref: 00507D9D
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507DA8
      • __vbaStrCat.MSVBVM60(EN3YNVz6oggMjHKV6RQ1o0Qxnju8rYiC6dy9tnQHawT4UClkpYf/l2hqK+/nIQzp,?,?,?,?,?,004153F6), ref: 00507DBE
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507DC9
      • __vbaStrCat.MSVBVM60(nO0EfxJNYzWa94+v3AuuL6nAyUXvVbdemN0kkDbkzs9XtA9vILWFcWKUG5845nGo,?,?,?,?,?,004153F6), ref: 00507DDF
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507DEA
      • __vbaStrCat.MSVBVM60(d9QhutelZhsRvwvSHWuTuuKcFK+ZAsxVuAqIzOFrpHMZyk331Uv6QwU/U3CPcwHv,?,?,?,?,?,004153F6), ref: 00507E00
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507E0B
      • __vbaStrCat.MSVBVM60(E1RQkxRD6fAuUe4c5J7AvnfQ6x0tNueZ3J2i5bDy2DOGlUUvQ5q+v86ATf4CDton,?,?,?,?,?,004153F6), ref: 00507E21
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507E2C
      • __vbaStrCat.MSVBVM60(j1XnDc9643MyvE+lTFsRn6Qs9VVyoaq2StmNmiuzOGEaz+WNILuxhqG+lnKcfi0y,?,?,?,?,?,004153F6), ref: 00507E42
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507E4D
      • __vbaStrCat.MSVBVM60(/My5QVTCBXvNoWSDb/XwPyoWMwrnR431sgfEWseH39NCRiNBn1tLOw5+myZp4TaO,?,?,?,?,?,004153F6), ref: 00507E63
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507E6E
      • __vbaStrCat.MSVBVM60(X9wtJb4rHjxK0k3eoRSNaqQj9X98ys3e0DzV/qlizcdB2SVO4bhgMg==,?,?,?,?,?,004153F6), ref: 00507E84
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507E8F
      • #608.MSVBVM60(?,0000000A,?,?,?,?,004153F6), ref: 00507EA2
      • __vbaStrVarVal.MSVBVM60(?,?,0041AA3C,00000001,000000FF,00000000,?,?,?,?,004153F6), ref: 00507EBB
      • #712.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 00507EC6
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507ED1
      • __vbaFreeStr.MSVBVM60(?,?,?,?,004153F6), ref: 00507EDA
      • __vbaFreeVar.MSVBVM60(?,?,?,?,004153F6), ref: 00507EE3
      • #608.MSVBVM60(?,0000000D,?,?,?,?,004153F6), ref: 00507EF6
      • __vbaStrVarVal.MSVBVM60(?,?,0041AA3C,00000001,000000FF,00000000,?,?,?,?,004153F6), ref: 00507F0F
      • #712.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 00507F1A
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00507F25
      • __vbaFreeStr.MSVBVM60(?,?,?,?,004153F6), ref: 00507F2E
      • __vbaFreeVar.MSVBVM60(?,?,?,?,004153F6), ref: 00507F37
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 00507F4C
      • #685.MSVBVM60(?,?,?,?,004153F6), ref: 00507F59
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,004153F6), ref: 00507F64
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 00507F7C
      • __vbaFreeStr.MSVBVM60(00507FC2,?,?,?,?,004153F6), ref: 00507FBB
      Strings
      • D9wEsodNa0vLtAVl1zpr4j+7azoV+zexC6fZghJ61FD68IQb8mQRsrhXE1NunRxX, xrefs: 00507D56
      • 1IbTqNuCEgUGY1w4180ELsYF1ZmbFh136XJvmlETa1qqy1Wupr+bIbt6lD21Dt33, xrefs: 00507AC2
      • fEdondnJEkhLHgN0XRhdz0m9pAyELDJUK2qE2CD4IVFOUKjmJZHQ1Pwui/S0Z3fF, xrefs: 00507978
      • w361RDERc57cljarx9VeaZ5W4EB0LW18viXVaWkig1bx1Si3iHa4XXYFPgycNF+0, xrefs: 00507C2D
      • /QBJrq0eQbEV1HjWkh/v7BQ2ykaekUjpB2GKpCy45NQ3aRgy47KHD33ZartUsUZV, xrefs: 00507A80
      • nO0EfxJNYzWa94+v3AuuL6nAyUXvVbdemN0kkDbkzs9XtA9vILWFcWKUG5845nGo, xrefs: 00507DDA
      • ogeofIK4WR+HWq/3/znyQaEsIfFd1Mg9RNgcegXJ1KEUUofbFAu6txYWE/phor0/, xrefs: 00507A3E
      • q3mz8HC7a3tICl5aj+NZ+FRnNeOWY9U8hEOOpqA60LRJ2+PFGygwlYX0A09FskCp, xrefs: 00507B04
      • /My5QVTCBXvNoWSDb/XwPyoWMwrnR431sgfEWseH39NCRiNBn1tLOw5+myZp4TaO, xrefs: 00507E5E
      • NrKfP5oHMFqL5A2t5oeEZYSyuWLMiUafW5AooSa+pH8IGdRLP4bgCtsbL51m51Eb, xrefs: 005079DB
      • +BoV/IxFZKtuFK5r3HpPf4TBMKj9jrN2UZhzJPB6mAEZgsp3NX5tqWuMM3VP9bVm, xrefs: 00507A1D
      • j1XnDc9643MyvE+lTFsRn6Qs9VVyoaq2StmNmiuzOGEaz+WNILuxhqG+lnKcfi0y, xrefs: 00507E3D
      • X9wtJb4rHjxK0k3eoRSNaqQj9X98ys3e0DzV/qlizcdB2SVO4bhgMg==, xrefs: 00507E7F
      • 864MI9BQgUn88bT7vv0k+tQ1ZxaJ5uz3LH9Of1O55FMfOAjiV9cLFDzx4cgE7rqH, xrefs: 00507BCA
      • d9QhutelZhsRvwvSHWuTuuKcFK+ZAsxVuAqIzOFrpHMZyk331Uv6QwU/U3CPcwHv, xrefs: 00507DFB
      • Y7Dr0Wm4yfs3SDLB9ciHDkkmIhNxMrNQ2PWGKBoSPSzdYiPQN9EA+ODAo9RYFLrj, xrefs: 00507AA1
      • wzSY1t8nsLIBP9iHtFWWizGZlEaYNCHR2aWLcqztmMjnDgLBiNx+x1GWzV9MD/wI, xrefs: 00507B67
      • 2fjibSs6LIPLRxniXJmGTcQDBJOiN2wl/ymCtn3AvliU0ObuOhF6hGP0/G2uLzb1, xrefs: 00507C4E
      • 79wkP3oMNW47sucCpdlZ4gGbPCQ8d5737IN0Gxwx176wUSKq/CzA4ZhAWplnX9ME, xrefs: 00507936
      • Uk0kWWxCHw8lrqYhNy4nQpGHevLEdcMWempUZlY3fjt5iduzo/h0dU5behCl3jER, xrefs: 00507AE3
      • /+CvDilGGGnz5Kp4aV5bklJfNA0HWA7avFmf/o3BBjQZ9RxHAT89qDsscK0q3eAS, xrefs: 005079FC
      • BwDVAK1Q/3gZN+LmAlN4JNw7L1zpEAP1688JXPIruR9g/JXUzEtquuBpL5gyINs1, xrefs: 00507D14
      • pA9PiWERE7q9BXbaphl91FU7XDQspIlzsluJsH8kMByQY8skIntNlS1833/4L0Hk, xrefs: 00507CF3
      • MuovB+gH5CR0Z2xO+DB0md7a/GbsGemKBzVmJCvP4uGiJ7K7lcfHGY/0A8TCEhiA, xrefs: 00507C0C
      • 79R3tOB5hYfEqfYAsSSudeX9fYezXFH6SRUbYxGkyX3jKU0Jk4R70H9+HAGcVP2a, xrefs: 00507BEB
      • e3TFtYWtdJeu8LGOipfgLv3y3nkKu28w0Gsvvp2hYN0SToePKmdE3Kl20UqeHyiJ, xrefs: 00507B25
      • AgJoAQICAIAEAAQQbiCke/50Fnbqmi1ZiSsUVwSCB+jAtpYJWC9fDD/Y+lThSQ0S, xrefs: 00507915
      • +pxCMv+/Mm/XDL+wQHe4o+it20WgQqgxwoftogzOVA2+H3s7vRiu+agXZCKSRXyr, xrefs: 00507D77
      • XCZasSG+xQxnZ7GYotBO/7rPjDZKJo/LmhyuE4N7Qs2+i5YIRAgvdtm2nxLWyRpE, xrefs: 00507957
      • MvNy2XHn2nduSaV6cuu2e7hrq4i5AralYzK18xRImyGswx2OLrMYF2jltvcJ9LUI, xrefs: 00507A5F
      • kKt8tox3iLM01iltkeQqVG/CmMgYzp4CY9gp8eDQ3z4Jr2DGrzNlIflJZh3xMEkE, xrefs: 00507B46
      • vixsmmVRMnSCeBY+iwu7sV3eJGY05KxC5nG6mo4IpSloskAERBDozR0EBztCpqzE, xrefs: 00507D35
      • WjzBLNYs38Uc4h769UwPIez432UWfDBnDAO0ssyCx1tEZM823tHHXPpDTChjQ4Ij, xrefs: 00507CB1
      • E1RQkxRD6fAuUe4c5J7AvnfQ6x0tNueZ3J2i5bDy2DOGlUUvQ5q+v86ATf4CDton, xrefs: 00507E1C
      • EN3YNVz6oggMjHKV6RQ1o0Qxnju8rYiC6dy9tnQHawT4UClkpYf/l2hqK+/nIQzp, xrefs: 00507DB9
      • MIIINAYJKwYBBAGCN1gDoIIIJTCCCCEGCisGAQQBgjdYAwGggggRMIIIDQIDAgAB, xrefs: 005078F4
      • 7hNqH70Qdac+Nko2uRZrNtSquZGoX/ofggW9uKbGus+TGyV/HH62UJkDhf0uhegm, xrefs: 00507C6F
      • 36lkZjAVCd5vAPnBbgAARGPzvMTBQJJnLLpMDh3dvSzZzhhwuhAJoQ9hcINx2H8Z, xrefs: 00507D98
      • /66bXOlakIsehXS0H4EgUfd2cVqmbU8ZJ8ZJfwLBRKrYlUINOgimmwm4RTsfLBcr, xrefs: 00507999
      • CPUnJNux4gFPdqpCqhS9qrr38kZx+Xj+GUoPh+C/e4Y73hPHVpWjhRteX0ttIlAh, xrefs: 00507CD2
      • 4oGOkoi1gybLdX3pHQxpRFYPIInnBW7KTyIJ9kMzEwRh74ePNA5hwNTMgxTwiaLD, xrefs: 00507C90
      • TEHVbNT+XuSAksRTpBcPFkSJflEgJ9MD024aKu9Qj+cyMrfao13h+k87Ak5xwrnG, xrefs: 00507B88
      • jeywotsRDgSRZQvYP8qPEfpnLMVEjIJWICWYAu+zFRpYk5jGnGXY6P3fwlj5kY1H, xrefs: 00507BA9
      • rahIO498Qmp6YunpBhq5IqxXdVrhmjqOhTakNV4H1HrlgfcEe33rxeXzterW3+yu, xrefs: 005079BA
      • 3, xrefs: 00507F52
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Free$#608#712Copy$#685ChkstkError
      • String ID: +BoV/IxFZKtuFK5r3HpPf4TBMKj9jrN2UZhzJPB6mAEZgsp3NX5tqWuMM3VP9bVm$+pxCMv+/Mm/XDL+wQHe4o+it20WgQqgxwoftogzOVA2+H3s7vRiu+agXZCKSRXyr$/+CvDilGGGnz5Kp4aV5bklJfNA0HWA7avFmf/o3BBjQZ9RxHAT89qDsscK0q3eAS$/66bXOlakIsehXS0H4EgUfd2cVqmbU8ZJ8ZJfwLBRKrYlUINOgimmwm4RTsfLBcr$/My5QVTCBXvNoWSDb/XwPyoWMwrnR431sgfEWseH39NCRiNBn1tLOw5+myZp4TaO$/QBJrq0eQbEV1HjWkh/v7BQ2ykaekUjpB2GKpCy45NQ3aRgy47KHD33ZartUsUZV$1IbTqNuCEgUGY1w4180ELsYF1ZmbFh136XJvmlETa1qqy1Wupr+bIbt6lD21Dt33$2fjibSs6LIPLRxniXJmGTcQDBJOiN2wl/ymCtn3AvliU0ObuOhF6hGP0/G2uLzb1$3$36lkZjAVCd5vAPnBbgAARGPzvMTBQJJnLLpMDh3dvSzZzhhwuhAJoQ9hcINx2H8Z$4oGOkoi1gybLdX3pHQxpRFYPIInnBW7KTyIJ9kMzEwRh74ePNA5hwNTMgxTwiaLD$79R3tOB5hYfEqfYAsSSudeX9fYezXFH6SRUbYxGkyX3jKU0Jk4R70H9+HAGcVP2a$79wkP3oMNW47sucCpdlZ4gGbPCQ8d5737IN0Gxwx176wUSKq/CzA4ZhAWplnX9ME$7hNqH70Qdac+Nko2uRZrNtSquZGoX/ofggW9uKbGus+TGyV/HH62UJkDhf0uhegm$864MI9BQgUn88bT7vv0k+tQ1ZxaJ5uz3LH9Of1O55FMfOAjiV9cLFDzx4cgE7rqH$AgJoAQICAIAEAAQQbiCke/50Fnbqmi1ZiSsUVwSCB+jAtpYJWC9fDD/Y+lThSQ0S$BwDVAK1Q/3gZN+LmAlN4JNw7L1zpEAP1688JXPIruR9g/JXUzEtquuBpL5gyINs1$CPUnJNux4gFPdqpCqhS9qrr38kZx+Xj+GUoPh+C/e4Y73hPHVpWjhRteX0ttIlAh$D9wEsodNa0vLtAVl1zpr4j+7azoV+zexC6fZghJ61FD68IQb8mQRsrhXE1NunRxX$E1RQkxRD6fAuUe4c5J7AvnfQ6x0tNueZ3J2i5bDy2DOGlUUvQ5q+v86ATf4CDton$EN3YNVz6oggMjHKV6RQ1o0Qxnju8rYiC6dy9tnQHawT4UClkpYf/l2hqK+/nIQzp$MIIINAYJKwYBBAGCN1gDoIIIJTCCCCEGCisGAQQBgjdYAwGggggRMIIIDQIDAgAB$MuovB+gH5CR0Z2xO+DB0md7a/GbsGemKBzVmJCvP4uGiJ7K7lcfHGY/0A8TCEhiA$MvNy2XHn2nduSaV6cuu2e7hrq4i5AralYzK18xRImyGswx2OLrMYF2jltvcJ9LUI$NrKfP5oHMFqL5A2t5oeEZYSyuWLMiUafW5AooSa+pH8IGdRLP4bgCtsbL51m51Eb$TEHVbNT+XuSAksRTpBcPFkSJflEgJ9MD024aKu9Qj+cyMrfao13h+k87Ak5xwrnG$Uk0kWWxCHw8lrqYhNy4nQpGHevLEdcMWempUZlY3fjt5iduzo/h0dU5behCl3jER$WjzBLNYs38Uc4h769UwPIez432UWfDBnDAO0ssyCx1tEZM823tHHXPpDTChjQ4Ij$X9wtJb4rHjxK0k3eoRSNaqQj9X98ys3e0DzV/qlizcdB2SVO4bhgMg==$XCZasSG+xQxnZ7GYotBO/7rPjDZKJo/LmhyuE4N7Qs2+i5YIRAgvdtm2nxLWyRpE$Y7Dr0Wm4yfs3SDLB9ciHDkkmIhNxMrNQ2PWGKBoSPSzdYiPQN9EA+ODAo9RYFLrj$d9QhutelZhsRvwvSHWuTuuKcFK+ZAsxVuAqIzOFrpHMZyk331Uv6QwU/U3CPcwHv$e3TFtYWtdJeu8LGOipfgLv3y3nkKu28w0Gsvvp2hYN0SToePKmdE3Kl20UqeHyiJ$fEdondnJEkhLHgN0XRhdz0m9pAyELDJUK2qE2CD4IVFOUKjmJZHQ1Pwui/S0Z3fF$j1XnDc9643MyvE+lTFsRn6Qs9VVyoaq2StmNmiuzOGEaz+WNILuxhqG+lnKcfi0y$jeywotsRDgSRZQvYP8qPEfpnLMVEjIJWICWYAu+zFRpYk5jGnGXY6P3fwlj5kY1H$kKt8tox3iLM01iltkeQqVG/CmMgYzp4CY9gp8eDQ3z4Jr2DGrzNlIflJZh3xMEkE$nO0EfxJNYzWa94+v3AuuL6nAyUXvVbdemN0kkDbkzs9XtA9vILWFcWKUG5845nGo$ogeofIK4WR+HWq/3/znyQaEsIfFd1Mg9RNgcegXJ1KEUUofbFAu6txYWE/phor0/$pA9PiWERE7q9BXbaphl91FU7XDQspIlzsluJsH8kMByQY8skIntNlS1833/4L0Hk$q3mz8HC7a3tICl5aj+NZ+FRnNeOWY9U8hEOOpqA60LRJ2+PFGygwlYX0A09FskCp$rahIO498Qmp6YunpBhq5IqxXdVrhmjqOhTakNV4H1HrlgfcEe33rxeXzterW3+yu$vixsmmVRMnSCeBY+iwu7sV3eJGY05KxC5nG6mo4IpSloskAERBDozR0EBztCpqzE$w361RDERc57cljarx9VeaZ5W4EB0LW18viXVaWkig1bx1Si3iHa4XXYFPgycNF+0$wzSY1t8nsLIBP9iHtFWWizGZlEaYNCHR2aWLcqztmMjnDgLBiNx+x1GWzV9MD/wI
      • API String ID: 2976903542-96595784
      • Opcode ID: bfcd036427f3040e89dd628997f66fecb3803a561951fbdfc7cce09c96d2bbe3
      • Instruction ID: b126d4da140b28a0e0d79f4bb0da0379e6d5f48f3ef362fdcf78136b96ce4b84
      • Opcode Fuzzy Hash: bfcd036427f3040e89dd628997f66fecb3803a561951fbdfc7cce09c96d2bbe3
      • Instruction Fuzzy Hash: 6412EC75A00208EFEB04DFE0DB99AEE77F4EB48705F2041A5E502B36A0DB756E45CB64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0050ADD0 Relevance: 152.7, APIs: 82, Strings: 5, Instructions: 487COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0050ADEE
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000000,?,?,004153F6), ref: 0050AE13
      • __vbaStrCopy.MSVBVM60(?,00000000,?,?,004153F6), ref: 0050AE2C
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004153F6), ref: 0050AE3B
      • __vbaStrCmp.MSVBVM60(0041AA3C,00000000), ref: 0050AE5E
      • #619.MSVBVM60(?,00004008,00000001), ref: 0050AE93
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0050AEB8
      • __vbaFreeVar.MSVBVM60 ref: 0050AEC8
      • __vbaLenBstr.MSVBVM60(00000000), ref: 0050AEF7
      • #617.MSVBVM60(?,00004008,-00000001), ref: 0050AF12
      • __vbaStrVarMove.MSVBVM60(?), ref: 0050AF1C
      • __vbaStrMove.MSVBVM60 ref: 0050AF27
      • __vbaFreeVar.MSVBVM60 ref: 0050AF30
      • #520.MSVBVM60(?,00004008), ref: 0050AF63
      • #518.MSVBVM60(?,?), ref: 0050AF71
      • #520.MSVBVM60(?,00004008), ref: 0050AF95
      • #518.MSVBVM60(?,?), ref: 0050AFA3
      • __vbaStrCmp.MSVBVM60(true,?), ref: 0050AFBB
      • __vbaStrCmp.MSVBVM60(false,?), ref: 0050AFDC
      • __vbaVarCmpEq.MSVBVM60(?,?,?), ref: 0050B00C
      • __vbaVarAnd.MSVBVM60(?,0000000B,00000000), ref: 0050B021
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 0050B028
      • __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,0000000B), ref: 0050B04E
      • __vbaStrCmp.MSVBVM60(true,?), ref: 0050B07B
      • __vbaStrCopy.MSVBVM60 ref: 0050B0BE
      • __vbaStrCopy.MSVBVM60 ref: 0050B0DA
        • Part of subcall function 0050AC30: __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 0050AC4E
        • Part of subcall function 0050AC30: __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 0050AC7B
        • Part of subcall function 0050AC30: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,004153F6), ref: 0050AC8A
        • Part of subcall function 0050AC30: __vbaBoolStr.MSVBVM60(0041AA3C,?,00000000), ref: 0050ACA9
        • Part of subcall function 0050AC30: #619.MSVBVM60(?,0000400B,00000001), ref: 0050ACD7
        • Part of subcall function 0050AC30: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0050ACF3
        • Part of subcall function 0050AC30: __vbaFreeVar.MSVBVM60 ref: 0050AD00
        • Part of subcall function 0050AC30: #685.MSVBVM60(?,00000000), ref: 0050AD56
        • Part of subcall function 0050AC30: __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000), ref: 0050AD61
        • Part of subcall function 0050AC30: __vbaFreeObj.MSVBVM60(?,00000000), ref: 0050AD82
        • Part of subcall function 0050AC30: __vbaFreeStr.MSVBVM60(0050ADB6,?,00000000), ref: 0050ADAF
      • __vbaStrCmp.MSVBVM60(0041AA3C,00000000,00000000), ref: 0050B102
      • #619.MSVBVM60(?,00004008,00000001), ref: 0050B13E
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0050B163
      • __vbaFreeVar.MSVBVM60 ref: 0050B173
      • __vbaStrCat.MSVBVM60(0041F52C,00000000), ref: 0050B194
      • __vbaStrMove.MSVBVM60 ref: 0050B19F
      • #685.MSVBVM60 ref: 0050B1AC
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0050B1B7
      • __vbaFreeObj.MSVBVM60 ref: 0050B1D8
      • __vbaStrCat.MSVBVM60(testfile.txt,00000000), ref: 0050B1EE
      • #645.MSVBVM60(00000008,00000000), ref: 0050B204
      • __vbaStrMove.MSVBVM60 ref: 0050B20F
      • __vbaStrCmp.MSVBVM60(0041AA3C,00000000), ref: 0050B21B
      • __vbaFreeStr.MSVBVM60 ref: 0050B233
      • __vbaFreeVar.MSVBVM60 ref: 0050B23C
      • __vbaStrCat.MSVBVM60(testfile.txt,00000000), ref: 0050B25D
      • #529.MSVBVM60(00000008), ref: 0050B271
      • __vbaFreeVar.MSVBVM60 ref: 0050B27A
      • #685.MSVBVM60 ref: 0050B287
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0050B292
      • __vbaFreeObj.MSVBVM60 ref: 0050B2B3
      • __vbaStrCat.MSVBVM60(testfile.txt,00000000), ref: 0050B2D2
      • __vbaStrMove.MSVBVM60 ref: 0050B2DD
      • __vbaFreeStr.MSVBVM60(?,test,00000000), ref: 0050B30D
      • __vbaStrCat.MSVBVM60(testfile.txt,00000000), ref: 0050B332
      • __vbaStrMove.MSVBVM60 ref: 0050B33D
        • Part of subcall function 004FD630: __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 004FD64E
        • Part of subcall function 004FD630: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,004153F6), ref: 004FD67E
        • Part of subcall function 004FD630: __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 004FD693
        • Part of subcall function 004FD630: #685.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 004FD6A0
        • Part of subcall function 004FD630: __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000,00000000,00000000,004153F6), ref: 004FD6AB
        • Part of subcall function 004FD630: __vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 004FD6C3
        • Part of subcall function 004FD630: #685.MSVBVM60(00000000,?,00000000,00000000,00000000,004153F6), ref: 004FD6EC
        • Part of subcall function 004FD630: __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000,00000000,00000000,004153F6), ref: 004FD6F7
        • Part of subcall function 004FD630: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 004FD72A
        • Part of subcall function 004FD630: __vbaFreeObj.MSVBVM60 ref: 004FD74E
        • Part of subcall function 004FD630: __vbaVar2Vec.MSVBVM60(?,?,?,?), ref: 004FD778
        • Part of subcall function 004FD630: __vbaAryMove.MSVBVM60(00000000,?), ref: 004FD786
      • #520.MSVBVM60(?,00000008,?), ref: 0050B35E
      • __vbaStrVarMove.MSVBVM60(?), ref: 0050B368
      • __vbaStrMove.MSVBVM60 ref: 0050B373
      • __vbaFreeStr.MSVBVM60 ref: 0050B37C
      • __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0050B38C
      • #518.MSVBVM60(?,00004008), ref: 0050B3BA
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0050B3DF
      • __vbaFreeVar.MSVBVM60 ref: 0050B3EF
      • __vbaStrCopy.MSVBVM60 ref: 0050B425
      • #685.MSVBVM60 ref: 0050B432
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0050B43D
      • __vbaFreeObj.MSVBVM60 ref: 0050B45E
      • __vbaStrCat.MSVBVM60(testfile.txt,00000000), ref: 0050B474
      • #645.MSVBVM60(00000008,00000000), ref: 0050B48A
      • __vbaStrMove.MSVBVM60 ref: 0050B495
      • __vbaStrCmp.MSVBVM60(0041AA3C,00000000), ref: 0050B4A1
      • __vbaFreeStr.MSVBVM60 ref: 0050B4B9
      • __vbaFreeVar.MSVBVM60 ref: 0050B4C2
      • __vbaStrCat.MSVBVM60(testfile.txt,00000000), ref: 0050B4E3
      • #529.MSVBVM60(00000008), ref: 0050B4F7
      • __vbaFreeVar.MSVBVM60 ref: 0050B500
      • #685.MSVBVM60 ref: 0050B50D
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0050B518
      • __vbaFreeObj.MSVBVM60 ref: 0050B539
      • #685.MSVBVM60 ref: 0050B546
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0050B551
      • __vbaFreeObj.MSVBVM60 ref: 0050B572
      • __vbaFreeStr.MSVBVM60(0050B5CE), ref: 0050B5BE
      • __vbaFreeStr.MSVBVM60 ref: 0050B5C7
      • __vbaErrorOverflow.MSVBVM60 ref: 0050B5E5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$#685$Copy$Error$#518#520#619Chkstk$#529#645BoolList$#617BstrCheckHresultNullOffsetOverflowVar2
      • String ID: )$false$test$testfile.txt$true
      • API String ID: 3529711977-3619963293
      • Opcode ID: b4b72b1e653ecbc0ee216e2be732e2d4876952588580f49ed38e19aa4f255098
      • Instruction ID: 9c3f3245ba1dc8d6ab167d7d7750423b8801b6a21e765004798d61bca2f017db
      • Opcode Fuzzy Hash: b4b72b1e653ecbc0ee216e2be732e2d4876952588580f49ed38e19aa4f255098
      • Instruction Fuzzy Hash: 04221875900219DBDB14DFA0DE88BDDBBB4FF48305F1081A9E606B72A0DB745A89CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00541C00 Relevance: 145.7, APIs: 71, Strings: 12, Instructions: 490COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6,?,?,?,?,00540535,?), ref: 00541C1E
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000000,?,?,004153F6), ref: 00541C43
      • __vbaStrCopy.MSVBVM60(?,00000000,?,?,004153F6), ref: 00541C5C
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004153F6), ref: 00541C6B
      • __vbaStrCmp.MSVBVM60(true,?,?,00000000,?,?,004153F6), ref: 00541C8A
      • __vbaStrCopy.MSVBVM60(?,00000000,?,?,004153F6), ref: 00541CAC
      • __vbaStrCopy.MSVBVM60(?,00000000,?,?,004153F6), ref: 00541CDC
      • __vbaStrCmp.MSVBVM60(true,?,?,00000000,?,?,004153F6), ref: 00541CFB
      • __vbaStrCat.MSVBVM60(00000000,Show Message: ,?,00000000,?,?,004153F6), ref: 00541D30
      • __vbaStrMove.MSVBVM60(?,00000000,?,?,004153F6), ref: 00541D3B
      • __vbaFreeStr.MSVBVM60(?,?,00000000,?,?,004153F6), ref: 00541D4D
      • #685.MSVBVM60(?,00000000,?,?,004153F6), ref: 00541D5A
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,?,004153F6), ref: 00541D65
      • __vbaFreeObj.MSVBVM60(?,00000000,?,?,004153F6), ref: 00541D86
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,?,?,004153F6), ref: 00541DA5
      • #518.MSVBVM60(?,00000008), ref: 00541DD1
      • __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 00541E12
      • __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 00541E20
      • __vbaFreeVarList.MSVBVM60(00000003,00000008,?,?), ref: 00541E3B
      • __vbaStrCopy.MSVBVM60(00000000,?,?,004153F6), ref: 00541E67
      • #518.MSVBVM60(?,00000008), ref: 00541E8B
      • __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 00541ECC
      • __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 00541EDA
      • __vbaFreeVarList.MSVBVM60(00000003,00000008,?,?), ref: 00541EF5
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00000000,?,?,004153F6), ref: 00541F21
      • #518.MSVBVM60(?,00000008), ref: 00541F45
      • __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 00541F86
      • __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 00541F94
      • __vbaFreeVarList.MSVBVM60(00000003,00000008,?,?), ref: 00541FAF
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,?,?,004153F6), ref: 00541FDB
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,?,?,004153F6), ref: 00541FFA
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,?,?,004153F6), ref: 00542021
      • __vbaStrMove.MSVBVM60(?,00000000,?,?,004153F6), ref: 00542040
      • __vbaStrCopy.MSVBVM60(?,00000000,?,?,004153F6), ref: 0054204E
      • __vbaStrCopy.MSVBVM60(?,00000000,?,?,004153F6), ref: 0054205C
      • __vbaStrCopy.MSVBVM60(?,00000000,?,?,004153F6), ref: 0054206A
        • Part of subcall function 0052EC60: __vbaChkstk.MSVBVM60(?,004153F6), ref: 0052EC7E
        • Part of subcall function 0052EC60: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 0052ECA3
        • Part of subcall function 0052EC60: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0052ECBF
        • Part of subcall function 0052EC60: #619.MSVBVM60(?,00004008,00000001), ref: 0052ECEC
        • Part of subcall function 0052EC60: #608.MSVBVM60(?,00000022), ref: 0052ECF8
        • Part of subcall function 0052EC60: #617.MSVBVM60(?,00004008,00000001), ref: 0052ED21
        • Part of subcall function 0052EC60: #608.MSVBVM60(?,00000022), ref: 0052ED30
        • Part of subcall function 0052EC60: __vbaVarCmpEq.MSVBVM60(?,?,?), ref: 0052ED45
        • Part of subcall function 0052EC60: __vbaVarCmpEq.MSVBVM60(?,?,?,00000000), ref: 0052ED61
        • Part of subcall function 0052EC60: __vbaVarAnd.MSVBVM60(?,00000000), ref: 0052ED6F
        • Part of subcall function 0052EC60: __vbaBoolVarNull.MSVBVM60(00000000), ref: 0052ED76
        • Part of subcall function 0052EC60: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0052ED9B
        • Part of subcall function 0052EC60: __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 0052EDBE
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,00000000,?,?,004153F6), ref: 00542093
      • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000000,?,?,004153F6), ref: 005420AB
        • Part of subcall function 005426C0: __vbaChkstk.MSVBVM60(00000001,004153F6,0054223F,?,00000000,?,?,004153F6), ref: 005426DE
        • Part of subcall function 005426C0: __vbaAptOffset.MSVBVM60(00419C98,?,00000000,?,00000001,004153F6,0054223F), ref: 00542703
        • Part of subcall function 005426C0: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000001,004153F6,0054223F), ref: 0054271F
        • Part of subcall function 005426C0: __vbaStrCopy.MSVBVM60(?,00000000,?,00000001,004153F6,0054223F), ref: 00542734
        • Part of subcall function 005426C0: __vbaFreeStr.MSVBVM60(?,?,00000000,?,00000001,004153F6,0054223F), ref: 00542746
        • Part of subcall function 005426C0: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,?,00000001,004153F6,0054223F), ref: 00542765
        • Part of subcall function 005426C0: __vbaStrCmp.MSVBVM60(true,?,?,00000000,?,00000001,004153F6,0054223F), ref: 0054278C
        • Part of subcall function 005426C0: __vbaStrCmp.MSVBVM60(true,?,?,00000000,?,00000001,004153F6,0054223F), ref: 005427AB
        • Part of subcall function 005426C0: #685.MSVBVM60(?,00000000), ref: 005427EA
        • Part of subcall function 005426C0: __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000), ref: 005427F5
        • Part of subcall function 005426C0: __vbaFreeObj.MSVBVM60(?,00000000), ref: 00542816
        • Part of subcall function 005426C0: __vbaLateMemCallLd.MSVBVM60(?,?,info,00000000), ref: 0054284F
        • Part of subcall function 0050C140: __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,005416BA,?), ref: 0050C15E
        • Part of subcall function 0050C140: __vbaAptOffset.MSVBVM60(00419C98,?,00000000,?,00000000,004153F6), ref: 0050C183
        • Part of subcall function 0050C140: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004153F6), ref: 0050C19F
        • Part of subcall function 0050C140: #685.MSVBVM60(?,00000000,?,00000000,004153F6), ref: 0050C1C2
        • Part of subcall function 0050C140: __vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,00000000,004153F6), ref: 0050C1CD
        • Part of subcall function 0050C140: __vbaFreeObj.MSVBVM60(?,00000000,?,00000000,004153F6), ref: 0050C1EE
        • Part of subcall function 0050C140: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,?,00000000,004153F6), ref: 0050C20D
        • Part of subcall function 0050C140: __vbaStrCmp.MSVBVM60(?,?,?,00000000,?,00000000,004153F6), ref: 0050C22D
        • Part of subcall function 0050C140: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,?,00000000,004153F6), ref: 0050C253
        • Part of subcall function 0050C140: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004153F6), ref: 0050C27A
        • Part of subcall function 0050C140: #685.MSVBVM60(?,00000000,?,00000000,004153F6), ref: 0050C80E
        • Part of subcall function 0050C140: __vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,00000000,004153F6), ref: 0050C819
        • Part of subcall function 0050C140: __vbaFreeObj.MSVBVM60(?,00000000,?,00000000,004153F6), ref: 0050C83A
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,?,?,004153F6), ref: 005420CD
      • __vbaStrCopy.MSVBVM60(?,00000000,?,?,004153F6), ref: 005420E6
      • __vbaStrMove.MSVBVM60(?,?,00000000,?,?,004153F6), ref: 00542103
      • __vbaFreeStr.MSVBVM60(?,00000000,?,?,004153F6), ref: 0054210C
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,?,?,004153F6), ref: 0054212B
      • __vbaStrCopy.MSVBVM60 ref: 0054214E
      • __vbaFreeStr.MSVBVM60(?,00000000), ref: 00542167
      • __vbaStrCopy.MSVBVM60 ref: 00542185
      • __vbaStrCmp.MSVBVM60(0041AB28,?,?,00000000,?,?,004153F6), ref: 005421A4
      • __vbaStrCmp.MSVBVM60(00000000,?,?,00000000,?,?,004153F6), ref: 005421E1
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,?,?,004153F6), ref: 00542201
      • __vbaStrCopy.MSVBVM60(?,00000000,?,?,004153F6), ref: 00542228
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,?,?,004153F6), ref: 005422E9
        • Part of subcall function 00539030: __vbaChkstk.MSVBVM60(00000000,004153F6,0054302D,?,00000001,?,00000000,004153F6,005421B6), ref: 0053904E
        • Part of subcall function 00539030: __vbaAptOffset.MSVBVM60(00419C98,?,00000001,?,00000000,004153F6,0054302D), ref: 00539073
        • Part of subcall function 00539030: __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,004153F6,0054302D), ref: 0053908F
        • Part of subcall function 00539030: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000001,?,00000000,004153F6,0054302D), ref: 005390AE
        • Part of subcall function 00539030: __vbaStrCopy.MSVBVM60(?,00000001,?,00000000,004153F6,0054302D), ref: 005390CE
        • Part of subcall function 00539030: #685.MSVBVM60(?,00000001,?,00000000,004153F6,0054302D), ref: 0053938E
        • Part of subcall function 00539030: __vbaObjSet.MSVBVM60(00000000,00000000,?,00000001,?,00000000,004153F6,0054302D), ref: 00539399
        • Part of subcall function 00539030: __vbaFreeObj.MSVBVM60(?,00000001,?,00000000,004153F6,0054302D), ref: 005393BA
        • Part of subcall function 00539030: __vbaFreeStr.MSVBVM60(0053940A,?,00000001,?,00000000,004153F6,0054302D), ref: 00539403
      • __vbaStrMove.MSVBVM60(00000000,?,00000000,?,?,004153F6), ref: 00542254
        • Part of subcall function 00546140: __vbaChkstk.MSVBVM60(00000000,004153F6,00000000,?,00000000,?,?,004153F6), ref: 0054615E
        • Part of subcall function 00546140: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004153F6,00000000), ref: 0054618B
        • Part of subcall function 00546140: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004153F6,00000000), ref: 0054619A
        • Part of subcall function 00546140: #617.MSVBVM60(?,00004008,00000001), ref: 005461BE
        • Part of subcall function 00546140: #528.MSVBVM60(?,?), ref: 005461CC
        • Part of subcall function 00546140: __vbaLenBstr.MSVBVM60(00000000), ref: 005461E9
        • Part of subcall function 00546140: #619.MSVBVM60(?,00004008,-00000001), ref: 00546204
        • Part of subcall function 00546140: __vbaVarAdd.MSVBVM60(?,?,?), ref: 00546216
        • Part of subcall function 00546140: __vbaStrVarMove.MSVBVM60(00000000), ref: 0054621D
        • Part of subcall function 00546140: __vbaStrMove.MSVBVM60 ref: 00546228
        • Part of subcall function 00546140: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00546240
        • Part of subcall function 00546140: #685.MSVBVM60(?,00000000,?,00000000,004153F6,00000000), ref: 00546250
        • Part of subcall function 00546140: __vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,00000000,004153F6,00000000), ref: 0054625B
        • Part of subcall function 00546140: __vbaFreeObj.MSVBVM60(?,00000000,?,00000000,004153F6,00000000), ref: 0054627C
        • Part of subcall function 00546140: __vbaFreeStr.MSVBVM60(005462CB,?,00000000,?,00000000,004153F6,00000000), ref: 005462C4
      • __vbaStrMove.MSVBVM60(00000000,?,00000000,?,?,004153F6), ref: 00542265
      • __vbaFreeStr.MSVBVM60(?,00000000,?,?,004153F6), ref: 0054226E
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,?,?,004153F6), ref: 00542284
      • __vbaStrCopy.MSVBVM60(?,00000000,?,?,004153F6), ref: 0054229B
      • __vbaStrCopy.MSVBVM60(?,00000000,?,?,004153F6), ref: 005422B7
      • __vbaStrCopy.MSVBVM60(?,00000000,?,?,004153F6), ref: 005422D3
      • __vbaChkstk.MSVBVM60 ref: 00542312
      • __vbaLateMemCall.MSVBVM60(?,show_AloahaBanner,00000001), ref: 00542350
      • __vbaStrCat.MSVBVM60(00000000,Running as Service. Supressing: ,?,00000000,?,?,004153F6), ref: 0054236B
      • __vbaStrMove.MSVBVM60(?,00000000,?,?,004153F6), ref: 00542376
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,004153F6), ref: 00521D3E
        • Part of subcall function 00521D20: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,?), ref: 00521D63
        • Part of subcall function 00521D20: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,?), ref: 00521D7F
        • Part of subcall function 00521D20: __vbaStrCmp.MSVBVM60(true,?,?,?,?,00000000,004153F6,?), ref: 00521D9E
        • Part of subcall function 00521D20: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DC4
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DDB
        • Part of subcall function 00521D20: __vbaVarDup.MSVBVM60 ref: 00521E12
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 00521E39
        • Part of subcall function 00521D20: #711.MSVBVM60(?,00000000), ref: 00521E47
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60 ref: 00521E52
        • Part of subcall function 00521D20: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 00521E90
        • Part of subcall function 00521D20: #520.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EA1
        • Part of subcall function 00521D20: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EAB
        • Part of subcall function 00521D20: #518.MSVBVM60(?,?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EBF
        • Part of subcall function 00521D20: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ECC
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ED7
      • __vbaFreeStr.MSVBVM60(?,?,00000000,?,?,004153F6), ref: 00542388
      • __vbaStrCopy.MSVBVM60(?,00000000,?,?,004153F6), ref: 0054239D
      • __vbaFreeStr.MSVBVM60(?,?,00000000,?,?,004153F6), ref: 005423AF
      • #685.MSVBVM60(?,00000000,?,?,004153F6), ref: 005423BC
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,?,004153F6), ref: 005423C7
      • __vbaFreeObj.MSVBVM60(?,00000000,?,?,004153F6), ref: 005423E8
      • __vbaFreeStr.MSVBVM60(00542451,?,00000000,?,?,004153F6), ref: 00542438
      • __vbaFreeStr.MSVBVM60(?,00000000,?,?,004153F6), ref: 00542441
      • __vbaFreeStr.MSVBVM60(?,00000000,?,?,004153F6), ref: 0054244A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Copy$Move$Chkstk$#685Error$ListOffset$#518$#608#617#619CallLate$#520#528#711BoolBstrIndexLoadLockNullUnlock
      • String ID: 7$DisableBanner$HKLM\Software\Aloaha\DisableBanner$Running as Service. Supressing: $Settings$Show Message: $leaving Show Message$localservice$service$show_AloahaBanner$system$true
      • API String ID: 2837324800-372147756
      • Opcode ID: b29ae5f0699219f851717eeff4c6e35e3176997c839b701d4f8941cd75b916d2
      • Instruction ID: 06e622a53583f340045d0a8132c288a5e6ede9da203b6f0eb64429ecb9b0691b
      • Opcode Fuzzy Hash: b29ae5f0699219f851717eeff4c6e35e3176997c839b701d4f8941cd75b916d2
      • Instruction Fuzzy Hash: 5D224775901228DBEB14DFA0DD88FEEBB74FF44704F1082A9E506A72A0DB745A88CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0054B810 Relevance: 140.4, APIs: 77, Strings: 3, Instructions: 435COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 0054B82E
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6), ref: 0054B85B
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6), ref: 0054B867
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6), ref: 0054B873
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6), ref: 0054B882
      • __vbaStrCat.MSVBVM60(?,ProcessLauncher: ,?,?,?,00000000,004153F6), ref: 0054B898
      • __vbaStrMove.MSVBVM60(?,?,?,00000000,004153F6), ref: 0054B8A3
      • __vbaStrCat.MSVBVM60( / ,00000000,?,?,?,00000000,004153F6), ref: 0054B8AF
      • __vbaStrMove.MSVBVM60(?,?,?,00000000,004153F6), ref: 0054B8BA
      • __vbaStrCat.MSVBVM60(?,00000000,?,?,?,00000000,004153F6), ref: 0054B8C5
      • __vbaStrMove.MSVBVM60(?,?,?,00000000,004153F6), ref: 0054B8D0
      • __vbaStrCat.MSVBVM60( / ,00000000,?,?,?,00000000,004153F6), ref: 0054B8DC
      • __vbaStrMove.MSVBVM60(?,?,?,00000000,004153F6), ref: 0054B8E7
      • __vbaStrCat.MSVBVM60(?,00000000,?,?,?,00000000,004153F6), ref: 0054B8F2
      • __vbaStrMove.MSVBVM60(?,?,?,00000000,004153F6), ref: 0054B8FD
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,004153F6), ref: 00521D3E
        • Part of subcall function 00521D20: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,?), ref: 00521D63
        • Part of subcall function 00521D20: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,?), ref: 00521D7F
        • Part of subcall function 00521D20: __vbaStrCmp.MSVBVM60(true,?,?,?,?,00000000,004153F6,?), ref: 00521D9E
        • Part of subcall function 00521D20: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DC4
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DDB
        • Part of subcall function 00521D20: __vbaVarDup.MSVBVM60 ref: 00521E12
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 00521E39
        • Part of subcall function 00521D20: #711.MSVBVM60(?,00000000), ref: 00521E47
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60 ref: 00521E52
        • Part of subcall function 00521D20: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 00521E90
        • Part of subcall function 00521D20: #520.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EA1
        • Part of subcall function 00521D20: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EAB
        • Part of subcall function 00521D20: #518.MSVBVM60(?,?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EBF
        • Part of subcall function 00521D20: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ECC
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ED7
      • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?,?,?,?,?,00000000,004153F6), ref: 0054B922
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 0054B93B
      • #619.MSVBVM60(?,00004008,00000001), ref: 0054B970
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0054B995
      • __vbaFreeVar.MSVBVM60 ref: 0054B9A5
      • __vbaStrCat.MSVBVM60(0041F52C,?), ref: 0054B9C6
      • __vbaStrMove.MSVBVM60 ref: 0054B9D1
      • __vbaStrCopy.MSVBVM60 ref: 0054B9E4
      • __vbaInStr.MSVBVM60(00000000,0041F52C,?,00000001), ref: 0054B9FE
      • __vbaInStr.MSVBVM60(00000000,0041F52C,00000001,00000001), ref: 0054BA20
      • #520.MSVBVM60(?,00004008), ref: 0054BA53
      • #520.MSVBVM60(?,00004008), ref: 0054BA77
      • __vbaVarAdd.MSVBVM60(?,?,?), ref: 0054BA89
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 0054BA90
      • __vbaStrMove.MSVBVM60 ref: 0054BA9B
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0054BAAF
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 0054BAC8
      • #685.MSVBVM60 ref: 0054BADD
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0054BAE8
      • __vbaFreeObj.MSVBVM60 ref: 0054BB09
      • #520.MSVBVM60(?,00004008), ref: 0054BB34
      • #645.MSVBVM60(?,00000000), ref: 0054BB40
      • __vbaStrMove.MSVBVM60 ref: 0054BB4B
      • __vbaStrCmp.MSVBVM60(0041AA3C,00000000), ref: 0054BB57
      • __vbaFreeStr.MSVBVM60 ref: 0054BB6F
      • __vbaFreeVar.MSVBVM60 ref: 0054BB78
      • #685.MSVBVM60 ref: 0054BB94
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0054BB9F
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 0054BBEA
      • __vbaFreeObj.MSVBVM60 ref: 0054BC1A
      • #608.MSVBVM60(?,00000022), ref: 0054BC3C
      • #608.MSVBVM60(?,00000022), ref: 0054BC5B
      • __vbaVarAdd.MSVBVM60(?,00000008,?), ref: 0054BC70
      • __vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0054BC82
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 0054BC89
      • __vbaStrMove.MSVBVM60 ref: 0054BC94
      • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0054BCAF
      • __vbaStrCopy.MSVBVM60 ref: 0054BCC5
      • #619.MSVBVM60(?,00004008,00000001), ref: 0054BCF2
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0054BD17
      • __vbaFreeVar.MSVBVM60 ref: 0054BD27
      • __vbaStrCat.MSVBVM60(0041F52C,?), ref: 0054BD48
      • __vbaStrMove.MSVBVM60 ref: 0054BD53
      • #520.MSVBVM60(?,00004008), ref: 0054BD7E
      • __vbaStrToAnsi.MSVBVM60(?,?,00000001), ref: 0054BD8E
      • __vbaStrVarVal.MSVBVM60(?,?,00000000), ref: 0054BD9D
      • __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 0054BDA8
      • __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0054BDB7
      • __vbaStrToAnsi.MSVBVM60(?,Open,00000000), ref: 0054BDC7
      • __vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 0054BDD5
      • __vbaStrToUnicode.MSVBVM60(?,?), ref: 0054BDE3
      • __vbaStrToUnicode.MSVBVM60(?,?), ref: 0054BDF1
      • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0054BE0D
      • __vbaFreeVar.MSVBVM60 ref: 0054BE19
      • #685.MSVBVM60 ref: 0054BE26
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0054BE31
      • __vbaFreeObj.MSVBVM60 ref: 0054BE52
      • __vbaFreeStr.MSVBVM60(0054BED4), ref: 0054BEA9
      • __vbaFreeStr.MSVBVM60 ref: 0054BEB2
      • __vbaFreeStr.MSVBVM60 ref: 0054BEBB
      • __vbaFreeStr.MSVBVM60 ref: 0054BEC4
      • __vbaFreeStr.MSVBVM60 ref: 0054BECD
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$Copy$#520$AnsiList$#685ChkstkError$#608#619Unicode$#518#645#711CheckHresultIndexLoadLockOffsetSystemUnlock
      • String ID: / $Open$ProcessLauncher:
      • API String ID: 1009384616-1551329386
      • Opcode ID: 6409fc9e5b7315a0f37227223877fdbd137283d7762cb05dabd37daa97117a87
      • Instruction ID: 8260649095003f623f519dbf1148782b40c532019d6f4dcab832dbf474ea1d2b
      • Opcode Fuzzy Hash: 6409fc9e5b7315a0f37227223877fdbd137283d7762cb05dabd37daa97117a87
      • Instruction Fuzzy Hash: 3312F775900208EBDB14DFE0DE88FDEBBB9BF48705F1081A9E606B6160DB745A49CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005459D0 Relevance: 137.0, APIs: 71, Strings: 7, Instructions: 465COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 005459EE
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 00545A13
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 00545A2C
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 00545A3B
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,004153F6), ref: 00545A5A
        • Part of subcall function 0054E010: __vbaChkstk.MSVBVM60(?,004153F6,?,?,?,?,?,0053C771,?,00000000,004153F6), ref: 0054E02E
        • Part of subcall function 0054E010: __vbaAptOffset.MSVBVM60(00419C98,?,00000000,?,?,004153F6), ref: 0054E053
        • Part of subcall function 0054E010: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004153F6), ref: 0054E06F
        • Part of subcall function 0054E010: __vbaStrCmp.MSVBVM60(true,?,?,00000000,?,?,004153F6), ref: 0054E08E
        • Part of subcall function 0054E010: #685.MSVBVM60 ref: 0054E38B
        • Part of subcall function 0054E010: __vbaObjSet.MSVBVM60(00000000,00000000), ref: 0054E396
        • Part of subcall function 0054E010: __vbaFreeObj.MSVBVM60 ref: 0054E3B7
        • Part of subcall function 0054E010: __vbaFreeStr.MSVBVM60(0054E3F8), ref: 0054E3E8
        • Part of subcall function 0054E010: __vbaFreeStr.MSVBVM60 ref: 0054E3F1
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 00545A8D
      • __vbaStrCat.MSVBVM60(localhost,winmgmts://), ref: 00545AB2
      • __vbaStrMove.MSVBVM60 ref: 00545ABD
      • #685.MSVBVM60 ref: 00545ACA
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00545AD5
      • __vbaFreeObj.MSVBVM60 ref: 00545AF6
      • __vbaStrCat.MSVBVM60(?,select * from Win32_Process WHERE Name = '), ref: 00545B0C
      • __vbaStrMove.MSVBVM60 ref: 00545B17
      • __vbaStrCat.MSVBVM60(00421164,00000000), ref: 00545B23
      • #626.MSVBVM60(?,00004008,0000000A), ref: 00545B66
      • __vbaChkstk.MSVBVM60 ref: 00545B71
      • __vbaVarLateMemCallLd.MSVBVM60(?,?,ExecQuery,00000001), ref: 00545BA7
      • __vbaVarSetVar.MSVBVM60(?,00000000), ref: 00545BB5
      • __vbaFreeStr.MSVBVM60 ref: 00545BBE
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 00545BD5
      • __vbaForEachVar.MSVBVM60(?,?,?,?,?,?), ref: 00545C09
      • __vbaVarLateMemCallLdRf.MSVBVM60(?,?,Caption,00000000), ref: 00545C46
      • #518.MSVBVM60(?,00000000), ref: 00545C54
      • #518.MSVBVM60(?,00004008), ref: 00545C7B
      • __vbaVarTstEq.MSVBVM60(?,?), ref: 00545C8C
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 00545CAA
      • __vbaObjVar.MSVBVM60(?,Terminate,00000000), ref: 00545CD0
      • __vbaLateMemCall.MSVBVM60(00000000), ref: 00545CD7
      • __vbaVarLateMemCallLdRf.MSVBVM60(?,?,Caption,00000000), ref: 00545CF9
      • __vbaVarLateMemCallLd.MSVBVM60(?,?,Caption,00000000), ref: 00545D25
      • __vbaLenVar.MSVBVM60(?,00000000), ref: 00545D33
      • __vbaVarSub.MSVBVM60(?,?,00000000), ref: 00545D48
      • __vbaI4Var.MSVBVM60(00000000), ref: 00545D4F
      • #617.MSVBVM60(?,?,00000000), ref: 00545D64
      • #518.MSVBVM60(?,?), ref: 00545D78
      • __vbaVarSetObjAddref.MSVBVM60(?,00000000), ref: 00546032
      • __vbaVarSetObjAddref.MSVBVM60(?,00000000), ref: 00546045
      • #685.MSVBVM60(?,?,?,?,004153F6), ref: 00546052
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 0054605D
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 0054607E
      • __vbaAryUnlock.MSVBVM60(?,00546122,?,?,?,?,004153F6), ref: 005460E2
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 005460EE
      • __vbaFreeVar.MSVBVM60(?,?,?,?,004153F6), ref: 005460F7
      • __vbaFreeStr.MSVBVM60(?,?,?,?,004153F6), ref: 00546100
      • __vbaFreeStr.MSVBVM60(?,?,?,?,004153F6), ref: 00546109
      • __vbaFreeVar.MSVBVM60(?,?,?,?,004153F6), ref: 00546112
      • __vbaFreeStr.MSVBVM60(?,?,?,?,004153F6), ref: 0054611B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$CallLate$#518#685Chkstk$AddrefCopyErrorListMoveOffset$#617#626EachUnlock
      • String ID: .exe$Caption$ExecQuery$Terminate$localhost$select * from Win32_Process WHERE Name = '$winmgmts://
      • API String ID: 2098987896-4279341880
      • Opcode ID: 7d4eba7e006c5c0c32d473050dcea3a94e77b37a07a7d7201dba5a784851ecea
      • Instruction ID: 312d178799d539e9b25ace537ad098832686a77a8319916d581198a4a660a19e
      • Opcode Fuzzy Hash: 7d4eba7e006c5c0c32d473050dcea3a94e77b37a07a7d7201dba5a784851ecea
      • Instruction Fuzzy Hash: 9B120AB2800218EBDB14DFA0DD88FDEBB78BF48705F108599E61AB7161DB745A88CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0059C8C0 Relevance: 128.2, APIs: 71, Strings: 2, Instructions: 497COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0059C8DE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0059C917
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 0059C92C
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 0059C941
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 0059C956
      • __vbaStrMove.MSVBVM60 ref: 0059C990
      • __vbaLenBstr.MSVBVM60(?), ref: 0059C9A1
      • __vbaStrCopy.MSVBVM60 ref: 0059C9BB
        • Part of subcall function 00519940: __vbaChkstk.MSVBVM60(000000FF,004153F6), ref: 0051995E
        • Part of subcall function 00519940: __vbaAptOffset.MSVBVM60(00419C98,?,00000000,00000000,000000FF,004153F6), ref: 00519983
        • Part of subcall function 00519940: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,000000FF,004153F6), ref: 0051999F
        • Part of subcall function 00519940: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,00000000,000000FF,004153F6), ref: 005199BE
        • Part of subcall function 00519940: #525.MSVBVM60(00000104,?,00000000,00000000,000000FF,004153F6), ref: 005199D8
        • Part of subcall function 00519940: __vbaStrMove.MSVBVM60(?,00000000,00000000,000000FF,004153F6), ref: 005199E3
        • Part of subcall function 00519940: __vbaLenBstr.MSVBVM60(00000000,?,00000000,00000000,000000FF,004153F6), ref: 005199F4
        • Part of subcall function 00519940: __vbaStrToAnsi.MSVBVM60(00000000,00000000,00000000,?,00000000,00000000,000000FF,004153F6), ref: 00519A03
        • Part of subcall function 00519940: __vbaSetSystemError.MSVBVM60(00000000,?,00000000,00000000,000000FF,004153F6), ref: 00519A12
        • Part of subcall function 00519940: __vbaStrToUnicode.MSVBVM60(00000000,?,?,00000000,00000000,000000FF,004153F6), ref: 00519A20
        • Part of subcall function 00519940: __vbaFreeStr.MSVBVM60(?,00000000,00000000,000000FF,004153F6), ref: 00519A2F
        • Part of subcall function 00519940: #616.MSVBVM60(00000000,?,?,00000000,00000000,000000FF,004153F6), ref: 00519A44
        • Part of subcall function 00519940: __vbaStrMove.MSVBVM60(?,00000000,00000000,000000FF,004153F6), ref: 00519A4F
        • Part of subcall function 00519940: __vbaLenBstr.MSVBVM60(00000000,?,00000000,00000000,000000FF,004153F6), ref: 00519A60
        • Part of subcall function 00519940: #619.MSVBVM60(?,00004008,00000001), ref: 00519A89
        • Part of subcall function 00519940: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 00519AA5
        • Part of subcall function 00519940: __vbaFreeVar.MSVBVM60 ref: 00519AB2
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 0059C9D1
      • #685.MSVBVM60 ref: 0059C9FC
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0059CA07
      • __vbaFreeObj.MSVBVM60 ref: 0059CA28
      • __vbaNew.MSVBVM60(00441128), ref: 0059CA3A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0059CA45
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0059CA53
      • __vbaFreeObj.MSVBVM60 ref: 0059CA5C
      • __vbaNew.MSVBVM60(00436690), ref: 0059CA6E
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0059CA79
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0059CA87
      • __vbaFreeObj.MSVBVM60 ref: 0059CA90
      • #685.MSVBVM60 ref: 0059CA9D
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0059CAA8
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 0059CADB
      • __vbaFreeObj.MSVBVM60 ref: 0059CB05
      • __vbaStrMove.MSVBVM60 ref: 0059CB39
      • __vbaChkstk.MSVBVM60 ref: 0059CB62
      • __vbaStrMove.MSVBVM60 ref: 0059CB89
      • __vbaStrCat.MSVBVM60(capicom.dll,00000000), ref: 0059CB95
      • __vbaStrMove.MSVBVM60 ref: 0059CBA0
        • Part of subcall function 00536660: __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 0053667E
        • Part of subcall function 00536660: __vbaAptOffset.MSVBVM60(00419C98,?,00000001,?,00000000,004153F6), ref: 005366A3
        • Part of subcall function 00536660: __vbaStrCopy.MSVBVM60(?,00000001,?,00000000,004153F6), ref: 005366BC
        • Part of subcall function 00536660: __vbaVarDup.MSVBVM60(?,00000001,?,00000000,004153F6), ref: 005366C8
        • Part of subcall function 00536660: __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,004153F6), ref: 005366D7
        • Part of subcall function 00536660: __vbaStrCmp.MSVBVM60(true,?,?,00000001,?,00000000,004153F6), ref: 005366F6
        • Part of subcall function 00536660: __vbaStrCopy.MSVBVM60(?,00000001,?,00000000,004153F6), ref: 0053671C
        • Part of subcall function 00536660: #518.MSVBVM60(?,00004008), ref: 00536747
        • Part of subcall function 00536660: #619.MSVBVM60(?,?,00000004), ref: 00536757
        • Part of subcall function 00536660: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0053677C
        • Part of subcall function 00536660: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00536793
        • Part of subcall function 00536660: __vbaBoolVar.MSVBVM60(?,?,00000000,004153F6), ref: 005367B2
        • Part of subcall function 00536660: __vbaStrCopy.MSVBVM60 ref: 00536B2C
        • Part of subcall function 00536660: #685.MSVBVM60(?,00000001,?,00000000,004153F6), ref: 00536B39
        • Part of subcall function 00536660: __vbaObjSet.MSVBVM60(?,00000000,?,00000001,?,00000000,004153F6), ref: 00536B44
      • __vbaFreeStrList.MSVBVM60(00000003,00000000,?,00000000,00000000), ref: 0059CBBA
      • #685.MSVBVM60(?,?,?,004153F6), ref: 0059CBCA
