Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe

Overview

General Information

Sample name:SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe
Analysis ID:1431447
MD5:64a34c1da55f5ca2fe610703986fded7
SHA1:5d4ea6d1563ad3e43ad689162f1abdd76f6e35db
SHA256:2df9436f1b6d32141309c78a4401c1c8cb6c6de8d23ff28873fb6a5a12bfaf1d
Tags:exe
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Contain functionality to detect virtual machines
Dynamically executes visual basic script code
Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations
AV process strings found (often used to terminate AV products)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations
Source: Registry Key setAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Details: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe, ProcessId: 936, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38C0BD58-DB01-4975-AA5D-0C4127BA83C1}\LocalServer32\(Default)

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeString found in binary or memory: http://aia.startssl.com/certs/sub.class2.code.ca.crt0#
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeString found in binary or memory: http://blog.aloaha.com
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeString found in binary or memory: http://crl.startssl.com/crtc2-crl.crl0
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeString found in binary or memory: http://crl.startssl.com/sfsca.crl0
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeString found in binary or memory: http://ocsp.startssl.com/sub/class2/code/ca0
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeString found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeString found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeString found in binary or memory: http://www.aloaha.com/wi-software-en/uprade-your-aloaha-pdf-suite.php
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeString found in binary or memory: http://www.startssl.com/0
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeString found in binary or memory: http://www.startssl.com/intermediate.pdf0
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeString found in binary or memory: http://www.startssl.com/policy.pdf0
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeString found in binary or memory: http://www.startssl.com/policy.pdf04
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeString found in binary or memory: http://www.startssl.com/sfsca.crl0
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeString found in binary or memory: http://www.startssl.com/sfsca.crt0

System Summary

barindex
Dynamically executes visual basic script code
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_005FA560 __vbaChkstk,__vbaStrCopy,__vbaOnError,__vbaVarCopy,__vbaStrCopy,#520,__vbaVarTstNe,__vbaFreeVar,#685,__vbaObjSet,__vbaFreeObj,#716,__vbaObjVar,__vbaObjSetAddref,__vbaFreeVar,#685,__vbaObjSet,__vbaHresultCheckObj,__vbaFreeObj,#685,__vbaObjSet,__vbaFreeObj,#716,__vbaObjVar,__vbaObjSetAddref,__vbaFreeVar,#685,__vbaObjSet,__vbaHresultCheckObj,__vbaFreeObj,#685,__vbaObjSet,__vbaFreeObj,__vbaChkstk,__vbaLateMemSt,#685,__vbaObjSet,__vbaHresultCheckObj,__vbaFreeObj,__vbaChkstk,__vbaLateMemSt,__vbaFreeVar,#685,__vbaObjSet,__vbaHresultCheckObj,__vbaFreeObj,#518,#518,#518,__vbaInStrVar,__vbaVarCmpEq,__vbaInStrVar,__vbaVarCmpEq,__vbaVarAnd,__vbaInStrVar,__vbaVarCmpEq,__vbaVarAnd,__vbaBoolVarNull,__vbaFreeVarList,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaFreeStrList,__vbaChkstk,__vbaLateMemCall,#685,__vbaObjSet,__vbaHresultCheckObj,__vbaFreeObj,#518,__vbaInStrVar,__vbaVarTstGt,__vbaFreeVarList,__vbaChkstk,__vbaLateMemCallLd,__vbaStrErrVarCopy,__vbaVarMove,__vbaFreeVar,__vbaChkstk,__vbaLateMemCallLd,__vbaStrErrVarCopy,__vbaVarMove,__vbaFreeVar,#685,__vbaObjSet,__vbaHresultCheckObj,__vbaFreeObj,__vbaStrErrVarCopy,#520,__vbaVarTstEq,__vbaFreeVarList,#685,__vbaObjSet,__vbaHresultCheckObj,__vbaStrCat,__vbaStrMove,__vbaVarCopy,__vbaFreeStrList,__vbaFreeObj,__vbaVarTstEq,__vbaVarCopy,#685,__vbaObjSet,__vbaFreeObj,__vbaFreeObj,__vbaFreeStr,__vbaFreeStr,0_2_005FA560
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_006558400_2_00655840
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_006690200_2_00669020
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_0060D8D00_2_0060D8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_004080B80_2_004080B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_005289500_2_00528950
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_0055C9400_2_0055C940
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_005939300_2_00593930
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_005599B00_2_005599B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_006521800_2_00652180
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_0056EAE00_2_0056EAE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_005812B00_2_005812B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_0063FB400_2_0063FB40
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_005E5BA00_2_005E5BA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_0066B4500_2_0066B450
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_00677DE00_2_00677DE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_00556DF00_2_00556DF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_0053C5800_2_0053C580
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_00586E900_2_00586E90
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: String function: 0056B880 appears 43 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: String function: 00423E80 appears 54 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: String function: 005ED250 appears 99 times
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeStatic PE information: invalid certificate
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeStatic PE information: Resource name: _IID_PROVIDER type: a.out VAX demand paged (first page unmapped) pure executable not stripped
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe, 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameAloahaCredentials.exe, vs SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeBinary or memory string: OriginalFilenameAloahaCredentials.exe, vs SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engineClassification label: mal52.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeMutant created: NULL
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeSection loaded: msvbvm60.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeSection loaded: vb6zz.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeSection loaded: sxs.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002E005-0000-0000-C000-000000000046}\InprocServer32Jump to behavior
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeStatic file information: File size 2931336 > 1048576
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x2b2000
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_0040A4F8 push ebp; retn 0058h0_2_0040A4F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_00408C9E push 0C0057CFh; iretd 0_2_0040910D
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_004064A0 push ebx; retf 0055h0_2_004064A1
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_00407CA8 push ebx; retn 0056h0_2_00407CA9
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_00407CAC push ebx; retn 0056h0_2_00407CAD
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_00407CB0 push ebx; retn 0056h0_2_00407CB1
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: 0_2_00404DC8 push edi; retf 0_2_00404DC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Contain functionality to detect virtual machines
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeCode function: __vmware_user__ _vmware_user_ vmware_user __vmware_user__ 0_2_0066B450
Source: C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeAPI coverage: 0.0 %
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeBinary or memory string: __vmware_user__
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeBinary or memory string: vmware_user
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeBinary or memory string: _vmware_user_
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exeBinary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe, SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe, 00000000.00000000.2090919593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe, 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpBinary or memory string: ClamTray.exe
Source: SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe, SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe, 00000000.00000000.2090919593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe, 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpBinary or memory string: ClamWin.exe

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information1
Scripting		Valid AccountsWindows Management Instrumentation1
Scripting		1
Process Injection		1
Virtualization/Sandbox Evasion		OS Credential Dumping111
Security Software Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading		1
DLL Side-Loading		1
Process Injection		LSASS Memory1
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Deobfuscate/Decode Files or Information		Security Account Manager1
Process Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDS1
System Information Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
Obfuscated Files or Information		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe2%ReversingLabs
SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe1%VirustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://ocsp.thawte.com00%URL Reputationsafe
http://www.startssl.com/sfsca.crl00%Avira URL Cloudsafe
http://www.startssl.com/policy.pdf040%Avira URL Cloudsafe
http://ocsp.startssl.com/sub/class2/code/ca00%Avira URL Cloudsafe
http://aia.startssl.com/certs/sub.class2.code.ca.crt0#0%Avira URL Cloudsafe
http://www.startssl.com/sfsca.crt00%Avira URL Cloudsafe
http://crl.startssl.com/sfsca.crl00%Avira URL Cloudsafe
http://blog.aloaha.com0%Avira URL Cloudsafe
http://www.startssl.com/policy.pdf00%Avira URL Cloudsafe
http://www.startssl.com/sfsca.crl00%VirustotalBrowse
http://www.startssl.com/intermediate.pdf00%Avira URL Cloudsafe
http://ocsp.startssl.com/sub/class2/code/ca00%VirustotalBrowse
http://www.startssl.com/policy.pdf040%VirustotalBrowse
http://www.startssl.com/sfsca.crt00%VirustotalBrowse
http://aia.startssl.com/certs/sub.class2.code.ca.crt0#0%VirustotalBrowse
http://www.startssl.com/intermediate.pdf00%VirustotalBrowse
http://blog.aloaha.com0%VirustotalBrowse
http://www.startssl.com/00%Avira URL Cloudsafe
http://www.startssl.com/00%VirustotalBrowse
http://crl.startssl.com/sfsca.crl00%VirustotalBrowse
http://crl.startssl.com/crtc2-crl.crl00%Avira URL Cloudsafe
http://www.aloaha.com/wi-software-en/uprade-your-aloaha-pdf-suite.php0%Avira URL Cloudsafe
http://www.startssl.com/policy.pdf00%VirustotalBrowse
http://crl.startssl.com/crtc2-crl.crl00%VirustotalBrowse
http://www.aloaha.com/wi-software-en/uprade-your-aloaha-pdf-suite.php0%VirustotalBrowse

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://www.startssl.com/sfsca.crt0SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exefalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://ocsp.startssl.com/sub/class2/code/ca0SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exefalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://aia.startssl.com/certs/sub.class2.code.ca.crt0#SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exefalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exefalse
    		high
    http://www.startssl.com/sfsca.crl0SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exefalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown
    http://www.startssl.com/policy.pdf04SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exefalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown
    http://blog.aloaha.comSecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exefalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown
    http://ocsp.thawte.com0SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exefalse
    • URL Reputation: safe
    		unknown
    http://crl.startssl.com/sfsca.crl0SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exefalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown
    http://www.startssl.com/policy.pdf0SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exefalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown
    http://www.startssl.com/intermediate.pdf0SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exefalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown
    http://www.startssl.com/0SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exefalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown
    http://crl.startssl.com/crtc2-crl.crl0SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exefalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown
    http://www.aloaha.com/wi-software-en/uprade-your-aloaha-pdf-suite.phpSecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exefalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown

    World Map of Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1431447
    Start date and time:2024-04-25 05:32:58 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 3m 16s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:2
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe
    Detection:MAL
    Classification:mal52.evad.winEXE@1/0@0/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 1
    • Number of non-executed functions: 112
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Stop behavior analysis, all processes terminated

    Warnings

    • Exclude process from analysis (whitelisted): dllhost.exe
    • Excluded domains from analysis (whitelisted): client.wns.windows.com
    • Report size exceeded maximum capacity and may have missing disassembly code.

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASNs

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.115553145001247
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe
    File size:2'931'336 bytes
    MD5:64a34c1da55f5ca2fe610703986fded7
    SHA1:5d4ea6d1563ad3e43ad689162f1abdd76f6e35db
    SHA256:2df9436f1b6d32141309c78a4401c1c8cb6c6de8d23ff28873fb6a5a12bfaf1d
    SHA512:6996019f49e1cb7061fe2511655734d3f7be117921c3228f721141a2866ad55addcff1cf1e3481f760dab2f11974a349cbe311b860143f1f69d8c240a9fdeac2
    SSDEEP:49152:PZ+ps0w8MpFatQEa+RnopCrSVJa0/tSqZfGnY1JClurdBEYlY2QaH:PTh8MBEopCrSVJa0/tSqZfGnY1JjrdB9
    TLSH:46D5C722E680914FE672C9F0B5B4D56669173E321698A44BB3C12E4F31727D7F8A432F
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........B............4.......................Rich............PE..L...w:.R................. +.........(E.......0+...@................

    File Icon

    Icon Hash:8e96868e8e8eccce

    Static PE Info

    General

    Entrypoint:0x424528
    Entrypoint Section:.text
    Digitally signed:true
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    DLL Characteristics:
    Time Stamp:0x52B33A77 [Thu Dec 19 18:27:03 2013 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:b81fdd9aec1d97fa8034605b33095794

    Authenticode Signature

    Signature Valid:false
    Signature Issuer:CN=StartCom Class 2 Primary Intermediate Object CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
    Signature Validation Error:A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
    Error Number:-2146762495
    Not Before, Not After
    • 05/04/2013 12:42:01 05/04/2015 18:32:50
    Subject Chain
    • E=info@wrocklage.de, CN=Wrocklage Intermedia GmbH, O=Wrocklage Intermedia GmbH, L=Ibbenbueren, S=Nordrhein-Westfalen, C=DE, Description=0xC3J0qHPGjDilu1
    Version:3
    Thumbprint MD5:3BBC60BE8DFEB5640F06CE2A6A3241D7
    Thumbprint SHA-1:5A117187BD5C360764F66E37C47958D94EA295FF
    Thumbprint SHA-256:B345BF99D3037AEF50BFB1FD74AE3B74688943C424BACF1CBCAFED83EA455CBD
    Serial:095B

    Entrypoint Preview

    Instruction
    push 004251ACh
    call 00007FDC491291F5h
    add byte ptr [eax], al
    push eax
    add byte ptr [eax], al
    add byte ptr [eax], dh
    add byte ptr [eax], al
    add byte ptr [eax+00h], cl
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    or al, 86h
    xor dword ptr [edi+48FAEAEAh], esp
    mov eax, 8A372E4Dh
    adc eax, 00005B6Fh
    add byte ptr [eax], al
    add byte ptr [eax], al
    add eax, dword ptr [eax]
    adc al, byte ptr [eax]
    inc ecx
    add byte ptr [esi+41018250h], al
    insb
    outsd
    popad
    push 65724361h
    outsb
    je 00007FDC4912926Bh
    popad
    insb
    jnc 00007FDC49129202h
    add byte ptr [eax], al
    add bl, ah
    or dword ptr [ebx], eax
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    mov eax, 98000001h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [edx], al
    add byte ptr [eax], al
    add byte ptr [ecx], dh
    add byte ptr [eax], al
    add byte ptr [eax-43h], bl
    sar byte ptr [eax], 00000001h

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x2b12340x28.text
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x2ba0000x15933.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x2ca0000x1a88.rsrc
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2280x20
    IMAGE_DIRECTORY_ENTRY_IAT0x10000x474.text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x2b13f40x2b2000e0294e6b3b10b3c99a1f051a9c256e44unknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .data0x2b30000x60cc0x1000620f0b67a91f7f74151bc5be745b7110False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc0x2ba0000x159330x160006f9518a01e42cae9dd0a2dcf062f1278False0.6529651988636364data6.6252864373119555IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    NameRVASizeTypeLanguageCountryZLIB Complexity
    TYPELIB0x2ca0cf0x5864data0.389649991161393
    _IID_CRYPTOAPI0x2c9f430x64data1.11
    _IID_HASH0x2c9f2f0x14data1.45
    _IID_PROVIDER0x2c9fbb0x114a.out VAX demand paged (first page unmapped) pure executable not stripped1.039855072463768
    _IID_SAVERCLASS0x2c9fa70x14data1.45
    RT_ICON0x2c9c470x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 00.532258064516129
    RT_ICON0x2c9b1f0x128Device independent bitmap graphic, 16 x 32 x 4, image size 00.5878378378378378
    RT_ICON0x2c7e770x1ca8Device independent bitmap graphic, 48 x 96 x 24, image size 00.5273991275899673
    RT_ICON0x2c71cf0xca8Device independent bitmap graphic, 32 x 64 x 24, image size 00.6466049382716049
    RT_ICON0x2c6e670x368Device independent bitmap graphic, 16 x 32 x 24, image size 00.8509174311926605
    RT_ICON0x2becaa0x81bdPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9895823924366964
    RT_ICON0x2bc7020x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 00.4266597510373444
    RT_ICON0x2bb65a0x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 00.5286116322701688
    RT_ICON0x2bacd20x988Device independent bitmap graphic, 24 x 48 x 32, image size 00.6184426229508196
    RT_ICON0x2ba86a0x468Device independent bitmap graphic, 16 x 32 x 32, image size 00.7553191489361702
    RT_GROUP_ICON0x2ba7d80x92data0.7808219178082192
    RT_VERSION0x2ba4800x358dataEnglishUnited States0.4158878504672897

    Imports

    DLLImport
    MSVBVM60.DLL__vbaR8FixI4, __vbaVarSub, __vbaVarTstGt, __vbaStrI2, __vbaNextEachAry, _CIcos, _adj_fptan, __vbaVarMove, __vbaStrI4, __vbaRedimPreserveVar, __vbaVarVargNofree, __vbaFreeVar, __vbaAryMove, __vbaLenBstr, __vbaLateIdCall, __vbaStrVarMove, __vbaVarIdiv, __vbaFreeVarList, _adj_fdiv_m64, __vbaFpCDblR8, __vbaAryRecMove, __vbaVarIndexStore, __vbaNextEachVar, __vbaFreeObjList, __vbaVarIndexLoadRef, __vbaStrErrVarCopy, _adj_fprem1, __vbaRecAnsiToUni, __vbaI2Abs, __vbaCopyBytes, __vbaResume, __vbaForEachCollAd, __vbaVarCmpNe, __vbaStrCat, __vbaError, __vbaBoolErrVar, __vbaLsetFixstr, __vbaRecDestruct, __vbaSetSystemError, __vbaHresultCheckObj, __vbaVargVarCopy, __vbaLenVar, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaVarIndexLoadRefLock, __vbaLateMemSt, __vbaBoolStr, __vbaStrBool, __vbaVarForInit, __vbaExitProc, __vbaI4Abs, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaVarIndexStoreObj, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarIndexLoad, __vbaStrFixstr, __vbaBoolVar, __vbaVargVar, __vbaVarTstLt, __vbaFpR8, __vbaRefVarAry, __vbaBoolVarNull, _CIsin, __vbaErase, __vbaVargVarMove, __vbaVarZero, __vbaVarCmpGt, __vbaChkstk, __vbaFileClose, __vbaGosubFree, EVENT_SINK_AddRef, __vbaVarAbs, __vbaGenerateBoundsError, __vbaExitEachColl, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, __vbaDateR8, __vbaObjVar, __vbaI2I4, DllFunctionCall, __vbaVarLateMemSt, __vbaVarOr, __vbaFpUI1, __vbaCastObjVar, __vbaStrR4, __vbaLbound, __vbaRedimPreserve, _adj_fpatan, __vbaFixstrConstruct, __vbaLateIdCallLd, __vbaStrR8, __vbaRedim, __vbaUI1ErrVar, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaNew, __vbaUI1I2, _CIsqrt, __vbaRedimVar, __vbaObjIs, __vbaVarAnd, EVENT_SINK_QueryInterface, __vbaStr2Vec, __vbaStrUI1, __vbaVarMul, __vbaUI1I4, __vbaExceptHandler, __vbaPrintFile, __vbaStrToUnicode, __vbaR4ErrVar, __vbaExitEachAry, __vbaDateStr, _adj_fprem, _adj_fdivr_m64, __vbaI2Str, __vbaVarDiv, __vbaGosub, __vbaR8ErrVar, __vbaFPException, __vbaInStrVar, __vbaGetOwner3, __vbaStrVarVal, __vbaUbound, __vbaVarCat, __vbaDateVar, __vbaLsetFixstrFree, __vbaI2Var, __vbaExitEachVar, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaR8Str, __vbaVarLateMemCallLdRf, __vbaVar2Vec, __vbaNew2, __vbaInStr, __vbaCyMulI2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaVarCmpLt, __vbaFreeStrList, _adj_fdivr_m32, __vbaR8Var, __vbaPowerR8, _adj_fdiv_r, __vbaVarTstNe, __vbaVarSetVar, __vbaI4Var, __vbaForEachAry, __vbaVarCmpEq, __vbaVarAdd, __vbaLateMemCall, __vbaAryLock, __vbaStrComp, __vbaStrToAnsi, __vbaVarDup, __vbaFpI2, __vbaVarMod, __vbaUnkVar, __vbaVarTstGe, __vbaVarLateMemCallLd, __vbaFpI4, __vbaVarCopy, __vbaVarSetObjAddref, __vbaRecDestructAnsi, __vbaR8IntI2, __vbaLateMemCallLd, _CIatan, __vbaUI1Str, __vbaI2ErrVar, __vbaCastObj, __vbaStrMove, __vbaAryCopy, __vbaR8IntI4, __vbaForEachVar, __vbaStrVarCopy, _allmul, __vbaLateIdSt, __vbaLateMemCallSt, __vbaAryRecCopy, _CItan, __vbaNextEachCollAd, __vbaFPInt, __vbaAryUnlock, __vbaVarForNext, _CIexp, __vbaMidStmtBstr, __vbaRecAssign, __vbaI4ErrVar, __vbaFreeObj, __vbaFreeStr

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    EnglishUnited States

    Network Behavior

    No network behavior found

    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    System Behavior

    General

    Target ID:0
    Start time:05:33:47
    Start date:25/04/2024
    Path:C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.BACKDOOR.Trojan.16076.5082.exe"
    Imagebase:0x400000
    File size:2'931'336 bytes
    MD5 hash:64A34C1DA55F5CA2FE610703986FDED7
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true

    Disassembly

    Reset < >

      Execution Graph

      Execution Coverage:0%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:2.7%
      Total number of Nodes:221
      Total number of Limit Nodes:0
      execution_graph 33783 605c60 43 API calls 33784 606460 11 API calls 33786 528450 6 API calls 33927 542a50 139 API calls 33787 568c50 96 API calls 33928 6abe60 2875 API calls 33929 531240 28 API calls 33930 544a40 2241 API calls 33931 646a70 4038 API calls 33788 69e070 7 API calls 33932 698270 4569 API calls 33933 5ea640 18 API calls 33790 520c70 195 API calls 33934 52ce70 7 API calls 33791 531870 40 API calls 33792 632440 2301 API calls 33935 632e40 __vbaObjSet __vbaHresultCheckObj __vbaFreeObj 33793 690440 9 API calls 33794 691440 8932 API calls 33795 695440 2313 API calls 33796 696440 170 API calls 33936 693a40 32 API calls 33797 6a4440 116 API calls 33798 62ec50 209 API calls 33937 52c660 81 API calls 33799 568060 77 API calls 33800 66b450 5077 API calls 33801 51ec10 167 API calls 33802 535410 10 API calls 33803 669020 3693 API calls 33940 567e10 21 API calls 33804 69b820 2813 API calls 33805 698420 2727 API calls 33806 6a6420 27 API calls 33941 6a5620 80 API calls 33942 626230 23 API calls 33943 625e30 11 API calls 33944 528600 __vbaAryCopy 33807 539800 8 API calls 33808 537800 44 API calls 33809 543c00 112 API calls 33810 551800 11 API calls 33811 567800 3047 API calls 33946 574200 39 API calls 33812 698030 7 API calls 33813 69b030 49 API calls 33947 591e00 42 API calls 33948 693e30 43 API calls 33949 69de30 31 API calls 33950 6ace30 2847 API calls 33815 579c30 106 API calls 33816 69ac00 36 API calls 33952 6a7200 27 API calls 33817 51f820 12 API calls 33818 62f410 373 API calls 33954 523a20 151 API calls 33956 53aa20 2822 API calls 33819 691010 8818 API calls 33820 691810 22 API calls 33821 696c10 6981 API calls 33957 696210 4771 API calls 33958 69b610 15 API calls 33822 5af820 2167 API calls 33823 6a5010 46 API calls 33824 6a6010 85 API calls 33825 606ce0 28 API calls 33826 62d8e0 57 API calls 33827 5208d0 29 API calls 33960 5322d0 179 API calls 33961 69e6e0 12 API calls 33962 605af0 9 API calls 33963 521ac0 2582 API calls 33965 53bac0 13 API calls 33966 53f2c0 485 API calls 33967 5536c0 59 API calls 33968 668ef0 8 API calls 33828 57acc0 49 API calls 33969 6772f0 3748 API calls 33829 5924c0 165 API calls 33830 69ccf0 14 API calls 33970 6902f0 5952 API calls 33971 52baf0 37 API calls 33972 63a2c0 173 API calls 33973 5382f0 5358 API calls 33974 545ef0 2965 API calls 33975 690ec0 10 API calls 33976 69cec0 208 API calls 33831 6a5cc0 3802 API calls 33977 6a6ec0 25 API calls 33832 5254e0 2661 API calls 33978 6246d0 5122 API calls 33833 53bce0 17 API calls 33979 662ad0 20 API calls 33980 6776d0 15 API calls 33834 6960d0 4753 API calls 33835 547c90 191 API calls 33836 552c90 37 API calls 33981 6916a0 51 API calls 33838 6a58a0 3661 API calls 33839 52f480 30 API calls 33982 62feb0 120 API calls 33840 53c080 12 API calls 33841 534480 164 API calls 33983 6322b0 11 API calls 33984 6386b0 286 API calls 33842 6778b0 202 API calls 33843 58ec80 2477 API calls 33844 694cb0 2793 API calls 33845 697cb0 5785 API calls 33985 592280 49 API calls 33986 51f6b0 8 API calls 33987 53c2b0 37 API calls 33988 545ab0 35 API calls 33989 551ab0 6 API calls 33846 69e880 9428 API calls 33990 6a4680 2529 API calls 33847 626890 19 API calls 33848 529ca0 15 API calls 33991 5282a0 52 API calls 33849 531ca0 7 API calls 33850 69d090 27 API calls 33851 5ac0a0 55 API calls 33852 528950 168 API calls 33853 528550 __vbaHresultCheckObj __vbaStrCopy __vbaFreeStr 33854 62fd60 8 API calls 33992 551350 41 API calls 33993 567350 2629 API calls 33855 691160 8789 API calls 33856 695d60 2294 API calls 33994 591b50 17 API calls 33995 697b60 38 API calls 33857 6a6960 23 API calls 33858 62e570 253 API calls 33996 62d370 42 API calls 33859 53b140 52 API calls 33860 533d40 92 API calls 33861 553540 12 API calls 33862 690d70 51 API calls 33864 626540 135 API calls 33997 520370 25 API calls 33865 567170 2866 API calls 33866 57f170 3146 API calls 33867 6a6140 27 API calls 33868 604550 28 API calls 33869 539960 92 API calls 33998 534b60 200 API calls 33870 547960 30 API calls 33871 57d560 241 API calls 33872 698150 2272 API calls 33999 6a5b50 3678 API calls 33873 52b910 __vbaVarDup __vbaVarDup #595 __vbaFreeVarList __vbaVarDup 33874 52e510 __vbaStrI4 __vbaStrMove 34000 6a4b20 23 API calls 33877 607130 __vbaChkstk __vbaOnError 33878 61c130 176 API calls 33879 529900 40 API calls 33880 53a900 6 API calls 33881 530d00 6 API calls 33882 63cd30 16 API calls 33883 65d130 5225 API calls 34002 522b30 228 API calls 34003 522330 35 API calls 33884 630100 6 API calls 33885 535530 130 API calls 33886 542930 9 API calls 33887 593930 8206 API calls 33888 693d00 160 API calls 33889 699500 2765 API calls 34004 691300 8901 API calls 34005 691b00 55 API calls 33781 424528 #100 33782 424572 33781->33782 33890 549120 581 API calls 33891 668d10 25 API calls 34006 69e310 5781 API calls 33893 51f5d0 __vbaChkstk __vbaOnError #685 __vbaObjSet __vbaFreeObj 33894 551dd0 72 API calls 34007 551bd0 14 API calls 34008 668be0 9 API calls 33895 677de0 17280 API calls 33896 6a59e0 27 API calls 33897 6a5de0 18 API calls 34009 52abc0 98 API calls 33898 6755f0 3727 API calls 34010 69d3f0 3793 API calls 33899 5365f0 9 API calls 34011 648bc0 3575 API calls 33900 6aadc0 3379 API calls 34012 6a6bc0 22 API calls 33901 69e1d0 3677 API calls 33902 697dd0 2116 API calls 34013 69cbd0 9 API calls 33903 6ad9d0 316 API calls 33904 6a7dd0 15 API calls 33905 6a4dd0 19 API calls 33906 62d1a0 13 API calls 33907 531d90 18 API calls 33908 551990 10 API calls 34014 57a390 50 API calls 34015 591390 26 API calls 33910 6a75a0 38 API calls 33911 53c580 599 API calls 33912 54d180 202 API calls 33913 568980 19 API calls 33914 578580 20 API calls 33915 6775b0 62 API calls 33916 6a49b0 32 API calls 34016 6a7bb0 19 API calls 34017 5fb380 2151 API calls 33918 52e9b0 45 API calls 33919 57b1b0 57 API calls 33920 691980 151 API calls 33921 691580 10 API calls 33922 690580 65 API calls 33923 51f9a0 235 API calls 33924 627190 159 API calls 34018 626b90 21 API calls 34019 633390 29 API calls 34021 5923a0 8 API calls 34022 693b90 124 API calls 33926 5ec1a0 101 API calls

      Executed Functions

      Function 00424528 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 135COMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 0 424528-424570 #100 1 424572-42459a 0->1 2 4245db-4245dd 0->2 7 4245c7-4245cf 1->7 3 4245f2-424608 2->3 4 4245df-4245e8 2->4 3->7 8 42460a-424636 3->8 6 4245eb-4245ef 4->6 6->3 9 42463a-424655 7->9 10 4245d1-4245d9 7->10 8->9 12 424677-4246b9 9->12 13 424657-424658 9->13 10->2 13->6 14 42465a-42465f 13->14 14->12
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: #100
      • String ID: VB5!6&*
      • API String ID: 1341478452-3593831657
      • Opcode ID: f28efade8f7265b9ee19074822bb63f1ff252c090e0938340b764ef8f1a453b7
      • Instruction ID: 14e3763b422b4cfb14b6431159a00c7c44a193b9d45f88151c322b76b71eb6fc
      • Opcode Fuzzy Hash: f28efade8f7265b9ee19074822bb63f1ff252c090e0938340b764ef8f1a453b7
      • Instruction Fuzzy Hash: 3C41CB6964E7E19FC7138B789D64281BFB0EE4721074A02CBC1C2CF5E3D21D994AC7A6
      Uniqueness