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,004153F6), ref: 0059CBD5
      • __vbaFreeObj.MSVBVM60(?,?,?,004153F6), ref: 0059CBF6
      • __vbaCastObj.MSVBVM60(00000000,00441118,?,?,?,004153F6), ref: 0059CC0A
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,004153F6), ref: 0059CC15
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,004153F6), ref: 0059CC23
      • __vbaFreeObj.MSVBVM60(?,?,?,004153F6), ref: 0059CC2C
      • __vbaCastObj.MSVBVM60(00000000,00436680,?,?,?,004153F6), ref: 0059CC40
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,004153F6), ref: 0059CC4B
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,004153F6), ref: 0059CC59
      • __vbaFreeObj.MSVBVM60(?,?,?,004153F6), ref: 0059CC62
      • __vbaNew.MSVBVM60(00441128,?,?,?,004153F6), ref: 0059CC74
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,004153F6), ref: 0059CC7F
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,004153F6), ref: 0059CC8D
      • __vbaFreeObj.MSVBVM60(?,?,?,004153F6), ref: 0059CC96
      • __vbaNew.MSVBVM60(00436690,?,?,?,004153F6), ref: 0059CCA8
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,004153F6), ref: 0059CCB3
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,004153F6), ref: 0059CCC1
      • __vbaFreeObj.MSVBVM60(?,?,?,004153F6), ref: 0059CCCA
      • #685.MSVBVM60(?,?,?,004153F6), ref: 0059CCD7
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,004153F6), ref: 0059CCE2
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 0059CD15
      • __vbaFreeObj.MSVBVM60 ref: 0059CD3F
      • __vbaChkstk.MSVBVM60(00000000,?,00000000), ref: 0059CD8C
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00436680,00000034), ref: 0059CDD9
      • __vbaStrMove.MSVBVM60 ref: 0059CE0A
      • __vbaFreeVar.MSVBVM60 ref: 0059CE13
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00441118,00000024), ref: 0059CE66
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00441118,00000028), ref: 0059CEB8
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00441118,0000001C), ref: 0059CF0A
      • #520.MSVBVM60(?,00000008), ref: 0059CF4A
      • __vbaStrVarMove.MSVBVM60(?), ref: 0059CF54
      • __vbaStrMove.MSVBVM60 ref: 0059CF5F
      • __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0059CF6F
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 0059CF88
      • __vbaStrCopy.MSVBVM60 ref: 0059CF9F
      • #685.MSVBVM60 ref: 0059CFAC
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0059CFB7
      • __vbaFreeObj.MSVBVM60 ref: 0059CFD8
      • __vbaFreeStr.MSVBVM60(0059D03F), ref: 0059D02F
      • __vbaFreeStr.MSVBVM60 ref: 0059D038
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$Copy$#685AddrefCheckHresult$Chkstk$Error$BstrList$#619CastOffset$#518#520#525#616AnsiBoolSystemUnicode
      • String ID: )$capicom.dll
      • API String ID: 1972158018-1218308616
      • Opcode ID: 66cd6ad32a66932b6b4582159191dff8629afcab6647db32dd41fc44f31ffe59
      • Instruction ID: 83050b7253b7c649c5e9494ca11322776a0caa03d08ded5cd5cd1c581475e132
      • Opcode Fuzzy Hash: 66cd6ad32a66932b6b4582159191dff8629afcab6647db32dd41fc44f31ffe59
      • Instruction Fuzzy Hash: 7D323875900208EFDB14DFA4DA88BDEBBB5FF48304F208169F506AB2A1DB749A45CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0050C140 Relevance: 123.0, APIs: 67, Strings: 3, Instructions: 486COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,005416BA,?), ref: 0050C15E
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000000,?,00000000,004153F6), ref: 0050C183
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004153F6), ref: 0050C19F
        • Part of subcall function 0050B5F0: __vbaChkstk.MSVBVM60(00000000,004153F6,0050C1B1,?,00000000,?,00000000,004153F6), ref: 0050B60E
        • Part of subcall function 0050B5F0: __vbaAptOffset.MSVBVM60(00419C98,?,00000000,?,00000000,004153F6,0050C1B1), ref: 0050B633
        • Part of subcall function 0050B5F0: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004153F6,0050C1B1), ref: 0050B64F
        • Part of subcall function 0050B5F0: #685.MSVBVM60(?,00000000,?,00000000,004153F6,0050C1B1), ref: 0050B65C
        • Part of subcall function 0050B5F0: __vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,00000000,004153F6,0050C1B1), ref: 0050B667
        • Part of subcall function 0050B5F0: __vbaFreeObj.MSVBVM60(?,00000000,?,00000000,004153F6,0050C1B1), ref: 0050B688
        • Part of subcall function 0050B5F0: __vbaLateMemCallLd.MSVBVM60(?,?,info,00000000), ref: 0050B6BB
        • Part of subcall function 0050B5F0: __vbaVarTstGt.MSVBVM60(?,00000000,00000000,?,00000000,004153F6,0050C1B1), ref: 0050B6C9
        • Part of subcall function 0050B5F0: __vbaFreeVar.MSVBVM60(?,00000000,004153F6,0050C1B1), ref: 0050B6D6
        • Part of subcall function 0050B5F0: #685.MSVBVM60(?,00000000,004153F6,0050C1B1), ref: 0050B6EF
        • Part of subcall function 0050B5F0: __vbaObjSet.MSVBVM60(?,00000000,?,00000000,004153F6,0050C1B1), ref: 0050B6FA
        • Part of subcall function 0050B5F0: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 0050B736
        • Part of subcall function 0050B5F0: __vbaFreeObj.MSVBVM60 ref: 0050B763
      • #685.MSVBVM60(?,00000000,?,00000000,004153F6), ref: 0050C1C2
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,00000000,004153F6), ref: 0050C1CD
      • __vbaFreeObj.MSVBVM60(?,00000000,?,00000000,004153F6), ref: 0050C1EE
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,?,00000000,004153F6), ref: 0050C20D
      • __vbaStrCmp.MSVBVM60(?,?,?,00000000,?,00000000,004153F6), ref: 0050C22D
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,?,00000000,004153F6), ref: 0050C253
      • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004153F6), ref: 0050C27A
      • __vbaChkstk.MSVBVM60 ref: 0050C29E
      • __vbaLateMemCallLd.MSVBVM60(?,?,translateit,00000001), ref: 0050C2D4
      • __vbaStrVarMove.MSVBVM60(00000000,?,?,?,?,00000000,?,00000000,004153F6), ref: 0050C2DE
      • __vbaStrMove.MSVBVM60(?,?,?,?,00000000,?,00000000,004153F6), ref: 0050C2E9
      • __vbaFreeVar.MSVBVM60(?,?,?,?,00000000,?,00000000,004153F6), ref: 0050C2F2
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,00000000,?,00000000,004153F6), ref: 0050C308
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00000000,?,00000000,004153F6), ref: 0050C321
      • __vbaStrCmp.MSVBVM60(00000000,?,?,?,?,?,00000000,?,00000000,004153F6), ref: 0050C338
      • __vbaInStr.MSVBVM60(00000000,00420760,?,00000001,?,?,?,?,00000000,?,00000000,004153F6), ref: 0050C355
      • #712.MSVBVM60(00000000,00420760,@@vbcrlf@@,00000001,000000FF,00000000,?,00000001,?,?,?,?,00000000,?,00000000,004153F6), ref: 0050C389
      • __vbaChkstk.MSVBVM60 ref: 0050C39E
      • __vbaLateMemCallLd.MSVBVM60(?,?,translateit,00000001), ref: 0050C3D4
      • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004153F6), ref: 0050C801
      • #685.MSVBVM60(?,00000000,?,00000000,004153F6), ref: 0050C80E
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,00000000,004153F6), ref: 0050C819
      • __vbaFreeObj.MSVBVM60(?,00000000,?,00000000,004153F6), ref: 0050C83A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685Chkstk$CallCopyLate$ErrorMoveOffset$#712CheckHresult
      • String ID: '$@@vbcrlf@@$translateit
      • API String ID: 1971963269-3714960174
      • Opcode ID: c9cb09806c4cfa2baffb15fdb3f7ea11ffc12427b1b2b5e2fce51810559e2da7
      • Instruction ID: 2abca887b35a8271920832b34e53da14ea4f75a5f95386bf799d4fb35291e057
      • Opcode Fuzzy Hash: c9cb09806c4cfa2baffb15fdb3f7ea11ffc12427b1b2b5e2fce51810559e2da7
      • Instruction Fuzzy Hash: 5A221875A00208EFDB14DFA4D988BDEBBB4FF48704F108299E506BB2A0DB759A45CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0059C1E0 Relevance: 122.9, APIs: 64, Strings: 6, Instructions: 419COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0059C1FE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0059C237
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 0059C24C
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,004153F6), ref: 00521D3E
        • Part of subcall function 00521D20: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,?), ref: 00521D63
        • Part of subcall function 00521D20: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,?), ref: 00521D7F
        • Part of subcall function 00521D20: __vbaStrCmp.MSVBVM60(true,?,?,?,?,00000000,004153F6,?), ref: 00521D9E
        • Part of subcall function 00521D20: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DC4
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DDB
        • Part of subcall function 00521D20: __vbaVarDup.MSVBVM60 ref: 00521E12
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 00521E39
        • Part of subcall function 00521D20: #711.MSVBVM60(?,00000000), ref: 00521E47
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60 ref: 00521E52
        • Part of subcall function 00521D20: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 00521E90
        • Part of subcall function 00521D20: #520.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EA1
        • Part of subcall function 00521D20: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EAB
        • Part of subcall function 00521D20: #518.MSVBVM60(?,?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EBF
        • Part of subcall function 00521D20: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ECC
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ED7
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,004153F6), ref: 0059C25E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 0059C289
      • #717.MSVBVM60(?,00004008,00000080,00000000), ref: 0059C2B2
      • __vbaStrVarMove.MSVBVM60(?), ref: 0059C2BC
      • __vbaStrMove.MSVBVM60 ref: 0059C2C7
      • __vbaFreeVar.MSVBVM60 ref: 0059C2D0
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 0059C2E6
      • #685.MSVBVM60 ref: 0059C2FB
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0059C306
      • __vbaFreeObj.MSVBVM60 ref: 0059C327
      • __vbaStrCopy.MSVBVM60 ref: 0059C33C
      • __vbaStrCopy.MSVBVM60 ref: 0059C34A
      • __vbaObjSet.MSVBVM60(?,00000000,ebCrypt.eb_c_Hash,00000000,?,?), ref: 0059C371
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0059C381
      • #685.MSVBVM60(?,?,004153F6), ref: 0059C391
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,004153F6), ref: 0059C39C
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 0059C3E7
      • __vbaFreeObj.MSVBVM60 ref: 0059C417
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0059C439
      • __vbaStrMove.MSVBVM60 ref: 0059C450
      • __vbaChkstk.MSVBVM60 ref: 0059C479
      • __vbaStrMove.MSVBVM60 ref: 0059C4A0
      • __vbaStrCat.MSVBVM60(ebCrypt.dll,00000000), ref: 0059C4AC
      • __vbaStrMove.MSVBVM60 ref: 0059C4B7
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,00000000,00000000), ref: 0059C4D1
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,004153F6), ref: 0059C4EB
      • __vbaChkstk.MSVBVM60 ref: 0059C514
      • __vbaStrMove.MSVBVM60 ref: 0059C53B
      • __vbaStrCat.MSVBVM60(vbCrypt.dll,00000000), ref: 0059C547
      • __vbaStrMove.MSVBVM60 ref: 0059C552
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,00000000,00000000), ref: 0059C56C
      • #685.MSVBVM60 ref: 0059C57C
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0059C587
      • __vbaFreeObj.MSVBVM60 ref: 0059C5A8
      • __vbaStrCopy.MSVBVM60 ref: 0059C5BD
      • __vbaStrCopy.MSVBVM60 ref: 0059C5CB
      • __vbaObjSet.MSVBVM60(?,00000000,ebCrypt.eb_c_Hash,00000000,?,?), ref: 0059C5F2
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0059C602
      • __vbaChkstk.MSVBVM60 ref: 0059C632
      • __vbaChkstk.MSVBVM60 ref: 0059C655
      • __vbaLateMemCallLd.MSVBVM60(?,?,hashstring,00000002), ref: 0059C682
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 0059C68C
      • __vbaStrMove.MSVBVM60 ref: 0059C697
      • __vbaFreeVar.MSVBVM60 ref: 0059C6A0
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0059C6B3
      • #685.MSVBVM60 ref: 0059C6C0
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0059C6CB
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 0059C716
      • __vbaFreeObj.MSVBVM60 ref: 0059C746
      • __vbaStrCopy.MSVBVM60 ref: 0059C766
      • #685.MSVBVM60 ref: 0059C783
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0059C78E
      • __vbaFreeObj.MSVBVM60 ref: 0059C7AF
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 0059C7D8
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 0059C7ED
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,004153F6), ref: 0059C7FF
      • #685.MSVBVM60(?,?,?,?,004153F6), ref: 0059C80C
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 0059C817
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 0059C838
      • __vbaFreeStr.MSVBVM60(0059C895,?,?,?,?,004153F6), ref: 0059C885
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 0059C88E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$Copy$Chkstk$#685$List$AddrefCheckErrorHresult$#518#520#711#717CallIndexLateLoadLockOffsetUnlock
      • String ID: Entering ebhash$Leaving ebhash$ebCrypt.dll$ebCrypt.eb_c_Hash$hashstring$vbCrypt.dll
      • API String ID: 1354180897-3639736530
      • Opcode ID: adc0a573a4f76f8f4a669345914eeeef1a9ee5c55a1e955f6c06b41d07e83e98
      • Instruction ID: fafaf003e5c55b30a7e09e8de6536d6d09f89ebb00cd7dcc3d44f5ca0ec9fda7
      • Opcode Fuzzy Hash: adc0a573a4f76f8f4a669345914eeeef1a9ee5c55a1e955f6c06b41d07e83e98
      • Instruction Fuzzy Hash: FA12F975900208EFDB14DFA4DE88BDEBBB5FF48304F1081A9E506A72A1DB745A89CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00548070 Relevance: 117.6, APIs: 60, Strings: 7, Instructions: 397COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0054808E
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000000,?,?,004153F6), ref: 005480B3
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004153F6), ref: 005480CF
      • __vbaStrCopy.MSVBVM60(?,00000000,?,?,004153F6), ref: 005480E4
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,004153F6), ref: 00521D3E
        • Part of subcall function 00521D20: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,?), ref: 00521D63
        • Part of subcall function 00521D20: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,?), ref: 00521D7F
        • Part of subcall function 00521D20: __vbaStrCmp.MSVBVM60(true,?,?,?,?,00000000,004153F6,?), ref: 00521D9E
        • Part of subcall function 00521D20: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DC4
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DDB
        • Part of subcall function 00521D20: __vbaVarDup.MSVBVM60 ref: 00521E12
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 00521E39
        • Part of subcall function 00521D20: #711.MSVBVM60(?,00000000), ref: 00521E47
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60 ref: 00521E52
        • Part of subcall function 00521D20: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 00521E90
        • Part of subcall function 00521D20: #520.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EA1
        • Part of subcall function 00521D20: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EAB
        • Part of subcall function 00521D20: #518.MSVBVM60(?,?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EBF
        • Part of subcall function 00521D20: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ECC
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ED7
      • __vbaFreeStr.MSVBVM60(?,?,00000000,?,?,004153F6), ref: 005480F6
      • __vbaStrCmp.MSVBVM60(true,?,?,00000000,?,?,004153F6), ref: 00548115
      • __vbaStrCopy.MSVBVM60(?,00000000,?,?,004153F6), ref: 0054813B
      • #685.MSVBVM60(?,00000000,?,?,004153F6), ref: 00548148
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,?,004153F6), ref: 00548153
      • __vbaFreeObj.MSVBVM60(?,00000000,?,?,004153F6), ref: 00548174
      • __vbaLateMemCallLd.MSVBVM60(?,?,info,00000000), ref: 005481A7
      • __vbaVarTstLt.MSVBVM60(?,00000000,00000000,?,?,004153F6), ref: 005481B5
      • __vbaFreeVar.MSVBVM60(?,?,004153F6), ref: 005481C2
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,004153F6), ref: 005481E5
      • #685.MSVBVM60(?,?,004153F6), ref: 005481F7
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,004153F6), ref: 00548202
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 00548235
      • __vbaFreeObj.MSVBVM60 ref: 00548262
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00548289
      • #685.MSVBVM60 ref: 00548296
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005482A1
      • __vbaFreeObj.MSVBVM60 ref: 005482C2
      • #685.MSVBVM60 ref: 005482CF
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005482DA
      • __vbaFreeObj.MSVBVM60 ref: 005482FB
      • __vbaChkstk.MSVBVM60 ref: 00548331
      • __vbaLateMemSt.MSVBVM60(?,AnaCalled), ref: 00548361
      • #685.MSVBVM60 ref: 0054836E
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00548379
      • __vbaFreeObj.MSVBVM60 ref: 0054839A
      • __vbaLateMemCallLd.MSVBVM60(?,?,HighestLicenseCount,00000000), ref: 005483BF
      • __vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,?,004153F6), ref: 005483C9
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,004153F6), ref: 005483D5
      • #685.MSVBVM60(?,?,?,?,?,?,?,004153F6), ref: 005483F2
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005483FD
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 00548430
      • __vbaFreeObj.MSVBVM60 ref: 0054845D
      • #685.MSVBVM60 ref: 00548483
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0054848E
      • __vbaFreeObj.MSVBVM60 ref: 005484AF
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 005484CE
      • __vbaI4Str.MSVBVM60(?), ref: 005484F0
      • __vbaI4Str.MSVBVM60(?), ref: 00548512
      • #685.MSVBVM60 ref: 00548528
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00548533
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 00548566
      • __vbaFreeObj.MSVBVM60 ref: 00548593
      • __vbaI4Str.MSVBVM60(?), ref: 005485B8
      • #685.MSVBVM60 ref: 005485C8
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005485D3
      • __vbaFreeObj.MSVBVM60 ref: 005485F4
      • __vbaStrCopy.MSVBVM60 ref: 00548612
      • __vbaStrI4.MSVBVM60(?,highest license count: ,?,00000000,?,?,004153F6), ref: 00548635
      • __vbaStrMove.MSVBVM60(?,00000000,?,?,004153F6), ref: 00548640
      • __vbaStrCat.MSVBVM60(00000000,?,00000000,?,?,004153F6), ref: 00548647
      • __vbaStrMove.MSVBVM60(?,00000000,?,?,004153F6), ref: 00548652
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,00000000,?,?,004153F6), ref: 0054866B
      • #685.MSVBVM60(?,?,004153F6), ref: 0054867B
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,004153F6), ref: 00548686
      • __vbaFreeObj.MSVBVM60(?,?,004153F6), ref: 005486A7
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685$Move$ChkstkCopy$CheckHresultLate$AddrefCallErrorOffset$#518#520#711IndexListLoadLockUnlock
      • String ID: )$AnaCalled$HighestLicenseCount$going to find highest license count$highest license count: $info$true
      • API String ID: 3652020283-3881071883
      • Opcode ID: 52e888fab8323edb6aa911c97368b95d1a678207f54428646ceb366633866e71
      • Instruction ID: 68445f1be25335f10b8aabb1caed52ef74c9e4552cb9ac9339bc10e3871295eb
      • Opcode Fuzzy Hash: 52e888fab8323edb6aa911c97368b95d1a678207f54428646ceb366633866e71
      • Instruction Fuzzy Hash: FF023774D00208EFDB14DFA4DE88BDEBBB5BF48305F208199E506A72A1DB749A45CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 004FADA0 Relevance: 115.9, APIs: 56, Strings: 10, Instructions: 381COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 004FADBE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 004FADF7
      • __vbaChkstk.MSVBVM60 ref: 004FAE4B
      • __vbaChkstk.MSVBVM60 ref: 004FAE6E
      • __vbaLateMemCallLd.MSVBVM60(?,?,DESdecrypt,00000002), ref: 004FAE9E
      • __vbaStrVarMove.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,004153F6), ref: 004FAEA8
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004153F6), ref: 004FAEB3
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004153F6), ref: 004FAEBC
      • __vbaHresultCheckObj.MSVBVM60(?,?,0041C0D8,00000054), ref: 004FAF02
      • #716.MSVBVM60(?,CAPICOM.Utilities,00000000), ref: 004FAF3A
      • __vbaObjVar.MSVBVM60(?), ref: 004FAF44
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004FAF4F
      • __vbaFreeVar.MSVBVM60 ref: 004FAF58
      • #717.MSVBVM60(?,00004008,00000080,00000000), ref: 004FAF81
      • __vbaChkstk.MSVBVM60 ref: 004FAF8C
      • __vbaLateMemCallLd.MSVBVM60(?,?,Base64Encode,00000001), ref: 004FAFB9
      • __vbaStrVarMove.MSVBVM60(00000000,?,?,?,?,?,?,?,004153F6), ref: 004FAFC3
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,004153F6), ref: 004FAFCE
      • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,004153F6), ref: 004FAFDE
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,004153F6), ref: 004FAFF4
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004153F6), ref: 004FB009
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004153F6), ref: 004FB01E
      • #685.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004153F6), ref: 004FB02B
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,004153F6), ref: 004FB036
      • #685.MSVBVM60 ref: 004FB2F3
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004FB2FE
      • __vbaFreeObj.MSVBVM60 ref: 004FB31F
      • __vbaFreeObj.MSVBVM60(004FB38B), ref: 004FB372
      • __vbaFreeStr.MSVBVM60 ref: 004FB37B
      • __vbaFreeObj.MSVBVM60 ref: 004FB384
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$ChkstkMove$#685AddrefCallCopyLate$#716#717CheckErrorHresultList
      • String ID: @@NULL@@$Algorithm$Base64Encode$CAPICOM.EncryptedData$CAPICOM.Utilities$DESdecrypt$Name$SetSecret$content$decrypt
      • API String ID: 4008903109-3869962738
      • Opcode ID: 9996a0b55da6d6008b66bad86e1c7b98295caa510413f03d166cb1814e453555
      • Instruction ID: e910bccd6cf44098cc722fc5270f503cf70c0c348f363a2771f652117da3f590
      • Opcode Fuzzy Hash: 9996a0b55da6d6008b66bad86e1c7b98295caa510413f03d166cb1814e453555
      • Instruction Fuzzy Hash: CD02F3B4900308DFDB04DFA4DA88BDDBBB5FF48304F208169E919AB2A1D7759A46CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0056B530 Relevance: 112.4, APIs: 61, Strings: 3, Instructions: 399COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 0056B54E
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000000,00000000,00000000,004153F6), ref: 0056B573
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,004153F6), ref: 0056B58F
      • #518.MSVBVM60(?,00004008), ref: 0056B5BF
      • __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 0056B600
      • __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 0056B60E
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0056B625
      • __vbaStrCopy.MSVBVM60(00000000,00000000,004153F6), ref: 0056B651
      • __vbaSetSystemError.MSVBVM60(00000000,00000000,004153F6), ref: 0056B68C
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,00000000,00000000,004153F6), ref: 0056B6B6
      • __vbaStrCopy.MSVBVM60 ref: 0056B6D6
      • __vbaStrCopy.MSVBVM60 ref: 0056B6F0
      • #525.MSVBVM60(00000104), ref: 0056B71E
      • __vbaStrMove.MSVBVM60 ref: 0056B729
      • __vbaStrToAnsi.MSVBVM60(?,?), ref: 0056B75E
      • __vbaSetSystemError.MSVBVM60(00000000,?,00000000,00000000,00000000), ref: 0056B783
      • __vbaStrToUnicode.MSVBVM60(?,?), ref: 0056B791
      • __vbaFreeStr.MSVBVM60 ref: 0056B7AF
      • __vbaLenBstr.MSVBVM60(?), ref: 0056B7CF
      • #632.MSVBVM60(?,00004008,00000001,00000002), ref: 0056B847
      • __vbaStrVarVal.MSVBVM60(?,?), ref: 0056B855
      • #516.MSVBVM60(00000000), ref: 0056B85C
      • __vbaFreeStr.MSVBVM60 ref: 0056B86B
      • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0056B87B
      • #632.MSVBVM60(?,00004008,00000001,00000003), ref: 0056B8CF
      • __vbaStrVarMove.MSVBVM60(?), ref: 0056B8D9
      • __vbaStrMove.MSVBVM60 ref: 0056B8E4
      • __vbaFreeVarList.MSVBVM60(00000002,00000003,?), ref: 0056B8F4
      • #608.MSVBVM60(?,00000000), ref: 0056B918
      • __vbaStrVarVal.MSVBVM60(?,?,0041AA3C,00000001,000000FF,00000000), ref: 0056B931
      • #712.MSVBVM60(?,00000000), ref: 0056B93C
      • #520.MSVBVM60(?,00000008), ref: 0056B954
      • __vbaStrVarMove.MSVBVM60(?), ref: 0056B95E
      • __vbaStrMove.MSVBVM60 ref: 0056B969
      • __vbaFreeStr.MSVBVM60 ref: 0056B972
      • __vbaFreeVarList.MSVBVM60(00000003,?,00000008,?), ref: 0056B986
      • #618.MSVBVM60(?,00000001), ref: 0056B99C
      • __vbaStrMove.MSVBVM60 ref: 0056B9A7
      • __vbaStrCmp.MSVBVM60(0041F52C,00000000), ref: 0056B9B3
      • __vbaFreeStr.MSVBVM60 ref: 0056B9CB
      • __vbaStrCat.MSVBVM60(0041F52C,?), ref: 0056B9EC
      • __vbaStrMove.MSVBVM60 ref: 0056B9F7
      • __vbaLenBstr.MSVBVM60(?), ref: 0056BA08
      • __vbaVarDup.MSVBVM60 ref: 0056BA38
      • #667.MSVBVM60(?), ref: 0056BA42
      • __vbaStrMove.MSVBVM60 ref: 0056BA4D
      • __vbaFreeVar.MSVBVM60 ref: 0056BA56
      • #618.MSVBVM60(?,00000001), ref: 0056BA69
      • __vbaStrMove.MSVBVM60 ref: 0056BA74
      • __vbaStrCmp.MSVBVM60(0041F52C,00000000), ref: 0056BA80
      • __vbaFreeStr.MSVBVM60 ref: 0056BA98
      • __vbaStrCat.MSVBVM60(0041F52C,?), ref: 0056BAB9
      • __vbaStrMove.MSVBVM60 ref: 0056BAC4
      • __vbaLenBstr.MSVBVM60(?), ref: 0056BAD5
      • __vbaStrMove.MSVBVM60(0000001A), ref: 0056BAF5
      • __vbaStrCopy.MSVBVM60 ref: 0056BB11
      • #685.MSVBVM60 ref: 0056BB1E
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0056BB29
      • __vbaFreeObj.MSVBVM60 ref: 0056BB4A
      • __vbaFreeStr.MSVBVM60(0056BB9E), ref: 0056BB97
      • __vbaErrorOverflow.MSVBVM60 ref: 0056BBB4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$CopyErrorList$Bstr$#618#632System$#516#518#520#525#608#667#685#712AnsiChkstkOffsetOverflowUnicode
      • String ID: *$APPDATA$\default\
      • API String ID: 4098389905-1245737974
      • Opcode ID: 4a6ad9e58213e110973d214f73f0fa0b47dd02c4061a4959f5f1eb175f4f6c73
      • Instruction ID: 0e6eeebf6a29fccf9a63f85316df1fec92f0edfb905ea526ca50e823664dee52
      • Opcode Fuzzy Hash: 4a6ad9e58213e110973d214f73f0fa0b47dd02c4061a4959f5f1eb175f4f6c73
      • Instruction Fuzzy Hash: 8902E871900209EFEB14DFE0DA98BDEBBB4BF48305F108169E506B72A0DB745A89CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00521650 Relevance: 108.9, APIs: 55, Strings: 7, Instructions: 430COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,005238FE), ref: 0052166E
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6), ref: 0052169B
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6), ref: 005216AA
      • #520.MSVBVM60(?,00004008), ref: 005216E2
      • #518.MSVBVM60(?,?), ref: 005216F0
      • __vbaVarDup.MSVBVM60 ref: 00521713
      • #520.MSVBVM60(?,?), ref: 00521721
      • #518.MSVBVM60(?,?), ref: 0052172F
      • __vbaVarTstEq.MSVBVM60(?,?), ref: 0052173D
      • __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 00521760
      • #520.MSVBVM60(?,00004008), ref: 005217A6
      • #518.MSVBVM60(?,?), ref: 005217B4
      • __vbaVarDup.MSVBVM60 ref: 005217D7
      • #520.MSVBVM60(?,?), ref: 005217E5
      • #518.MSVBVM60(?,?), ref: 005217F3
      • __vbaVarTstEq.MSVBVM60(?,?), ref: 00521801
      • __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 00521824
      • #520.MSVBVM60(?,00004008), ref: 0052186A
      • #518.MSVBVM60(?,?), ref: 00521878
      • __vbaVarDup.MSVBVM60 ref: 0052189B
      • #520.MSVBVM60(?,?), ref: 005218A9
      • #518.MSVBVM60(?,?), ref: 005218B7
      • __vbaVarTstEq.MSVBVM60(?,?), ref: 005218C5
      • __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 005218E8
      • #520.MSVBVM60(?,00004008), ref: 0052192E
      • #518.MSVBVM60(?,?), ref: 0052193C
      • __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 0052197D
      • __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 0052198B
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 005219A6
      • #520.MSVBVM60(?,00004008), ref: 005219EC
      • #518.MSVBVM60(?,?), ref: 005219FA
      • __vbaVarDup.MSVBVM60 ref: 00521A1D
      • #520.MSVBVM60(?,?), ref: 00521A2B
      • #518.MSVBVM60(?,?), ref: 00521A39
      • __vbaInStrVar.MSVBVM60(?,00000000,?,?,00000001), ref: 00521A66
      • __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 00521A74
      • __vbaFreeVarList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 00521A9E
      • #520.MSVBVM60(?,00004008), ref: 00521AE4
      • #518.MSVBVM60(?,?), ref: 00521AF2
      • __vbaVarDup.MSVBVM60 ref: 00521B15
      • #518.MSVBVM60(?,?), ref: 00521B23
      • __vbaInStrVar.MSVBVM60(?,00000000,?,?,00000001), ref: 00521B4D
      • __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 00521B5B
      • __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 00521B7E
      • #520.MSVBVM60(?,00004008), ref: 00521BC4
      • #518.MSVBVM60(?,?), ref: 00521BD2
      • __vbaVarDup.MSVBVM60 ref: 00521BF5
      • #518.MSVBVM60(?,?), ref: 00521C03
      • __vbaInStrVar.MSVBVM60(?,00000000,?,?,00000001), ref: 00521C2D
      • __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 00521C3B
      • __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 00521C5E
      • #685.MSVBVM60 ref: 00521C86
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00521C91
      • __vbaFreeObj.MSVBVM60 ref: 00521CB2
      • __vbaFreeStr.MSVBVM60(00521D00), ref: 00521CF9
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#518$#520$Free$List$#685ChkstkCopyError
      • String ID: Info Ready$Is NOT System (lsass) Process$Is_ServerMode$ReaderList Length (in characters) is:$set_$set_ ready$unloading
      • API String ID: 1926088322-990535336
      • Opcode ID: 5fdcc2d78a9a278702be02ad67cf3782cf28f76770e34a6f65b1823d655e2968
      • Instruction ID: c951ff9b9e456a20fff4d4877d1de36e977f8a185cb9539f9a2df74b464d8e3d
      • Opcode Fuzzy Hash: 5fdcc2d78a9a278702be02ad67cf3782cf28f76770e34a6f65b1823d655e2968
      • Instruction Fuzzy Hash: B812A3B2C00218EBEB15DFD0D988FDEB778BF48704F00859AE216B6160EB745689CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005251D0 Relevance: 108.8, APIs: 60, Strings: 2, Instructions: 330COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6,0052515E), ref: 005251EE
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6,0052515E), ref: 00525213
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6,0052515E), ref: 0052522F
      • __vbaSetSystemError.MSVBVM60(00000094), ref: 00525284
      • #685.MSVBVM60 ref: 00525291
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0052529F
      • __vbaFreeObj.MSVBVM60 ref: 005252C3
      • #685.MSVBVM60 ref: 005252E4
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005252F2
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 0052533D
      • __vbaFreeObj.MSVBVM60 ref: 00525370
      • __vbaStrI4.MSVBVM60(?,OS: ), ref: 005253C0
      • __vbaStrMove.MSVBVM60 ref: 005253CE
      • __vbaStrCat.MSVBVM60(00000000), ref: 005253D5
      • __vbaStrMove.MSVBVM60 ref: 005253E3
      • __vbaStrCat.MSVBVM60(004210F0,00000000), ref: 005253EF
      • __vbaStrMove.MSVBVM60 ref: 005253FD
      • __vbaStrI4.MSVBVM60(00000005,00000000), ref: 0052540B
      • __vbaStrMove.MSVBVM60 ref: 00525419
      • __vbaStrCat.MSVBVM60(00000000), ref: 00525420
      • __vbaStrMove.MSVBVM60 ref: 0052542E
      • __vbaStrCat.MSVBVM60(004206D8,00000000), ref: 0052543A
      • __vbaStrMove.MSVBVM60 ref: 00525448
      • __vbaStrI4.MSVBVM60(?,00000000), ref: 00525456
      • __vbaStrMove.MSVBVM60 ref: 00525464
      • __vbaStrCat.MSVBVM60(00000000), ref: 0052546B
      • __vbaStrMove.MSVBVM60 ref: 00525479
      • __vbaStrCat.MSVBVM60(004206D8,00000000), ref: 00525485
      • __vbaStrMove.MSVBVM60 ref: 00525493
      • __vbaStrI4.MSVBVM60(?,00000000), ref: 005254A1
      • __vbaStrMove.MSVBVM60 ref: 005254AF
      • __vbaStrCat.MSVBVM60(00000000), ref: 005254B6
      • __vbaStrMove.MSVBVM60 ref: 005254C4
      • __vbaFreeStrList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00525525
      • __vbaStrI4.MSVBVM60(?,OS: ,?,?,?,?,?,?,?,?,?,?,?,004153F6,0052515E), ref: 00525541
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004153F6,0052515E), ref: 0052554F
      • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,004153F6,0052515E), ref: 00525556
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004153F6,0052515E), ref: 00525564
      • __vbaStrCat.MSVBVM60(004210F0,00000000,?,?,?,?,?,?,?,?,?,?,?,004153F6,0052515E), ref: 00525570
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004153F6,0052515E), ref: 0052557E
      • __vbaStrI4.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,004153F6,0052515E), ref: 0052558C
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004153F6,0052515E), ref: 0052559A
      • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,004153F6,0052515E), ref: 005255A1
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004153F6,0052515E), ref: 005255AF
      • __vbaStrCat.MSVBVM60(004206D8,00000000,?,?,?,?,?,?,?,?,?,?,?,004153F6,0052515E), ref: 005255BB
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004153F6,0052515E), ref: 005255C9
      • __vbaStrI4.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,004153F6,0052515E), ref: 005255D7
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004153F6,0052515E), ref: 005255E5
      • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,004153F6,0052515E), ref: 005255EC
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004153F6,0052515E), ref: 005255FA
      • __vbaStrCat.MSVBVM60(004206D8,00000000,?,?,?,?,?,?,?,?,?,?,?,004153F6,0052515E), ref: 00525606
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004153F6,0052515E), ref: 00525614
      • __vbaStrI4.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,004153F6,0052515E), ref: 00525622
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004153F6,0052515E), ref: 00525630
      • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,004153F6,0052515E), ref: 00525637
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004153F6,0052515E), ref: 00525645
      • __vbaFreeStrList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005256A6
      • #685.MSVBVM60(?,?,?,?,004153F6,0052515E), ref: 00525758
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6,0052515E), ref: 00525766
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6,0052515E), ref: 0052578A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Free$#685$ErrorList$CheckChkstkHresultOffsetSystem
      • String ID: OS: $c
      • API String ID: 458304046-3002540896
      • Opcode ID: 7cbe3b1a57a98e20ad2473539a152ed270f74c92b75054203683784c5143d1fe
      • Instruction ID: 13a051cdc078e2e69cdf7f2ba389abce68747b31086679a7f5a9b16bacb99836
      • Opcode Fuzzy Hash: 7cbe3b1a57a98e20ad2473539a152ed270f74c92b75054203683784c5143d1fe
      • Instruction Fuzzy Hash: F7F12F75900218DFDB14DFA0DE98BDEB7B5BB48300F1085E9E60AB36A0DB745A85CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005C8990 Relevance: 107.2, APIs: 58, Strings: 3, Instructions: 405COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 005C89AE
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 005C89D3
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 005C89EF
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 005C8A04
      • __vbaLenBstr.MSVBVM60(?,?,?,?,?,004153F6), ref: 005C8A17
      • __vbaLenBstr.MSVBVM60(00000000,InputString in String2Hex: ,?,?,?,?,?,004153F6), ref: 005C8A37
      • __vbaStrI4.MSVBVM60(00000000,?,?,?,?,?,004153F6), ref: 005C8A3E
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,004153F6), ref: 005C8A49
      • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,004153F6), ref: 005C8A50
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,004153F6), ref: 005C8A74
        • Part of subcall function 005C8860: __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 005C887E
        • Part of subcall function 005C8860: __vbaAptOffset.MSVBVM60(00419C98,00000000,00000001,6D1CD8CD,00000000,004153F6), ref: 005C88A3
        • Part of subcall function 005C8860: __vbaOnError.MSVBVM60(000000FF), ref: 005C88BC
        • Part of subcall function 005C8860: __vbaCastObj.MSVBVM60(00000000,00436680), ref: 005C88F8
        • Part of subcall function 005C8860: __vbaObjSet.MSVBVM60(?,00000000), ref: 005C8908
        • Part of subcall function 005C8860: __vbaNew.MSVBVM60(00436690), ref: 005C891A
        • Part of subcall function 005C8860: __vbaObjSet.MSVBVM60(?,00000000), ref: 005C892B
        • Part of subcall function 005C8860: #685.MSVBVM60 ref: 005C8938
        • Part of subcall function 005C8860: __vbaObjSet.MSVBVM60(?,00000000), ref: 005C8943
        • Part of subcall function 005C8860: __vbaFreeObj.MSVBVM60 ref: 005C895B
      • #685.MSVBVM60(?,?,004153F6), ref: 005C8A90
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,004153F6), ref: 005C8A9B
      • __vbaFreeObj.MSVBVM60(?,?,004153F6), ref: 005C8ABC
        • Part of subcall function 00593CF0: __vbaChkstk.MSVBVM60(?,004153F6), ref: 00593D0E
        • Part of subcall function 00593CF0: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 00593D33
        • Part of subcall function 00593CF0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 00593D4F
        • Part of subcall function 00593CF0: __vbaChkstk.MSVBVM60 ref: 00593DA9
        • Part of subcall function 00593CF0: __vbaLateMemCallLd.MSVBVM60(?,?,string2byte,00000001), ref: 00593DDF
        • Part of subcall function 00593CF0: __vbaVar2Vec.MSVBVM60(?,00000000,?,?,?,?,?,?,?,004153F6), ref: 00593DED
        • Part of subcall function 00593CF0: __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,?,004153F6), ref: 00593DFB
        • Part of subcall function 00593CF0: __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,004153F6), ref: 00593E04
        • Part of subcall function 00593CF0: __vbaVarCopy.MSVBVM60 ref: 0059405A
        • Part of subcall function 00593CF0: #685.MSVBVM60 ref: 00594067
        • Part of subcall function 00593CF0: __vbaObjSet.MSVBVM60(?,00000000), ref: 00594072
        • Part of subcall function 00593CF0: __vbaFreeObj.MSVBVM60 ref: 00594093
        • Part of subcall function 00593CF0: __vbaAryDestruct.MSVBVM60(00000000,00000000,005940F2), ref: 005940EB
      • __vbaChkstk.MSVBVM60(?,?,?,?,?,004153F6), ref: 005C8ADF
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00436680,00000034), ref: 005C8B47
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00436680,00000028), ref: 005C8BB1
      • #712.MSVBVM60(?,0041C664,0041AA3C,00000001,000000FF,00000000), ref: 005C8BDD
      • __vbaStrMove.MSVBVM60 ref: 005C8BE8
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005C8BF8
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,004153F6), ref: 005C8C04
      • #685.MSVBVM60(?,?,?,?,?,004153F6), ref: 005C8C11
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,004153F6), ref: 005C8C1C
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 005C8C67
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 005C8C88
      • __vbaFreeObj.MSVBVM60 ref: 005C8CB0
      • __vbaStrCopy.MSVBVM60 ref: 005C8CD4
      • __vbaFreeStr.MSVBVM60(?), ref: 005C8CE6
      • __vbaLenBstr.MSVBVM60 ref: 005C8CF9
      • #632.MSVBVM60(?,00004008,00000001,00000002), ref: 005C8D74
      • __vbaStrVarMove.MSVBVM60(?), ref: 005C8D7E
      • __vbaStrMove.MSVBVM60 ref: 005C8D89
      • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 005C8D99
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 005C8DB2
      • #516.MSVBVM60(?), ref: 005C8DCB
      • #573.MSVBVM60(?,00000002), ref: 005C8DE4
      • __vbaVarAdd.MSVBVM60(?,?,00000008,00000002), ref: 005C8E22
      • #619.MSVBVM60(?,00000000), ref: 005C8E2D
      • __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 005C8E59
      • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 005C8E6E
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 005C8E75
      • __vbaStrMove.MSVBVM60 ref: 005C8E80
      • __vbaFreeVarList.MSVBVM60(00000006,00000002,?,?,?,?,?), ref: 005C8EA6
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,004153F6), ref: 005C8A5B
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,004153F6), ref: 00521D3E
        • Part of subcall function 00521D20: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,?), ref: 00521D63
        • Part of subcall function 00521D20: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,?), ref: 00521D7F
        • Part of subcall function 00521D20: __vbaStrCmp.MSVBVM60(true,?,?,?,?,00000000,004153F6,?), ref: 00521D9E
        • Part of subcall function 00521D20: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DC4
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DDB
        • Part of subcall function 00521D20: __vbaVarDup.MSVBVM60 ref: 00521E12
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 00521E39
        • Part of subcall function 00521D20: #711.MSVBVM60(?,00000000), ref: 00521E47
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60 ref: 00521E52
        • Part of subcall function 00521D20: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 00521E90
        • Part of subcall function 00521D20: #520.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EA1
        • Part of subcall function 00521D20: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EAB
        • Part of subcall function 00521D20: #518.MSVBVM60(?,?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EBF
        • Part of subcall function 00521D20: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ECC
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ED7
      • #520.MSVBVM60(?,00004008), ref: 005C8EE0
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 005C8F05
      • __vbaFreeVar.MSVBVM60 ref: 005C8F15
      • __vbaStrCat.MSVBVM60(?,String2Hex failed on: ), ref: 005C8F38
      • __vbaStrMove.MSVBVM60(?,String2Hex failed on: ), ref: 005C8F43
      • __vbaFreeStr.MSVBVM60(?,?,String2Hex failed on: ), ref: 005C8F55
      • #520.MSVBVM60(?,00004008), ref: 005C8F80
      • __vbaStrVarMove.MSVBVM60(?), ref: 005C8F8A
      • __vbaStrMove.MSVBVM60 ref: 005C8F95
      • __vbaFreeVar.MSVBVM60 ref: 005C8F9E
      • #685.MSVBVM60 ref: 005C8FAB
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C8FB6
      • __vbaFreeObj.MSVBVM60 ref: 005C8FD7
      • __vbaFreeStr.MSVBVM60(005C9050), ref: 005C9040
      • __vbaFreeStr.MSVBVM60 ref: 005C9049
      Strings
      • String2Hex failed on: , xrefs: 005C8F2D
      • First Method did not deliver hex, xrefs: 005C8CCC
      • InputString in String2Hex: , xrefs: 005C8A2C
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$Chkstk$#685$CopyErrorListOffset$#520BstrCheckHresult$#516#518#573#619#632#711#712CallCastDestructIndexLateLoadLockUnlockVar2
      • String ID: First Method did not deliver hex$InputString in String2Hex: $String2Hex failed on:
      • API String ID: 1709974585-306552035
      • Opcode ID: a52eff4ad5455d2995886711f82f26c1aa01dad6887e47ec929a0ab649599c24
      • Instruction ID: c8739ce8c31562c4f29a6ab99c3849625d1abc4fa8406314f201655d916536a2
      • Opcode Fuzzy Hash: a52eff4ad5455d2995886711f82f26c1aa01dad6887e47ec929a0ab649599c24
      • Instruction Fuzzy Hash: 8F12E975900218EFDB14DFA0D988FDEBBB9BF48304F108599E506B7260DB745A89CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00511C90 Relevance: 101.9, APIs: 52, Strings: 6, Instructions: 351COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 00511CAE
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 00511CD3
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 00511CEF
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,004153F6), ref: 00511D0E
      • __vbaVarVargNofree.MSVBVM60(?,?,?,?,004153F6), ref: 00511D29
      • __vbaI4ErrVar.MSVBVM60(00000000,?,?,?,?,004153F6), ref: 00511D30
        • Part of subcall function 00538720: __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,00000000,00000000,00000003,004153F6), ref: 0053873E
        • Part of subcall function 00538720: __vbaAptOffset.MSVBVM60(00419C98,?,00000000,00000000,00000000,004153F6,?), ref: 00538763
        • Part of subcall function 00538720: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,004153F6,?), ref: 0053877C
        • Part of subcall function 00538720: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,00000000,00000000,004153F6,?), ref: 005387B3
        • Part of subcall function 00538720: __vbaStrMove.MSVBVM60(?,00000000,00000000,00000000,004153F6,?), ref: 005387CE
        • Part of subcall function 00538720: __vbaFreeStr.MSVBVM60(?,00000000,00000000,00000000,004153F6,?), ref: 005387D7
        • Part of subcall function 00538720: __vbaStrCmp.MSVBVM60(true,?,?,00000000,00000000,00000000,004153F6,?), ref: 005387F3
        • Part of subcall function 00538720: __vbaR8Str.MSVBVM60(Mapped: HKCU to: ,?,00000000,00000000,00000000,004153F6,?), ref: 0053883A
        • Part of subcall function 00538720: __vbaStrR8.MSVBVM60(00000000,004153F6,?), ref: 00538856
        • Part of subcall function 00538720: __vbaStrMove.MSVBVM60 ref: 00538861
        • Part of subcall function 00538720: __vbaFreeStr.MSVBVM60(?), ref: 00538873
        • Part of subcall function 00538720: #685.MSVBVM60(?,00000000,00000000,00000000,004153F6,?), ref: 00538891
        • Part of subcall function 00538720: __vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,00000000,004153F6,?), ref: 0053889C
        • Part of subcall function 00538720: __vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,004153F6,?), ref: 005388B4
      • __vbaVargVarMove.MSVBVM60 ref: 00511D52
      • __vbaStrMove.MSVBVM60 ref: 00511D92
      • __vbaStrCmp.MSVBVM60(0041AA3C,00000000), ref: 00511D9E
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 00511DBF
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 00511DE1
      • __vbaFreeStr.MSVBVM60 ref: 00511DF8
      • #685.MSVBVM60 ref: 00511E58
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00511E63
      • __vbaFreeObj.MSVBVM60 ref: 00511E84
      • __vbaChkstk.MSVBVM60 ref: 00511EA4
      • __vbaLateMemCallLd.MSVBVM60(?,?,RegRead,00000001), ref: 00511EDA
      • __vbaStrVarMove.MSVBVM60(00000000,?,?,?), ref: 00511EE4
      • __vbaStrMove.MSVBVM60(?,?,?), ref: 00511EEF
      • __vbaFreeVar.MSVBVM60(?,?,?), ref: 00511EF8
      • #685.MSVBVM60(?,?,?), ref: 00511F05
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?), ref: 00511F10
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 00511F43
      • __vbaFreeObj.MSVBVM60 ref: 00511F6D
      • #685.MSVBVM60 ref: 00511F86
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00511F91
      • __vbaFreeObj.MSVBVM60 ref: 00511FB2
        • Part of subcall function 00519C50: __vbaChkstk.MSVBVM60(?,004153F6,?,?,00000000,00000000,?,004153F6), ref: 00519C6E
        • Part of subcall function 00519C50: __vbaAptOffset.MSVBVM60(00419C98,?,00000000,00000000,?,004153F6), ref: 00519C93
        • Part of subcall function 00519C50: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,004153F6), ref: 00519CAC
        • Part of subcall function 00519C50: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,00000000,?,004153F6), ref: 00519CC8
        • Part of subcall function 00519C50: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,00000000,?,004153F6), ref: 00519CEC
        • Part of subcall function 00519C50: __vbaStrCopy.MSVBVM60 ref: 00519D17
        • Part of subcall function 00519C50: __vbaStrCopy.MSVBVM60 ref: 00519D25
        • Part of subcall function 00519C50: __vbaStrMove.MSVBVM60(?,?,0000000A), ref: 00519D41
        • Part of subcall function 00519C50: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00519D51
        • Part of subcall function 00519C50: __vbaFreeVar.MSVBVM60(00000000,?,004153F6), ref: 00519D5D
        • Part of subcall function 00519C50: __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 00519D73
        • Part of subcall function 00519C50: __vbaStrCmp.MSVBVM60(0041AB20,?), ref: 00519D8A
        • Part of subcall function 00519C50: __vbaStrCopy.MSVBVM60 ref: 00519DD5
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00511FCE
      • #716.MSVBVM60(?,WScript.Shell,00000000), ref: 00511FE6
      • __vbaObjVar.MSVBVM60(?), ref: 00511FF0
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00512004
      • __vbaFreeVar.MSVBVM60 ref: 0051200D
      • #685.MSVBVM60 ref: 0051201A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00512025
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 00512058
      • __vbaFreeObj.MSVBVM60 ref: 00512082
      • __vbaStrCopy.MSVBVM60 ref: 0051209F
      • __vbaFreeStr.MSVBVM60(?), ref: 005120B1
      • #685.MSVBVM60 ref: 005120BE
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005120C9
      • __vbaFreeObj.MSVBVM60 ref: 005120EA
      • __vbaVargVar.MSVBVM60(?), ref: 0051210D
      • __vbaChkstk.MSVBVM60 ref: 0051211A
        • Part of subcall function 0051A2F0: __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,00000000,00000000,?,004153F6), ref: 0051A30E
        • Part of subcall function 0051A2F0: __vbaAptOffset.MSVBVM60(00419C98,?,00000001,00000000,00000000,004153F6), ref: 0051A333
        • Part of subcall function 0051A2F0: __vbaOnError.MSVBVM60(000000FF,?,00000001,00000000,00000000,004153F6), ref: 0051A34F
        • Part of subcall function 0051A2F0: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000001,00000000,00000000,004153F6), ref: 0051A36E
        • Part of subcall function 0051A2F0: __vbaStrCmp.MSVBVM60(004250B4,?,?,00000001,00000000,00000000,004153F6), ref: 0051A395
        • Part of subcall function 0051A2F0: __vbaStrCopy.MSVBVM60(?,00000001,00000000,00000000,004153F6), ref: 0051A3BB
        • Part of subcall function 0051A2F0: __vbaStrCopy.MSVBVM60 ref: 0051A426
        • Part of subcall function 0051A2F0: __vbaStrCopy.MSVBVM60 ref: 0051A434
        • Part of subcall function 0051A2F0: __vbaStrMove.MSVBVM60(?,?,0000000A), ref: 0051A450
        • Part of subcall function 0051A2F0: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0051A460
        • Part of subcall function 0051A2F0: __vbaFreeVar.MSVBVM60(00000000,00000000,004153F6), ref: 0051A46C
        • Part of subcall function 0051A2F0: __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 0051A498
        • Part of subcall function 0051A2F0: __vbaStrCopy.MSVBVM60 ref: 0051A4B5
        • Part of subcall function 0051A2F0: #685.MSVBVM60 ref: 0051A4C2
      • __vbaVargVar.MSVBVM60(?), ref: 00512141
      • __vbaChkstk.MSVBVM60 ref: 0051214E
      • __vbaLateMemCallLd.MSVBVM60(?,?,DeleteKey,00000002), ref: 00512183
      • __vbaBoolVar.MSVBVM60(00000000), ref: 0051218D
      • __vbaFreeVar.MSVBVM60 ref: 0051219A
      • #685.MSVBVM60(?,?,?,?,004153F6), ref: 005121A7
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,004153F6), ref: 005121B2
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 005121D3
      • __vbaFreeStr.MSVBVM60(00512206,?,?,?,?,004153F6), ref: 005121FF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685CopyMove$Chkstk$ErrorOffsetVarg$AddrefCallCheckHresultLateList$#716BoolNofree
      • String ID: DMB$DeleteKey$HKLM\SOFTWARE\Aloaha\ctest$RegRead$WScript.Shell$regi.CreateCOMObject wscript.shell failed in deletekey
      • API String ID: 1274433013-1973597153
      • Opcode ID: 2bedadecc19304e77bc49073201a8ae2658cefb65bc91fa73c9d76ba8ba247d5
      • Instruction ID: 8df20a3cf77b3114ca95ce4b8aaea55ba33885bd14a87f7c9e3537c19cbe8a81
      • Opcode Fuzzy Hash: 2bedadecc19304e77bc49073201a8ae2658cefb65bc91fa73c9d76ba8ba247d5
      • Instruction Fuzzy Hash: 5AF13A74900218DFDB04DFA4DD88BEEBBB5FF48305F1081A9E50AAB2A1DB745A85CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005C0560 Relevance: 101.8, APIs: 53, Strings: 5, Instructions: 326COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6,?,?,?,005C501D,?,?), ref: 005C057E
      • __vbaAptOffset.MSVBVM60(00419C98,00000000,00000001,6D1CD8CD,?,004153F6), ref: 005C05A3
      • __vbaStrCopy.MSVBVM60 ref: 005C05BC
      • __vbaStrCopy.MSVBVM60 ref: 005C05C8
      • __vbaOnError.MSVBVM60(000000FF), ref: 005C05D7
      • #520.MSVBVM60(?,00004008), ref: 005C0602
      • #520.MSVBVM60(?,00004008), ref: 005C063A
      • __vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 005C0663
      • __vbaVarCmpNe.MSVBVM60(?,00008008,?,00000000), ref: 005C067C
      • __vbaVarAnd.MSVBVM60(?,00000000), ref: 005C068A
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 005C0691
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005C06A8
      • __vbaAryMove.MSVBVM60(?,?,?,?,?), ref: 005C0705
      • #685.MSVBVM60 ref: 005C0712
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C071D
      • __vbaFreeObj.MSVBVM60 ref: 005C073E
      • __vbaUbound.MSVBVM60(00000001,?), ref: 005C0751
      • #685.MSVBVM60 ref: 005C0767
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C0772
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 005C07BD
      • __vbaFreeObj.MSVBVM60 ref: 005C07ED
      • #716.MSVBVM60(?,CAPICOM.Certificate,00000000), ref: 005C0814
      • __vbaObjVar.MSVBVM60(?), ref: 005C081E
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005C0829
      • __vbaFreeVar.MSVBVM60 ref: 005C0832
      • __vbaChkstk.MSVBVM60 ref: 005C0857
        • Part of subcall function 005C58C0: __vbaChkstk.MSVBVM60(?,004153F6,?,?,?,005C0C85,?,?), ref: 005C58DE
        • Part of subcall function 005C58C0: __vbaOnError.MSVBVM60(000000FF,00000000,00000001,6D1CD8CD,?,004153F6), ref: 005C590E
        • Part of subcall function 005C58C0: #520.MSVBVM60(?,00004008), ref: 005C5930
        • Part of subcall function 005C58C0: __vbaStrVarMove.MSVBVM60(?), ref: 005C593A
        • Part of subcall function 005C58C0: __vbaStrMove.MSVBVM60 ref: 005C5945
        • Part of subcall function 005C58C0: __vbaFreeVar.MSVBVM60 ref: 005C594E
        • Part of subcall function 005C58C0: __vbaStrCmp.MSVBVM60(0041AA3C), ref: 005C5966
        • Part of subcall function 005C58C0: __vbaAryRecMove.MSVBVM60(0043C030,?,?), ref: 005C5996
        • Part of subcall function 005C58C0: #685.MSVBVM60 ref: 005C59A3
        • Part of subcall function 005C58C0: __vbaObjSet.MSVBVM60(?,00000000), ref: 005C59AE
        • Part of subcall function 005C58C0: __vbaFreeObj.MSVBVM60 ref: 005C59CF
        • Part of subcall function 005C58C0: __vbaUbound.MSVBVM60(00000001,00000000), ref: 005C5A42
      • __vbaLateMemCall.MSVBVM60(?,Import,00000001), ref: 005C088C
      • __vbaObjSetAddref.MSVBVM60(?,?), ref: 005C08A4
      • #716.MSVBVM60(?,Capicom.Utilities,00000000), ref: 005C08BC
      • __vbaObjVar.MSVBVM60(?), ref: 005C08C6
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005C08D1
      • __vbaFreeVar.MSVBVM60 ref: 005C08DA
      • __vbaChkstk.MSVBVM60 ref: 005C0900
      • __vbaLateMemCallLd.MSVBVM60(?,?,Export,00000001), ref: 005C0939
      • __vbaChkstk.MSVBVM60 ref: 005C0949
      • __vbaLateMemCallLd.MSVBVM60(00000001,?,BinaryToHex,00000001), ref: 005C0975
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 005C097F
      • __vbaStrMove.MSVBVM60 ref: 005C098A
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005C099A
      • __vbaStrCopy.MSVBVM60 ref: 005C09B9
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005C09CC
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005C09DF
      • #685.MSVBVM60 ref: 005C09EC
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C09F7
      • __vbaFreeObj.MSVBVM60 ref: 005C0A18
      • __vbaAryDestruct.MSVBVM60(00000000,?,005C0AB9), ref: 005C0A70
      • __vbaFreeStr.MSVBVM60 ref: 005C0A79
      • __vbaFreeStr.MSVBVM60 ref: 005C0A82
      • __vbaFreeStr.MSVBVM60 ref: 005C0A8B
      • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 005C0A97
      • __vbaFreeStr.MSVBVM60 ref: 005C0AA0
      • __vbaFreeObj.MSVBVM60 ref: 005C0AA9
      • __vbaFreeObj.MSVBVM60 ref: 005C0AB2
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$AddrefChkstk$#685$#520CallCopyLate$#716DestructErrorListUbound$BoolCheckHresultNullOffset
      • String ID: BinaryToHex$CAPICOM.Certificate$Capicom.Utilities$Export$Import
      • API String ID: 2986534527-2476618023
      • Opcode ID: 2faa06d4ad0ad89be1ea254133320e0e4923a3ce0c0d28da7fbe901728351c73
      • Instruction ID: 17c5c022cb111c22f45194037f7d43f0c0f018960864f6463423b38eac388429
      • Opcode Fuzzy Hash: 2faa06d4ad0ad89be1ea254133320e0e4923a3ce0c0d28da7fbe901728351c73
      • Instruction Fuzzy Hash: 8EE1F875900208DFDB14DFA4DE88BDDBBB4BF48304F1085A9E606B72A1DB745A89CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00548E60 Relevance: 96.6, APIs: 54, Strings: 1, Instructions: 389COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,004153F6), ref: 00548E7E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6), ref: 00548EA3
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6), ref: 00548EBC
      • #685.MSVBVM60(?,?,?,00000000,004153F6), ref: 00548EF4
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,004153F6), ref: 00548EFF
      • __vbaFreeObj.MSVBVM60(?,?,?,00000000,004153F6), ref: 00548F17
      • __vbaNew2.MSVBVM60(0041F624,?,?,?,?,00000000,004153F6), ref: 00548F3F
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041F614,00000018), ref: 00548F90
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042D6D4,00000088), ref: 00548FD8
      • __vbaStrR4.MSVBVM60(?), ref: 00548FEE
      • __vbaStrMove.MSVBVM60 ref: 00548FF9
      • __vbaFreeObj.MSVBVM60 ref: 00549002
      • #685.MSVBVM60 ref: 0054900F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0054901A
      • #685.MSVBVM60 ref: 00549381
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0054938C
      • __vbaFreeObj.MSVBVM60 ref: 005493AD
      • __vbaFreeStr.MSVBVM60(005493D8), ref: 005493D1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685$CheckHresult$ChkstkErrorMoveNew2Offset
      • String ID: HKCU\Software\Aloaha\pdf\TwipsY
      • API String ID: 4019427196-844317383
      • Opcode ID: 8264dc2c29c14b472844670fd1def8a0fbe27220e3b1fbcf95fbdcc9e4158c53
      • Instruction ID: ed3485d5c8056b22952b1a173b48967277f4d8741e8a82e631fdd48b4172aa5e
      • Opcode Fuzzy Hash: 8264dc2c29c14b472844670fd1def8a0fbe27220e3b1fbcf95fbdcc9e4158c53
      • Instruction Fuzzy Hash: 4602F3B5D00208DFDB14DFE4DA88ADEBBB5BF48305F108569E502B72A0DB74994ACF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0053D820 Relevance: 96.6, APIs: 54, Strings: 1, Instructions: 366COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,00521DD6,?,?,?,00000000,004153F6,?), ref: 0053D83E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,00521DD6), ref: 0053D863
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,00521DD6), ref: 0053D87C
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,00000000,004153F6,00521DD6), ref: 0053D898
      • __vbaStrMove.MSVBVM60(?,?,?,00000000,004153F6,00521DD6), ref: 0053D8B7
      • __vbaInStr.MSVBVM60(00000000,0041F52C,?,00000001,?,?,?,00000000,004153F6,00521DD6), ref: 0053D8D1
      • __vbaLenBstr.MSVBVM60(?), ref: 0053D8F7
      • #709.MSVBVM60(?,0041F52C,000000FF,00000000), ref: 0053D90C
      • #619.MSVBVM60(?,00004008,00000000), ref: 0053D923
      • #520.MSVBVM60(?,?), ref: 0053D931
      • __vbaStrVarMove.MSVBVM60(?), ref: 0053D93B
      • __vbaStrMove.MSVBVM60 ref: 0053D946
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0053D956
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,00000000,004153F6,00521DD6), ref: 0053D96F
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,00521DD6), ref: 0053D986
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,00521DD6), ref: 0053D99F
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,00521DD6), ref: 0053D9BA
      • #685.MSVBVM60(?,?,?,00000000,004153F6,00521DD6), ref: 0053D9C7
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,004153F6,00521DD6), ref: 0053D9D2
      • __vbaFreeObj.MSVBVM60(?,?,?,00000000,004153F6,00521DD6), ref: 0053D9EA
      • __vbaFreeStr.MSVBVM60(0053DA31,?,?,?,00000000,004153F6,00521DD6), ref: 0053DA2A
        • Part of subcall function 0053D4C0: __vbaChkstk.MSVBVM60(00000000,004153F6,0053D8B2,?,?,?,00000000,004153F6,00521DD6), ref: 0053D4DE
        • Part of subcall function 0053D4C0: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,0053D8B2), ref: 0053D503
        • Part of subcall function 0053D4C0: __vbaAryConstruct2.MSVBVM60(?,0042AA30,00000003,?,?,?,00000000,004153F6,0053D8B2), ref: 0053D51E
        • Part of subcall function 0053D4C0: __vbaFixstrConstruct.MSVBVM60(00000104,?,?,?,?,00000000,004153F6,0053D8B2), ref: 0053D52D
        • Part of subcall function 0053D4C0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,0053D8B2), ref: 0053D53C
        • Part of subcall function 0053D4C0: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,00000000,004153F6,0053D8B2), ref: 0053D558
        • Part of subcall function 0053D4C0: __vbaSetSystemError.MSVBVM60(?,?,?,00000000,004153F6,0053D8B2), ref: 0053D575
        • Part of subcall function 0053D4C0: __vbaSetSystemError.MSVBVM60(00000410,00000000,?,?,?,?,00000000,004153F6,0053D8B2), ref: 0053D59B
        • Part of subcall function 0053D4C0: __vbaSetSystemError.MSVBVM60(00000000,?,000000C8,?), ref: 0053D60A
        • Part of subcall function 0053D4C0: __vbaStrToAnsi.MSVBVM60(?,?,000001F4), ref: 0053D667
      • __vbaErrorOverflow.MSVBVM60 ref: 0053DA45
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,00000000,004153F6,00521DD6), ref: 0053DA6E
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000000,?,00000000,004153F6), ref: 0053DA93
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004153F6), ref: 0053DAAF
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,?,00000000,004153F6), ref: 0053DACE
      • __vbaInStr.MSVBVM60(00000000,0041F52C,?,00000001,?,00000000,?,00000000,004153F6), ref: 0053DAF1
      • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004153F6), ref: 0053DB1A
      • #685.MSVBVM60(?,00000000,?,00000000,004153F6), ref: 0053DDB2
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,00000000,004153F6), ref: 0053DDBD
      • __vbaFreeObj.MSVBVM60(?,00000000,?,00000000,004153F6), ref: 0053DDDE
      • __vbaFreeStr.MSVBVM60(0053DE37,?,00000000,?,00000000,004153F6), ref: 0053DE27
      • __vbaFreeStr.MSVBVM60(?,00000000,?,00000000,004153F6), ref: 0053DE30
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Error$Free$Copy$ChkstkMoveOffsetSystem$#685$#520#619#709AnsiBstrConstructConstruct2FixstrListOverflow
      • String ID: Processpath:
      • API String ID: 913230381-3455462373
      • Opcode ID: a2033281525af4903875feb6a45c947446f5703d51bb96df784a25075c515d56
      • Instruction ID: 7373a343eeb06155551603bbc06750ead68ea18bf1e9a9228b140a1f59e0de61
      • Opcode Fuzzy Hash: a2033281525af4903875feb6a45c947446f5703d51bb96df784a25075c515d56
      • Instruction Fuzzy Hash: 83F13775900208EFDB14DFA0DA88BDEBBB5FF48704F208169E502B72A1DB745A85CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00536660 Relevance: 94.8, APIs: 46, Strings: 8, Instructions: 312COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 0053667E
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000001,?,00000000,004153F6), ref: 005366A3
      • __vbaStrCopy.MSVBVM60(?,00000001,?,00000000,004153F6), ref: 005366BC
      • __vbaVarDup.MSVBVM60(?,00000001,?,00000000,004153F6), ref: 005366C8
      • __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,004153F6), ref: 005366D7
      • __vbaStrCmp.MSVBVM60(true,?,?,00000001,?,00000000,004153F6), ref: 005366F6
      • __vbaStrCopy.MSVBVM60(?,00000001,?,00000000,004153F6), ref: 0053671C
      • #518.MSVBVM60(?,00004008), ref: 00536747
      • #619.MSVBVM60(?,?,00000004), ref: 00536757
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0053677C
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00536793
      • __vbaBoolVar.MSVBVM60(?,?,00000000,004153F6), ref: 005367B2
        • Part of subcall function 00536BD0: __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,005367C2,?,00000000,?,00000000,004153F6), ref: 00536BEE
        • Part of subcall function 00536BD0: __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,004153F6), ref: 00536C1E
        • Part of subcall function 00536BD0: __vbaStrCat.MSVBVM60(00424CA4,?,?,00000001,?,00000000,004153F6), ref: 00536C49
        • Part of subcall function 00536BD0: __vbaStrMove.MSVBVM60(?,?,00000001,?,00000000,004153F6), ref: 00536C54
        • Part of subcall function 00536BD0: __vbaStr2Vec.MSVBVM60(?,00000000,?,?,00000001,?,00000000,004153F6), ref: 00536C5F
        • Part of subcall function 00536BD0: __vbaAryMove.MSVBVM60(?,?,?,?,00000001,?,00000000,004153F6), ref: 00536C6D
        • Part of subcall function 00536BD0: __vbaFreeStr.MSVBVM60(?,?,00000001,?,00000000,004153F6), ref: 00536C76
        • Part of subcall function 00536BD0: __vbaAryLock.MSVBVM60(?,?,?,?,00000001,?,00000000,004153F6), ref: 00536C8B
        • Part of subcall function 00536BD0: __vbaSetSystemError.MSVBVM60(?,?), ref: 00536CEF
        • Part of subcall function 00536BD0: __vbaAryUnlock.MSVBVM60(00000000), ref: 00536CF9
        • Part of subcall function 00536BD0: __vbaUI1I2.MSVBVM60 ref: 00536D1F
        • Part of subcall function 00536BD0: __vbaAryLock.MSVBVM60(00000000,?), ref: 00536D30
      • #518.MSVBVM60(?,00004008), ref: 005367F9
      • __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 0053683A
      • __vbaVarTstEq.MSVBVM60(00008002,00000000), ref: 00536848
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0053685F
      • __vbaStrCat.MSVBVM60(?,Have to register: ,?,?,?,?,00000000,004153F6), ref: 00536883
      • __vbaStrMove.MSVBVM60(?,?,?,?,00000000,004153F6), ref: 0053688E
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000000,004153F6), ref: 005368A0
      • __vbaStrToAnsi.MSVBVM60(?,?,?), ref: 005368DC
      • __vbaSetSystemError.MSVBVM60(00000000), ref: 005368EE
      • __vbaStrToUnicode.MSVBVM60(?,?), ref: 005368FC
      • __vbaFreeStr.MSVBVM60 ref: 0053690E
      • __vbaBoolVarNull.MSVBVM60(?), ref: 0053691F
      • __vbaStrToAnsi.MSVBVM60(?,DllRegisterServer), ref: 0053693C
      • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 00536952
      • __vbaFreeStr.MSVBVM60 ref: 00536964
      • __vbaStrCopy.MSVBVM60 ref: 00536B2C
      • #685.MSVBVM60(?,00000001,?,00000000,004153F6), ref: 00536B39
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000001,?,00000000,004153F6), ref: 00536B44
      • __vbaFreeObj.MSVBVM60(?,00000001,?,00000000,004153F6), ref: 00536B65
      • __vbaFreeVar.MSVBVM60(00536BB2,?,00000001,?,00000000,004153F6), ref: 00536BA2
      • __vbaFreeStr.MSVBVM60(?,00000001,?,00000000,004153F6), ref: 00536BAB
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Error$CopyMoveSystem$#518AnsiBoolChkstkListLock$#619#685NullOffsetStr2UnicodeUnlock
      • String ID: +$.tlb$DllRegisterServer$DllUnregisterServer$Failed$Have to register: $pilot$true
      • API String ID: 224055642-3333837834
      • Opcode ID: e6430bce28866f51d5b5e62e101083f1f64ca8ed99adf87777b60c75fb50d0cb
      • Instruction ID: a7c6afeecc875475f9281eb0fa2d29c611dc0e20edcb09f33934d0470482a12b
      • Opcode Fuzzy Hash: e6430bce28866f51d5b5e62e101083f1f64ca8ed99adf87777b60c75fb50d0cb
      • Instruction Fuzzy Hash: 04E1F975900218EBDB14DFE0DD88BDEBBB4BF48304F1085A9E506B72A4DB785A88CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0053DE50 Relevance: 94.8, APIs: 49, Strings: 5, Instructions: 306COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0053DE6E
      • __vbaOnError.MSVBVM60(000000FF,6D1E1654,00000000,6D29595C,00000000,004153F6,C0000000), ref: 0053DE9E
      • __vbaSetSystemError.MSVBVM60(?), ref: 0053DEB4
      • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000027,00000000), ref: 0053DEF6
      • __vbaAryLock.MSVBVM60(?,?), ref: 0053DF0E
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0053DF4B
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0053DF65
      • #644.MSVBVM60(?), ref: 0053DF7E
      • __vbaAryUnlock.MSVBVM60(00000000), ref: 0053DF8E
      • __vbaSetSystemError.MSVBVM60(?,?,?), ref: 0053DFAE
      • __vbaStrVarCopy.MSVBVM60(00002011,?), ref: 0053DFEB
      • __vbaStrMove.MSVBVM60 ref: 0053DFF6
      • #616.MSVBVM60(00000000), ref: 0053DFFD
      • __vbaStrMove.MSVBVM60 ref: 0053E008
      • __vbaFreeStr.MSVBVM60 ref: 0053E011
      • #712.MSVBVM60(?,0042084C,0041AA3C,00000001,000000FF,00000000), ref: 0053E032
      • __vbaStrMove.MSVBVM60 ref: 0053E03D
      • #712.MSVBVM60(?,00420854,0041AA3C,00000001,000000FF,00000000), ref: 0053E05E
      • __vbaStrMove.MSVBVM60 ref: 0053E069
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 0053E07F
      • #610.MSVBVM60(?), ref: 0053E098
      • #612.MSVBVM60(?), ref: 0053E0A5
      • __vbaVarDup.MSVBVM60 ref: 0053E0C8
      • __vbaVarDup.MSVBVM60 ref: 0053E0EE
      • #650.MSVBVM60(?,?,00000001,00000001), ref: 0053E100
      • __vbaStrMove.MSVBVM60 ref: 0053E10B
      • #650.MSVBVM60(?,?,00000001,00000001,00000000), ref: 0053E124
      • __vbaStrMove.MSVBVM60 ref: 0053E12F
      • __vbaStrCat.MSVBVM60(00000000), ref: 0053E136
      • __vbaStrMove.MSVBVM60 ref: 0053E141
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0053E151
      • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0053E172
      • __vbaStrCopy.MSVBVM60 ref: 0053E188
      • __vbaAryDestruct.MSVBVM60(00000000,?,0053E1FD), ref: 0053E1ED
      • __vbaFreeStr.MSVBVM60 ref: 0053E1F6
      • __vbaErrorOverflow.MSVBVM60(00000000), ref: 0053E211
      • __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 0053E23E
      • __vbaAptOffset.MSVBVM60(00419C98,6D1E1654,00000000,6D29595C,00000000,004153F6), ref: 0053E263
      • __vbaOnError.MSVBVM60(000000FF), ref: 0053E27C
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 0053E298
      • __vbaStrCopy.MSVBVM60 ref: 0053E2B1
      • __vbaStrMove.MSVBVM60(?), ref: 0053E2CB
      • __vbaFreeStr.MSVBVM60 ref: 0053E2D4
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 0053E2F0
      • __vbaStrCopy.MSVBVM60 ref: 0053E30F
      • __vbaStrCopy.MSVBVM60 ref: 0053E328
      • #685.MSVBVM60 ref: 0053E335
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053E340
      • __vbaFreeObj.MSVBVM60 ref: 0053E358
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Error$Free$Copy$#650#712BoundsChkstkGenerateListSystem$#610#612#616#644#685DestructLockOffsetOverflowRedimUnlock
      • String ID: ($Aloaha PDF (www.aloaha.com)$HKLM\Software\Aloaha\pdf\PDFAgent$hhnnss$yyyymmdd
      • API String ID: 493154774-289438348
      • Opcode ID: 0557ee80aefd034b42fb4f42dd42f368994d590ef4068e7ec15df2be35f62f04
      • Instruction ID: e3a9fc5ee23d9d3714b90cb6cf9560eb765bbd02ac83d792ed15ba5d5cd1cba7
      • Opcode Fuzzy Hash: 0557ee80aefd034b42fb4f42dd42f368994d590ef4068e7ec15df2be35f62f04
      • Instruction Fuzzy Hash: CAD10771900208DFDB04DFA0DE89BDEBBB5FB48704F1085A9E506B72A0DB746A89CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00548900 Relevance: 91.4, APIs: 51, Strings: 1, Instructions: 375COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,0050FD28,?,?,?,?,004153F6), ref: 0054891E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,0050FD28), ref: 00548943
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,0050FD28), ref: 0054895C
      • #685.MSVBVM60(?,?,?,00000000,004153F6,0050FD28), ref: 00548994
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,004153F6,0050FD28), ref: 0054899F
      • __vbaFreeObj.MSVBVM60(?,?,?,00000000,004153F6,0050FD28), ref: 005489B7
      • __vbaNew2.MSVBVM60(0041F624,?,?,?,?,00000000,004153F6,0050FD28), ref: 005489DF
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041F614,00000018), ref: 00548A30
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042D6D4,00000080), ref: 00548A78
      • __vbaStrR4.MSVBVM60(?), ref: 00548A8E
      • __vbaStrMove.MSVBVM60 ref: 00548A99
      • __vbaFreeObj.MSVBVM60 ref: 00548AA2
      • #685.MSVBVM60 ref: 00548AAF
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00548ABA
      • #685.MSVBVM60 ref: 00548DE8
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00548DF3
      • __vbaFreeObj.MSVBVM60 ref: 00548E14
      • __vbaFreeStr.MSVBVM60(00548E3F), ref: 00548E38
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685$CheckHresult$ChkstkErrorMoveNew2Offset
      • String ID: HKCU\Software\Aloaha\pdf\TwipsX
      • API String ID: 4019427196-1163162193
      • Opcode ID: bf0e49aff942bf7fd8b93bf6e4c96237a638d2c827e454686cb1723b0a0a457e
      • Instruction ID: 36f1710cd99b9455e0c44a173443f019642f391e61fbe753f76dd388bb11d42b
      • Opcode Fuzzy Hash: bf0e49aff942bf7fd8b93bf6e4c96237a638d2c827e454686cb1723b0a0a457e
      • Instruction Fuzzy Hash: F0F1E4B5D00218DFDB14DFE4D988AEEBBB5BF48305F10852AE502B72A0DB749946CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00533620 Relevance: 91.3, APIs: 47, Strings: 5, Instructions: 315COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 0053363E
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000000,00000000,00000000,004153F6), ref: 00533663
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,004153F6), ref: 0053367C
      • #685.MSVBVM60(?,00000000), ref: 00533696
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000), ref: 005336A1
      • __vbaFreeObj.MSVBVM60(?,00000000), ref: 005336C2
      • __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 005336D5
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,00000000), ref: 005336F1
      • __vbaStrCat.MSVBVM60(00000000,callit: ,?,?,00000000), ref: 00533719
      • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 00533724
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,004153F6), ref: 00521D3E
        • Part of subcall function 00521D20: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,?), ref: 00521D63
        • Part of subcall function 00521D20: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,?), ref: 00521D7F
        • Part of subcall function 00521D20: __vbaStrCmp.MSVBVM60(true,?,?,?,?,00000000,004153F6,?), ref: 00521D9E
        • Part of subcall function 00521D20: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DC4
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DDB
        • Part of subcall function 00521D20: __vbaVarDup.MSVBVM60 ref: 00521E12
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 00521E39
        • Part of subcall function 00521D20: #711.MSVBVM60(?,00000000), ref: 00521E47
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60 ref: 00521E52
        • Part of subcall function 00521D20: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 00521E90
        • Part of subcall function 00521D20: #520.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EA1
        • Part of subcall function 00521D20: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EAB
        • Part of subcall function 00521D20: #518.MSVBVM60(?,?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EBF
        • Part of subcall function 00521D20: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ECC
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ED7
      • __vbaFreeStr.MSVBVM60(?,?,?,00000000), ref: 00533736
      • #685.MSVBVM60(?,?,00000000), ref: 00533743
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,00000000), ref: 0053374E
      • __vbaFreeObj.MSVBVM60(?,?,00000000), ref: 0053376F
      • __vbaChkstk.MSVBVM60 ref: 0053379C
      • __vbaLateMemCallLd.MSVBVM60(?,?,Run,00000001), ref: 005337CF
      • __vbaI4Var.MSVBVM60(00000000), ref: 005337D9
      • __vbaFreeVar.MSVBVM60 ref: 005337E5
      • #685.MSVBVM60 ref: 005337F2
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005337FD
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 00533830
      • __vbaFreeObj.MSVBVM60 ref: 0053385A
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0053387F
      • __vbaStrCopy.MSVBVM60 ref: 00533894
      • __vbaFreeStr.MSVBVM60(?), ref: 005338A6
      • #685.MSVBVM60 ref: 005338B3
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005338BE
      • __vbaFreeObj.MSVBVM60 ref: 005338DF
      • #716.MSVBVM60(?,WScript.Shell,00000000), ref: 005338F7
      • __vbaObjVar.MSVBVM60(?), ref: 00533901
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00533911
      • __vbaFreeVar.MSVBVM60 ref: 0053391A
      • __vbaChkstk.MSVBVM60 ref: 00533947
      • __vbaLateMemCallLd.MSVBVM60(?,?,Run,00000001), ref: 0053397A
      • __vbaI4Var.MSVBVM60(00000000), ref: 00533984
      • __vbaFreeVar.MSVBVM60 ref: 00533990
      • #685.MSVBVM60 ref: 0053399D
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005339A8
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 005339DB
      • __vbaFreeObj.MSVBVM60 ref: 00533A05
      • #600.MSVBVM60(00004008,00000001), ref: 00533A2D
      • __vbaStrCat.MSVBVM60(?,Callit is false, but tried shell command: ), ref: 00533A48
      • __vbaStrMove.MSVBVM60(?,Callit is false, but tried shell command: ), ref: 00533A53
      • __vbaFreeStr.MSVBVM60(?,?,Callit is false, but tried shell command: ), ref: 00533A65
      • #685.MSVBVM60(?,?,00000000), ref: 00533A8E
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,00000000), ref: 00533A99
      • __vbaFreeObj.MSVBVM60(?,?,00000000), ref: 00533ABA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685Move$Chkstk$AddrefCallCheckCopyErrorHresultLateOffset$#518#520#600#711#716BstrIndexLoadLockUnlock
      • String ID: Callit is false, but tried shell command: $ObjShell could not start$Run$WScript.Shell$callit:
      • API String ID: 3647539409-3259931088
      • Opcode ID: 41f8443664aafbea52cc82036b84dff1dab9d3cf468b6645eaf822b3782e1594
      • Instruction ID: d3c9bf820c04ee9cab10cabe5ed69ce553336314a9210ca32a8f003873165266
      • Opcode Fuzzy Hash: 41f8443664aafbea52cc82036b84dff1dab9d3cf468b6645eaf822b3782e1594
      • Instruction Fuzzy Hash: 1FE1F6B5900218DFDB04DFA4DA88BDEBBB4FF48305F108169E506BB2A1DB749A49CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00532240 Relevance: 89.7, APIs: 47, Strings: 4, Instructions: 420COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,?,00000000,00000003,004153F6), ref: 0053225E
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000000,00000000,00000000,004153F6), ref: 00532283
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,004153F6), ref: 0053229F
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,00000000,00000000,004153F6), ref: 00532365
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$ChkstkErrorOffset
      • String ID: to $Copied: $c$called:
      • API String ID: 367529106-1711763018
      • Opcode ID: a755d02210d7961cedf182c818793df8172ff3666a2e7e9707fc5737f62206e0
      • Instruction ID: 353da059c820f88ddf9ac803ec98a997225a2200a6ba7d0c931b8d996d8554db
      • Opcode Fuzzy Hash: a755d02210d7961cedf182c818793df8172ff3666a2e7e9707fc5737f62206e0
      • Instruction Fuzzy Hash: C6028070A01216DFEB18DFA0CD89F9EB7B5BF14304F108299E949AB2D0DB745E44CB65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0056D920 Relevance: 89.5, APIs: 47, Strings: 4, Instructions: 264COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,0056EC72), ref: 0056D93E
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000000,00000000,00000000,004153F6), ref: 0056D963
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,004153F6), ref: 0056D97F
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 0056D994
      • __vbaStrCmp.MSVBVM60(true,?,?,00000000,00000000,00000000,004153F6), ref: 0056D9B3
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 0056D9D9
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,00000000,00000000,004153F6), ref: 0056D9F8
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 0056DA18
      • __vbaStrCmp.MSVBVM60(true,?,?,00000000,00000000,00000000,004153F6), ref: 0056DA3C
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 0056DA59
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 0056DA77
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 0056DA95
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 0056DAAA
      • __vbaStrMove.MSVBVM60(?,?,00000000,00000000,00000000,004153F6), ref: 0056DABE
      • __vbaFreeStr.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 0056DAC7
      • #520.MSVBVM60(?,00004008), ref: 0056DAE9
      • __vbaStrVarMove.MSVBVM60(?), ref: 0056DAF3
      • __vbaStrMove.MSVBVM60 ref: 0056DAFE
      • __vbaFreeVar.MSVBVM60 ref: 0056DB07
      • __vbaStrCmp.MSVBVM60(0041AA3C,00000000), ref: 0056DB1D
      • #619.MSVBVM60(?,00004008,00000001), ref: 0056DB49
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0056DB65
      • __vbaFreeVar.MSVBVM60 ref: 0056DB72
      • __vbaStrCat.MSVBVM60(0041F52C,00000000), ref: 0056DB90
      • __vbaStrMove.MSVBVM60 ref: 0056DB9B
      • #531.MSVBVM60(00000000), ref: 0056DBAC
      • __vbaStrCopy.MSVBVM60 ref: 0056DD2E
      • #685.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 0056DD3B
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,00000000,004153F6), ref: 0056DD46
      • __vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 0056DD67
      • __vbaFreeStr.MSVBVM60(0056DDC1,?,00000000,00000000,00000000,004153F6), ref: 0056DDBA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Copy$Free$Move$#520#531#619#685ChkstkErrorOffset
      • String ID: "$HKLM\Software\Aloaha\AlternativeWritePath$HKLM\Software\Aloaha\debugpath$true
      • API String ID: 459383368-957309409
      • Opcode ID: 6503fa52c49da7f0aba9682bb8827cca33d494d38029f49d5f520bd5a0a62b9a
      • Instruction ID: 49316c0a175269b13332c8f7305af4bbea52f0be344bfff69ceb2b8c23159a57
      • Opcode Fuzzy Hash: 6503fa52c49da7f0aba9682bb8827cca33d494d38029f49d5f520bd5a0a62b9a
      • Instruction Fuzzy Hash: 80C10875900208DFDB04DFA0DA98BDDBBB4FF48705F2081A9E506B72A1DB745A49CF68
      Uniqueness

      Uniqueness Score: -1.00%

      Function 004FD120 Relevance: 87.8, APIs: 49, Strings: 1, Instructions: 343COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,004153F6), ref: 004FD13E
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6), ref: 004FD16B
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6), ref: 004FD17A
      • #685.MSVBVM60(?,?,?,?,00000000,004153F6), ref: 004FD1AC
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,004153F6), ref: 004FD1B7
      • __vbaFreeObj.MSVBVM60(?,?,?,00000000,004153F6), ref: 004FD1CF
      • #645.MSVBVM60(00004008,00000000), ref: 004FD1EF
      • __vbaStrMove.MSVBVM60 ref: 004FD1FA
      • __vbaStrCmp.MSVBVM60(0041AA3C,00000000), ref: 004FD206
      • __vbaFreeStr.MSVBVM60 ref: 004FD21B
      • #685.MSVBVM60 ref: 004FD234
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004FD23F
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 004FD272
      • __vbaFreeObj.MSVBVM60 ref: 004FD296
      • #529.MSVBVM60(00004008), ref: 004FD2BC
      • #685.MSVBVM60 ref: 004FD2C9
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004FD2D4
      • __vbaFreeObj.MSVBVM60 ref: 004FD2EC
      • #685.MSVBVM60(?,?,?,00000000,004153F6), ref: 004FD2F9
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,004153F6), ref: 004FD304
      • __vbaFreeObj.MSVBVM60(?,?,?,00000000,004153F6), ref: 004FD325
      • #645.MSVBVM60(00004008,00000000), ref: 004FD359
      • __vbaStrMove.MSVBVM60 ref: 004FD364
      • __vbaStrCmp.MSVBVM60(0041AA3C,00000000), ref: 004FD370
      • __vbaFreeStr.MSVBVM60 ref: 004FD385
      • #685.MSVBVM60 ref: 004FD39E
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004FD3A9
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 004FD3DC
      • __vbaFreeObj.MSVBVM60 ref: 004FD406
      • __vbaFreeStr.MSVBVM60(004FD612), ref: 004FD60B
        • Part of subcall function 00502E40: __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,00000000,004153F6), ref: 00502E5E
        • Part of subcall function 00502E40: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,?), ref: 00502E83
        • Part of subcall function 00502E40: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,?), ref: 00502E9F
        • Part of subcall function 00502E40: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,00000000,004153F6,?), ref: 00502EB7
        • Part of subcall function 00502E40: __vbaInStr.MSVBVM60(00000000,0041F52C,00000000,00000001,?,?,?,?,00000000,004153F6,?), ref: 00502EDB
        • Part of subcall function 00502E40: #685.MSVBVM60(?,?,?,?,00000000,004153F6,?), ref: 00502EF0
        • Part of subcall function 00502E40: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000,004153F6,?), ref: 00502EFB
        • Part of subcall function 00502E40: __vbaFreeObj.MSVBVM60(?,?,?,?,00000000,004153F6,?), ref: 00502F1C
        • Part of subcall function 00502E40: __vbaChkstk.MSVBVM60 ref: 00502F49
        • Part of subcall function 00502E40: __vbaLateMemCallLd.MSVBVM60(?,?,FileExists,00000001), ref: 00502F7F
        • Part of subcall function 00502E40: __vbaVarTstEq.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,004153F6,?), ref: 00502F8D
        • Part of subcall function 00502E40: __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00000000,004153F6,?), ref: 00502F9A
        • Part of subcall function 00502E40: #685.MSVBVM60(?,?,?,?,?,?,00000000,004153F6,?), ref: 00502FA7
        • Part of subcall function 00502E40: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,004153F6,?), ref: 00502FB2
      • #685.MSVBVM60(?,?,?,00000000,004153F6), ref: 004FD420
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,004153F6), ref: 004FD42B
      • __vbaFreeObj.MSVBVM60(?,?,?,00000000,004153F6), ref: 004FD44C
      • __vbaLenBstr.MSVBVM60(?,?,?,?,00000000,004153F6), ref: 004FD45D
      • __vbaStrToAnsi.MSVBVM60(00000000,00000000,C0000000,00000000,00000000,00000004,00000080,00000000,?,?,?,00000000,004153F6), ref: 004FD489
      • __vbaSetSystemError.MSVBVM60(00000000,?,?,?,00000000,004153F6), ref: 004FD498
      • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004153F6), ref: 004FD4A6
      • __vbaFreeStr.MSVBVM60(?,?,?,00000000,004153F6), ref: 004FD4B5
      • __vbaStrToAnsi.MSVBVM60(?,?,?,?,00000000), ref: 004FD4E5
      • __vbaSetSystemError.MSVBVM60(000000FF,00000000), ref: 004FD4F8
      • __vbaStrToUnicode.MSVBVM60(?,?), ref: 004FD506
      • __vbaFreeStr.MSVBVM60 ref: 004FD520
      • __vbaSetSystemError.MSVBVM60(000000FF), ref: 004FD546
      • __vbaSetSystemError.MSVBVM60(000000FF), ref: 004FD565
      • __vbaSetSystemError.MSVBVM60(000000FF), ref: 004FD583
      • __vbaSetSystemError.MSVBVM60(000000FF), ref: 004FD599
      • #685.MSVBVM60 ref: 004FD5BC
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004FD5C7
      • __vbaFreeObj.MSVBVM60 ref: 004FD5E8
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685$Error$System$Chkstk$#645AnsiCheckHresultMoveUnicode$#529BstrCallCopyLateOffset
      • String ID: $
      • API String ID: 3362409638-3993045852
      • Opcode ID: 59acd4743d1c5df5b5f8b776f7c9c5457d6fcf00413f5a16b457d4f70982017d
      • Instruction ID: 195d622d1372577da8685a6c367dfeb9252493d229214dbb11c2c7afa9b94045
      • Opcode Fuzzy Hash: 59acd4743d1c5df5b5f8b776f7c9c5457d6fcf00413f5a16b457d4f70982017d
      • Instruction Fuzzy Hash: 9FE1F875D00248EFDB04DFE4D988BEEBBB5BF48305F108169E602AB2A4DB749A45CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 004FA1B0 Relevance: 87.8, APIs: 48, Strings: 2, Instructions: 328COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 004FA1CE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 004FA213
      • __vbaLateMemCallLd.MSVBVM60(?,?,FSPath,00000000), ref: 004FA250
      • __vbaVarMove.MSVBVM60(?,?,?,004153F6), ref: 004FA25E
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 004FA27C
      • #619.MSVBVM60(?,00004008,00000001), ref: 004FA2A7
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 004FA2C3
      • __vbaFreeVar.MSVBVM60 ref: 004FA2D3
      • __vbaStrCopy.MSVBVM60 ref: 004FA2F6
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 004FA30F
      • __vbaVarCopy.MSVBVM60 ref: 004FA336
      • #685.MSVBVM60 ref: 004FA669
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004FA674
      • __vbaFreeObj.MSVBVM60 ref: 004FA695
      • __vbaFreeStr.MSVBVM60(004FA6DC), ref: 004FA6D5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Copy$#619#685CallChkstkErrorLateMove
      • String ID: '$FSPath
      • API String ID: 3049871069-2180189934
      • Opcode ID: 0ed14f8ca9ccb680cf9f496f0a27b3a0ba30f6f914b193cb990805c65daa029c
      • Instruction ID: 02105ac3b2f702be87a22dee6ff92261b0fc634830bb4cf91ab4ff18905e8400
      • Opcode Fuzzy Hash: 0ed14f8ca9ccb680cf9f496f0a27b3a0ba30f6f914b193cb990805c65daa029c
      • Instruction Fuzzy Hash: BAE11DB5900208EFDB04DFA0CA98BDDBBB5FF48704F108159E506BB2A0DB759A89CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00573910 Relevance: 84.5, APIs: 45, Strings: 3, Instructions: 498COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0057392E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 0057396A
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 00573986
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 005739A7
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424BB8,000000A0), ref: 005739F5
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00573A21
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424BB8,000000A0), ref: 00573A6F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00573A9B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424BB8,00000090), ref: 00573AEC
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00573B18
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424BB8,000000A0), ref: 00573B66
      • __vbaStrCmp.MSVBVM60(?,?), ref: 00573B86
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 00573BAD
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00573BD6
      • __vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,?,?,004153F6), ref: 00573BF1
      • __vbaObjSet.MSVBVM60(0000FFFF,00000000), ref: 00573C34
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424BB8,000000A0), ref: 00573C82
      • __vbaStrMove.MSVBVM60 ref: 00573CBC
      • __vbaFreeObj.MSVBVM60 ref: 00573CC5
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00573CEB
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424BB8,000000A4), ref: 00573D3A
      • __vbaFreeObj.MSVBVM60 ref: 00573D55
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00573D76
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424BB8,000000A4), ref: 00573DC5
      • __vbaFreeObj.MSVBVM60 ref: 00573DE0
      • __vbaStrCopy.MSVBVM60 ref: 00573DFE
      • __vbaStrCopy.MSVBVM60 ref: 00573E13
      • __vbaStrMove.MSVBVM60(?), ref: 00573E27
      • __vbaStrCopy.MSVBVM60 ref: 00573E35
      • __vbaStrMove.MSVBVM60(?), ref: 00573E49
      • #595.MSVBVM60(00000008,00001000,00000008,0000000A,0000000A), ref: 00573EC0
      • __vbaFreeStrList.MSVBVM60(00000004,?,?,00000000,00000000), ref: 00573ED8
      • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 00573EF3
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00573F17
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424BB8,00000204), ref: 00573F61
      • __vbaFreeObj.MSVBVM60 ref: 00573F7C
      • #599.MSVBVM60({Home}+{End},0000000A), ref: 00573FA0
      • __vbaFreeVar.MSVBVM60 ref: 00573FA9
      • __vbaNew2.MSVBVM60(0041F624,?), ref: 00573FEC
      • __vbaObjSetAddref.MSVBVM60(000000FF,?), ref: 0057402D
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041F614,00000010), ref: 0057406C
      • __vbaFreeObj.MSVBVM60 ref: 00574087
      • #685.MSVBVM60 ref: 00574094
      • __vbaObjSet.MSVBVM60(000000FF,00000000), ref: 0057409F
      • __vbaFreeObj.MSVBVM60 ref: 005740C0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresult$List$CopyMove$#595#599#685AddrefChkstkErrorNew2Offset
      • String ID: Invalid Password, try again!$Login${Home}+{End}
      • API String ID: 2144987475-2174773702
      • Opcode ID: 6b7bfb89b5fa54c7f12d15e574da4ccc88df454463711265a241aa47fd82ce4a
      • Instruction ID: f5da660c8016ead7b81c0b40584eb8348976feab6a677cc0bfe87045578dd31b
      • Opcode Fuzzy Hash: 6b7bfb89b5fa54c7f12d15e574da4ccc88df454463711265a241aa47fd82ce4a
      • Instruction Fuzzy Hash: 17322AB5A00218EFDB14DF94C988FDEBBB5FF48300F108599E54AAB250DB749A84CF61
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005501D0 Relevance: 82.6, APIs: 39, Strings: 8, Instructions: 310COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 005501EE
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000000,00000000,00000000,004153F6), ref: 00550213
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,004153F6), ref: 0055022F
      • __vbaStrCmp.MSVBVM60(true,?), ref: 00550268
      • __vbaStrCmp.MSVBVM60(false,?), ref: 00550288
      • __vbaStrCmp.MSVBVM60(true,?), ref: 00550321
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$ChkstkErrorOffset
      • String ID: B$Software\Aloaha$WinPE$bootmgr$false$true$winpe$U
      • API String ID: 367529106-2625207190
      • Opcode ID: efe0919e1a9a910461f70322f61c5661116bc4e5dc8f4dd275264c67d9dc6ef3
      • Instruction ID: 33ad91d5f2489699b0eda033537691542a26e2913c978e89be9a1a516812fd86
      • Opcode Fuzzy Hash: efe0919e1a9a910461f70322f61c5661116bc4e5dc8f4dd275264c67d9dc6ef3
      • Instruction Fuzzy Hash: 0BE16974E00218DFEB14DFA0D958BDDBBB4FF48305F10819AE906A72A0DB745A89CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00536E60 Relevance: 82.5, APIs: 42, Strings: 5, Instructions: 233COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,0056C2F7,?,00000000,00000000,00000000,004153F6), ref: 00536E7E
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000000,00000000,00000000,004153F6,0056C2F7), ref: 00536EA3
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,004153F6,0056C2F7), ref: 00536EBF
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,00000000,00000000,004153F6,0056C2F7), ref: 00536EDE
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6,0056C2F7), ref: 00536EFB
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6,0056C2F7), ref: 00536F10
        • Part of subcall function 005133A0: __vbaChkstk.MSVBVM60(?,004153F6), ref: 005133BE
        • Part of subcall function 005133A0: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 005133E3
        • Part of subcall function 005133A0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 005133FF
        • Part of subcall function 005133A0: __vbaStrCmp.MSVBVM60(true,?,?,?,?,?,004153F6), ref: 0051341E
        • Part of subcall function 005133A0: #712.MSVBVM60(00000000,hklm\,HKLM\,00000001,000000FF,00000000,?,?,?,?,004153F6), ref: 00513449
        • Part of subcall function 005133A0: __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00513454
        • Part of subcall function 005133A0: #712.MSVBVM60(?,hkcu\,HKCU\,00000001,000000FF,00000000,?,?,?,?,004153F6), ref: 00513477
        • Part of subcall function 005133A0: __vbaStrMove.MSVBVM60(?,hkcu\,HKCU\,00000001,000000FF,00000000,?,?,?,?,004153F6), ref: 00513482
        • Part of subcall function 005133A0: #712.MSVBVM60(?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hkcu\,HKCU\,00000001,000000FF,00000000,?,?,?,?), ref: 005134A5
        • Part of subcall function 005133A0: __vbaStrMove.MSVBVM60(?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hkcu\,HKCU\,00000001,000000FF,00000000,?,?,?,?), ref: 005134B0
        • Part of subcall function 005133A0: #712.MSVBVM60(00000000,software\,SOFTWARE\,00000001,000000FF,00000000,?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hkcu\,HKCU\,00000001), ref: 005134D3
        • Part of subcall function 005133A0: __vbaStrMove.MSVBVM60(?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hkcu\,HKCU\,00000001,000000FF,00000000,?,?,?,?), ref: 005134DE
        • Part of subcall function 005133A0: #712.MSVBVM60(?,Software\,SOFTWARE\,00000001,000000FF,00000000,?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hkcu\,HKCU\,00000001), ref: 00513501
        • Part of subcall function 005133A0: __vbaStrMove.MSVBVM60(?,Software\,SOFTWARE\,00000001,000000FF,00000000,?,hlcr\,HKCR\,00000001,000000FF,00000000,?,hkcu\,HKCU\,00000001), ref: 0051350C
      • __vbaStrMove.MSVBVM60(?,?,00000000,00000000,00000000,004153F6,0056C2F7), ref: 00536F24
      • __vbaFreeStr.MSVBVM60(?,00000000,00000000,00000000,004153F6,0056C2F7), ref: 00536F2D
      • __vbaStrCmp.MSVBVM60(0041AA3C,00000000,?,00000000,00000000,00000000,004153F6,0056C2F7), ref: 00536F43
      • #619.MSVBVM60(?,00004008,00000001), ref: 00536F6F
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 00536F8B
      • __vbaFreeVar.MSVBVM60 ref: 00536F98
      • __vbaStrCat.MSVBVM60(0041F52C,00000000), ref: 00536FB6
      • __vbaStrMove.MSVBVM60 ref: 00536FC1
      • __vbaInStr.MSVBVM60(00000000,MULTICERT S.A.,00000000,00000001), ref: 00536FDB
      • #712.MSVBVM60(00000000,MULTICERT S.A.,aloaha,00000001,000000FF,00000000), ref: 00537000
      • __vbaStrMove.MSVBVM60 ref: 0053700B
      • __vbaStrCopy.MSVBVM60 ref: 00537020
      • __vbaFreeStr.MSVBVM60(?,00000000), ref: 00537036
      • __vbaStrCopy.MSVBVM60 ref: 00537049
      • __vbaStrCopy.MSVBVM60 ref: 00537065
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6,0056C2F7), ref: 00537083
      • __vbaStrCmp.MSVBVM60(0041AA3C,00000000,?,00000000,00000000,00000000,004153F6,0056C2F7), ref: 00537099
      • __vbaVarDup.MSVBVM60 ref: 005370C2
      • #667.MSVBVM60(?), ref: 005370CC
      • __vbaStrMove.MSVBVM60 ref: 005370D7
      • __vbaFreeVar.MSVBVM60 ref: 005370E0
      • __vbaStrCmp.MSVBVM60(0041AA3C,00000000), ref: 005370F6
      • #619.MSVBVM60(?,00004008,00000001), ref: 00537122
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0053713E
      • __vbaFreeVar.MSVBVM60 ref: 0053714B
      • __vbaStrCat.MSVBVM60(0041F52C,00000000), ref: 00537169
      • __vbaStrMove.MSVBVM60 ref: 00537174
      • __vbaStrCat.MSVBVM60(Aloaha\,00000000), ref: 0053718A
      • __vbaStrMove.MSVBVM60 ref: 00537195
      • __vbaStrCopy.MSVBVM60 ref: 005371AA
      • __vbaFreeStr.MSVBVM60(?,00000000), ref: 005371C0
      • __vbaStrCopy.MSVBVM60 ref: 005371D3
      • #685.MSVBVM60(?,00000000,00000000,00000000,004153F6,0056C2F7), ref: 005371E0
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000,00000000,00000000,004153F6,0056C2F7), ref: 005371EB
      • __vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,004153F6,0056C2F7), ref: 0053720C
      • __vbaFreeStr.MSVBVM60(0053725C,?,00000000,00000000,00000000,004153F6,0056C2F7), ref: 00537255
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$CopyFree$#712$#619ChkstkErrorOffset$#667#685