      Uniqueness Score: -1.00%

      Non-executed Functions

      Function 0066B450 Relevance: 2492.9, APIs: 1365, Strings: 54, Instructions: 9679COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0066B46E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0066B49E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0066B4B3
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 0066B4C5
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0046020C,00000078), ref: 0066B52E
      • __vbaAryMove.MSVBVM60(?,?), ref: 0066B551
      • #685.MSVBVM60 ref: 0066B55E
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0066B56C
      • __vbaFreeObj.MSVBVM60 ref: 0066B590
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0066B5D4
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0066B5F1
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 0066B612
      • #685.MSVBVM60 ref: 0066B627
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0066B635
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042DF28,0000001C), ref: 0066B680
      • __vbaFreeObj.MSVBVM60 ref: 0066B6B3
      • __vbaUbound.MSVBVM60(00000001,00000000,00000000), ref: 0066B6D7
      • __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,00000000), ref: 0066B6ED
      • __vbaUbound.MSVBVM60(00000001,?), ref: 0066B703
      • __vbaStrCopy.MSVBVM60 ref: 0066B752
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0066B797
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0066B7B4
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0046020C,0000007C), ref: 0066B801
      • __vbaStrMove.MSVBVM60 ref: 0066B832
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 0066B848
      • __vbaStrCat.MSVBVM60(?,Found ATR: ), ref: 0066B866
      • __vbaStrMove.MSVBVM60 ref: 0066B871
      • __vbaFreeStr.MSVBVM60(00000000), ref: 0066B883
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0066B8D5
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0066B8F2
      • __vbaStrCopy.MSVBVM60 ref: 0066B90D
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0066B954
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0066B971
      • __vbaStrCopy.MSVBVM60 ref: 0066B98E
      • __vbaStrCopy.MSVBVM60 ref: 0066B9C0
      • __vbaFreeStr.MSVBVM60(?), ref: 0066B9D2
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 0066BA07
      • __vbaStrMove.MSVBVM60 ref: 0066BA22
      • #685.MSVBVM60 ref: 0066BA2F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0066BA3D
      • __vbaFreeObj.MSVBVM60 ref: 0066BA61
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0066BAA5
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0066BAC2
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 0066BAE3
      • #685.MSVBVM60 ref: 0066BAF8
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0066BB06
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042DF28,0000001C), ref: 0066BB51
      • __vbaFreeObj.MSVBVM60 ref: 0066BB84
      • __vbaUbound.MSVBVM60(00000001,00000000), ref: 0066BBA6
      • #712.MSVBVM60(00000000,0042FA64,0042ADE8,00000001,000000FF,00000000), ref: 0066BC6E
      • #528.MSVBVM60(?,00000008), ref: 0066BC92
      • __vbaStrVarMove.MSVBVM60(?), ref: 0066BC9F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Error$BoundsGenerate$Move$Free$Copy$#685CheckHresult$ChkstkUbound$#518#520#528#711#712IndexLoadLockRedimUnlock
      • String ID: / $ in $ in workfile: $ to find data$*.ini$.ini$0u$3B 04 49 32 43 2E$ATR$AloahaCredentials:DoBlacklist$AloahaCredentials:Entering GetHashFromATR$AloahaCredentials:Entering UserATR$AloahaCredentials:GetHashFromContainerName (ContainerName/Username): $Could not get any ATR from Reader!$Double hashes not possible$Found ATR: $Found Hash: $Found in: $Found no Hash in $Generic$GetHashFromContainerName (hash/Username): $Going to use Username: $HASH$Leaving GetHashFromATR: $Leaving UserATR: $Only one Hash per user should be found! $Only one Hash should be found! $PASS$UCN$USER$UserHash$UserMapping$Username is NOT empty. Trying to find HASH$Username is empty. Trying to find one$Using $Workfile: $[Generic]$[Secret]$],[$__vmware_user__$_vmware_user_$called as system?$generic$local$localnetwork$localsystem$network$null$secret$system$true$vmware_user${$`2m
      • API String ID: 3355104221-3500857003
      • Opcode ID: 1cdf936c0767cf00b923b624e09971b5c660eaad818d6100e1d064822726f2f8
      • Instruction ID: 5d751db638a094ba35da48f4d2c8189a932de3916d7590bcdccc0525cc9ddca6
      • Opcode Fuzzy Hash: 1cdf936c0767cf00b923b624e09971b5c660eaad818d6100e1d064822726f2f8
      • Instruction Fuzzy Hash: E2244A75900219DFDB24DFA0DD88BEEB7B5FF48301F1081A9E50AA72A0DB745A89CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0060D8D0 Relevance: 1792.5, APIs: 967, Strings: 53, Instructions: 7529COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86), ref: 0060D8EE
      • __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,00423E86), ref: 0060D91E
        • Part of subcall function 0064D6F0: __vbaChkstk.MSVBVM60(00000000,00423E86), ref: 0064D70E
        • Part of subcall function 0064D6F0: __vbaAryConstruct2.MSVBVM60(?,0045EF7C,00000011,6D23D8CD,00000001,?,00000000,00423E86), ref: 0064D743
        • Part of subcall function 0064D6F0: __vbaOnError.MSVBVM60(000000FF), ref: 0064D752
        • Part of subcall function 0064D6F0: __vbaAryMove.MSVBVM60(?,?,000000FF), ref: 0064D7BB
        • Part of subcall function 0064D6F0: __vbaStrCopy.MSVBVM60 ref: 0064D7E1
        • Part of subcall function 0064D6F0: __vbaFreeStr.MSVBVM60(?), ref: 0064D7F3
        • Part of subcall function 0064D6F0: __vbaI4Str.MSVBVM60(0042ADE8), ref: 0064D805
        • Part of subcall function 0064D6F0: __vbaAryMove.MSVBVM60(?,?,000000FF), ref: 0064D83E
        • Part of subcall function 0064D6F0: #685.MSVBVM60 ref: 0064D85B
        • Part of subcall function 0064D6F0: __vbaObjSet.MSVBVM60(?,00000000), ref: 0064D866
        • Part of subcall function 0064D6F0: __vbaFreeObj.MSVBVM60 ref: 0064D887
        • Part of subcall function 0064D6F0: __vbaAryLock.MSVBVM60(?,?), ref: 0064D89C
      • __vbaAryRecMove.MSVBVM60(004442D0,?,?), ref: 0060D953
      • __vbaStrCopy.MSVBVM60 ref: 0060D96A
      • #685.MSVBVM60 ref: 0060D977
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0060D985
      • __vbaFreeObj.MSVBVM60 ref: 0060D9A9
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0060D9ED
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0060DA0A
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 0060DA2B
      • #685.MSVBVM60 ref: 0060DA4E
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0060DA5C
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 0060DAA7
      • __vbaFreeObj.MSVBVM60 ref: 0060DADA
      • __vbaUbound.MSVBVM60(00000001,00000000), ref: 0060DAFC
      • __vbaLbound.MSVBVM60(00000001,00000000), ref: 0060DB18
      • #685.MSVBVM60 ref: 0060DBCB
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0060DBD9
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ErrorFree$Move$BoundsChkstkCopyGenerate$CheckConstruct2HresultLboundLockUbound
      • String ID: certificates in addressbook store$ certificates in my store$(@k$(@k$@0k$@0k$@0k$@0k$AddressBook$CAPICOM.Store$Certificate NOT valid anymore!$Certificates$Close$Count$D0k$D0k$EKUs$EncodedKey$Export$ExtendedKeyUsage$GetInfo$HKLM\Software\Aloaha\CSP\DoNotCheck4PrivateKey$HKLM\Software\Aloaha\GINA\AllowedAllCertificates$HKLM\Software\Aloaha\GINA\onlyAllowedEKU$HKLM\Software\Aloaha\GINA\onlyAllowedIssuer$HasPrivateKey$IsDataEnciphermentEnabled$IsDecipherOnlyEnabled$IsEncipherOnlyEnabled$IsHardwareDevice$IsKeyAgreementEnabled$IsKeyEnciphermentEnabled$IsNonRepudiationEnabled$IsPresent$KeyUsage$Nothing$OID$Open$PrivateKey$ProviderName$SubjectName$Thumbprint$UniqueContainerName$ValidFromDate$ValidToDate$Value$false$found $publickey$serialnumber$true$~$`2m
      • API String ID: 1500743811-139479046
      • Opcode ID: 41c488ef2b9b316f72989402458c8a92bf33e37793cff080193b78fc8ee41bd8
      • Instruction ID: e56f054ef9587f9cf0ca7532bc3fb9458542cae3b47987fb4fd0bf08f53231ca
      • Opcode Fuzzy Hash: 41c488ef2b9b316f72989402458c8a92bf33e37793cff080193b78fc8ee41bd8
      • Instruction Fuzzy Hash: BA045574900218DFDB28DFA0DD88BDDB7B6FB48304F108599E50AAB2A1DB749AC5CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00655840 Relevance: 1101.8, APIs: 592, Strings: 35, Instructions: 4594COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86), ref: 0065585E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86), ref: 0065588E
        • Part of subcall function 005FE0D0: __vbaChkstk.MSVBVM60(00000000,00423E86), ref: 005FE0EE
        • Part of subcall function 005FE0D0: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00423E86), ref: 005FE11E
        • Part of subcall function 005FE0D0: #518.MSVBVM60(?,00004008), ref: 005FE165
        • Part of subcall function 005FE0D0: #520.MSVBVM60(?,?), ref: 005FE173
        • Part of subcall function 005FE0D0: #518.MSVBVM60(?,00004008), ref: 005FE1AF
        • Part of subcall function 005FE0D0: #520.MSVBVM60(?,?), ref: 005FE1C3
        • Part of subcall function 005FE0D0: __vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 005FE1EF
        • Part of subcall function 005FE0D0: __vbaVarCmpEq.MSVBVM60(?,00008008,?,00000000), ref: 005FE20B
        • Part of subcall function 005FE0D0: __vbaVarOr.MSVBVM60(?,00000000), ref: 005FE219
        • Part of subcall function 005FE0D0: __vbaBoolVarNull.MSVBVM60(00000000), ref: 005FE220
        • Part of subcall function 005FE0D0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 005FE245
        • Part of subcall function 005FE0D0: #518.MSVBVM60(?,00004008), ref: 005FE283
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00423E86), ref: 006558C8
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00423E86), ref: 00655900
      • __vbaAryRecMove.MSVBVM60(004442D0,?,?), ref: 00655948
      • __vbaObjSetAddref.MSVBVM60(006B3FDC,00000000), ref: 0065595C
      • #685.MSVBVM60 ref: 0065597A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00655988
      • __vbaFreeObj.MSVBVM60 ref: 006559AC
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 00655A2E
      • #685.MSVBVM60 ref: 00655A43
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00655A51
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 00655A9C
      • #685.MSVBVM60 ref: 0065A52B
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0065A539
      • __vbaFreeObj.MSVBVM60 ref: 0065A55D
      • __vbaFreeObj.MSVBVM60(0065A739), ref: 0065A660
      • __vbaAryDestruct.MSVBVM60(004442D0,?), ref: 0065A672
      • __vbaFreeObj.MSVBVM60 ref: 0065A67B
      • __vbaFreeObj.MSVBVM60 ref: 0065A684
      • __vbaFreeStr.MSVBVM60 ref: 0065A68D
      • __vbaFreeStr.MSVBVM60 ref: 0065A696
      • __vbaFreeObj.MSVBVM60 ref: 0065A69F
      • __vbaFreeStr.MSVBVM60 ref: 0065A6A8
      • __vbaFreeStr.MSVBVM60 ref: 0065A6B1
      • __vbaFreeStr.MSVBVM60 ref: 0065A6BA
      • __vbaFreeStr.MSVBVM60 ref: 0065A6C3
      • __vbaFreeStr.MSVBVM60 ref: 0065A6CC
      • __vbaFreeStr.MSVBVM60 ref: 0065A6D5
      • __vbaFreeStr.MSVBVM60 ref: 0065A6DE
      • __vbaFreeStr.MSVBVM60 ref: 0065A6E7
      • __vbaFreeObj.MSVBVM60 ref: 0065A6F0
      • __vbaFreeObj.MSVBVM60 ref: 0065A6F9
      • __vbaFreeStr.MSVBVM60 ref: 0065A702
      • __vbaAryDestruct.MSVBVM60(004442D0,00000000), ref: 0065A711
      • __vbaFreeStr.MSVBVM60 ref: 0065A71A
      • __vbaFreeStr.MSVBVM60 ref: 0065A726
      • __vbaFreeStr.MSVBVM60 ref: 0065A732
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#518#685$#520ChkstkCopyDestructError$AddrefBoolCheckHresultListMoveNull
      • String ID: / $3B044932432E$AllowI2C$AllowedATRs$Aloaha Cryptographic Provider$Capicom.Store$Card has NO Name!!!$Card has NO Provider Name!!!$Certificates$Close$ContainerName$Count$Generic$Going to use Reader: $HasPrivateKey$Kerberos$Open$PrivateKey$ProviderName$RetrievContainerName NO Reader found!$Skipping Card: $UniqueContainerName$\\.\$aloaha$aloaha_3B044932432E$false$testing card with ATR: $testing reader: $true$~$?k$?k$?k$?k$`2m
      • API String ID: 3454658237-3635604643
      • Opcode ID: 4c91bd51593f20aa334d5d466d78fc835f1def79aaca42a3ab28effc8acd25db
      • Instruction ID: afe174ee4a4bfb268e49563d6e217aeb9ae73f8fdb5193aee1a6ff9d723d4d00
      • Opcode Fuzzy Hash: 4c91bd51593f20aa334d5d466d78fc835f1def79aaca42a3ab28effc8acd25db
      • Instruction Fuzzy Hash: 77B32974900219DFDB24DF64DA88BDDB7B5BF48305F1081DAE90AB72A0DB709A89CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00669020 Relevance: 562.2, APIs: 303, Strings: 17, Instructions: 2204COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0066903E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0066906B
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 00669083
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0066909E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 006690B3
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 006690C5
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0046020C,00000078), ref: 00669106
      • __vbaAryMove.MSVBVM60(?,?), ref: 00669129
      • #685.MSVBVM60 ref: 00669136
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00669141
      • __vbaFreeObj.MSVBVM60 ref: 00669162
      • __vbaGenerateBoundsError.MSVBVM60 ref: 006691A6
      • __vbaGenerateBoundsError.MSVBVM60 ref: 006691C3
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 006691E4
      • #685.MSVBVM60 ref: 006691F9
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00669204
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042DF28,0000001C), ref: 0066924F
      • __vbaFreeObj.MSVBVM60 ref: 0066927F
      • __vbaUbound.MSVBVM60(00000001,00000000,00000000), ref: 006692A3
      • __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,00000000), ref: 006692B9
      • __vbaUbound.MSVBVM60(00000001,?,?,?,?,?,?,?,00423E86), ref: 006692CF
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0066934E
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0066936B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0046020C,0000007C), ref: 006693B8
      • __vbaStrMove.MSVBVM60 ref: 006693E9
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 006693FF
      • #712.MSVBVM60(?,0042FA64,0042ADE8,00000001,000000FF,00000000), ref: 00669432
      • #518.MSVBVM60(?,00000008), ref: 0066944D
      • #712.MSVBVM60(3B 04 49 32 43 2E,0042FA64,0042ADE8,00000001,000000FF,00000000), ref: 00669468
      • #518.MSVBVM60(?,00000008), ref: 0066948C
      • #685.MSVBVM60 ref: 00669492
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0066949D
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 006694E8
      • __vbaVarCmpNe.MSVBVM60(?,?,?,0000000B), ref: 0066953B
      • __vbaVarAnd.MSVBVM60(?,00000000), ref: 00669549
      • __vbaVarAnd.MSVBVM60(?,0000000B,00000000), ref: 0066955E
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 00669565
      • __vbaFreeObj.MSVBVM60 ref: 00669575
      • __vbaFreeVarList.MSVBVM60(00000006,00000008,00000008,?,?,0000000B,0000000B), ref: 006695A4
      • __vbaGenerateBoundsError.MSVBVM60 ref: 006695FB
      • __vbaGenerateBoundsError.MSVBVM60 ref: 00669618
      • __vbaStrCopy.MSVBVM60 ref: 00669633
      • #685.MSVBVM60 ref: 00669640
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0066964B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 00669696
      • __vbaFreeObj.MSVBVM60 ref: 006696C6
      • #685.MSVBVM60 ref: 006696F0
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 006696FB
      • __vbaFreeObj.MSVBVM60 ref: 0066971C
      • __vbaStrCopy.MSVBVM60 ref: 0066973F
      • __vbaStrMove.MSVBVM60 ref: 00669756
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 0066976C
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 00669782
      • #685.MSVBVM60 ref: 0066979E
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 006697A9
      • __vbaFreeObj.MSVBVM60 ref: 006697CA
      • __vbaStrCat.MSVBVM60(*.ini,?), ref: 006697E0
      • #645.MSVBVM60(00000008,00000000), ref: 006697F6
      • __vbaStrMove.MSVBVM60 ref: 00669801
      • __vbaFreeVar.MSVBVM60 ref: 0066980A
      • #685.MSVBVM60 ref: 00669817
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00669822
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042DF28,0000001C), ref: 0066986D
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 0066988E
      • __vbaFreeObj.MSVBVM60 ref: 006698B7
      • __vbaStrCat.MSVBVM60(?,?), ref: 00669920
      • __vbaStrMove.MSVBVM60 ref: 0066992B
      • #518.MSVBVM60(?,00000008,?), ref: 0066994F
      • __vbaStrVarMove.MSVBVM60(?), ref: 0066995C
      • __vbaStrMove.MSVBVM60 ref: 00669967
      • __vbaFreeStr.MSVBVM60 ref: 00669970
      • __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 00669983
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 0066999C
      • __vbaStrCat.MSVBVM60(?,0042DF48), ref: 006699CD
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$Error$#685$BoundsCheckCopyGenerateHresult$#518$Chkstk$#712ListUbound$#520#645#711BoolIndexLoadLockNullRedimUnlock
      • String ID: *.ini$.ini$0u$0u$3B 04 49 32 43 2E$AloahaCredentials:Entering FindUniqueHash$FindUniqueHashF: $FindUniqueHashL: $HAk$Leaving FindUniqueHash: $UserMapping$],[$`Ak$`Ak$dAk$~$`2m
      • API String ID: 2674679802-3963869080
      • Opcode ID: 6453f472d4395a3ceda0d4035e2b2c4054ea6c1eb03b3520e0834a4301ab9f7e
      • Instruction ID: 32ff25a4352d3d57917adddc61adf851943fa8a95d8840715ac0a2142482934f
      • Opcode Fuzzy Hash: 6453f472d4395a3ceda0d4035e2b2c4054ea6c1eb03b3520e0834a4301ab9f7e
      • Instruction Fuzzy Hash: F4233774900218DFDB14DFA4DE88BEDBBB5FF48305F1081A9E50AA72A0DB749A85CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00528950 Relevance: 317.9, APIs: 177, Strings: 4, Instructions: 1153COMMON
      Download Yara Rule
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Free$#525Error$BoundsGenerate$BstrCopyUbound$#523#537#606OverflowStmt
      • String ID: ('@$Data corrupted$Data string is corrupted. Cannot be Decrypted.$`2m
      • API String ID: 6703403-284228998
      • Opcode ID: 3ffd4b5275d4594f04fe2cf5b6aed4d05ebce6b15d5e9ca014c4898e46511320
      • Instruction ID: 62cca3d8af0b430861b5ee800a948bb26fc0770284238730013388b5c2be145d
      • Opcode Fuzzy Hash: 3ffd4b5275d4594f04fe2cf5b6aed4d05ebce6b15d5e9ca014c4898e46511320
      • Instruction Fuzzy Hash: 1AA22975D00219DFCB04DFA5ED889EEBBB9FF89300F10812AE506A72A4DB746946CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 004080B8 Relevance: .6, Instructions: 592COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 784a823f87b38c04e92df125adbce5c9091e20d95dc368066ea10d6bf55e2d5a
      • Instruction ID: ebc841016076b5091867c98df2c5815a2cdaf9b2f5629db2f196dcc69dd9d143
      • Opcode Fuzzy Hash: 784a823f87b38c04e92df125adbce5c9091e20d95dc368066ea10d6bf55e2d5a
      • Instruction Fuzzy Hash: 71224B2524E7C16FC71787346CB59DABFB8AD8381830F82CFD0D88A893C255A55AD763
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00579C30 Relevance: 269.9, APIs: 108, Strings: 46, Instructions: 449COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,?,?,0057A7EC), ref: 00579C4E
      • __vbaOnError.MSVBVM60(000000FF,00000000,00000000,00000000,00000000,00423E86), ref: 00579C7E
      • __vbaStrCopy.MSVBVM60 ref: 00579C93
      • __vbaStrCat.MSVBVM60(MIIINAYJKwYBBAGCN1gDoIIIJTCCCCEGCisGAQQBgjdYAwGggggRMIIIDQIDAgAB,?), ref: 00579CA9
      • __vbaStrMove.MSVBVM60 ref: 00579CB4
      • __vbaStrCat.MSVBVM60(AgJoAQICAIAEAAQQbiCke/50Fnbqmi1ZiSsUVwSCB+jAtpYJWC9fDD/Y+lThSQ0S,?), ref: 00579CCA
      • __vbaStrMove.MSVBVM60 ref: 00579CD5
      • __vbaStrCat.MSVBVM60(79wkP3oMNW47sucCpdlZ4gGbPCQ8d5737IN0Gxwx176wUSKq/CzA4ZhAWplnX9ME,?), ref: 00579CEB
      • __vbaStrMove.MSVBVM60 ref: 00579CF6
      • __vbaStrCat.MSVBVM60(XCZasSG+xQxnZ7GYotBO/7rPjDZKJo/LmhyuE4N7Qs2+i5YIRAgvdtm2nxLWyRpE,?), ref: 00579D0C
      • __vbaStrMove.MSVBVM60 ref: 00579D17
      • __vbaStrCat.MSVBVM60(fEdondnJEkhLHgN0XRhdz0m9pAyELDJUK2qE2CD4IVFOUKjmJZHQ1Pwui/S0Z3fF,?), ref: 00579D2D
      • __vbaStrMove.MSVBVM60 ref: 00579D38
      • __vbaStrCat.MSVBVM60(/66bXOlakIsehXS0H4EgUfd2cVqmbU8ZJ8ZJfwLBRKrYlUINOgimmwm4RTsfLBcr,?), ref: 00579D4E
      • __vbaStrMove.MSVBVM60 ref: 00579D59
      • __vbaStrCat.MSVBVM60(rahIO498Qmp6YunpBhq5IqxXdVrhmjqOhTakNV4H1HrlgfcEe33rxeXzterW3+yu,?), ref: 00579D6F
      • __vbaStrMove.MSVBVM60 ref: 00579D7A
      • __vbaStrCat.MSVBVM60(NrKfP5oHMFqL5A2t5oeEZYSyuWLMiUafW5AooSa+pH8IGdRLP4bgCtsbL51m51Eb,?), ref: 00579D90
      • __vbaStrMove.MSVBVM60 ref: 00579D9B
      • __vbaStrCat.MSVBVM60(/+CvDilGGGnz5Kp4aV5bklJfNA0HWA7avFmf/o3BBjQZ9RxHAT89qDsscK0q3eAS,?), ref: 00579DB1
      • __vbaStrMove.MSVBVM60 ref: 00579DBC
      • __vbaStrCat.MSVBVM60(+BoV/IxFZKtuFK5r3HpPf4TBMKj9jrN2UZhzJPB6mAEZgsp3NX5tqWuMM3VP9bVm,?), ref: 00579DD2
      • __vbaStrMove.MSVBVM60 ref: 00579DDD
      • __vbaStrCat.MSVBVM60(ogeofIK4WR+HWq/3/znyQaEsIfFd1Mg9RNgcegXJ1KEUUofbFAu6txYWE/phor0/,?), ref: 00579DF3
      • __vbaStrMove.MSVBVM60 ref: 00579DFE
      • __vbaStrCat.MSVBVM60(MvNy2XHn2nduSaV6cuu2e7hrq4i5AralYzK18xRImyGswx2OLrMYF2jltvcJ9LUI,?), ref: 00579E14
      • __vbaStrMove.MSVBVM60 ref: 00579E1F
      • __vbaStrCat.MSVBVM60(/QBJrq0eQbEV1HjWkh/v7BQ2ykaekUjpB2GKpCy45NQ3aRgy47KHD33ZartUsUZV,?), ref: 00579E35
      • __vbaStrMove.MSVBVM60 ref: 00579E40
      • __vbaStrCat.MSVBVM60(Y7Dr0Wm4yfs3SDLB9ciHDkkmIhNxMrNQ2PWGKBoSPSzdYiPQN9EA+ODAo9RYFLrj,?), ref: 00579E56
      • __vbaStrMove.MSVBVM60 ref: 00579E61
      • __vbaStrCat.MSVBVM60(1IbTqNuCEgUGY1w4180ELsYF1ZmbFh136XJvmlETa1qqy1Wupr+bIbt6lD21Dt33,?), ref: 00579E77
      • __vbaStrMove.MSVBVM60 ref: 00579E82
      • __vbaStrCat.MSVBVM60(Uk0kWWxCHw8lrqYhNy4nQpGHevLEdcMWempUZlY3fjt5iduzo/h0dU5behCl3jER,?), ref: 00579E98
      • __vbaStrMove.MSVBVM60 ref: 00579EA3
      • __vbaStrCat.MSVBVM60(q3mz8HC7a3tICl5aj+NZ+FRnNeOWY9U8hEOOpqA60LRJ2+PFGygwlYX0A09FskCp,?), ref: 00579EB9
      • __vbaStrMove.MSVBVM60 ref: 00579EC4
      • __vbaStrCat.MSVBVM60(e3TFtYWtdJeu8LGOipfgLv3y3nkKu28w0Gsvvp2hYN0SToePKmdE3Kl20UqeHyiJ,?), ref: 00579EDA
      • __vbaStrMove.MSVBVM60 ref: 00579EE5
      • __vbaStrCat.MSVBVM60(kKt8tox3iLM01iltkeQqVG/CmMgYzp4CY9gp8eDQ3z4Jr2DGrzNlIflJZh3xMEkE,?), ref: 00579EFB
      • __vbaStrMove.MSVBVM60 ref: 00579F06
      • __vbaStrCat.MSVBVM60(wzSY1t8nsLIBP9iHtFWWizGZlEaYNCHR2aWLcqztmMjnDgLBiNx+x1GWzV9MD/wI,?), ref: 00579F1C
      • __vbaStrMove.MSVBVM60 ref: 00579F27
      • __vbaStrCat.MSVBVM60(TEHVbNT+XuSAksRTpBcPFkSJflEgJ9MD024aKu9Qj+cyMrfao13h+k87Ak5xwrnG,?), ref: 00579F3D
      • __vbaStrMove.MSVBVM60 ref: 00579F48
      • __vbaStrCat.MSVBVM60(jeywotsRDgSRZQvYP8qPEfpnLMVEjIJWICWYAu+zFRpYk5jGnGXY6P3fwlj5kY1H,?), ref: 00579F5E
      • __vbaStrMove.MSVBVM60 ref: 00579F69
      • __vbaStrCat.MSVBVM60(864MI9BQgUn88bT7vv0k+tQ1ZxaJ5uz3LH9Of1O55FMfOAjiV9cLFDzx4cgE7rqH,?), ref: 00579F7F
      • __vbaStrMove.MSVBVM60 ref: 00579F8A
      • __vbaStrCat.MSVBVM60(79R3tOB5hYfEqfYAsSSudeX9fYezXFH6SRUbYxGkyX3jKU0Jk4R70H9+HAGcVP2a,?), ref: 00579FA0
      • __vbaStrMove.MSVBVM60 ref: 00579FAB
      • __vbaStrCat.MSVBVM60(MuovB+gH5CR0Z2xO+DB0md7a/GbsGemKBzVmJCvP4uGiJ7K7lcfHGY/0A8TCEhiA,?), ref: 00579FC1
      • __vbaStrMove.MSVBVM60 ref: 00579FCC
      • __vbaStrCat.MSVBVM60(w361RDERc57cljarx9VeaZ5W4EB0LW18viXVaWkig1bx1Si3iHa4XXYFPgycNF+0,?), ref: 00579FE2
      • __vbaStrMove.MSVBVM60 ref: 00579FED
      • __vbaStrCat.MSVBVM60(2fjibSs6LIPLRxniXJmGTcQDBJOiN2wl/ymCtn3AvliU0ObuOhF6hGP0/G2uLzb1,?), ref: 0057A003
      • __vbaStrMove.MSVBVM60 ref: 0057A00E
      • __vbaStrCat.MSVBVM60(7hNqH70Qdac+Nko2uRZrNtSquZGoX/ofggW9uKbGus+TGyV/HH62UJkDhf0uhegm,?), ref: 0057A024
      • __vbaStrMove.MSVBVM60 ref: 0057A02F
      • __vbaStrCat.MSVBVM60(4oGOkoi1gybLdX3pHQxpRFYPIInnBW7KTyIJ9kMzEwRh74ePNA5hwNTMgxTwiaLD,?), ref: 0057A045
      • __vbaStrMove.MSVBVM60 ref: 0057A050
      • __vbaStrCat.MSVBVM60(WjzBLNYs38Uc4h769UwPIez432UWfDBnDAO0ssyCx1tEZM823tHHXPpDTChjQ4Ij,?), ref: 0057A066
      • __vbaStrMove.MSVBVM60 ref: 0057A071
      • __vbaStrCat.MSVBVM60(CPUnJNux4gFPdqpCqhS9qrr38kZx+Xj+GUoPh+C/e4Y73hPHVpWjhRteX0ttIlAh,?), ref: 0057A087
      • __vbaStrMove.MSVBVM60 ref: 0057A092
      • __vbaStrCat.MSVBVM60(pA9PiWERE7q9BXbaphl91FU7XDQspIlzsluJsH8kMByQY8skIntNlS1833/4L0Hk,?), ref: 0057A0A8
      • __vbaStrMove.MSVBVM60 ref: 0057A0B3
      • __vbaStrCat.MSVBVM60(BwDVAK1Q/3gZN+LmAlN4JNw7L1zpEAP1688JXPIruR9g/JXUzEtquuBpL5gyINs1,?), ref: 0057A0C9
      • __vbaStrMove.MSVBVM60 ref: 0057A0D4
      • __vbaStrCat.MSVBVM60(vixsmmVRMnSCeBY+iwu7sV3eJGY05KxC5nG6mo4IpSloskAERBDozR0EBztCpqzE,?), ref: 0057A0EA
      • __vbaStrMove.MSVBVM60 ref: 0057A0F5
      • __vbaStrCat.MSVBVM60(D9wEsodNa0vLtAVl1zpr4j+7azoV+zexC6fZghJ61FD68IQb8mQRsrhXE1NunRxX,?), ref: 0057A10B
      • __vbaStrMove.MSVBVM60 ref: 0057A116
      • __vbaStrCat.MSVBVM60(+pxCMv+/Mm/XDL+wQHe4o+it20WgQqgxwoftogzOVA2+H3s7vRiu+agXZCKSRXyr,?), ref: 0057A12C
      • __vbaStrMove.MSVBVM60 ref: 0057A137
      • __vbaStrCat.MSVBVM60(36lkZjAVCd5vAPnBbgAARGPzvMTBQJJnLLpMDh3dvSzZzhhwuhAJoQ9hcINx2H8Z,?), ref: 0057A14D
      • __vbaStrMove.MSVBVM60 ref: 0057A158
      • __vbaStrCat.MSVBVM60(EN3YNVz6oggMjHKV6RQ1o0Qxnju8rYiC6dy9tnQHawT4UClkpYf/l2hqK+/nIQzp,?), ref: 0057A16E
      • __vbaStrMove.MSVBVM60 ref: 0057A179
      • __vbaStrCat.MSVBVM60(nO0EfxJNYzWa94+v3AuuL6nAyUXvVbdemN0kkDbkzs9XtA9vILWFcWKUG5845nGo,?), ref: 0057A18F
      • __vbaStrMove.MSVBVM60 ref: 0057A19A
      • __vbaStrCat.MSVBVM60(d9QhutelZhsRvwvSHWuTuuKcFK+ZAsxVuAqIzOFrpHMZyk331Uv6QwU/U3CPcwHv,?), ref: 0057A1B0
      • __vbaStrMove.MSVBVM60 ref: 0057A1BB
      • __vbaStrCat.MSVBVM60(E1RQkxRD6fAuUe4c5J7AvnfQ6x0tNueZ3J2i5bDy2DOGlUUvQ5q+v86ATf4CDton,?), ref: 0057A1D1
      • __vbaStrMove.MSVBVM60 ref: 0057A1DC
      • __vbaStrCat.MSVBVM60(j1XnDc9643MyvE+lTFsRn6Qs9VVyoaq2StmNmiuzOGEaz+WNILuxhqG+lnKcfi0y,?), ref: 0057A1F2
      • __vbaStrMove.MSVBVM60 ref: 0057A1FD
      • __vbaStrCat.MSVBVM60(/My5QVTCBXvNoWSDb/XwPyoWMwrnR431sgfEWseH39NCRiNBn1tLOw5+myZp4TaO,?), ref: 0057A213
      • __vbaStrMove.MSVBVM60 ref: 0057A21E
      • __vbaStrCat.MSVBVM60(X9wtJb4rHjxK0k3eoRSNaqQj9X98ys3e0DzV/qlizcdB2SVO4bhgMg==,?), ref: 0057A234
      • __vbaStrMove.MSVBVM60 ref: 0057A23F
      • #608.MSVBVM60(?,0000000A), ref: 0057A252
      • __vbaStrVarVal.MSVBVM60(?,?,0042ADE8,00000001,000000FF,00000000), ref: 0057A26B
      • #712.MSVBVM60(?,00000000), ref: 0057A276
      • __vbaStrMove.MSVBVM60 ref: 0057A281
      • __vbaFreeStr.MSVBVM60 ref: 0057A28A
      • __vbaFreeVar.MSVBVM60 ref: 0057A293
      • #608.MSVBVM60(?,0000000D), ref: 0057A2A6
      • __vbaStrVarVal.MSVBVM60(?,?,0042ADE8,00000001,000000FF,00000000), ref: 0057A2BF
      • #712.MSVBVM60(?,00000000), ref: 0057A2CA
      • __vbaStrMove.MSVBVM60 ref: 0057A2D5
      • __vbaFreeStr.MSVBVM60 ref: 0057A2DE
      • __vbaFreeVar.MSVBVM60 ref: 0057A2E7
      • __vbaStrCopy.MSVBVM60 ref: 0057A2FC
      • #685.MSVBVM60 ref: 0057A309
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0057A314
      • __vbaFreeObj.MSVBVM60 ref: 0057A32C
      • __vbaFreeStr.MSVBVM60(0057A372), ref: 0057A36B
      Strings
      • 36lkZjAVCd5vAPnBbgAARGPzvMTBQJJnLLpMDh3dvSzZzhhwuhAJoQ9hcINx2H8Z, xrefs: 0057A148
      • ogeofIK4WR+HWq/3/znyQaEsIfFd1Mg9RNgcegXJ1KEUUofbFAu6txYWE/phor0/, xrefs: 00579DEE
      • e3TFtYWtdJeu8LGOipfgLv3y3nkKu28w0Gsvvp2hYN0SToePKmdE3Kl20UqeHyiJ, xrefs: 00579ED5
      • E1RQkxRD6fAuUe4c5J7AvnfQ6x0tNueZ3J2i5bDy2DOGlUUvQ5q+v86ATf4CDton, xrefs: 0057A1CC
      • Y7Dr0Wm4yfs3SDLB9ciHDkkmIhNxMrNQ2PWGKBoSPSzdYiPQN9EA+ODAo9RYFLrj, xrefs: 00579E51
      • 3, xrefs: 0057A302
      • /QBJrq0eQbEV1HjWkh/v7BQ2ykaekUjpB2GKpCy45NQ3aRgy47KHD33ZartUsUZV, xrefs: 00579E30
      • Uk0kWWxCHw8lrqYhNy4nQpGHevLEdcMWempUZlY3fjt5iduzo/h0dU5behCl3jER, xrefs: 00579E93
      • wzSY1t8nsLIBP9iHtFWWizGZlEaYNCHR2aWLcqztmMjnDgLBiNx+x1GWzV9MD/wI, xrefs: 00579F17
      • w361RDERc57cljarx9VeaZ5W4EB0LW18viXVaWkig1bx1Si3iHa4XXYFPgycNF+0, xrefs: 00579FDD
      • pA9PiWERE7q9BXbaphl91FU7XDQspIlzsluJsH8kMByQY8skIntNlS1833/4L0Hk, xrefs: 0057A0A3
      • q3mz8HC7a3tICl5aj+NZ+FRnNeOWY9U8hEOOpqA60LRJ2+PFGygwlYX0A09FskCp, xrefs: 00579EB4
      • 1IbTqNuCEgUGY1w4180ELsYF1ZmbFh136XJvmlETa1qqy1Wupr+bIbt6lD21Dt33, xrefs: 00579E72
      • MIIINAYJKwYBBAGCN1gDoIIIJTCCCCEGCisGAQQBgjdYAwGggggRMIIIDQIDAgAB, xrefs: 00579CA4
      • MvNy2XHn2nduSaV6cuu2e7hrq4i5AralYzK18xRImyGswx2OLrMYF2jltvcJ9LUI, xrefs: 00579E0F
      • EN3YNVz6oggMjHKV6RQ1o0Qxnju8rYiC6dy9tnQHawT4UClkpYf/l2hqK+/nIQzp, xrefs: 0057A169
      • +BoV/IxFZKtuFK5r3HpPf4TBMKj9jrN2UZhzJPB6mAEZgsp3NX5tqWuMM3VP9bVm, xrefs: 00579DCD
      • WjzBLNYs38Uc4h769UwPIez432UWfDBnDAO0ssyCx1tEZM823tHHXPpDTChjQ4Ij, xrefs: 0057A061
      • D9wEsodNa0vLtAVl1zpr4j+7azoV+zexC6fZghJ61FD68IQb8mQRsrhXE1NunRxX, xrefs: 0057A106
      • fEdondnJEkhLHgN0XRhdz0m9pAyELDJUK2qE2CD4IVFOUKjmJZHQ1Pwui/S0Z3fF, xrefs: 00579D28
      • +pxCMv+/Mm/XDL+wQHe4o+it20WgQqgxwoftogzOVA2+H3s7vRiu+agXZCKSRXyr, xrefs: 0057A127
      • TEHVbNT+XuSAksRTpBcPFkSJflEgJ9MD024aKu9Qj+cyMrfao13h+k87Ak5xwrnG, xrefs: 00579F38
      • /My5QVTCBXvNoWSDb/XwPyoWMwrnR431sgfEWseH39NCRiNBn1tLOw5+myZp4TaO, xrefs: 0057A20E
      • 864MI9BQgUn88bT7vv0k+tQ1ZxaJ5uz3LH9Of1O55FMfOAjiV9cLFDzx4cgE7rqH, xrefs: 00579F7A
      • d9QhutelZhsRvwvSHWuTuuKcFK+ZAsxVuAqIzOFrpHMZyk331Uv6QwU/U3CPcwHv, xrefs: 0057A1AB
      • jeywotsRDgSRZQvYP8qPEfpnLMVEjIJWICWYAu+zFRpYk5jGnGXY6P3fwlj5kY1H, xrefs: 00579F59
      • 79R3tOB5hYfEqfYAsSSudeX9fYezXFH6SRUbYxGkyX3jKU0Jk4R70H9+HAGcVP2a, xrefs: 00579F9B
      • CPUnJNux4gFPdqpCqhS9qrr38kZx+Xj+GUoPh+C/e4Y73hPHVpWjhRteX0ttIlAh, xrefs: 0057A082
      • 2fjibSs6LIPLRxniXJmGTcQDBJOiN2wl/ymCtn3AvliU0ObuOhF6hGP0/G2uLzb1, xrefs: 00579FFE
      • vixsmmVRMnSCeBY+iwu7sV3eJGY05KxC5nG6mo4IpSloskAERBDozR0EBztCpqzE, xrefs: 0057A0E5
      • 79wkP3oMNW47sucCpdlZ4gGbPCQ8d5737IN0Gxwx176wUSKq/CzA4ZhAWplnX9ME, xrefs: 00579CE6
      • kKt8tox3iLM01iltkeQqVG/CmMgYzp4CY9gp8eDQ3z4Jr2DGrzNlIflJZh3xMEkE, xrefs: 00579EF6
      • rahIO498Qmp6YunpBhq5IqxXdVrhmjqOhTakNV4H1HrlgfcEe33rxeXzterW3+yu, xrefs: 00579D6A
      • /+CvDilGGGnz5Kp4aV5bklJfNA0HWA7avFmf/o3BBjQZ9RxHAT89qDsscK0q3eAS, xrefs: 00579DAC
      • BwDVAK1Q/3gZN+LmAlN4JNw7L1zpEAP1688JXPIruR9g/JXUzEtquuBpL5gyINs1, xrefs: 0057A0C4
      • XCZasSG+xQxnZ7GYotBO/7rPjDZKJo/LmhyuE4N7Qs2+i5YIRAgvdtm2nxLWyRpE, xrefs: 00579D07
      • `2m, xrefs: 0057A293, 0057A2E7
      • 7hNqH70Qdac+Nko2uRZrNtSquZGoX/ofggW9uKbGus+TGyV/HH62UJkDhf0uhegm, xrefs: 0057A01F
      • j1XnDc9643MyvE+lTFsRn6Qs9VVyoaq2StmNmiuzOGEaz+WNILuxhqG+lnKcfi0y, xrefs: 0057A1ED
      • nO0EfxJNYzWa94+v3AuuL6nAyUXvVbdemN0kkDbkzs9XtA9vILWFcWKUG5845nGo, xrefs: 0057A18A
      • AgJoAQICAIAEAAQQbiCke/50Fnbqmi1ZiSsUVwSCB+jAtpYJWC9fDD/Y+lThSQ0S, xrefs: 00579CC5