      • String ID: Aloaha\$COMMONPROGRAMFILES$HKLM\Software\aloaha\pdf\commondir$MULTICERT S.A.$aloaha
      • API String ID: 229994797-1158547150
      • Opcode ID: cdd2f235319a36bc0ca1c8e7ea20abf6107668dbaf9c7f0c718d323610dddd44
      • Instruction ID: 87bb44c071b3b5343104f7c017f8110f6999c099b4ae4dc7d3dee10b13803e4a
      • Opcode Fuzzy Hash: cdd2f235319a36bc0ca1c8e7ea20abf6107668dbaf9c7f0c718d323610dddd44
      • Instruction Fuzzy Hash: 80B1C475900208DBEB04DFA0DE98AEDBBB4FF48705F208169E502B72A0DB755E49DF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00502E40 Relevance: 80.8, APIs: 42, Strings: 4, Instructions: 301COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,00000000,004153F6), ref: 00502E5E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,?), ref: 00502E83
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,?), ref: 00502E9F
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,00000000,004153F6,?), ref: 00502EB7
      • __vbaInStr.MSVBVM60(00000000,0041F52C,00000000,00000001,?,?,?,?,00000000,004153F6,?), ref: 00502EDB
      • #685.MSVBVM60(?,?,?,?,00000000,004153F6,?), ref: 00502EF0
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000,004153F6,?), ref: 00502EFB
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00000000,004153F6,?), ref: 00502F1C
      • __vbaChkstk.MSVBVM60 ref: 00502F49
      • __vbaLateMemCallLd.MSVBVM60(?,?,FileExists,00000001), ref: 00502F7F
      • __vbaVarTstEq.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,004153F6,?), ref: 00502F8D
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00000000,004153F6,?), ref: 00502F9A
      • #685.MSVBVM60(?,?,?,?,?,?,00000000,004153F6,?), ref: 00502FA7
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,004153F6,?), ref: 00502FB2
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 00502FE5
      • __vbaFreeObj.MSVBVM60 ref: 0050300F
      • #716.MSVBVM60(?,Scripting.FileSystemObject,00000000), ref: 0050302F
      • __vbaObjVar.MSVBVM60(?), ref: 00503039
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0050304D
      • __vbaFreeVar.MSVBVM60 ref: 00503056
      • #685.MSVBVM60 ref: 00503063
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0050306E
      • __vbaFreeObj.MSVBVM60 ref: 0050308F
      • #685.MSVBVM60 ref: 0050309C
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005030A7
      • __vbaFreeObj.MSVBVM60 ref: 005030C8
      • __vbaChkstk.MSVBVM60 ref: 005030F5
      • __vbaLateMemCallLd.MSVBVM60(?,?,FileExists,00000001), ref: 0050312B
      • __vbaVarTstEq.MSVBVM60(?,00000000), ref: 00503139
      • __vbaFreeVar.MSVBVM60 ref: 00503146
      • #685.MSVBVM60 ref: 0050315F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0050316A
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 0050319D
      • __vbaFreeObj.MSVBVM60 ref: 005031C7
      • __vbaChkstk.MSVBVM60 ref: 005031F2
      • __vbaLateMemCallLd.MSVBVM60(?,?,GetFile,00000001), ref: 00503228
      • __vbaObjVar.MSVBVM60(00000000), ref: 00503232
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0050323D
      • __vbaFreeVar.MSVBVM60 ref: 00503246
      • __vbaChkstk.MSVBVM60 ref: 00503266
      • __vbaLateMemCall.MSVBVM60(?,DELETE,00000001), ref: 0050328F
      • __vbaFreeObj.MSVBVM60(005032C6,?,?,?,?,00000000,004153F6,?), ref: 005032BF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685Chkstk$CallLate$AddrefCheckHresult$#716ErrorOffset
      • String ID: DELETE$FileExists$GetFile$Scripting.FileSystemObject
      • API String ID: 1595044492-3565155828
      • Opcode ID: b138c718e9e3cc7fc6a94932ae6e9c7c124e728b044a03eeb07ae24070ea0200
      • Instruction ID: d0771f54ee7c5fe14b9e6ad105fd7de1061a887555c55de38d80c592c7621413
      • Opcode Fuzzy Hash: b138c718e9e3cc7fc6a94932ae6e9c7c124e728b044a03eeb07ae24070ea0200
      • Instruction Fuzzy Hash: BBD11BB4900208DFDB14DFA4D988BDEBBB5FF48300F10825AE906BB2A1DB749985CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005C4DA0 Relevance: 79.0, APIs: 43, Strings: 2, Instructions: 283COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 005C4DBE
      • __vbaAptOffset.MSVBVM60(00419C98,00000000,00000001,6D1CD8CD,00000000,004153F6), ref: 005C4DE3
      • __vbaStrCopy.MSVBVM60 ref: 005C4DFC
      • __vbaStrCopy.MSVBVM60 ref: 005C4E08
      • __vbaOnError.MSVBVM60(000000FF), ref: 005C4E17
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005C4E32
      • __vbaStrCopy.MSVBVM60 ref: 005C4E50
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 005C4E66
      • __vbaStrCopy.MSVBVM60 ref: 005C4E7F
        • Part of subcall function 005C0560: __vbaChkstk.MSVBVM60(?,004153F6,?,?,?,005C501D,?,?), ref: 005C057E
        • Part of subcall function 005C0560: __vbaAptOffset.MSVBVM60(00419C98,00000000,00000001,6D1CD8CD,?,004153F6), ref: 005C05A3
        • Part of subcall function 005C0560: __vbaStrCopy.MSVBVM60 ref: 005C05BC
        • Part of subcall function 005C0560: __vbaStrCopy.MSVBVM60 ref: 005C05C8
        • Part of subcall function 005C0560: __vbaOnError.MSVBVM60(000000FF), ref: 005C05D7
        • Part of subcall function 005C0560: #520.MSVBVM60(?,00004008), ref: 005C0602
        • Part of subcall function 005C0560: #520.MSVBVM60(?,00004008), ref: 005C063A
        • Part of subcall function 005C0560: __vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 005C0663
        • Part of subcall function 005C0560: __vbaVarCmpNe.MSVBVM60(?,00008008,?,00000000), ref: 005C067C
        • Part of subcall function 005C0560: __vbaVarAnd.MSVBVM60(?,00000000), ref: 005C068A
        • Part of subcall function 005C0560: __vbaBoolVarNull.MSVBVM60(00000000), ref: 005C0691
        • Part of subcall function 005C0560: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005C06A8
      • #520.MSVBVM60(?,00004008), ref: 005C4EAA
      • __vbaStrVarMove.MSVBVM60(?), ref: 005C4EB4
      • __vbaStrMove.MSVBVM60 ref: 005C4EBF
      • __vbaFreeVar.MSVBVM60 ref: 005C4EC8
      • #520.MSVBVM60(?,00004008), ref: 005C4EF3
      • #520.MSVBVM60(?,00004008), ref: 005C4F2B
      • __vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 005C4F54
      • __vbaVarCmpNe.MSVBVM60(?,00008008,?,00000000), ref: 005C4F6A
      • __vbaVarAnd.MSVBVM60(?,00000000), ref: 005C4F78
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 005C4F7F
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005C4F96
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?), ref: 005C4FDE
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 005C4FF4
      • __vbaObjSet.MSVBVM60(?,00000000,?,?), ref: 005C5022
      • #685.MSVBVM60 ref: 005C502F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C503A
      • __vbaFreeObj.MSVBVM60 ref: 005C505B
      • __vbaLateMemCallLd.MSVBVM60(?,00000000,serialnumber,00000000), ref: 005C5077
      • #520.MSVBVM60(?,00000000), ref: 005C5085
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 005C50AA
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005C50C1
      • #685.MSVBVM60 ref: 005C50E0
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C50EB
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 005C5136
      • __vbaFreeObj.MSVBVM60 ref: 005C5166
      • __vbaObjSetAddref.MSVBVM60(?,?), ref: 005C518F
      • __vbaStrCopy.MSVBVM60 ref: 005C51AB
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005C51BE
      • #685.MSVBVM60 ref: 005C51CB
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C51D6
      • __vbaFreeObj.MSVBVM60 ref: 005C51F7
      • __vbaFreeStr.MSVBVM60(005C525F), ref: 005C5246
      • __vbaFreeObj.MSVBVM60 ref: 005C524F
      • __vbaFreeStr.MSVBVM60 ref: 005C5258
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Copy$#520$#685AddrefList$BoolChkstkErrorMoveNullOffset$CallCheckHresultLate
      • String ID: Aloaha Cryptographic Provider$serialnumber
      • API String ID: 1780360227-3677228449
      • Opcode ID: 9f1b9f79542de6f3439c028dc5136c801b98e9c31605ba574bc0fa4facaf4cd5
      • Instruction ID: 36011063796b58dd01047de9cc7805192cee857100824f705493a5628e6abea8
      • Opcode Fuzzy Hash: 9f1b9f79542de6f3439c028dc5136c801b98e9c31605ba574bc0fa4facaf4cd5
      • Instruction Fuzzy Hash: 74D1F975901219DBDB14DFA0CE48FDDBBB8BF48304F1085A9E606B7260DB745A89CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0050F460 Relevance: 77.4, APIs: 43, Strings: 1, Instructions: 368COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0050F47E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 0050F4B7
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0050F4CF
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 0050F4F2
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424904,0000003C), ref: 0050F53B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424904,0000003C), ref: 0050F59B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424904,00000050), ref: 0050F62F
      • __vbaStrVarMove.MSVBVM60(?), ref: 0050F64B
      • __vbaStrMove.MSVBVM60 ref: 0050F656
      • __vbaFreeVar.MSVBVM60 ref: 0050F65F
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 0050F675
      • __vbaInStr.MSVBVM60(00000000,?,?,00000001), ref: 0050F696
      • __vbaVarDup.MSVBVM60 ref: 0050F6DC
      • #711.MSVBVM60(?,?,?,000000FF,00000000), ref: 0050F6F2
      • __vbaChkstk.MSVBVM60 ref: 0050F6FD
      • __vbaStrCopy.MSVBVM60 ref: 0050F8F8
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424904,0000003C), ref: 0050F939
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424904,0000004C), ref: 0050F995
      • __vbaStrVarMove.MSVBVM60(?), ref: 0050F9B1
      • __vbaStrMove.MSVBVM60 ref: 0050F9BC
      • __vbaFreeVar.MSVBVM60 ref: 0050F9C5
      • #685.MSVBVM60 ref: 0050F9D2
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0050F9DD
      • __vbaFreeObj.MSVBVM60 ref: 0050F9FE
      • __vbaFreeStr.MSVBVM60(0050FA5F), ref: 0050FA4F
      • __vbaFreeStr.MSVBVM60 ref: 0050FA58
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresult$Move$ChkstkCopy$#685#711Error
      • String ID: @@||@@
      • API String ID: 2785376529-483291907
      • Opcode ID: 9cc0b198be999b88b6137ce51ba3124929545777e56e3bd5111d684847ae986b
      • Instruction ID: 765e986d3fe0594f04d4b72d4170f3bd7ab1c5d10f5bd913090105ec726900b6
      • Opcode Fuzzy Hash: 9cc0b198be999b88b6137ce51ba3124929545777e56e3bd5111d684847ae986b
      • Instruction Fuzzy Hash: C50239B5900208EFDB10DFA4C988BDEBBB5FF48304F10C599E50AAB291D7749A85CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0058FD70 Relevance: 75.5, APIs: 42, Strings: 1, Instructions: 280COMMON
      Download Yara Rule
      APIs
      • __vbaStrCopy.MSVBVM60 ref: 0058FDD5
      • __vbaStrCopy.MSVBVM60 ref: 0058FDDF
      • __vbaHresultCheckObj.MSVBVM60(00000000,0040FA28,004367E4,00000088), ref: 0058FE16
      • #546.MSVBVM60(?), ref: 0058FE25
      • __vbaSetSystemError.MSVBVM60 ref: 0058FE33
      • __vbaR8ErrVar.MSVBVM60(?), ref: 0058FE3D
      • __vbaStrR8.MSVBVM60 ref: 0058FE5C
      • __vbaStrMove.MSVBVM60 ref: 0058FE6D
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0058FE79
      • __vbaHresultCheckObj.MSVBVM60(00000000,0040FA28,004367E4,00000050), ref: 0058FEBC
      • __vbaVarCat.MSVBVM60(?,?,00000008), ref: 0058FECE
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 0058FED5
      • __vbaStrMove.MSVBVM60 ref: 0058FEE0
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0058FEEC
      • __vbaHresultCheckObj.MSVBVM60(00000000,0040FA28,004367E4,00000048), ref: 0058FF15
      • __vbaStrMove.MSVBVM60 ref: 0058FF24
      • #525.MSVBVM60(?,?), ref: 0058FF30
      • __vbaStrMove.MSVBVM60(?,?), ref: 0058FF3B
      • __vbaStrCat.MSVBVM60(00000000,?,?), ref: 0058FF3E
      • __vbaStrMove.MSVBVM60(?,?), ref: 0058FF49
      • __vbaFreeStr.MSVBVM60(?,?), ref: 0058FF4E
      • __vbaStrToAnsi.MSVBVM60(?,?,?,?), ref: 0058FF5C
      • __vbaSetSystemError.MSVBVM60(00000000,?,00000000,?,?), ref: 0058FF75
      • __vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,?), ref: 0058FF83
      • __vbaFreeStr.MSVBVM60(?,00000000,?,?), ref: 0058FF9B
      • __vbaStrCopy.MSVBVM60(?,00000000,?,?), ref: 0058FFAF
      • __vbaFreeStr.MSVBVM60(005900D8,?,00000000,?,?), ref: 005900D0
      • __vbaFreeStr.MSVBVM60(?,00000000,?,?), ref: 005900D5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$FreeMove$CheckCopyHresult$ErrorListSystem$#525#546AnsiUnicode
      • String ID: (
      • API String ID: 448687699-3887548279
      • Opcode ID: 92a3a82df30f3a1566bf7052a55b07fdbca34f43eef158561490a5ff7d3d690c
      • Instruction ID: f5dd339430cd20833818399650f566849f2292dc4bf80e66fcd4b3b9107bbe93
      • Opcode Fuzzy Hash: 92a3a82df30f3a1566bf7052a55b07fdbca34f43eef158561490a5ff7d3d690c
      • Instruction Fuzzy Hash: EBB11C75900249EFCB04EFA4DD889EEBBB9FF48304F108529E506B72A4DB746945CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00572040 Relevance: 72.2, APIs: 40, Strings: 1, Instructions: 442COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 0057205E
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000000,?,00000000,004153F6), ref: 00572083
      • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004153F6), ref: 0057209C
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004153F6), ref: 005720AB
      • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004153F6), ref: 005720E0
      • #518.MSVBVM60(?,00004008), ref: 00572110
      • #520.MSVBVM60(?,?), ref: 0057211E
      • __vbaStrVarMove.MSVBVM60(?), ref: 00572128
      • __vbaStrMove.MSVBVM60 ref: 00572133
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00572143
        • Part of subcall function 00571BC0: __vbaChkstk.MSVBVM60(00000000,004153F6,005720CC,?,00000000,?,00000000,004153F6), ref: 00571BDE
        • Part of subcall function 00571BC0: __vbaAptOffset.MSVBVM60(00419C98,?,00000000,?,00000000,004153F6,005720CC), ref: 00571C03
        • Part of subcall function 00571BC0: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004153F6,005720CC), ref: 00571C1F
        • Part of subcall function 00571BC0: #685.MSVBVM60 ref: 00571FA5
        • Part of subcall function 00571BC0: __vbaObjSet.MSVBVM60(?,00000000), ref: 00571FB0
        • Part of subcall function 00571BC0: __vbaFreeObj.MSVBVM60 ref: 00571FD1
        • Part of subcall function 00571BC0: __vbaFreeStr.MSVBVM60(00572017), ref: 00572007
        • Part of subcall function 00571BC0: __vbaFreeStr.MSVBVM60 ref: 00572010
      • __vbaGenerateBoundsError.MSVBVM60(?), ref: 005721CD
      • __vbaGenerateBoundsError.MSVBVM60(?), ref: 005721E7
      • __vbaGenerateBoundsError.MSVBVM60 ref: 00572271
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0057228B
      • __vbaStrCopy.MSVBVM60 ref: 005722B2
      • __vbaStrCopy.MSVBVM60 ref: 005722D4
      • #546.MSVBVM60(?), ref: 00572436
      • __vbaFreeVar.MSVBVM60(?), ref: 0057244B
      • #685.MSVBVM60(?), ref: 005727B3
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005727BE
      • __vbaFreeObj.MSVBVM60 ref: 005727DF
      • __vbaFreeStr.MSVBVM60(00572830), ref: 00572820
      • __vbaFreeStr.MSVBVM60 ref: 00572829
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Error$BoundsCopyGenerate$#685ChkstkMoveOffset$#518#520#546List
      • String ID: %
      • API String ID: 2749879825-2567322570
      • Opcode ID: f1757bc3e4811e0e2eb9508fdb423b3c6332ba3db1a67af15d69911071665f6f
      • Instruction ID: 9cd8436c14e307ffd74dc880bb698dc00642cf0416e3d73d96abbc7413f7896f
      • Opcode Fuzzy Hash: f1757bc3e4811e0e2eb9508fdb423b3c6332ba3db1a67af15d69911071665f6f
      • Instruction Fuzzy Hash: C532E574900218CFCB58CF54DA88B9DBBB5FF88318F208299D4096B395CB719E89DF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00583E10 Relevance: 70.2, APIs: 36, Strings: 4, Instructions: 238COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 00583E2E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 00583E5E
      • __vbaStrCmp.MSVBVM60(true,?,?,?,?,?,004153F6), ref: 00583E77
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 00583E97
      • __vbaCastObj.MSVBVM60(00000000,0043AFB4,?,?,?,?,004153F6), ref: 00583EC1
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 00583ECC
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 00583EDA
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 00583EE3
      • #685.MSVBVM60(?,?,?,?,004153F6), ref: 00583EF0
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 00583EFB
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 00583F13
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 00583F28
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 00583F36
      • __vbaObjSet.MSVBVM60(?,00000000,CryptoAPIs.basicAPIs,00000000,?,?,0043AFB4), ref: 00583F62
      • __vbaCastObj.MSVBVM60(00000000), ref: 00583F69
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00583F74
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00583F82
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00583F92
      • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,004153F6), ref: 00583FA5
      • #685.MSVBVM60 ref: 00583FB5
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00583FC0
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 00583FF3
      • __vbaFreeObj.MSVBVM60 ref: 00584017
      • __vbaStrCopy.MSVBVM60 ref: 00584034
      • __vbaFreeStr.MSVBVM60(?), ref: 00584046
      • #685.MSVBVM60 ref: 00584068
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00584073
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000002C), ref: 005840A6
      • __vbaStrCat.MSVBVM60(?,Capi API failed: ), ref: 005840C1
      • __vbaStrMove.MSVBVM60 ref: 005840CC
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,?), ref: 005840E5
      • __vbaFreeObj.MSVBVM60 ref: 005840F1
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 00584125
      • #685.MSVBVM60(?,?,?,?,004153F6), ref: 00584132
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 0058413D
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 00584155
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Copy$#685$List$AddrefCastCheckHresult$ChkstkErrorMove
      • String ID: Capi API failed: $Capi API loaded$CryptoAPIs.basicAPIs$true
      • API String ID: 2565813220-2982437628
      • Opcode ID: dfa09aaba42159121dc6636daca38f2668c8dd3965aa84c3cb143633cecab3de
      • Instruction ID: c377ca75ae8590c9a7c72fc7357f5fdd98580d7113abf32b6ef07ce8b420c373
      • Opcode Fuzzy Hash: dfa09aaba42159121dc6636daca38f2668c8dd3965aa84c3cb143633cecab3de
      • Instruction Fuzzy Hash: 5DA1EB75900208EFDB04DFE4DA89BDEBBB4FF48705F108159E902BB2A1DB749A45CB64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00596CD0 Relevance: 69.3, APIs: 46, Instructions: 324COMMON
      Download Yara Rule
      APIs
      • __vbaUI1I4.MSVBVM60 ref: 00596D39
      • #573.MSVBVM60(?,?), ref: 00596D6F
      • __vbaVarCat.MSVBVM60(?,?,00000008), ref: 00596D7D
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 00596D8A
      • __vbaStrMove.MSVBVM60 ref: 00596D97
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00596DA3
      • #573.MSVBVM60(?,?), ref: 00596DC9
      • __vbaStrVarMove.MSVBVM60(?), ref: 00596DD5
      • __vbaStrMove.MSVBVM60 ref: 00596DE2
      • __vbaFreeVar.MSVBVM60 ref: 00596DE7
      • __vbaUI1I4.MSVBVM60 ref: 00596DF5
      • __vbaStrCat.MSVBVM60(0041AB20,?), ref: 00596E0B
      • #573.MSVBVM60(?,00004011), ref: 00596E30
      • __vbaVarCat.MSVBVM60(?,?,00000008), ref: 00596E3E
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 00596E45
      • __vbaStrMove.MSVBVM60 ref: 00596E4C
      • __vbaFreeVarList.MSVBVM60(00000003,00000008,?,?), ref: 00596E5C
      • #573.MSVBVM60(?,00004011), ref: 00596E89
      • __vbaVarCat.MSVBVM60(?,?,00000008), ref: 00596E97
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 00596E9E
      • __vbaStrMove.MSVBVM60 ref: 00596EA5
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00596EB1
      • __vbaUI1I4.MSVBVM60 ref: 00596EC2
      • __vbaStrCat.MSVBVM60(0041AB20,?), ref: 00596ED8
      • #573.MSVBVM60(?,00004011), ref: 00596EFD
      • __vbaVarCat.MSVBVM60(?,?,00000008), ref: 00596F0B
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 00596F12
      • __vbaStrMove.MSVBVM60 ref: 00596F19
      • __vbaFreeVarList.MSVBVM60(00000003,00000008,?,?), ref: 00596F29
      • __vbaUI1I4.MSVBVM60 ref: 00596FB0
      • __vbaStrCat.MSVBVM60(0041AB20,?), ref: 00596FC6
      • #573.MSVBVM60(?,00004011), ref: 00596FEB
      • __vbaVarCat.MSVBVM60(?,?,00000008), ref: 00596FF9
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 00597000
      • __vbaStrMove.MSVBVM60 ref: 00597007
      • __vbaFreeVarList.MSVBVM60(00000003,00000008,?,?), ref: 00597017
      • #573.MSVBVM60(?,00004011), ref: 00597044
      • __vbaVarCat.MSVBVM60(?,?,00000008), ref: 00597052
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 00597059
      • __vbaStrMove.MSVBVM60 ref: 00597060
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0059706C
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$#573Free$List
      • String ID:
      • API String ID: 381117457-0
      • Opcode ID: 2287416d5e0525878f69ddce1e1f9cd1673023c7a1d8ca62839e3c250e9869fd
      • Instruction ID: 3b119161c75c4e39c1f0b2acf5568dab9f1dd57c97b191a06e82db1ebe0dd317
      • Opcode Fuzzy Hash: 2287416d5e0525878f69ddce1e1f9cd1673023c7a1d8ca62839e3c250e9869fd
      • Instruction Fuzzy Hash: 06D1E5B180024DAFDF04DFE4D8949EEBFB9FF48304F14452AE506AB261EB746589CB64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0054E010 Relevance: 66.7, APIs: 34, Strings: 4, Instructions: 227COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6,?,?,?,?,?,0053C771,?,00000000,004153F6), ref: 0054E02E
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000000,?,?,004153F6), ref: 0054E053
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004153F6), ref: 0054E06F
      • __vbaStrCmp.MSVBVM60(true,?,?,00000000,?,?,004153F6), ref: 0054E08E
      • __vbaStrCopy.MSVBVM60(?,00000000,?,?,004153F6), ref: 0054E0C2
      • __vbaStrCopy.MSVBVM60 ref: 0054E37E
      • #685.MSVBVM60 ref: 0054E38B
      • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 0054E396
      • __vbaFreeObj.MSVBVM60 ref: 0054E3B7
      • __vbaFreeStr.MSVBVM60(0054E3F8), ref: 0054E3E8
      • __vbaFreeStr.MSVBVM60 ref: 0054E3F1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Copy$#685ChkstkErrorOffset
      • String ID: &$lsass$lsass.exe$true
      • API String ID: 365979175-3999059111
      • Opcode ID: 023e48ed53a30ed8a82a38868d9a37752c76a0954c08f972592ec17a7bc5bc1e
      • Instruction ID: 151864579767b175d2aff59e61c5e6b307afac7fad0c27264c8fa13bb7aa3d5d
      • Opcode Fuzzy Hash: 023e48ed53a30ed8a82a38868d9a37752c76a0954c08f972592ec17a7bc5bc1e
      • Instruction Fuzzy Hash: CCA14970A00208DBEB14DFA4DD49BEDBBB4FF44708F1081A9E506B72A1D7B45A89CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00543660 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 255COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0054367E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 005436A3
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 005436BF
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,004153F6), ref: 005436DE
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 005436FE
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 0054371A
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,004153F6), ref: 00543730
      • __vbaNew2.MSVBVM60(0041F624,?,?,?,?,?,004153F6), ref: 00543766
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041F614,00000014), ref: 005437C6
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041F634,00000050), ref: 0054380E
      • __vbaStrMove.MSVBVM60 ref: 0054383F
      • __vbaFreeObj.MSVBVM60 ref: 00543848
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,004153F6), ref: 0054385E
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00543879
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,004153F6), ref: 0054388F
      • #685.MSVBVM60(?,?,?,?,004153F6), ref: 00543A27
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,004153F6), ref: 00543A32
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 00543A53
      • __vbaFreeStr.MSVBVM60(00543AA3,?,?,?,?,004153F6), ref: 00543A9C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$FreeMove$CheckHresult$#685ChkstkCopyErrorNew2Offset
      • String ID: Certificates\
      • API String ID: 2105572680-4177056569
      • Opcode ID: 1486bfcd7a65bb49bf32bb4276e1eb9c2a1502c85986540867c7e155beedfe30
      • Instruction ID: 3de830f5cf7d0bb45a346cb030399906a095b0fbea48eefd5765fd1b71b9f0cd
      • Opcode Fuzzy Hash: 1486bfcd7a65bb49bf32bb4276e1eb9c2a1502c85986540867c7e155beedfe30
      • Instruction Fuzzy Hash: 33C1F675A00208DFDB14DFA0CA88BDEBBB4FF48704F2081A9E506B72A1DB755A45CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005BA860 Relevance: 65.0, APIs: 34, Strings: 3, Instructions: 221COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,005B64A8,?,?,?,00000000,004153F6), ref: 005BA87E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,005B64A8), ref: 005BA8A3
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,005B64A8), ref: 005BA8BF
        • Part of subcall function 005BA330: __vbaChkstk.MSVBVM60(00000000,004153F6,005B6492,?,?,?,00000000,004153F6), ref: 005BA34E
        • Part of subcall function 005BA330: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,005B6492), ref: 005BA373
        • Part of subcall function 005BA330: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,005B6492), ref: 005BA38F
        • Part of subcall function 005BA330: #520.MSVBVM60(?,00004008), ref: 005BA3CF
        • Part of subcall function 005BA330: #518.MSVBVM60(?,00004008), ref: 005BA40F
        • Part of subcall function 005BA330: #520.MSVBVM60(?,?), ref: 005BA41D
        • Part of subcall function 005BA330: __vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 005BA446
        • Part of subcall function 005BA330: __vbaVarCmpEq.MSVBVM60(?,00008008,?,00000000), ref: 005BA45F
        • Part of subcall function 005BA330: __vbaVarOr.MSVBVM60(?,00000000), ref: 005BA46D
        • Part of subcall function 005BA330: __vbaBoolVarNull.MSVBVM60(00000000), ref: 005BA474
        • Part of subcall function 005BA330: __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 005BA48F
        • Part of subcall function 005BA330: __vbaStrCopy.MSVBVM60 ref: 005BA4B6
        • Part of subcall function 005BA330: __vbaStrMove.MSVBVM60(?), ref: 005BA4D3
        • Part of subcall function 005BA330: __vbaFreeStr.MSVBVM60 ref: 005BA4DC
      • __vbaInStr.MSVBVM60(00000000,004206D8,?,00000001,?,?,?,00000000,004153F6,005B64A8), ref: 005BA8F8
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,005B64A8), ref: 005BA915
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,005B64A8), ref: 005BA923
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,?), ref: 005BA952
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005BA962
      • __vbaLateMemCallLd.MSVBVM60(?,?,info,00000000), ref: 005BA98F
      • __vbaVarTstGt.MSVBVM60(?,00000000,?,?,?,?,?,00000000,004153F6,005B64A8), ref: 005BA99D
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,00000000,004153F6,005B64A8), ref: 005BA9AA
      • #685.MSVBVM60(?,?,?,?,?,00000000,004153F6,005B64A8), ref: 005BA9C3
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,00000000,004153F6,005B64A8), ref: 005BA9CE
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 005BAA0A
      • __vbaFreeObj.MSVBVM60 ref: 005BAA37
      • __vbaLateMemCallLd.MSVBVM60(?,?,ReaderArray,00000000), ref: 005BAA5E
      • __vbaVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,004153F6,005B64A8), ref: 005BAA6C
      • __vbaAryVar.MSVBVM60(00002008,?,?,?,?,?,?,?,?,?,?,00000000,004153F6,005B64A8), ref: 005BAA82
      • __vbaAryCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,004153F6,005B64A8), ref: 005BAA93
      • __vbaStrCopy.MSVBVM60 ref: 005BAAB3
      • __vbaStrCopy.MSVBVM60 ref: 005BAAD1
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,00000000,004153F6,005B64A8), ref: 005BAAF1
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,00000000,004153F6,005B64A8), ref: 005BAB0F
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,?,00000000,004153F6,005B64A8), ref: 005BAB22
      • #685.MSVBVM60(?,?,?,?,?,00000000,004153F6,005B64A8), ref: 005BAB2F
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,00000000,004153F6,005B64A8), ref: 005BAB3A
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,00000000,004153F6,005B64A8), ref: 005BAB5B
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,005B64A8), ref: 005BAB7B
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,005B64A8), ref: 005BAB99
      • #685.MSVBVM60(?,?,?,00000000,004153F6,005B64A8), ref: 005BABA6
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,004153F6,005B64A8), ref: 005BABB1
      • __vbaFreeObj.MSVBVM60(?,?,?,00000000,004153F6,005B64A8), ref: 005BABD2
      • __vbaFreeObj.MSVBVM60(005BAC38,?,?,?,00000000,004153F6,005B64A8), ref: 005BAC28
      • __vbaFreeVar.MSVBVM60(?,?,?,00000000,004153F6,005B64A8), ref: 005BAC31
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Copy$Free$#685$#520CallChkstkErrorLateListMoveOffset$#518AddrefBoolCheckHresultNull
      • String ID: ReaderArray$info$null
      • API String ID: 210083457-1474791835
      • Opcode ID: 26b1a3115d879f74aa9307c168e3fd7849e13f38e11d3a32006474c39d4cb2e7
      • Instruction ID: 91320f9c4a09e705969010ec518f4c77afeff5b3e76e2f7256fe472e7be57509
      • Opcode Fuzzy Hash: 26b1a3115d879f74aa9307c168e3fd7849e13f38e11d3a32006474c39d4cb2e7
      • Instruction Fuzzy Hash: 7DA14C74900208EFDB14DFA4CE48BDEBBB4FF48304F2081A9E546A72A0DB746A45DF59
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0050C8A0 Relevance: 64.8, APIs: 43, Instructions: 279COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0050C8BE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0050C8FA
      • #520.MSVBVM60(?,00004008), ref: 0050C91F
      • __vbaStrVarMove.MSVBVM60(?), ref: 0050C929
      • __vbaStrMove.MSVBVM60 ref: 0050C934
      • __vbaStrCopy.MSVBVM60 ref: 0050C942
      • __vbaFreeStr.MSVBVM60 ref: 0050C94B
      • __vbaFreeVar.MSVBVM60 ref: 0050C954
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 0050C96D
      • #619.MSVBVM60(?,00004008,00000001), ref: 0050C99C
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0050C9B8
      • __vbaFreeVar.MSVBVM60 ref: 0050C9C5
      • __vbaLenBstr.MSVBVM60(?), ref: 0050C9F1
      • #617.MSVBVM60(?,00004008,-00000001), ref: 0050CA09
      • __vbaStrVarMove.MSVBVM60(?), ref: 0050CA13
      • __vbaStrMove.MSVBVM60 ref: 0050CA1E
      • __vbaStrCopy.MSVBVM60 ref: 0050CA2C
      • __vbaFreeStr.MSVBVM60 ref: 0050CA35
      • __vbaFreeVar.MSVBVM60 ref: 0050CA3E
      • #617.MSVBVM60(?,00004008,00000001), ref: 0050CA65
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0050CA81
      • __vbaFreeVar.MSVBVM60 ref: 0050CA8E
      • __vbaLenBstr.MSVBVM60(?), ref: 0050CABA
      • #619.MSVBVM60(?,00004008,-00000001), ref: 0050CAD2
      • __vbaStrVarMove.MSVBVM60(?), ref: 0050CADC
      • __vbaStrMove.MSVBVM60 ref: 0050CAE7
      • __vbaStrCopy.MSVBVM60 ref: 0050CAF5
      • __vbaFreeStr.MSVBVM60 ref: 0050CAFE
      • __vbaFreeVar.MSVBVM60 ref: 0050CB07
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 0050CB20
      • __vbaVarDup.MSVBVM60 ref: 0050CB45
      • #711.MSVBVM60(?,?,?,000000FF,00000000), ref: 0050CB5E
      • __vbaAryVar.MSVBVM60(00002008,?), ref: 0050CB6D
      • __vbaAryCopy.MSVBVM60(?,?), ref: 0050CB7E
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0050CB8E
      • __vbaAryMove.MSVBVM60(?,?), ref: 0050CBA6
      • __vbaAryDestruct.MSVBVM60(00000000,?,0050CBF3), ref: 0050CBEC
      • __vbaErrorOverflow.MSVBVM60 ref: 0050CC1D
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,004153F6), ref: 0050CC4E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6), ref: 0050CC8A
      • #685.MSVBVM60 ref: 0050CCA5
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0050CCB0
      • __vbaFreeObj.MSVBVM60 ref: 0050CCC8
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$Copy$Error$#617#619BstrChkstk$#520#685#711DestructListOverflow
      • String ID:
      • API String ID: 983237057-0
      • Opcode ID: 4ddea045ba79df70d9593d9aa1c24ddd07c9d6700a3f41ac52d1c2e06edc8547
      • Instruction ID: 9942bf5818615e902add9afcce1867fd2e429cc0390f2e5f259a5619fdaefee5
      • Opcode Fuzzy Hash: 4ddea045ba79df70d9593d9aa1c24ddd07c9d6700a3f41ac52d1c2e06edc8547
      • Instruction Fuzzy Hash: 41C1E875900208EFDB04DFE4DA88ADDBBB8FF48745F10C129E516AB2A0DB749A49CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005CCE70 Relevance: 63.4, APIs: 34, Strings: 2, Instructions: 366COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 005CCE8E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 005CCECA
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 005CCEE3
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 005CCF04
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424BA8,0000008C), ref: 005CCF3B
      • __vbaFreeObj.MSVBVM60 ref: 005CCF50
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CCF71
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00447150,00000094), ref: 005CCFA8
      • __vbaFreeObj.MSVBVM60 ref: 005CCFBD
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CD011
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0044B648,000000E0), ref: 005CD04A
      • __vbaFreeObj.MSVBVM60 ref: 005CD06F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CD0AC
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0044B648,000000E0), ref: 005CD0E5
      • __vbaFreeObj.MSVBVM60 ref: 005CD10A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CD147
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0044B648,000000E0), ref: 005CD180
      • __vbaFreeObj.MSVBVM60 ref: 005CD1A5
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CD1E2
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00447150,000000F0), ref: 005CD21B
      • __vbaStrI2.MSVBVM60(000000FF), ref: 005CD232
      • __vbaStrMove.MSVBVM60 ref: 005CD23D
      • __vbaFreeStr.MSVBVM60(writepfxreader,00000000), ref: 005CD251
      • __vbaFreeObj.MSVBVM60 ref: 005CD25A
      • __vbaStrI4.MSVBVM60(?), ref: 005CD271
      • __vbaStrMove.MSVBVM60 ref: 005CD27C
        • Part of subcall function 0053F200: __vbaChkstk.MSVBVM60(?,004153F6), ref: 0053F21E
        • Part of subcall function 0053F200: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 0053F243
        • Part of subcall function 0053F200: __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 0053F25C
        • Part of subcall function 0053F200: __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 0053F268
        • Part of subcall function 0053F200: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0053F277
        • Part of subcall function 0053F200: __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 0053F2A3
        • Part of subcall function 0053F200: #520.MSVBVM60(?,00004008), ref: 0053F2D6
        • Part of subcall function 0053F200: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0053F2FB
        • Part of subcall function 0053F200: __vbaFreeVar.MSVBVM60 ref: 0053F30B
        • Part of subcall function 0053F200: __vbaStrCopy.MSVBVM60 ref: 0053F346
        • Part of subcall function 0053F200: __vbaStrCopy.MSVBVM60(?,?), ref: 0053F378
        • Part of subcall function 0053F200: #685.MSVBVM60 ref: 0053FAE2
        • Part of subcall function 0053F200: __vbaObjSet.MSVBVM60(?,00000000), ref: 0053FAED
        • Part of subcall function 0053F200: __vbaFreeObj.MSVBVM60 ref: 0053FB0E
        • Part of subcall function 0053F200: __vbaFreeStr.MSVBVM60(0053FB7D), ref: 0053FB64
      • __vbaFreeStr.MSVBVM60(writepfxctype,00000000), ref: 005CD290
      • __vbaNew2.MSVBVM60(0041F624,?), ref: 005CD2B8
      • __vbaObjSetAddref.MSVBVM60(?,?), ref: 005CD2E7
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041F614,00000010), ref: 005CD314
      • __vbaFreeObj.MSVBVM60 ref: 005CD329
      • #685.MSVBVM60 ref: 005CD336
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CD341
      • __vbaFreeObj.MSVBVM60 ref: 005CD359
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresult$Copy$#685ChkstkErrorMoveOffset$#520AddrefNew2
      • String ID: writepfxctype$writepfxreader
      • API String ID: 2178253202-3688181146
      • Opcode ID: 82b6afc56b661a3249533ff4861b717bac3fd32c753cfeac2657fdb6b4fb88bd
      • Instruction ID: d3da053b5742e47e41f771661411655987442d367bb1a613337fd24a267d37c6
      • Opcode Fuzzy Hash: 82b6afc56b661a3249533ff4861b717bac3fd32c753cfeac2657fdb6b4fb88bd
      • Instruction Fuzzy Hash: A6F1E479901218EFDB04DFE4D988FEDBBB5FF48300F108569E506AB2A0DB749945CB64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005AC170 Relevance: 63.3, APIs: 42, Instructions: 321COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,004153F6), ref: 005AC18E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,?), ref: 005AC1B3
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 005AC1CC
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,?), ref: 005AC1DB
      • #712.MSVBVM60(00000000,0041C664,0041AA3C,00000001,000000FF,00000000,?,?,?,00000000,004153F6,?), ref: 005AC1FC
      • #528.MSVBVM60(?,00000008), ref: 005AC214
      • __vbaStrVarMove.MSVBVM60(?), ref: 005AC21E
      • __vbaStrMove.MSVBVM60 ref: 005AC229
      • __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 005AC239
        • Part of subcall function 005AC6E0: __vbaChkstk.MSVBVM60(?,004153F6,?,?,?,?,005AC252,?,?,00000000,004153F6,?), ref: 005AC6FE
        • Part of subcall function 005AC6E0: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 005AC723
        • Part of subcall function 005AC6E0: __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 005AC73C
        • Part of subcall function 005AC6E0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 005AC74B
        • Part of subcall function 005AC6E0: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,004153F6), ref: 005AC76A
        • Part of subcall function 005AC6E0: __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 005AC787
        • Part of subcall function 005AC6E0: __vbaStrMove.MSVBVM60(?,?,?,?,?,004153F6), ref: 005AC79B
        • Part of subcall function 005AC6E0: __vbaVarDup.MSVBVM60 ref: 005AC7BA
        • Part of subcall function 005AC6E0: #520.MSVBVM60(?,?), ref: 005AC7C8
        • Part of subcall function 005AC6E0: __vbaStrVarMove.MSVBVM60(?), ref: 005AC7D2
        • Part of subcall function 005AC6E0: __vbaStrMove.MSVBVM60 ref: 005AC7E6
        • Part of subcall function 005AC6E0: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005AC7F6
        • Part of subcall function 005AC6E0: __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,004153F6), ref: 005AC809
        • Part of subcall function 005AC6E0: __vbaStrCmp.MSVBVM60(0041AB28,?), ref: 005AC82B
        • Part of subcall function 005AC6E0: __vbaStrCopy.MSVBVM60 ref: 005AC84D
        • Part of subcall function 005AC6E0: __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 005AC862
      • __vbaStrMove.MSVBVM60(?,?,00000000,004153F6,?), ref: 005AC257
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,004153F6,?), ref: 005AC26D
      • __vbaStrCmp.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 005AC28B
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,004153F6,?), ref: 005AC2B1
      • __vbaStrCopy.MSVBVM60(?,00000000,004153F6,?), ref: 005AC2D8
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,004153F6,?), ref: 005AC2F3
      • __vbaStrCopy.MSVBVM60(?,00000000,004153F6,?), ref: 005AC310
      • __vbaStrCmp.MSVBVM60(?,?), ref: 005AC408
      • __vbaStrCopy.MSVBVM60 ref: 005AC4B6
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 005AC4CC
      • __vbaStrCopy.MSVBVM60 ref: 005AC4E7
      • #685.MSVBVM60(?,00000000,004153F6,?), ref: 005AC648
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,004153F6,?), ref: 005AC653
      • __vbaFreeObj.MSVBVM60(?,00000000,004153F6,?), ref: 005AC674
      • __vbaFreeStr.MSVBVM60(005AC6C4,?,00000000,004153F6,?), ref: 005AC6B4
      • __vbaFreeStr.MSVBVM60(?,00000000,004153F6,?), ref: 005AC6BD
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Copy$FreeMove$List$ChkstkErrorOffset$#520#528#685#712
      • String ID:
      • API String ID: 905073237-0
      • Opcode ID: c829b9e80e3bf8e519834f8273f169b4b5b6bb910fd591e586398fb39b2398d9
      • Instruction ID: 75e03f00aa63cfffaa7acd2b8960e58d4a4542eefcd44bb68022eb604fea8884
      • Opcode Fuzzy Hash: c829b9e80e3bf8e519834f8273f169b4b5b6bb910fd591e586398fb39b2398d9
      • Instruction Fuzzy Hash: D1E13C74900219DFCB18DFA4CA88BADBBB5FF48304F208299E546BB264DB745E85CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005184F0 Relevance: 61.8, APIs: 41, Instructions: 273COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0051850E
      • __vbaAptOffset.MSVBVM60(00419C98,6D1E1654,00000000,6D29595C,00000000,004153F6,C0000000), ref: 00518533
      • __vbaOnError.MSVBVM60(000000FF), ref: 0051854F
      • __vbaStrCopy.MSVBVM60 ref: 00518564
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 00518583
      • __vbaStrCopy.MSVBVM60 ref: 005185A3
      • #525.MSVBVM60(00000104), ref: 005185BA
      • __vbaStrMove.MSVBVM60 ref: 005185C5
      • __vbaStrToAnsi.MSVBVM60(?,?), ref: 005185DA
      • __vbaLenBstr.MSVBVM60(?,00000000), ref: 005185E5
      • __vbaSetSystemError.MSVBVM60(00000000), ref: 005185F4
      • __vbaStrToUnicode.MSVBVM60(?,?), ref: 00518602
      • __vbaFreeStr.MSVBVM60 ref: 00518611
      • #616.MSVBVM60(?,?), ref: 00518626
      • __vbaStrMove.MSVBVM60 ref: 00518631
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 00518647
      • __vbaNew2.MSVBVM60(0041F624,?), ref: 0051867D
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041F614,00000014), ref: 005186E6
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 005188BF
      • __vbaStrMove.MSVBVM60(?), ref: 005188F0
      • __vbaStrCopy.MSVBVM60 ref: 00518903
      • #685.MSVBVM60 ref: 00518910
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0051891B
      • __vbaFreeObj.MSVBVM60 ref: 0051893C
      • __vbaFreeStr.MSVBVM60(00518995), ref: 00518985
      • __vbaFreeStr.MSVBVM60 ref: 0051898E
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$CopyMove$Error$#525#616#685AnsiBstrCheckChkstkHresultNew2OffsetSystemUnicode
      • String ID:
      • API String ID: 2830564057-0
      • Opcode ID: ae6a90c25dce0a1850db7b9fff0a6a60a8cea82677646fb3e10418d1f5c39905
      • Instruction ID: 54380f7051f3f9a8fbf017afee772017ba48900e4540e9cd3c8f9cf6c63f86be
      • Opcode Fuzzy Hash: ae6a90c25dce0a1850db7b9fff0a6a60a8cea82677646fb3e10418d1f5c39905
      • Instruction Fuzzy Hash: 86D12975900208DFDB14DFA4DA88BDEBBB5FF48304F1081A9E506B72A0DB745A89CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0054A9A0 Relevance: 61.5, APIs: 33, Strings: 2, Instructions: 209COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?), ref: 0054A9BE
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,?), ref: 0054A9E3
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 0054A9FC
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,?), ref: 0054AA0B
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 0054AA1E
      • __vbaStrCmp.MSVBVM60(true,?,?,?,?,00000000,004153F6,?), ref: 0054AA3D
      • #685.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 0054AA68
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,004153F6,?), ref: 0054AA73
      • __vbaFreeObj.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 0054AA94
      • __vbaChkstk.MSVBVM60 ref: 0054AAC0
      • __vbaChkstk.MSVBVM60 ref: 0054AAE3
      • __vbaLateMemCallLd.MSVBVM60(?,?,scrmread,00000002), ref: 0054AB19
      • __vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,00000000,004153F6,?), ref: 0054AB23
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00000000,004153F6,?), ref: 0054AB2F
      • #685.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00000000,004153F6,?), ref: 0054AB3C
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,004153F6,?), ref: 0054AB47
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 0054AB7A
      • __vbaFreeObj.MSVBVM60 ref: 0054ABA4
      • __vbaStrCopy.MSVBVM60 ref: 0054ABBF
      • __vbaStrCopy.MSVBVM60 ref: 0054ABD6
      • __vbaStrCopy.MSVBVM60 ref: 0054ABF4
      • #685.MSVBVM60 ref: 0054AC01
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0054AC0C
      • __vbaFreeObj.MSVBVM60 ref: 0054AC2D
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 0054AC4D
      • __vbaStrCmp.MSVBVM60(true,?,?,?,?,00000000,004153F6,?), ref: 0054AC6C
      • __vbaStrMove.MSVBVM60(?,?,?,?,00000000,004153F6,?), ref: 0054AC8B
      • #685.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 0054AC98
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,004153F6,?), ref: 0054ACA3
      • __vbaFreeObj.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 0054ACC4
      • __vbaFreeStr.MSVBVM60(0054AD13,?,?,?,00000000,004153F6,?), ref: 0054ACFA
      • __vbaFreeStr.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 0054AD03
      • __vbaFreeStr.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 0054AD0C
        • Part of subcall function 005498A0: __vbaChkstk.MSVBVM60(00000000,004153F6,0054A740,?,?,?,?,004153F6), ref: 005498BE
        • Part of subcall function 005498A0: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,0054A740), ref: 005498E3
        • Part of subcall function 005498A0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,0054A740), ref: 005498FF
        • Part of subcall function 005498A0: __vbaStrCopy.MSVBVM60 ref: 0054992A
        • Part of subcall function 005498A0: __vbaStrCmp.MSVBVM60(true,?), ref: 00549949
        • Part of subcall function 005498A0: #685.MSVBVM60 ref: 0054A602
        • Part of subcall function 005498A0: __vbaObjSet.MSVBVM60(?,00000000), ref: 0054A60D
        • Part of subcall function 005498A0: __vbaFreeObj.MSVBVM60 ref: 0054A62E
        • Part of subcall function 005498A0: __vbaFreeStr.MSVBVM60(0054A675), ref: 0054A66E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Copy$#685$Chkstk$ErrorOffset$CallCheckHresultLateMove
      • String ID: scrmread$true
      • API String ID: 67554207-3318929670
      • Opcode ID: 5236e04f7e272b04a4a6b65cd791b16dbd102fa5cf53cf9f72da54a5ea6d67ea
      • Instruction ID: e57eda6270a3919a8e3772c0677e112605f5c0ee3fc1ccb72207fe043750bcc0
      • Opcode Fuzzy Hash: 5236e04f7e272b04a4a6b65cd791b16dbd102fa5cf53cf9f72da54a5ea6d67ea
      • Instruction Fuzzy Hash: F2A107B4900208DFDB04DFA4DA88BDDBBB5FF48305F2081A9E506A72A1DB745A85CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005995D0 Relevance: 60.3, APIs: 40, Instructions: 330COMMON
      Download Yara Rule
      APIs
      • __vbaPowerR8.MSVBVM60(00000000,40000000,?,?), ref: 00599652
      • __vbaPowerR8.MSVBVM60(00000000,40000000,?,?), ref: 00599696
      • _adj_fdivr_m64.MSVBVM60(?,?), ref: 005996B3
      • __vbaCopyBytes.MSVBVM60(00000004,?,?), ref: 00599703
      • __vbaErrorOverflow.MSVBVM60 ref: 00599722
      • #572.MSVBVM60(?,00000000,?,?), ref: 005997BC
      • __vbaStrMove.MSVBVM60 ref: 005997CD
      • #572.MSVBVM60(?), ref: 005997E0
      • __vbaStrMove.MSVBVM60 ref: 005997EB
      • #572.MSVBVM60(?), ref: 00599807
      • __vbaStrMove.MSVBVM60 ref: 00599812
      • #572.MSVBVM60(?), ref: 0059982E
      • __vbaStrMove.MSVBVM60 ref: 00599839
      • __vbaStrMove.MSVBVM60(0041AB20,00000002), ref: 0059986F
      • __vbaStrCat.MSVBVM60(00000000), ref: 00599878
      • __vbaStrMove.MSVBVM60 ref: 0059987F
      • #618.MSVBVM60(00000000), ref: 00599888
      • __vbaStrMove.MSVBVM60 ref: 0059988F
      • __vbaStrMove.MSVBVM60(0041AB20,00000002,00000000), ref: 005998A2
      • __vbaStrCat.MSVBVM60(00000000), ref: 005998A5
      • __vbaStrMove.MSVBVM60 ref: 005998AC
      • #618.MSVBVM60(00000000), ref: 005998AF
      • __vbaStrMove.MSVBVM60 ref: 005998B6
      • __vbaStrCat.MSVBVM60(00000000), ref: 005998B9
      • __vbaStrMove.MSVBVM60 ref: 005998C0
      • __vbaStrMove.MSVBVM60(0041AB20,00000002,00000000), ref: 005998D3
      • __vbaStrCat.MSVBVM60(00000000), ref: 005998D6
      • __vbaStrMove.MSVBVM60 ref: 005998DD
      • #618.MSVBVM60(00000000), ref: 005998E0
      • __vbaStrMove.MSVBVM60 ref: 005998E7
      • __vbaStrCat.MSVBVM60(00000000), ref: 005998EA
      • __vbaStrMove.MSVBVM60 ref: 005998F1
      • __vbaStrMove.MSVBVM60(0041AB20,00000002,00000000), ref: 00599904
      • __vbaStrCat.MSVBVM60(00000000), ref: 00599907
      • __vbaStrMove.MSVBVM60 ref: 0059990E
      • #618.MSVBVM60(00000000), ref: 00599911
      • __vbaStrMove.MSVBVM60 ref: 00599918
      • __vbaStrCat.MSVBVM60(00000000), ref: 0059991B
      • __vbaStrMove.MSVBVM60 ref: 00599922
      • __vbaFreeStrList.MSVBVM60(00000012,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0059996E
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$#572#618$Power$BytesCopyErrorFreeListOverflow_adj_fdivr_m64
      • String ID:
      • API String ID: 846408782-0
      • Opcode ID: ab000803b5531c57bcb16858e5c09eba2d92ae72f64a90f59b19de9855c983dd
      • Instruction ID: 44d1b15d25428988dee9fd9686e716f04fec8ef2131a00356a4335a45bfc8c11
      • Opcode Fuzzy Hash: ab000803b5531c57bcb16858e5c09eba2d92ae72f64a90f59b19de9855c983dd
      • Instruction Fuzzy Hash: 0ED1F2B1D04218ABCB04DFA9C8849EEFBF9FF98300F10851EE545A7264DB74AA45CF61
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0056D510 Relevance: 58.0, APIs: 29, Strings: 4, Instructions: 246COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,004FCF28,?,?,004153F6), ref: 0056D52E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6), ref: 0056D553
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6), ref: 0056D56F
      • __vbaStrCmp.MSVBVM60(true,?), ref: 0056D59B
      • __vbaStrCmp.MSVBVM60(false,?), ref: 0056D5BB
      • __vbaStrCmp.MSVBVM60(true,?), ref: 0056D5E6
      • __vbaStrMove.MSVBVM60 ref: 0056D622
      • #617.MSVBVM60(?,00004008,00000004), ref: 0056D646
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0056D662
      • __vbaFreeVar.MSVBVM60 ref: 0056D66F
      • #617.MSVBVM60(?,00004008,00000004), ref: 0056D6AD
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0056D6C9
      • __vbaFreeVar.MSVBVM60 ref: 0056D6D6
      • #685.MSVBVM60 ref: 0056D6FD
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0056D708
      • __vbaFreeObj.MSVBVM60 ref: 0056D729
      • #632.MSVBVM60(?,00004008,00000005,00000002), ref: 0056D75F
      • __vbaI4ErrVar.MSVBVM60(?), ref: 0056D769
      • __vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 0056D780
      • #685.MSVBVM60(?,?,00000000,004153F6), ref: 0056D790
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,00000000,004153F6), ref: 0056D79B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 0056D7CE
      • __vbaFreeObj.MSVBVM60 ref: 0056D806
      • __vbaStrCopy.MSVBVM60 ref: 0056D873
      • __vbaStrCopy.MSVBVM60 ref: 0056D893
      • #685.MSVBVM60 ref: 0056D8A0
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0056D8AB
      • __vbaFreeObj.MSVBVM60 ref: 0056D8CC
      • __vbaFreeStr.MSVBVM60(0056D900), ref: 0056D8F9
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685$#617Copy$#632CheckChkstkErrorHresultListMoveOffset
      • String ID: $$2013$false$true
      • API String ID: 2154926115-1782952355
      • Opcode ID: 560bc8a79101236e02cd64fb06b7e956210b8fd278426fedf4648cda3b9a831d
      • Instruction ID: eda100a9157e51b5040ce47d2b3582589dad4afb83b12cca51b4d53d649c0364
      • Opcode Fuzzy Hash: 560bc8a79101236e02cd64fb06b7e956210b8fd278426fedf4648cda3b9a831d
      • Instruction Fuzzy Hash: EDB136B1D00218DBDB14DFE4C988BEEBBB4BF48304F208559E506BB2A1DB745A48CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00539030 Relevance: 58.0, APIs: 32, Strings: 1, Instructions: 228COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,0054302D,?,00000001,?,00000000,004153F6,005421B6), ref: 0053904E
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000001,?,00000000,004153F6,0054302D), ref: 00539073
      • __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,004153F6,0054302D), ref: 0053908F
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000001,?,00000000,004153F6,0054302D), ref: 005390AE
      • __vbaStrCopy.MSVBVM60(?,00000001,?,00000000,004153F6,0054302D), ref: 005390CE
      • __vbaStrCopy.MSVBVM60(?,00000001,?,00000000,004153F6,0054302D), ref: 005390E8
      • __vbaStrMove.MSVBVM60(?,00000001,?,00000000,004153F6,0054302D), ref: 005390FF
      • __vbaStrCmp.MSVBVM60(0041AA3C,00000001,?,00000001,?,00000000,004153F6,0054302D), ref: 00539115
      • __vbaNew2.MSVBVM60(0041F624,?,?,00000001,?,00000000,004153F6,0054302D), ref: 0053914B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041F614,00000014), ref: 005391AB
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041F634,00000050), ref: 005391F3
      • __vbaStrMove.MSVBVM60 ref: 00539224
      • __vbaFreeObj.MSVBVM60 ref: 0053922D
      • __vbaStrCmp.MSVBVM60(0041AA3C,00000001,?,00000001,?,00000000,004153F6,0054302D), ref: 00539243
      • __vbaStrMove.MSVBVM60(?,00000001,?,00000000,004153F6,0054302D), ref: 0053925E
      • __vbaStrCmp.MSVBVM60(0041AA3C,00000001,?,00000001,?,00000000,004153F6,0054302D), ref: 00539274
      • #685.MSVBVM60(?,00000001,?,00000000,004153F6,0054302D), ref: 0053938E
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000001,?,00000000,004153F6,0054302D), ref: 00539399
      • __vbaFreeObj.MSVBVM60(?,00000001,?,00000000,004153F6,0054302D), ref: 005393BA
      • __vbaFreeStr.MSVBVM60(0053940A,?,00000001,?,00000000,004153F6,0054302D), ref: 00539403
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$FreeMove$CheckCopyHresult$#685ChkstkErrorNew2Offset
      • String ID: Settings.ini
      • API String ID: 2036196789-873160048
      • Opcode ID: 3ba163d7c0244026a2ab94ccf5a98d34edfa8209cff45a38a2ba6ec85a20ea56
      • Instruction ID: 36a92ca2e58f0a085ab61ff7b33c006f6001f75d09b21086952df29aa855c0db
      • Opcode Fuzzy Hash: 3ba163d7c0244026a2ab94ccf5a98d34edfa8209cff45a38a2ba6ec85a20ea56
      • Instruction Fuzzy Hash: E4B11CB4900208DFDB14DFA0CA88BDEBBB5FF48704F208169E506B72A1DB745A85CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00538900 Relevance: 57.9, APIs: 30, Strings: 3, Instructions: 186COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,005383AD,?,?,00000000,00000000,004153F6), ref: 0053891E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,00000000,00000000,004153F6,005383AD), ref: 00538943
      • __vbaOnError.MSVBVM60(000000FF,?,?,00000000,00000000,004153F6,005383AD), ref: 0053895F
      • __vbaStrCmp.MSVBVM60(true,?,?,?,00000000,00000000,004153F6,005383AD), ref: 0053897E
      • __vbaStrCopy.MSVBVM60(?,?,00000000,00000000,004153F6,005383AD), ref: 005389A4
      • __vbaStrCmp.MSVBVM60(true,?,?,?,00000000,00000000,004153F6,005383AD), ref: 005389C3
      • __vbaStrVarMove.MSVBVM60(?,?,HKLM\Software\Aloaha\forceHKLM,?,?,00000000,00000000,004153F6,005383AD), ref: 005389E6
      • __vbaStrMove.MSVBVM60(?,?,00000000,00000000,004153F6,005383AD), ref: 005389F1
      • __vbaFreeVar.MSVBVM60(?,?,00000000,00000000,004153F6,005383AD), ref: 005389FA
      • __vbaStrCopy.MSVBVM60(?,?,00000000,00000000,004153F6,005383AD), ref: 00538A11
      • __vbaStrMove.MSVBVM60(?,?,?,00000000,00000000,004153F6,005383AD), ref: 00538A25
      • __vbaFreeStr.MSVBVM60(?,?,00000000,00000000,004153F6,005383AD), ref: 00538A2E
      • #518.MSVBVM60(?,00004008), ref: 00538A59
      • #520.MSVBVM60(?,?), ref: 00538A67
      • #518.MSVBVM60(?,00004008), ref: 00538A9F
      • #520.MSVBVM60(?,?), ref: 00538AAD
      • __vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 00538AD6
      • __vbaVarCmpEq.MSVBVM60(?,00008008,?,00000000), ref: 00538AEF
      • __vbaVarOr.MSVBVM60(?,00000000), ref: 00538AFD
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 00538B04
      • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00538B23
      • __vbaStrCopy.MSVBVM60(?,?,00000000,00000000,004153F6,005383AD), ref: 00538B4F
      • __vbaStrCopy.MSVBVM60(?,?,00000000,00000000,004153F6,005383AD), ref: 00538B6D
        • Part of subcall function 0054F360: __vbaChkstk.MSVBVM60(00000000,004153F6,HKLM\Software\Aloaha\forceHKLM,?,?,00000000,00000000,004153F6,005383AD), ref: 0054F37E
        • Part of subcall function 0054F360: __vbaStrCopy.MSVBVM60(?,?,00000000,00000000,004153F6,HKLM\Software\Aloaha\forceHKLM), ref: 0054F3AB
        • Part of subcall function 0054F360: __vbaOnError.MSVBVM60(000000FF,?,?,00000000,00000000,004153F6,HKLM\Software\Aloaha\forceHKLM), ref: 0054F3BA
        • Part of subcall function 0054F360: __vbaStrCopy.MSVBVM60(?,?,00000000,00000000,004153F6,HKLM\Software\Aloaha\forceHKLM), ref: 0054F3CD
        • Part of subcall function 0054F360: #518.MSVBVM60(?,00004008), ref: 0054F3F8
        • Part of subcall function 0054F360: __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 0054F43C
        • Part of subcall function 0054F360: __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 0054F44A
        • Part of subcall function 0054F360: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0054F464
        • Part of subcall function 0054F360: #712.MSVBVM60(?,Software,SOFTWARE,00000001,000000FF,00000000,00000000,00000000,004153F6), ref: 0054F493
        • Part of subcall function 0054F360: __vbaStrMove.MSVBVM60 ref: 0054F49E
        • Part of subcall function 0054F360: #712.MSVBVM60(?,software,SOFTWARE,00000001,000000FF,00000000), ref: 0054F4BF
        • Part of subcall function 0054F360: __vbaStrMove.MSVBVM60 ref: 0054F4CA
        • Part of subcall function 0054F360: __vbaVarDup.MSVBVM60 ref: 0054F508
      • __vbaStrCmp.MSVBVM60(true,?,?,?,00000000,00000000,004153F6,005383AD), ref: 00538B8E
      • __vbaStrCopy.MSVBVM60(?,?,00000000,00000000,004153F6,005383AD), ref: 00538BB0
      • __vbaStrCopy.MSVBVM60(?,?,00000000,00000000,004153F6,005383AD), ref: 00538BD0
      • #685.MSVBVM60(?,?,00000000,00000000,004153F6,005383AD), ref: 00538BDD
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,00000000,00000000,004153F6,005383AD), ref: 00538BE8
      • __vbaFreeObj.MSVBVM60(?,?,00000000,00000000,004153F6,005383AD), ref: 00538C09
      • __vbaFreeStr.MSVBVM60(00538C60,?,?,00000000,00000000,004153F6,005383AD), ref: 00538C59
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Copy$Free$Move$#518$#520#712ChkstkErrorList$#685BoolNullOffset
      • String ID: HKLM\Software\Aloaha\forceHKLM$false$true
      • API String ID: 2999347621-2477423824
      • Opcode ID: 675d7fe13f9deccdc26bb10c69930c28f5f55f24a43c437f654d0dfc59256c93
      • Instruction ID: c18a65eadd0e0a49e81bb82595eec6a27e8edfe15495243bc064388790a71831
      • Opcode Fuzzy Hash: 675d7fe13f9deccdc26bb10c69930c28f5f55f24a43c437f654d0dfc59256c93
      • Instruction Fuzzy Hash: EB811CB1900209DFDB18DF90DD48FEEBB78BB48304F1085A9E616B7660DB745A88CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005098C0 Relevance: 56.2, APIs: 29, Strings: 3, Instructions: 196COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,00509775,00000000,00000000), ref: 005098DE
      • __vbaStrCopy.MSVBVM60(00000000,?,?,00000000,004153F6), ref: 0050990B
      • __vbaOnError.MSVBVM60(000000FF), ref: 0050991A
      • #685.MSVBVM60 ref: 00509927
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00509932
      • __vbaFreeObj.MSVBVM60 ref: 00509953
      • __vbaStrCopy.MSVBVM60 ref: 00509968
      • __vbaStrCopy.MSVBVM60 ref: 00509976
      • __vbaObjSet.MSVBVM60(?,00000000,CAPICOM.Utilities,00000000,?,?), ref: 005099A3
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005099B3
      • #685.MSVBVM60 ref: 005099C3
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005099CE
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 00509A19
      • __vbaFreeObj.MSVBVM60 ref: 00509A49
      • __vbaChkstk.MSVBVM60 ref: 00509A77
      • __vbaLateMemCallLd.MSVBVM60(?,?,BinaryToHex,00000001), ref: 00509AA4
      • __vbaStrVarVal.MSVBVM60(?,00000000), ref: 00509AB2
      • __vbaChkstk.MSVBVM60 ref: 00509AD2
      • __vbaLateMemCallLd.MSVBVM60(?,?,HexToBinary,00000001), ref: 00509AFF
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 00509B09
      • __vbaStrMove.MSVBVM60 ref: 00509B14
      • __vbaFreeStr.MSVBVM60 ref: 00509B1D
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 00509B31
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00509B47
      • #685.MSVBVM60 ref: 00509B54
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00509B5F
      • __vbaFreeObj.MSVBVM60 ref: 00509B80
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685ChkstkCopy$CallLateListMove$AddrefCheckErrorHresult
      • String ID: BinaryToHex$CAPICOM.Utilities$HexToBinary
      • API String ID: 2271533857-3136699940
      • Opcode ID: f6de7df8355a85fff4d62ec137e8fa345da728e9a3d9a5d8889155495e3d7648
      • Instruction ID: bb9d69fb092cf2543b169fd31c5045c0488d65aced23a719244bc6cb6344ee9e
      • Opcode Fuzzy Hash: f6de7df8355a85fff4d62ec137e8fa345da728e9a3d9a5d8889155495e3d7648
      • Instruction Fuzzy Hash: D7912975900208DFDB04DFA4DD88BDEBBB9FF48304F108199E506A72A1DB745A89CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005DBA10 Relevance: 56.2, APIs: 30, Strings: 2, Instructions: 190COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 005DBA2E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 005DBA67
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 005DBA76
      • __vbaStrCopy.MSVBVM60 ref: 005DBA9F
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 005DBAB5
      • #712.MSVBVM60(?,0041C664,0041AA3C,00000001,000000FF,00000000), ref: 005DBADE
      • #528.MSVBVM60(?,00000008), ref: 005DBAF6
      • __vbaStrVarMove.MSVBVM60(?), ref: 005DBB00
      • __vbaStrMove.MSVBVM60 ref: 005DBB0B
      • __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 005DBB1B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00449C28,0000006C), ref: 005DBB60
      • __vbaStrCopy.MSVBVM60 ref: 005DBB82
      • __vbaStrCopy.MSVBVM60 ref: 005DBB9A
      • __vbaStrCopy.MSVBVM60 ref: 005DBBB0
      • __vbaStrCopy.MSVBVM60 ref: 005DBBC8
      • __vbaStrCopy.MSVBVM60 ref: 005DBBDE
      • __vbaStrCopy.MSVBVM60 ref: 005DBBF6
      • __vbaStrCopy.MSVBVM60 ref: 005DBC0C
      • __vbaStrCopy.MSVBVM60 ref: 005DBC24
      • __vbaStrCopy.MSVBVM60 ref: 005DBC3A
      • __vbaStrCopy.MSVBVM60 ref: 005DBC52
      • __vbaStrCopy.MSVBVM60 ref: 005DBC68
      • __vbaStrCopy.MSVBVM60 ref: 005DBC80
      • __vbaStrCopy.MSVBVM60 ref: 005DBC98
      • #685.MSVBVM60 ref: 005DBCA5
      • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 005DBCB0
      • __vbaFreeObj.MSVBVM60 ref: 005DBCC8
      • __vbaAryDestruct.MSVBVM60(00000000,?,005DBD14), ref: 005DBCF8
      • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 005DBD04
      • __vbaFreeStr.MSVBVM60 ref: 005DBD0D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Copy$Free$DestructMove$#528#685#712CheckChkstkErrorHresultList
      • String ID: 0OA$true
      • API String ID: 2781528291-2119256600
      • Opcode ID: acd76446b264dcf96f4081b82e8df41c89b2e0fb43d8f39a60b843b5c2681e1a
      • Instruction ID: e4c53a1426ee1b473a71860a475fb033448bfa3975564a17375d3816c9e22e64
      • Opcode Fuzzy Hash: acd76446b264dcf96f4081b82e8df41c89b2e0fb43d8f39a60b843b5c2681e1a
      • Instruction Fuzzy Hash: D891F774901208EFDB04DF94CA98BDE7B71FF48754F208159E9026B3A0CB75AA85CF58
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00571460 Relevance: 56.2, APIs: 28, Strings: 4, Instructions: 161COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6,?,?,?,?,?,?,?,?,?,?,?,?,?,004153F6), ref: 0057147E
      • __vbaVarDup.MSVBVM60(?,?,?,?,004153F6), ref: 005714AB
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 005714BA
      • #716.MSVBVM60(?,CAPICOM.HashedData,00000000,?,?,?,?,004153F6), ref: 005714D2
      • __vbaObjVar.MSVBVM60(?,?,?,?,?,004153F6), ref: 005714DC
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 005714E7
      • __vbaFreeVar.MSVBVM60(?,?,?,?,004153F6), ref: 005714F0
      • __vbaChkstk.MSVBVM60 ref: 00571516
      • __vbaLateMemSt.MSVBVM60(?,Algorithm), ref: 00571549
      • __vbaVarCopy.MSVBVM60 ref: 0057155C
      • __vbaChkstk.MSVBVM60 ref: 00571581
      • __vbaLateMemCall.MSVBVM60(?,hash,00000001), ref: 005715B6
      • __vbaLateMemCallLd.MSVBVM60(?,?,value,00000000,?,?,?,?,?,?,004153F6), ref: 005715D5
      • __vbaStrVarVal.MSVBVM60(000000FF,?,0041C664,0041AA3C,00000001,000000FF,00000000), ref: 005715F6
      • #712.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,004153F6), ref: 005715FD
      • #528.MSVBVM60(?,00000008), ref: 00571615
      • #520.MSVBVM60(?,?), ref: 00571626
      • __vbaStrVarMove.MSVBVM60(?), ref: 00571633
      • __vbaStrMove.MSVBVM60 ref: 0057163E
      • __vbaFreeStr.MSVBVM60 ref: 00571647
      • __vbaFreeVarList.MSVBVM60(00000004,?,00000008,?,?), ref: 00571662
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00571678
      • #685.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004153F6), ref: 00571685
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00571690
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004153F6), ref: 005716B1
      • __vbaFreeVar.MSVBVM60(0057171E,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00571705
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004153F6), ref: 0057170E
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004153F6), ref: 00571717
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$ChkstkLate$AddrefCallMove$#520#528#685#712#716CopyErrorList
      • String ID: Algorithm$CAPICOM.HashedData$hash$value
      • API String ID: 3470399468-4194837620
      • Opcode ID: 5fe12f128e69d2bc6adab9c88d10f6df517e7b34cab68f91e27182af14c605a7
      • Instruction ID: 699102863fee6d0f8beb1a2d90d2f3ccde68ea142feb549846287d379ccbb289
      • Opcode Fuzzy Hash: 5fe12f128e69d2bc6adab9c88d10f6df517e7b34cab68f91e27182af14c605a7
      • Instruction Fuzzy Hash: 017129B5900218DFDB04DFA4CD88BDEBBB4FF48304F1081A9E50AA72A1DB745A89CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00593CF0 Relevance: 54.5, APIs: 30, Strings: 1, Instructions: 246COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 00593D0E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 00593D33
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 00593D4F
      • __vbaChkstk.MSVBVM60 ref: 00593DA9
      • __vbaLateMemCallLd.MSVBVM60(?,?,string2byte,00000001), ref: 00593DDF
      • __vbaVar2Vec.MSVBVM60(?,00000000,?,?,?,?,?,?,?,004153F6), ref: 00593DED
      • __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,?,004153F6), ref: 00593DFB
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,004153F6), ref: 00593E04
      • __vbaRedim.MSVBVM60(00000080,00000001,00000001,00000011,00000001,00000000,00000000,?,?,?,?,004153F6), ref: 00593E29
      • __vbaGenerateBoundsError.MSVBVM60 ref: 00593E70
      • __vbaGenerateBoundsError.MSVBVM60 ref: 00593E8A
      • __vbaUI1I2.MSVBVM60 ref: 00593E98
      • __vbaLenBstr.MSVBVM60(?), ref: 00593EBA
      • __vbaLenBstr.MSVBVM60(00000000,00000000), ref: 00593ED7
      • __vbaRedim.MSVBVM60(00000080,00000001,00000000,00000011,00000001,-00000001), ref: 00593EF6
      • __vbaUbound.MSVBVM60(00000001,?), ref: 00593F0C
      • #632.MSVBVM60(?,00004008,-00000001,00000002), ref: 00593F87
      • __vbaStrVarVal.MSVBVM60(?,?), ref: 00593FF3
      • #516.MSVBVM60(00000000), ref: 00593FFA
      • __vbaUI1I4.MSVBVM60 ref: 00594003
      • __vbaFreeStr.MSVBVM60 ref: 0059401B
      • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0059402B
      • __vbaVarCopy.MSVBVM60 ref: 0059405A
      • #685.MSVBVM60 ref: 00594067
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00594072
      • __vbaFreeObj.MSVBVM60 ref: 00594093
      • __vbaAryDestruct.MSVBVM60(00000000,00000000,005940F2), ref: 005940EB
        • Part of subcall function 00593700: __vbaChkstk.MSVBVM60(?,004153F6), ref: 0059371E
        • Part of subcall function 00593700: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 00593743
        • Part of subcall function 00593700: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0059375F
        • Part of subcall function 00593700: #685.MSVBVM60(?,?,?,?,004153F6), ref: 0059376C
        • Part of subcall function 00593700: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 00593777
        • Part of subcall function 00593700: __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 00593798
        • Part of subcall function 00593700: __vbaLateMemCallLd.MSVBVM60(?,?,info,00000000,?,?,?,?,004153F6), ref: 005937BD
        • Part of subcall function 00593700: __vbaI4Var.MSVBVM60(00000000,?,?,?,004153F6), ref: 005937C7
        • Part of subcall function 00593700: __vbaFreeVar.MSVBVM60(?,?,?,004153F6), ref: 005937D3
        • Part of subcall function 00593700: #685.MSVBVM60(?,?,?,004153F6), ref: 005937E0
        • Part of subcall function 00593700: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,004153F6), ref: 005937EB
        • Part of subcall function 00593700: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 0059381E
        • Part of subcall function 00593700: __vbaFreeObj.MSVBVM60 ref: 00593848
        • Part of subcall function 00593700: #685.MSVBVM60 ref: 005938B0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685Error$Chkstk$BoundsBstrCallGenerateLateOffsetRedim$#516#632CheckCopyDestructHresultListMoveUboundVar2
      • String ID: string2byte
      • API String ID: 4011877138-1258903281
      • Opcode ID: 61fd7fbd9c49051c9aebc581beb032b825a8b80b91ea09830f1cdc8ea0cfbb8b
      • Instruction ID: 85f722b085ef1301ace58bb54f27097f65fc103339e4237fdd593b03e5b01e93
      • Opcode Fuzzy Hash: 61fd7fbd9c49051c9aebc581beb032b825a8b80b91ea09830f1cdc8ea0cfbb8b
      • Instruction Fuzzy Hash: D7B147B4900308EFDB14DFA4D988BDEBBB5FF48304F208199E50AAB291D7B55A85CF51
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0053B640 Relevance: 54.5, APIs: 30, Strings: 1, Instructions: 215COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0053B65E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 0053B683
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0053B69F
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,004153F6), ref: 0053B6BE
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 0053B6DE
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 0053B6FA
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,004153F6), ref: 0053B710
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 0053B72B
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,004153F6), ref: 0053B741
      • __vbaNew2.MSVBVM60(0041F624,?,?,?,?,?,004153F6), ref: 0053B776
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041F614,00000014), ref: 0053B7D7
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041F634,00000050), ref: 0053B828
      • __vbaStrMove.MSVBVM60 ref: 0053B859
      • __vbaFreeObj.MSVBVM60 ref: 0053B862
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,004153F6), ref: 0053B878
      • #685.MSVBVM60(?,?,?,?,004153F6), ref: 0053B96E
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 0053B979
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 0053B99A
      • __vbaFreeStr.MSVBVM60(0053B9F3,?,?,?,?,004153F6), ref: 0053B9E3
      • __vbaFreeStr.MSVBVM60(?,?,?,?,004153F6), ref: 0053B9EC
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$CheckHresult$#685ChkstkCopyErrorNew2Offset
      • String ID: CSP_Cache.ini
      • API String ID: 3636845949-1224292376
      • Opcode ID: df9b254e3f2dda6dcf8888f98cfbc6a84ae319247644c29740041a20b341821f
      • Instruction ID: 67fbd7c0da61338a88df6b1bf75af1c47a1ce9084e46399580fbaa993e5c0b3d
      • Opcode Fuzzy Hash: df9b254e3f2dda6dcf8888f98cfbc6a84ae319247644c29740041a20b341821f
      • Instruction Fuzzy Hash: 03A1F775A00208DFEB14DFA4CA88BDDBBB5FF48304F2081A9E506B72A1DB745A45CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0057CD00 Relevance: 54.4, APIs: 29, Strings: 2, Instructions: 198COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0057CD1E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0057CD4E
      • #610.MSVBVM60(?,?,?,?,?,004153F6), ref: 0057CD5F
      • __vbaVarDup.MSVBVM60 ref: 0057CD82
      • #650.MSVBVM60(?,?,00000001,00000001), ref: 0057CD94
      • __vbaStrMove.MSVBVM60 ref: 0057CD9F
      • #610.MSVBVM60(?), ref: 0057CDAC
      • __vbaVarDup.MSVBVM60 ref: 0057CDD2
      • #650.MSVBVM60(?,?,00000001,00000001), ref: 0057CDEA
      • __vbaStrMove.MSVBVM60 ref: 0057CDF5
      • __vbaStrMove.MSVBVM60 ref: 0057CE28
      • __vbaVarDup.MSVBVM60 ref: 0057CE47
      • #619.MSVBVM60(?,?,00000002), ref: 0057CE57
      • __vbaStrMove.MSVBVM60 ref: 0057CE76
      • __vbaVarDup.MSVBVM60 ref: 0057CE98
      • #617.MSVBVM60(?,?,00000002), ref: 0057CEAE
      • __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0057CEC6
      • __vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0057CEDB
      • __vbaI4ErrVar.MSVBVM60(00000000), ref: 0057CEE2
      • __vbaFreeStrList.MSVBVM60(00000004,?,?,00000000,00000000), ref: 0057CF00
      • __vbaFreeVarList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,?,?), ref: 0057CF4C
      • __vbaStrI4.MSVBVM60(00000000,port: ), ref: 0057CF99
      • __vbaStrMove.MSVBVM60 ref: 0057CFA4
      • __vbaStrCat.MSVBVM60(00000000), ref: 0057CFAB
      • __vbaStrMove.MSVBVM60 ref: 0057CFB6
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,?), ref: 0057CFCF
      • #685.MSVBVM60 ref: 0057CFDF
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0057CFEA
      • __vbaFreeObj.MSVBVM60 ref: 0057D00B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Free$List$#610#650$#617#619#685ChkstkError
      • String ID: mmdd$port:
      • API String ID: 1628101360-642465026
      • Opcode ID: 085818498d13595ceb22dfca50ae8bf4a1a5e95c6414166d6e024aeb5a688bdb
      • Instruction ID: 5a9f72828220df1fa2ae8c8784cba81bddbd74513facd12d7c8fa2bd222ae66a
      • Opcode Fuzzy Hash: 085818498d13595ceb22dfca50ae8bf4a1a5e95c6414166d6e024aeb5a688bdb
      • Instruction Fuzzy Hash: 5091E9B2800218EFDB54DF90DD88FDEBB78FB48704F108599E50AA75A0DB745A89CF94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00509560 Relevance: 54.4, APIs: 28, Strings: 3, Instructions: 192COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6,?,?,?,004FF03E,?,00000000), ref: 0050957E
      • __vbaVarDup.MSVBVM60(00000000,?,?,?,004153F6), ref: 005095AB
      • __vbaOnError.MSVBVM60(000000FF), ref: 005095BA
      • #685.MSVBVM60 ref: 005095C7
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005095D2
      • __vbaFreeObj.MSVBVM60 ref: 005095F3
      • __vbaStrCopy.MSVBVM60 ref: 00509608
      • __vbaStrCopy.MSVBVM60 ref: 00509616
      • __vbaObjSet.MSVBVM60(?,00000000,CAPICOM.Utilities,00000000,?,?), ref: 00509643
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00509653
      • #685.MSVBVM60 ref: 00509663
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0050966E
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 005096B9
      • __vbaFreeObj.MSVBVM60 ref: 005096E9
      • __vbaChkstk.MSVBVM60 ref: 0050971D
      • __vbaLateMemCallLd.MSVBVM60(?,?,ByteArrayToBinaryString,00000001), ref: 00509756
      • __vbaStrVarVal.MSVBVM60(00000000,00000000), ref: 00509764
      • __vbaChkstk.MSVBVM60 ref: 00509784
      • __vbaLateMemCallLd.MSVBVM60(?,?,BinaryStringToByteArray,00000001), ref: 005097B1
      • __vbaVarMove.MSVBVM60(?,?,?,?,?,?,00000000,00000000), ref: 005097BF
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,00000000,00000000), ref: 005097C8
      • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,00000000,00000000), ref: 005097D8
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005097EE
      • #685.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 005097FB
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00509806
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00509827
      • __vbaFreeVar.MSVBVM60(0050988E), ref: 0050987E
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00509887
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685Chkstk$CallCopyLateList$AddrefCheckErrorHresultMove
      • String ID: BinaryStringToByteArray$ByteArrayToBinaryString$CAPICOM.Utilities
      • API String ID: 1672340527-3832077767
      • Opcode ID: 6cbdc493a929bd7063de8e04be83b4e58c105c75f71e702c4d8876c1606089b7
      • Instruction ID: 8f1d43e240374071f9ef6397d44ea157a1d5a6892b5f5f77e96ed73d8c3f7388
      • Opcode Fuzzy Hash: 6cbdc493a929bd7063de8e04be83b4e58c105c75f71e702c4d8876c1606089b7
      • Instruction Fuzzy Hash: C3911A75900218DFDB14DFA4CD88BDEBBB4FF48304F1081AAE50AA72A1DB745A85CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005BCE70 Relevance: 54.2, APIs: 36, Instructions: 240COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 005BCE8E
      • __vbaStrCopy.MSVBVM60(00000000,00000001,6D1CD8CD,00000000,004153F6), ref: 005BCEBB
      • __vbaFixstrConstruct.MSVBVM60(00000800,?), ref: 005BCECA
      • __vbaOnError.MSVBVM60(000000FF), ref: 005BCED9
      • #520.MSVBVM60(?,00004008), ref: 005BCF20
      • __vbaVarCmpNe.MSVBVM60(?,00008008,?,0000000B), ref: 005BCF50
      • __vbaVarAnd.MSVBVM60(?,00000000), ref: 005BCF5B
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 005BCF62
      • __vbaFreeVarList.MSVBVM60(00000002,?,0000000B), ref: 005BCF7C
      • __vbaLenBstr.MSVBVM60(?), ref: 005BCF9F
      • __vbaStrToAnsi.MSVBVM60(?,?,?), ref: 005BCFBB
      • __vbaStrToAnsi.MSVBVM60(?,?,00000002,00000000), ref: 005BCFCC
      • __vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 005BCFE2
      • __vbaStrToUnicode.MSVBVM60(?,?), ref: 005BCFF0
      • __vbaStrToUnicode.MSVBVM60(?,?), ref: 005BCFFE
      • __vbaLsetFixstr.MSVBVM60(00000000,?,00000000), ref: 005BD00B
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 005BD028
      • __vbaStrCopy.MSVBVM60 ref: 005BD059
      • #617.MSVBVM60(?,00004008,00000000), ref: 005BD081
      • __vbaLsetFixstr.MSVBVM60(00000000,?,?), ref: 005BD091
      • #608.MSVBVM60(?,00000000), ref: 005BD09D
      • __vbaStrVarVal.MSVBVM60(?,?,?,000000FF,00000000), ref: 005BD0C7
      • #711.MSVBVM60(?,00000000), ref: 005BD0D2
      • __vbaChkstk.MSVBVM60 ref: 005BD0DD
      • __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005BD118
      • #520.MSVBVM60(?,00000000), ref: 005BD129
      • __vbaAryUnlock.MSVBVM60(?), ref: 005BD133
      • __vbaStrVarMove.MSVBVM60(?), ref: 005BD140
      • __vbaStrMove.MSVBVM60 ref: 005BD14B
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005BD15B
      • __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 005BD180
      • #685.MSVBVM60 ref: 005BD190
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005BD19B
      • __vbaFreeObj.MSVBVM60 ref: 005BD1BC
      • __vbaFreeStr.MSVBVM60(005BD23F), ref: 005BD22F
      • __vbaFreeStr.MSVBVM60 ref: 005BD238
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$List$Fixstr$#520AnsiChkstkCopyErrorLsetMoveUnicode$#608#617#685#711BoolBstrConstructIndexLoadLockNullSystemUnlock
      • String ID:
      • API String ID: 1223289815-0
      • Opcode ID: 3edcc40e425e29a4280033e5aafb6affc834c4d860f322b1e1824c1e6da1196d
      • Instruction ID: 0390ef3854d8c4379aa56274db3e079b4e989d9847327bd1b610038881c0b3e0
      • Opcode Fuzzy Hash: 3edcc40e425e29a4280033e5aafb6affc834c4d860f322b1e1824c1e6da1196d
      • Instruction Fuzzy Hash: 17B1E8B6900208EFDB14DFD4DD88BDEBB78BF48704F108599E60AA7160DB745A88CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005744A0 Relevance: 52.9, APIs: 35, Instructions: 383COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 005744BE
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 005744FA
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 00574513
      • __vbaStrCmp.MSVBVM60(004367BC,?,?,?,?,?,004153F6), ref: 0057452F
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 00574558
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424BB8,0000015C), ref: 00574592
      • __vbaFreeObj.MSVBVM60 ref: 005745A7
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005745C8
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424BB8,0000015C), ref: 00574602
      • __vbaFreeObj.MSVBVM60 ref: 00574617
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 0057463D
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424BB8,0000015C), ref: 00574677
      • __vbaFreeObj.MSVBVM60 ref: 0057468C
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005746AD
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424BB8,0000015C), ref: 005746E7
      • __vbaFreeObj.MSVBVM60 ref: 005746FC
      • __vbaStrCopy.MSVBVM60 ref: 00574717
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00574738
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004367C4,00000054), ref: 00574771
      • __vbaFreeObj.MSVBVM60 ref: 00574786
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005747A7
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424BB8,000000A4), ref: 005747E1
      • __vbaFreeObj.MSVBVM60 ref: 005747F6
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00574817
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424BB8,000000A4), ref: 00574851
      • __vbaFreeObj.MSVBVM60 ref: 00574866
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00574887
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424C48,0000005C), ref: 005748B8
      • __vbaFreeObj.MSVBVM60 ref: 005748CD
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005748EE
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424C48,00000064), ref: 00574922
      • __vbaFreeObj.MSVBVM60 ref: 00574937
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00574958
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424C48,0000005C), ref: 00574989
      • __vbaFreeObj.MSVBVM60 ref: 0057499E
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresult$ChkstkCopyErrorOffset
      • String ID:
      • API String ID: 3434117887-0
      • Opcode ID: 740979306a8ce6e9511855733de5f0cac6df36ca69825fe13a9d0903e84a1372
      • Instruction ID: cd6a70769bdd0e47671e21a673ff1d75a32ac1894426f6eea335cec5a6baf61f
      • Opcode Fuzzy Hash: 740979306a8ce6e9511855733de5f0cac6df36ca69825fe13a9d0903e84a1372
      • Instruction Fuzzy Hash: 0A02D4B9900208EFCB04DFA4D988ADEBBB5FF4C310F208559E506BB2A0C7749945CFA4
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005749E0 Relevance: 52.8, APIs: 28, Strings: 2, Instructions: 298COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 005749FE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 00574A45
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 00574A5A
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,004153F6), ref: 00521D3E
        • Part of subcall function 00521D20: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,?), ref: 00521D63
        • Part of subcall function 00521D20: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,?), ref: 00521D7F
        • Part of subcall function 00521D20: __vbaStrCmp.MSVBVM60(true,?,?,?,?,00000000,004153F6,?), ref: 00521D9E
        • Part of subcall function 00521D20: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DC4
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DDB
        • Part of subcall function 00521D20: __vbaVarDup.MSVBVM60 ref: 00521E12
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 00521E39
        • Part of subcall function 00521D20: #711.MSVBVM60(?,00000000), ref: 00521E47
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60 ref: 00521E52
        • Part of subcall function 00521D20: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 00521E90
        • Part of subcall function 00521D20: #520.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EA1
        • Part of subcall function 00521D20: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EAB
        • Part of subcall function 00521D20: #518.MSVBVM60(?,?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EBF
        • Part of subcall function 00521D20: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ECC
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ED7
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,004153F6), ref: 00574A6C
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004360D8,00000058), ref: 00574AA3
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004360D8,00000058), ref: 00574AF0
      • __vbaSetSystemError.MSVBVM60(00000000,000000FF,00000000,00000000,00000000,00000000,00000043), ref: 00574B17
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004360D8,00000058), ref: 00574B4E
      • __vbaSetSystemError.MSVBVM60(00000000), ref: 00574B6C
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00574B93
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00424C48,0000005C), ref: 00574BC4
      • __vbaFreeObj.MSVBVM60 ref: 00574BD9
      • __vbaSetSystemError.MSVBVM60 ref: 00574C01
      • #685.MSVBVM60 ref: 00574C2F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00574C3A
      • __vbaFreeObj.MSVBVM60 ref: 00574C52
      • __vbaSetSystemError.MSVBVM60(000000FF,000000FF,00000000,00000000,00000000,00000000,00000043), ref: 00574C74
      • __vbaSetSystemError.MSVBVM60(000000FF), ref: 00574C8D
      • __vbaStrCopy.MSVBVM60 ref: 00574CA8
        • Part of subcall function 00521D20: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EE7
        • Part of subcall function 00521D20: __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00521F12
        • Part of subcall function 00521D20: __vbaNew2.MSVBVM60(0041F624,?), ref: 00521F42
        • Part of subcall function 00521D20: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041F614,00000014), ref: 00521FB8
        • Part of subcall function 00521D20: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041F634,00000058), ref: 00522015
        • Part of subcall function 00521D20: __vbaVarDup.MSVBVM60 ref: 0052205E
        • Part of subcall function 00521D20: #711.MSVBVM60(?,?,?,000000FF,00000000), ref: 00522077
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60 ref: 00522082
      • __vbaFreeStr.MSVBVM60(?), ref: 00574CBA
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00574CDB
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00424C48,0000005C), ref: 00574D0C
      • __vbaFreeObj.MSVBVM60 ref: 00574D21
      • __vbaChkstk.MSVBVM60 ref: 00574D41
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004360D8,000002AC), ref: 00574D8B
      • #685.MSVBVM60 ref: 00574DAB
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00574DB6
      • __vbaFreeObj.MSVBVM60 ref: 00574DD7
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresult$Error$ChkstkSystem$Move$Copy$#685#711List$#518#520IndexLoadLockNew2OffsetUnlock
      • String ID: Bring PIN Dialog to front$timer
      • API String ID: 1732441070-1745417365
      • Opcode ID: 11cde07010bc3c833491640f5f2f022ce345fdea69d4e6e4a0b9d6cec770f792
      • Instruction ID: a7345dc896b1aab4781c92d23e8358a578e9b8af9485cc9eeaab99402129f19e
      • Opcode Fuzzy Hash: 11cde07010bc3c833491640f5f2f022ce345fdea69d4e6e4a0b9d6cec770f792
      • Instruction Fuzzy Hash: F7D1F4B4900208EFDB14DFA4D988BDEBBB5FF48305F208159E516BB2A0C774AA45DF94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00560980 Relevance: 52.8, APIs: 35, Instructions: 292COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6,?,?,?,005602C5,?,?), ref: 0056099E
      • __vbaAryConstruct2.MSVBVM60(?,00431788,00000011,6D1F285F,6D2C1D9E,6D1F17CC,?,004153F6), ref: 005609D0
      • __vbaOnError.MSVBVM60(000000FF), ref: 005609DF
      • __vbaGenerateBoundsError.MSVBVM60 ref: 00560A15
      • #644.MSVBVM60(0000EC00), ref: 00560A28
      • __vbaUI1I2.MSVBVM60 ref: 00560A3D
      • __vbaUI1I2.MSVBVM60(?,?), ref: 00560A5F
      • __vbaUI1I2.MSVBVM60(?,?), ref: 00560A81
      • __vbaUI1I2.MSVBVM60(?,?), ref: 00560AA3
      • __vbaUI1I2.MSVBVM60(?,?), ref: 00560AC5
      • __vbaUI1I2.MSVBVM60(?,?), ref: 00560AE7
      • #685.MSVBVM60(?,?), ref: 00560B04
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00560B0F
      • __vbaFreeObj.MSVBVM60 ref: 00560B30
      • __vbaUbound.MSVBVM60(00000001), ref: 00560B51
      • __vbaI2I4.MSVBVM60 ref: 00560B59
      • #685.MSVBVM60 ref: 00560B8C
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00560B97
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685Error$#644BoundsChkstkConstruct2FreeGenerateUbound
      • String ID:
      • API String ID: 2444365471-0
      • Opcode ID: cb09c5218c8e17294c10e331a9b6053dd50d18a300559d54653d84971c0d99a4
      • Instruction ID: f0a89751d7802d42afeed654e44c77c7e6dfa1f1369e3680ba7925bfa23b4cb1
      • Opcode Fuzzy Hash: cb09c5218c8e17294c10e331a9b6053dd50d18a300559d54653d84971c0d99a4
      • Instruction Fuzzy Hash: 18D11474900308DFDB14DFE4C988BDEBBB4BF48305F208659E506AB2A1DB749A84DF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00538C80 Relevance: 52.7, APIs: 29, Strings: 1, Instructions: 210COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 00538C9E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 00538CC3
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 00538CDF
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,004153F6), ref: 00538CFE
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 00538D1E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 00538D38
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 00538D4F
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,004153F6), ref: 00538D65
      • __vbaNew2.MSVBVM60(0041F624,?,?,?,?,?,004153F6), ref: 00538D9B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041F614,00000014), ref: 00538DFB
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041F634,00000050), ref: 00538E43
      • __vbaStrMove.MSVBVM60 ref: 00538E74
      • __vbaFreeObj.MSVBVM60 ref: 00538E7D
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,004153F6), ref: 00538E93
      • #619.MSVBVM60(?,00004008,00000001), ref: 00538EBF
      • #685.MSVBVM60(?,?,?,?,004153F6), ref: 00538F9F
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,004153F6), ref: 00538FAA
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 00538FCB
      • __vbaFreeStr.MSVBVM60(0053901B,?,?,?,?,004153F6), ref: 00539014
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$CheckCopyHresultMove$#619#685ChkstkErrorNew2Offset
      • String ID: CardINI.ini
      • API String ID: 4267331689-3911529127
      • Opcode ID: 3c332b417603dd84b6ac1347d9cc9e69838cf23f62653e6be5ef49bc69938552
      • Instruction ID: 5f513565d89ab2812d41e1cc1cc63f135233a36713d337d7ef3ac885ffe6abe0
      • Opcode Fuzzy Hash: 3c332b417603dd84b6ac1347d9cc9e69838cf23f62653e6be5ef49bc69938552
      • Instruction Fuzzy Hash: 4EA10874900208DFDB14DFA0CA88BEDBBB5FF48704F2081A9E505B72A1DB755A89CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0053BA10 Relevance: 52.7, APIs: 29, Strings: 1, Instructions: 210COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0053BA2E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 0053BA53
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0053BA6F
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,004153F6), ref: 0053BA8E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 0053BAAE
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 0053BAC8
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 0053BADF
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,004153F6), ref: 0053BAF5
      • __vbaNew2.MSVBVM60(0041F624,?,?,?,?,?,004153F6), ref: 0053BB2B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041F614,00000014), ref: 0053BB8B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041F634,00000050), ref: 0053BBD3
      • __vbaStrMove.MSVBVM60 ref: 0053BC04
      • __vbaFreeObj.MSVBVM60 ref: 0053BC0D
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,004153F6), ref: 0053BC23
      • #619.MSVBVM60(?,00004008,00000001), ref: 0053BC4F
      • #685.MSVBVM60(?,?,?,?,004153F6), ref: 0053BD2F
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,004153F6), ref: 0053BD3A
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 0053BD5B
      • __vbaFreeStr.MSVBVM60(0053BDAB,?,?,?,?,004153F6), ref: 0053BDA4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$CheckCopyHresultMove$#619#685ChkstkErrorNew2Offset
      • String ID: ReaderINI.ini
      • API String ID: 4267331689-509458093
      • Opcode ID: 8249dc032d74311b8d0d0924065ba0e87f7e402f1a3575e25374388f0b60f196
      • Instruction ID: a219d8ae502d9e1a19da41bbd9ed646fca51e3ce170143df1d7e58c7d15860c6
      • Opcode Fuzzy Hash: 8249dc032d74311b8d0d0924065ba0e87f7e402f1a3575e25374388f0b60f196
      • Instruction Fuzzy Hash: 30A11774A00208DFEB14CFA0CA88BDDBBB4FF48304F2081A9E505B72A1DB755A85CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005AA4C0 Relevance: 50.9, APIs: 25, Strings: 4, Instructions: 159COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 005AA4DE
      • __vbaVarDup.MSVBVM60(?,?,?,?,004153F6), ref: 005AA50B
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 005AA51A
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 005AA52F
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 005AA53D
      • __vbaObjSet.MSVBVM60(?,00000000,CAPICOM.Utilities,00000000,?,?), ref: 005AA564
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005AA574
      • __vbaStrCopy.MSVBVM60(?,?,004153F6), ref: 005AA58C
      • __vbaStrCopy.MSVBVM60(?,?,004153F6), ref: 005AA59A
      • __vbaObjSet.MSVBVM60(?,00000000,CAPICOM.Certificate,00000000,?,?), ref: 005AA5C1
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005AA5D1
      • __vbaChkstk.MSVBVM60 ref: 005AA5F3
      • __vbaLateMemCallLd.MSVBVM60(?,?,ByteArrayToBinaryString,00000001), ref: 005AA620
      • __vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004153F6), ref: 005AA630
      • __vbaLateMemCall.MSVBVM60(?,Import,00000001), ref: 005AA658
      • __vbaFreeVar.MSVBVM60 ref: 005AA664
      • __vbaObjSetAddref.MSVBVM60(?,?), ref: 005AA679
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005AA68C
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005AA69F
      • #685.MSVBVM60 ref: 005AA6AC
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005AA6B7
      • __vbaFreeObj.MSVBVM60 ref: 005AA6D8
      • __vbaFreeObj.MSVBVM60(005AA73A), ref: 005AA721
      • __vbaFreeObj.MSVBVM60 ref: 005AA72A
      • __vbaFreeVar.MSVBVM60 ref: 005AA733
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Copy$AddrefChkstk$CallLateList$#685Error
      • String ID: ByteArrayToBinaryString$CAPICOM.Certificate$CAPICOM.Utilities$Import
      • API String ID: 1585374449-4063253086
      • Opcode ID: 12037ed9395a928837eba534361a21c4180c0662afd186c467277aba3b308f95
      • Instruction ID: fc34a8eb3769ccf369fb53d400b0fc55b6b32a5624d8b108845d04337b19d9cb
      • Opcode Fuzzy Hash: 12037ed9395a928837eba534361a21c4180c0662afd186c467277aba3b308f95
      • Instruction Fuzzy Hash: 08615C75900208DFDB04DFA4CA49BDEBBB4FF48304F108169E506B72A1DB756A49CF95
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00526180 Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 211COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0052619E
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000000,00000000,?,004153F6), ref: 005261C3
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,004153F6), ref: 005261DC
        • Part of subcall function 0054DEE0: __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 0054DEFE
        • Part of subcall function 0054DEE0: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6), ref: 0054DF23
        • Part of subcall function 0054DEE0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6), ref: 0054DF3C
        • Part of subcall function 0054DEE0: __vbaStrCmp.MSVBVM60(true,?,?,?,?,00000000,004153F6), ref: 0054DF58
        • Part of subcall function 0054DEE0: #685.MSVBVM60 ref: 0054DFB4
        • Part of subcall function 0054DEE0: __vbaObjSet.MSVBVM60(00000000,00000000), ref: 0054DFBF
        • Part of subcall function 0054DEE0: __vbaFreeObj.MSVBVM60 ref: 0054DFD7
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,004153F6), ref: 00526207
        • Part of subcall function 00538300: __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 0053831E
        • Part of subcall function 00538300: __vbaAptOffset.MSVBVM60(00419C98,?,?,00000000,00000000,004153F6), ref: 00538343
        • Part of subcall function 00538300: __vbaOnError.MSVBVM60(000000FF,?,?,00000000,00000000,004153F6), ref: 0053835C
        • Part of subcall function 00538300: __vbaStrCmp.MSVBVM60(true,?,?,?,00000000,00000000,004153F6), ref: 00538378
        • Part of subcall function 00538300: __vbaStrCopy.MSVBVM60(?,?,00000000,00000000,004153F6), ref: 0053839B
        • Part of subcall function 00538300: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,00000000,00000000,004153F6), ref: 005383C3
        • Part of subcall function 00538300: __vbaStrMove.MSVBVM60(?,?,00000000,00000000,004153F6), ref: 005383DE
        • Part of subcall function 00538300: __vbaFreeStr.MSVBVM60(?,?,00000000,00000000,004153F6), ref: 005383E7
        • Part of subcall function 00538300: __vbaStrCmp.MSVBVM60(true,?,?,?,00000000,00000000,004153F6), ref: 00538403
        • Part of subcall function 00538300: __vbaStrCmp.MSVBVM60(true,?,?,?,00000000,00000000,004153F6), ref: 00538427
        • Part of subcall function 00538300: __vbaInStr.MSVBVM60(00000000,HKCU,00000000,00000001,?,?,00000000,00000000,004153F6), ref: 00538444
        • Part of subcall function 00538300: __vbaInStr.MSVBVM60(00000000,HKEY_CURRENT_USER,?,00000001,?,?,00000000,00000000,004153F6), ref: 00538460
      • __vbaStrMove.MSVBVM60(?,?,00000000,00000000,?,004153F6), ref: 0052621B
      • __vbaFreeStr.MSVBVM60(?,00000000,00000000,?,004153F6), ref: 00526224
      • __vbaStrMove.MSVBVM60 ref: 00526262
      • __vbaStrCmp.MSVBVM60(0041AA3C,00000000), ref: 0052626E
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 0052628C
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 005262AB
      • __vbaFreeStr.MSVBVM60 ref: 005262C2
      • #592.MSVBVM60(00000000), ref: 0052631D
      • __vbaVarVargNofree.MSVBVM60 ref: 00526347
      • __vbaI4Var.MSVBVM60(00000000), ref: 0052634E
        • Part of subcall function 0051A2F0: __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,00000000,00000000,?,004153F6), ref: 0051A30E
        • Part of subcall function 0051A2F0: __vbaAptOffset.MSVBVM60(00419C98,?,00000001,00000000,00000000,004153F6), ref: 0051A333
        • Part of subcall function 0051A2F0: __vbaOnError.MSVBVM60(000000FF,?,00000001,00000000,00000000,004153F6), ref: 0051A34F