      • NrKfP5oHMFqL5A2t5oeEZYSyuWLMiUafW5AooSa+pH8IGdRLP4bgCtsbL51m51Eb, xrefs: 00579D8B
      • 4oGOkoi1gybLdX3pHQxpRFYPIInnBW7KTyIJ9kMzEwRh74ePNA5hwNTMgxTwiaLD, xrefs: 0057A040
      • /66bXOlakIsehXS0H4EgUfd2cVqmbU8ZJ8ZJfwLBRKrYlUINOgimmwm4RTsfLBcr, xrefs: 00579D49
      • MuovB+gH5CR0Z2xO+DB0md7a/GbsGemKBzVmJCvP4uGiJ7K7lcfHGY/0A8TCEhiA, xrefs: 00579FBC
      • X9wtJb4rHjxK0k3eoRSNaqQj9X98ys3e0DzV/qlizcdB2SVO4bhgMg==, xrefs: 0057A22F
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Free$#608#712Copy$#685ChkstkError
      • String ID: +BoV/IxFZKtuFK5r3HpPf4TBMKj9jrN2UZhzJPB6mAEZgsp3NX5tqWuMM3VP9bVm$+pxCMv+/Mm/XDL+wQHe4o+it20WgQqgxwoftogzOVA2+H3s7vRiu+agXZCKSRXyr$/+CvDilGGGnz5Kp4aV5bklJfNA0HWA7avFmf/o3BBjQZ9RxHAT89qDsscK0q3eAS$/66bXOlakIsehXS0H4EgUfd2cVqmbU8ZJ8ZJfwLBRKrYlUINOgimmwm4RTsfLBcr$/My5QVTCBXvNoWSDb/XwPyoWMwrnR431sgfEWseH39NCRiNBn1tLOw5+myZp4TaO$/QBJrq0eQbEV1HjWkh/v7BQ2ykaekUjpB2GKpCy45NQ3aRgy47KHD33ZartUsUZV$1IbTqNuCEgUGY1w4180ELsYF1ZmbFh136XJvmlETa1qqy1Wupr+bIbt6lD21Dt33$2fjibSs6LIPLRxniXJmGTcQDBJOiN2wl/ymCtn3AvliU0ObuOhF6hGP0/G2uLzb1$3$36lkZjAVCd5vAPnBbgAARGPzvMTBQJJnLLpMDh3dvSzZzhhwuhAJoQ9hcINx2H8Z$4oGOkoi1gybLdX3pHQxpRFYPIInnBW7KTyIJ9kMzEwRh74ePNA5hwNTMgxTwiaLD$79R3tOB5hYfEqfYAsSSudeX9fYezXFH6SRUbYxGkyX3jKU0Jk4R70H9+HAGcVP2a$79wkP3oMNW47sucCpdlZ4gGbPCQ8d5737IN0Gxwx176wUSKq/CzA4ZhAWplnX9ME$7hNqH70Qdac+Nko2uRZrNtSquZGoX/ofggW9uKbGus+TGyV/HH62UJkDhf0uhegm$864MI9BQgUn88bT7vv0k+tQ1ZxaJ5uz3LH9Of1O55FMfOAjiV9cLFDzx4cgE7rqH$AgJoAQICAIAEAAQQbiCke/50Fnbqmi1ZiSsUVwSCB+jAtpYJWC9fDD/Y+lThSQ0S$BwDVAK1Q/3gZN+LmAlN4JNw7L1zpEAP1688JXPIruR9g/JXUzEtquuBpL5gyINs1$CPUnJNux4gFPdqpCqhS9qrr38kZx+Xj+GUoPh+C/e4Y73hPHVpWjhRteX0ttIlAh$D9wEsodNa0vLtAVl1zpr4j+7azoV+zexC6fZghJ61FD68IQb8mQRsrhXE1NunRxX$E1RQkxRD6fAuUe4c5J7AvnfQ6x0tNueZ3J2i5bDy2DOGlUUvQ5q+v86ATf4CDton$EN3YNVz6oggMjHKV6RQ1o0Qxnju8rYiC6dy9tnQHawT4UClkpYf/l2hqK+/nIQzp$MIIINAYJKwYBBAGCN1gDoIIIJTCCCCEGCisGAQQBgjdYAwGggggRMIIIDQIDAgAB$MuovB+gH5CR0Z2xO+DB0md7a/GbsGemKBzVmJCvP4uGiJ7K7lcfHGY/0A8TCEhiA$MvNy2XHn2nduSaV6cuu2e7hrq4i5AralYzK18xRImyGswx2OLrMYF2jltvcJ9LUI$NrKfP5oHMFqL5A2t5oeEZYSyuWLMiUafW5AooSa+pH8IGdRLP4bgCtsbL51m51Eb$TEHVbNT+XuSAksRTpBcPFkSJflEgJ9MD024aKu9Qj+cyMrfao13h+k87Ak5xwrnG$Uk0kWWxCHw8lrqYhNy4nQpGHevLEdcMWempUZlY3fjt5iduzo/h0dU5behCl3jER$WjzBLNYs38Uc4h769UwPIez432UWfDBnDAO0ssyCx1tEZM823tHHXPpDTChjQ4Ij$X9wtJb4rHjxK0k3eoRSNaqQj9X98ys3e0DzV/qlizcdB2SVO4bhgMg==$XCZasSG+xQxnZ7GYotBO/7rPjDZKJo/LmhyuE4N7Qs2+i5YIRAgvdtm2nxLWyRpE$Y7Dr0Wm4yfs3SDLB9ciHDkkmIhNxMrNQ2PWGKBoSPSzdYiPQN9EA+ODAo9RYFLrj$d9QhutelZhsRvwvSHWuTuuKcFK+ZAsxVuAqIzOFrpHMZyk331Uv6QwU/U3CPcwHv$e3TFtYWtdJeu8LGOipfgLv3y3nkKu28w0Gsvvp2hYN0SToePKmdE3Kl20UqeHyiJ$fEdondnJEkhLHgN0XRhdz0m9pAyELDJUK2qE2CD4IVFOUKjmJZHQ1Pwui/S0Z3fF$j1XnDc9643MyvE+lTFsRn6Qs9VVyoaq2StmNmiuzOGEaz+WNILuxhqG+lnKcfi0y$jeywotsRDgSRZQvYP8qPEfpnLMVEjIJWICWYAu+zFRpYk5jGnGXY6P3fwlj5kY1H$kKt8tox3iLM01iltkeQqVG/CmMgYzp4CY9gp8eDQ3z4Jr2DGrzNlIflJZh3xMEkE$nO0EfxJNYzWa94+v3AuuL6nAyUXvVbdemN0kkDbkzs9XtA9vILWFcWKUG5845nGo$ogeofIK4WR+HWq/3/znyQaEsIfFd1Mg9RNgcegXJ1KEUUofbFAu6txYWE/phor0/$pA9PiWERE7q9BXbaphl91FU7XDQspIlzsluJsH8kMByQY8skIntNlS1833/4L0Hk$q3mz8HC7a3tICl5aj+NZ+FRnNeOWY9U8hEOOpqA60LRJ2+PFGygwlYX0A09FskCp$rahIO498Qmp6YunpBhq5IqxXdVrhmjqOhTakNV4H1HrlgfcEe33rxeXzterW3+yu$vixsmmVRMnSCeBY+iwu7sV3eJGY05KxC5nG6mo4IpSloskAERBDozR0EBztCpqzE$w361RDERc57cljarx9VeaZ5W4EB0LW18viXVaWkig1bx1Si3iHa4XXYFPgycNF+0$wzSY1t8nsLIBP9iHtFWWizGZlEaYNCHR2aWLcqztmMjnDgLBiNx+x1GWzV9MD/wI$`2m
      • API String ID: 2976903542-3657057152
      • Opcode ID: 81d0ef4a5e4f965127092b577cb02919459f0c467887dcb817122691f9ae4e10
      • Instruction ID: ef55b04711c96772b2a8d7a9f167f635c9aceacdacbeea44827632c1aa3a6a7c
      • Opcode Fuzzy Hash: 81d0ef4a5e4f965127092b577cb02919459f0c467887dcb817122691f9ae4e10
      • Instruction Fuzzy Hash: 4512EE75A00108DFDB05DFA0DE5DAEEB7B5EB48305F2081A6E506B32B0DB765E49CB24
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00694CB0 Relevance: 152.7, APIs: 75, Strings: 12, Instructions: 474COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 00694CCE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 00694D0A
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 00694D1F
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 00694D31
      • __vbaStrCmp.MSVBVM60(true,?,?,?,?,?,00423E86), ref: 00694D4D
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 00694D70
      • __vbaStrMove.MSVBVM60(?,?,?,?,00423E86), ref: 00694D87
        • Part of subcall function 005A4CD0: __vbaChkstk.MSVBVM60(000000FF,00423E86), ref: 005A4CEE
        • Part of subcall function 005A4CD0: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,000000FF,00423E86), ref: 005A4D1E
        • Part of subcall function 005A4CD0: __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000000,00000000,000000FF,00423E86), ref: 005A4D36
        • Part of subcall function 005A4CD0: #525.MSVBVM60(00000104,?,00000000,00000000,000000FF,00423E86), ref: 005A4D50
        • Part of subcall function 005A4CD0: __vbaStrMove.MSVBVM60(?,00000000,00000000,000000FF,00423E86), ref: 005A4D5B
        • Part of subcall function 005A4CD0: __vbaLenBstr.MSVBVM60(00000000,?,00000000,00000000,000000FF,00423E86), ref: 005A4D6C
        • Part of subcall function 005A4CD0: __vbaStrToAnsi.MSVBVM60(00000000,00000000,00000000,?,00000000,00000000,000000FF,00423E86), ref: 005A4D7B
        • Part of subcall function 005A4CD0: __vbaSetSystemError.MSVBVM60(00000000,?,00000000,00000000,000000FF,00423E86), ref: 005A4D8A
        • Part of subcall function 005A4CD0: __vbaStrToUnicode.MSVBVM60(00000000,?,?,00000000,00000000,000000FF,00423E86), ref: 005A4D98
        • Part of subcall function 005A4CD0: __vbaFreeStr.MSVBVM60(?,00000000,00000000,000000FF,00423E86), ref: 005A4DA7
        • Part of subcall function 005A4CD0: #616.MSVBVM60(00000000,?,?,00000000,00000000,000000FF,00423E86), ref: 005A4DBC
        • Part of subcall function 005A4CD0: __vbaStrMove.MSVBVM60(?,00000000,00000000,000000FF,00423E86), ref: 005A4DC7
        • Part of subcall function 005A4CD0: __vbaLenBstr.MSVBVM60(00000000,?,00000000,00000000,000000FF,00423E86), ref: 005A4DD8
        • Part of subcall function 005A4CD0: #619.MSVBVM60(?,00004008,00000001), ref: 005A4E01
        • Part of subcall function 005A4CD0: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 005A4E1D
        • Part of subcall function 005A4CD0: __vbaFreeVar.MSVBVM60 ref: 005A4E2A
        • Part of subcall function 005A4CD0: __vbaStrCat.MSVBVM60(0042E5EC,00000000), ref: 005A4E48
      • __vbaStrMove.MSVBVM60(?,?,?,?,00423E86), ref: 00694D9E
      • __vbaStrCmp.MSVBVM60(0042ADE8,?,?,?,?,?,00423E86), ref: 00694DB4
      • __vbaStrCmp.MSVBVM60(0042ADE8,?,?,?,?,?,00423E86), ref: 00694DCA
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 00694DE6
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 00694DF1
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 00694E12
      • __vbaStrCat.MSVBVM60(AloahaCredentialProvider.dll,?,?,?,?,?,00423E86), ref: 00694E28
      • #645.MSVBVM60(00000008,00000000), ref: 00694E3E
      • __vbaStrMove.MSVBVM60 ref: 00694E49
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 00694E55
      • __vbaFreeStr.MSVBVM60 ref: 00694E6C
      • __vbaFreeVar.MSVBVM60 ref: 00694E75
      • #685.MSVBVM60 ref: 00694E91
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00694E9C
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 00694EE7
      • __vbaFreeObj.MSVBVM60 ref: 00694F17
      • __vbaStrCat.MSVBVM60(AloahaCredentialProvider.dll,?), ref: 00694F38
      • __vbaStrMove.MSVBVM60 ref: 00694F43
      • __vbaStrCat.MSVBVM60(AloahaCredentialProvider.dll,?), ref: 00694F52
      • __vbaStrMove.MSVBVM60 ref: 00694F5D
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?), ref: 00694F7A
      • #685.MSVBVM60(?,?,00423E86), ref: 00694F8A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00694F95
      • __vbaFreeObj.MSVBVM60(?,?,00423E86), ref: 00694FB6
      • __vbaStrCat.MSVBVM60(AloahaUICredentials.dll,?), ref: 00694FCC
      • #645.MSVBVM60(00000008,00000000), ref: 00694FE2
      • __vbaStrMove.MSVBVM60 ref: 00694FED
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 00694FF9
      • __vbaFreeStr.MSVBVM60 ref: 00695010
      • __vbaFreeVar.MSVBVM60 ref: 00695019
      • #685.MSVBVM60 ref: 00695035
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00695040
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 0069508B
      • __vbaFreeObj.MSVBVM60 ref: 006950BB
      • __vbaStrCat.MSVBVM60(AloahaUICredentials.dll,?), ref: 006950DC
      • __vbaStrMove.MSVBVM60 ref: 006950E7
      • __vbaStrCat.MSVBVM60(AloahaUICredentials.dll,?), ref: 006950F6
      • __vbaStrMove.MSVBVM60 ref: 00695101
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?), ref: 0069511E
      • #685.MSVBVM60(?,?,00423E86), ref: 0069512E
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00695139
      • __vbaFreeObj.MSVBVM60(?,?,00423E86), ref: 0069515A
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0069516F
      • #520.MSVBVM60(?,00000008), ref: 00695190
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 006951AC
      • __vbaFreeStr.MSVBVM60 ref: 006951BC
      • __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 006951CC
      • __vbaVarDup.MSVBVM60 ref: 00695208
      • __vbaFreeVarList.MSVBVM60(00000002,00000003,?,00000003,?), ref: 00695233
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,00423E86), ref: 0069524B
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,00423E86), ref: 00695259
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,00423E86), ref: 00695276
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00423E86), ref: 0069528E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00423E86), ref: 0069529C
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 006952B9
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 006952D1
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 006952DF
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?), ref: 006952FC
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 00695316
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 00695324
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 00695332
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 00695340
      • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,?,?,?), ref: 0069536D
        • Part of subcall function 005D9640: __vbaChkstk.MSVBVM60(?,00423E86), ref: 005D965E
        • Part of subcall function 005D9640: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 005D968E
        • Part of subcall function 005D9640: __vbaStrCmp.MSVBVM60(true,00000000,?,?,?,?,00423E86), ref: 005D96A6
        • Part of subcall function 005D9640: __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 005D96C5
        • Part of subcall function 005D9640: __vbaStrMove.MSVBVM60(?,?,?,?,00423E86), ref: 005D96DC
        • Part of subcall function 005D9640: __vbaStrCmp.MSVBVM60(0042ADE8,?,?,?,?,?,00423E86), ref: 005D96F2
        • Part of subcall function 005D9640: #619.MSVBVM60(?,00004008,00000001), ref: 005D971E
        • Part of subcall function 005D9640: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 005D973A
        • Part of subcall function 005D9640: __vbaFreeVar.MSVBVM60 ref: 005D9747
        • Part of subcall function 005D9640: __vbaStrCat.MSVBVM60(0042E5EC,?), ref: 005D9765
        • Part of subcall function 005D9640: __vbaStrMove.MSVBVM60 ref: 005D9770
        • Part of subcall function 005D9640: #685.MSVBVM60 ref: 005D977D
        • Part of subcall function 005D9640: __vbaObjSet.MSVBVM60(?,00000000), ref: 005D9788
        • Part of subcall function 005D9640: __vbaFreeObj.MSVBVM60 ref: 005D97A9
        • Part of subcall function 005D9640: __vbaStrCat.MSVBVM60(AloahaCredentialProvider.dll,?), ref: 005D97BF
        • Part of subcall function 005D9640: #645.MSVBVM60(00000008,00000000), ref: 005D97D5
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 00695389
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 00695394
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 006953B5
      • __vbaFreeStr.MSVBVM60(00695411,?,?,?,?,00423E86), ref: 00695401
      • __vbaFreeStr.MSVBVM60(?,?,?,?,00423E86), ref: 0069540A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$Copy$List$#685$ChkstkError$#645$#520#619BstrCheckHresult$#518#525#616#711AnsiIndexLoadLockSystemUnicodeUnlock
      • String ID: $781A7B48-79A7-4fcf-92CC-A6977171F1A8$AloahaCredentialProvider.dll$AloahaCredentials:RegisterCredentialProvider$AloahaUICredentials.dll$CredentialProviders$HKLM\SOFTWARE\Aloaha\CP\CredentialProviderFilter$HKLM\SOFTWARE\Aloaha\CP\F8A0B131-5F68-486c-8040-7E8FC3C85BB6$HKLM\Software\Aloaha\GINA\Enable_PIN_or_PASS$Software\Aloaha\GINA$true$`2m
      • API String ID: 3078734486-1977472881
      • Opcode ID: 720386b85f31214f3f2b9c541960e56dd9a4791207d0fa0fc9d91ced779ca841
      • Instruction ID: d8179ed2346be1527f05ae2e0b275778a62299cdcc13b055adbd8a1630a042e3
      • Opcode Fuzzy Hash: 720386b85f31214f3f2b9c541960e56dd9a4791207d0fa0fc9d91ced779ca841
      • Instruction Fuzzy Hash: 19222871900218EFDB04DFA0EE48BEEBB78FF48705F1081A9E506A7261DB745A49CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005D08D0 Relevance: 138.7, APIs: 70, Strings: 9, Instructions: 469COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,?,005826EF,Aloahacertinstaller), ref: 005D08EE
      • __vbaStrCopy.MSVBVM60(6D23D8CD,00000001,?,00000000,00423E86), ref: 005D091B
      • __vbaOnError.MSVBVM60(000000FF), ref: 005D092A
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 005D0942
        • Part of subcall function 005D9E00: __vbaChkstk.MSVBVM60(00000000,00423E86,005200D7,?,?,?,00000000,00423E86), ref: 005D9E1E
        • Part of subcall function 005D9E00: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86,005200D7), ref: 005D9E4E
        • Part of subcall function 005D9E00: __vbaStrCmp.MSVBVM60(true,00000000,?,?,?,00000000,00423E86,005200D7), ref: 005D9E66
        • Part of subcall function 005D9E00: #685.MSVBVM60 ref: 005DA126
        • Part of subcall function 005D9E00: __vbaObjSet.MSVBVM60(00000000,00000000), ref: 005DA131
        • Part of subcall function 005D9E00: __vbaFreeObj.MSVBVM60 ref: 005DA152
        • Part of subcall function 005D9E00: __vbaFreeStr.MSVBVM60(005DA193), ref: 005DA183
        • Part of subcall function 005D9E00: __vbaFreeStr.MSVBVM60 ref: 005DA18C
      • __vbaStrCopy.MSVBVM60 ref: 005D0975
      • __vbaStrCat.MSVBVM60(localhost,winmgmts://), ref: 005D099A
      • __vbaStrMove.MSVBVM60 ref: 005D09A5
      • #685.MSVBVM60 ref: 005D09B2
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005D09BD
      • __vbaFreeObj.MSVBVM60 ref: 005D09DE
      • __vbaStrCat.MSVBVM60(?,select * from Win32_Process WHERE Name = '), ref: 005D09F4
      • __vbaStrMove.MSVBVM60 ref: 005D09FF
      • __vbaStrCat.MSVBVM60(004322AC,00000000), ref: 005D0A0B
      • #626.MSVBVM60(?,00004008,0000000A), ref: 005D0A4E
      • __vbaChkstk.MSVBVM60 ref: 005D0A59
      • __vbaVarLateMemCallLd.MSVBVM60(?,?,ExecQuery,00000001), ref: 005D0A8F
      • __vbaVarSetVar.MSVBVM60(?,00000000), ref: 005D0A9D
      • __vbaFreeStr.MSVBVM60 ref: 005D0AA6
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 005D0ABD
      • __vbaForEachVar.MSVBVM60(?,?,?,?,?,?), ref: 005D0AF1
      • __vbaVarLateMemCallLdRf.MSVBVM60(?,?,Caption,00000000), ref: 005D0B2E
      • #518.MSVBVM60(?,00000000), ref: 005D0B3C
      • #518.MSVBVM60(?,00004008), ref: 005D0B63
      • __vbaVarTstEq.MSVBVM60(?,?), ref: 005D0B74
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 005D0B92
      • __vbaObjVar.MSVBVM60(?,Terminate,00000000), ref: 005D0BB8
      • __vbaLateMemCall.MSVBVM60(00000000), ref: 005D0BBF
      • __vbaVarLateMemCallLdRf.MSVBVM60(?,?,Caption,00000000), ref: 005D0BE1
      • __vbaVarLateMemCallLd.MSVBVM60(?,?,Caption,00000000), ref: 005D0C0D
      • __vbaLenVar.MSVBVM60(?,00000000), ref: 005D0C1B
      • __vbaVarSub.MSVBVM60(?,?,00000000), ref: 005D0C30
      • __vbaI4Var.MSVBVM60(00000000), ref: 005D0C37
      • #617.MSVBVM60(?,?,00000000), ref: 005D0C4C
      • #518.MSVBVM60(?,?), ref: 005D0C60
      • __vbaVarSetObjAddref.MSVBVM60(?,00000000), ref: 005D0F1A
      • __vbaVarSetObjAddref.MSVBVM60(?,00000000), ref: 005D0F2D
      • #685.MSVBVM60 ref: 005D0F3A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005D0F45
      • __vbaFreeObj.MSVBVM60 ref: 005D0F66
      • __vbaAryUnlock.MSVBVM60(?,005D100A), ref: 005D0FCA
      • __vbaFreeObj.MSVBVM60 ref: 005D0FD6
      • __vbaFreeVar.MSVBVM60 ref: 005D0FDF
      • __vbaFreeStr.MSVBVM60 ref: 005D0FE8
      • __vbaFreeStr.MSVBVM60 ref: 005D0FF1
      • __vbaFreeVar.MSVBVM60 ref: 005D0FFA
      • __vbaFreeStr.MSVBVM60 ref: 005D1003
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$CallLate$#518#685Chkstk$AddrefCopyErrorListMove$#617#626EachUnlock
      • String ID: .exe$Caption$ExecQuery$Terminate$localhost$select * from Win32_Process WHERE Name = '$winmgmts://$&X$`2m
      • API String ID: 3886220148-18637549
      • Opcode ID: 0e3550f2970bc4a66b7e2193909030a31088aaa035a6913a00a8f8a76b4be693
      • Instruction ID: 4652fd2926123c0d7c58042310740a17c06f9d1ee7d242c460eb113fa4bce54f
      • Opcode Fuzzy Hash: 0e3550f2970bc4a66b7e2193909030a31088aaa035a6913a00a8f8a76b4be693
      • Instruction Fuzzy Hash: 60120DB1800218EFDB14DFA4DD88FDEBB78BF48705F10859AE60AB6161DB745A88CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0064AC40 Relevance: 133.5, APIs: 69, Strings: 7, Instructions: 488COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,00000000,00000000,00000000,00423E86,0042ADE8), ref: 0064AC5E
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00423E86), ref: 0064AC8E
      • #520.MSVBVM60(?,00004008), ref: 0064ACBD
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0064ACE5
      • __vbaFreeVar.MSVBVM60 ref: 0064ACF8
      • __vbaStrMove.MSVBVM60 ref: 0064AD1C
      • __vbaAryMove.MSVBVM60(?,?), ref: 0064AD3F
      • __vbaVarDup.MSVBVM60 ref: 0064AD6C
      • #710.MSVBVM60(00006008,?,Going to check: ), ref: 0064AD98
      • __vbaStrMove.MSVBVM60 ref: 0064ADA3
      • __vbaStrCat.MSVBVM60(00000000), ref: 0064ADAA
      • __vbaStrMove.MSVBVM60 ref: 0064ADB5
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,?), ref: 0064ADCE
      • __vbaFreeVar.MSVBVM60(00000000,00000000,00423E86), ref: 0064ADDD
      • __vbaStrCopy.MSVBVM60 ref: 0064ADF4
      • #685.MSVBVM60 ref: 0064AE0F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0064AE1A
      • __vbaFreeObj.MSVBVM60 ref: 0064AE3B
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0064AE7F
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0064AE9C
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 0064AEBD
      • #685.MSVBVM60 ref: 0064AED2
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0064AEDD
        • Part of subcall function 00605770: __vbaChkstk.MSVBVM60(00000000,00423E86), ref: 0060578E
        • Part of subcall function 00605770: __vbaFixstrConstruct.MSVBVM60(000000FF,00000000,6D23D8B1,00000000,6D23D8CD,00000000,00423E86), ref: 006057BE
        • Part of subcall function 00605770: __vbaOnError.MSVBVM60(000000FF), ref: 006057CD
        • Part of subcall function 00605770: __vbaStrToAnsi.MSVBVM60(?,?), ref: 006057E2
        • Part of subcall function 00605770: __vbaLenBstr.MSVBVM60(?,00000000), ref: 006057ED
        • Part of subcall function 00605770: __vbaSetSystemError.MSVBVM60(00000000), ref: 006057FF
        • Part of subcall function 00605770: __vbaStrToUnicode.MSVBVM60(?,?), ref: 0060580D
        • Part of subcall function 00605770: __vbaLsetFixstr.MSVBVM60(00000000,?,00000000), ref: 0060581A
        • Part of subcall function 00605770: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00605833
        • Part of subcall function 00605770: #608.MSVBVM60(?,00000000), ref: 0060585C
        • Part of subcall function 00605770: __vbaInStrVar.MSVBVM60(?,00000000,?,00000008,00000001), ref: 00605889
        • Part of subcall function 00605770: __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 00605897
        • Part of subcall function 00605770: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 006058AE
        • Part of subcall function 00605770: #608.MSVBVM60(?,00000000), ref: 006058D3
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 0064AF28
      • __vbaFreeObj.MSVBVM60 ref: 0064AF58
      • __vbaForEachAry.MSVBVM60(00000008,?,?,?,00000000), ref: 0064AF8C
      • __vbaStrCopy.MSVBVM60 ref: 0064AFC2
      • __vbaStrErrVarCopy.MSVBVM60(?), ref: 0064AFD3
      • __vbaStrMove.MSVBVM60 ref: 0064AFDE
      • #685.MSVBVM60 ref: 0064AFEB
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0064AFF6
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 0064B041
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 0064B070
      • __vbaFreeObj.MSVBVM60 ref: 0064B08B
      • __vbaRecAssign.MSVBVM60(00437A70,?,?,?), ref: 0064B0CF
      • __vbaRecDestruct.MSVBVM60(00437A70,?), ref: 0064B0E8
      • __vbaRecAssign.MSVBVM60(00437A70,?,?,?,?), ref: 0064B10E
      • #520.MSVBVM60(?,00004008), ref: 0064B15F
      • #518.MSVBVM60(?,?), ref: 0064B173
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0064B19B
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0064B1B8
      • #520.MSVBVM60(?,00004008), ref: 0064B1F8
      • #518.MSVBVM60(?,00004008), ref: 0064B247
      • #520.MSVBVM60(?,?), ref: 0064B25B
      • __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 0064B28E
      • __vbaVarCmpGt.MSVBVM60(?,00008002,00000000), ref: 0064B2A3
      • __vbaVarCmpEq.MSVBVM60(?,00008008,?,00000000), ref: 0064B2BF
      • __vbaVarOr.MSVBVM60(?,00000000), ref: 0064B2CD
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 0064B2D4
      • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0064B2FF
      • __vbaStrCat.MSVBVM60(?,Found: ), ref: 0064B323
      • __vbaStrMove.MSVBVM60 ref: 0064B32E
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?), ref: 0064B340
      • __vbaStrCopy.MSVBVM60 ref: 0064B353
      • __vbaExitEachAry.MSVBVM60(?), ref: 0064B360
      • __vbaExitEachAry.MSVBVM60(?), ref: 0064B37C
      • #685.MSVBVM60 ref: 0064B3BF
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0064B3CA
      • __vbaFreeObj.MSVBVM60 ref: 0064B3EB
      • __vbaAryUnlock.MSVBVM60(?,0064B4CF), ref: 0064B46B
      • __vbaRecDestruct.MSVBVM60(00437A70,?), ref: 0064B47D
      • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0064B48C
      • __vbaRecDestruct.MSVBVM60(00437A70,?), ref: 0064B49B
      • __vbaFreeStr.MSVBVM60 ref: 0064B4A4
      • __vbaRecDestruct.MSVBVM60(00437A70,?), ref: 0064B4B3
      • __vbaAryDestruct.MSVBVM60(00000000,00000000), ref: 0064B4BF
      • __vbaFreeVar.MSVBVM60 ref: 0064B4C8
      • __vbaErrorOverflow.MSVBVM60 ref: 0064B4E3
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$Error$Destruct$#520CopyList$#685Chkstk$#518Each$#608AssignBoundsCheckExitFixstrGenerateHresultUnlock$#710#711AnsiBoolBstrConstructIndexLoadLockLsetNullOverflowSystemUnicode
      • String ID: ($<>k$Found: $Going to check: $cd drive$gemalto$`2m
      • API String ID: 3228401062-2446419755
      • Opcode ID: c5183a1c175033f7744fc1601649b9c4046867dbabb722ad06f239183fa606d8
      • Instruction ID: 96fdd4c61585da130d94511fc50a1e548d7690f28b746607678816fd7d3d3f73
      • Opcode Fuzzy Hash: c5183a1c175033f7744fc1601649b9c4046867dbabb722ad06f239183fa606d8
      • Instruction Fuzzy Hash: 3F321CB5900218DFDB24DFA0DD48BDEB7B9FF48305F1081A9E50AA7260DB745A88CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00615C90 Relevance: 128.2, APIs: 69, Strings: 4, Instructions: 466COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 00615CAE
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 00615CDB
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 00615CE7
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 00615CF6
      • #712.MSVBVM60(?,0042FA64,0042ADE8,00000001,000000FF,00000000,?,?,?,?,00423E86), ref: 00615D17
      • #528.MSVBVM60(?,00000008), ref: 00615D3B
      • __vbaStrVarMove.MSVBVM60(?), ref: 00615D48
      • __vbaStrMove.MSVBVM60 ref: 00615D53
      • __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 00615D69
      • __vbaStrCmp.MSVBVM60(0042ADE8,?,?,?,00423E86), ref: 00615D82
      • __vbaStrCopy.MSVBVM60(?,?,00423E86), ref: 00615DA2
      • __vbaStrCopy.MSVBVM60(?,?,00423E86), ref: 00615DB3
        • Part of subcall function 005ED250: __vbaChkstk.MSVBVM60(?,00423E86), ref: 005ED26E
        • Part of subcall function 005ED250: __vbaStrCopy.MSVBVM60(?,00000001,00000000,?,00423E86), ref: 005ED29B
        • Part of subcall function 005ED250: __vbaOnError.MSVBVM60(000000FF,?,00000001,00000000,?,00423E86), ref: 005ED2AA
        • Part of subcall function 005ED250: #518.MSVBVM60(?,00004008), ref: 005ED2F5
        • Part of subcall function 005ED250: __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 005ED336
        • Part of subcall function 005ED250: __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 005ED344
        • Part of subcall function 005ED250: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005ED35B
        • Part of subcall function 005ED250: #518.MSVBVM60(?,00004008), ref: 005ED3B4
        • Part of subcall function 005ED250: __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 005ED3F5
        • Part of subcall function 005ED250: __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 005ED403
      • __vbaObjSet.MSVBVM60(?,00000000,AloahaCSPCore.provider,00000000,?,?), ref: 00615DE6
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00615DFC
      • #685.MSVBVM60(?,?,?,?,?,00423E86), ref: 00615E0C
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,00423E86), ref: 00615E1A
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,00423E86), ref: 00615E3E
        • Part of subcall function 00617600: __vbaChkstk.MSVBVM60(?,00423E86,?,?,?,00615E5B,?,?,?,?,?,?,?,00423E86), ref: 0061761E
        • Part of subcall function 00617600: __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0061764B
        • Part of subcall function 00617600: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0061765A
        • Part of subcall function 00617600: __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0061766F
        • Part of subcall function 00617600: __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0061767D
        • Part of subcall function 00617600: __vbaObjSet.MSVBVM60(?,00000000,CAPICOM.Utilities,00000000,?,?), ref: 006176A4
        • Part of subcall function 00617600: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 006176B4
        • Part of subcall function 00617600: __vbaChkstk.MSVBVM60 ref: 006176D6
        • Part of subcall function 00617600: __vbaLateMemCallLd.MSVBVM60(?,?,HexToBinary,00000001), ref: 00617703
        • Part of subcall function 00617600: __vbaStrVarMove.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 0061770D
        • Part of subcall function 00617600: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00423E86), ref: 00617718
        • Part of subcall function 00617600: __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00423E86), ref: 00617721
        • Part of subcall function 00617600: __vbaChkstk.MSVBVM60 ref: 00617740
      • __vbaVarMove.MSVBVM60(?,?,?,?,?,?,?,00423E86), ref: 00615E64
      • __vbaRefVarAry.MSVBVM60(?,?,?,?,?,?,00423E86), ref: 00615E75
      • __vbaUbound.MSVBVM60(00000001,?,?,?,?,?,?,00423E86), ref: 00615E80
      • #685.MSVBVM60(?,?,?,?,?,?,00423E86), ref: 00615E96
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,00423E86), ref: 00615EA4
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 00615EEF
      • __vbaFreeObj.MSVBVM60 ref: 00615F22
      • __vbaLateMemCallLd.MSVBVM60(?,?,info,00000000), ref: 00615F64
      • __vbaVarTstGt.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00423E86), ref: 00615F75
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,00423E86), ref: 00615F88
      • #685.MSVBVM60(?,?,?,?,?,?,?,?,?,00423E86), ref: 00615FA4
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00423E86), ref: 00615FB2
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 00615FFD
      • __vbaFreeObj.MSVBVM60 ref: 00616030
      • __vbaVarMove.MSVBVM60(?,?), ref: 00616065
      • #528.MSVBVM60(?,?), ref: 0061607D
      • __vbaVarTstGt.MSVBVM60(00008002,?), ref: 006160A5
      • __vbaFreeVar.MSVBVM60 ref: 006160B8
      • #685.MSVBVM60 ref: 006160D4
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 006160E2
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 0061612D
      • __vbaFreeObj.MSVBVM60 ref: 00616160
      • __vbaChkstk.MSVBVM60 ref: 006161D1
      • __vbaChkstk.MSVBVM60 ref: 00616200
      • __vbaChkstk.MSVBVM60 ref: 0061622F
      • __vbaLateMemCallLd.MSVBVM60(?,?,RSA_Encrypt,00000003), ref: 0061626B
      • __vbaVarTstEq.MSVBVM60(?,00000000), ref: 0061627C
      • __vbaFreeVar.MSVBVM60 ref: 0061628F
      • #685.MSVBVM60 ref: 006162AB
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 006162B9
      • __vbaFreeObj.MSVBVM60 ref: 006162DD
      • __vbaRefVarAry.MSVBVM60(?), ref: 006162F1
      • __vbaUbound.MSVBVM60(00000001), ref: 006162FC
      • #685.MSVBVM60 ref: 00616312
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00616320
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 0061636B
      • __vbaFreeObj.MSVBVM60 ref: 0061639E
      • __vbaChkstk.MSVBVM60 ref: 006163BB
      • __vbaStrMove.MSVBVM60 ref: 006163E6
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,?,?,00423E86), ref: 006163F9
      • #685.MSVBVM60(?,?,00423E86), ref: 00616406
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,00423E86), ref: 00616414
      • __vbaFreeObj.MSVBVM60(?,?,00423E86), ref: 00616438
      • __vbaFreeVar.MSVBVM60(006164EC,?,?,00423E86), ref: 0061649A
      • __vbaFreeVar.MSVBVM60(?,?,00423E86), ref: 006164A3
      • __vbaFreeVar.MSVBVM60(?,?,00423E86), ref: 006164AC
      • __vbaFreeVar.MSVBVM60(?,?,00423E86), ref: 006164B5
      • __vbaFreeStr.MSVBVM60(?,?,00423E86), ref: 006164BE
      • __vbaFreeObj.MSVBVM60(?,?,00423E86), ref: 006164C7
      • __vbaFreeStr.MSVBVM60(?,?,00423E86), ref: 006164D0
      • __vbaFreeStr.MSVBVM60(?,?,00423E86), ref: 006164D9
      • __vbaFreeVar.MSVBVM60(?,?,00423E86), ref: 006164E5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Chkstk$Copy$#685Move$CheckHresultList$CallErrorLate$#518#528Ubound$#712Addref
      • String ID: AloahaCSPCore.provider$RSA_Encrypt$info$`2m
      • API String ID: 3141605034-4232117830
      • Opcode ID: 01c22fa19882113ce49c75e796da1d8080fd9e2519a3703277ca800c1127ad5b