        • Part of subcall function 0051A2F0: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000001,00000000,00000000,004153F6), ref: 0051A36E
        • Part of subcall function 0051A2F0: __vbaStrCmp.MSVBVM60(004250B4,?,?,00000001,00000000,00000000,004153F6), ref: 0051A395
        • Part of subcall function 0051A2F0: __vbaStrCopy.MSVBVM60(?,00000001,00000000,00000000,004153F6), ref: 0051A3BB
        • Part of subcall function 0051A2F0: __vbaStrCopy.MSVBVM60 ref: 0051A426
        • Part of subcall function 0051A2F0: __vbaStrCopy.MSVBVM60 ref: 0051A434
        • Part of subcall function 0051A2F0: __vbaStrMove.MSVBVM60(?,?,0000000A), ref: 0051A450
        • Part of subcall function 0051A2F0: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0051A460
        • Part of subcall function 0051A2F0: __vbaFreeVar.MSVBVM60(00000000,00000000,004153F6), ref: 0051A46C
        • Part of subcall function 0051A2F0: __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 0051A498
        • Part of subcall function 0051A2F0: __vbaStrCopy.MSVBVM60 ref: 0051A4B5
        • Part of subcall function 0051A2F0: #685.MSVBVM60 ref: 0051A4C2
      • __vbaStrToAnsi.MSVBVM60(?,0041AA3C,00000000,00020006,?,00000000,?), ref: 0052637A
      • __vbaStrToAnsi.MSVBVM60(?,00000000,00000000,00000000), ref: 0052638D
      • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 005263A0
      • __vbaStrToUnicode.MSVBVM60(?,?), ref: 005263AE
      • __vbaI2I4.MSVBVM60 ref: 005263B7
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005263CB
      • __vbaSetSystemError.MSVBVM60(00000000), ref: 00526403
      • __vbaI2I4.MSVBVM60 ref: 0052640C
      • __vbaSetSystemError.MSVBVM60(00000000), ref: 00526462
      • __vbaI2I4.MSVBVM60 ref: 0052646B
        • Part of subcall function 00519C50: __vbaChkstk.MSVBVM60(?,004153F6,?,?,00000000,00000000,?,004153F6), ref: 00519C6E
        • Part of subcall function 00519C50: __vbaAptOffset.MSVBVM60(00419C98,?,00000000,00000000,?,004153F6), ref: 00519C93
        • Part of subcall function 00519C50: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,004153F6), ref: 00519CAC
        • Part of subcall function 00519C50: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,00000000,?,004153F6), ref: 00519CC8
        • Part of subcall function 00519C50: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,00000000,?,004153F6), ref: 00519CEC
        • Part of subcall function 00519C50: __vbaStrCopy.MSVBVM60 ref: 00519D17
        • Part of subcall function 00519C50: __vbaStrCopy.MSVBVM60 ref: 00519D25
        • Part of subcall function 00519C50: __vbaStrMove.MSVBVM60(?,?,0000000A), ref: 00519D41
        • Part of subcall function 00519C50: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00519D51
        • Part of subcall function 00519C50: __vbaFreeVar.MSVBVM60(00000000,?,004153F6), ref: 00519D5D
        • Part of subcall function 00519C50: __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 00519D73
        • Part of subcall function 00519C50: __vbaStrCmp.MSVBVM60(0041AB20,?), ref: 00519D8A
        • Part of subcall function 00519C50: __vbaStrCopy.MSVBVM60 ref: 00519DD5
      • #685.MSVBVM60(?,00000000,00000000,?,004153F6), ref: 0052648A
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,?,004153F6), ref: 00526495
      • __vbaFreeObj.MSVBVM60(?,00000000,00000000,?,004153F6), ref: 005264AD
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Copy$Error$ChkstkMoveOffset$#685ListSystem$Ansi$#592NofreeUnicodeVarg
      • String ID: "
      • API String ID: 531980915-123907689
      • Opcode ID: 5db3f126cedb27ebb036cfa5c1d913727756bfcf95206a83d3a30bfb4554556d
      • Instruction ID: c8956ed5d95a7f85b0cf1f1d8712c27e200c647f8e7e975318093915bfe6bffa
      • Opcode Fuzzy Hash: 5db3f126cedb27ebb036cfa5c1d913727756bfcf95206a83d3a30bfb4554556d
      • Instruction Fuzzy Hash: 5C914A74D00208EFDB14DFE4DA88BEEBBB4FF48704F208159E902AB2A0DB755A45CB55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0057CA50 Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 173COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0057CA6E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 0057CAB2
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 0057CABE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0057CACD
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 0057CAE2
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,004153F6), ref: 00521D3E
        • Part of subcall function 00521D20: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,?), ref: 00521D63
        • Part of subcall function 00521D20: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,?), ref: 00521D7F
        • Part of subcall function 00521D20: __vbaStrCmp.MSVBVM60(true,?,?,?,?,00000000,004153F6,?), ref: 00521D9E
        • Part of subcall function 00521D20: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DC4
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DDB
        • Part of subcall function 00521D20: __vbaVarDup.MSVBVM60 ref: 00521E12
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 00521E39
        • Part of subcall function 00521D20: #711.MSVBVM60(?,00000000), ref: 00521E47
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60 ref: 00521E52
        • Part of subcall function 00521D20: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 00521E90
        • Part of subcall function 00521D20: #520.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EA1
        • Part of subcall function 00521D20: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EAB
        • Part of subcall function 00521D20: #518.MSVBVM60(?,?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EBF
        • Part of subcall function 00521D20: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ECC
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ED7
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,004153F6), ref: 0057CAF4
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0057CB4E
      • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 0057CB59
      • __vbaI2Var.MSVBVM60(00000000,?,?,?,004153F6), ref: 0057CB63
      • __vbaFreeObj.MSVBVM60(?,?,?,004153F6), ref: 0057CB7B
      • __vbaFreeVar.MSVBVM60(?,?,?,004153F6), ref: 0057CB84
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,004153F6), ref: 0057CBB1
      • __vbaLateIdCall.MSVBVM60(00000000,?,?,?,004153F6), ref: 0057CBB8
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,004153F6), ref: 0057CBC4
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,004153F6), ref: 0057CBE9
      • __vbaLateIdCallLd.MSVBVM60(?,00000000,?,?,?,004153F6), ref: 0057CBF4
      • __vbaI2Var.MSVBVM60(00000000), ref: 0057CBFE
      • __vbaFreeObj.MSVBVM60 ref: 0057CC16
      • __vbaFreeVar.MSVBVM60 ref: 0057CC1F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0057CC4C
      • __vbaLateIdCall.MSVBVM60(00000000), ref: 0057CC53
      • __vbaFreeObj.MSVBVM60 ref: 0057CC5F
      • #685.MSVBVM60 ref: 0057CC6C
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0057CC77
      • __vbaFreeObj.MSVBVM60 ref: 0057CC8F
      • __vbaFreeStr.MSVBVM60(0057CCD2), ref: 0057CCC2
      • __vbaFreeStr.MSVBVM60 ref: 0057CCCB
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$CallCopyLateMove$Chkstk$Error$#518#520#685#711IndexLoadLockOffsetUnlock
      • String ID: rsock error
      • API String ID: 3751721835-418110253
      • Opcode ID: 75856c678de444ae44958913635b196d9071dbce63cedeb0bd22f02a8826928e
      • Instruction ID: 937ac72ff28192cb8705cae884ff0b138de67a9b421b367b657c252fc1a93a93
      • Opcode Fuzzy Hash: 75856c678de444ae44958913635b196d9071dbce63cedeb0bd22f02a8826928e
      • Instruction Fuzzy Hash: EC712E75900208EFDB04DFA4DD48BDEBB78FF48705F108169F506AB2A0DB759A45CB94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00537270 Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 137COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0053728E
      • __vbaStrCopy.MSVBVM60(6D1E1654,00000000,6D29595C,?,004153F6), ref: 005372BB
      • __vbaOnError.MSVBVM60(000000FF), ref: 005372CA
      • #526.MSVBVM60(?,000000FF), ref: 005372E0
      • __vbaStrVarMove.MSVBVM60(?), ref: 005372EA
      • __vbaStrMove.MSVBVM60 ref: 005372F5
      • __vbaFreeVar.MSVBVM60 ref: 005372FE
      • __vbaLenBstr.MSVBVM60(?), ref: 0053730F
      • __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0053731E
      • __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0053732D
      • __vbaSetSystemError.MSVBVM60(00000000), ref: 0053733F
      • __vbaStrToUnicode.MSVBVM60(?,?), ref: 0053734D
      • __vbaStrToUnicode.MSVBVM60(?,?), ref: 0053735B
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00537374
      • #608.MSVBVM60(?,00000000), ref: 00537397
      • __vbaInStrVar.MSVBVM60(?,00000000,?,00000008,00000001), ref: 005373C1
      • __vbaVarSub.MSVBVM60(?,00000002,00000000), ref: 005373D3
      • __vbaI4Var.MSVBVM60(00000000), ref: 005373DA
      • #616.MSVBVM60(?,00000000), ref: 005373E5
      • __vbaStrMove.MSVBVM60 ref: 005373F0
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00537400
      • #685.MSVBVM60 ref: 00537410
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053741B
      • __vbaFreeObj.MSVBVM60 ref: 0053743C
      • __vbaFreeStr.MSVBVM60(005374A3), ref: 00537493
      • __vbaFreeStr.MSVBVM60 ref: 0053749C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$AnsiErrorListUnicode$#526#608#616#685BstrChkstkCopySystem
      • String ID: \Y)m
      • API String ID: 2292728281-3031955511
      • Opcode ID: f9ff5d7823c86a3acbe6fe1455adf94d1ae314b26f1809b827837d787fb3adc5
      • Instruction ID: 94f5513852b495ff9b451517d561cc732ecae52be0b0731727a86dc0349c279f
      • Opcode Fuzzy Hash: f9ff5d7823c86a3acbe6fe1455adf94d1ae314b26f1809b827837d787fb3adc5
      • Instruction Fuzzy Hash: 3F51B5B2900208ABDB14DFE4DE48EDEBB78BB48705F108169F616A7160DB746A48CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00519940 Relevance: 46.7, APIs: 31, Instructions: 173COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(000000FF,004153F6), ref: 0051995E
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000000,00000000,000000FF,004153F6), ref: 00519983
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,000000FF,004153F6), ref: 0051999F
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,00000000,000000FF,004153F6), ref: 005199BE
      • #525.MSVBVM60(00000104,?,00000000,00000000,000000FF,004153F6), ref: 005199D8
      • __vbaStrMove.MSVBVM60(?,00000000,00000000,000000FF,004153F6), ref: 005199E3
      • __vbaLenBstr.MSVBVM60(00000000,?,00000000,00000000,000000FF,004153F6), ref: 005199F4
      • __vbaStrToAnsi.MSVBVM60(00000000,00000000,00000000,?,00000000,00000000,000000FF,004153F6), ref: 00519A03
      • __vbaSetSystemError.MSVBVM60(00000000,?,00000000,00000000,000000FF,004153F6), ref: 00519A12
      • __vbaStrToUnicode.MSVBVM60(00000000,?,?,00000000,00000000,000000FF,004153F6), ref: 00519A20
      • __vbaFreeStr.MSVBVM60(?,00000000,00000000,000000FF,004153F6), ref: 00519A2F
      • #616.MSVBVM60(00000000,?,?,00000000,00000000,000000FF,004153F6), ref: 00519A44
      • __vbaStrMove.MSVBVM60(?,00000000,00000000,000000FF,004153F6), ref: 00519A4F
      • __vbaLenBstr.MSVBVM60(00000000,?,00000000,00000000,000000FF,004153F6), ref: 00519A60
      • #619.MSVBVM60(?,00004008,00000001), ref: 00519A89
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 00519AA5
      • __vbaFreeVar.MSVBVM60 ref: 00519AB2
      • __vbaStrCat.MSVBVM60(0041F52C,00000000), ref: 00519AD0
      • __vbaStrMove.MSVBVM60 ref: 00519ADB
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,000000FF,004153F6), ref: 00519AF9
      • __vbaLenBstr.MSVBVM60(00000000,?,00000000,00000000,000000FF,004153F6), ref: 00519B0A
      • #619.MSVBVM60(?,00004008,00000001), ref: 00519B37
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 00519B53
      • __vbaFreeVar.MSVBVM60 ref: 00519B60
      • __vbaStrCat.MSVBVM60(0041F52C,00000000), ref: 00519B7E
      • __vbaStrMove.MSVBVM60 ref: 00519B89
      • __vbaStrCopy.MSVBVM60 ref: 00519BA5
      • #685.MSVBVM60(?,00000000,00000000,000000FF,004153F6), ref: 00519BB2
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,000000FF,004153F6), ref: 00519BBD
      • __vbaFreeObj.MSVBVM60(?,00000000,00000000,000000FF,004153F6), ref: 00519BDE
      • __vbaFreeStr.MSVBVM60(00519C2E,?,00000000,00000000,000000FF,004153F6), ref: 00519C27
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$Bstr$#619CopyError$#525#616#685AnsiChkstkOffsetSystemUnicode
      • String ID:
      • API String ID: 1171693291-0
      • Opcode ID: 94d54280e6aacd2e98d81af9fd185129559349c95327ab396f9b45276557a6b1
      • Instruction ID: 8c1d19082412093b240a13c2d70cc2b6d5218018950a20dcb3c0155ea8581303
      • Opcode Fuzzy Hash: 94d54280e6aacd2e98d81af9fd185129559349c95327ab396f9b45276557a6b1
      • Instruction Fuzzy Hash: 83811975D00208DBDB14DFE0CA98ADEBBB4FF48705F208169E506B7261DB745A49CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00519630 Relevance: 46.7, APIs: 31, Instructions: 173COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0051964E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 00519673
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0051968F
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,004153F6), ref: 005196AE
      • #525.MSVBVM60(00000104,?,?,?,?,004153F6), ref: 005196C8
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 005196D3
      • __vbaLenBstr.MSVBVM60(?,?,?,?,?,004153F6), ref: 005196E4
      • __vbaStrToAnsi.MSVBVM60(00000000,?,00000000,?,?,?,?,004153F6), ref: 005196F3
      • __vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,004153F6), ref: 00519702
      • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,?,004153F6), ref: 00519710
      • __vbaFreeStr.MSVBVM60(?,?,?,?,004153F6), ref: 0051971F
      • #616.MSVBVM60(?,?,?,?,?,?,004153F6), ref: 00519734
      • __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 0051973F
      • __vbaLenBstr.MSVBVM60(?,?,?,?,?,004153F6), ref: 00519750
      • #619.MSVBVM60(?,00004008,00000001), ref: 00519779
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 00519795
      • __vbaFreeVar.MSVBVM60 ref: 005197A2
      • __vbaStrCat.MSVBVM60(0041F52C,?), ref: 005197C0
      • __vbaStrMove.MSVBVM60 ref: 005197CB
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 005197E9
      • __vbaLenBstr.MSVBVM60(?,?,?,?,?,004153F6), ref: 005197FA
      • #619.MSVBVM60(?,00004008,00000001), ref: 00519827
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 00519843
      • __vbaFreeVar.MSVBVM60 ref: 00519850
      • __vbaStrCat.MSVBVM60(0041F52C,?), ref: 0051986E
      • __vbaStrMove.MSVBVM60 ref: 00519879
      • __vbaStrCopy.MSVBVM60 ref: 00519895
      • #685.MSVBVM60(?,?,?,?,004153F6), ref: 005198A2
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 005198AD
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 005198CE
      • __vbaFreeStr.MSVBVM60(0051991E,?,?,?,?,004153F6), ref: 00519917
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$Bstr$#619CopyError$#525#616#685AnsiChkstkOffsetSystemUnicode
      • String ID:
      • API String ID: 1171693291-0
      • Opcode ID: e71bee0342e4d3e6e32ebb356ce3a1e685f329e5169bbe0aaf2233ac2673087f
      • Instruction ID: e3ee796f6366cca3ed354616eb600ca4615dfa1c7474aeed98ef8c8d39c7b045
      • Opcode Fuzzy Hash: e71bee0342e4d3e6e32ebb356ce3a1e685f329e5169bbe0aaf2233ac2673087f
      • Instruction Fuzzy Hash: 838117B5D00208DBDB14DFE0CA98ADEBBB4FF48705F208169E502B7661DB745A85CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005CE500 Relevance: 45.6, APIs: 17, Strings: 9, Instructions: 141COMMON
      Download Yara Rule
      APIs
      • __vbaStrCopy.MSVBVM60 ref: 005CE55F
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,004153F6), ref: 00521D3E
        • Part of subcall function 00521D20: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,?), ref: 00521D63
        • Part of subcall function 00521D20: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,?), ref: 00521D7F
        • Part of subcall function 00521D20: __vbaStrCmp.MSVBVM60(true,?,?,?,?,00000000,004153F6,?), ref: 00521D9E
        • Part of subcall function 00521D20: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DC4
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DDB
        • Part of subcall function 00521D20: __vbaVarDup.MSVBVM60 ref: 00521E12
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 00521E39
        • Part of subcall function 00521D20: #711.MSVBVM60(?,00000000), ref: 00521E47
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60 ref: 00521E52
        • Part of subcall function 00521D20: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 00521E90
        • Part of subcall function 00521D20: #520.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EA1
        • Part of subcall function 00521D20: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EAB
        • Part of subcall function 00521D20: #518.MSVBVM60(?,?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EBF
        • Part of subcall function 00521D20: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ECC
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ED7
      • __vbaFreeStr.MSVBVM60(?), ref: 005CE56D
      • __vbaInStr.MSVBVM60(00000000,0041C664,?,00000001), ref: 005CE581
      • __vbaStrCopy.MSVBVM60(?,00000001), ref: 005CE597
      • __vbaStrToAnsi.MSVBVM60(?,ServicesActive,000F003F,?,00000001), ref: 005CE5AD
      • __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000001), ref: 005CE5BA
      • __vbaSetSystemError.MSVBVM60(00000000,?,00000000,?,00000001), ref: 005CE5CA
      • __vbaStrToUnicode.MSVBVM60(004153F6,?,?,00000000,?,00000001), ref: 005CE5D4
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,00000001), ref: 005CE5E7
      • __vbaStrToAnsi.MSVBVM60(?,00000000,000F01FF), ref: 005CE607
      • __vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 005CE612
      • __vbaStrToUnicode.MSVBVM60(?,?), ref: 005CE61C
      • __vbaFreeStr.MSVBVM60 ref: 005CE625
      • __vbaSetSystemError.MSVBVM60(00000000,?), ref: 005CE63B
      • __vbaStrCopy.MSVBVM60 ref: 005CE685
      • __vbaSetSystemError.MSVBVM60(00000000), ref: 005CE691
      • __vbaSetSystemError.MSVBVM60(?), ref: 005CE69C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Error$System$CopyMove$AnsiFree$ChkstkUnicode$#518#520#711IndexListLoadLockOffsetUnlock
      • String ID: AloahaCredentialsServiceCommand:ServiceStatus$Coninue Pending$Pause Pending$Paused$Running$ServicesActive$Start Pending$Stop Pending$Stopped
      • API String ID: 2513209986-9662761
      • Opcode ID: 5bbd50c89f1d4e3b84e4477970c1713d68a8642cdf440327266b73b50a1e7452
      • Instruction ID: 3f90a75078ba0e48959be9f89e1e23f44370d555332b9aa523f7745a9b937b31
      • Opcode Fuzzy Hash: 5bbd50c89f1d4e3b84e4477970c1713d68a8642cdf440327266b73b50a1e7452
      • Instruction Fuzzy Hash: 944170719002089FDB10DFE4DD85EAEBB79FF58704B10842EE901A7254DB38EE42CB99
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0053D4C0 Relevance: 45.2, APIs: 30, Instructions: 200COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,0053D8B2,?,?,?,00000000,004153F6,00521DD6), ref: 0053D4DE
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,0053D8B2), ref: 0053D503
      • __vbaAryConstruct2.MSVBVM60(?,0042AA30,00000003,?,?,?,00000000,004153F6,0053D8B2), ref: 0053D51E
      • __vbaFixstrConstruct.MSVBVM60(00000104,?,?,?,?,00000000,004153F6,0053D8B2), ref: 0053D52D
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,0053D8B2), ref: 0053D53C
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,00000000,004153F6,0053D8B2), ref: 0053D558
      • __vbaSetSystemError.MSVBVM60(?,?,?,00000000,004153F6,0053D8B2), ref: 0053D575
      • __vbaSetSystemError.MSVBVM60(00000410,00000000,?,?,?,?,00000000,004153F6,0053D8B2), ref: 0053D59B
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0053D5DF
      • __vbaSetSystemError.MSVBVM60(00000000,?,000000C8,?), ref: 0053D60A
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0053D64E
      • __vbaStrToAnsi.MSVBVM60(?,?,000001F4), ref: 0053D667
      • __vbaSetSystemError.MSVBVM60(00000000,?,00000000), ref: 0053D684
      • __vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 0053D692
      • __vbaLsetFixstr.MSVBVM60(00000000,?,00000000,?,00000000), ref: 0053D69F
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 0053D6B5
      • __vbaStrCopy.MSVBVM60(?,?,00000000,004153F6,0053D8B2), ref: 0053D6CF
      • #616.MSVBVM60(00000000,?,00000000,004153F6,0053D8B2), ref: 0053D6D6
      • __vbaStrMove.MSVBVM60(?,00000000,004153F6,0053D8B2), ref: 0053D6E1
      • __vbaLsetFixstr.MSVBVM60(00000000,?,?,?,00000000,004153F6,0053D8B2), ref: 0053D6F1
      • __vbaStrMove.MSVBVM60 ref: 0053D710
      • __vbaFreeStr.MSVBVM60 ref: 0053D719
      • __vbaStrCopy.MSVBVM60 ref: 0053D732
      • __vbaSetSystemError.MSVBVM60(00000000), ref: 0053D74B
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,0053D8B2), ref: 0053D76C
      • #685.MSVBVM60(?,?,?,00000000,004153F6,0053D8B2), ref: 0053D779
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,004153F6,0053D8B2), ref: 0053D784
      • __vbaFreeObj.MSVBVM60(?,?,?,00000000,004153F6,0053D8B2), ref: 0053D7A5
      • __vbaAryDestruct.MSVBVM60(00000000,?,0053D7FE,?,?,?,00000000,004153F6,0053D8B2), ref: 0053D7EE
      • __vbaFreeStr.MSVBVM60(?,?,?,00000000,004153F6,0053D8B2), ref: 0053D7F7
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Error$System$Free$CopyFixstr$BoundsGenerateLsetMove$#616#685AnsiChkstkConstructConstruct2DestructListOffsetUnicode
      • String ID:
      • API String ID: 3480677397-0
      • Opcode ID: 8b28cc64ffe1d5cfb8ce0788b92ba067d65944be15353c9033f4a6446c31eb26
      • Instruction ID: 8ca4fdbd975c4fa2d6ecc87ef0ace157b7f8be4747f82ba3aa18169b0ae3b3d2
      • Opcode Fuzzy Hash: 8b28cc64ffe1d5cfb8ce0788b92ba067d65944be15353c9033f4a6446c31eb26
      • Instruction Fuzzy Hash: 0791D3B4900348DFDB04DFE4DA88BEEBBB5FB48305F108169E506AB2A4DB745A45CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0055D650 Relevance: 45.2, APIs: 30, Instructions: 157COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,?,?,?,?,004153F6), ref: 0055D66E
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000000,?,00000000,004153F6), ref: 0055D693
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004153F6), ref: 0055D6AF
      • #520.MSVBVM60(?,00004008), ref: 0055D6D9
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0055D6F5
      • __vbaFreeVar.MSVBVM60 ref: 0055D702
      • #520.MSVBVM60(?,00000008), ref: 0055D72E
      • __vbaStrVarMove.MSVBVM60(?), ref: 0055D738
      • __vbaStrMove.MSVBVM60 ref: 0055D74C
      • __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0055D75C
      • __vbaStrI4.MSVBVM60(00000000), ref: 0055D772
      • __vbaStrMove.MSVBVM60(?,00000000,004153F6), ref: 0055D77D
      • #520.MSVBVM60(?,00000008), ref: 0055D7A1
      • __vbaStrVarMove.MSVBVM60(?), ref: 0055D7AB
      • __vbaStrMove.MSVBVM60 ref: 0055D7B6
      • __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0055D7C6
      • __vbaStrCat.MSVBVM60(00420744,?,?,00000000,004153F6), ref: 0055D7E8
      • __vbaStrMove.MSVBVM60(?,00000000,004153F6), ref: 0055D7F3
      • __vbaStrCat.MSVBVM60(00000000,00000000,?,00000000,004153F6), ref: 0055D7FE
      • __vbaStrMove.MSVBVM60(?,00000000,004153F6), ref: 0055D809
      • __vbaStrCat.MSVBVM60(00420744,00000000,?,00000000,004153F6), ref: 0055D815
      • __vbaStrMove.MSVBVM60(?,00000000,004153F6), ref: 0055D820
      • __vbaStrCat.MSVBVM60(?,00000000,?,00000000,004153F6), ref: 0055D82B
      • __vbaStrMove.MSVBVM60(?,00000000,004153F6), ref: 0055D836
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,00000000,004153F6), ref: 0055D84A
      • #685.MSVBVM60(?,?,?,?,?,?,?,?,00000000,004153F6), ref: 0055D85A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0055D865
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00000000,004153F6), ref: 0055D886
      • __vbaFreeStr.MSVBVM60(0055D8ED), ref: 0055D8DD
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00000000,004153F6), ref: 0055D8E6
        • Part of subcall function 00528D20: __vbaChkstk.MSVBVM60(?,004153F6,00532D89,?,00000000,00000000,00000000,004153F6), ref: 00528D3E
        • Part of subcall function 00528D20: __vbaAptOffset.MSVBVM60(00419C98,?,00000000,00000000,?,004153F6,00532D89), ref: 00528D63
        • Part of subcall function 00528D20: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,004153F6,00532D89), ref: 00528D7F
        • Part of subcall function 00528D20: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,00000000,?,004153F6,00532D89), ref: 00528D9E
        • Part of subcall function 00528D20: __vbaStrCmp.MSVBVM60(true,?,?,00000000,00000000,?,004153F6,00532D89), ref: 00528DBE
        • Part of subcall function 00528D20: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,004153F6,00532D89), ref: 00528DEB
        • Part of subcall function 00528D20: __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 00528E1B
        • Part of subcall function 00528D20: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,00000000,?,004153F6,00532D89), ref: 00528E3A
        • Part of subcall function 00528D20: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,00000000,00000000,004153F6), ref: 00528E5D
        • Part of subcall function 00528D20: __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 00528E86
        • Part of subcall function 00528D20: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,00000000,?,004153F6,00532D89), ref: 00528EE7
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Free$#520CopyList$ChkstkErrorOffset$#685
      • String ID:
      • API String ID: 251320292-0
      • Opcode ID: c28f227ff30922023387d6a61c3dd5a1efc2edc85ccf35c311ed14416a4b3ea3
      • Instruction ID: 64276acb168f88d2073b68fa9aabbe28dce548188182fd9a438a2b9ffeec65cd
      • Opcode Fuzzy Hash: c28f227ff30922023387d6a61c3dd5a1efc2edc85ccf35c311ed14416a4b3ea3
      • Instruction Fuzzy Hash: 2D612771C00208DFDB04DFE4DA98ADEBBB8FF48705F108169E616A72A1DB745A49CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 004F38E0 Relevance: 43.9, APIs: 23, Strings: 2, Instructions: 188COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 004F38FE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 004F3943
      • __vbaLateMemCallLd.MSVBVM60(?,?,RemoteURL,00000000), ref: 004F3986
      • __vbaStrVarMove.MSVBVM60(00000000,?,?,?,004153F6), ref: 004F3990
      • __vbaStrMove.MSVBVM60(?,?,?,004153F6), ref: 004F399B
      • __vbaFreeVar.MSVBVM60(?,?,?,004153F6), ref: 004F39A4
      • __vbaHresultCheckObj.MSVBVM60(?,?,0041C0D8,00000054), ref: 004F39EA
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 004F3A23
      • #619.MSVBVM60(?,00004008,00000001), ref: 004F3A52
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 004F3A6E
      • __vbaFreeVar.MSVBVM60 ref: 004F3A7E
      • __vbaStrCat.MSVBVM60(0041DFA8,?), ref: 004F3AA2
      • __vbaStrMove.MSVBVM60 ref: 004F3AAD
      • __vbaStrCopy.MSVBVM60 ref: 004F3ABB
      • __vbaFreeStr.MSVBVM60 ref: 004F3AC4
      • __vbaStrCopy.MSVBVM60 ref: 004F3ADA
      • #518.MSVBVM60(?,00004008), ref: 004F3AFF
      • __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 004F3B37
      • #685.MSVBVM60 ref: 004F3B87
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004F3B92
      • __vbaFreeObj.MSVBVM60 ref: 004F3BB3
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$Copy$#518#619#685CallCheckChkstkErrorHresultLate
      • String ID: RemoteURL$http
      • API String ID: 2642090067-3421398506
      • Opcode ID: 38a9772321d60fa0dfb9e9825d20d7a5c166f354aa3bd6466a272695e4534bed
      • Instruction ID: 2efeed992260a985f558ef9c74d14bdbce89b01941578218a2575b34ead52bd0
      • Opcode Fuzzy Hash: 38a9772321d60fa0dfb9e9825d20d7a5c166f354aa3bd6466a272695e4534bed
      • Instruction Fuzzy Hash: D6914E75900208EFDB14DFA4C958BEEBBB4FF48305F108159F606AB2A1D7749A85CF94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005BE8C0 Relevance: 43.9, APIs: 22, Strings: 3, Instructions: 166COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,005BB525,?,00000001,?,00000000,004153F6,005AE311), ref: 005BE8DE
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000001,?,00000000,004153F6,005BB525), ref: 005BE903
      • __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,004153F6,005BB525), ref: 005BE91C
      • __vbaStrCmp.MSVBVM60(true,?,?,00000001,?,00000000,004153F6,005BB525), ref: 005BE938
      • __vbaStrCopy.MSVBVM60(?,00000001,?,00000000,004153F6,005BB525), ref: 005BE95B
      • __vbaStrCopy.MSVBVM60(?,00000001,?,00000000,004153F6,005BB525), ref: 005BE970
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,004153F6), ref: 00521D3E
        • Part of subcall function 00521D20: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,?), ref: 00521D63
        • Part of subcall function 00521D20: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,?), ref: 00521D7F
        • Part of subcall function 00521D20: __vbaStrCmp.MSVBVM60(true,?,?,?,?,00000000,004153F6,?), ref: 00521D9E
        • Part of subcall function 00521D20: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DC4
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DDB
        • Part of subcall function 00521D20: __vbaVarDup.MSVBVM60 ref: 00521E12
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 00521E39
        • Part of subcall function 00521D20: #711.MSVBVM60(?,00000000), ref: 00521E47
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60 ref: 00521E52
        • Part of subcall function 00521D20: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 00521E90
        • Part of subcall function 00521D20: #520.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EA1
        • Part of subcall function 00521D20: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EAB
        • Part of subcall function 00521D20: #518.MSVBVM60(?,?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EBF
        • Part of subcall function 00521D20: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ECC
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ED7
      • __vbaFreeStr.MSVBVM60(00000001,?,00000001,?,00000000,004153F6,005BB525), ref: 005BE982
      • __vbaNew2.MSVBVM60(0041675C,00000000,?,00000001), ref: 005BE99E
      • __vbaStrCopy.MSVBVM60(?,00000001), ref: 005BE9C2
      • __vbaStrCopy.MSVBVM60(?,00000001), ref: 005BE9D0
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00448994,00000038), ref: 005BEA08
      • __vbaFreeStrList.MSVBVM60(00000002,00000001,?), ref: 005BEA24
      • __vbaNew2.MSVBVM60(0041675C,00000000), ref: 005BEA43
      • __vbaStrCopy.MSVBVM60 ref: 005BEA67
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00448994,0000002C), ref: 005BEA97
      • __vbaFreeStr.MSVBVM60 ref: 005BEAAC
      • __vbaCastObj.MSVBVM60(00000000,00448994), ref: 005BEAC0
      • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 005BEACB
      • #685.MSVBVM60(?,00000001,?,00000000,004153F6,005BB525), ref: 005BEAD8
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000001,?,00000000,004153F6,005BB525), ref: 005BEAE3
      • __vbaFreeObj.MSVBVM60(?,00000001,?,00000000,004153F6,005BB525), ref: 005BEAFB
      • __vbaFreeObj.MSVBVM60(005BEB2F,?,00000001,?,00000000,004153F6,005BB525), ref: 005BEB28
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Copy$Free$Move$Chkstk$CheckErrorHresultNew2Offset$#518#520#685#711CastIndexListLoadLockUnlock
      • String ID: Going to Start Services in Readerinfo$SCardSvr$true
      • API String ID: 2176687372-412317244
      • Opcode ID: 318589b2db997f750030e80429115ded3dea4cd91530bd33b532fe40f9c1b6c6
      • Instruction ID: dadf89e7b5a64f4b4fdfba3730d4c8cebf4bec1acf57953c218ac3bd36e16d43
      • Opcode Fuzzy Hash: 318589b2db997f750030e80429115ded3dea4cd91530bd33b532fe40f9c1b6c6
      • Instruction Fuzzy Hash: 8871E4B5900208EFDB04DFD4D989BDDBBB8FF48705F108169E502B72A0DB746A49CB65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00547260 Relevance: 43.9, APIs: 22, Strings: 3, Instructions: 165COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,00000000,?,00000000,00000000,00000000,004153F6), ref: 0054727E
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6,00000000), ref: 005472AB
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,004153F6,00000000), ref: 005472BA
      • #518.MSVBVM60(?,00004008), ref: 005472F2
      • #518.MSVBVM60(?,00004008), ref: 00547316
      • #518.MSVBVM60(?,00004008), ref: 0054733D
      • #617.MSVBVM60(?,?,00000005), ref: 0054734D
      • #617.MSVBVM60(?,?,00000006), ref: 00547371
      • #617.MSVBVM60(?,?,00000004), ref: 0054739B
      • __vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 005473C4
      • __vbaVarCmpEq.MSVBVM60(?,00008008,?,00000000), ref: 005473DD
      • __vbaVarOr.MSVBVM60(?,00000000), ref: 005473EB
      • __vbaVarCmpEq.MSVBVM60(?,00008008,?,00000000), ref: 00547407
      • __vbaVarOr.MSVBVM60(?,00000000), ref: 00547415
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 0054741C
      • __vbaFreeVarList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 00547449
      • __vbaInStr.MSVBVM60(00000000,00420744,00000000,00000001), ref: 00547471
      • __vbaInStr.MSVBVM60(00000000,0041DFA8,00000000,00000001), ref: 0054748F
      • #685.MSVBVM60 ref: 005474AD
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005474B8
      • __vbaFreeObj.MSVBVM60 ref: 005474D9
      • __vbaFreeStr.MSVBVM60(00547543), ref: 0054753C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#518#617Free$#685BoolChkstkCopyErrorListNull
      • String ID: ftp:$http:$https:
      • API String ID: 791095536-3222233963
      • Opcode ID: de505e045284e54270a5a0d0b24f4306b7c1078b1c7e6f2d413cbc7fac80b10d
      • Instruction ID: 85b7d504fcb3700c99c1cd1cd67ce6eaeb47117834347388333b25777dd5105a
      • Opcode Fuzzy Hash: de505e045284e54270a5a0d0b24f4306b7c1078b1c7e6f2d413cbc7fac80b10d
      • Instruction Fuzzy Hash: AE71F9B2800218EBDB14DF90DD88FDEBBB8BB48704F108599F616B6160DB745B48CFA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 004FD8D0 Relevance: 42.2, APIs: 28, Instructions: 199COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?,004FDC5D,00000000,?,00000000,00000000), ref: 004FD8EE
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 004FD91B
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,004153F6), ref: 004FD92A
      • #685.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 004FD937
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,00000000,004153F6), ref: 004FD942
      • __vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 004FD95A
      • #578.MSVBVM60(?), ref: 004FD979
      • #685.MSVBVM60 ref: 004FD989
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004FD994
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 004FD9C7
      • __vbaFreeObj.MSVBVM60 ref: 004FD9F9
      • #685.MSVBVM60 ref: 004FDA12
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004FDA1D
      • __vbaFreeObj.MSVBVM60 ref: 004FDA35
      • __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 004FDA4C
      • __vbaSetSystemError.MSVBVM60(00000000), ref: 004FDA5B
      • __vbaStrToUnicode.MSVBVM60(?,?), ref: 004FDA69
      • __vbaFreeStr.MSVBVM60 ref: 004FDA78
      • #685.MSVBVM60 ref: 004FDA85
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004FDA90
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 004FDAC3
      • __vbaFreeObj.MSVBVM60 ref: 004FDAE7
      • __vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 004FDB0C
      • __vbaSetSystemError.MSVBVM60(00000000), ref: 004FDB38
      • #685.MSVBVM60 ref: 004FDB52
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004FDB5D
      • __vbaFreeObj.MSVBVM60 ref: 004FDB75
      • __vbaFreeStr.MSVBVM60(004FDB9F), ref: 004FDB98
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685$Error$System$CheckHresult$#578AnsiChkstkCopyUnicode
      • String ID:
      • API String ID: 2269764201-0
      • Opcode ID: 0f22d709d1ed6e4e0c714cdf8e2973817d2df9a3474c0ca9b67a6bad55693efc
      • Instruction ID: ffec52cbcbc8c2f40e8a2e37ab5e2ed7fd49a807f5d53c26eeb73f920a2a9e24
      • Opcode Fuzzy Hash: 0f22d709d1ed6e4e0c714cdf8e2973817d2df9a3474c0ca9b67a6bad55693efc
      • Instruction Fuzzy Hash: C79193B5D00208EFDB04DFA4DA88ADEBBB5BF48305F20852AE502A7260DB746A45DB55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005BF9C0 Relevance: 42.1, APIs: 23, Strings: 1, Instructions: 148COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 005BF9DE
      • __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,004153F6), ref: 005BFA0E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$ChkstkError
      • String ID: ProvParam lngData:
      • API String ID: 3554142864-3780388914
      • Opcode ID: b036678f584d172fb9b95c3db1569952c448fd273a10a1b4058a209ad07749c8
      • Instruction ID: 53587e4b07802ed3b86152200213013512002b53d8bec751ed1ffe4759ef0555
      • Opcode Fuzzy Hash: b036678f584d172fb9b95c3db1569952c448fd273a10a1b4058a209ad07749c8
      • Instruction Fuzzy Hash: AD61E975901208EFDB04DFE4DA48BDEBBB5FF48305F208169F502A72A0DB756A49CB54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005A0E60 Relevance: 42.1, APIs: 21, Strings: 3, Instructions: 140COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,?,?,?,004153F6,?), ref: 005A0E7E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6), ref: 005A0EA3
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6), ref: 005A0EBC
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6), ref: 005A0ECB
      • #712.MSVBVM60(?,0041C664,0041AA3C,00000001,000000FF,00000000,?,?,?,00000000,004153F6), ref: 005A0EEC
      • __vbaChkstk.MSVBVM60 ref: 005A0F01
      • __vbaLateMemCallLd.MSVBVM60(?,?,HEX2BSTR,00000001), ref: 005A0F37
      • __vbaStrVarMove.MSVBVM60(00000000,?,?,?,?,?,?,00000000,004153F6), ref: 005A0F41
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,00000000,004153F6), ref: 005A0F4C
      • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,00000000,004153F6), ref: 005A0F5C
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,?,?,?,?,?,00000000,004153F6), ref: 005A0F75
      • #712.MSVBVM60(?,0041C664,0041AA3C,00000001,000000FF,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 005A0F9A
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,004153F6), ref: 005A0FA5
        • Part of subcall function 00594130: __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 0059414E
        • Part of subcall function 00594130: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6), ref: 0059417E
        • Part of subcall function 00594130: __vbaStrCat.MSVBVM60(?,Entering Hex2bin: ,?,?,?,00000000,004153F6), ref: 00594196
        • Part of subcall function 00594130: __vbaStrMove.MSVBVM60(?,Entering Hex2bin: ,?,?,?,00000000,004153F6), ref: 005941A1
        • Part of subcall function 00594130: __vbaFreeStr.MSVBVM60(?,?,Entering Hex2bin: ,?,?,?,00000000,004153F6), ref: 005941B3
        • Part of subcall function 00594130: __vbaStrCopy.MSVBVM60(?,Entering Hex2bin: ,?,?,?,00000000,004153F6), ref: 005941C8
        • Part of subcall function 00594130: #598.MSVBVM60(?,Entering Hex2bin: ,?,?,?,00000000,004153F6), ref: 005941D5
        • Part of subcall function 00594130: __vbaInStr.MSVBVM60(00000000,0041C664,?,00000001,?,Entering Hex2bin: ,?,?,?,00000000,004153F6), ref: 005941F1
        • Part of subcall function 00594130: #712.MSVBVM60(00000000,0041C664,0041AA3C,00000001,000000FF,00000000,?,00000001,?,Entering Hex2bin: ,?,?,?,00000000,004153F6), ref: 00594218
        • Part of subcall function 00594130: __vbaStrMove.MSVBVM60(?,00000001,?,Entering Hex2bin: ,?,?,?,00000000,004153F6), ref: 00594223
        • Part of subcall function 00594130: #608.MSVBVM60(?,0000000D), ref: 0059424B
        • Part of subcall function 00594130: __vbaInStrVar.MSVBVM60(?,00000000,?,00000008,00000001), ref: 00594278
        • Part of subcall function 00594130: __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 00594286
        • Part of subcall function 00594130: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0059429D
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00000000,004153F6), ref: 005A0FB9
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,004153F6), ref: 005A0FC2
      • __vbaChkstk.MSVBVM60 ref: 005A0FF9
      • __vbaLateMemCall.MSVBVM60(?,pipe,00000001), ref: 005A102B
      • #685.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,004153F6), ref: 005A103B
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00000000,004153F6), ref: 005A1046
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,004153F6), ref: 005A1067
      • __vbaFreeStr.MSVBVM60(005A10B7,?,?,?,?,?,?,?,?,?,00000000,004153F6), ref: 005A10B0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$FreeMove$Chkstk$#712$CallCopyErrorLateList$#598#608#685Offset
      • String ID: HEX2BSTR$Stefan Engelbert$pipe
      • API String ID: 1818396932-1017112943
      • Opcode ID: d7290e02ca1f441b471e9b4eaaf6d5e5ee9eea77e6e80553439989adf3c2ad3c
      • Instruction ID: 64b10f953693554a60ad2470988b167de8d530c2d8acac98c2eff1abdf3d9644
      • Opcode Fuzzy Hash: d7290e02ca1f441b471e9b4eaaf6d5e5ee9eea77e6e80553439989adf3c2ad3c
      • Instruction Fuzzy Hash: 72510770A00208EBDB00DFA4DD89BDEBBB4FF48704F208169E505BB2A1DB756989CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005BAC50 Relevance: 42.1, APIs: 20, Strings: 4, Instructions: 129COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,005B9E52,?), ref: 005BAC6E
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6), ref: 005BAC9B
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6), ref: 005BACAA
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6), ref: 005BACBD
      • __vbaInStr.MSVBVM60(00000000,0041C664,?,00000001,?,?,?,00000000,004153F6), ref: 005BACD7
      • #520.MSVBVM60(?,00004008), ref: 005BAD01
      • #528.MSVBVM60(?,?), ref: 005BAD0F
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 005BAD2B
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005BAD42
      • __vbaStrCopy.MSVBVM60(?,00000000,004153F6), ref: 005BAD65
      • #520.MSVBVM60(?,00004008), ref: 005BAD87
      • #528.MSVBVM60(?,?), ref: 005BAD95
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 005BADB1
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005BADC8
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00000000,004153F6), ref: 005BADEB
      • #685.MSVBVM60(?,?,?,00000000,004153F6), ref: 005BADF8
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,00000000,004153F6), ref: 005BAE03
      • __vbaFreeObj.MSVBVM60(?,?,?,00000000,004153F6), ref: 005BAE24
      • __vbaFreeStr.MSVBVM60(005BAE78,?,?,?,00000000,004153F6), ref: 005BAE68
      • __vbaFreeStr.MSVBVM60(?,?,?,00000000,004153F6), ref: 005BAE71
      Strings
      • 3B DE 94 FF 81 B1 FE 45 1F 03 00 63 04 01 00 31 BE 73 9E 21 93 00 90 00 04, xrefs: 005BAD9B
      • 3B DF 94 FF 81 B1 FE 45 1F 03 00 64 04 05 11 00 31 BE 73 9E 21 D3 00 90 00 57, xrefs: 005BAD15
      • 3B DF 18 FF 81 B1 FE 45 1F 03 00 64 04 05 11 00 31 BE 73 9E 21 D3 00 90 00 DB, xrefs: 005BAD5D
      • 3B DE 18 FF 81 B1 FE 45 1F 03 00 63 04 01 00 31 BE 73 9E 21 93 00 90 00 88, xrefs: 005BADE3
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Copy$#520#528List$#685ChkstkError
      • String ID: 3B DE 18 FF 81 B1 FE 45 1F 03 00 63 04 01 00 31 BE 73 9E 21 93 00 90 00 88$3B DE 94 FF 81 B1 FE 45 1F 03 00 63 04 01 00 31 BE 73 9E 21 93 00 90 00 04$3B DF 18 FF 81 B1 FE 45 1F 03 00 64 04 05 11 00 31 BE 73 9E 21 D3 00 90 00 DB$3B DF 94 FF 81 B1 FE 45 1F 03 00 64 04 05 11 00 31 BE 73 9E 21 D3 00 90 00 57
      • API String ID: 3912423961-3013417761
      • Opcode ID: 0735c5edc9b9ffb48c630c23bc07e67a43524c2f93c01134cefcfffd4eef328c
      • Instruction ID: 23c803f0bf277d774d8fc907c0eb95671dd80e2a6fe85a0087e0e34dcff0181a
      • Opcode Fuzzy Hash: 0735c5edc9b9ffb48c630c23bc07e67a43524c2f93c01134cefcfffd4eef328c
      • Instruction Fuzzy Hash: 2D51E6B1800218DBDB04DFE4DD88BEEBBB8BB48705F14816AE602B7261DB745A49CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00519C50 Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 151COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6,?,?,00000000,00000000,?,004153F6), ref: 00519C6E
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000000,00000000,?,004153F6), ref: 00519C93
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,004153F6), ref: 00519CAC
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,00000000,?,004153F6), ref: 00519CC8
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,00000000,?,004153F6), ref: 00519CEC
      • __vbaStrCopy.MSVBVM60 ref: 00519D17
      • __vbaStrCopy.MSVBVM60 ref: 00519D25
        • Part of subcall function 00527390: __vbaChkstk.MSVBVM60(00000003,004153F6,?,?,00000000,00000000,00000000,004153F6), ref: 005273AE
        • Part of subcall function 00527390: __vbaAptOffset.MSVBVM60(00419C98,?,00000000,00000000,00000003,004153F6), ref: 005273D3
        • Part of subcall function 00527390: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000003,004153F6), ref: 005273EF
        • Part of subcall function 00527390: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,00000000,00000003,004153F6), ref: 0052741C
        • Part of subcall function 00527390: __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000003,004153F6), ref: 00527457
        • Part of subcall function 00527390: __vbaStrMove.MSVBVM60(?,?,00000000,00000000,00000003,004153F6), ref: 0052746B
        • Part of subcall function 00527390: __vbaFreeStr.MSVBVM60(?,00000000,00000000,00000003,004153F6), ref: 00527474
        • Part of subcall function 00527390: #592.MSVBVM60(00000000), ref: 0052749F
      • __vbaStrMove.MSVBVM60(?,?,0000000A), ref: 00519D41
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00519D51
      • __vbaFreeVar.MSVBVM60(00000000,?,004153F6), ref: 00519D5D
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 00519D73
      • __vbaStrCmp.MSVBVM60(0041AB20,?), ref: 00519D8A
      • __vbaStrCopy.MSVBVM60 ref: 00519DD5
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,004153F6), ref: 00519DF0
      • __vbaStrCmp.MSVBVM60(0041AA3C,00000000,?,00000000,00000000,?,004153F6), ref: 00519E06
      • __vbaStrCmp.MSVBVM60(0041AB20,00000000,?,00000000,00000000,?,004153F6), ref: 00519E1D
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,004153F6), ref: 00519E62
      • #685.MSVBVM60(?,00000000,00000000,?,004153F6), ref: 00519E6F
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,?,004153F6), ref: 00519E7A
      • __vbaFreeObj.MSVBVM60(?,00000000,00000000,?,004153F6), ref: 00519E92
      • __vbaFreeStr.MSVBVM60(00519EE2,?,00000000,00000000,?,004153F6), ref: 00519EDB
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Copy$Free$ChkstkErrorMoveOffset$#592#685List
      • String ID: Software\Aloaha$useini
      • API String ID: 2219585563-249623257
      • Opcode ID: 6ed36e9fb07e7fed4a90c347bfa0b06a58858a7885a7e3bdaf542e0e5523b967
      • Instruction ID: 97edae1e2b96993cbfa68b350012f7b5bdb0d8b18923b20dd01d10c03cd0acd2
      • Opcode Fuzzy Hash: 6ed36e9fb07e7fed4a90c347bfa0b06a58858a7885a7e3bdaf542e0e5523b967
      • Instruction Fuzzy Hash: D3614C75D00209DFDB14DFA4DA88BDDBBB8FF48704F208259E902BB2A0D7746945CB95
      Uniqueness

      Uniqueness Score: -1.00%

      Function 004F35E0 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 177COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 004F35FE
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 004F3637
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 004F3646
      • __vbaChkstk.MSVBVM60 ref: 004F3689
      • __vbaLateMemSt.MSVBVM60(?,RemoteURL), ref: 004F36B3
      • __vbaHresultCheckObj.MSVBVM60(?,?,0041C0D8,00000054), ref: 004F36F9
      • #518.MSVBVM60(?,00004008), ref: 004F373B
      • __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 004F3770
      • __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 004F377E
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004F3795
      • #619.MSVBVM60(?,00004008,00000001), ref: 004F37CB
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 004F37E7
      • __vbaFreeVar.MSVBVM60 ref: 004F37F7
      • __vbaStrCat.MSVBVM60(0041DFA8,?), ref: 004F3818
      • __vbaStrMove.MSVBVM60 ref: 004F3823
      • __vbaStrCopy.MSVBVM60 ref: 004F3839
      • #685.MSVBVM60 ref: 004F3856
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004F3861
      • __vbaFreeObj.MSVBVM60 ref: 004F3882
      • __vbaFreeStr.MSVBVM60(004F38BA), ref: 004F38B3
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$ChkstkCopy$#518#619#685CheckErrorHresultLateListMove
      • String ID: RemoteURL$http
      • API String ID: 1248986982-3421398506
      • Opcode ID: 77c1e31da85646cffa16b87fd1e8b3e4144068ac66b9f0c5b33bdb4b1c712021
      • Instruction ID: 8e99a93dc5b7533b5ddf3d2f57eab8767877ea836fb29d685c072ec935fab6dc
      • Opcode Fuzzy Hash: 77c1e31da85646cffa16b87fd1e8b3e4144068ac66b9f0c5b33bdb4b1c712021
      • Instruction Fuzzy Hash: 79810EB5900208EFDB14DF94C988BDEBBB4FF48705F108199F509AB290D7789A89CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00546D60 Relevance: 38.6, APIs: 20, Strings: 2, Instructions: 143COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 00546D7E