      • Instruction ID: 512afb4a998647ed5fdf13cf45c6c5a154cac4f3483dc785feab65790c0b81df
      • Opcode Fuzzy Hash: 01c22fa19882113ce49c75e796da1d8080fd9e2519a3703277ca800c1127ad5b
      • Instruction Fuzzy Hash: C3320774900229DFDB24DF60DE88BEDB7B5BF08301F1481E9E50AA76A0DB749A84CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0064A480 Relevance: 126.4, APIs: 66, Strings: 6, Instructions: 435COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,?,?,?,00000000,00000000,00423E86), ref: 0064A49E
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0064A4CB
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0064A4D7
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0064A4E3
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00423E86), ref: 0064A4F2
      • #520.MSVBVM60(?,00004008), ref: 0064A537
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0064A55C
      • __vbaFreeVar.MSVBVM60 ref: 0064A56C
      • __vbaStrCopy.MSVBVM60 ref: 0064A58C
      • #520.MSVBVM60(?,00004008), ref: 0064A5B7
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0064A5DC
      • __vbaFreeVar.MSVBVM60 ref: 0064A5EC
      • __vbaStrCopy.MSVBVM60 ref: 0064A60C
      • #518.MSVBVM60(?,00004008), ref: 0064A637
      • #518.MSVBVM60(?,00004008), ref: 0064A66F
      • __vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 0064A698
      • __vbaVarCmpEq.MSVBVM60(?,00008008,?,00000000), ref: 0064A6B1
      • __vbaVarOr.MSVBVM60(?,00000000), ref: 0064A6BF
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 0064A6C6
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0064A6DD
      • #518.MSVBVM60(?,00004008), ref: 0064A71A
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0064A73F
      • __vbaFreeVar.MSVBVM60 ref: 0064A74F
      • __vbaStrMove.MSVBVM60 ref: 0064A771
        • Part of subcall function 00648940: __vbaChkstk.MSVBVM60(00000000,00423E86), ref: 0064895E
        • Part of subcall function 00648940: __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0064898B
        • Part of subcall function 00648940: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00423E86), ref: 0064899A
        • Part of subcall function 00648940: #520.MSVBVM60(?,00004008), ref: 006489BD
        • Part of subcall function 00648940: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 006489D9
        • Part of subcall function 00648940: __vbaFreeVar.MSVBVM60 ref: 006489E6
        • Part of subcall function 00648940: __vbaChkstk.MSVBVM60(00000000), ref: 00648A25
        • Part of subcall function 00648940: __vbaVarIndexLoad.MSVBVM60(?,00002008,00000001,00000000), ref: 00648A4D
        • Part of subcall function 00648940: __vbaStrVarVal.MSVBVM60(00000000,?,00000000,?,?,?,00000000,00000000,00000000,00423E86), ref: 00648A62
        • Part of subcall function 00648940: __vbaFreeStr.MSVBVM60(00000000,?,?,?,00000000,00000000,00000000,00423E86), ref: 00648A71
        • Part of subcall function 00648940: __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,00000000,00000000,00000000,00423E86), ref: 00648A81
        • Part of subcall function 00648940: #520.MSVBVM60(?,00004008), ref: 00648AA7
      • __vbaFreeStr.MSVBVM60(0000012C,00000000), ref: 0064A785
        • Part of subcall function 005FF9D0: __vbaChkstk.MSVBVM60(?,00423E86,?,?,?,006482FD,?,006B3E20,?,?,?,?,?,?,00423E86), ref: 005FF9EE
        • Part of subcall function 005FF9D0: __vbaAryConstruct2.MSVBVM60(?,00455ACC,00000011,?,00000000,00000000,?,00423E86), ref: 005FFA20
        • Part of subcall function 005FF9D0: __vbaAryConstruct2.MSVBVM60(?,00455ACC,00000011,?,00000000,00000000,?,00423E86), ref: 005FFA31
        • Part of subcall function 005FF9D0: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005FFA40
        • Part of subcall function 005FF9D0: #520.MSVBVM60(?,00004008), ref: 005FFA7B
        • Part of subcall function 005FF9D0: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 005FFAA3
        • Part of subcall function 005FF9D0: __vbaFreeVar.MSVBVM60 ref: 005FFAB6
        • Part of subcall function 005FF9D0: __vbaStrCopy.MSVBVM60 ref: 005FFAD6
        • Part of subcall function 005FF9D0: __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 005FFAEE
        • Part of subcall function 005FF9D0: __vbaStrCopy.MSVBVM60 ref: 005FFB07
        • Part of subcall function 005FF9D0: #685.MSVBVM60 ref: 0060032C
        • Part of subcall function 005FF9D0: __vbaObjSet.MSVBVM60(?,00000000), ref: 00600337
        • Part of subcall function 005FF9D0: __vbaFreeObj.MSVBVM60 ref: 00600358
        • Part of subcall function 005FF9D0: __vbaAryDestruct.MSVBVM60(00000000,?,006003DF), ref: 006003C0
        • Part of subcall function 005FF9D0: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 006003D8
      • #608.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0064A7BC
      • __vbaVarAdd.MSVBVM60(?,00000008,?), ref: 0064A80C
      • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0064A81E
      • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0064A833
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 0064A83A
      • __vbaStrMove.MSVBVM60 ref: 0064A845
      • __vbaStrMove.MSVBVM60(?,?), ref: 0064A85D
      • __vbaFreeStr.MSVBVM60 ref: 0064A866
      • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0064A881
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 0064A89A
      • __vbaStrMove.MSVBVM60(?,0042ADE8,?,0042ADE8,?), ref: 0064A907
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 0064A91D
        • Part of subcall function 00604E60: __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,00000000,00000000,00000000,00423E86,0042ADE8), ref: 00604E7E
        • Part of subcall function 00604E60: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00423E86), ref: 00604EAE
        • Part of subcall function 00604E60: __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000000,00000000,00000000,00423E86), ref: 00604EC6
        • Part of subcall function 00604E60: __vbaStrMove.MSVBVM60(gto_discovery.dll,?,00000000,00000000,00000000,00423E86), ref: 00604EE8
        • Part of subcall function 00604E60: __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000000,00000000,00000000,00423E86), ref: 00604F01
        • Part of subcall function 00604E60: __vbaStrMove.MSVBVM60(gto_core.dll,?,00000000,00000000,00000000,00423E86), ref: 00604F23
        • Part of subcall function 00604E60: __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 00604F39
        • Part of subcall function 00604E60: #685.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 00604F46
        • Part of subcall function 00604E60: __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000,00000000,00000000,00423E86), ref: 00604F51
        • Part of subcall function 00604E60: __vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 00604F69
      • __vbaStrMove.MSVBVM60(?,?), ref: 0064A944
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 0064A95A
      • #632.MSVBVM60(?,00004008,00000002,00000002), ref: 0064A9A1
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0064A9C6
      • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0064A9DD
      • #619.MSVBVM60(?,00004008,00000001), ref: 0064AA1C
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0064AA41
      • __vbaFreeVar.MSVBVM60 ref: 0064AA51
      • __vbaLenBstr.MSVBVM60(?), ref: 0064AA84
      • #617.MSVBVM60(?,00004008,-00000001), ref: 0064AA9F
      • __vbaStrVarMove.MSVBVM60(?), ref: 0064AAA9
      • __vbaStrMove.MSVBVM60 ref: 0064AAB4
      • __vbaFreeVar.MSVBVM60 ref: 0064AABD
      • __vbaLenBstr.MSVBVM60(?), ref: 0064AAE1
      • #619.MSVBVM60(?,00004008,-00000002), ref: 0064AAFC
      • __vbaStrVarMove.MSVBVM60(?), ref: 0064AB06
      • __vbaStrMove.MSVBVM60 ref: 0064AB11
      • __vbaFreeVar.MSVBVM60 ref: 0064AB1A
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 0064AB30
      • __vbaStrCmp.MSVBVM60(?,?), ref: 0064AB49
      • #685.MSVBVM60(00000000,00000000,00423E86), ref: 0064AB84
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0064AB8F
      • __vbaFreeObj.MSVBVM60 ref: 0064ABB0
      • __vbaFreeStr.MSVBVM60(0064AC23), ref: 0064ABF8
      • __vbaFreeStr.MSVBVM60 ref: 0064AC01
      • __vbaFreeStr.MSVBVM60 ref: 0064AC0A
      • __vbaFreeStr.MSVBVM60 ref: 0064AC13
      • __vbaFreeStr.MSVBVM60 ref: 0064AC1C
      • __vbaErrorOverflow.MSVBVM60 ref: 0064AC3A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$Copy$#520ChkstkError$List$#518#685$#619BstrConstruct2Destruct$#608#617#632BoolIndexLoadNullOverflow
      • String ID: -$23081970$KeinPassword$reset$reset\reset$`2m
      • API String ID: 4180056421-1726886527
      • Opcode ID: 22ac86c26cf02133e88828fb0f3294a511fdd160451a019d1941f2ce0e81d12d
      • Instruction ID: 32b5755d4fcde9b5cbab3249c4bac1a2b4bbf74b27bbc68f14c1d7471d96630c
      • Opcode Fuzzy Hash: 22ac86c26cf02133e88828fb0f3294a511fdd160451a019d1941f2ce0e81d12d
      • Instruction Fuzzy Hash: 4322F6B5900218EFDB14DFA0DD88BDEBB79BF48305F1081A9E506B7260DB745A88CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0062D8E0 Relevance: 126.4, APIs: 61, Strings: 11, Instructions: 411COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0062D8FE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0062D937
      • __vbaChkstk.MSVBVM60 ref: 0062D98B
      • __vbaChkstk.MSVBVM60 ref: 0062D9AE
      • __vbaLateMemCallLd.MSVBVM60(?,?,DESencrypt,00000002), ref: 0062D9DE
      • __vbaStrVarMove.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 0062D9E8
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 0062D9F3
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 0062D9FC
      • __vbaHresultCheckObj.MSVBVM60(?,?,0045B570,00000064), ref: 0062DA42
      • __vbaStrCopy.MSVBVM60 ref: 0062DA77
      • __vbaStrCopy.MSVBVM60 ref: 0062DA8C
      • #685.MSVBVM60 ref: 0062DA99
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0062DAA4
      • __vbaFreeObj.MSVBVM60 ref: 0062DAC5
      • __vbaStrCmp.MSVBVM60(0042ADE8), ref: 0062DADD
      • __vbaStrCopy.MSVBVM60 ref: 0062DAF6
      • #685.MSVBVM60 ref: 0062DB03
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0062DB0E
      • __vbaFreeObj.MSVBVM60 ref: 0062DB2F
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0062DB42
      • __vbaStrCopy.MSVBVM60 ref: 0062DB57
      • __vbaStrCopy.MSVBVM60 ref: 0062DB65
      • __vbaObjSet.MSVBVM60(?,00000000,CAPICOM.EncryptedData,00000000,?,?), ref: 0062DB92
      • #685.MSVBVM60 ref: 0062DE9A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0062DEA5
      • __vbaFreeObj.MSVBVM60 ref: 0062DEC6
      • __vbaFreeStr.MSVBVM60(0062DF3B), ref: 0062DF19
      • __vbaFreeObj.MSVBVM60 ref: 0062DF22
      • __vbaFreeStr.MSVBVM60 ref: 0062DF2B
      • __vbaFreeObj.MSVBVM60 ref: 0062DF34
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Copy$#685Chkstk$Move$AddrefCallCheckErrorHresultLate
      • String ID: @@NULL@@$Algorithm$Base64Decode$CAPICOM.EncryptedData$CAPICOM.Utilities$DESencrypt$Name$SetSecret$content$encrypt$`2m
      • API String ID: 3770605308-1041167345
      • Opcode ID: 1c7c186409a4f02ab2053b9f6cd37007852b642828d64a0ed1d9a05c277f762d
      • Instruction ID: eebbcf254eda8eee52c56518ce8681b9345b0cc10bcaafa8d51045d7279bfd77
      • Opcode Fuzzy Hash: 1c7c186409a4f02ab2053b9f6cd37007852b642828d64a0ed1d9a05c277f762d
      • Instruction Fuzzy Hash: 1712D3B4A00318DFDB04DFA4D988BDDBBB5FF48305F208169E909AB2A1DB749A45CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 006474F0 Relevance: 126.4, APIs: 60, Strings: 12, Instructions: 365COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,?,00000000,00423E86), ref: 0064750E
      • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00423E86,?), ref: 0064753B
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00423E86,?), ref: 0064754A
      • __vbaStrMove.MSVBVM60(00000000,?), ref: 006475DF
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 006475F5
      • #617.MSVBVM60(?,00004008,00000006), ref: 00647646
      • __vbaVarCmpNe.MSVBVM60(?,00008008,?,0000000B), ref: 00647676
      • __vbaVarAnd.MSVBVM60(?,00000000), ref: 00647681
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 00647688
      • __vbaFreeVarList.MSVBVM60(00000002,?,0000000B), ref: 006476A2
      • __vbaStrCopy.MSVBVM60 ref: 006476C3
      • __vbaStrCat.MSVBVM60(?,?), ref: 006476F7
      • __vbaStrMove.MSVBVM60 ref: 00647702
      • #617.MSVBVM60(?,00004008,00000006), ref: 0064772F
      • __vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 00647790
      • __vbaVarAnd.MSVBVM60(?,0000000B,00000000), ref: 006477A2
      • __vbaVarAnd.MSVBVM60(?,0000000B,00000000), ref: 006477B7
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 006477BE
      • __vbaFreeVarList.MSVBVM60(00000003,?,0000000B,0000000B), ref: 006477DF
      • __vbaVarDup.MSVBVM60 ref: 0064782F
      • #711.MSVBVM60(?,?,?,000000FF,00000000), ref: 00647845
      • __vbaChkstk.MSVBVM60 ref: 00647850
      • #619.MSVBVM60(?,00004008,00000006), ref: 00647C99
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 00647CBE
      • __vbaFreeVar.MSVBVM60 ref: 00647CCE
      • __vbaLenBstr.MSVBVM60(?), ref: 00647CFD
      • #617.MSVBVM60(?,00004008,-00000006), ref: 00647D18
      • __vbaStrVarMove.MSVBVM60(?), ref: 00647D22
      • __vbaStrMove.MSVBVM60 ref: 00647D2D
      • __vbaFreeVar.MSVBVM60 ref: 00647D36
      • #617.MSVBVM60(?,00004008,00000006), ref: 00647D63
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 00647D88
      • __vbaFreeVar.MSVBVM60 ref: 00647D98
      • __vbaLenBstr.MSVBVM60(?), ref: 00647DC7
      • #619.MSVBVM60(?,00004008,-00000006), ref: 00647DE2
      • __vbaStrVarMove.MSVBVM60(?), ref: 00647DEC
      • __vbaStrMove.MSVBVM60 ref: 00647DF7
      • __vbaFreeVar.MSVBVM60 ref: 00647E00
      • __vbaLenBstr.MSVBVM60(?), ref: 00647E11
      • #608.MSVBVM60(?,0000000D), ref: 00647E42
      • __vbaStrVarVal.MSVBVM60(?,?,00000001,000000FF,00000000), ref: 00647E56
      • #712.MSVBVM60(?,chr13,00000000), ref: 00647E66
      • __vbaStrMove.MSVBVM60 ref: 00647E71
      • __vbaFreeStr.MSVBVM60 ref: 00647E7A
      • __vbaFreeVar.MSVBVM60 ref: 00647E83
      • #608.MSVBVM60(?,0000000A), ref: 00647E96
      • __vbaStrVarVal.MSVBVM60(?,?,00000001,000000FF,00000000), ref: 00647EAA
      • #712.MSVBVM60(?,chr10,00000000), ref: 00647EBA
      • __vbaStrMove.MSVBVM60 ref: 00647EC5
      • __vbaFreeStr.MSVBVM60 ref: 00647ECE
      • __vbaFreeVar.MSVBVM60 ref: 00647ED7
      • #608.MSVBVM60(?,00000000), ref: 00647EEA
      • __vbaStrVarVal.MSVBVM60(?,?,00000001,000000FF,00000000), ref: 00647EFE
      • #712.MSVBVM60(?,chr0,00000000), ref: 00647F0E
      • __vbaStrMove.MSVBVM60 ref: 00647F19
      • __vbaFreeStr.MSVBVM60 ref: 00647F22
      • __vbaFreeVar.MSVBVM60 ref: 00647F2B
      • __vbaStrMove.MSVBVM60(?), ref: 00647F46
      • #520.MSVBVM60(?,00004008), ref: 00647F71
      • __vbaErrorOverflow.MSVBVM60(?), ref: 0064809C
        • Part of subcall function 006484F0: __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,0064831C,00000000,?,?,?,?,?,?,?,00423E86), ref: 0064850E
        • Part of subcall function 006484F0: __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0064853B
        • Part of subcall function 006484F0: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00423E86), ref: 0064854A
        • Part of subcall function 006484F0: __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0064855F
        • Part of subcall function 006484F0: __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000000,00000000,00000000,00423E86), ref: 00648577
        • Part of subcall function 006484F0: __vbaStrMove.MSVBVM60(?,?,00000000,00000000,00000000,00423E86), ref: 00648598
        • Part of subcall function 006484F0: __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000000,00000000,00000000,00423E86), ref: 006485B1
        • Part of subcall function 006484F0: __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000000,00000000,00000000,00423E86), ref: 006485D1
        • Part of subcall function 006484F0: __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 006485EA
        • Part of subcall function 006484F0: __vbaStrMove.MSVBVM60(006B3E24,?,?,00000000,00000000,00000000,00423E86), ref: 00648605
        • Part of subcall function 006484F0: __vbaFreeStr.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0064860E
        • Part of subcall function 006484F0: __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000000,00000000,00000000,00423E86), ref: 00648627
        • Part of subcall function 006484F0: __vbaAryMove.MSVBVM60(00000000,?,00000000,?,?,00000000,00000000,00000000,00423E86), ref: 0064865A
        • Part of subcall function 006484F0: #717.MSVBVM60(?,00006011,00000040,00000000), ref: 00648680
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$FreeMove$Copy$#617$#608#712BstrChkstkError$#619BoolListNull$#520#711#717Overflow
      • String ID: >k$$>k$5$@@B@@|$D$PhillipNielsJosephine$chr0$chr10$chr13$d$|@@E@@$`2m
      • API String ID: 118225425-1940973509
      • Opcode ID: 1e63d2c7506483de1ef596c9e309108249653379a2ca21662ed8d5952eaa547b
      • Instruction ID: d3cb5b8f6aeeb8cc32bbe599041fe1e50b2770f13207d4771e279ac5167b15a4
      • Opcode Fuzzy Hash: 1e63d2c7506483de1ef596c9e309108249653379a2ca21662ed8d5952eaa547b
      • Instruction Fuzzy Hash: 31F117B5900218EFDB14DFA0DE88BEEBB79BF04305F108199E506B72A0DB745A49CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00534480 Relevance: 124.7, APIs: 64, Strings: 7, Instructions: 419COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0053449E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 005344D7
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 005344EC
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 005344FE
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 00534529
      • #717.MSVBVM60(?,00004008,00000080,00000000), ref: 00534552
      • __vbaStrVarMove.MSVBVM60(?), ref: 0053455C
      • __vbaStrMove.MSVBVM60 ref: 00534567
      • __vbaFreeVar.MSVBVM60 ref: 00534570
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 00534586
      • #685.MSVBVM60 ref: 0053459B
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005345A6
      • __vbaFreeObj.MSVBVM60 ref: 005345C7
      • __vbaStrCopy.MSVBVM60 ref: 005345DC
      • __vbaStrCopy.MSVBVM60 ref: 005345EA
        • Part of subcall function 005ED250: __vbaChkstk.MSVBVM60(?,00423E86), ref: 005ED26E
        • Part of subcall function 005ED250: __vbaStrCopy.MSVBVM60(?,00000001,00000000,?,00423E86), ref: 005ED29B
        • Part of subcall function 005ED250: __vbaOnError.MSVBVM60(000000FF,?,00000001,00000000,?,00423E86), ref: 005ED2AA
        • Part of subcall function 005ED250: #518.MSVBVM60(?,00004008), ref: 005ED2F5
        • Part of subcall function 005ED250: __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 005ED336
        • Part of subcall function 005ED250: __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 005ED344
        • Part of subcall function 005ED250: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005ED35B
        • Part of subcall function 005ED250: #518.MSVBVM60(?,00004008), ref: 005ED3B4
        • Part of subcall function 005ED250: __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 005ED3F5
        • Part of subcall function 005ED250: __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 005ED403
      • __vbaObjSet.MSVBVM60(?,00000000,ebCrypt.eb_c_Hash,00000000,?,?), ref: 00534611
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00534621
      • #685.MSVBVM60(?,?,00423E86), ref: 00534631
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,00423E86), ref: 0053463C
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 00534687
      • __vbaFreeObj.MSVBVM60 ref: 005346B7
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005346D9
      • __vbaStrMove.MSVBVM60 ref: 005346F0
      • __vbaChkstk.MSVBVM60 ref: 00534719
      • __vbaStrMove.MSVBVM60 ref: 00534740
      • __vbaStrCat.MSVBVM60(ebCrypt.dll,00000000), ref: 0053474C
      • __vbaStrMove.MSVBVM60 ref: 00534757
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,00000000,00000000), ref: 00534771
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,00423E86), ref: 0053478B
      • __vbaChkstk.MSVBVM60 ref: 005347B4
      • __vbaStrMove.MSVBVM60 ref: 005347DB
      • __vbaStrCat.MSVBVM60(vbCrypt.dll,00000000), ref: 005347E7
      • __vbaStrMove.MSVBVM60 ref: 005347F2
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,00000000,00000000), ref: 0053480C
      • #685.MSVBVM60 ref: 0053481C
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00534827
      • __vbaFreeObj.MSVBVM60 ref: 00534848
      • __vbaStrCopy.MSVBVM60 ref: 0053485D
      • __vbaStrCopy.MSVBVM60 ref: 0053486B
        • Part of subcall function 005ED250: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005ED41A
      • __vbaObjSet.MSVBVM60(?,00000000,ebCrypt.eb_c_Hash,00000000,?,?), ref: 00534892
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005348A2
      • __vbaChkstk.MSVBVM60 ref: 005348D2
      • __vbaChkstk.MSVBVM60 ref: 005348F5
      • __vbaLateMemCallLd.MSVBVM60(?,?,hashstring,00000002), ref: 00534922
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 0053492C
      • __vbaStrMove.MSVBVM60 ref: 00534937
      • __vbaFreeVar.MSVBVM60 ref: 00534940
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00534953
      • #685.MSVBVM60 ref: 00534960
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053496B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 005349B6
      • __vbaFreeObj.MSVBVM60 ref: 005349E6
      • __vbaStrCopy.MSVBVM60 ref: 00534A06
      • #685.MSVBVM60 ref: 00534A23
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00534A2E
      • __vbaFreeObj.MSVBVM60 ref: 00534A4F
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 00534A78
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 00534A8D
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 00534A9F
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 00534AAC
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 00534AB7
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 00534AD8
      • __vbaFreeStr.MSVBVM60(00534B35,?,?,?,?,00423E86), ref: 00534B25
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 00534B2E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$Copy$Chkstk$#685List$#518Error$AddrefCheckHresult$#520#711#717CallIndexLateLoadLockUnlock
      • String ID: Entering ebhash$Leaving ebhash$ebCrypt.dll$ebCrypt.eb_c_Hash$hashstring$vbCrypt.dll$`2m
      • API String ID: 2198750563-4186865939
      • Opcode ID: 3b76216806dde9658357b33f3bec1d5f61a4b38864a41880ad88d7f45fca7078
      • Instruction ID: 3b06ae6d21957b00ced0a20307e8b5d4c06c818e557ed2691b6892bb9fdf9bca
      • Opcode Fuzzy Hash: 3b76216806dde9658357b33f3bec1d5f61a4b38864a41880ad88d7f45fca7078
      • Instruction Fuzzy Hash: B7122875900218EFDB04DFA4DA88BDEBBB5FF48305F1081A9F506A72A0DB749A49CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00567800 Relevance: 121.2, APIs: 58, Strings: 11, Instructions: 405COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0056781E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0056784B
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0056785A
        • Part of subcall function 00634B20: __vbaChkstk.MSVBVM60(00000000,00423E86,0065D216,?,?,?,00000000,00423E86), ref: 00634B3E
        • Part of subcall function 00634B20: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,?,?,00000000,00423E86,0065D216), ref: 00634B6E
        • Part of subcall function 00634B20: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,?,?,00000000,00423E86,0065D216), ref: 00634B7D
        • Part of subcall function 00634B20: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86,0065D216), ref: 00634B8C
        • Part of subcall function 00634B20: #520.MSVBVM60(?,00004008), ref: 00634BBB
        • Part of subcall function 00634B20: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 00634BE3
        • Part of subcall function 00634B20: __vbaFreeVar.MSVBVM60 ref: 00634BF6
        • Part of subcall function 00634B20: __vbaStrCopy.MSVBVM60 ref: 00634C1A
        • Part of subcall function 00634B20: #520.MSVBVM60(?,00000008,?), ref: 00634C47
        • Part of subcall function 00634B20: __vbaStrVarMove.MSVBVM60(?), ref: 00634C54
        • Part of subcall function 00634B20: __vbaStrMove.MSVBVM60 ref: 00634C61
        • Part of subcall function 00634B20: __vbaFreeStr.MSVBVM60 ref: 00634C6A
        • Part of subcall function 00634B20: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 00634C80
        • Part of subcall function 00634B20: #520.MSVBVM60(?,00004008), ref: 00634CB2
        • Part of subcall function 00634B20: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 00634CDA
        • Part of subcall function 00634B20: __vbaFreeVar.MSVBVM60 ref: 00634CED
      • __vbaStrToAnsi.MSVBVM60(?,?,00000000,004074C8,?,00423E86,?,?,?,?,?,00423E86), ref: 00567896
      • __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 005678A9
      • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,?,00423E86), ref: 005678B7
      • __vbaFreeStr.MSVBVM60(?,?,?,?,00423E86), ref: 005678C6
      • #520.MSVBVM60(?,00004008), ref: 005678FB
      • __vbaStrVarVal.MSVBVM60(?,?), ref: 00567909
      • __vbaStrMove.MSVBVM60(00000000), ref: 0056791A
      • __vbaFreeStr.MSVBVM60 ref: 00567923
      • __vbaFreeVar.MSVBVM60 ref: 0056792C
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 00567942
      • #520.MSVBVM60(?,00004008), ref: 0056796C
      • __vbaStrVarVal.MSVBVM60(?,?), ref: 0056797A
      • __vbaAryMove.MSVBVM60(?,?,00000000), ref: 00567991
      • __vbaFreeStr.MSVBVM60 ref: 0056799A
      • __vbaFreeVar.MSVBVM60 ref: 005679A3
      • #685.MSVBVM60 ref: 005679B0
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005679BB
      • __vbaFreeObj.MSVBVM60 ref: 005679DC
      • __vbaUbound.MSVBVM60(00000001,?), ref: 005679EF
      • #685.MSVBVM60 ref: 00567A05
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00567A10
      • #685.MSVBVM60 ref: 00567B5A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00567B65
      • __vbaFreeObj.MSVBVM60 ref: 00567B86
      • __vbaAryDestruct.MSVBVM60(00000000,?,00567BE4), ref: 00567BBF
      • __vbaFreeStr.MSVBVM60 ref: 00567BC8
      • __vbaFreeStr.MSVBVM60 ref: 00567BD1
      • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00567BDD
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#520$Move$#685Error$ChkstkConstructCopyDestructFixstr$AnsiListSystemUboundUnicode
      • String ID: @u@$AloahaCredentialsServiceCommand:ServiceStatus$Coninue Pending$Pause Pending$Paused$Running$ServicesActive$Start Pending$Stop Pending$Stopped$`2m
      • API String ID: 2723649384-2626194199
      • Opcode ID: 9bb531ca899bf6fd73decf5c5c4d7c90c9d38e8ea2ca602b5413211dfb3bb8c0
      • Instruction ID: b132b5a6916e7c13cb5b2e82a00bb029b9018c56ddda2959d1c3151389347e56
      • Opcode Fuzzy Hash: 9bb531ca899bf6fd73decf5c5c4d7c90c9d38e8ea2ca602b5413211dfb3bb8c0
      • Instruction Fuzzy Hash: 73F12D71900209EFDB04DFE4DA88AEEBBB9FF48304F108559F506A7260DB74AA45CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005BF880 Relevance: 115.9, APIs: 59, Strings: 7, Instructions: 399fileCOMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,?,005AFC84,?), ref: 005BF89E
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00423E86), ref: 005BF8CE
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000000,00000000,00000000,00423E86), ref: 005BF8E6
      • #685.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 005BF921
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000,00000000,00000000,00423E86), ref: 005BF92C
      • __vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 005BF94D
      • __vbaStrCopy.MSVBVM60 ref: 005BF970
      • __vbaStrCopy.MSVBVM60 ref: 005BF97E
        • Part of subcall function 005BBD50: __vbaChkstk.MSVBVM60(?,00423E86), ref: 005BBD6E
        • Part of subcall function 005BBD50: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005BBD9E
        • Part of subcall function 005BBD50: #592.MSVBVM60(00000000,?,00000000,00000000,?,00423E86), ref: 005BBDBF
        • Part of subcall function 005BBD50: __vbaStrToAnsi.MSVBVM60(?,?,00000000,00020019,00000000), ref: 005BBE23
        • Part of subcall function 005BBD50: __vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,00020019,00000000), ref: 005BBE36
        • Part of subcall function 005BBD50: __vbaStrToUnicode.MSVBVM60(?,?,?,00000000,00020019,00000000), ref: 005BBE44
        • Part of subcall function 005BBD50: __vbaFreeStr.MSVBVM60(?,00000000,00020019,00000000), ref: 005BBE53
        • Part of subcall function 005BBD50: #525.MSVBVM60(00000400,?,00000000,00020019,00000000), ref: 005BBE83
        • Part of subcall function 005BBD50: __vbaStrMove.MSVBVM60(?,00000000,00020019,00000000), ref: 005BBE8E
        • Part of subcall function 005BBD50: __vbaStrToAnsi.MSVBVM60(?,?,00000400,?,00000000,00020019,00000000), ref: 005BBEA7
        • Part of subcall function 005BBD50: __vbaStrToAnsi.MSVBVM60(?,?,00000000,00000001,00000000,?,00000000,00020019,00000000), ref: 005BBEBE
        • Part of subcall function 005BBD50: __vbaSetSystemError.MSVBVM60(00000000,00000000,?,00000000,00000001,00000000,?,00000000,00020019,00000000), ref: 005BBED1
      • __vbaStrMove.MSVBVM60(00000000,?,0000000A), ref: 005BF99A
      • __vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 005BF9AA
      • __vbaFreeVar.MSVBVM60(00000000,00000000,00423E86), ref: 005BF9B6
      • #685.MSVBVM60 ref: 005BF9C3
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005BF9CE
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 005BFA01
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 005BFA22
      • __vbaFreeObj.MSVBVM60 ref: 005BFA44
      • __vbaStrCopy.MSVBVM60 ref: 005BFA61
      • __vbaI4Str.MSVBVM60(?), ref: 005BFA72
      • __vbaStrCmp.MSVBVM60(0042ADE8,?,?,00000000,00000000,00000000,00423E86), ref: 005BFA8F
      • #685.MSVBVM60(?,?,00000000,00000000,00000000,00423E86), ref: 005BFAB1
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,00000000,00000000,00000000,00423E86), ref: 005BFABC
      • __vbaFreeObj.MSVBVM60(?,?,00000000,00000000,00000000,00423E86), ref: 005BFADD
      • __vbaFileOpen.MSVBVM60(00000008,000000FF,00000001,c:\aloaha.log,?,?,00000000,00000000,00000000,00423E86), ref: 005BFB15
      • #685.MSVBVM60(?,?,00000000,00000000,00000000,00423E86), ref: 005BFB22
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,00000000,00000000,00000000,00423E86), ref: 005BFB2D
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 005BFB60
      • __vbaFreeObj.MSVBVM60 ref: 005BFB8A
      • __vbaFileClose.MSVBVM60(00000001), ref: 005BFBA1
      • #685.MSVBVM60 ref: 005BFBAE
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005BFBB9
      • __vbaFreeObj.MSVBVM60 ref: 005BFBDA
      • __vbaFileOpen.MSVBVM60(00000008,000000FF,00000001,d:\aloaha.log), ref: 005BFBF2
      • #685.MSVBVM60 ref: 005BFBFF
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005BFC0A
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 005BFC3D
      • __vbaFreeObj.MSVBVM60 ref: 005BFC67
      • __vbaFileClose.MSVBVM60(00000001), ref: 005BFC7E
      • #685.MSVBVM60 ref: 005BFC8B
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005BFC96
      • __vbaFreeObj.MSVBVM60 ref: 005BFCB7
      • __vbaFileOpen.MSVBVM60(00000008,000000FF,00000001,e:\aloaha.log), ref: 005BFCCF
      • #685.MSVBVM60 ref: 005BFCDC
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005BFCE7
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 005BFD1A
      • __vbaFreeObj.MSVBVM60 ref: 005BFD44
      • #712.MSVBVM60(?,0042E700,0042ADE8,00000001,000000FF,00000000), ref: 005BFD73
      • #520.MSVBVM60(?,00000008,?,0042E700,0042ADE8,00000001,000000FF,00000000), ref: 005BFD8B
      • __vbaStrVarMove.MSVBVM60(?,?,0042E700,0042ADE8,00000001,000000FF,00000000), ref: 005BFD95
      • __vbaStrMove.MSVBVM60(?,0042E700,0042ADE8,00000001,000000FF,00000000), ref: 005BFDA0
      • __vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,0042E700,0042ADE8,00000001,000000FF,00000000), ref: 005BFDB0
      • __vbaPrintFile.MSVBVM60(0043AF34,00000001,?,00000000,00000000,00423E86), ref: 005BFDCD
      • __vbaFileClose.MSVBVM60(00000001), ref: 005BFDDF
      • #685.MSVBVM60(?,?,?,?,?,00423E86), ref: 005BFDEC
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005BFDF7
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,00423E86), ref: 005BFE18
      • #685.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 005BFE25
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000,00000000,00000000,00423E86), ref: 005BFE30
      • __vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 005BFE51
      • __vbaFreeStr.MSVBVM60(005BFE98,?,00000000,00000000,00000000,00423E86), ref: 005BFE91
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685$File$CheckErrorHresultMove$AnsiCloseCopyOpen$ChkstkListSystem$#520#525#592#712PrintUnicode
      • String ID: $$Software\Aloaha\pdf$c:\aloaha.log$clog$d:\aloaha.log$e:\aloaha.log$`2m
      • API String ID: 409325249-2458605836
      • Opcode ID: 991f323ad2efa5608dfbc294c44671f78768b394d6115ab5d263835fd0953b95
      • Instruction ID: 8d7919e01823c43ffc96b4bdddfa23b9d4b5380bfbbf6b259f6e2773f35e0839
      • Opcode Fuzzy Hash: 991f323ad2efa5608dfbc294c44671f78768b394d6115ab5d263835fd0953b95
      • Instruction Fuzzy Hash: 3D0203B5900318EFDB04DFA0DE48BDEBBB8BF48705F108169E506AB2A1DB749A44CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00696440 Relevance: 114.2, APIs: 61, Strings: 4, Instructions: 466COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0069645E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0069648B
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0069649A
      • __vbaStrCopy.MSVBVM60 ref: 006964BC
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?), ref: 006964CE
      • #685.MSVBVM60 ref: 006964DB
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 006964E6
      • __vbaFreeObj.MSVBVM60 ref: 00696507
      • __vbaGenerateBoundsError.MSVBVM60 ref: 00696553
      • __vbaGenerateBoundsError.MSVBVM60 ref: 00696570
      • __vbaStrCmp.MSVBVM60(0042ADE8), ref: 00696593
      • #685.MSVBVM60 ref: 006965A8
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 006965B3
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 006965FE
      • __vbaFreeObj.MSVBVM60 ref: 0069662E
      • __vbaStrCopy.MSVBVM60 ref: 00696652
      • __vbaStrCopy.MSVBVM60 ref: 00696660
      • __vbaStrCopy.MSVBVM60 ref: 0069666E
      • __vbaStrMove.MSVBVM60(?,?,?,?), ref: 0069668E
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 006966A2
      • __vbaStrCmp.MSVBVM60(0042ADE8,?,?,?,?,00423E86), ref: 006966BB
      • __vbaUbound.MSVBVM60(00000001), ref: 006966E5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Copy$Move$ErrorFree$Chkstk$#685BoundsGenerate$#518#520#711CheckHresultIndexListLoadLockUboundUnlock
      • String ID: ATR$ATR is valid: $AloahaCredentials:ATR_Valid$Generic
      • API String ID: 2702834302-1454299756
      • Opcode ID: ee22d5d165656db28fa646f338e524b816f6af9294a43e45c1c7d6e85c80b910
      • Instruction ID: 72596a09d190d9820f6f56b6483a8564a5a45c4172b60ae5f115c20087dbfc81
      • Opcode Fuzzy Hash: ee22d5d165656db28fa646f338e524b816f6af9294a43e45c1c7d6e85c80b910
      • Instruction Fuzzy Hash: 05222971900219DFDB14DFA4DD88BEEB7B9FF08304F1081A9E506A76A0EB745A89CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00636160 Relevance: 110.7, APIs: 57, Strings: 6, Instructions: 456COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,?,00635D03,00000000), ref: 0063617E
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00423E86), ref: 006361AB
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86), ref: 006361BA
      • #712.MSVBVM60(00000000,0042FA64,0042ADE8,00000001,000000FF,00000000,?,?,?,00000000,00423E86), ref: 006361DB
      • #520.MSVBVM60(?,00000008), ref: 006361F3
      • #608.MSVBVM60(?,00000000), ref: 00636202
      • __vbaStrVarVal.MSVBVM60(?,?,0042ADE8,00000001,000000FF,00000000), ref: 0063621E
      • __vbaStrVarVal.MSVBVM60(?,?,00000000), ref: 0063622D
      • #712.MSVBVM60(00000000), ref: 00636234
      • __vbaStrMove.MSVBVM60 ref: 0063623F
      • __vbaStrMove.MSVBVM60(00430E04,0042ADE8,00000001,000000FF,00000000), ref: 0063626E
      • #712.MSVBVM60(00000000), ref: 00636275
      • __vbaStrMove.MSVBVM60 ref: 00636280
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 0063628C
      • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 006362B7
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,00000000,00423E86), ref: 006362D1
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00423E86), ref: 0063630A
      • __vbaStrCopy.MSVBVM60 ref: 00636355
      • __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,00000000,00000000), ref: 00636375
      • __vbaGenerateBoundsError.MSVBVM60 ref: 006363BC
      • __vbaGenerateBoundsError.MSVBVM60 ref: 006363D9
      • __vbaStrCopy.MSVBVM60 ref: 006363F6
      • #632.MSVBVM60(?,00004008,?,00000002), ref: 00636438
      • __vbaVarCmpNe.MSVBVM60(?,00008008,?), ref: 00636480
      • __vbaVarAnd.MSVBVM60(?,0000000B,00000000), ref: 00636495
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 0063649C
      • __vbaFreeVarList.MSVBVM60(00000003,00000002,?,0000000B), ref: 006364BA
      • #632.MSVBVM60(?,00004008,?,00000002), ref: 00636532
      • __vbaVarCmpNe.MSVBVM60(?,00008008,?), ref: 0063657D
      • __vbaVarAnd.MSVBVM60(?,0000000B,00000000), ref: 00636592
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 00636599
      • __vbaFreeVarList.MSVBVM60(00000003,00000002,?,0000000B), ref: 006365B7
      • #632.MSVBVM60(?,00004008,?,00000002), ref: 00636634
      • __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0063664C
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 00636653
      • __vbaStrMove.MSVBVM60 ref: 0063665E
      • __vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 00636675
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 006366C5
      • __vbaRedimPreserve.MSVBVM60(00000180,00000004,00000000,00000008,00000001,?,00000000), ref: 006366F0
      • __vbaGenerateBoundsError.MSVBVM60 ref: 00636754
      • __vbaGenerateBoundsError.MSVBVM60 ref: 00636771
      • __vbaStrCopy.MSVBVM60 ref: 0063678C
      • __vbaStrCat.MSVBVM60(?,Found: ), ref: 006367A2
      • __vbaStrMove.MSVBVM60 ref: 006367AD
      • __vbaFreeStr.MSVBVM60(?), ref: 006367BF
      • __vbaStrCopy.MSVBVM60 ref: 006367ED
      • __vbaAryCopy.MSVBVM60(?,00000000), ref: 00636807
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00423E86), ref: 006362F8
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00423E86), ref: 0063681C
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00423E86), ref: 0063682E
      • #685.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00423E86), ref: 0063683B
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,00423E86), ref: 00636846
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00423E86), ref: 00636867
      • __vbaAryDestruct.MSVBVM60(00000000,?,006368F3,?,?,?,?,?,?,?,?,00000000,00423E86), ref: 006368DA
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00423E86), ref: 006368E3
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00423E86), ref: 006368EC
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$Copy$Error$List$BoundsGenerate$#632#712Chkstk$#520BoolNullRedim$#518#608#685#711DestructIndexLoadLockPreserveUnlock
      • String ID: !$D?k$Found: $H?k$Load Reader Array$Load Reader Array ready!
      • API String ID: 2440176738-1712007218
      • Opcode ID: 44ecc1e3417a56021c79ab815b214827ce8425a1cc2dfabec0cd2886e345c9bb
      • Instruction ID: f227dbda5ddfcea588f1bd1323492a030f1e7cf7f54f7715ddff9abd18098df9
      • Opcode Fuzzy Hash: 44ecc1e3417a56021c79ab815b214827ce8425a1cc2dfabec0cd2886e345c9bb
      • Instruction Fuzzy Hash: 132239B1900218EBEB14DF90DD48BDEBBB4FF48705F108199E516B72A0DBB45A89CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0069B030 Relevance: 110.6, APIs: 52, Strings: 11, Instructions: 345COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0069B04E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0069B087
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0069B093
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0069B09F
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0069B0B7
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0069B0CC
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 0069B0DE
      • __vbaStrCmp.MSVBVM60(0042ADE8,?,?,?,?,?,00423E86), ref: 0069B0F4
      • __vbaStrCmp.MSVBVM60(0042ADE8,?,?,?,?,?,00423E86), ref: 0069B112
      • __vbaStrCmp.MSVBVM60(?,?,?,?,?,?,00423E86), ref: 0069B12F
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 0069B157
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 0069B162
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 0069B183
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0069B198
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0069B1A6
        • Part of subcall function 005ED250: __vbaChkstk.MSVBVM60(?,00423E86), ref: 005ED26E
        • Part of subcall function 005ED250: __vbaStrCopy.MSVBVM60(?,00000001,00000000,?,00423E86), ref: 005ED29B
        • Part of subcall function 005ED250: __vbaOnError.MSVBVM60(000000FF,?,00000001,00000000,?,00423E86), ref: 005ED2AA
        • Part of subcall function 005ED250: #518.MSVBVM60(?,00004008), ref: 005ED2F5
        • Part of subcall function 005ED250: __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 005ED336
        • Part of subcall function 005ED250: __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 005ED344
        • Part of subcall function 005ED250: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005ED35B
        • Part of subcall function 005ED250: #518.MSVBVM60(?,00004008), ref: 005ED3B4
        • Part of subcall function 005ED250: __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 005ED3F5
        • Part of subcall function 005ED250: __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 005ED403
      • __vbaObjSet.MSVBVM60(?,00000000,AloahaSync.SyncAPI,00000000,?,?), ref: 0069B1D3
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0069B1E3
      • __vbaLateMemCallLd.MSVBVM60(?,?,info,00000000), ref: 0069B210
      • __vbaVarTstGt.MSVBVM60(?,00000000,?,?,?,?,?,?,00423E86), ref: 0069B21E
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00423E86), ref: 0069B22E
      • #685.MSVBVM60(?,?,?,?,?,?,00423E86), ref: 0069B24A
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,00423E86), ref: 0069B255
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 0069B2A0
      • __vbaFreeObj.MSVBVM60 ref: 0069B2D0
      • __vbaChkstk.MSVBVM60 ref: 0069B302
      • __vbaLateMemSt.MSVBVM60(?,AllowIdenticalPasswords), ref: 0069B329
      • __vbaFreeVar.MSVBVM60 ref: 0069B332
      • __vbaChkstk.MSVBVM60 ref: 0069B384
      • __vbaChkstk.MSVBVM60 ref: 0069B3A7
      • __vbaChkstk.MSVBVM60 ref: 0069B3CA
      • __vbaChkstk.MSVBVM60 ref: 0069B3F9
      • __vbaLateMemCallLd.MSVBVM60(?,?,ChangePasswordCard,00000004), ref: 0069B432
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 0069B43C
      • __vbaStrMove.MSVBVM60 ref: 0069B447
      • __vbaFreeVar.MSVBVM60 ref: 0069B450
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,00423E86), ref: 0069B47E
      • __vbaLateMemCall.MSVBVM60(?,ReleaseAll,00000000,?,?,?,?,?,?,00423E86), ref: 0069B496
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00423E86), ref: 0069B4AC
      • #685.MSVBVM60(?,?,?,?,?,?,?,?,?,00423E86), ref: 0069B4B9
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00423E86), ref: 0069B4C4
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00423E86), ref: 0069B4E5
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0069B4FC
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0069B513
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0069B52A
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 0069B537
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 0069B542
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 0069B563
      • __vbaFreeStr.MSVBVM60(0069B5D8,?,?,?,?,00423E86), ref: 0069B5B6
      • __vbaFreeStr.MSVBVM60(?,?,?,?,00423E86), ref: 0069B5BF
      • __vbaFreeStr.MSVBVM60(?,?,?,?,00423E86), ref: 0069B5C8
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 0069B5D1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Copy$Chkstk$Move$#685Late$#518CallError$List$#520#711AddrefCheckHresultIndexLoadLockUnlock
      • String ID: AllowIdenticalPasswords$AloahaCredentials:ChangePasswordCard$AloahaSync.SyncAPI$ChangePasswordCard$Could could not create Sync Object$New Password not specified$Old Password not specified$Old and new Passwords are identically$ReleaseAll$info$`2m
      • API String ID: 1200945872-108179000
      • Opcode ID: b2bf8429680aa510187b83226d6f8ddcc23401b54361ada52feacdc03e262485
      • Instruction ID: 7e840ec7bfeecf1bcb5564390663194e6b7cb0a2d79885b2adcefb501982f1dc
      • Opcode Fuzzy Hash: b2bf8429680aa510187b83226d6f8ddcc23401b54361ada52feacdc03e262485
      • Instruction Fuzzy Hash: CDF15A74A00218DFDB04DFA4DA88BDEBBB5FF48705F1081A9E50AB7260DB349A49CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005AC0A0 Relevance: 108.9, APIs: 55, Strings: 7, Instructions: 430COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,005AE14B), ref: 005AC0BE
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 005AC0EB
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00423E86), ref: 005AC0FA
      • #520.MSVBVM60(?,00004008), ref: 005AC132
      • #518.MSVBVM60(?,?), ref: 005AC140
      • __vbaVarDup.MSVBVM60 ref: 005AC163
      • #520.MSVBVM60(?,?), ref: 005AC171
      • #518.MSVBVM60(?,?), ref: 005AC17F
      • __vbaVarTstEq.MSVBVM60(?,?), ref: 005AC18D
      • __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 005AC1B0
      • #520.MSVBVM60(?,00004008), ref: 005AC1F6
      • #518.MSVBVM60(?,?), ref: 005AC204
      • __vbaVarDup.MSVBVM60 ref: 005AC227
      • #520.MSVBVM60(?,?), ref: 005AC235
      • #518.MSVBVM60(?,?), ref: 005AC243
      • __vbaVarTstEq.MSVBVM60(?,?), ref: 005AC251
      • __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 005AC274
      • #520.MSVBVM60(?,00004008), ref: 005AC2BA
      • #518.MSVBVM60(?,?), ref: 005AC2C8
      • __vbaVarDup.MSVBVM60 ref: 005AC2EB
      • #520.MSVBVM60(?,?), ref: 005AC2F9
      • #518.MSVBVM60(?,?), ref: 005AC307
      • __vbaVarTstEq.MSVBVM60(?,?), ref: 005AC315
      • __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 005AC338
      • #520.MSVBVM60(?,00004008), ref: 005AC37E
      • #518.MSVBVM60(?,?), ref: 005AC38C
      • __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 005AC3CD
      • __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 005AC3DB
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 005AC3F6
      • #520.MSVBVM60(?,00004008), ref: 005AC43C
      • #518.MSVBVM60(?,?), ref: 005AC44A
      • __vbaVarDup.MSVBVM60 ref: 005AC46D
      • #520.MSVBVM60(?,?), ref: 005AC47B
      • #518.MSVBVM60(?,?), ref: 005AC489
      • __vbaInStrVar.MSVBVM60(?,00000000,?,?,00000001), ref: 005AC4B6
      • __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 005AC4C4
      • __vbaFreeVarList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 005AC4EE
      • #520.MSVBVM60(?,00004008), ref: 005AC534
      • #518.MSVBVM60(?,?), ref: 005AC542
      • __vbaVarDup.MSVBVM60 ref: 005AC565
      • #518.MSVBVM60(?,?), ref: 005AC573
      • __vbaInStrVar.MSVBVM60(?,00000000,?,?,00000001), ref: 005AC59D
      • __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 005AC5AB
      • __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 005AC5CE
      • #520.MSVBVM60(?,00004008), ref: 005AC614
      • #518.MSVBVM60(?,?), ref: 005AC622
      • __vbaVarDup.MSVBVM60 ref: 005AC645
      • #518.MSVBVM60(?,?), ref: 005AC653
      • __vbaInStrVar.MSVBVM60(?,00000000,?,?,00000001), ref: 005AC67D
      • __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 005AC68B
      • __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 005AC6AE
      • #685.MSVBVM60 ref: 005AC6D6
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005AC6E1
      • __vbaFreeObj.MSVBVM60 ref: 005AC702
      • __vbaFreeStr.MSVBVM60(005AC750), ref: 005AC749
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#518$#520$Free$List$#685ChkstkCopyError
      • String ID: Info Ready$Is NOT System (lsass) Process$Is_ServerMode$ReaderList Length (in characters) is:$set_$set_ ready$unloading
      • API String ID: 1926088322-990535336
      • Opcode ID: 971c583b1544d30737fa126bd857dcc61a1fa4b58e30bfca8a8aee021facb399
      • Instruction ID: d2408f0260a8e64c48b54e0ca78f57f90d40cb814979cc725bdde0ba6b9de58e
      • Opcode Fuzzy Hash: 971c583b1544d30737fa126bd857dcc61a1fa4b58e30bfca8a8aee021facb399
      • Instruction Fuzzy Hash: E21294B6C00218EAEB15DFD0DD48FDEB7B8BB48704F00C59AE216B6160EB745649CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005AF820 Relevance: 107.1, APIs: 59, Strings: 2, Instructions: 321COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,005AF7AC,?,00000000), ref: 005AF83E
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AF86E
      • __vbaSetSystemError.MSVBVM60(00000094), ref: 005AF8BD
      • #685.MSVBVM60 ref: 005AF8CA
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005AF8D8
      • __vbaFreeObj.MSVBVM60 ref: 005AF8FC
      • #685.MSVBVM60 ref: 005AF91D
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005AF92B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 005AF976
      • __vbaFreeObj.MSVBVM60 ref: 005AF9A9
      • __vbaStrI4.MSVBVM60(?,OS: ), ref: 005AF9ED
      • __vbaStrMove.MSVBVM60 ref: 005AF9FB
      • __vbaStrCat.MSVBVM60(00000000), ref: 005AFA02
      • __vbaStrMove.MSVBVM60 ref: 005AFA10
      • __vbaStrCat.MSVBVM60(0042EBD4,00000000), ref: 005AFA1C
      • __vbaStrMove.MSVBVM60 ref: 005AFA2A
      • __vbaStrI4.MSVBVM60(00000005,00000000), ref: 005AFA38
      • __vbaStrMove.MSVBVM60 ref: 005AFA46
      • __vbaStrCat.MSVBVM60(00000000), ref: 005AFA4D
      • __vbaStrMove.MSVBVM60 ref: 005AFA5B
      • __vbaStrCat.MSVBVM60(004312D8,00000000), ref: 005AFA67
      • __vbaStrMove.MSVBVM60 ref: 005AFA75
      • __vbaStrI4.MSVBVM60(?,00000000), ref: 005AFA83
      • __vbaStrMove.MSVBVM60 ref: 005AFA91
      • __vbaStrCat.MSVBVM60(00000000), ref: 005AFA98
      • __vbaStrMove.MSVBVM60 ref: 005AFAA6
      • __vbaStrCat.MSVBVM60(004312D8,00000000), ref: 005AFAB2
      • __vbaStrMove.MSVBVM60 ref: 005AFAC0
      • __vbaStrI4.MSVBVM60(?,00000000), ref: 005AFACE
      • __vbaStrMove.MSVBVM60 ref: 005AFADC
      • __vbaStrCat.MSVBVM60(00000000), ref: 005AFAE3
      • __vbaStrMove.MSVBVM60 ref: 005AFAF1
      • __vbaFreeStrList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005AFB52
      • __vbaStrI4.MSVBVM60(?,OS: ,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFB6E
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFB7C
      • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFB83
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFB91
      • __vbaStrCat.MSVBVM60(0042EBD4,00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFB9D
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFBAB
      • __vbaStrI4.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFBB9
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFBC7
      • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFBCE
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFBDC
      • __vbaStrCat.MSVBVM60(004312D8,00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFBE8
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFBF6
      • __vbaStrI4.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFC04
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFC12
      • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFC19
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFC27
      • __vbaStrCat.MSVBVM60(004312D8,00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFC33
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFC41
      • __vbaStrI4.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFC4F
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFC5D
      • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFC64
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFC72
      • __vbaFreeStrList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005AFCD3
      • #685.MSVBVM60(?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFD72
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFD80
      • __vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,00423E86,005AF7AC), ref: 005AFDA4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Free$#685$ErrorList$CheckChkstkHresultSystem
      • String ID: OS: $c
      • API String ID: 2318683197-3002540896
      • Opcode ID: feeb4ac4b4a5b464ae0929bc92f435cdc018df1aeef0e5ff0b3f2c32427f60ab
      • Instruction ID: 5c2687e95ddd158db57e8146667299c3a543e85d350144137e1aee5d78d9e8d4
      • Opcode Fuzzy Hash: feeb4ac4b4a5b464ae0929bc92f435cdc018df1aeef0e5ff0b3f2c32427f60ab
      • Instruction Fuzzy Hash: BDE11C75900218DFDB15DFA0DD58BDEB779BB48301F1086E9E10AB3260DB745A89CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005C0080 Relevance: 103.6, APIs: 50, Strings: 9, Instructions: 346COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(FFFFFFFF,00423E86,0045197C,?,00000001), ref: 005C009E
      • __vbaStrCopy.MSVBVM60(?,00000001,00000000,FFFFFFFF,00423E86,0045197C), ref: 005C00CB
      • __vbaVarDup.MSVBVM60(?,00000001,00000000,FFFFFFFF,00423E86,0045197C), ref: 005C00D7
      • __vbaOnError.MSVBVM60(000000FF,?,00000001,00000000,FFFFFFFF,00423E86,0045197C), ref: 005C00E6
      • __vbaStrCmp.MSVBVM60(true,00000000,?,00000001,00000000,FFFFFFFF,00423E86,0045197C), ref: 005C00FE
      • #520.MSVBVM60(?,00004008), ref: 005C013B
      • __vbaVarCmpNe.MSVBVM60(?,00008008,?,0000000B), ref: 005C016B
      • __vbaVarAnd.MSVBVM60(?,00000000), ref: 005C0179
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 005C0180
      • __vbaFreeVarList.MSVBVM60(00000002,?,0000000B), ref: 005C019A
      • __vbaStrCopy.MSVBVM60(00000000,FFFFFFFF,00423E86,0045197C), ref: 005C01C3
      • #518.MSVBVM60(?,00004008), ref: 005C01EE
      • #619.MSVBVM60(?,?,00000004), ref: 005C01FE
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 005C0223
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005C023A
      • __vbaBoolVar.MSVBVM60(?), ref: 005C0259
        • Part of subcall function 005C0670: __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,005C0269,?,00000000), ref: 005C068E
        • Part of subcall function 005C0670: __vbaOnError.MSVBVM60(000000FF,?,00000001,00000000,00000000,00423E86), ref: 005C06BE
        • Part of subcall function 005C0670: __vbaStrCat.MSVBVM60(00430E04,?,?,00000001,00000000,00000000,00423E86), ref: 005C06E9
        • Part of subcall function 005C0670: __vbaStrMove.MSVBVM60(?,?,00000001,00000000,00000000,00423E86), ref: 005C06F4
        • Part of subcall function 005C0670: __vbaStr2Vec.MSVBVM60(?,00000000,?,?,00000001,00000000,00000000,00423E86), ref: 005C06FF
        • Part of subcall function 005C0670: __vbaAryMove.MSVBVM60(00000000,?,?,?,00000001,00000000,00000000,00423E86), ref: 005C070D
        • Part of subcall function 005C0670: __vbaFreeStr.MSVBVM60(?,?,00000001,00000000,00000000,00423E86), ref: 005C0716
        • Part of subcall function 005C0670: __vbaAryLock.MSVBVM60(00000000,00000000,?,?,00000001,00000000,00000000,00423E86), ref: 005C072B
        • Part of subcall function 005C0670: __vbaSetSystemError.MSVBVM60(?,?), ref: 005C078F
        • Part of subcall function 005C0670: __vbaAryUnlock.MSVBVM60(00000000), ref: 005C0799
        • Part of subcall function 005C0670: __vbaUI1I2.MSVBVM60 ref: 005C07BF
        • Part of subcall function 005C0670: __vbaAryLock.MSVBVM60(00000000,00000000), ref: 005C07D0
      • #518.MSVBVM60(?,00004008), ref: 005C02A0
      • __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 005C02E1
      • __vbaVarTstEq.MSVBVM60(00008002,00000000), ref: 005C02EF
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005C0306
      • __vbaStrCat.MSVBVM60(?,Have to register: ), ref: 005C032A
      • __vbaStrMove.MSVBVM60 ref: 005C0335
      • __vbaFreeStr.MSVBVM60(?), ref: 005C0347
      • __vbaStrToAnsi.MSVBVM60(?,?,?), ref: 005C0383
      • __vbaSetSystemError.MSVBVM60(00000000), ref: 005C0395
      • __vbaStrToUnicode.MSVBVM60(?,?), ref: 005C03A3
      • __vbaFreeStr.MSVBVM60 ref: 005C03B5
      • __vbaBoolVarNull.MSVBVM60(?), ref: 005C03C6
      • __vbaStrToAnsi.MSVBVM60(?,DllRegisterServer), ref: 005C03E3
      • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 005C03F9
      • __vbaFreeStr.MSVBVM60 ref: 005C040B
      • __vbaStrCopy.MSVBVM60 ref: 005C05CC
      • #685.MSVBVM60(00000000,FFFFFFFF,00423E86,0045197C), ref: 005C05D9
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C05E4
      • __vbaFreeObj.MSVBVM60 ref: 005C0605
      • __vbaFreeVar.MSVBVM60(005C0652), ref: 005C0642
      • __vbaFreeStr.MSVBVM60 ref: 005C064B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Error$BoolCopyListMoveSystem$#518AnsiChkstkLockNull$#520#619#685Str2UnicodeUnlock
      • String ID: +$.tlb$DllRegisterServer$DllUnregisterServer$Failed$Have to register: $pilot$true$`2m
      • API String ID: 1682408783-1432992081
      • Opcode ID: cb8fcd6a68103a433602975b4e44a647fb820f4434920f7004a6f2a4a7c5ac26
      • Instruction ID: 308f1d8f3300fa971caa9be1b7f41fc896d2bc2c0041cc8d8a6d1882c602a453
      • Opcode Fuzzy Hash: cb8fcd6a68103a433602975b4e44a647fb820f4434920f7004a6f2a4a7c5ac26
      • Instruction Fuzzy Hash: C4F1F8B5900218DFDB14DFE0D988BDEBB75BF48304F1085A9E506BB2A0DB785A88CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0057DC20 Relevance: 103.5, APIs: 55, Strings: 4, Instructions: 280COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0057DC3E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0057DC6B
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0057DC77
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0057DC83
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0057DC92
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0057DCA7
      • __vbaStrCmp.MSVBVM60(0042ADE8,?,?,?,?,?,00423E86), ref: 0057DCBD
      • __vbaStrCat.MSVBVM60(?,-user:,?,?,?,?,00423E86), ref: 0057DCD7
      • __vbaStrMove.MSVBVM60(?,?,?,?,00423E86), ref: 0057DCE2
      • __vbaStrCat.MSVBVM60(0042FA64,00000000,?,?,?,?,00423E86), ref: 0057DCEE
      • __vbaStrMove.MSVBVM60(?,?,?,?,00423E86), ref: 0057DCF9
      • __vbaFreeStr.MSVBVM60(?,?,?,?,00423E86), ref: 0057DD02
      • __vbaStrCmp.MSVBVM60(0042ADE8,?,?,?,?,?,00423E86), ref: 0057DD18
      • __vbaStrCat.MSVBVM60(-domain:,?,?,?,?,?,00423E86), ref: 0057DD32
      • __vbaStrMove.MSVBVM60(?,?,?,?,00423E86), ref: 0057DD3D
      • __vbaStrCat.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 0057DD48
      • __vbaStrMove.MSVBVM60(?,?,?,?,00423E86), ref: 0057DD53
      • __vbaStrCat.MSVBVM60(0042FA64,00000000,?,?,?,?,00423E86), ref: 0057DD5F
      • __vbaStrMove.MSVBVM60(?,?,?,?,00423E86), ref: 0057DD6A
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,00423E86), ref: 0057DD7A
      • __vbaStrCmp.MSVBVM60(0042ADE8,?,?,?,?,?,00423E86), ref: 0057DD93
      • __vbaStrCat.MSVBVM60(-pass:,?,?,?,?,?,00423E86), ref: 0057DDAD
      • __vbaStrMove.MSVBVM60(?,?,?,?,00423E86), ref: 0057DDB8
      • __vbaStrCat.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 0057DDC3
      • __vbaStrMove.MSVBVM60(?,?,?,?,00423E86), ref: 0057DDCE
      • __vbaStrCat.MSVBVM60(0042FA64,00000000,?,?,?,?,00423E86), ref: 0057DDDA
      • __vbaStrMove.MSVBVM60(?,?,?,?,00423E86), ref: 0057DDE5
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,00423E86), ref: 0057DDF5
      • #617.MSVBVM60(?,00004008,00000001), ref: 0057DE1C
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0057DE38
      • __vbaFreeVar.MSVBVM60 ref: 0057DE45
      • __vbaLenBstr.MSVBVM60(?), ref: 0057DE6B
      • #619.MSVBVM60(?,00004008,-00000001), ref: 0057DE83
      • __vbaStrVarMove.MSVBVM60(?), ref: 0057DE8D
      • __vbaStrMove.MSVBVM60 ref: 0057DE98
      • __vbaFreeVar.MSVBVM60 ref: 0057DEA1
      • #619.MSVBVM60(?,00004008,00000001), ref: 0057DEC5
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0057DEE1
      • __vbaFreeVar.MSVBVM60 ref: 0057DEEE
      • __vbaLenBstr.MSVBVM60(?), ref: 0057DF14
      • #617.MSVBVM60(?,00004008,-00000001), ref: 0057DF2C
      • __vbaStrVarMove.MSVBVM60(?), ref: 0057DF36
      • __vbaStrMove.MSVBVM60 ref: 0057DF41
      • __vbaFreeVar.MSVBVM60 ref: 0057DF4A
      • __vbaStrMove.MSVBVM60 ref: 0057DF61
      • __vbaStrMove.MSVBVM60(?,000000FF), ref: 0057DF86
      • __vbaFreeStrList.MSVBVM60(00000002,?,00000000,00000000), ref: 0057DF9C
      • #685.MSVBVM60(?,?,00423E86), ref: 0057DFAC
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,00423E86), ref: 0057DFB7
      • __vbaFreeObj.MSVBVM60(?,?,00423E86), ref: 0057DFD8
      • __vbaFreeStr.MSVBVM60(0057E03A,?,?,00423E86), ref: 0057E018
      • __vbaFreeStr.MSVBVM60(?,?,00423E86), ref: 0057E021
      • __vbaFreeStr.MSVBVM60(?,?,00423E86), ref: 0057E02A