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000000,00000000,00000000,004153F6), ref: 00546DA3
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,004153F6), ref: 00546DBF
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,00000000,00000000,004153F6), ref: 00546DDE
      • __vbaStrCmp.MSVBVM60(true,?,?,00000000,00000000,00000000,004153F6), ref: 00546E05
      • __vbaVarDup.MSVBVM60 ref: 00546E3C
      • #626.MSVBVM60(?,?,0000000A), ref: 00546E4E
      • __vbaObjVar.MSVBVM60(?), ref: 00546E58
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00546E6C
      • __vbaFreeVarList.MSVBVM60(00000003,?,0000000A,?), ref: 00546E80
      • #685.MSVBVM60(00000000,00000000,00000000,004153F6), ref: 00546E90
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00546E9B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 00546ECE
      • __vbaFreeObj.MSVBVM60 ref: 00546EFB
      • __vbaStrCopy.MSVBVM60 ref: 00546F24
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00546F41
      • __vbaStrCopy.MSVBVM60 ref: 00546F5F
      • #685.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 00546F6C
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000,00000000,00000000,004153F6), ref: 00546F77
      • __vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 00546F98
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685AddrefCopy$#626CheckChkstkErrorHresultListOffset
      • String ID: true$winmgmts:!root/default:StdRegProv
      • API String ID: 2289871302-3679271456
      • Opcode ID: 012c8fc19fa5011ba03cb4dfe29e9ea959b5f831d4e6d1a926c6105a3a038467
      • Instruction ID: b19fd2761b3df03811f4a664237cb707881f0739999190b83dd3e21756f59b4c
      • Opcode Fuzzy Hash: 012c8fc19fa5011ba03cb4dfe29e9ea959b5f831d4e6d1a926c6105a3a038467
      • Instruction Fuzzy Hash: A4513EB5900208EFDB14DFA4DA48BDEBBB4FF48304F108159E506B7261DB745A49CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005A9500 Relevance: 38.6, APIs: 18, Strings: 4, Instructions: 140COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 005A951E
      • __vbaAptOffset.MSVBVM60(00419C98,00000000,00000001,6D1CD8B1,00000000,004153F6), ref: 005A9543
      • __vbaOnError.MSVBVM60(000000FF), ref: 005A955C
      • __vbaStrCmp.MSVBVM60(true,?), ref: 005A9578
      • __vbaStrCmp.MSVBVM60(false,?), ref: 005A9595
      • __vbaStrCmp.MSVBVM60(true,?), ref: 005A95BD
      • __vbaStrMove.MSVBVM60 ref: 005A95F9
      • __vbaStrCopy.MSVBVM60 ref: 005A9607
      • __vbaStrCopy.MSVBVM60 ref: 005A9615
      • __vbaStrCopy.MSVBVM60 ref: 005A9623
      • __vbaStrMove.MSVBVM60(?,?,?,?), ref: 005A9643
      • __vbaStrCmp.MSVBVM60(0041AB28,00000000), ref: 005A964F
      • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 005A9676
      • __vbaStrCopy.MSVBVM60 ref: 005A969C
      • __vbaStrCopy.MSVBVM60 ref: 005A96C6
      • #685.MSVBVM60 ref: 005A96E0
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005A96EB
      • __vbaFreeObj.MSVBVM60 ref: 005A9703
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Copy$FreeMove$#685ChkstkErrorListOffset
      • String ID: Settings$SuperCache$false$true
      • API String ID: 3202145352-1873926150
      • Opcode ID: 46b0d7a8d7d4df185d7a1ea280b7d56d05ac522c314d9d5af23e55a6049aa270
      • Instruction ID: 9bb69233b4949838b87a3f456abc01ac5d6b3e02a5a7427fa7f6a7e88ee89edd
      • Opcode Fuzzy Hash: 46b0d7a8d7d4df185d7a1ea280b7d56d05ac522c314d9d5af23e55a6049aa270
      • Instruction Fuzzy Hash: 22518F71D00218EBDB14DFE4D949BDEBBB4FF48704F10826AE502BB2A0DB745A45CB69
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00542470 Relevance: 38.6, APIs: 21, Strings: 1, Instructions: 139COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,00511097,?,?,?,?,004153F6), ref: 0054248E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,00511097), ref: 005424B3
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,00511097), ref: 005424CC
      • #685.MSVBVM60(?,?,?,00000000,004153F6,00511097), ref: 005424D9
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,004153F6,00511097), ref: 005424E4
      • __vbaFreeObj.MSVBVM60(?,?,?,00000000,004153F6,00511097), ref: 005424FC
      • __vbaLateMemCallLd.MSVBVM60(?,?,info,00000000), ref: 0054252C
      • __vbaVarTstGt.MSVBVM60(?,00000000,?,?,00000000,004153F6,00511097), ref: 0054253A
      • __vbaFreeVar.MSVBVM60(?,?,00000000,004153F6,00511097), ref: 00542547
      • #685.MSVBVM60(?,?,00000000,004153F6,00511097), ref: 00542560
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,00000000,004153F6,00511097), ref: 0054256B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 0054259E
      • __vbaFreeObj.MSVBVM60 ref: 005425C8
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005425E8
      • #685.MSVBVM60(?,?,00000000,004153F6,00511097), ref: 005425F5
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,00000000,004153F6,00511097), ref: 00542600
      • __vbaFreeObj.MSVBVM60(?,?,00000000,004153F6,00511097), ref: 00542621
      • __vbaStrCopy.MSVBVM60(?,?,00000000,004153F6,00511097), ref: 0054263C
      • #685.MSVBVM60(?,?,00000000,004153F6,00511097), ref: 00542649
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,00000000,004153F6,00511097), ref: 00542654
      • __vbaFreeObj.MSVBVM60(?,?,00000000,004153F6,00511097), ref: 00542675
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685$AddrefCallCheckChkstkCopyErrorHresultLateOffset
      • String ID: info
      • API String ID: 832475703-3414765911
      • Opcode ID: d0236aa52dc26c75cb3802038c966a78c2d6d59523c938c74827d4b77cf0fc27
      • Instruction ID: 82eb8228ff086a67704b2682e9f7821916b765dc5b19e463ab5cefcdd8ba59e3
      • Opcode Fuzzy Hash: d0236aa52dc26c75cb3802038c966a78c2d6d59523c938c74827d4b77cf0fc27
      • Instruction Fuzzy Hash: 0E5105B5900208DFDB14DFA4CA48BDEBBB4FF48305F20815AE516BB2A0DB749A44CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005B5940 Relevance: 38.6, APIs: 21, Strings: 1, Instructions: 137COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,?,?,?,?,00000000,004153F6), ref: 005B595E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6), ref: 005B5983
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6), ref: 005B599C
        • Part of subcall function 0055E2A0: __vbaChkstk.MSVBVM60(?,004153F6), ref: 0055E2BE
        • Part of subcall function 0055E2A0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0055E2EE
        • Part of subcall function 0055E2A0: __vbaSetSystemError.MSVBVM60(?,?,?,?,004153F6), ref: 0055E303
        • Part of subcall function 0055E2A0: __vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,004153F6), ref: 0055E323
        • Part of subcall function 0055E2A0: __vbaStrI4.MSVBVM60(?,?,?,?,?,004153F6), ref: 0055E334
        • Part of subcall function 0055E2A0: __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 0055E33F
        • Part of subcall function 0055E2A0: __vbaStrCat.MSVBVM60(004210F0,00000000,?,?,?,?,004153F6), ref: 0055E34B
        • Part of subcall function 0055E2A0: __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 0055E356
        • Part of subcall function 0055E2A0: __vbaFreeStr.MSVBVM60(?,?,?,?,004153F6), ref: 0055E35F
        • Part of subcall function 0055E2A0: __vbaStrI4.MSVBVM60(?,?,?,?,?,?,004153F6), ref: 0055E374
        • Part of subcall function 0055E2A0: __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 0055E37F
        • Part of subcall function 0055E2A0: __vbaStrCat.MSVBVM60(00000000,?,?,?,?,004153F6), ref: 0055E386
        • Part of subcall function 0055E2A0: __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 0055E391
        • Part of subcall function 0055E2A0: __vbaStrCat.MSVBVM60(004210F0,00000000,?,?,?,?,004153F6), ref: 0055E39D
        • Part of subcall function 0055E2A0: __vbaStrMove.MSVBVM60(?,?,?,?,004153F6), ref: 0055E3A8
        • Part of subcall function 0055E2A0: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,004153F6), ref: 0055E3B8
        • Part of subcall function 0055E2A0: __vbaSetSystemError.MSVBVM60(?,?,004153F6), ref: 0055E3D0
        • Part of subcall function 0055E2A0: __vbaStrI4.MSVBVM60(?,?,?,?,004153F6), ref: 0055E3DE
        • Part of subcall function 0055E2A0: __vbaStrMove.MSVBVM60(?,?,004153F6), ref: 0055E3E9
        • Part of subcall function 0055E2A0: __vbaStrCat.MSVBVM60(00000000,?,?,004153F6), ref: 0055E3F0
        • Part of subcall function 0055E2A0: __vbaStrMove.MSVBVM60(?,?,004153F6), ref: 0055E3FB
        • Part of subcall function 0055E2A0: __vbaFreeStr.MSVBVM60(?,?,004153F6), ref: 0055E404
        • Part of subcall function 0055E2A0: __vbaStrCopy.MSVBVM60(?,?,004153F6), ref: 0055E417
      • __vbaStrMove.MSVBVM60 ref: 005B59C0
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 005B59D6
      • __vbaStrCat.MSVBVM60(?,MiniCSP SessionID: ), ref: 005B59F4
      • __vbaStrMove.MSVBVM60 ref: 005B59FF
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,004153F6), ref: 00521D3E
        • Part of subcall function 00521D20: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,?), ref: 00521D63
        • Part of subcall function 00521D20: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,?), ref: 00521D7F
        • Part of subcall function 00521D20: __vbaStrCmp.MSVBVM60(true,?,?,?,?,00000000,004153F6,?), ref: 00521D9E
        • Part of subcall function 00521D20: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DC4
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,00000000,004153F6,?), ref: 00521DDB
        • Part of subcall function 00521D20: __vbaVarDup.MSVBVM60 ref: 00521E12
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 00521E39
        • Part of subcall function 00521D20: #711.MSVBVM60(?,00000000), ref: 00521E47
        • Part of subcall function 00521D20: __vbaChkstk.MSVBVM60 ref: 00521E52
        • Part of subcall function 00521D20: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 00521E90
        • Part of subcall function 00521D20: #520.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EA1
        • Part of subcall function 00521D20: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EAB
        • Part of subcall function 00521D20: #518.MSVBVM60(?,?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521EBF
        • Part of subcall function 00521D20: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ECC
        • Part of subcall function 00521D20: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,00000000,004153F6,?), ref: 00521ED7
      • __vbaFreeStr.MSVBVM60(?), ref: 005B5A11
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 005B5A2D
      • __vbaStrCmp.MSVBVM60(?,?), ref: 005B5A50
      • __vbaStrCopy.MSVBVM60 ref: 005B5A73
      • __vbaStrCopy.MSVBVM60 ref: 005B5A8E
      • __vbaStrCopy.MSVBVM60 ref: 005B5AA9
      • __vbaStrCopy.MSVBVM60 ref: 005B5AC4
      • __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,00000000,00000000), ref: 005B5AEA
      • __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,00000000,00000000), ref: 005B5B12
      • __vbaStrCopy.MSVBVM60 ref: 005B5B3B
      • #685.MSVBVM60 ref: 005B5B48
      • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 005B5B53
      • __vbaFreeObj.MSVBVM60 ref: 005B5B6B
      • __vbaFreeStr.MSVBVM60(005B5B95), ref: 005B5B8E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Copy$ErrorFree$Chkstk$System$OffsetRedim$#518#520#685#711IndexListLoadLockUnlock
      • String ID: MiniCSP SessionID:
      • API String ID: 2835543681-2347431474
      • Opcode ID: 1eb83ea609ba19505215da9c835497432a215b84a322fdfccc47bd47634b0616
      • Instruction ID: 16badddea353094a5041b3b2e8678f270a549af84ff437bd93bbcecc938f5cfb
      • Opcode Fuzzy Hash: 1eb83ea609ba19505215da9c835497432a215b84a322fdfccc47bd47634b0616
      • Instruction Fuzzy Hash: 8A515070901208EFDB04DF94DE49BDDBBB4FF44708F248158E602BB2A1CBB55A45CB59
      Uniqueness

      Uniqueness Score: -1.00%

      Function 004FD630 Relevance: 37.7, APIs: 25, Instructions: 164COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 004FD64E
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,004153F6), ref: 004FD67E
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 004FD693
      • #685.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 004FD6A0
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000,00000000,00000000,004153F6), ref: 004FD6AB
      • __vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 004FD6C3
        • Part of subcall function 00547260: __vbaChkstk.MSVBVM60(00000000,004153F6,00000000,?,00000000,00000000,00000000,004153F6), ref: 0054727E
        • Part of subcall function 00547260: __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6,00000000), ref: 005472AB
        • Part of subcall function 00547260: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,004153F6,00000000), ref: 005472BA
        • Part of subcall function 00547260: #518.MSVBVM60(?,00004008), ref: 005472F2
        • Part of subcall function 00547260: #518.MSVBVM60(?,00004008), ref: 00547316
        • Part of subcall function 00547260: #518.MSVBVM60(?,00004008), ref: 0054733D
        • Part of subcall function 00547260: #617.MSVBVM60(?,?,00000005), ref: 0054734D
        • Part of subcall function 00547260: #617.MSVBVM60(?,?,00000006), ref: 00547371
        • Part of subcall function 00547260: #617.MSVBVM60(?,?,00000004), ref: 0054739B
        • Part of subcall function 00547260: __vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 005473C4
        • Part of subcall function 00547260: __vbaVarCmpEq.MSVBVM60(?,00008008,?,00000000), ref: 005473DD
        • Part of subcall function 00547260: __vbaVarOr.MSVBVM60(?,00000000), ref: 005473EB
      • #685.MSVBVM60(00000000,?,00000000,00000000,00000000,004153F6), ref: 004FD6EC
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000,00000000,00000000,004153F6), ref: 004FD6F7
      • __vbaStrMove.MSVBVM60(?), ref: 004FD7F0
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 004FD72A
        • Part of subcall function 004FDBC0: __vbaAptOffset.MSVBVM60(00419C98,?,00000000,00000000), ref: 004FDC3E
        • Part of subcall function 004FDBC0: __vbaOnError.MSVBVM60(00000001,?,00000000,00000000), ref: 004FDC4C
        • Part of subcall function 004FDBC0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000,00000000,?,00000000,00000000), ref: 004FDC71
        • Part of subcall function 004FDBC0: __vbaStrToAnsi.MSVBVM60(?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004FDC99
        • Part of subcall function 004FDBC0: __vbaSetSystemError.MSVBVM60(00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004FDCA7
        • Part of subcall function 004FDBC0: __vbaStrToUnicode.MSVBVM60(00000000,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004FDCB8
        • Part of subcall function 004FDBC0: __vbaFreeStr.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004FDCC6
        • Part of subcall function 004FDBC0: __vbaAryLock.MSVBVM60(?,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004FDCDE
        • Part of subcall function 004FDBC0: __vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 004FDCFB
      • __vbaFreeObj.MSVBVM60 ref: 004FD74E
      • __vbaVar2Vec.MSVBVM60(?,?,?,?), ref: 004FD778
      • __vbaAryMove.MSVBVM60(00000000,?), ref: 004FD786
      • __vbaFreeVar.MSVBVM60 ref: 004FD78F
      • #717.MSVBVM60(?,00006011,00000040,00000000), ref: 004FD7B5
      • __vbaStrVarMove.MSVBVM60(?), ref: 004FD7BF
      • __vbaStrMove.MSVBVM60 ref: 004FD7CA
      • __vbaFreeVar.MSVBVM60 ref: 004FD7D3
      • __vbaStrMove.MSVBVM60(?,00000000,?,00000000,00000000,00000000,004153F6), ref: 004FD80D
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 004FD820
      • #685.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 004FD82D
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000,00000000,00000000,004153F6), ref: 004FD838
      • __vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 004FD859
      • __vbaAryDestruct.MSVBVM60(00000000,00000000,004FD8AE,?,00000000,00000000,00000000,004153F6), ref: 004FD89E
      • __vbaFreeStr.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 004FD8A7
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$ErrorMove$#518#617#685Copy$Chkstk$#717AnsiBoundsCheckDestructGenerateHresultLockOffsetRedimSystemUnicodeVar2
      • String ID:
      • API String ID: 3943459799-0
      • Opcode ID: 5f5412f682d620457d4c03575b2f8bd8e1e9c0d9a68de1d1dd1b93b5ffa33006
      • Instruction ID: fb21781f414fce82e3a644573f51f6a0c9bab505548b078bd5fda3d28cf01c2e
      • Opcode Fuzzy Hash: 5f5412f682d620457d4c03575b2f8bd8e1e9c0d9a68de1d1dd1b93b5ffa33006
      • Instruction Fuzzy Hash: 4A71F975D00209EFDB04DFA4DA88BEEBBB5FF48304F108169E502AB2A0DB745A45CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00507660 Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 134COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 0050767E
      • __vbaOnError.MSVBVM60(000000FF,6D1E1654,00000000,6D29595C,00000000,004153F6), ref: 005076AE
      • #685.MSVBVM60(?,?,?,?,?,?), ref: 005076C8
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?), ref: 005076D3
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?), ref: 005076EB
      • #645.MSVBVM60(00004008,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0050770B
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00507716
      • #685.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00507723
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0050772E
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 00507761
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00507785
      • __vbaStrCat.MSVBVM60(?,File/Path Access Problem (), ref: 005077B2
      • __vbaStrMove.MSVBVM60(?,File/Path Access Problem (), ref: 005077BD
      • __vbaStrCat.MSVBVM60(00421978,00000000,?,File/Path Access Problem (), ref: 005077C9
      • __vbaStrMove.MSVBVM60(?,File/Path Access Problem (), ref: 005077D4
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,File/Path Access Problem (), ref: 005077ED
      • #685.MSVBVM60 ref: 0050780C
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00507817
      • __vbaFreeObj.MSVBVM60 ref: 0050782F
      • __vbaFreeStr.MSVBVM60(00507863), ref: 0050785C
      Strings
      • File/Path Access Problem (, xrefs: 005077A7
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685Move$#645CheckChkstkErrorHresultList
      • String ID: File/Path Access Problem (
      • API String ID: 3825216665-2550869938
      • Opcode ID: 32a2ae180c8619927b296d4a3223db975e218948c30289b0468316fa8a93e9bf
      • Instruction ID: 5eed9e5033ef23411f1977862add0812bb36171c2f1fd840d093bb71d36ba211
      • Opcode Fuzzy Hash: 32a2ae180c8619927b296d4a3223db975e218948c30289b0468316fa8a93e9bf
      • Instruction Fuzzy Hash: B951E5B5D00208EBDB04DFE4DA89BDEBBB5FF48705F208129E502B72A0DB746A45CB54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00573440 Relevance: 36.2, APIs: 24, Instructions: 180COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,?,?,00000000,004153F6), ref: 0057345E
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000000,?,00000000,004153F6), ref: 00573483
      • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004153F6), ref: 0057349C
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004153F6), ref: 005734AB
      • #518.MSVBVM60(?,00004008), ref: 005734D6
      • #520.MSVBVM60(?,?), ref: 005734E4
      • __vbaStrVarMove.MSVBVM60(?), ref: 005734EE
      • __vbaStrMove.MSVBVM60 ref: 005734F9
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00573509
        • Part of subcall function 00572850: __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 0057286E
        • Part of subcall function 00572850: __vbaAptOffset.MSVBVM60(00419C98,?,00000000,?,00000000,004153F6), ref: 00572893
        • Part of subcall function 00572850: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004153F6), ref: 005728AC
        • Part of subcall function 00572850: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000), ref: 00572942
        • Part of subcall function 00572850: #685.MSVBVM60(?,00000000), ref: 00572957
        • Part of subcall function 00572850: __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000), ref: 00572962
        • Part of subcall function 00572850: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C,?,?,?,?,?,?,?,?,?,0057352C), ref: 00572995
        • Part of subcall function 00572850: __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,0057352C), ref: 005729B9
        • Part of subcall function 00572850: #685.MSVBVM60(?,00000000), ref: 005729DB
      • __vbaUbound.MSVBVM60(00000001,?), ref: 0057354D
      • __vbaAryLock.MSVBVM60(?,?), ref: 005735A5
      • __vbaGenerateBoundsError.MSVBVM60 ref: 005735E3
      • __vbaGenerateBoundsError.MSVBVM60 ref: 00573600
      • #518.MSVBVM60(?,00004008), ref: 00573637
      • __vbaAryUnlock.MSVBVM60(00000000), ref: 00573641
      • #520.MSVBVM60(?,?), ref: 0057364F
      • #518.MSVBVM60(?,00004008), ref: 00573673
      • #520.MSVBVM60(?,?), ref: 00573681
      • __vbaVarTstEq.MSVBVM60(?,?), ref: 0057368F
      • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 005736AE
      • #685.MSVBVM60 ref: 005736E4
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005736EF
      • __vbaFreeObj.MSVBVM60 ref: 00573710
      • __vbaFreeStr.MSVBVM60(0057375D), ref: 00573756
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Error$#518#520#685$BoundsChkstkGenerateListMoveOffset$CheckCopyHresultLockUboundUnlock
      • String ID:
      • API String ID: 2759212316-0
      • Opcode ID: 6530723a5395784554574b109fe9eb58d285ccdf64b7f1433b064250fb50a77b
      • Instruction ID: 787658b7a768c0f95ee1a775a0f77dac83ab214d9fae1d57e71414e249b424e4
      • Opcode Fuzzy Hash: 6530723a5395784554574b109fe9eb58d285ccdf64b7f1433b064250fb50a77b
      • Instruction Fuzzy Hash: A48128B1900218EFDB14DFA4D988BDDBBB5FF48304F10819AE50AB7260DB745A88DF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0055E4E0 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 145COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0055E4FE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0055E52E
        • Part of subcall function 0055D650: __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,?,?,?,?,004153F6), ref: 0055D66E
        • Part of subcall function 0055D650: __vbaAptOffset.MSVBVM60(00419C98,?,00000000,?,00000000,004153F6), ref: 0055D693
        • Part of subcall function 0055D650: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004153F6), ref: 0055D6AF
        • Part of subcall function 0055D650: #520.MSVBVM60(?,00004008), ref: 0055D6D9
        • Part of subcall function 0055D650: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0055D6F5
        • Part of subcall function 0055D650: __vbaFreeVar.MSVBVM60 ref: 0055D702
        • Part of subcall function 0055D650: #520.MSVBVM60(?,00000008), ref: 0055D72E
        • Part of subcall function 0055D650: __vbaStrVarMove.MSVBVM60(?), ref: 0055D738
        • Part of subcall function 0055D650: __vbaStrMove.MSVBVM60 ref: 0055D74C
        • Part of subcall function 0055D650: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0055D75C
        • Part of subcall function 0055D650: __vbaStrI4.MSVBVM60(00000000), ref: 0055D772
        • Part of subcall function 0055D650: __vbaStrMove.MSVBVM60(?,00000000,004153F6), ref: 0055D77D
        • Part of subcall function 0055D650: #520.MSVBVM60(?,00000008), ref: 0055D7A1
        • Part of subcall function 0055D650: __vbaStrVarMove.MSVBVM60(?), ref: 0055D7AB
        • Part of subcall function 0055D650: __vbaStrMove.MSVBVM60 ref: 0055D7B6
        • Part of subcall function 0055D650: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0055D7C6
      • __vbaStrMove.MSVBVM60 ref: 0055E552
      • __vbaInStr.MSVBVM60(00000000,00428574,?,00000001), ref: 0055E56C
      • #518.MSVBVM60(?,00004008), ref: 0055E5AA
      • #518.MSVBVM60(?,00004008), ref: 0055E5F6
      • __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001,0000000B), ref: 0055E63E
      • __vbaVarCmpGt.MSVBVM60(?,00008002,00000000), ref: 0055E650
      • __vbaVarOr.MSVBVM60(?,00000000), ref: 0055E65B
      • __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001,00000000), ref: 0055E678
      • __vbaVarCmpGt.MSVBVM60(?,00008002,00000000), ref: 0055E68D
      • __vbaVarOr.MSVBVM60(?,00000000), ref: 0055E69B
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 0055E6A2
      • __vbaFreeVarList.MSVBVM60(00000005,?,?,0000000B,?,?), ref: 0055E6CB
      • #685.MSVBVM60 ref: 0055E6F3
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0055E6FE
      • __vbaFreeObj.MSVBVM60 ref: 0055E71F
      • __vbaFreeStr.MSVBVM60(0055E774), ref: 0055E76D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$FreeMove$#520List$#518ChkstkError$#685BoolNullOffset
      • String ID: logon$lsass
      • API String ID: 1904609158-3332110998
      • Opcode ID: d83eb81070c791acd3102c02a7859035ad4b24b15022f7d6d43f362c03b785bf
      • Instruction ID: 56ad50e692afbc9c36ce56674d96821508b1856be783b6d1e9b8c3d12fcaea65
      • Opcode Fuzzy Hash: d83eb81070c791acd3102c02a7859035ad4b24b15022f7d6d43f362c03b785bf
      • Instruction Fuzzy Hash: BE61DCB2800218EBEB14DF94CD49FDEBB78FB48704F008599E616B7190DB755A88CFA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 004F2D40 Relevance: 35.1, APIs: 19, Strings: 1, Instructions: 144COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 004F2D5E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 004F2D8E
      • #685.MSVBVM60(?,?,?,?,004153F6), ref: 004F2D9B
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 004F2DA6
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 004F2DBE
      • #685.MSVBVM60 ref: 004F2DD8
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004F2DE3
      • __vbaFreeObj.MSVBVM60 ref: 004F2DFB
      • #716.MSVBVM60(?,AloahaCredentials.saverclass,00000000), ref: 004F2E47
      • __vbaObjVar.MSVBVM60(?), ref: 004F2E51
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004F2E5F
      • __vbaFreeVar.MSVBVM60 ref: 004F2E68
      • #716.MSVBVM60(?,AloahaCredentials.saverclass,00000000), ref: 004F2EAE
      • __vbaObjVar.MSVBVM60(?), ref: 004F2EB8
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004F2EC6
      • __vbaFreeVar.MSVBVM60 ref: 004F2ECF
      • #685.MSVBVM60 ref: 004F2F19
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004F2F24
      • __vbaFreeObj.MSVBVM60 ref: 004F2F3C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685$#716Addref$ChkstkError
      • String ID: AloahaCredentials.saverclass
      • API String ID: 3184275522-2454359930
      • Opcode ID: 5fd2cf055f46062cbf4eeecfc9566399116753c676e4f2cfd2da1be9590c1f63
      • Instruction ID: b22638ec200439adebcb08c839788516ebc7694ff8b9bbb008bc05bdafc168d7
      • Opcode Fuzzy Hash: 5fd2cf055f46062cbf4eeecfc9566399116753c676e4f2cfd2da1be9590c1f63
      • Instruction Fuzzy Hash: 06510975900209EFDB04DFE4DA48BDEBB78FF08305F108159F601AB260D7789A89DB64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00529D40 Relevance: 31.6, APIs: 21, Instructions: 140COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,?,00532D89), ref: 00529D5E
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000000,00000000,00000000,004153F6), ref: 00529D83
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,004153F6), ref: 00529D9F
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,00000000,00000000,004153F6), ref: 00529DBE
      • __vbaLenBstr.MSVBVM60(?,?,00000000,00000000,00000000,004153F6), ref: 00529DD9
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 0052C053
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 0052C078
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 0052C094
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,00000000,00000000,004153F6), ref: 0052C0B3
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Copy$BstrChkstkErrorOffset
      • String ID:
      • API String ID: 307063670-0
      • Opcode ID: 2a1b2892c840c64e7f070f790cc3c602f64b3164631e192e2c07f7e4611bdae9
      • Instruction ID: 2a022b4286cb036811affaac0070f16be2c0d377c53dde913eba7df90ff3c384
      • Opcode Fuzzy Hash: 2a1b2892c840c64e7f070f790cc3c602f64b3164631e192e2c07f7e4611bdae9
      • Instruction Fuzzy Hash: 08514775900218DBDB14DFA4DE88BDDBBB4FF48304F1081A9E506B72A1CB745A89CFA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 004FCDE0 Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 132COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 004FCDFE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 004FCE3A
      • __vbaLateMemCallLd.MSVBVM60(?,?,HTMLSaverLicensed,00000000), ref: 004FCE77
      • __vbaBoolVar.MSVBVM60(00000000,?,?,?,004153F6), ref: 004FCE81
      • __vbaFreeVar.MSVBVM60(?,?,?,004153F6), ref: 004FCE8E
      • #520.MSVBVM60(?,00004008), ref: 004FCEB8
      • #518.MSVBVM60(?,?), ref: 004FCEC6
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 004FCEE2
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004FCEF9
      • #685.MSVBVM60 ref: 004FCFA1
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004FCFAC
      • __vbaFreeObj.MSVBVM60 ref: 004FCFCD
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#518#520#685BoolCallChkstkErrorLateList
      • String ID: HTMLSaverLicensed$true
      • API String ID: 3069399734-1548498821
      • Opcode ID: 92a05eb2f145fa7162b18b603d097354ec94b292fb8226dd4b81cc890ea1daba
      • Instruction ID: 011eaaf196a892056f8fadffbc7a17981e00a9fda8ae0c1b9b595d29cee4d6c6
      • Opcode Fuzzy Hash: 92a05eb2f145fa7162b18b603d097354ec94b292fb8226dd4b81cc890ea1daba
      • Instruction Fuzzy Hash: 0B513AB5D00208EFDB04DFA4CA88BDDBBB4FF48704F20815AE616A72A1D7745A45CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0057A220 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 104COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6,?,?,?,?,0057A171,?), ref: 0057A23E
      • __vbaStrCopy.MSVBVM60(00000000,6D1CD8B1,6D1BE251,?,004153F6), ref: 0057A26B
      • __vbaOnError.MSVBVM60(000000FF), ref: 0057A27A
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 0057A29D
      • #520.MSVBVM60(?,00004008), ref: 0057A2D0
      • #528.MSVBVM60(?,?), ref: 0057A2DE
      • __vbaVarDup.MSVBVM60 ref: 0057A301
      • #520.MSVBVM60(?,?), ref: 0057A30F
      • #528.MSVBVM60(?,?), ref: 0057A31D
      • __vbaVarTstEq.MSVBVM60(?,?), ref: 0057A32B
      • __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 0057A34E
      • #685.MSVBVM60 ref: 0057A376
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0057A381
      • __vbaFreeObj.MSVBVM60 ref: 0057A3A2
      • __vbaFreeStr.MSVBVM60(0057A3E9), ref: 0057A3E2
      Strings
      • 30D64A22AA37FFCF2641C2BACD3CB1C1EA1EC7AF9DC6649D7ED6F6, xrefs: 0057A2E4
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#520#528$#685ChkstkCopyErrorList
      • String ID: 30D64A22AA37FFCF2641C2BACD3CB1C1EA1EC7AF9DC6649D7ED6F6
      • API String ID: 3169182468-1092225018
      • Opcode ID: 4e44fa4eefe64072cdea192a9ef5b91a25870fbba8b076405e420a37f6000993
      • Instruction ID: 2eee99cf9024b0d885b53e1da46f19768a7064877441dba64741d0a54d287d07
      • Opcode Fuzzy Hash: 4e44fa4eefe64072cdea192a9ef5b91a25870fbba8b076405e420a37f6000993
      • Instruction Fuzzy Hash: FC41E6B1C00208EBDB14DFA4D988BDEBBB8BF48704F108559E616B7160DB745A49CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005CE1E0 Relevance: 27.2, APIs: 18, Instructions: 204COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 005CE1FE
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 005CE22F
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 005CE248
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CE2A0
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0044B648,000000E4), ref: 005CE2D7
      • __vbaFreeObj.MSVBVM60 ref: 005CE2EC
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CE326
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0044B648,000000E4), ref: 005CE35D
      • __vbaFreeObj.MSVBVM60 ref: 005CE372
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CE3AC
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0044B648,000000E4), ref: 005CE3E3
      • __vbaFreeObj.MSVBVM60 ref: 005CE3F8
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CE432
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0044B648,000000E4), ref: 005CE469
      • __vbaFreeObj.MSVBVM60 ref: 005CE47E
      • #685.MSVBVM60 ref: 005CE49F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CE4AA
      • __vbaFreeObj.MSVBVM60 ref: 005CE4C2
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresult$#685ChkstkErrorOffset
      • String ID:
      • API String ID: 2836370456-0
      • Opcode ID: d5f9351f4f24ab8082b5ab1a2bf40a72f728d44e80b6b3dbce7c6f8fd0d03127
      • Instruction ID: fd7f5f923a9f73d98c4f8ffad81653292847b097a9634db1beb73b1db0c697d1
      • Opcode Fuzzy Hash: d5f9351f4f24ab8082b5ab1a2bf40a72f728d44e80b6b3dbce7c6f8fd0d03127
      • Instruction Fuzzy Hash: 169105B9900248EFDB04DFE4C989BDDBBB5FB48314F208559E512BB2A0C774A945CFA4
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00594DB0 Relevance: 27.1, APIs: 18, Instructions: 120COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000003,004153F6), ref: 00594DCE
      • __vbaStrCopy.MSVBVM60(?,?,?,00000003,004153F6), ref: 00594DFB
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000003,004153F6), ref: 00594E0A
      • __vbaNew.MSVBVM60(00436690,?,?,?,00000003,004153F6), ref: 00594E1C
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000003,004153F6), ref: 00594E27
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00436680,0000002C), ref: 00594E62
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00436680,00000030), ref: 00594EA2
      • __vbaVar2Vec.MSVBVM60(?,?), ref: 00594EBC
      • __vbaAryMove.MSVBVM60(?,?), ref: 00594ECA
      • __vbaFreeStr.MSVBVM60 ref: 00594ED3
      • __vbaFreeVar.MSVBVM60 ref: 00594EDC
      • __vbaCastObj.MSVBVM60(00000000,00436680), ref: 00594EF0
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00594EFB
      • #685.MSVBVM60 ref: 00594F08
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00594F13
      • __vbaFreeObj.MSVBVM60 ref: 00594F2B
      • __vbaFreeStr.MSVBVM60(00594F89), ref: 00594F79
      • __vbaFreeObj.MSVBVM60 ref: 00594F82
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresult$#685CastChkstkCopyErrorMoveVar2
      • String ID:
      • API String ID: 1078759795-0
      • Opcode ID: 6d790c46b136bcfef3e4686d43c1d18d47a00ab0175f18ffa8de0ba5788f786e
      • Instruction ID: 6710b5fb7c8f1013b94f6535dff5cf43e4906a8fb1eed5aff006fe24dd07584e
      • Opcode Fuzzy Hash: 6d790c46b136bcfef3e4686d43c1d18d47a00ab0175f18ffa8de0ba5788f786e
      • Instruction Fuzzy Hash: 5051F4B5900209EFDB04DFA4D989FDEBBB8BB48305F108519E502B72A0D7745A45CFA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0050D0F0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 131COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0050D10E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0050D14A
      • #685.MSVBVM60(?,?,?,?,004153F6), ref: 0050D157
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 0050D162
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 0050D17A
      • __vbaStrCmp.MSVBVM60(true,?,?,?,?,?,004153F6), ref: 0050D193
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00422668,00000024), ref: 0050D1DB
      • #685.MSVBVM60 ref: 0050D1FA
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0050D205
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C600,0000001C), ref: 0050D238
      • __vbaFreeObj.MSVBVM60 ref: 0050D25C
      • #685.MSVBVM60(?,?,?,?,004153F6), ref: 0050D27F
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 0050D28A
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 0050D2A2
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685Free$CheckHresult$ChkstkError
      • String ID: true
      • API String ID: 3336096172-4261170317
      • Opcode ID: a1a26f2c55df36fbb515a26df01183a90134e4045b8c143e3becfb1f1baca84f
      • Instruction ID: d844a1b2062114f059cc737fb430fcc060b153d1a6316081e22a294bb09c245b
      • Opcode Fuzzy Hash: a1a26f2c55df36fbb515a26df01183a90134e4045b8c143e3becfb1f1baca84f
      • Instruction Fuzzy Hash: A451E8B9900208EFDB00DFE4D988BDEBBB5FF48705F108519E902AB2A0C7749A45CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0050EA60 Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 88COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0050EA7E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0050EAC5
      • __vbaChkstk.MSVBVM60 ref: 0050EAE5
      • __vbaVarLateMemSt.MSVBVM60(?,DoingShutdown), ref: 0050EB0C
      • __vbaStrCopy.MSVBVM60 ref: 0050EB24
      • __vbaCastObj.MSVBVM60(00000000,00422668), ref: 0050EB38
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0050EB43
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0050EB51
      • __vbaFreeObj.MSVBVM60 ref: 0050EB5A
      • #685.MSVBVM60 ref: 0050EB67
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0050EB72
      • __vbaFreeObj.MSVBVM60 ref: 0050EB8A
      • __vbaFreeVar.MSVBVM60(0050EBB2), ref: 0050EBAB
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Chkstk$#685AddrefCastCopyErrorLate
      • String ID: DoingShutdown$true
      • API String ID: 1510381634-3497760169
      • Opcode ID: c4dda2ba40be494838d6059e699ae5b70748753880b89c5f467b2600077976f8
      • Instruction ID: 8512e2631b7dbc4385d107379c285bc3edc6a16751cafd187456b4418068fc14
      • Opcode Fuzzy Hash: c4dda2ba40be494838d6059e699ae5b70748753880b89c5f467b2600077976f8
      • Instruction Fuzzy Hash: 68411DB4901208EFDB04DF94DA49B9DBBB4FF48304F108159F916AB3A1C7789A44CF94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00590110 Relevance: 24.2, APIs: 16, Instructions: 196COMMON
      Download Yara Rule
      APIs
      • __vbaStrCopy.MSVBVM60 ref: 00590172
      • __vbaHresultCheckObj.MSVBVM60(00000000,0040FA38,004367E4,00000060), ref: 005901CD
      • __vbaR8IntI2.MSVBVM60 ref: 005901D6
      • #537.MSVBVM60(?,?), ref: 00590206
      • __vbaStrMove.MSVBVM60(?,?), ref: 00590211
      • __vbaStrCat.MSVBVM60(00000000,?,?), ref: 00590214
      • __vbaStrMove.MSVBVM60(?,?), ref: 0059021F
      • __vbaFreeStr.MSVBVM60(?,?), ref: 00590224
      • __vbaHresultCheckObj.MSVBVM60(00000000,0040FA38,004367E4,0000004C), ref: 0059026B
      • __vbaStrMove.MSVBVM60 ref: 00590280
      • __vbaVarCopy.MSVBVM60 ref: 00590295
      • #606.MSVBVM60(000000FA,?), ref: 005902B2
      • __vbaStrMove.MSVBVM60 ref: 005902BD
      • __vbaFreeVar.MSVBVM60 ref: 005902C2
      • __vbaFreeStr.MSVBVM60(005902FC), ref: 005902F5
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Free$CheckCopyHresult$#537#606
      • String ID:
      • API String ID: 3670525414-0
      • Opcode ID: 94b4029814c8745a90fafe2e99119dfd76bbd2696e2d1ea26a748a6958035c19
      • Instruction ID: 8b0e8fbbc4be3b225a0c2b282e3ef4a28ad437fb9dd1f62cc576e73867241256
      • Opcode Fuzzy Hash: 94b4029814c8745a90fafe2e99119dfd76bbd2696e2d1ea26a748a6958035c19
      • Instruction Fuzzy Hash: 14715CB4D00249EFDB10DF99D988AEEFBB9FF84300F20851AE815A72A4D7746946CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00546140 Relevance: 24.1, APIs: 16, Instructions: 104COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,00000000,?,00000000,?,?,004153F6), ref: 0054615E
      • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004153F6,00000000), ref: 0054618B
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004153F6,00000000), ref: 0054619A
      • #617.MSVBVM60(?,00004008,00000001), ref: 005461BE
      • #528.MSVBVM60(?,?), ref: 005461CC
      • __vbaLenBstr.MSVBVM60(00000000), ref: 005461E9
      • #619.MSVBVM60(?,00004008,-00000001), ref: 00546204
      • __vbaVarAdd.MSVBVM60(?,?,?), ref: 00546216
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 0054621D
      • __vbaStrMove.MSVBVM60 ref: 00546228
      • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00546240
      • #685.MSVBVM60(?,00000000,?,00000000,004153F6,00000000), ref: 00546250
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,00000000,004153F6,00000000), ref: 0054625B
      • __vbaFreeObj.MSVBVM60(?,00000000,?,00000000,004153F6,00000000), ref: 0054627C
      • __vbaFreeStr.MSVBVM60(005462CB,?,00000000,?,00000000,004153F6,00000000), ref: 005462C4
      • __vbaErrorOverflow.MSVBVM60 ref: 005462E1
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$ErrorMove$#528#617#619#685BstrChkstkCopyListOverflow
      • String ID:
      • API String ID: 386560673-0
      • Opcode ID: 12836ffceb81357806c152f1921dfe51c65325798569814dcd6048ba42bf0ac7
      • Instruction ID: 79d27fc1d464ea7c535fe4b10daadf67d3c2ca0f7fb936851922526de7d1dd92
      • Opcode Fuzzy Hash: 12836ffceb81357806c152f1921dfe51c65325798569814dcd6048ba42bf0ac7
      • Instruction Fuzzy Hash: 7741E5B6C00209EFDB04DFE4C988ADEBBB8FB48305F108569E616B71A0DB745648CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00577E30 Relevance: 24.1, APIs: 16, Instructions: 96COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 00577E4E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 00577E7B
      • __vbaAryConstruct2.MSVBVM60(?,00437258,00000011,?,?,?,?,004153F6), ref: 00577E8C
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 00577E9B
      • __vbaAryCopy.MSVBVM60(?,?,?,?,?,?,004153F6), ref: 00577EB6
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,?,004153F6), ref: 00577ECC
      • __vbaVar2Vec.MSVBVM60(?,?,?,?,?,?,?,?,004153F6), ref: 00577EF2
      • __vbaAryMove.MSVBVM60(?,?,?,?,?,?,004153F6), ref: 00577F00
      • __vbaFreeVar.MSVBVM60(?,?,?,?,004153F6), ref: 00577F09
      • __vbaAryCopy.MSVBVM60(?,?,?,?,?,?,004153F6), ref: 00577F1E
      • #685.MSVBVM60(?,?,?,?,004153F6), ref: 00577F2B
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 00577F36
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 00577F4E
      • __vbaFreeStr.MSVBVM60(00577FB8,?,?,?,?,004153F6), ref: 00577F93
      • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,004153F6), ref: 00577FA5
      • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,004153F6), ref: 00577FB1
        • Part of subcall function 005A0B40: __vbaChkstk.MSVBVM60(?,004153F6,?,?,?,?,?,004153F6), ref: 005A0B5E
        • Part of subcall function 005A0B40: __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6,?), ref: 005A0B8B
        • Part of subcall function 005A0B40: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6,?), ref: 005A0B9A
        • Part of subcall function 005A0B40: __vbaLenBstr.MSVBVM60(?,entering str2ba with inputlen: ,?,?,?,?,004153F6,?), ref: 005A0BB0
        • Part of subcall function 005A0B40: __vbaStrI4.MSVBVM60(00000000,?,?,?,?,004153F6,?), ref: 005A0BB7
        • Part of subcall function 005A0B40: __vbaStrMove.MSVBVM60(?,?,?,?,004153F6,?), ref: 005A0BC2
        • Part of subcall function 005A0B40: __vbaStrCat.MSVBVM60(00000000,?,?,?,?,004153F6,?), ref: 005A0BC9
        • Part of subcall function 005A0B40: __vbaStrMove.MSVBVM60(?,?,?,?,004153F6,?), ref: 005A0BD4
        • Part of subcall function 005A0B40: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,004153F6,?), ref: 005A0BED
        • Part of subcall function 005A0B40: __vbaLenBstr.MSVBVM60(?,?,?,004153F6,?), ref: 005A0C01
        • Part of subcall function 005A0B40: #717.MSVBVM60(?,00004008,00000080,00000000), ref: 005A0C2D
        • Part of subcall function 005A0B40: __vbaVar2Vec.MSVBVM60(?,?), ref: 005A0C3B
        • Part of subcall function 005A0B40: __vbaAryMove.MSVBVM60(?,?), ref: 005A0C49
        • Part of subcall function 005A0B40: __vbaFreeVar.MSVBVM60 ref: 005A0C52
        • Part of subcall function 005A0B40: __vbaUbound.MSVBVM60(00000001,?), ref: 005A0C65
        • Part of subcall function 005A0B40: __vbaStrCat.MSVBVM60(?,STR2BA: ), ref: 005A0C87
        • Part of subcall function 005A0B40: __vbaStrMove.MSVBVM60 ref: 005A0C92
        • Part of subcall function 005A0B40: __vbaFreeStr.MSVBVM60(?), ref: 005A0CA4
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$Copy$BstrChkstkDestructErrorVar2$#685#717Construct2ListUbound
      • String ID:
      • API String ID: 2677038126-0
      • Opcode ID: 1bbeba1338f77a3a45992aeb11583321a840f5551ec13fdcfefed6d3b2ee6ef5
      • Instruction ID: b647662819d27265595b32ded32c66f4ff8fb24f349beb1c3ab54f5fe29fc3af
      • Opcode Fuzzy Hash: 1bbeba1338f77a3a45992aeb11583321a840f5551ec13fdcfefed6d3b2ee6ef5
      • Instruction Fuzzy Hash: DB41DBB5900209EFDB04DFE4DA49BDEBBB8FF48705F108159E512A71A0DB746A05CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00511120 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 104COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0051113E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 00511163
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0051117C
      • __vbaStrCmp.MSVBVM60(true,?), ref: 005111A5
      • __vbaStrCmp.MSVBVM60(false,?), ref: 005111C2
      • __vbaStrCmp.MSVBVM60(true,?), ref: 005111EA
      • __vbaStrCopy.MSVBVM60 ref: 00511267
      • __vbaStrCopy.MSVBVM60 ref: 00511284
      • #685.MSVBVM60 ref: 005112A0
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005112AB
      • __vbaFreeObj.MSVBVM60 ref: 005112C3
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Copy$#685ChkstkErrorFreeOffset
      • String ID: false$true
      • API String ID: 1803863674-2658103896
      • Opcode ID: 0359c9460a1d494bd5981dec2538829bade0652b5240336c0a0fc326d1191915
      • Instruction ID: babcf3c2e98dedaf73e68ba4431cf79ee33464ac393193bc0887808e81984bea
      • Opcode Fuzzy Hash: 0359c9460a1d494bd5981dec2538829bade0652b5240336c0a0fc326d1191915
      • Instruction Fuzzy Hash: FF415E74901208DBDB10DFE5CA48BDEBBB4FF48704F208199E502BB290D7B95E45DB99
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0050CD10 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 99COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0050CD2E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 0050CD6A
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0050CD83
      • __vbaStrCmp.MSVBVM60(true,?,?,?,?,?,004153F6), ref: 0050CD9C
      • __vbaNew.MSVBVM60(00422A2C), ref: 0050CDD9
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0050CDE4
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0050CDF2
      • __vbaFreeObj.MSVBVM60 ref: 0050CDFB
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424904,00000038), ref: 0050CE2E
      • #685.MSVBVM60(?,?,?,?,004153F6), ref: 0050CE47
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 0050CE52
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 0050CE6A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685AddrefCheckChkstkErrorHresultOffset
      • String ID: true
      • API String ID: 3942274144-4261170317
      • Opcode ID: bfec116eb090b9cf050f20dab7c47d224d3b625919852a373c3a7eb448967e34
      • Instruction ID: 63145f7bbfc670355d0582b9b2886aad217dff683e35c9e6e4ff67baefb94466
      • Opcode Fuzzy Hash: bfec116eb090b9cf050f20dab7c47d224d3b625919852a373c3a7eb448967e34
      • Instruction Fuzzy Hash: 00412EB5900208EFCB14DFA4C949BDEBFB4FF48354F108259F915AB2A1C7759A44CB94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005964A0 Relevance: 22.7, APIs: 15, Instructions: 163COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 005964BE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 00596503
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00436FD8,0000003C), ref: 00596534
      • __vbaAryMove.MSVBVM60(?,?), ref: 00596569
      • __vbaLenBstr.MSVBVM60 ref: 00596575
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00436FD8,00000044), ref: 005965AA
      • __vbaErase.MSVBVM60(00000000,?), ref: 005965C2
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00436FD8,00000040), ref: 005965F3
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00436FD8,00000034), ref: 00596634
      • __vbaStrMove.MSVBVM60 ref: 00596659
      • #685.MSVBVM60 ref: 00596666
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00596671
      • __vbaFreeObj.MSVBVM60 ref: 00596689
      • __vbaAryDestruct.MSVBVM60(00000000,?,005966D5), ref: 005966C2
      • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 005966CE
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$CheckHresult$DestructMove$#685BstrChkstkEraseErrorFree
      • String ID:
      • API String ID: 1291968583-0
      • Opcode ID: 9f95202d155cfa9a67f8d02f3367d6c7ad2ffab5502029ce66000fd18012ae7c
      • Instruction ID: 9334a007928d4dd0755fd762ed4c26aec39886feb218e15a25e048229ccadcb9
      • Opcode Fuzzy Hash: 9f95202d155cfa9a67f8d02f3367d6c7ad2ffab5502029ce66000fd18012ae7c
      • Instruction Fuzzy Hash: BD71E9B5901209EFDB04DF94D988BDEBBB5FF48300F108519F506AB294D774AA44CB54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 004F3D10 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 109COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 004F3D2E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 004F3D73
      • __vbaLateMemCallLd.MSVBVM60(?,?,INIPath,00000000), ref: 004F3DB0
      • __vbaStrVarMove.MSVBVM60(00000000,?,?,?,004153F6), ref: 004F3DBA
      • __vbaStrMove.MSVBVM60(?,?,?,004153F6), ref: 004F3DC5
      • __vbaFreeVar.MSVBVM60(?,?,?,004153F6), ref: 004F3DCE
      • __vbaHresultCheckObj.MSVBVM60(?,?,0041C0D8,00000054), ref: 004F3E05
      • __vbaStrMove.MSVBVM60 ref: 004F3E48
      • #685.MSVBVM60 ref: 004F3E55
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004F3E60
      • __vbaFreeObj.MSVBVM60 ref: 004F3E78
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Free$#685CallCheckChkstkErrorHresultLate
      • String ID: INIPath
      • API String ID: 2060099556-2792113629
      • Opcode ID: 1631f0296a852ef7a20b1ffa46be4cba6a293e39e82e9d3fc330750f498f6022
      • Instruction ID: 0856cb1dacd52d8c1b1cb13371f88e7fa95dfade78152e8645e50e04f9c110df
      • Opcode Fuzzy Hash: 1631f0296a852ef7a20b1ffa46be4cba6a293e39e82e9d3fc330750f498f6022
      • Instruction Fuzzy Hash: 05410B75900208EFDB04DFA4C988BDEBBB5FF48305F108159E606AB2A0D774AA45CB94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 004FCC80 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 80COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 004FCC9E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 004FCCCF
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 004FCCE8
      • __vbaLateMemCall.MSVBVM60(?,RegASM,00000000), ref: 004FCD21
      • __vbaStrCmp.MSVBVM60(true,?), ref: 004FCD42
      • __vbaStrCopy.MSVBVM60 ref: 004FCD61
      • #685.MSVBVM60 ref: 004FCD7F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004FCD8A
      • __vbaFreeObj.MSVBVM60 ref: 004FCDA2
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685CallChkstkCopyErrorFreeLateOffset
      • String ID: AloahaFormSaver.dll$RegASM$true
      • API String ID: 1043273738-3006667744
      • Opcode ID: 6bd5ac0b99a0df84c702669c382cf5871e573cf1abe2cd05d20b7f7c16a3ef69
      • Instruction ID: 96d8367a229d919a5eca68f091eac98ec6311677c7a773cc945798f98273976e
      • Opcode Fuzzy Hash: 6bd5ac0b99a0df84c702669c382cf5871e573cf1abe2cd05d20b7f7c16a3ef69
      • Instruction Fuzzy Hash: E1314274900208EFDB04DF94CA89BDEBBB4FF48704F208159E506672A1C778AA45DB95
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005D0110 Relevance: 19.6, APIs: 13, Instructions: 146COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 005D012E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 005D016A
      • __vbaVarMove.MSVBVM60 ref: 005D018B
      • __vbaStrCmp.MSVBVM60(0041AA3C), ref: 005D01B1
      • __vbaStrCmp.MSVBVM60(0041AA3C,00000000), ref: 005D01C9
      • __vbaStrCmp.MSVBVM60(0041AA3C), ref: 005D01E7
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00449C28,00000040), ref: 005D022F
      • __vbaStrMove.MSVBVM60 ref: 005D0254
      • __vbaStrCmp.MSVBVM60(0041AA3C,?), ref: 005D026A
      • __vbaStrCopy.MSVBVM60 ref: 005D0283
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00449C28,00000044), ref: 005D02C4
      • __vbaFreeVar.MSVBVM60(005D0310), ref: 005D0300
      • __vbaFreeStr.MSVBVM60 ref: 005D0309
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresultMove$ChkstkCopyError
      • String ID:
      • API String ID: 2126626259-0
      • Opcode ID: d6bfcc00b8c7ba365d105e49aa10f6de843576b9ebdee6c9a088edfedded43b0
      • Instruction ID: bb16268abd91cd2aca285827c330a447ed9a9972494878752b8af391618ca57e
      • Opcode Fuzzy Hash: d6bfcc00b8c7ba365d105e49aa10f6de843576b9ebdee6c9a088edfedded43b0
      • Instruction Fuzzy Hash: 7A51E7B4901209EFDB14DF94DA88B9EBBB4FF48704F208219F906AB390D7749A45CF95
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00572850 Relevance: 19.6, APIs: 13, Instructions: 120COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 0057286E
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000000,?,00000000,004153F6), ref: 00572893
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004153F6), ref: 005728AC
      • __vbaGenerateBoundsError.MSVBVM60(?,00000000), ref: 0057290C
      • __vbaGenerateBoundsError.MSVBVM60(?,00000000), ref: 00572920
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000), ref: 00572942
      • #685.MSVBVM60(?,00000000), ref: 00572957
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000), ref: 00572962
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C,?,?,?,?,?,?,?,?,?,0057352C), ref: 00572995
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,0057352C), ref: 005729B9
      • #685.MSVBVM60(?,00000000), ref: 005729DB
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000), ref: 005729E6
      • __vbaFreeObj.MSVBVM60(?,00000000), ref: 005729FE
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Error$#685BoundsFreeGenerate$CheckChkstkHresultOffset
      • String ID:
      • API String ID: 2164376316-0
      • Opcode ID: 302321c7b98702a3de12e6baf7dbc89f2c228475431f20c6871d3f7785fe93c6
      • Instruction ID: bfe31892be0f3dbb59527018b28d4ed0d7290a3c1013604eca6b878df240e312
      • Opcode Fuzzy Hash: 302321c7b98702a3de12e6baf7dbc89f2c228475431f20c6871d3f7785fe93c6
      • Instruction Fuzzy Hash: A15116B4900248EFCB04DFE4DA88BDEBBB5FF48304F248159E506AB2A4D7B49984DB55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0057BC50 Relevance: 19.6, APIs: 13, Instructions: 80COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0057BC6E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0057BCB3
      • __vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,004153F6), ref: 0057BCCC
      • #606.MSVBVM60(?,00000002), ref: 0057BCE8
      • __vbaStrMove.MSVBVM60 ref: 0057BCF3
      • __vbaFreeVar.MSVBVM60 ref: 0057BCFC
      • __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0057BD15
      • __vbaSetSystemError.MSVBVM60(00000000), ref: 0057BD21
      • __vbaStrToUnicode.MSVBVM60(?,?), ref: 0057BD2F
      • __vbaFreeStr.MSVBVM60 ref: 0057BD38
      • #685.MSVBVM60 ref: 0057BD45
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0057BD50
      • __vbaFreeObj.MSVBVM60 ref: 0057BD68
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$ErrorFree$System$#606#685AnsiChkstkMoveUnicode
      • String ID:
      • API String ID: 835289985-0
      • Opcode ID: 5d7094befa4e7dfdb119f15a2aed371512b7be522df3308cb37c0ac9e5e665aa
      • Instruction ID: 0a7568c62d6697e09a249307d399fad5a239b5c35afa308b35880ddd60058037
      • Opcode Fuzzy Hash: 5d7094befa4e7dfdb119f15a2aed371512b7be522df3308cb37c0ac9e5e665aa
      • Instruction Fuzzy Hash: 9631E9B5900248EFDB04DFA4D988BDEBBB8FF48305F108559F516A7260CB789A44CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005B4D80 Relevance: 19.6, APIs: 13, Instructions: 76COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,00581CD8,?,?,?,?,?,004153F6), ref: 005B4D9E
      • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004153F6), ref: 005B4DCB
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004153F6), ref: 005B4DDA
      • #717.MSVBVM60(?,00004008,00000080,00000000), ref: 005B4E03
      • __vbaVar2Vec.MSVBVM60(?,?), ref: 005B4E11
      • __vbaAryMove.MSVBVM60(?,?), ref: 005B4E1F
      • __vbaFreeVar.MSVBVM60 ref: 005B4E28
      • __vbaVarCopy.MSVBVM60 ref: 005B4E48
      • #685.MSVBVM60 ref: 005B4E55
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005B4E60
      • __vbaFreeObj.MSVBVM60 ref: 005B4E78
      • __vbaAryDestruct.MSVBVM60(00000000,?,005B4ECD), ref: 005B4EBD
      • __vbaFreeStr.MSVBVM60 ref: 005B4EC6
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Copy$#685#717ChkstkDestructErrorMoveVar2
      • String ID:
      • API String ID: 1652129996-0
      • Opcode ID: 735fbd104b3c0736181c30b3d5f9193314d3e96397a91d6d72f54a450247c90a
      • Instruction ID: 6adf2825b2f0940c248a01959af38e6f199294733f23483d491ec813ebe321d6
      • Opcode Fuzzy Hash: 735fbd104b3c0736181c30b3d5f9193314d3e96397a91d6d72f54a450247c90a
      • Instruction Fuzzy Hash: A831E5B5800209EFDB00DFD4D988BDEBBB8FB48705F108119E612B72A0DB746A49CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0050AC30 Relevance: 18.1, APIs: 12, Instructions: 87COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 0050AC4E
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 0050AC7B
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,004153F6), ref: 0050AC8A
      • __vbaBoolStr.MSVBVM60(0041AA3C,?,00000000), ref: 0050ACA9
      • #619.MSVBVM60(?,0000400B,00000001), ref: 0050ACD7
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0050ACF3
      • __vbaFreeVar.MSVBVM60 ref: 0050AD00
      • #579.MSVBVM60(?), ref: 0050AD28
      • #685.MSVBVM60(?,00000000), ref: 0050AD56
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000), ref: 0050AD61
      • __vbaFreeObj.MSVBVM60(?,00000000), ref: 0050AD82
      • __vbaFreeStr.MSVBVM60(0050ADB6,?,00000000), ref: 0050ADAF
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#579#619#685BoolChkstkCopyError
      • String ID:
      • API String ID: 3252879415-0
      • Opcode ID: 66fa8373a10e993a292f1a67d88f39b14a41029a383014f6e3438fdffc5484b1
      • Instruction ID: b1867eed8d8ff57e7f59ebf7db4be1cf9e0f07b77a33e395caa6ad417c8f3d56
      • Opcode Fuzzy Hash: 66fa8373a10e993a292f1a67d88f39b14a41029a383014f6e3438fdffc5484b1
      • Instruction Fuzzy Hash: FB41E5B5801308EBDB14DFA4CA48BDDBBB5FF08705F208159E501BB2A0DBB55A48CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0052CE70 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 55COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,00000000,00000000,00000000,004153F6), ref: 0052CE8E
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000000,00000000,00000000,004153F6), ref: 0052CEB3
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,004153F6), ref: 0052CECF
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 0052CEE4
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,004153F6), ref: 0052CEF9
      • __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000,00000000,00000000,004153F6), ref: 0052CF18
      • __vbaStrCopy.MSVBVM60 ref: 0052CF60
      • __vbaStrCopy.MSVBVM60 ref: 0052CF6E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Copy$ChkstkErrorOffset
      • String ID: MyDocuments$Software\Aloaha\pdf
      • API String ID: 2512712719-820968302
      • Opcode ID: fcd7a9b35c2033e91ccb6fe8213276a0a0b199666717b1637a168eac46ce41df
      • Instruction ID: 33eb5356784b921005485d20c2181a025483fcc4bab5ad157b89224eae685781
      • Opcode Fuzzy Hash: fcd7a9b35c2033e91ccb6fe8213276a0a0b199666717b1637a168eac46ce41df
      • Instruction Fuzzy Hash: 3B2129B1901208EFDB00DF94DA49BDEBBB4FF44704F6081A9E50177690D7B81A88CB99
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00574150 Relevance: 16.6, APIs: 11, Instructions: 108COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0057416E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 005741AA
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 005741CB
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424BB8,0000015C), ref: 00574205
      • __vbaFreeObj.MSVBVM60 ref: 0057421A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0057423B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424BB8,0000015C), ref: 00574275
      • __vbaFreeObj.MSVBVM60 ref: 0057428A
      • #685.MSVBVM60 ref: 00574297
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005742A2
      • __vbaFreeObj.MSVBVM60 ref: 005742BA
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresult$#685ChkstkError
      • String ID:
      • API String ID: 3217198854-0
      • Opcode ID: e1e486855385c12c40bb9526b4a462127afa2cb846e600431655d96884858833
      • Instruction ID: 6e230822e3e9f672f6b539f4de4cd5d4d2e89e62df43ae2c2d05252727e22183
      • Opcode Fuzzy Hash: e1e486855385c12c40bb9526b4a462127afa2cb846e600431655d96884858833
      • Instruction Fuzzy Hash: 4941E8B9900208EFCB04DFA4D988BDEBBB8FF48705F208159E505B7261C775A945DFA4
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00511000 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0051101E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 00511043
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0051105C
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 00511085
        • Part of subcall function 00542470: __vbaChkstk.MSVBVM60(00000000,004153F6,00511097,?,?,?,?,004153F6), ref: 0054248E
        • Part of subcall function 00542470: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,00511097), ref: 005424B3
        • Part of subcall function 00542470: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,00511097), ref: 005424CC
        • Part of subcall function 00542470: #685.MSVBVM60(?,?,?,00000000,004153F6,00511097), ref: 005424D9
        • Part of subcall function 00542470: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,004153F6,00511097), ref: 005424E4
        • Part of subcall function 00542470: __vbaFreeObj.MSVBVM60(?,?,?,00000000,004153F6,00511097), ref: 005424FC
        • Part of subcall function 00542470: __vbaLateMemCallLd.MSVBVM60(?,?,info,00000000), ref: 0054252C
        • Part of subcall function 00542470: __vbaVarTstGt.MSVBVM60(?,00000000,?,?,00000000,004153F6,00511097), ref: 0054253A
        • Part of subcall function 00542470: __vbaFreeVar.MSVBVM60(?,?,00000000,004153F6,00511097), ref: 00542547
        • Part of subcall function 00542470: #685.MSVBVM60(?,?,00000000,004153F6,00511097), ref: 00542560
        • Part of subcall function 00542470: __vbaObjSet.MSVBVM60(?,00000000,?,?,00000000,004153F6,00511097), ref: 0054256B
        • Part of subcall function 00542470: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 0054259E
        • Part of subcall function 00542470: __vbaFreeObj.MSVBVM60 ref: 005425C8
        • Part of subcall function 00533ED0: __vbaChkstk.MSVBVM60(00000000,004153F6,005110A3,?,?,?,?,004153F6), ref: 00533EEE
        • Part of subcall function 00533ED0: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,005110A3), ref: 00533F13
        • Part of subcall function 00533ED0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,005110A3), ref: 00533F2F
        • Part of subcall function 00533ED0: __vbaStrCmp.MSVBVM60(true,?,?,?,?,00000000,004153F6,005110A3), ref: 00533F4E
        • Part of subcall function 00533ED0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,005110A3), ref: 00533F74
        • Part of subcall function 00533ED0: __vbaStrCmp.MSVBVM60(true,?,?,?,?,00000000,004153F6,005110A3), ref: 00533F93
        • Part of subcall function 00533ED0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,005110A3), ref: 00533FB9
        • Part of subcall function 00533ED0: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,00000000,004153F6,005110A3), ref: 00533FD8
        • Part of subcall function 00533ED0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004153F6,005110A3), ref: 00533FF1
        • Part of subcall function 00533ED0: #520.MSVBVM60(?,00000008), ref: 00534012
        • Part of subcall function 00533ED0: __vbaStrVarMove.MSVBVM60(?), ref: 0053401C
        • Part of subcall function 00533ED0: __vbaStrMove.MSVBVM60 ref: 00534030
        • Part of subcall function 00533ED0: __vbaFreeStr.MSVBVM60 ref: 00534039
        • Part of subcall function 00533ED0: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 00534049
        • Part of subcall function 00533ED0: #518.MSVBVM60(?,00000008), ref: 00534070
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 005110BA
      • #685.MSVBVM60(?,?,?,?,004153F6), ref: 005110C7
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 005110D2
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 005110EA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Copy$#685ChkstkErrorOffset$Move$#518#520CallCheckHresultLateList
      • String ID: true
      • API String ID: 683495191-4261170317
      • Opcode ID: 52d24905a917c1b015f63241326a19b7b2c5466f1b81393d47199bcfae10edc6
      • Instruction ID: cc97d9531a0e85b58fded8722bb0cbe865f4a239525f024c4fe572e809ad5e25
      • Opcode Fuzzy Hash: 52d24905a917c1b015f63241326a19b7b2c5466f1b81393d47199bcfae10edc6
      • Instruction Fuzzy Hash: 27214CB4D01248EBDB00DFA4CA097DEBBB4FF48705F208059E611B72A1C7791A44CB59
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005BFCD0 Relevance: 15.1, APIs: 10, Instructions: 74COMMON
      Download Yara Rule
      APIs
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000001), ref: 005BFD54
      • __vbaStrCopy.MSVBVM60(?,00000001), ref: 005BFD6E
      • __vbaStrCopy.MSVBVM60(?,00000001), ref: 005BFD76
      • __vbaOnError.MSVBVM60(00000001,?,00000001), ref: 005BFD7A
      • __vbaStrCopy.MSVBVM60(?,00000001), ref: 005BFD88
      • #685.MSVBVM60(?,00000001), ref: 005BFD90
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000001), ref: 005BFD97
      • __vbaFreeObj.MSVBVM60(?,00000001), ref: 005BFDA6
      • __vbaGenerateBoundsError.MSVBVM60(?,00000001), ref: 005BFDE1
      • __vbaStrCmp.MSVBVM60(0041AA3C,00000000,?,00000001), ref: 005BFDF9
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Copy$Error$#685BoundsFreeGenerateOffset
      • String ID:
      • API String ID: 1093577955-0
      • Opcode ID: 89ac929625ddfde17a76e8841f79dc43ebd5c2f80005a58eac31d7f96b2e0e09
      • Instruction ID: d006006494695885abce8e10056e5763713bcd5b6c11ff7fcccf02e5e8df5c43
      • Opcode Fuzzy Hash: 89ac929625ddfde17a76e8841f79dc43ebd5c2f80005a58eac31d7f96b2e0e09
      • Instruction Fuzzy Hash: 1731B0B0D002589BDB10DF9AC984A9EFBF8BF94700F10815AE415A7265C7B05941CFA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005C8860 Relevance: 15.1, APIs: 10, Instructions: 65COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 005C887E
      • __vbaAptOffset.MSVBVM60(00419C98,00000000,00000001,6D1CD8CD,00000000,004153F6), ref: 005C88A3
      • __vbaOnError.MSVBVM60(000000FF), ref: 005C88BC
      • __vbaCastObj.MSVBVM60(00000000,00436680), ref: 005C88F8
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C8908
      • __vbaNew.MSVBVM60(00436690), ref: 005C891A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C892B
      • #685.MSVBVM60 ref: 005C8938
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C8943
      • __vbaFreeObj.MSVBVM60 ref: 005C895B
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685CastChkstkErrorFreeOffset
      • String ID:
      • API String ID: 1883798004-0
      • Opcode ID: 786e1954822b95a2e9ac1cd21b23abf17026d2e0125c8241d4108558ae1f47d0
      • Instruction ID: 33f39573142711d41327247685faa7c046851ae33a7bfcbdcc0bd5d73cb6a037
      • Opcode Fuzzy Hash: 786e1954822b95a2e9ac1cd21b23abf17026d2e0125c8241d4108558ae1f47d0
      • Instruction Fuzzy Hash: 01214FB5900308EFDB14DF98C949BAEBBB8FF48705F108159F501B72A1CBB85944CB99
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0059D180 Relevance: 15.1, APIs: 10, Instructions: 64COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0059D19E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0059D1E5
      • __vbaCastObj.MSVBVM60(00000000,00441118,?,?,?,?,004153F6), ref: 0059D1F9
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 0059D204
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 0059D212
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 0059D21B
      • __vbaCastObj.MSVBVM60(00000000,00436680,?,?,?,?,004153F6), ref: 0059D22F
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 0059D23A
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 0059D248
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 0059D251
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$AddrefCastFree$ChkstkError
      • String ID:
      • API String ID: 4027267587-0
      • Opcode ID: 27431af3fb049133a189fada992927543cfa8cf6a10bc52762a0107d4ad7184c
      • Instruction ID: e5d79457ebe16645ab08caa32d718903ba093f8f220897c8cc8aee4e2ba75e1e
      • Opcode Fuzzy Hash: 27431af3fb049133a189fada992927543cfa8cf6a10bc52762a0107d4ad7184c
      • Instruction Fuzzy Hash: E52121B5540208EFDB04DF94CD49BDEBBB8FB48745F108119F615B72A1C774AA44CBA8
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00591D80 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 110COMMON
      Download Yara Rule
      APIs
      • __vbaVarDup.MSVBVM60 ref: 00591E5B
      • __vbaVarDup.MSVBVM60 ref: 00591E6D
      • #595.MSVBVM60(?,00000030,?,?,?), ref: 00591E81
      • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00591E99
      • __vbaVarDup.MSVBVM60 ref: 00591EEE
      Strings
      • Wrong Cipher Selection, xrefs: 00591E51, 00591EE4
      • Enhanced provider does not support cipher selected., xrefs: 00591E5D
      • Default provider does not support Triple DES ciphers., xrefs: 00591EF0
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#595FreeList
      • String ID: Default provider does not support Triple DES ciphers.$Enhanced provider does not support cipher selected.$Wrong Cipher Selection
      • API String ID: 319278861-3268093948
      • Opcode ID: ceec55b0b2442e0a3ab5ac01e7c1708885e9eff858ad6f768c9f92df9eaac068
      • Instruction ID: c01c0dae4621d6c3a50c8c5ed8d8bd625e831fbc5409f22ac4d1525b24555358
      • Opcode Fuzzy Hash: ceec55b0b2442e0a3ab5ac01e7c1708885e9eff858ad6f768c9f92df9eaac068
      • Instruction Fuzzy Hash: 5E4114B0D0175E9FDF10DF94D680AADBBB5FB48704F60842AE409BB280D7755A0ACF69
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0059D060 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 62COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0059D07E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 0059D0BA
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0059D0D3
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 0059D0EE
      • #685.MSVBVM60 ref: 0059D11B
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0059D126
      • __vbaFreeObj.MSVBVM60 ref: 0059D13E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ChkstkCopyErrorFreeOffset
      • String ID: csp.log
      • API String ID: 1390433616-1673887612
      • Opcode ID: 54795366e6a48dc1f0f3fa69fe3a5f838c7ac76550662ada4a8fae35f8bc0264
      • Instruction ID: 09be458a3c0c60b3cacac5e692c5ef6cf62b3216ae3a3114287ab5276013b089
      • Opcode Fuzzy Hash: 54795366e6a48dc1f0f3fa69fe3a5f838c7ac76550662ada4a8fae35f8bc0264
      • Instruction Fuzzy Hash: D82125B5900208EFCB04DF98C949BDEBBB4FF48354F108159F916AB3A1C779AA44CB95
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005D68C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 59COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 005D68DE
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 005D691A
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 005D6933
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 005D694E
      • #685.MSVBVM60(?,?,?,?,004153F6), ref: 005D696E
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 005D6979
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 005D6991
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ChkstkCopyErrorFreeOffset
      • String ID: csp.log
      • API String ID: 1390433616-1673887612
      • Opcode ID: a61ca46de211282df26732ca0584a0feb63ea515ce2d620f06640d66e3525aa0
      • Instruction ID: 4d41aa9685a9168926b32ae7c9b26abf14e338f53cd84c4733fc30772d4bfe1c
      • Opcode Fuzzy Hash: a61ca46de211282df26732ca0584a0feb63ea515ce2d620f06640d66e3525aa0
      • Instruction Fuzzy Hash: 1F2109B5900248EFCB04DF98C959BDEBBB4FF48704F10815AF915AB3A1C778AA44CB95
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00598E60 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 56COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 00598E7E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 00598EBA
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 00598ED3
      • __vbaStrCopy.MSVBVM60(?,?,?,?,004153F6), ref: 00598EEE
      • #685.MSVBVM60(?,?,?,?,004153F6), ref: 00598EFB
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 00598F06
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 00598F1E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ChkstkCopyErrorFreeOffset
      • String ID: csp.log
      • API String ID: 1390433616-1673887612
      • Opcode ID: ecb31232717ad24bd33dcec5c4271bad709e4e114dbcd58a4e075974a89f6da9
      • Instruction ID: e9b2df76a1e94d4d0435526319900a00993bccc00c2ccdc3edf8b467876bd091
      • Opcode Fuzzy Hash: ecb31232717ad24bd33dcec5c4271bad709e4e114dbcd58a4e075974a89f6da9
      • Instruction Fuzzy Hash: F5213BB5900208EFCB04DF98C949BDEBBB4FF48744F108159F916AB2A1C7789A44CF95
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005D69E0 Relevance: 13.6, APIs: 9, Instructions: 66COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 005D69FE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 005D6A45
      • __vbaCastObj.MSVBVM60(00000000,00436680,?,?,?,?,004153F6), ref: 005D6A59
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 005D6A64
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 005D6A72
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 005D6A7B
      • #685.MSVBVM60 ref: 005D6A98
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005D6AA3
      • __vbaFreeObj.MSVBVM60 ref: 005D6ABB
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685AddrefCastChkstkError
      • String ID:
      • API String ID: 3575696440-0
      • Opcode ID: 328fb365703b018bb0628ac9c146fa38c9c60e6fc9f762861dc15a6548f3dc1b
      • Instruction ID: 2ba49de0979aaee37b028a31cc3e857140acc3aa7ba8998ab57b4d0b05ce1991
      • Opcode Fuzzy Hash: 328fb365703b018bb0628ac9c146fa38c9c60e6fc9f762861dc15a6548f3dc1b
      • Instruction Fuzzy Hash: E021FBB5900208EFDB04DF94C949B9EBBB4FF48745F108559F915AB3A0C7789A44CF94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005CBC30 Relevance: 12.1, APIs: 8, Instructions: 87COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 005CBC4E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 005CBC95
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 005CBCB6
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00424C48,0000005C), ref: 005CBCE7
      • __vbaFreeObj.MSVBVM60 ref: 005CBCFC
      • #685.MSVBVM60 ref: 005CBD1F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CBD2A
      • __vbaFreeObj.MSVBVM60 ref: 005CBD42
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685CheckChkstkErrorHresult
      • String ID:
      • API String ID: 3196891914-0
      • Opcode ID: fb614030a129bc63f91ffc24e5282a7a2d3acd0b6c81f54e4f7c7b92aa64a771
      • Instruction ID: dfb2f31bfc52e6ee91f547ca9884119c3752b1228f1aa4875c18f4f15168fb26
      • Opcode Fuzzy Hash: fb614030a129bc63f91ffc24e5282a7a2d3acd0b6c81f54e4f7c7b92aa64a771
      • Instruction Fuzzy Hash: 24410EB9900208EFDB04DF94C989BDDBBB4FF48310F108559F916AB2A0C775AA45CFA4
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00599A00 Relevance: 10.6, APIs: 7, Instructions: 64COMMON
      Download Yara Rule
      APIs
      • __vbaStrCat.MSVBVM60(?,00423CF8,?,?,?,?,?,?,?,?,?,004153F6), ref: 00599A4E
      • __vbaStrMove.MSVBVM60(?,00423CF8,?,?,?,?,?,?,?,?,?,004153F6), ref: 00599A5B
      • __vbaStrCat.MSVBVM60(00440FF4,00000000,?,00423CF8,?,?,?,?,?,?,?,?,?,004153F6), ref: 00599A63
      • __vbaStrMove.MSVBVM60(?,00423CF8,?,?,?,?,?,?,?,?,?,004153F6), ref: 00599A6A
      • #581.MSVBVM60(00000000,?,00423CF8,?,?,?,?,?,?,?,?,?,004153F6), ref: 00599A6D
      • __vbaCopyBytes.MSVBVM60(00000004,?,?,?,00423CF8,?,?,?,?,?,?,?,?,?,004153F6), ref: 00599A91
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00423CF8,?,?,?,?,?,?,?,?,?,004153F6), ref: 00599AA1
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$#581BytesCopyFreeList
      • String ID:
      • API String ID: 2085924500-0
      • Opcode ID: 400ed14628f6497a578be2cea5ec98917e6352adadf86259d4b828137a51eadd
      • Instruction ID: 386948664c778bc6535879f1f0d82ef71ced08d1a53939d6181ca0c08a4dd8f3
      • Opcode Fuzzy Hash: 400ed14628f6497a578be2cea5ec98917e6352adadf86259d4b828137a51eadd
      • Instruction Fuzzy Hash: 2E211AB1D0020AEFDB00DFA8C945EEEBBB8FB48704F14816AE505F7250E7746A45CBA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005AC070 Relevance: 10.6, APIs: 7, Instructions: 55COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6,?,?,?,?,?,004153F6), ref: 005AC08E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 005AC0B3
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 005AC0CC
      • __vbaRedim.MSVBVM60(00000000,00000038,-001A7EB8,0043ADEC,00000001,00000000,00000000,?,?,?,?,004153F6), ref: 005AC105
      • #685.MSVBVM60 ref: 005AC115
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005AC120
      • __vbaFreeObj.MSVBVM60 ref: 005AC138
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ChkstkErrorFreeOffsetRedim
      • String ID:
      • API String ID: 3151619516-0
      • Opcode ID: 43b9cded58ece012681f167292962919eb927b771a3f4fe15a25e79d978e1de9
      • Instruction ID: 859d679898aba6e100333aa5101c2d446ca0c8529fdd5e6addb127a3e3d73cec
      • Opcode Fuzzy Hash: 43b9cded58ece012681f167292962919eb927b771a3f4fe15a25e79d978e1de9
      • Instruction Fuzzy Hash: A5212CB4940308EFD714DF98CE49B9DBBB8FB48705F208159F611772A1D7B91A04CB99
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00533DF0 Relevance: 10.5, APIs: 7, Instructions: 47COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6,00000000), ref: 00533E0E
      • __vbaAptOffset.MSVBVM60(00419C98,?,00000000,00000000,?,004153F6,00000000), ref: 00533E33
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,004153F6,00000000), ref: 00533E4C
      • __vbaSetSystemError.MSVBVM60(00000064,?,00000000,00000000,?,004153F6,00000000), ref: 00533E60
      • #685.MSVBVM60(?,00000000,00000000,?,004153F6,00000000), ref: 00533E80
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000,00000000,?,004153F6,00000000), ref: 00533E8B
      • __vbaFreeObj.MSVBVM60(?,00000000,00000000,?,004153F6,00000000), ref: 00533EA3
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Error$#685ChkstkFreeOffsetSystem
      • String ID:
      • API String ID: 2653108579-0
      • Opcode ID: ce16d9f57d7f10d494dc4db2d14858b38e9e3a9a769f5765db06f3876fdc0d46
      • Instruction ID: 8c8c0c8d886768391bbd97360b19f3d535e45ef912802d18adf399641224a9eb
      • Opcode Fuzzy Hash: ce16d9f57d7f10d494dc4db2d14858b38e9e3a9a769f5765db06f3876fdc0d46
      • Instruction Fuzzy Hash: 6A110AB4800248EFDB14EF94CA49BDEBBB8FF08704F104159F511B72A1D7B95A44CB66
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00598A50 Relevance: 9.3, APIs: 6, Instructions: 324COMMON
      Download Yara Rule
      APIs
      • __vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004153F6), ref: 00598B29
      • __vbaErrorOverflow.MSVBVM60 ref: 00598C0C
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: ErrorOverflow__vba
      • String ID:
      • API String ID: 2582359951-0
      • Opcode ID: 5da390005a92316317e9845698df35ffa2e30d9eb3196fdb580913ba12761b6d
      • Instruction ID: 440eff6fa9d722d5d4cfa030a0a810b0dcccb51e545e5dd488249dd71dd3a399
      • Opcode Fuzzy Hash: 5da390005a92316317e9845698df35ffa2e30d9eb3196fdb580913ba12761b6d
      • Instruction Fuzzy Hash: B9A1E076A046068BC704CF28DC847AABBE5FFDA710F188A7DE485D73A4D734D8188B52
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005CCC30 Relevance: 9.1, APIs: 6, Instructions: 67COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 005CCC4E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 005CCC95
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00443994,00000700), ref: 005CCCCC
      • #685.MSVBVM60 ref: 005CCCE5
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CCCF0
      • __vbaFreeObj.MSVBVM60 ref: 005CCD08
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685CheckChkstkErrorFreeHresult
      • String ID:
      • API String ID: 686449242-0
      • Opcode ID: d9f63d01a416ea30d29ab0cf0ef0efb3f05114999b037871b286d2fab97351af
      • Instruction ID: 1e9f1778bbe06acfaf5e7320c7b1282d0e227bd720c78b6d7833d38cfe15e406
      • Opcode Fuzzy Hash: d9f63d01a416ea30d29ab0cf0ef0efb3f05114999b037871b286d2fab97351af
      • Instruction Fuzzy Hash: D031E8B5900608EFCB14DF94C949BDDBFB4FF48314F208259F91AAB290C778AA45CB94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005CCD50 Relevance: 9.1, APIs: 6, Instructions: 67COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 005CCD6E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 005CCDB5
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00443994,00000700), ref: 005CCDEC
      • #685.MSVBVM60 ref: 005CCE05
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CCE10
      • __vbaFreeObj.MSVBVM60 ref: 005CCE28
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685CheckChkstkErrorFreeHresult
      • String ID:
      • API String ID: 686449242-0
      • Opcode ID: 3b9a92715b8889a940d4f109f3312eb180f0d4cc688f51bafac402e4a475ce9e
      • Instruction ID: ec93b7f387220b8f00084ea8c10223dd695180d4709071e31db992924ee0d59d
      • Opcode Fuzzy Hash: 3b9a92715b8889a940d4f109f3312eb180f0d4cc688f51bafac402e4a475ce9e
      • Instruction Fuzzy Hash: 0B31FCB5900609EFCB10DF98C949BDDBFB4FF48314F208159F915AB290C774AA40CB94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005CBA10 Relevance: 9.1, APIs: 6, Instructions: 60COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 005CBA2E
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6), ref: 005CBA6A
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 005CBA83
      • #685.MSVBVM60 ref: 005CBAB6
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CBAC1
      • __vbaFreeObj.MSVBVM60 ref: 005CBAD9
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ChkstkErrorFreeOffset
      • String ID:
      • API String ID: 1226335803-0
      • Opcode ID: 26d3bf4b063d37ffe12ee30c902f5ac6cad65ded0c05de0bb38b0ab6d025b93f
      • Instruction ID: 977105d9dcfc95a2c2e81dca1d5af0c79b1a8b6aa40c2040300592dc4ca6fcc7
      • Opcode Fuzzy Hash: 26d3bf4b063d37ffe12ee30c902f5ac6cad65ded0c05de0bb38b0ab6d025b93f
      • Instruction Fuzzy Hash: 8D2107B4900208EFCB04DF98C949BDEBBB4FB48314F108259E915AB2A1C7B4AA40CF94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005250D0 Relevance: 9.1, APIs: 6, Instructions: 55COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 005250EE
      • __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6), ref: 00525113
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6), ref: 0052512C
      • #685.MSVBVM60 ref: 00525181
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0052518C
      • __vbaFreeObj.MSVBVM60 ref: 005251A4
        • Part of subcall function 005251D0: __vbaChkstk.MSVBVM60(?,004153F6,0052515E), ref: 005251EE
        • Part of subcall function 005251D0: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,?,004153F6,0052515E), ref: 00525213
        • Part of subcall function 005251D0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6,0052515E), ref: 0052522F
        • Part of subcall function 005251D0: __vbaSetSystemError.MSVBVM60(00000094), ref: 00525284
        • Part of subcall function 005251D0: #685.MSVBVM60 ref: 00525291
        • Part of subcall function 005251D0: __vbaObjSet.MSVBVM60(?,00000000), ref: 0052529F
        • Part of subcall function 005251D0: __vbaFreeObj.MSVBVM60 ref: 005252C3
        • Part of subcall function 005251D0: #685.MSVBVM60 ref: 005252E4
        • Part of subcall function 005251D0: __vbaObjSet.MSVBVM60(?,00000000), ref: 005252F2
        • Part of subcall function 005251D0: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C600,0000001C), ref: 0052533D
        • Part of subcall function 005251D0: __vbaFreeObj.MSVBVM60 ref: 00525370
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ErrorFree$ChkstkOffset$CheckHresultSystem
      • String ID:
      • API String ID: 2868862224-0
      • Opcode ID: 0e2dc2715e3650cb454ae565b37ca9a343ac8757ad245fd4f628544e99f09d0d
      • Instruction ID: f3a710205f3a6f28d56abce1a24b06af5929cf8fbda52c88c3d0fe28209091a5
      • Opcode Fuzzy Hash: 0e2dc2715e3650cb454ae565b37ca9a343ac8757ad245fd4f628544e99f09d0d
      • Instruction Fuzzy Hash: B22102B9801609DFCB04DF98CA48BDEBBB4FF49304F208159E545B72A1D7B82A05CBA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 004FD030 Relevance: 9.1, APIs: 6, Instructions: 54COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 004FD04E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 004FD095
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 004FD0AB
      • #685.MSVBVM60(?,?,?,?,004153F6), ref: 004FD0B8
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 004FD0C3
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 004FD0DB
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685AddrefChkstkErrorFree
      • String ID:
      • API String ID: 1923674218-0
      • Opcode ID: 76bfd666f02bfcc01b3897ddbb937b212bba31223ae9f1259dbb0680889dbbfa
      • Instruction ID: b68ca503ebc601e627a71f0f05d1970a1378ebebca4279ecfa7400c96d83b11e
      • Opcode Fuzzy Hash: 76bfd666f02bfcc01b3897ddbb937b212bba31223ae9f1259dbb0680889dbbfa
      • Instruction Fuzzy Hash: 4B210075900608EFCB04DF94C949B9EBBB4FF48704F108159F915AB3A1C7789A44CF95
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00560E30 Relevance: 9.1, APIs: 6, Instructions: 52COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 00560E4E
      • __vbaOnError.MSVBVM60(000000FF,6D1F285F,6D2C1D9E,6D1F17CC,00000000,004153F6), ref: 00560E7E
      • __vbaUI1I2.MSVBVM60 ref: 00560E90
      • #685.MSVBVM60(?,00000000,?,?), ref: 00560EC1
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00560ECC
      • __vbaFreeObj.MSVBVM60 ref: 00560EE4
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ChkstkErrorFree
      • String ID:
      • API String ID: 3748628540-0
      • Opcode ID: 7f768d01cf92046814794927425169755d1ddeabc7bcf834dbac7fb8ba4a16c2
      • Instruction ID: 378405a49ef65d93bdbc5eb5e68b1f409e923471d382beb5c488009601d62589
      • Opcode Fuzzy Hash: 7f768d01cf92046814794927425169755d1ddeabc7bcf834dbac7fb8ba4a16c2
      • Instruction Fuzzy Hash: DB112EB5900208EFDB00DFD4C949BDEBBB8FF48714F108559E511B7291C7799A44CBA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005935F0 Relevance: 7.6, APIs: 5, Instructions: 56COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0059360E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0059364A
      • #685.MSVBVM60 ref: 0059369A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005936A5
      • __vbaFreeObj.MSVBVM60 ref: 005936BD
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ChkstkErrorFree
      • String ID:
      • API String ID: 3748628540-0
      • Opcode ID: c6b1568ece218b9f0b2450871ab7c6eb6eecefbf232e8fef94d8a94aee5187ff
      • Instruction ID: adbc545097ccd95b4db2afd47bb416d124f7563552aa9e6f3ff41a935c650c96
      • Opcode Fuzzy Hash: c6b1568ece218b9f0b2450871ab7c6eb6eecefbf232e8fef94d8a94aee5187ff
      • Instruction Fuzzy Hash: 1B2107B4900208EFDB00DF94C948BDEBBB4FF48718F208159E9156B3A1D7B99A44DB95
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00583D20 Relevance: 7.6, APIs: 5, Instructions: 54COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 00583D3E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 00583D85
      • #685.MSVBVM60(?,?,?,?,004153F6), ref: 00583DA5
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 00583DB0
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 00583DC8
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ChkstkErrorFree
      • String ID:
      • API String ID: 3748628540-0
      • Opcode ID: 51ac65fbb5fc21f44388ea6c2071931404d7bfe5f80eaeb18ed8936adc14e537
      • Instruction ID: dfb531f0edb9ec332eba09c35f9db25097dc788b5b924ea6f90973b14c282d87
      • Opcode Fuzzy Hash: 51ac65fbb5fc21f44388ea6c2071931404d7bfe5f80eaeb18ed8936adc14e537
      • Instruction Fuzzy Hash: B4211D75900208EFCB04DF94C949B9EBBB4FF48744F108159F915AB3A0C775AA44CF94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005841A0 Relevance: 7.6, APIs: 5, Instructions: 54COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 005841BE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 00584205
      • #685.MSVBVM60(?,?,?,?,004153F6), ref: 00584225
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 00584230
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 00584248
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ChkstkErrorFree
      • String ID:
      • API String ID: 3748628540-0
      • Opcode ID: 4d526746f768f853fc2fd60d0881d9a4605e11c6e9132ce1778e0bf881b5e11a
      • Instruction ID: d885deddf465d875ec815b81440da13374234be3ae2fb497f5f2162ef2a67a29
      • Opcode Fuzzy Hash: 4d526746f768f853fc2fd60d0881d9a4605e11c6e9132ce1778e0bf881b5e11a
      • Instruction Fuzzy Hash: 5D211DB5900209EFCB04DF94C989B9EBBB4FF48304F108559F916AB3A0C774AA40CF94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005934F0 Relevance: 7.6, APIs: 5, Instructions: 53COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0059350E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0059354A
      • #685.MSVBVM60 ref: 0059358A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00593595
      • __vbaFreeObj.MSVBVM60 ref: 005935AD
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ChkstkErrorFree
      • String ID:
      • API String ID: 3748628540-0
      • Opcode ID: d751bcd96218f281d4f48ad6f3b0f642383ae953ec4de0d34d5c247699b7b707
      • Instruction ID: 1dbd9e7b12b1e8267e093d27c49c5d34333d92bf4a0fe0757643bca5816f55d7
      • Opcode Fuzzy Hash: d751bcd96218f281d4f48ad6f3b0f642383ae953ec4de0d34d5c247699b7b707
      • Instruction Fuzzy Hash: 8D2129B4900208EFDB04DF94C949BDEBBB4FF08704F108159E915AB3A1D7B9AA44CF95
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005CA5A0 Relevance: 7.5, APIs: 5, Instructions: 47COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 005CA5BE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 005CA5FA
      • #685.MSVBVM60(?,?,?,?,004153F6), ref: 005CA61B
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004153F6), ref: 005CA626
      • __vbaFreeObj.MSVBVM60(?,?,?,?,004153F6), ref: 005CA63E
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ChkstkErrorFree
      • String ID:
      • API String ID: 3748628540-0
      • Opcode ID: 84d786512157b98023aa217d14f6aa1f1b843153ea94e1a0712bfcdfc5a97fa7
      • Instruction ID: 683ac0e246b5127d708fd98125bb9203b32b18b2790d155a455281e8ecd0d4c4
      • Opcode Fuzzy Hash: 84d786512157b98023aa217d14f6aa1f1b843153ea94e1a0712bfcdfc5a97fa7
      • Instruction Fuzzy Hash: 0C110AB9900208EFDB00DFA4C949BDEBBB8FF48704F108159F915A73A1C779AA44CB95
      Uniqueness

      Uniqueness Score: -1.00%

      Function 004F3C30 Relevance: 7.5, APIs: 5, Instructions: 44COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 004F3C4E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 004F3C8A
      • #685.MSVBVM60 ref: 004F3CA5
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004F3CB0
      • __vbaFreeObj.MSVBVM60 ref: 004F3CC8
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ChkstkErrorFree
      • String ID:
      • API String ID: 3748628540-0
      • Opcode ID: 868a6df110070340e46bb4ddc215350d3c66cea189c44894a141e2944243e313
      • Instruction ID: 1f4c5fed08111489fd9017a2340742c865e9b65da70734b6d588c35e23506aba
      • Opcode Fuzzy Hash: 868a6df110070340e46bb4ddc215350d3c66cea189c44894a141e2944243e313
      • Instruction Fuzzy Hash: BC113CB5900208EFCB00DF94C949BDEBBB8FF48704F50815AE511B72A1C7B96A45CFA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005819B0 Relevance: 7.5, APIs: 5, Instructions: 44COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 005819CE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 00581A0A
      • #685.MSVBVM60 ref: 00581A25
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00581A30
      • __vbaFreeObj.MSVBVM60 ref: 00581A48
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ChkstkErrorFree
      • String ID:
      • API String ID: 3748628540-0
      • Opcode ID: 2421a7c1e39bf91bd95c6ad81e81d4c6eb7d4d9eb41188f62fed8ab388f4a2c5
      • Instruction ID: 498671d465e5650ee5a712de7ec76a31e0511dd9dcaff5e2402088d1365d0656
      • Opcode Fuzzy Hash: 2421a7c1e39bf91bd95c6ad81e81d4c6eb7d4d9eb41188f62fed8ab388f4a2c5
      • Instruction Fuzzy Hash: EE112AB5900208EFCB00DF94C949BDEBBB8FB48704F108159E901A7291C7B99A45CBA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0057BA00 Relevance: 7.5, APIs: 5, Instructions: 44COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6), ref: 0057BA1E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004153F6), ref: 0057BA5A
      • #685.MSVBVM60 ref: 0057BA75
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0057BA80
      • __vbaFreeObj.MSVBVM60 ref: 0057BA98
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ChkstkErrorFree
      • String ID:
      • API String ID: 3748628540-0
      • Opcode ID: 741b98950d27ef209daa942b9b0810158ec8a5e4fbdcf182c3a7307c7e1baec1
      • Instruction ID: f5a778e8b73b34d8f7e1a6cc0af7dd1bbb15ce266cd7e295b00e91ff97dbefec
      • Opcode Fuzzy Hash: 741b98950d27ef209daa942b9b0810158ec8a5e4fbdcf182c3a7307c7e1baec1
      • Instruction Fuzzy Hash: F5110CB5900208EFDB00DF94C949BDEBFB8FF48704F108159E511A7291C7B95A45DBA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005A98E0 Relevance: 7.5, APIs: 5, Instructions: 42COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,004153F6,?,?,?,?,005A40E3,?), ref: 005A98FE
      • __vbaOnError.MSVBVM60(000000FF,00000000,00000000,6D1CD8B1,?,004153F6), ref: 005A992E
        • Part of subcall function 005403C0: __vbaChkstk.MSVBVM60(00000000,004153F6), ref: 005403DE
        • Part of subcall function 005403C0: __vbaAptOffset.MSVBVM60(00419C98,?,00000000,?,00000000,004153F6), ref: 00540403
        • Part of subcall function 005403C0: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004153F6), ref: 0054041C
        • Part of subcall function 005403C0: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004153F6), ref: 0054042B
        • Part of subcall function 005403C0: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,00000000), ref: 00540457
        • Part of subcall function 005403C0: #518.MSVBVM60(?,00004008), ref: 00540498
        • Part of subcall function 005403C0: __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 005404D0
        • Part of subcall function 005403C0: __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 005404DE
        • Part of subcall function 005403C0: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005404F5
        • Part of subcall function 005403C0: #685.MSVBVM60(?,00000000), ref: 0054053C
        • Part of subcall function 005403C0: __vbaObjSet.MSVBVM60(?,00000000,?,00000000), ref: 00540547
      • #685.MSVBVM60 ref: 005A994D
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005A9958
      • __vbaFreeObj.MSVBVM60 ref: 005A9970
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ChkstkErrorFree$#518CopyListOffset
      • String ID:
      • API String ID: 3835623037-0
      • Opcode ID: 744f527bcf5a4b9e60450770bf68b180795926141fc89a8d0ae858a0e0a42a8c
      • Instruction ID: 20b7cc7afde60a0ab73d20c3fd7acdf46011c3206b4f63de23b75395e90b1348
      • Opcode Fuzzy Hash: 744f527bcf5a4b9e60450770bf68b180795926141fc89a8d0ae858a0e0a42a8c
      • Instruction Fuzzy Hash: 1E111BB5900208EFDB00DF98C949BDEBBB4FB48704F108559F511A72A1C7B95A44DBA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00548840 Relevance: 7.5, APIs: 5, Instructions: 40COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,004153F6,?,?,?,?,?,004153F6), ref: 0054885E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6), ref: 0054888E
        • Part of subcall function 00548700: __vbaChkstk.MSVBVM60(00000000,004153F6,005488A0,?,?,?,00000000,004153F6), ref: 0054871E
        • Part of subcall function 00548700: __vbaAptOffset.MSVBVM60(00419C98,?,?,?,00000000,004153F6,005488A0), ref: 00548743
        • Part of subcall function 00548700: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004153F6,005488A0), ref: 0054875C
        • Part of subcall function 00548700: __vbaStrCmp.MSVBVM60(0041AA3C,?,?,?,?,00000000,004153F6,005488A0), ref: 00548778
        • Part of subcall function 00548700: __vbaI4Str.MSVBVM60(?,?,?,?,00000000,004153F6,005488A0), ref: 00548793
        • Part of subcall function 00548700: #685.MSVBVM60(?,?,?,00000000,004153F6,005488A0), ref: 005487E2
        • Part of subcall function 00548700: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,004153F6,005488A0), ref: 005487ED
        • Part of subcall function 00548700: __vbaFreeObj.MSVBVM60(?,?,?,00000000,004153F6,005488A0), ref: 00548805
      • #685.MSVBVM60(?,?,?,00000000,004153F6), ref: 005488AA
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,004153F6), ref: 005488B5
      • __vbaFreeObj.MSVBVM60(?,?,?,00000000,004153F6), ref: 005488CD
      Memory Dump Source
      • Source File: 00000000.00000002.2147374377.00000000004EB000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2147350782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2147374377.00000000004A7000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148271138.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2148293339.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ChkstkErrorFree$Offset
      • String ID:
      • API String ID: 2978987124-0
      • Opcode ID: 85e0b89936822cdbad7d969a99f7464b6c8948912cd25f1a8a012751262b0e1f
      • Instruction ID: 3b23b04aeffe3e1f4915c58774b09180a94da7933d4c82f72e58c24dfa9448bf
      • Opcode Fuzzy Hash: 85e0b89936822cdbad7d969a99f7464b6c8948912cd25f1a8a012751262b0e1f
      • Instruction Fuzzy Hash: 8E01E9B5800209EFDB00EFA8C949BDEBBB8FB48718F50415AE511B7291C7785A45CBA5
      Uniqueness

      Uniqueness Score: -1.00%