      • __vbaFreeStr.MSVBVM60(?,?,00423E86), ref: 0057E033
      • __vbaErrorOverflow.MSVBVM60 ref: 0057E04D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Free$Copy$List$#617#619BstrError$#685ChkstkOverflow
      • String ID: -domain:$-pass:$-user:$`2m
      • API String ID: 617598588-3156522762
      • Opcode ID: b71cb79dd1e9d2e053deb638953018d4ab949577d169f27f6723f6e852fcebfd
      • Instruction ID: 813c1be9a5b9b0503694bd1c3c0976580b82de98b146cc6db029ad4909ad3bac
      • Opcode Fuzzy Hash: b71cb79dd1e9d2e053deb638953018d4ab949577d169f27f6723f6e852fcebfd
      • Instruction Fuzzy Hash: 21C1E475D00209EFDB04DFA4EA88ADEBB78BF48705F10C129E516B7260DB745A49CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00580D50 Relevance: 101.8, APIs: 52, Strings: 6, Instructions: 322COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86,?,?,?,005865FE,?,?), ref: 00580D6E
      • __vbaStrCopy.MSVBVM60(6D23D8CD,00000001,?,?,00423E86), ref: 00580D9B
      • __vbaStrCopy.MSVBVM60 ref: 00580DA7
      • __vbaOnError.MSVBVM60(000000FF), ref: 00580DB6
      • #520.MSVBVM60(?,00004008), ref: 00580DE1
      • #520.MSVBVM60(?,00004008), ref: 00580E19
      • __vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 00580E42
      • __vbaVarCmpNe.MSVBVM60(?,00008008,?,00000000), ref: 00580E5B
      • __vbaVarAnd.MSVBVM60(?,00000000), ref: 00580E69
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 00580E70
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00580E87
      • __vbaAryMove.MSVBVM60(?,?,?,?,?), ref: 00580EE4
      • #685.MSVBVM60 ref: 00580EF1
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00580EFC
      • __vbaFreeObj.MSVBVM60 ref: 00580F1D
      • __vbaUbound.MSVBVM60(00000001,?), ref: 00580F30
      • #685.MSVBVM60 ref: 00580F46
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00580F51
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 00580F9C
      • __vbaFreeObj.MSVBVM60 ref: 00580FCC
      • #716.MSVBVM60(?,CAPICOM.Certificate,00000000), ref: 00580FF3
      • __vbaObjVar.MSVBVM60(?), ref: 00580FFD
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00581008
      • __vbaFreeVar.MSVBVM60 ref: 00581011
      • __vbaChkstk.MSVBVM60 ref: 00581036
        • Part of subcall function 00586E90: __vbaChkstk.MSVBVM60(?,00423E86,?,?,?,0058148D,?,?), ref: 00586EAE
        • Part of subcall function 00586E90: __vbaOnError.MSVBVM60(000000FF,6D23D8CD,00000001,?,?,00423E86), ref: 00586EDE
        • Part of subcall function 00586E90: #520.MSVBVM60(?,00004008), ref: 00586F00
        • Part of subcall function 00586E90: __vbaStrVarMove.MSVBVM60(?), ref: 00586F0A
        • Part of subcall function 00586E90: __vbaStrMove.MSVBVM60 ref: 00586F15
        • Part of subcall function 00586E90: __vbaFreeVar.MSVBVM60 ref: 00586F1E
        • Part of subcall function 00586E90: __vbaStrCmp.MSVBVM60(0042ADE8), ref: 00586F36
        • Part of subcall function 00586E90: __vbaAryRecMove.MSVBVM60(004442D0,?,?), ref: 00586F66
        • Part of subcall function 00586E90: #685.MSVBVM60 ref: 00586F73
        • Part of subcall function 00586E90: __vbaObjSet.MSVBVM60(?,00000000), ref: 00586F7E
        • Part of subcall function 00586E90: __vbaFreeObj.MSVBVM60 ref: 00586F9F
        • Part of subcall function 00586E90: __vbaUbound.MSVBVM60(00000001,00000000), ref: 00587012
      • __vbaLateMemCall.MSVBVM60(?,Import,00000001), ref: 0058106B
      • __vbaObjSetAddref.MSVBVM60(?,?), ref: 00581083
      • #716.MSVBVM60(?,Capicom.Utilities,00000000), ref: 0058109B
      • __vbaObjVar.MSVBVM60(?), ref: 005810A5
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005810B0
      • __vbaFreeVar.MSVBVM60 ref: 005810B9
      • __vbaChkstk.MSVBVM60 ref: 005810DF
      • __vbaLateMemCallLd.MSVBVM60(?,?,Export,00000001), ref: 00581118
      • __vbaChkstk.MSVBVM60 ref: 00581128
      • __vbaLateMemCallLd.MSVBVM60(00000001,?,BinaryToHex,00000001), ref: 00581154
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 0058115E
      • __vbaStrMove.MSVBVM60 ref: 00581169
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00581179
      • __vbaStrCopy.MSVBVM60 ref: 00581191
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005811A4
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005811B7
      • #685.MSVBVM60 ref: 005811C4
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005811CF
      • __vbaFreeObj.MSVBVM60 ref: 005811F0
      • __vbaAryDestruct.MSVBVM60(00000000,?,00581291), ref: 00581248
      • __vbaFreeStr.MSVBVM60 ref: 00581251
      • __vbaFreeStr.MSVBVM60 ref: 0058125A
      • __vbaFreeStr.MSVBVM60 ref: 00581263
      • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0058126F
      • __vbaFreeStr.MSVBVM60 ref: 00581278
      • __vbaFreeObj.MSVBVM60 ref: 00581281
      • __vbaFreeObj.MSVBVM60 ref: 0058128A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$AddrefChkstk$#685$#520CallCopyLate$#716DestructErrorListUbound$BoolCheckHresultNull
      • String ID: BinaryToHex$CAPICOM.Certificate$Capicom.Utilities$Export$Import$`2m
      • API String ID: 3568775936-2925061297
      • Opcode ID: 4ed6cd89dc6de85ddf28dc1b48db578b33671d15860b940b1a0549ab63684b25
      • Instruction ID: 6401db50c376a8e2424103b8b59eeaac7f2418d1fdf110669ea549b6de2541f6
      • Opcode Fuzzy Hash: 4ed6cd89dc6de85ddf28dc1b48db578b33671d15860b940b1a0549ab63684b25
      • Instruction Fuzzy Hash: 8AE11B75900219DFDB14DFA0DE48BDDBBB8BF48304F108599E60AB7260DB745A89CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00638080 Relevance: 98.4, APIs: 51, Strings: 5, Instructions: 388COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000001,?,00000000,00423E86), ref: 0063809E
      • __vbaStrCopy.MSVBVM60(?,00000001,?,?,00423E86), ref: 006380CB
      • __vbaOnError.MSVBVM60(000000FF,?,00000001,?,?,00423E86), ref: 006380DA
      • __vbaStrCmp.MSVBVM60(0042ADE8,?,?,00000001,?,?,00423E86), ref: 006380F0
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000001,?,?,00423E86), ref: 0063810A
      • __vbaStrCopy.MSVBVM60(?,00000001,?,?,00423E86), ref: 0063812B
      • __vbaStrCmp.MSVBVM60(0042ADE8,?,?,00000001,?,?,00423E86), ref: 00638141
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000001,?,?,00423E86), ref: 00638159
      • __vbaStrCmp.MSVBVM60(00000000,?,?,00000001,?,?,00423E86), ref: 00638177
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000001,?,?,00423E86), ref: 006381A6
      • #520.MSVBVM60(?,00004008), ref: 00638205
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 00638221
      • __vbaFreeVar.MSVBVM60 ref: 00638231
      • __vbaChkstk.MSVBVM60 ref: 0063826B
      • __vbaVarIndexLoad.MSVBVM60(?,00002008,00000001), ref: 00638293
      • __vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000001), ref: 0063829D
      • __vbaStrMove.MSVBVM60(?,?,?,00000001), ref: 006382A8
      • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,00000001), ref: 006382B8
      • #520.MSVBVM60(?,00004008), ref: 006382DD
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 006382F9
      • __vbaFreeVar.MSVBVM60 ref: 00638309
      • #712.MSVBVM60(?,ALOAHA Secure Stick,GEMALTO IDBridge K3000,00000001,000000FF,00000000), ref: 0063835D
      • __vbaStrMove.MSVBVM60 ref: 00638368
      • #717.MSVBVM60(?,00000008,00000080,00000000), ref: 0063839D
      • __vbaVar2Vec.MSVBVM60(?,?), ref: 006383AB
      • __vbaAryMove.MSVBVM60(?,?), ref: 006383B9
      • __vbaFreeStr.MSVBVM60 ref: 006383C2
      • __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 006383D2
      • #685.MSVBVM60 ref: 006383E2
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 006383ED
      • __vbaFreeObj.MSVBVM60 ref: 0063840E
      • __vbaGenerateBoundsError.MSVBVM60 ref: 00638452
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0063846C
      • __vbaChkstk.MSVBVM60 ref: 00638493
      • __vbaLateMemCallLd.MSVBVM60(?,00000000,gSCardConnect,00000001), ref: 006384C3
      • __vbaI4Var.MSVBVM60(00000000), ref: 006384CD
      • __vbaFreeVar.MSVBVM60 ref: 006384D9
      • #685.MSVBVM60 ref: 006384E6
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 006384F1
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 00638539
      • __vbaFreeObj.MSVBVM60 ref: 00638574
      • __vbaStrCopy.MSVBVM60 ref: 006385A4
      • #685.MSVBVM60(?,00000001,?,?,00423E86), ref: 006385BF
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000001,?,?,00423E86), ref: 006385CA
      • __vbaFreeObj.MSVBVM60(?,00000001,?,?,00423E86), ref: 006385EB
      • #685.MSVBVM60(?,00000001,?,?,00423E86), ref: 00638609
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000001,?,?,00423E86), ref: 00638614
      • __vbaFreeObj.MSVBVM60(?,00000001,?,?,00423E86), ref: 00638635
      • __vbaAryDestruct.MSVBVM60(00000000,?,00638699,?,00000001,?,?,00423E86), ref: 0063867D
      • __vbaAryDestruct.MSVBVM60(00000000,?,?,00000001,?,?,00423E86), ref: 00638689
      • __vbaFreeStr.MSVBVM60(?,00000001,?,?,00423E86), ref: 00638692
        • Part of subcall function 00639FC0: __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,?,00000000,00423E86,00567576), ref: 00639FDE
        • Part of subcall function 00639FC0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86), ref: 0063A00E
        • Part of subcall function 00639FC0: __vbaStrCmp.MSVBVM60(true,00000000,?,?,?,00000000,00423E86), ref: 0063A03C
        • Part of subcall function 00639FC0: #685.MSVBVM60(?,?,?,00000000,00423E86), ref: 0063A24F
        • Part of subcall function 00639FC0: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00423E86), ref: 0063A25A
        • Part of subcall function 00639FC0: __vbaFreeObj.MSVBVM60(?,?,?,00000000,00423E86), ref: 0063A272
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685$ChkstkErrorMove$Copy$#520BoundsDestructGenerateList$#712#717CallCheckHresultIndexLateLoadVar2
      • String ID: "$ALOAHA Secure Stick$GEMALTO IDBridge K3000$gSCardConnect$`2m
      • API String ID: 2532455593-1775504010
      • Opcode ID: 81f36dfa7995a9d050fdbbc5c4e500425978a530df3e2c214aca063412d10280
      • Instruction ID: 9c2819e69300c471598127750628b820f7debafc851fb00e7090823de2ae081c
      • Opcode Fuzzy Hash: 81f36dfa7995a9d050fdbbc5c4e500425978a530df3e2c214aca063412d10280
      • Instruction Fuzzy Hash: 150248B0D00319EFDB14DFA4DA48BEDBBB5BF48304F108169E506AB2A0DB745A85CF94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00586850 Relevance: 96.7, APIs: 54, Strings: 1, Instructions: 411COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,?,005865AF,?), ref: 0058686E
      • __vbaOnError.MSVBVM60(000000FF,6D23D8CD,00000001,?,00000000,00423E86), ref: 0058689E
      • #520.MSVBVM60(?,00004008), ref: 005868C0
      • __vbaStrVarMove.MSVBVM60(?), ref: 005868CA
      • __vbaStrMove.MSVBVM60 ref: 005868D5
      • __vbaFreeVar.MSVBVM60 ref: 005868DE
      • __vbaStrCopy.MSVBVM60 ref: 005868F3
      • __vbaLenBstr.MSVBVM60(00000000), ref: 00586914
      • #685.MSVBVM60 ref: 0058692A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00586935
      • __vbaFreeObj.MSVBVM60 ref: 00586956
      • __vbaI4Str.MSVBVM60(00000000), ref: 00586969
      • #685.MSVBVM60 ref: 00586979
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00586984
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 005869B7
      • __vbaFreeObj.MSVBVM60 ref: 00586A00
      • __vbaAryRecMove.MSVBVM60(004442D0,?,00000000), ref: 00586A31
      • __vbaGenerateBoundsError.MSVBVM60 ref: 00586A6F
      • __vbaGenerateBoundsError.MSVBVM60 ref: 00586A89
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 00586AAA
      • #685.MSVBVM60 ref: 00586ABF
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00586ACA
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 00586AFD
      • __vbaFreeObj.MSVBVM60 ref: 00586B2A
      • __vbaAryLock.MSVBVM60(?,00000000), ref: 00586B4E
      • __vbaGenerateBoundsError.MSVBVM60 ref: 00586B86
      • __vbaGenerateBoundsError.MSVBVM60 ref: 00586BA0
      • #520.MSVBVM60(?,00004008), ref: 00586BCA
      • __vbaAryUnlock.MSVBVM60(00000000), ref: 00586BD4
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 00586BF0
      • __vbaFreeVar.MSVBVM60 ref: 00586BFD
      • #685.MSVBVM60 ref: 00586C16
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00586C21
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 00586C54
      • __vbaFreeObj.MSVBVM60 ref: 00586C81
      • __vbaAryLock.MSVBVM60(00000000,00000000), ref: 00586CA5
      • __vbaGenerateBoundsError.MSVBVM60 ref: 00586CDD
      • __vbaGenerateBoundsError.MSVBVM60 ref: 00586CF7
      • #520.MSVBVM60(?,00004008), ref: 00586D21
      • __vbaAryUnlock.MSVBVM60(00000000), ref: 00586D2B
      • __vbaStrVarMove.MSVBVM60(?), ref: 00586D35
      • __vbaStrMove.MSVBVM60 ref: 00586D40
      • __vbaFreeVar.MSVBVM60 ref: 00586D49
      • #685.MSVBVM60 ref: 00586D56
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00586D61
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 00586D94
      • __vbaFreeObj.MSVBVM60 ref: 00586DC1
      • __vbaStrCopy.MSVBVM60 ref: 00586DDF
      • #685.MSVBVM60 ref: 00586DEC
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00586DF7
      • __vbaFreeObj.MSVBVM60 ref: 00586E18
      • __vbaAryDestruct.MSVBVM60(004442D0,?,00586E77), ref: 00586E58
      • __vbaFreeStr.MSVBVM60 ref: 00586E61
      • __vbaAryDestruct.MSVBVM60(004442D0,?), ref: 00586E70
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Error$#685BoundsGenerate$Move$CheckHresult$#520$CopyDestructLockUnlock$BstrChkstk
      • String ID: `2m
      • API String ID: 2555632987-3187377090
      • Opcode ID: b3f2f71e01b8413a9e8c514d1515a18d9788c1699504f35e47520dd4f9e34058
      • Instruction ID: fdbb55a53ee27e419ad023d083156fb74121a506a961c3adcdb85839f9555113
      • Opcode Fuzzy Hash: b3f2f71e01b8413a9e8c514d1515a18d9788c1699504f35e47520dd4f9e34058
      • Instruction Fuzzy Hash: 371214B5900218DFDB14DFA4DA88BDDBBB5FF48305F208169E916B72A0DB749A84CF14
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005848D0 Relevance: 96.5, APIs: 49, Strings: 6, Instructions: 290COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86,?,?,?,00584521,?,?), ref: 005848EE
      • __vbaStrCopy.MSVBVM60(6D23D8CD,00000001,?,?,00423E86), ref: 0058491B
      • __vbaStrCopy.MSVBVM60 ref: 00584927
      • __vbaOnError.MSVBVM60(000000FF), ref: 00584936
      • __vbaStrCopy.MSVBVM60 ref: 0058494D
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 00584963
      • __vbaStrMove.MSVBVM60 ref: 0058497E
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 00584994
      • __vbaStrMove.MSVBVM60(?), ref: 005849B3
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 005849C9
      • __vbaAryMove.MSVBVM60(?,?,?,?), ref: 005849FC
      • #685.MSVBVM60 ref: 00584A09
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00584A14
      • __vbaFreeObj.MSVBVM60 ref: 00584A35
      • __vbaUbound.MSVBVM60(00000001,?), ref: 00584A48
      • #685.MSVBVM60 ref: 00584A5E
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00584A69
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 00584AB4
      • __vbaFreeObj.MSVBVM60 ref: 00584AE4
      • #716.MSVBVM60(?,CAPICOM.Certificate,00000000), ref: 00584B0B
      • __vbaObjVar.MSVBVM60(?), ref: 00584B15
        • Part of subcall function 0058D7A0: __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,?,?,00584492), ref: 0058CACE
        • Part of subcall function 0058D7A0: __vbaOnError.MSVBVM60(000000FF,6D23D8CD,00000000,?,00000000,00423E86), ref: 0058CAFE
        • Part of subcall function 0058D7A0: __vbaAryRecMove.MSVBVM60(004442D0,?,?), ref: 0058CB2E
        • Part of subcall function 0058D7A0: #685.MSVBVM60 ref: 0058CB3B
        • Part of subcall function 0058D7A0: __vbaObjSet.MSVBVM60(?,00000000), ref: 0058CB46
        • Part of subcall function 0058D7A0: __vbaFreeObj.MSVBVM60 ref: 0058CB5E
        • Part of subcall function 0058D7A0: __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 0058CBC8
        • Part of subcall function 0058D7A0: #685.MSVBVM60 ref: 0058CBDD
        • Part of subcall function 0058D7A0: __vbaObjSet.MSVBVM60(?,00000000), ref: 0058CBE8
        • Part of subcall function 0058D7A0: __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 0058CC1B
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00584B20
      • __vbaFreeVar.MSVBVM60 ref: 00584B29
      • __vbaChkstk.MSVBVM60 ref: 00584B48
      • __vbaLateMemCall.MSVBVM60(?,Import,00000001), ref: 00584B71
      • __vbaObjSetAddref.MSVBVM60(?,?), ref: 00584B89
      • #716.MSVBVM60(?,Capicom.Utilities,00000000), ref: 00584BA1
      • __vbaObjVar.MSVBVM60(?), ref: 00584BAB
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00584BB6
      • __vbaFreeVar.MSVBVM60 ref: 00584BBF
      • __vbaChkstk.MSVBVM60 ref: 00584BDF
      • __vbaLateMemCallLd.MSVBVM60(?,?,Export,00000001), ref: 00584C0C
      • __vbaChkstk.MSVBVM60 ref: 00584C1C
      • __vbaLateMemCallLd.MSVBVM60(?,?,BinaryToHex,00000001), ref: 00584C48
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 00584C52
      • __vbaStrMove.MSVBVM60 ref: 00584C5F
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00584C6F
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00584C85
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00584C98
      • #685.MSVBVM60 ref: 00584CA5
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00584CB0
      • __vbaFreeObj.MSVBVM60 ref: 00584CD1
      • __vbaAryDestruct.MSVBVM60(00000000,?,00584D57), ref: 00584D17
      • __vbaFreeObj.MSVBVM60 ref: 00584D20
      • __vbaFreeStr.MSVBVM60 ref: 00584D29
      • __vbaFreeStr.MSVBVM60 ref: 00584D32
      • __vbaFreeStr.MSVBVM60 ref: 00584D3B
      • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00584D47
      • __vbaFreeObj.MSVBVM60 ref: 00584D50
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$#685AddrefChkstk$CallCopyLate$#716CheckDestructErrorHresult$ListUbound
      • String ID: BinaryToHex$CAPICOM.Certificate$Capicom.Utilities$Export$Import$`2m
      • API String ID: 1272009397-2925061297
      • Opcode ID: c40f713054fdac7a2d69adc476ee7d1efbfb1c5e75778354290578453112071f
      • Instruction ID: 3b45e7f2c9888e759cb988aaed4e9143a0d0b380fe77a25523ba06aa76225602
      • Opcode Fuzzy Hash: c40f713054fdac7a2d69adc476ee7d1efbfb1c5e75778354290578453112071f
      • Instruction Fuzzy Hash: 4DD11775A00209EFDB04DFA4DA48BDEBBB4FF48305F108169E506AB2A1DB749A45CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 006A5010 Relevance: 94.8, APIs: 48, Strings: 6, Instructions: 322COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 006A502E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 006A5067
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 006A5073
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 006A5082
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 006A5097
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 006A50A9
      • #520.MSVBVM60(?,00004008), ref: 006A50DA
      • #520.MSVBVM60(?,00004008), ref: 006A5118
      • #520.MSVBVM60(?,00004008), ref: 006A5159
      • #520.MSVBVM60(?,00004008), ref: 006A5180
      • #520.MSVBVM60(?,00004008), ref: 006A51A7
      • #520.MSVBVM60(?,00004008), ref: 006A51E2
      • #520.MSVBVM60(?,00004008), ref: 006A520F
      • __vbaVarCmpNe.MSVBVM60(?,00008008,?), ref: 006A5224
      • __vbaVarCmpNe.MSVBVM60(?,00008008,?,00000000), ref: 006A523A
      • __vbaVarAnd.MSVBVM60(?,00000000), ref: 006A5248
      • __vbaVarCmpEq.MSVBVM60(?,?,?,00000000), ref: 006A5264
      • __vbaVarAnd.MSVBVM60(?,00000000), ref: 006A5272
      • __vbaVarCmpNe.MSVBVM60(?,00008008,?,00000000), ref: 006A528E
      • __vbaVarAnd.MSVBVM60(?,00000000), ref: 006A529C
      • __vbaVarCmpEq.MSVBVM60(?,?,?,00000000), ref: 006A52B8
      • __vbaVarAnd.MSVBVM60(?,00000000), ref: 006A52C6
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 006A52CD
      • __vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 006A5307
      • __vbaStrCmp.MSVBVM60(true,?,?,?,?,?,?,?,?,00423E86), ref: 006A5331
      • #716.MSVBVM60(?,AloahaSync.SyncAPI,00000000,?,?,?,?,?,?,?,00423E86), ref: 006A536E
      • __vbaObjVar.MSVBVM60(?,?,?,?,?,?,?,?,00423E86), ref: 006A5378
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00423E86), ref: 006A5383
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,00423E86), ref: 006A538C
      • __vbaChkstk.MSVBVM60 ref: 006A53C4
      • __vbaChkstk.MSVBVM60 ref: 006A53F3
      • __vbaLateMemCallLd.MSVBVM60(?,?,MustChangePassword,00000002), ref: 006A542C
      • __vbaBoolVar.MSVBVM60(00000000), ref: 006A5436
      • __vbaFreeVar.MSVBVM60 ref: 006A5443
      • __vbaStrCopy.MSVBVM60 ref: 006A546C
      • __vbaStrCopy.MSVBVM60 ref: 006A5489
      • __vbaStrCopy.MSVBVM60 ref: 006A54A2
      • __vbaStrCopy.MSVBVM60 ref: 006A54BB
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 006A54CE
      • #685.MSVBVM60 ref: 006A54DB
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 006A54E6
      • __vbaFreeObj.MSVBVM60 ref: 006A5507
      • #685.MSVBVM60 ref: 006A5514
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 006A551F
      • __vbaFreeObj.MSVBVM60 ref: 006A5540
      • __vbaFreeStr.MSVBVM60(006A55EE), ref: 006A55D5
      • __vbaFreeObj.MSVBVM60 ref: 006A55DE
      • __vbaFreeStr.MSVBVM60 ref: 006A55E7
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#520Copy$Chkstk$Move$#685AddrefBoolError$#518#711#716CallIndexLateListLoadLockNullUnlock
      • String ID: AloahaCredentials:MustChangePassword$AloahaSync.SyncAPI$MustChangePassword$false$true$`2m
      • API String ID: 2481101971-223845387
      • Opcode ID: fecc0bf4b822de628f8ed24076a75e572f8dad85b5bbcba82e3cea3e28d3d60f
      • Instruction ID: d872847afe145d5fef5c6281cc1a6a28d6af4321f444dbd60ce66b9b1e4c8b90
      • Opcode Fuzzy Hash: fecc0bf4b822de628f8ed24076a75e572f8dad85b5bbcba82e3cea3e28d3d60f
      • Instruction Fuzzy Hash: 38F1F9B5800218EFDB54DF90DD48BDEBBB8BF48304F1085A9E60AB7260DB745A88CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0064C8B0 Relevance: 94.8, APIs: 63, Instructions: 322COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,00000000,00000000,?,00423E86), ref: 0064C8CE
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00423E86), ref: 0064C8FE
      • #525.MSVBVM60(00000069,?,00000000,00000000,00000000,00423E86), ref: 0064C90D
      • __vbaStrMove.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0064C918
      • __vbaStrToAnsi.MSVBVM60(00000000,00000000,?,00000000,00000000,00000000,00423E86), ref: 0064C92D
      • __vbaLenBstr.MSVBVM60(00000000,00000000,?,00000000,00000000,00000000,00423E86), ref: 0064C938
      • __vbaSetSystemError.MSVBVM60(00000000,?,00000000,00000000,00000000,00423E86), ref: 0064C947
      • __vbaStrToUnicode.MSVBVM60(00000000,?,?,00000000,00000000,00000000,00423E86), ref: 0064C955
      • __vbaFreeStr.MSVBVM60 ref: 0064C96D
      • #519.MSVBVM60(00000000), ref: 0064C98A
      • __vbaStrMove.MSVBVM60 ref: 0064C995
      • #537.MSVBVM60(00000000), ref: 0064C9A4
      • __vbaStrMove.MSVBVM60 ref: 0064C9AF
      • #537.MSVBVM60(00000020), ref: 0064C9B7
      • __vbaStrMove.MSVBVM60 ref: 0064C9C2
      • __vbaStrMove.MSVBVM60(00000001,000000FF,00000000), ref: 0064C9F7
      • __vbaStrMove.MSVBVM60(00000000), ref: 0064CA07
      • #712.MSVBVM60(00000000,00000000), ref: 0064CA12
      • __vbaStrMove.MSVBVM60 ref: 0064CA1D
      • __vbaFreeStrList.MSVBVM60(00000004,?,?,00000000,00000000), ref: 0064CA35
      • #537.MSVBVM60(00000020,?,00000000,00000000,00000000,00423E86), ref: 0064CA47
      • __vbaStrMove.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0064CA52
      • #537.MSVBVM60(00000020,?,00000000,00000000,00000000,00423E86), ref: 0064CA5A
      • __vbaStrMove.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0064CA65
      • #537.MSVBVM60(00000020,?,00000000,00000000,00000000,00423E86), ref: 0064CA6D
      • __vbaStrMove.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0064CA78
      • __vbaStrMove.MSVBVM60(00000001,000000FF,00000000), ref: 0064CABD
      • __vbaStrMove.MSVBVM60(00000000), ref: 0064CACD
      • __vbaStrMove.MSVBVM60(00000000), ref: 0064CADD
      • __vbaStrCat.MSVBVM60(00000000), ref: 0064CAE4
      • __vbaStrMove.MSVBVM60 ref: 0064CAEF
      • #712.MSVBVM60(00000000,00000000), ref: 0064CAFA
      • __vbaStrMove.MSVBVM60 ref: 0064CB05
      • __vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,00000000,00000000,00000000), ref: 0064CB29
      • #537.MSVBVM60(00000020,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86), ref: 0064CB3B
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86), ref: 0064CB46
      • #537.MSVBVM60(00000020,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86), ref: 0064CB4E
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86), ref: 0064CB59
      • #537.MSVBVM60(00000020,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86), ref: 0064CB61
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00423E86), ref: 0064CB6C
      • __vbaStrMove.MSVBVM60(00000001,000000FF,00000000), ref: 0064CBB1
      • __vbaStrMove.MSVBVM60(00000000), ref: 0064CBC1
      • __vbaStrMove.MSVBVM60(00000000), ref: 0064CBD1
      • __vbaStrCat.MSVBVM60(00000000), ref: 0064CBD8
      • __vbaStrMove.MSVBVM60 ref: 0064CBE3
      • #712.MSVBVM60(00000000,00000000), ref: 0064CBEE
      • __vbaStrMove.MSVBVM60 ref: 0064CBF9
      • __vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,00000000,00000000,00000000), ref: 0064CC1D
      • #519.MSVBVM60(00000000), ref: 0064CC31
      • __vbaStrMove.MSVBVM60 ref: 0064CC3C
      • #537.MSVBVM60(00000020), ref: 0064CC44
      • __vbaStrMove.MSVBVM60 ref: 0064CC4F
      • __vbaStrMove.MSVBVM60(00000008,000000FF,00000000), ref: 0064CC96
      • #711.MSVBVM60(?,00000000), ref: 0064CCA1
      • __vbaAryVar.MSVBVM60(00002008,?), ref: 0064CCB0
      • __vbaAryCopy.MSVBVM60(?,?), ref: 0064CCC1
      • __vbaFreeStrList.MSVBVM60(00000003,?,00000000,00000000), ref: 0064CCD5
      • __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0064CCE8
      • #685.MSVBVM60 ref: 0064CCF8
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0064CD03
      • __vbaFreeObj.MSVBVM60 ref: 0064CD24
      • __vbaFreeStr.MSVBVM60(0064CD9E), ref: 0064CD8E
      • __vbaFreeStr.MSVBVM60 ref: 0064CD97
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$#537Free$List$#712$#519Error$#525#685#711AnsiBstrChkstkCopySystemUnicode
      • String ID:
      • API String ID: 3345320522-0
      • Opcode ID: 7e9ee4d1b6e83d6140141697152e1e53c2f1dcdcfa9a4af2e7f236a55fd05e75
      • Instruction ID: ebddd5112676e62007e9c6d136ac517487179de579e6757c78652e36beb9b4f0
      • Opcode Fuzzy Hash: 7e9ee4d1b6e83d6140141697152e1e53c2f1dcdcfa9a4af2e7f236a55fd05e75
      • Instruction Fuzzy Hash: 20E1C975900208EFDB05DFA0DE98BDEBBB5BF48305F108269E506B62A1DB705A49CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 006178B0 Relevance: 93.1, APIs: 45, Strings: 8, Instructions: 357COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86,?,?,?,?,006129A7,?), ref: 006178CE
      • __vbaOnError.MSVBVM60(000000FF,?,00000001,?,?,00423E86), ref: 006178FE
      • #685.MSVBVM60(?,00000001), ref: 00617918
      • __vbaObjSet.MSVBVM60(00000001,00000000,?,00000001), ref: 00617923
      • __vbaFreeObj.MSVBVM60(?,00000001), ref: 00617944
      • __vbaLateMemCallLd.MSVBVM60(?,?,IsNonRepudiationEnabled,00000000), ref: 006179B2
      • __vbaVarCmpEq.MSVBVM60(?,?,00000000,00000001), ref: 006179C7
      • __vbaLateMemCallLd.MSVBVM60(?,?,IsCRLSignEnabled,00000000,00000000), ref: 006179DF
      • __vbaVarCmpEq.MSVBVM60(?,?,00000000), ref: 006179F4
      • __vbaVarOr.MSVBVM60(?,00000000), ref: 006179FF
      • __vbaLateMemCallLd.MSVBVM60(?,?,IsCRLSignEnabled,00000000,00000000), ref: 00617A1A
      • __vbaVarCmpEq.MSVBVM60(?,?,00000000), ref: 00617A32
      • __vbaVarOr.MSVBVM60(?,00000000), ref: 00617A40
      • __vbaLateMemCallLd.MSVBVM60(?,?,IsKeyCertSignEnabled,00000000,00000000), ref: 00617A5B
      • __vbaVarCmpEq.MSVBVM60(?,?,00000000), ref: 00617A73
      • __vbaVarOr.MSVBVM60(?,00000000), ref: 00617A81
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 00617A88
      • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00617AAD
      • #685.MSVBVM60 ref: 00617ACC
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00617AD7
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 00617B22
      • __vbaFreeObj.MSVBVM60 ref: 00617B52
      • __vbaLateMemCallLd.MSVBVM60(?,00000000,IsDataEnciphermentEnabled,00000000), ref: 00617BE3
      • __vbaVarCmpEq.MSVBVM60(?,?,00000000), ref: 00617BF8
      • __vbaLateMemCallLd.MSVBVM60(?,?,IsDecipherOnlyEnabled,00000000,00000000), ref: 00617C10
      • __vbaVarCmpEq.MSVBVM60(?,?,00000000), ref: 00617C25
      • __vbaVarAnd.MSVBVM60(?,00000000), ref: 00617C30
      • __vbaLateMemCallLd.MSVBVM60(?,?,IsEncipherOnlyEnabled,00000000,00000000), ref: 00617C4B
      • __vbaVarCmpEq.MSVBVM60(?,?,00000000), ref: 00617C63
      • __vbaVarAnd.MSVBVM60(?,00000000), ref: 00617C71
      • __vbaLateMemCallLd.MSVBVM60(?,?,IsKeyAgreementEnabled,00000000,00000000), ref: 00617C8C
      • __vbaVarCmpEq.MSVBVM60(?,?,00000000), ref: 00617CA4
      • __vbaVarAnd.MSVBVM60(?,00000000), ref: 00617CB2
      • __vbaLateMemCallLd.MSVBVM60(?,?,IsKeyEnciphermentEnabled,00000000,00000000), ref: 00617CCD
      • __vbaVarCmpEq.MSVBVM60(?,?,00000000), ref: 00617CE5
      • __vbaVarAnd.MSVBVM60(?,00000000), ref: 00617CF3
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 00617CFA
      • __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 00617D26
      • #685.MSVBVM60 ref: 00617D45
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00617D50
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 00617D9B
      • __vbaFreeObj.MSVBVM60 ref: 00617DCB
      • #685.MSVBVM60 ref: 00617DF0
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00617DFB
      • __vbaFreeObj.MSVBVM60 ref: 00617E1C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$CallLate$Free$#685$BoolCheckHresultListNull$ChkstkError
      • String ID: IsCRLSignEnabled$IsDataEnciphermentEnabled$IsDecipherOnlyEnabled$IsEncipherOnlyEnabled$IsKeyAgreementEnabled$IsKeyCertSignEnabled$IsKeyEnciphermentEnabled$IsNonRepudiationEnabled
      • API String ID: 3988539076-2992502153
      • Opcode ID: 8bb24a3c2cb3ae258658027f99618782b867fcdd98cda02a02d95ce2706ef51f
      • Instruction ID: 62547f30bd4a93b1df54fd2cd74ca1a150b33cf8dd2390257bd881b5ba567f60
      • Opcode Fuzzy Hash: 8bb24a3c2cb3ae258658027f99618782b867fcdd98cda02a02d95ce2706ef51f
      • Instruction Fuzzy Hash: 06F10CB6900218AFDB55DF90CD88BDEB778FF48301F108699F50AA72A0DB755A88CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0057ACC0 Relevance: 91.3, APIs: 49, Strings: 3, Instructions: 303COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,?,?,0057C109), ref: 0057ACDE
      • __vbaOnError.MSVBVM60(000000FF,00000000,?,?,00000000,00423E86), ref: 0057AD0E
      • __vbaSetSystemError.MSVBVM60(?), ref: 0057AD24
      • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000027,00000000), ref: 0057AD66
      • __vbaAryLock.MSVBVM60(?,?), ref: 0057AD7E
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0057ADBB
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0057ADD5
      • #644.MSVBVM60(?), ref: 0057ADEE
      • __vbaAryUnlock.MSVBVM60(00000000), ref: 0057ADFE
      • __vbaSetSystemError.MSVBVM60(?,?,?), ref: 0057AE1E
      • __vbaStrVarCopy.MSVBVM60(00002011,?), ref: 0057AE5B
      • __vbaStrMove.MSVBVM60 ref: 0057AE66
      • #616.MSVBVM60(00000000), ref: 0057AE6D
      • __vbaStrMove.MSVBVM60 ref: 0057AE78
      • __vbaFreeStr.MSVBVM60 ref: 0057AE81
      • #712.MSVBVM60(?,0044052C,0042ADE8,00000001,000000FF,00000000), ref: 0057AEA2
      • __vbaStrMove.MSVBVM60 ref: 0057AEAD
      • #712.MSVBVM60(?,00440354,0042ADE8,00000001,000000FF,00000000), ref: 0057AECE
      • __vbaStrMove.MSVBVM60 ref: 0057AED9
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 0057AEEF
      • #610.MSVBVM60(?), ref: 0057AF08
      • #612.MSVBVM60(?), ref: 0057AF15
      • __vbaVarDup.MSVBVM60 ref: 0057AF38
      • __vbaVarDup.MSVBVM60 ref: 0057AF5E
      • #650.MSVBVM60(?,?,00000001,00000001), ref: 0057AF70
      • __vbaStrMove.MSVBVM60 ref: 0057AF7B
      • #650.MSVBVM60(?,?,00000001,00000001,00000000), ref: 0057AF94
      • __vbaStrMove.MSVBVM60 ref: 0057AF9F
      • __vbaStrCat.MSVBVM60(00000000), ref: 0057AFA6
      • __vbaStrMove.MSVBVM60 ref: 0057AFB1
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0057AFC1
      • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0057AFE2
      • __vbaStrCopy.MSVBVM60 ref: 0057AFF8
      • #712.MSVBVM60(?,0042FA64,0042ADE8,00000001,000000FF,00000000), ref: 0057B019
      • __vbaStrMove.MSVBVM60 ref: 0057B024
      • #712.MSVBVM60(?,0042EF60,0042ADE8,00000001,000000FF,00000000), ref: 0057B045
      • __vbaStrMove.MSVBVM60 ref: 0057B050
      • #712.MSVBVM60(?,004312D8,0042ADE8,00000001,000000FF,00000000), ref: 0057B071
      • __vbaStrMove.MSVBVM60 ref: 0057B07C
      • #712.MSVBVM60(?,00432880,0042ADE8,00000001,000000FF,00000000), ref: 0057B09D
      • __vbaStrMove.MSVBVM60 ref: 0057B0A8
      • #712.MSVBVM60(?,00432868,0042ADE8,00000001,000000FF,00000000), ref: 0057B0C9
      • __vbaStrMove.MSVBVM60 ref: 0057B0D4
      • #685.MSVBVM60 ref: 0057B0E1
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0057B0EC
      • __vbaFreeObj.MSVBVM60 ref: 0057B10D
      • __vbaAryDestruct.MSVBVM60(00000000,?,0057B18B), ref: 0057B17B
      • __vbaFreeStr.MSVBVM60 ref: 0057B184
      • __vbaErrorOverflow.MSVBVM60(00000000), ref: 0057B19F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$#712$Error$Free$#650BoundsCopyGenerateListSystem$#610#612#616#644#685ChkstkDestructLockOverflowRedimUnlock
      • String ID: ($hhnnss$yyyymmdd
      • API String ID: 71954022-2964958941
      • Opcode ID: c4332bf0734846106060268cf3e1d7d12105a81b2ef3b49508194544f72c76a5
      • Instruction ID: ba9180cde57607f8eb2375b750246fa4d9f94fb86c3659fc3e67899ea685cb8b
      • Opcode Fuzzy Hash: c4332bf0734846106060268cf3e1d7d12105a81b2ef3b49508194544f72c76a5
      • Instruction Fuzzy Hash: 56D13975A00218EFDB14DFA0DE88BDDBB75BB48701F108299F506B72A0DBB45A49CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005F9C00 Relevance: 91.3, APIs: 49, Strings: 3, Instructions: 297COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,?,?,00565FD8), ref: 005F9C1E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86), ref: 005F9C4E
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,?,?,00000000,00423E86), ref: 005F9C66
      • __vbaStrCmp.MSVBVM60(null,00000000,?,?,?,00000000,00423E86), ref: 005F9C7F
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00423E86), ref: 005F9CA0
      • __vbaStrMove.MSVBVM60(?,?,?,00000000,00423E86), ref: 005F9CBC
      • __vbaInStr.MSVBVM60(00000000,0042E5EC,?,00000001,?,?,?,00000000,00423E86), ref: 005F9CD6
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00423E86), ref: 005F9CEF
      • __vbaStrCmp.MSVBVM60(0042ADE8,?,?,?,?,00000000,00423E86), ref: 005F9D05
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00423E86), ref: 005F9D1E
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00423E86), ref: 005F9D31
      • #685.MSVBVM60(?,?,?,?,?,?,00000000,00423E86), ref: 005FA056
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,00423E86), ref: 005FA061
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,00000000,00423E86), ref: 005FA082
      • __vbaFreeStr.MSVBVM60(005FA0F8,?,?,?,?,?,?,00000000,00423E86), ref: 005FA0DF
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,00000000,00423E86), ref: 005FA0E8
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,00000000,00423E86), ref: 005FA0F1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$CopyFree$#685ChkstkErrorMove
      • String ID: USERDOMAIN$USERNAME$null
      • API String ID: 3359174267-2689664221
      • Opcode ID: 9f3121e8f5db8df457596d042929779ebfe6f06883af01da4dbf0ee3cf06e9c6
      • Instruction ID: f765329298f89cf64b932eff3a9e7032f741d9161004fe5540e60af5efc26960
      • Opcode Fuzzy Hash: 9f3121e8f5db8df457596d042929779ebfe6f06883af01da4dbf0ee3cf06e9c6
      • Instruction Fuzzy Hash: 3FD12BB1900219EBDB04DFD0DE48BEEBB78BB48705F1081A9E606B7260DB745B49CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00605C60 Relevance: 89.7, APIs: 44, Strings: 7, Instructions: 486COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 00605C7E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 00605CC5
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 00605CE6
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00456020,000000A0), ref: 00605D34
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00605D60
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00456020,000000A0), ref: 00605DAE
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00605DDA
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00456020,00000090), ref: 00605E2B
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00605E57
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00456020,000000A0), ref: 00605EA5
      • __vbaStrCmp.MSVBVM60(?,?), ref: 00605EC5
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 00605EEC
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00605F15
      • __vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,?,?,00423E86), ref: 00605F30
      • __vbaObjSet.MSVBVM60(0000FFFF,00000000), ref: 00605F73
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00456020,000000A0), ref: 00605FC1
      • __vbaStrMove.MSVBVM60 ref: 00605FF4
      • __vbaFreeObj.MSVBVM60 ref: 00605FFD
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00606023
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00456020,000000A4), ref: 00606072
      • __vbaFreeObj.MSVBVM60 ref: 0060608D
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 006060AE
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00456020,000000A4), ref: 006060FD
      • __vbaFreeObj.MSVBVM60 ref: 00606118
      • __vbaStrCopy.MSVBVM60 ref: 0060612F
      • __vbaStrCopy.MSVBVM60 ref: 00606144
      • __vbaStrMove.MSVBVM60(?), ref: 00606158
      • __vbaStrCopy.MSVBVM60 ref: 00606166
      • __vbaStrMove.MSVBVM60(?), ref: 0060617A
      • #595.MSVBVM60(00000008,00001000,00000008,0000000A,0000000A), ref: 006061F1
      • __vbaFreeStrList.MSVBVM60(00000004,?,?,00000000,00000000), ref: 00606209
      • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 00606224
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00606248
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00456020,00000204), ref: 00606292
      • __vbaFreeObj.MSVBVM60 ref: 006062AD
      • #599.MSVBVM60({Home}+{End},0000000A), ref: 006062D1
      • __vbaFreeVar.MSVBVM60 ref: 006062DA
      • __vbaNew2.MSVBVM60(0042EAFC,006B58E0), ref: 0060630F
      • __vbaObjSetAddref.MSVBVM60(000000FF,?), ref: 00606341
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042EAEC,00000010), ref: 00606380
      • __vbaFreeObj.MSVBVM60 ref: 0060639B
      • #685.MSVBVM60 ref: 006063A8
      • __vbaObjSet.MSVBVM60(000000FF,00000000), ref: 006063B3
      • __vbaFreeObj.MSVBVM60 ref: 006063D4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresult$List$CopyMove$#595#599#685AddrefChkstkErrorNew2
      • String ID: Invalid Password, try again!$Login$`Ak$`Ak${Home}+{End}$Xk$`2m
      • API String ID: 3505728567-1787672926
      • Opcode ID: 16d4ebac0fcbb7ec790f403f8ebc29fa95af214a45adecb8c31ae46bc47c3415
      • Instruction ID: 69324479720155e09a5d1c9b864df0997714463cd6d3aa60e99ae4cc0d4d85a3
      • Opcode Fuzzy Hash: 16d4ebac0fcbb7ec790f403f8ebc29fa95af214a45adecb8c31ae46bc47c3415
      • Instruction Fuzzy Hash: 6832FA75A00318EFDB14DF94C988FDEBBB5BF48300F108599E54AA7290DB745A84CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0056E040 Relevance: 87.8, APIs: 49, Strings: 1, Instructions: 343COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000,00000000,?,00423E86), ref: 0056E05E
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 0056E08B
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 0056E09A
      • #685.MSVBVM60(?,?,00000000,00000000,?,00423E86), ref: 0056E0CC
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,?,00423E86), ref: 0056E0D7
      • __vbaFreeObj.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 0056E0EF
      • #645.MSVBVM60(00004008,00000000), ref: 0056E10F
      • __vbaStrMove.MSVBVM60 ref: 0056E11A
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 0056E126
      • __vbaFreeStr.MSVBVM60 ref: 0056E13B
      • #685.MSVBVM60 ref: 0056E154
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0056E15F
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 0056E192
      • __vbaFreeObj.MSVBVM60 ref: 0056E1B6
      • #529.MSVBVM60(00004008), ref: 0056E1DC
      • #685.MSVBVM60 ref: 0056E1E9
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0056E1F4
      • __vbaFreeObj.MSVBVM60 ref: 0056E20C
      • #685.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 0056E219
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,?,00423E86), ref: 0056E224
      • __vbaFreeObj.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 0056E245
      • #645.MSVBVM60(00004008,00000000), ref: 0056E279
      • __vbaStrMove.MSVBVM60 ref: 0056E284
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 0056E290
      • __vbaFreeStr.MSVBVM60 ref: 0056E2A5
      • #685.MSVBVM60 ref: 0056E2BE
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0056E2C9
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 0056E2FC
      • __vbaFreeObj.MSVBVM60 ref: 0056E326
      • #685.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 0056E340
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,?,00423E86), ref: 0056E34B
      • __vbaFreeObj.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 0056E36C
      • __vbaLenBstr.MSVBVM60(?,?,00000000,00000000,?,00423E86), ref: 0056E37D
      • __vbaStrToAnsi.MSVBVM60(00000000,00000000,C0000000,00000000,00000000,00000004,00000080,00000000,?,00000000,00000000,?,00423E86), ref: 0056E3A9
      • __vbaSetSystemError.MSVBVM60(00000000,?,00000000,00000000,?,00423E86), ref: 0056E3B8
      • __vbaStrToUnicode.MSVBVM60(?,?,?,00000000,00000000,?,00423E86), ref: 0056E3C6
      • __vbaFreeStr.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 0056E3D5
      • __vbaStrToAnsi.MSVBVM60(?,?,?,00000000,00000000), ref: 0056E405
      • __vbaSetSystemError.MSVBVM60(000000FF,00000000), ref: 0056E418
      • __vbaStrToUnicode.MSVBVM60(?,?), ref: 0056E426
      • __vbaFreeStr.MSVBVM60 ref: 0056E440
      • __vbaSetSystemError.MSVBVM60(000000FF), ref: 0056E466
      • __vbaSetSystemError.MSVBVM60(000000FF), ref: 0056E485
      • __vbaSetSystemError.MSVBVM60(000000FF), ref: 0056E4A3
      • __vbaSetSystemError.MSVBVM60(000000FF), ref: 0056E4B9
      • #685.MSVBVM60 ref: 0056E4DC
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0056E4E7
      • __vbaFreeObj.MSVBVM60 ref: 0056E508
      • __vbaFreeStr.MSVBVM60(0056E532), ref: 0056E52B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685Error$System$#645AnsiCheckHresultMoveUnicode$#529BstrChkstkCopy
      • String ID: $
      • API String ID: 1690994940-3993045852
      • Opcode ID: a30951fec86e0fabc200cfa5285c61a812c5cd689720cd12cd7ec6fd52a1d525
      • Instruction ID: 6f910ec95a394b6a3ca41372bcfba2dc57c913ddd724b975ac3c72903c02afff
      • Opcode Fuzzy Hash: a30951fec86e0fabc200cfa5285c61a812c5cd689720cd12cd7ec6fd52a1d525
      • Instruction Fuzzy Hash: A7E11775900219EFDB04DFE4DA88BDEBBB5BF48305F108529F602AB2A4DB749A44CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0064D0E0 Relevance: 82.7, APIs: 46, Strings: 1, Instructions: 418COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,?,?,005814FA), ref: 0064D0FE
      • __vbaOnError.MSVBVM60(000000FF,6D23D8CD,00000001,?,00000000,00423E86), ref: 0064D12E
      • #685.MSVBVM60 ref: 0064D148
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0064D153
      • __vbaFreeObj.MSVBVM60 ref: 0064D16B
      • #685.MSVBVM60 ref: 0064D178
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0064D183
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 0064D1B6
      • __vbaFreeObj.MSVBVM60 ref: 0064D1DA
      • __vbaAryRecMove.MSVBVM60(004442D0,?,00000000), ref: 0064D208
      • #685.MSVBVM60 ref: 0064D215
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0064D220
      • __vbaFreeObj.MSVBVM60 ref: 0064D238
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0064D273
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0064D287
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 0064D2A2
      • #685.MSVBVM60 ref: 0064D2B7
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0064D2C2
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 0064D2F5
      • __vbaFreeObj.MSVBVM60 ref: 0064D31F
      • __vbaUbound.MSVBVM60(00000001,00000000), ref: 0064D33E
      • __vbaLbound.MSVBVM60(00000001,00000000), ref: 0064D354
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0064D3B3
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0064D3CD
      • __vbaAryRecMove.MSVBVM60(004442D0,00000000,00000000), ref: 0064D437
      • #685.MSVBVM60 ref: 0064D444
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0064D44F
      • __vbaFreeObj.MSVBVM60 ref: 0064D470
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0064D4AE
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0064D4C8
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 0064D4E9
      • #685.MSVBVM60 ref: 0064D4FE
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0064D509
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 0064D53C
      • __vbaFreeObj.MSVBVM60 ref: 0064D566
      • __vbaUbound.MSVBVM60(00000001,00000000), ref: 0064D585
      • __vbaLbound.MSVBVM60(00000001,00000000), ref: 0064D59B
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0064D5FA
      • __vbaGenerateBoundsError.MSVBVM60 ref: 0064D614
      • #685.MSVBVM60 ref: 0064D656
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0064D661
      • __vbaFreeObj.MSVBVM60 ref: 0064D682
      • __vbaAryDestruct.MSVBVM60(004442D0,?,0064D6C7), ref: 0064D6A2
      • __vbaAryDestruct.MSVBVM60(004442D0,?), ref: 0064D6B1
      • __vbaAryDestruct.MSVBVM60(004442D0,?), ref: 0064D6C0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Error$BoundsGenerate$#685Free$CheckDestructHresult$LboundMoveUbound$Chkstk
      • String ID: !
      • API String ID: 3981342461-2657877971
      • Opcode ID: 655f3db51c06ee82fbdc88398a991ccb9c17ddae4963e44e07f37cd536bee20c
      • Instruction ID: 4d501d7c2a6c717a0da38548c6e70a0d20f06c236e4cf59e54f09ad244c35995
      • Opcode Fuzzy Hash: 655f3db51c06ee82fbdc88398a991ccb9c17ddae4963e44e07f37cd536bee20c
      • Instruction Fuzzy Hash: 9F12E474D00208EFDB14DFA4DA88BDDBBB6BF48304F208159E506B72A1DB749985CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 006484F0 Relevance: 79.0, APIs: 41, Strings: 4, Instructions: 258COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,0064831C,00000000,?,?,?,?,?,?,?,00423E86), ref: 0064850E
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0064853B
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00423E86), ref: 0064854A
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0064855F
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000000,00000000,00000000,00423E86), ref: 00648577
      • __vbaStrMove.MSVBVM60(?,?,00000000,00000000,00000000,00423E86), ref: 00648598
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000000,00000000,00000000,00423E86), ref: 006485B1
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000000,00000000,00000000,00423E86), ref: 006485D1
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 006485EA
      • __vbaStrMove.MSVBVM60(006B3E24,?,?,00000000,00000000,00000000,00423E86), ref: 00648605
      • __vbaFreeStr.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0064860E
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000000,00000000,00000000,00423E86), ref: 00648627
      • __vbaAryMove.MSVBVM60(00000000,?,00000000,?,?,00000000,00000000,00000000,00423E86), ref: 0064865A
      • #717.MSVBVM60(?,00006011,00000040,00000000), ref: 00648680
      • __vbaStrVarMove.MSVBVM60(?), ref: 0064868A
      • __vbaStrMove.MSVBVM60 ref: 00648695
      • __vbaFreeVar.MSVBVM60 ref: 0064869E
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 006486B4
      • __vbaStrMove.MSVBVM60(?,006B3E20), ref: 006486DC
      • #632.MSVBVM60(?,00004008,00000003,00000002), ref: 00648712
        • Part of subcall function 00646770: __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,00000000,00000000,00000000,00423E86), ref: 0064678E
        • Part of subcall function 00646770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00423E86,?), ref: 006467BB
        • Part of subcall function 00646770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00423E86,?), ref: 006467CA
        • Part of subcall function 00646770: __vbaAryMove.MSVBVM60(00000000,?,?,?,00000000,00000000,00000000,00423E86,?), ref: 006467EB
        • Part of subcall function 00646770: #685.MSVBVM60(?,00000000,00000000,00000000,00423E86,?), ref: 006467F8
        • Part of subcall function 00646770: __vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,00000000,00423E86,?), ref: 00646803
        • Part of subcall function 00646770: __vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,00423E86,?), ref: 00646824
        • Part of subcall function 00646770: __vbaUbound.MSVBVM60(00000001,00000000,?,00000000,00000000,00000000,00423E86,?), ref: 00646837
        • Part of subcall function 00646770: #685.MSVBVM60(?,00000000,00000000,00000000,00423E86,?), ref: 0064684D
        • Part of subcall function 00646770: __vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,00000000,00423E86,?), ref: 00646858
        • Part of subcall function 00646770: __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 0064688B
        • Part of subcall function 00646770: __vbaFreeObj.MSVBVM60 ref: 006468B8
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 00648737
      • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0064874E
      • __vbaLenBstr.MSVBVM60(00000000,00000002), ref: 00648790
      • #632.MSVBVM60(?,00004008,-00000001), ref: 006487A8
      • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 006487CD
      • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 006487E4
      • __vbaLenBstr.MSVBVM60(00000000,?,?,?,00000000,00000000,00423E86), ref: 00648803
      • #632.MSVBVM60(?,00004008,00000005,00000003), ref: 00648837
      • __vbaStrVarMove.MSVBVM60(?), ref: 00648841
      • __vbaStrMove.MSVBVM60 ref: 0064884C
      • __vbaFreeVarList.MSVBVM60(00000002,00000003,?), ref: 0064885C
      • #685.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0064886C
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,00000000,00423E86), ref: 00648877
      • __vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 00648898
      • __vbaAryDestruct.MSVBVM60(00000000,?,00648922,?,00000000,00000000,00000000,00423E86), ref: 006488EB
      • __vbaFreeStr.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 006488F4
      • __vbaAryDestruct.MSVBVM60(00000000,00000000,?,00000000,00000000,00000000,00423E86), ref: 00648900
      • __vbaFreeStr.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 00648909
      • __vbaFreeStr.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 00648912
      • __vbaFreeStr.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0064891B
      • __vbaErrorOverflow.MSVBVM60 ref: 00648938
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$Copy$#632#685ErrorList$BstrChkstkDestruct$#717CheckHresultOverflowUbound
      • String ID: >k$$>k$PhillipNielsJosephine$`2m
      • API String ID: 1112638210-3440370094
      • Opcode ID: cabd98c2caa7dedd28f7975ec3d92a6ff41f94aa3b4b5e377047053b6b7aebbf
      • Instruction ID: fed67f139c3dc79c80d1326b27521de8975054efe4ce98d54a1dad930c975eb8
      • Opcode Fuzzy Hash: cabd98c2caa7dedd28f7975ec3d92a6ff41f94aa3b4b5e377047053b6b7aebbf
      • Instruction Fuzzy Hash: 46B129B1900218EFDB04DFD0DE48BEEBBB9BF48705F108169E606A72A0DB745A49CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0069AC00 Relevance: 77.3, APIs: 38, Strings: 6, Instructions: 252COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0069AC1E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0069AC57
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0069AC63
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0069AC72
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0069AC87
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 0069AC99
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 0069ACBC
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 0069ACD2
      • #685.MSVBVM60 ref: 0069ACEE
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0069ACF9
      • __vbaFreeObj.MSVBVM60 ref: 0069AD1A
      • __vbaStrCopy.MSVBVM60 ref: 0069AD2F
      • __vbaStrCopy.MSVBVM60 ref: 0069AD3D
        • Part of subcall function 005ED250: __vbaChkstk.MSVBVM60(?,00423E86), ref: 005ED26E
        • Part of subcall function 005ED250: __vbaStrCopy.MSVBVM60(?,00000001,00000000,?,00423E86), ref: 005ED29B
        • Part of subcall function 005ED250: __vbaOnError.MSVBVM60(000000FF,?,00000001,00000000,?,00423E86), ref: 005ED2AA
        • Part of subcall function 005ED250: #518.MSVBVM60(?,00004008), ref: 005ED2F5
        • Part of subcall function 005ED250: __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 005ED336
        • Part of subcall function 005ED250: __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 005ED344
        • Part of subcall function 005ED250: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005ED35B
        • Part of subcall function 005ED250: #518.MSVBVM60(?,00004008), ref: 005ED3B4
        • Part of subcall function 005ED250: __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 005ED3F5
        • Part of subcall function 005ED250: __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 005ED403
      • __vbaObjSet.MSVBVM60(?,00000000,AloahaSync.SyncAPI,00000000,?,?), ref: 0069AD64
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0069AD74
      • __vbaLateMemCallLd.MSVBVM60(?,?,info,00000000), ref: 0069ADA1
      • __vbaVarTstGt.MSVBVM60(?,00000000,?,?,?,?,?,?,00423E86), ref: 0069ADAF
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00423E86), ref: 0069ADBF
      • #685.MSVBVM60(?,?,?,?,?,?,00423E86), ref: 0069ADDB
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,00423E86), ref: 0069ADE6
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 0069AE31
      • __vbaFreeObj.MSVBVM60 ref: 0069AE61
      • __vbaChkstk.MSVBVM60 ref: 0069AE9C
      • __vbaChkstk.MSVBVM60 ref: 0069AEBF
      • __vbaLateMemCallLd.MSVBVM60(?,?,ForceWriteUsernamePass,00000002), ref: 0069AEEC
      • __vbaBoolVar.MSVBVM60(00000000), ref: 0069AEF6
      • __vbaFreeVar.MSVBVM60 ref: 0069AF03
      • __vbaLateMemCall.MSVBVM60(?,ReleaseAll,00000000,?,?,?,?,?,?,00423E86), ref: 0069AF1B
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00423E86), ref: 0069AF31
      • #685.MSVBVM60(?,?,?,?,?,?,?,?,?,00423E86), ref: 0069AF3E
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00423E86), ref: 0069AF49
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00423E86), ref: 0069AF6A
      • #685.MSVBVM60 ref: 0069AF77
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0069AF82
      • __vbaFreeObj.MSVBVM60 ref: 0069AFA3
      • __vbaFreeStr.MSVBVM60(0069AFFC), ref: 0069AFE3
      • __vbaFreeStr.MSVBVM60 ref: 0069AFEC
      • __vbaFreeObj.MSVBVM60 ref: 0069AFF5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Copy$Chkstk$#685Move$#518CallErrorLate$List$#520#711AddrefBoolCheckHresultIndexLoadLockUnlock
      • String ID: AloahaCredentials:AloahaCredentials:ForceWriteUsernamePass$AloahaSync.SyncAPI$ForceWriteUsernamePass$ReleaseAll$info$`2m
      • API String ID: 3433103156-1656823527
      • Opcode ID: da3b651c0c635b7893659e260655750ae31ce280fcf1423bf0b5d5193d7b88df
      • Instruction ID: e2bbea31d9ebca67932495727291f82fe703bd7deed9d655832f857b879e717c
      • Opcode Fuzzy Hash: da3b651c0c635b7893659e260655750ae31ce280fcf1423bf0b5d5193d7b88df
      • Instruction Fuzzy Hash: FDB14775900208EFDB04DFA4DA48BDEBBB9FF08705F208169E906B7260DB749A49CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0063E850 Relevance: 75.6, APIs: 38, Strings: 5, Instructions: 370COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86), ref: 0063E86E
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0063E89B
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00423E86), ref: 0063E8AA
      • __vbaNew2.MSVBVM60(00437420,006B3E2C), ref: 0063E8D7
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00437410,00000024), ref: 0063E940
      • __vbaNew2.MSVBVM60(00437420,006B3E2C), ref: 0063E97F
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00437410,00000024), ref: 0063E9E8
      • __vbaI2I4.MSVBVM60 ref: 0063EA06
      • __vbaNew2.MSVBVM60(00437420,006B3E2C), ref: 0063EA64
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00437410,0000001C), ref: 0063EAE1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$CheckHresultNew2$ChkstkCopyError
      • String ID: ,>k$,>k$,>k$,>k$`2m
      • API String ID: 3008934535-1010079228
      • Opcode ID: df8f374da5573a9a88ecad8f109571a6654e8b50db44eb17c08b9a34c02d1527
      • Instruction ID: ffe440b0ba1a22b430be839bba3363e47f3a7f91874ba812288b5a15799bd699
      • Opcode Fuzzy Hash: df8f374da5573a9a88ecad8f109571a6654e8b50db44eb17c08b9a34c02d1527
      • Instruction Fuzzy Hash: 24020BB5D00219DFDB14DFA0CE48BDDBBB5BB48304F10819AE60AB7290D7745A89CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00564C30 Relevance: 72.0, APIs: 33, Strings: 8, Instructions: 233COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,?,?,00423E86), ref: 00564C4E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86), ref: 00564C7E
      • __vbaStrCmp.MSVBVM60(true,00000000), ref: 00564CA3
      • __vbaStrCmp.MSVBVM60(false,00000000), ref: 00564CBD
      • __vbaStrCmp.MSVBVM60(true,00000000), ref: 00564CE2
      • __vbaStrMove.MSVBVM60 ref: 00564D2B
      • __vbaStrCopy.MSVBVM60 ref: 00564D39
      • __vbaStrCopy.MSVBVM60 ref: 00564D47
      • __vbaStrCopy.MSVBVM60 ref: 00564D55
      • #520.MSVBVM60(?,00000008), ref: 00564D82
      • __vbaStrVarMove.MSVBVM60(?), ref: 00564D8C
      • __vbaStrMove.MSVBVM60 ref: 00564D97
      • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 00564DAF
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00564DC2
      • __vbaStrCmp.MSVBVM60(0042C394,?,?,?,?,?,?,?,00000000,00423E86), ref: 00564DDB
      • __vbaStrCmp.MSVBVM60(0042C39C,?,?,?,?,?,?,?,00000000,00423E86), ref: 00564DF1
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,00000000,00423E86), ref: 00564E11
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,00000000,00423E86), ref: 00564E28
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,00000000,00423E86), ref: 00564E36
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,00000000,00423E86), ref: 00564E44
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00423E86), ref: 00564E6D
      • __vbaStrCmp.MSVBVM60(0042C39C,?,?,?,?,?,?,?,00000000,00423E86), ref: 00564E86
      • __vbaStrCopy.MSVBVM60 ref: 00564EC3
      • __vbaFreeStr.MSVBVM60(?), ref: 00564EF7
      • __vbaStrCopy.MSVBVM60 ref: 00564EE5
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,00000000,00423E86), ref: 00564F0E
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,00000000,00423E86), ref: 00564F20
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,00000000,00423E86), ref: 00564F44
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,00000000,00423E86), ref: 00564F56
        • Part of subcall function 00566EC0: __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,?,?,00564EA0,?,?,?,?,?,?,00000000,00423E86), ref: 00566EDE
        • Part of subcall function 00566EC0: __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,00423E86), ref: 00566F0E
        • Part of subcall function 00566EC0: #716.MSVBVM60(?,AloahaSync.SyncAPI,00000000,?,00000001,?,00000000,00423E86), ref: 00566F26
        • Part of subcall function 00566EC0: __vbaObjVar.MSVBVM60(?,?,00000001,?,00000000,00423E86), ref: 00566F30
        • Part of subcall function 00566EC0: __vbaObjSetAddref.MSVBVM60(00000001,00000000,?,00000001,?,00000000,00423E86), ref: 00566F3B
        • Part of subcall function 00566EC0: __vbaFreeVar.MSVBVM60(?,00000001,?,00000000,00423E86), ref: 00566F44
        • Part of subcall function 00566EC0: __vbaLateMemCallLd.MSVBVM60(?,00000001,info,00000000), ref: 00566F7C
        • Part of subcall function 00566EC0: __vbaVarTstGt.MSVBVM60(?,00000000,00000001), ref: 00566F8A
        • Part of subcall function 00566EC0: __vbaFreeVar.MSVBVM60 ref: 00566F97
        • Part of subcall function 00566EC0: #685.MSVBVM60 ref: 00566FB0
        • Part of subcall function 00566EC0: __vbaObjSet.MSVBVM60(?,00000000), ref: 00566FBB
        • Part of subcall function 00566EC0: __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 00566FEE
        • Part of subcall function 00566EC0: __vbaFreeObj.MSVBVM60 ref: 00567018
      • #685.MSVBVM60 ref: 00564F70
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00564F7B
      • __vbaFreeObj.MSVBVM60 ref: 00564F93
      • __vbaFreeStr.MSVBVM60(00564FE2), ref: 00564FDB
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$CopyFree$Move$Chkstk$ErrorList$#520#685$#518#711#716AddrefCallCheckHresultIndexLateLoadLockUnlock
      • String ID: $AllowI2C$Do not use RKK because AllowI2C in UserPass.ini is 0$Do not use RKK because NO i2c card found$Generic$Using RKK because I found an i2c card!$false$true
      • API String ID: 2884113081-2790977346
      • Opcode ID: a6d2807a69650ff5efa83069a6be88200d57d4226c1bd818911e1276f1721733
      • Instruction ID: 508a93c8ec0b40da649d7a43d14259c37e88d08e2449e6135b5691672eb9103e
      • Opcode Fuzzy Hash: a6d2807a69650ff5efa83069a6be88200d57d4226c1bd818911e1276f1721733
      • Instruction Fuzzy Hash: 2FA11771910219EBDB04EFA4ED48AEEBB74FF48704F108129F502A76A0DB745A49CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 006778B0 Relevance: 70.3, APIs: 35, Strings: 5, Instructions: 277COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 006778CE
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 00677907
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 00677913
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0067792B
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 00677940
      • #520.MSVBVM60(?,00004008), ref: 0067796B
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 00677990
      • __vbaFreeVar.MSVBVM60 ref: 006779A0
      • #518.MSVBVM60(?,00004008), ref: 006779DA
      • #518.MSVBVM60(?,00004008), ref: 00677A26
      • #518.MSVBVM60(?,00004008), ref: 00677A75
      • __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 00677AB6
      • __vbaVarCmpEq.MSVBVM60(?,00008002,00000000), ref: 00677AC8
      • __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001,00000000), ref: 00677AE5
      • __vbaVarCmpEq.MSVBVM60(?,00008002,00000000), ref: 00677AFA
      • __vbaVarAnd.MSVBVM60(?,00000000), ref: 00677B08
      • __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001,00000000), ref: 00677B28
      • __vbaVarCmpEq.MSVBVM60(?,00008002,00000000), ref: 00677B3D
      • __vbaVarAnd.MSVBVM60(?,00000000), ref: 00677B4B
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 00677B52
      • __vbaFreeVarList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 00677B82
        • Part of subcall function 00618AF0: __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,?,?,?,?,?,?), ref: 00618B0E
        • Part of subcall function 00618AF0: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00423E86), ref: 00618B3B
        • Part of subcall function 00618AF0: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00423E86), ref: 00618B4A
      • __vbaStrMove.MSVBVM60(?,FFFFFF9D), ref: 00677BBC
      • __vbaStrMove.MSVBVM60 ref: 00677BFD
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 00677C13
      • #518.MSVBVM60(?,00004008), ref: 00677C46
      • __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 00677C87
      • __vbaVarTstEq.MSVBVM60(00008002,00000000), ref: 00677C95
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00677CAC
      • __vbaStrCopy.MSVBVM60 ref: 00677CE1
      • #685.MSVBVM60 ref: 00677CEE
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00677CF9
      • __vbaFreeObj.MSVBVM60 ref: 00677D1A
      • __vbaFreeStr.MSVBVM60(00677DB5), ref: 00677D9C
      • __vbaFreeStr.MSVBVM60 ref: 00677DA5
      • __vbaFreeStr.MSVBVM60 ref: 00677DAE
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Copy$#518$ChkstkErrorListMove$#520#685BoolNull
      • String ID: passnotfound$set:$setpassword:$up:$`2m
      • API String ID: 1204826189-3793748752
      • Opcode ID: 183fec5ecc63d0d21d0a1d4eec64078fe0db0e9acd82a3d1d3757d2c7a65eff4
      • Instruction ID: 73412c9fa1c6161f8e9830a32167ec8d8ded2e59e24b3d81d89dddb4349927bf
      • Opcode Fuzzy Hash: 183fec5ecc63d0d21d0a1d4eec64078fe0db0e9acd82a3d1d3757d2c7a65eff4
      • Instruction Fuzzy Hash: 4FD1DAB5800218DFDB55DF90DD88BDEBB78BF48704F108599E60AB7260DB745A88CF94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005D60F0 Relevance: 65.0, APIs: 32, Strings: 5, Instructions: 201COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,?), ref: 005D610E
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00423E86,?), ref: 005D613B
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86,?), ref: 005D614A
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00423E86,?), ref: 005D615D
      • __vbaStrCmp.MSVBVM60(true,00000000,?,?,?,00000000,00423E86,?), ref: 005D6175
      • #685.MSVBVM60(?,?,?,00000000,00423E86,?), ref: 005D61A0
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00423E86,?), ref: 005D61AB
      • __vbaFreeObj.MSVBVM60(?,?,?,00000000,00423E86,?), ref: 005D61CC
      • __vbaChkstk.MSVBVM60 ref: 005D61F8
      • __vbaChkstk.MSVBVM60 ref: 005D621B
      • __vbaLateMemCallLd.MSVBVM60(?,00000000,scrmread,00000002), ref: 005D624B
      • __vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00423E86,?), ref: 005D6255
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00000000,00423E86,?), ref: 005D6261
      • #685.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00000000,00423E86,?), ref: 005D626E
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00423E86,?), ref: 005D6279
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 005D62AC
      • __vbaFreeObj.MSVBVM60 ref: 005D62D6
      • __vbaStrCopy.MSVBVM60 ref: 005D62F1
      • __vbaStrCopy.MSVBVM60 ref: 005D6308
      • __vbaStrCopy.MSVBVM60 ref: 005D631F
      • #685.MSVBVM60 ref: 005D632C
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005D6337
      • __vbaFreeObj.MSVBVM60 ref: 005D6358
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00423E86,?), ref: 005D6371
      • __vbaStrCmp.MSVBVM60(true,00000000,?,?,?,00000000,00423E86,?), ref: 005D638A
      • __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00423E86,?), ref: 005D63A9
      • #685.MSVBVM60(?,?,?,00000000,00423E86,?), ref: 005D63B6
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00423E86,?), ref: 005D63C1
      • __vbaFreeObj.MSVBVM60(?,?,?,00000000,00423E86,?), ref: 005D63E2
      • __vbaFreeStr.MSVBVM60(005D6431,?,?,?,00000000,00423E86,?), ref: 005D6418
      • __vbaFreeStr.MSVBVM60(?,?,?,00000000,00423E86,?), ref: 005D6421
      • __vbaFreeStr.MSVBVM60(?,?,?,00000000,00423E86,?), ref: 005D642A
        • Part of subcall function 005D50A0: __vbaChkstk.MSVBVM60(00000000,00423E86,005D5EA8,?,?,?,00000000,00423E86), ref: 005D50BE
        • Part of subcall function 005D50A0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86,005D5EA8), ref: 005D50EE
        • Part of subcall function 005D50A0: __vbaStrCopy.MSVBVM60 ref: 005D5112
        • Part of subcall function 005D50A0: __vbaStrCmp.MSVBVM60(true,00000000), ref: 005D512A
        • Part of subcall function 005D50A0: #685.MSVBVM60 ref: 005D5D82
        • Part of subcall function 005D50A0: __vbaObjSet.MSVBVM60(?,00000000), ref: 005D5D8D
        • Part of subcall function 005D50A0: __vbaFreeObj.MSVBVM60 ref: 005D5DAE
        • Part of subcall function 005D50A0: __vbaFreeStr.MSVBVM60(005D5DF5), ref: 005D5DEE
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Copy$#685$Chkstk$Error$CallCheckHresultLateMove
      • String ID: L3k$L3k$scrmread$true$`2m
      • API String ID: 818528958-4275515055
      • Opcode ID: 77ff92365db1b4ac37b1e966a9886ac0dcb82951888efc74f0f7cb6fe36e4b90
      • Instruction ID: e71b9692d8721c5d95f84a9707e3962b06c1fa0e6375258d1264535c6f00b484
      • Opcode Fuzzy Hash: 77ff92365db1b4ac37b1e966a9886ac0dcb82951888efc74f0f7cb6fe36e4b90
      • Instruction Fuzzy Hash: 729159B4900208EFDB04DFA4DA48BDEBBB5FF08705F20816AE506A7361DB759A49CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00609C90 Relevance: 63.2, APIs: 33, Strings: 3, Instructions: 235COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 00609CAE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 00609CDE
      • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00423E86), ref: 00609D27
      • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00423E86), ref: 00609D41
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 00609D62
      • __vbaStrCmp.MSVBVM60(0042ADE8,?,?,?,?,?,00423E86), ref: 00609D78
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 00609D8D
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 00609D98
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 00609DB9
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,00423E86), ref: 00609DD4
      • __vbaLateMemCallLd.MSVBVM60(?,?,serialnumber,00000000), ref: 00609DFE
      • __vbaVarTstNe.MSVBVM60(?,00000000,?,?,?,00423E86), ref: 00609E0C
      • __vbaFreeVar.MSVBVM60(?,?,?,00423E86), ref: 00609E19
      • #685.MSVBVM60(?,?,?,00423E86), ref: 00609E32
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00423E86), ref: 00609E3D
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 00609E70
      • __vbaFreeObj.MSVBVM60 ref: 00609E9D
      • __vbaChkstk.MSVBVM60 ref: 00609ECC
      • __vbaLateMemCallLd.MSVBVM60(?,?,Export,00000001), ref: 00609EF9
      • __vbaStrVarVal.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 00609F07
      • __vbaStrMove.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 00609F18
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 00609F21
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 00609F2A
      • __vbaStrCmp.MSVBVM60(0042ADE8,?,?,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 00609F40
      • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 00609F91
      • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 00609FAB
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 00609FCC
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 00609FDF
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 00609FEC
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 00609FF7
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 0060A018
      • __vbaFreeStr.MSVBVM60(0060A071,?,?,?,?,00423E86), ref: 0060A061
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 0060A06A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Error$BoundsGenerate$#685Copy$CallChkstkLate$CheckHresultMove
      • String ID: Export$serialnumber$`2m
      • API String ID: 2096954427-3165608901
      • Opcode ID: 5eb999f307bdacac1fbaed32dc8548dd149ee4954589fb5b106d2aba24ca570f
      • Instruction ID: c7afe42226d6db30d4d3f35789ac058fdcf42a93024a06dfe3234ffbdc2b0e75
      • Opcode Fuzzy Hash: 5eb999f307bdacac1fbaed32dc8548dd149ee4954589fb5b106d2aba24ca570f
      • Instruction Fuzzy Hash: 28B16E75D00208DFDB18DFA4DA88BDEBBB6FF48304F208159E506A72A1CB749A85CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 006480B0 Relevance: 63.2, APIs: 35, Strings: 1, Instructions: 179COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86), ref: 006480CE
      • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00423E86), ref: 006480FB
      • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00423E86), ref: 00648107
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00423E86), ref: 00648116
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000000,?,00000000,00423E86), ref: 0064812E
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000000,?,00000000,00423E86), ref: 00648168
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000000,?,00000000,00423E86), ref: 00648188
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Copy$ChkstkError
      • String ID: `2m
      • API String ID: 1771118016-3187377090
      • Opcode ID: e80c4d2e5a053a4c81373a76401c10ab6fdcf97c5a79fcb4b4129d5810269521
      • Instruction ID: a9420ac0b9c5961bbf85e457af365c6d8068fb307ebf70c5851743f2eb753ce1
      • Opcode Fuzzy Hash: e80c4d2e5a053a4c81373a76401c10ab6fdcf97c5a79fcb4b4129d5810269521
      • Instruction Fuzzy Hash: C371F97190020ADFDB04DFA0DE48ADE7B79AB48705F108169E502A72B0DB745A49CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005C38D0 Relevance: 63.2, APIs: 29, Strings: 7, Instructions: 175COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,005C33B7,?,?,00000000,?,00423E86), ref: 005C38EE
      • __vbaOnError.MSVBVM60(000000FF,?,?,00000000,00000000,00423E86,005C33B7), ref: 005C391E
      • __vbaStrCmp.MSVBVM60(true,00000000,?,?,00000000,00000000,00423E86,005C33B7), ref: 005C3936
      • __vbaStrCopy.MSVBVM60(?,?,00000000,00000000,00423E86,005C33B7), ref: 005C3955
      • __vbaStrCmp.MSVBVM60(true,00000000,?,?,00000000,00000000,00423E86,005C33B7), ref: 005C396E
      • __vbaStrVarMove.MSVBVM60(?,?,HKLM\Software\Aloaha\forceHKLM,?,?,00000000,00000000,00423E86,005C33B7), ref: 005C3991
      • __vbaStrMove.MSVBVM60(?,?,00000000,00000000,00423E86,005C33B7), ref: 005C399C
      • __vbaFreeVar.MSVBVM60(?,?,00000000,00000000,00423E86,005C33B7), ref: 005C39A5
      • __vbaStrCopy.MSVBVM60(?,?,00000000,00000000,00423E86,005C33B7), ref: 005C39BC
      • __vbaStrMove.MSVBVM60(?,?,?,00000000,00000000,00423E86,005C33B7), ref: 005C39D0
      • __vbaFreeStr.MSVBVM60(?,?,00000000,00000000,00423E86,005C33B7), ref: 005C39D9
      • #518.MSVBVM60(?,00004008), ref: 005C3A04
      • #520.MSVBVM60(?,?), ref: 005C3A12
      • #518.MSVBVM60(?,00004008), ref: 005C3A4A
      • #520.MSVBVM60(?,?), ref: 005C3A58
      • __vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 005C3A81
      • __vbaVarCmpEq.MSVBVM60(?,00008008,?,00000000), ref: 005C3A9A
      • __vbaVarOr.MSVBVM60(?,00000000), ref: 005C3AA8
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 005C3AAF
      • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 005C3ACE
      • __vbaStrCopy.MSVBVM60(?,?,00000000,00000000,00423E86,005C33B7), ref: 005C3AF3
      • __vbaStrCopy.MSVBVM60(?,?,00000000,00000000,00423E86,005C33B7), ref: 005C3B0A
        • Part of subcall function 005DB0F0: __vbaChkstk.MSVBVM60(00000000,00423E86,HKLM\Software\Aloaha\forceHKLM,?,?,00000000,00000000,00423E86,005C33B7), ref: 005DB10E
        • Part of subcall function 005DB0F0: __vbaStrCopy.MSVBVM60(?,?,00000000,00000000,00423E86,HKLM\Software\Aloaha\forceHKLM), ref: 005DB13B
        • Part of subcall function 005DB0F0: __vbaOnError.MSVBVM60(000000FF,?,?,00000000,00000000,00423E86,HKLM\Software\Aloaha\forceHKLM), ref: 005DB14A
        • Part of subcall function 005DB0F0: __vbaStrCopy.MSVBVM60(?,?,00000000,00000000,00423E86,HKLM\Software\Aloaha\forceHKLM), ref: 005DB15D
        • Part of subcall function 005DB0F0: #518.MSVBVM60(?,00004008), ref: 005DB188
        • Part of subcall function 005DB0F0: __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 005DB1CC
        • Part of subcall function 005DB0F0: __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 005DB1DA
        • Part of subcall function 005DB0F0: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005DB1F4
        • Part of subcall function 005DB0F0: #712.MSVBVM60(?,Software,SOFTWARE,00000001,000000FF,00000000,00000000,00000000,00423E86,HKLM\Software\Aloaha\forceHKLM), ref: 005DB223
        • Part of subcall function 005DB0F0: __vbaStrMove.MSVBVM60 ref: 005DB22E
        • Part of subcall function 005DB0F0: #712.MSVBVM60(?,software,SOFTWARE,00000001,000000FF,00000000), ref: 005DB24F
        • Part of subcall function 005DB0F0: __vbaStrMove.MSVBVM60 ref: 005DB25A
        • Part of subcall function 005DB0F0: __vbaVarDup.MSVBVM60 ref: 005DB298
      • __vbaStrCmp.MSVBVM60(true,00000000,?,?,00000000,00000000,00423E86,005C33B7), ref: 005C3B24
      • __vbaStrCopy.MSVBVM60(?,?,00000000,00000000,00423E86,005C33B7), ref: 005C3B3F
      • __vbaStrCopy.MSVBVM60(?,?,00000000,00000000,00423E86,005C33B7), ref: 005C3B58
      • #685.MSVBVM60(?,?,00000000,00000000,00423E86,005C33B7), ref: 005C3B65
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,00000000,00000000,00423E86,005C33B7), ref: 005C3B70
      • __vbaFreeObj.MSVBVM60(?,?,00000000,00000000,00423E86,005C33B7), ref: 005C3B91
      • __vbaFreeStr.MSVBVM60(005C3BE8,?,?,00000000,00000000,00423E86,005C33B7), ref: 005C3BE1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Copy$Free$Move$#518$#520#712ChkstkErrorList$#685BoolNull
      • String ID: HKLM\Software\Aloaha\forceHKLM$false$true$3k$3k$3k$`2m
      • API String ID: 3847600410-966797052
      • Opcode ID: 7b8297f6752722396c75f0445502b98c1f2a38ec1d76915a3aeed7876ea42b21
      • Instruction ID: 39defc00b653b5594e024bc90fd907f30c7567ec3a7b19c6ed521daa51d37a8d
      • Opcode Fuzzy Hash: 7b8297f6752722396c75f0445502b98c1f2a38ec1d76915a3aeed7876ea42b21
      • Instruction Fuzzy Hash: D17147B1A00218EFDB14DF90D948BDEBBB8FB48704F10C1A9E212B7660DB745A48CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00567480 Relevance: 61.5, APIs: 33, Strings: 2, Instructions: 227COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86), ref: 0056749E
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00423E86), ref: 005674CB
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86), ref: 005674DA
        • Part of subcall function 00634B20: __vbaChkstk.MSVBVM60(00000000,00423E86,0065D216,?,?,?,00000000,00423E86), ref: 00634B3E
        • Part of subcall function 00634B20: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,?,?,00000000,00423E86,0065D216), ref: 00634B6E
        • Part of subcall function 00634B20: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,?,?,00000000,00423E86,0065D216), ref: 00634B7D
        • Part of subcall function 00634B20: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86,0065D216), ref: 00634B8C
        • Part of subcall function 00634B20: #520.MSVBVM60(?,00004008), ref: 00634BBB
        • Part of subcall function 00634B20: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 00634BE3
        • Part of subcall function 00634B20: __vbaFreeVar.MSVBVM60 ref: 00634BF6
        • Part of subcall function 00634B20: __vbaStrCopy.MSVBVM60 ref: 00634C1A
        • Part of subcall function 00634B20: #520.MSVBVM60(?,00000008,?), ref: 00634C47
        • Part of subcall function 00634B20: __vbaStrVarMove.MSVBVM60(?), ref: 00634C54
        • Part of subcall function 00634B20: __vbaStrMove.MSVBVM60 ref: 00634C61
        • Part of subcall function 00634B20: __vbaFreeStr.MSVBVM60 ref: 00634C6A
        • Part of subcall function 00634B20: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 00634C80
        • Part of subcall function 00634B20: #520.MSVBVM60(?,00004008), ref: 00634CB2
        • Part of subcall function 00634B20: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 00634CDA
        • Part of subcall function 00634B20: __vbaFreeVar.MSVBVM60 ref: 00634CED
      • __vbaStrToAnsi.MSVBVM60(?,00000000,Pt@,?,?,?,00000000,00423E86), ref: 00567508
      • __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,?,00000000,00423E86), ref: 00567517
      • __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,00000000,00423E86), ref: 0056752A
      • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,00423E86), ref: 00567538
      • __vbaStrToUnicode.MSVBVM60(00000000,?,?,?,?,00000000,00423E86), ref: 00567546
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,00000000,00423E86), ref: 0056755C
      • __vbaAryMove.MSVBVM60(?,?,?,?,?,00000000,00423E86), ref: 00567581
      • #685.MSVBVM60(?,?,?,00000000,00423E86), ref: 0056758E
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00423E86), ref: 00567599
      • __vbaFreeObj.MSVBVM60(?,?,?,00000000,00423E86), ref: 005675BA
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 00567633
      • #685.MSVBVM60 ref: 00567648
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00567653
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 00567686
      • __vbaFreeObj.MSVBVM60 ref: 005676B0
      • #608.MSVBVM60(?,00000000), ref: 005676CB
      • #685.MSVBVM60 ref: 0056775E
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00567769
      • __vbaFreeObj.MSVBVM60 ref: 0056778A
      • __vbaAryDestruct.MSVBVM60(00000000,?,005677E8), ref: 005677C3
      • __vbaAryDestruct.MSVBVM60(00000000,00000000), ref: 005677CF
      • __vbaFreeStr.MSVBVM60 ref: 005677D8
      • __vbaFreeStr.MSVBVM60 ref: 005677E1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#520#685ErrorMove$AnsiChkstkConstructCopyDestructFixstrListUnicode$#608CheckHresultSystem
      • String ID: Pt@$`2m
      • API String ID: 563408794-3917971940
      • Opcode ID: f071d6db2d901fba4ed9bb3511cdbd5a6f54a45feca06e17c49f39c812dd6b57
      • Instruction ID: 898834cc258dccc1075f7b6790a77add2dc8d64807d31e2d31c842be8ba4d782
      • Opcode Fuzzy Hash: f071d6db2d901fba4ed9bb3511cdbd5a6f54a45feca06e17c49f39c812dd6b57
      • Instruction Fuzzy Hash: 5AA11875900208EFDB04DFA4DA88BDEBBB5FF48305F108559E506BB2A0DB749A45CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0069D090 Relevance: 61.5, APIs: 30, Strings: 5, Instructions: 207COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0069D0AE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0069D0F3
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0069D108
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 0069D11A
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0069D12F
      • #716.MSVBVM60(?,AloahaTranslator.Language,00000000,?,?,?,?,00423E86), ref: 0069D147
      • __vbaObjVar.MSVBVM60(?,?,?,?,?,00423E86), ref: 0069D151
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 0069D15C
      • __vbaFreeVar.MSVBVM60(?,?,?,?,00423E86), ref: 0069D165
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 0069D172
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,00423E86), ref: 0069D17D
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 0069D1B0
      • __vbaFreeObj.MSVBVM60 ref: 0069D1DA
      • __vbaLateMemCallLd.MSVBVM60(?,?,info,00000000), ref: 0069D210
      • __vbaVarTstGt.MSVBVM60(?,00000000,?,?,?,00423E86), ref: 0069D21E
      • __vbaFreeVar.MSVBVM60(?,?,?,00423E86), ref: 0069D22B
      • #685.MSVBVM60(?,?,?,00423E86), ref: 0069D244
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00423E86), ref: 0069D24F
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 0069D282
      • __vbaFreeObj.MSVBVM60 ref: 0069D2AC
      • __vbaChkstk.MSVBVM60 ref: 0069D2D3
      • __vbaLateMemCallLd.MSVBVM60(?,?,translateit,00000001), ref: 0069D300
      • __vbaStrVarMove.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 0069D30A
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 0069D315
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 0069D31E
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0069D331
      • #685.MSVBVM60 ref: 0069D33E
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0069D349
      • __vbaFreeObj.MSVBVM60 ref: 0069D36A
      • __vbaFreeObj.MSVBVM60(0069D3BA), ref: 0069D3B3
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$Chkstk$#685Copy$AddrefCallCheckErrorHresultLate$#518#520#711#716IndexLoadLockUnlock
      • String ID: AloahaCredentials:translateit$AloahaTranslator.Language$info$translateit$`2m
      • API String ID: 2700337741-1547599663
      • Opcode ID: 501bcac252b7009c586997f9d38f7e4a3d26c70beeaad91f1f5eb31d2bb3bd37
      • Instruction ID: 591a2145b3ff9c1369b2d646326a310b34b3cf594563d3d8a3a1b07ace08d380
      • Opcode Fuzzy Hash: 501bcac252b7009c586997f9d38f7e4a3d26c70beeaad91f1f5eb31d2bb3bd37
      • Instruction Fuzzy Hash: F391F475900318EFDB04DFA0DA88BDEBBB9BF48705F108169E506BB2A0DB749A45CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00531870 Relevance: 60.3, APIs: 40, Instructions: 330COMMON
      Download Yara Rule
      APIs
      • __vbaPowerR8.MSVBVM60(00000000,40000000,?,?), ref: 005318F2
      • __vbaPowerR8.MSVBVM60(00000000,40000000,?,?), ref: 00531936
      • _adj_fdivr_m64.MSVBVM60(?,?), ref: 00531953
      • __vbaCopyBytes.MSVBVM60(00000004,?,?), ref: 005319A3
      • __vbaErrorOverflow.MSVBVM60 ref: 005319C2
      • #572.MSVBVM60(?,00000000,?,?), ref: 00531A5C
      • __vbaStrMove.MSVBVM60 ref: 00531A6D
      • #572.MSVBVM60(?), ref: 00531A80
      • __vbaStrMove.MSVBVM60 ref: 00531A8B
      • #572.MSVBVM60(?), ref: 00531AA7
      • __vbaStrMove.MSVBVM60 ref: 00531AB2
      • #572.MSVBVM60(?), ref: 00531ACE
      • __vbaStrMove.MSVBVM60 ref: 00531AD9
      • __vbaStrMove.MSVBVM60(0042C394,00000002), ref: 00531B0F
      • __vbaStrCat.MSVBVM60(00000000), ref: 00531B18
      • __vbaStrMove.MSVBVM60 ref: 00531B1F
      • #618.MSVBVM60(00000000), ref: 00531B28
      • __vbaStrMove.MSVBVM60 ref: 00531B2F
      • __vbaStrMove.MSVBVM60(0042C394,00000002,00000000), ref: 00531B42
      • __vbaStrCat.MSVBVM60(00000000), ref: 00531B45
      • __vbaStrMove.MSVBVM60 ref: 00531B4C
      • #618.MSVBVM60(00000000), ref: 00531B4F
      • __vbaStrMove.MSVBVM60 ref: 00531B56
      • __vbaStrCat.MSVBVM60(00000000), ref: 00531B59
      • __vbaStrMove.MSVBVM60 ref: 00531B60
      • __vbaStrMove.MSVBVM60(0042C394,00000002,00000000), ref: 00531B73
      • __vbaStrCat.MSVBVM60(00000000), ref: 00531B76
      • __vbaStrMove.MSVBVM60 ref: 00531B7D
      • #618.MSVBVM60(00000000), ref: 00531B80
      • __vbaStrMove.MSVBVM60 ref: 00531B87
      • __vbaStrCat.MSVBVM60(00000000), ref: 00531B8A
      • __vbaStrMove.MSVBVM60 ref: 00531B91
      • __vbaStrMove.MSVBVM60(0042C394,00000002,00000000), ref: 00531BA4
      • __vbaStrCat.MSVBVM60(00000000), ref: 00531BA7
      • __vbaStrMove.MSVBVM60 ref: 00531BAE
      • #618.MSVBVM60(00000000), ref: 00531BB1
      • __vbaStrMove.MSVBVM60 ref: 00531BB8
      • __vbaStrCat.MSVBVM60(00000000), ref: 00531BBB
      • __vbaStrMove.MSVBVM60 ref: 00531BC2
      • __vbaFreeStrList.MSVBVM60(00000012,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00531C0E
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$#572#618$Power$BytesCopyErrorFreeListOverflow_adj_fdivr_m64
      • String ID:
      • API String ID: 846408782-0
      • Opcode ID: e9f9fed3979ad0a1e4c69e8557d2ce46496a3a7112178596b694e61e6885ffa7
      • Instruction ID: eb2c62e40832045a3142f71a26757a3a3d3b48f4a8ca8b1b90f42ea234bb87f2
      • Opcode Fuzzy Hash: e9f9fed3979ad0a1e4c69e8557d2ce46496a3a7112178596b694e61e6885ffa7
      • Instruction Fuzzy Hash: 44D1E2B1D04218AFCB04DFA9C884AEEFBF9FF98300F10851AE545A7264DB749A49CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005D4C30 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 290COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86,?,?,?,?,?,00423E86), ref: 005D4C4E
      • __vbaOnError.MSVBVM60(000000FF,?,?,00000000,?,00423E86), ref: 005D4C7E
      • #685.MSVBVM60(?,?,00000000,?,00423E86), ref: 005D4CCC
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,00000000,?,00423E86), ref: 005D4CD7
      • __vbaFreeObj.MSVBVM60(?,?,00000000,?,00423E86), ref: 005D4CF8
      • __vbaSetSystemError.MSVBVM60(?,?,00000000,?,00423E86), ref: 005D4D0D
      • #685.MSVBVM60(?,?,00000000,?,00423E86), ref: 005D4D20
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,00000000,?,00423E86), ref: 005D4D2B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 005D4D5E
      • __vbaFreeObj.MSVBVM60 ref: 005D4D88
      • #685.MSVBVM60 ref: 005D4D9D
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005D4DA8
      • __vbaFreeObj.MSVBVM60 ref: 005D4DC9
      • __vbaSetSystemError.MSVBVM60 ref: 005D4DDE
      • #685.MSVBVM60 ref: 005D4DF1
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005D4DFC
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 005D4E2F
      • __vbaFreeObj.MSVBVM60 ref: 005D4E59
      • __vbaSetSystemError.MSVBVM60(?), ref: 005D4E7E
      • __vbaI4Var.MSVBVM60(?,0000000C), ref: 005D4E97
      • __vbaSetSystemError.MSVBVM60(00000000), ref: 005D4EA6
      • __vbaSetSystemError.MSVBVM60(?,00000008), ref: 005D4EC7
      • __vbaSetSystemError.MSVBVM60(?,0000000A), ref: 005D4EF7
      • __vbaSetSystemError.MSVBVM60(?,00000006), ref: 005D4F27
      • __vbaSetSystemError.MSVBVM60(?,00000004), ref: 005D4F48
      • __vbaSetSystemError.MSVBVM60(?,0000005A), ref: 005D4F69
      • __vbaSetSystemError.MSVBVM60(?,00000058), ref: 005D4F8A
      • #685.MSVBVM60 ref: 005D503D
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005D5048
      • __vbaFreeObj.MSVBVM60 ref: 005D5069
      • __vbaFreeVar.MSVBVM60(005D508A), ref: 005D5083
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Error$System$Free$#685$CheckHresult$Chkstk
      • String ID: %$`2m
      • API String ID: 3206689054-3816787125
      • Opcode ID: c95cc6372fbe1e5a0a604ad11498aea47a07d67f5c55e74d518186388b21a90d
      • Instruction ID: 252bdec8ba4a2515ee6063ad513b35dde4216f251766b20218c0b87e6e7227ed
      • Opcode Fuzzy Hash: c95cc6372fbe1e5a0a604ad11498aea47a07d67f5c55e74d518186388b21a90d
      • Instruction Fuzzy Hash: 4AD1E0B4D01318DFDB14DFA4DA88B9DBBB5BF08304F20815AE509AB3A1D7789A85CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0056B880 Relevance: 59.7, APIs: 31, Strings: 3, Instructions: 167COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0056B89E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0056B8CB
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0056B8D7
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0056B8E6
        • Part of subcall function 0056BB50: __vbaChkstk.MSVBVM60(00000000,00423E86,0056C04C,?,?,?,?,00423E86), ref: 0056BB6E
        • Part of subcall function 0056BB50: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86,0056C04C), ref: 0056BB9E
        • Part of subcall function 0056BB50: __vbaStrCmp.MSVBVM60(true,00000000,?,?,?,00000000,00423E86,0056C04C), ref: 0056BBB6
        • Part of subcall function 0056BB50: __vbaStrCmp.MSVBVM60(true,00000000,?,?,?,00000000,00423E86,0056C04C), ref: 0056BBD7
        • Part of subcall function 0056BB50: __vbaStrMove.MSVBVM60(?,?,?,00000000,00423E86,0056C04C), ref: 0056BBF6
        • Part of subcall function 0056BB50: #518.MSVBVM60(?,00004008), ref: 0056BC18
        • Part of subcall function 0056BB50: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0056BC34
        • Part of subcall function 0056BB50: __vbaFreeVar.MSVBVM60 ref: 0056BC41
        • Part of subcall function 0056BB50: __vbaStrCopy.MSVBVM60 ref: 0056BC64
        • Part of subcall function 0056BB50: __vbaNew2.MSVBVM60(00425740,00000000), ref: 0056BC96
        • Part of subcall function 0056BB50: __vbaStrCopy.MSVBVM60 ref: 0056BCC3
      • #520.MSVBVM60(?,00004008), ref: 0056B914
      • __vbaStrVarMove.MSVBVM60(?), ref: 0056B91E
      • __vbaStrMove.MSVBVM60 ref: 0056B929
      • __vbaFreeVar.MSVBVM60 ref: 0056B932
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 0056B948
      • #520.MSVBVM60(?,00004008), ref: 0056B972
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0056B98E
      • __vbaFreeVar.MSVBVM60 ref: 0056B99E
      • __vbaStrCopy.MSVBVM60 ref: 0056B9C2
      • __vbaStrCat.MSVBVM60(?,add:,?), ref: 0056B9D5
      • __vbaStrMove.MSVBVM60 ref: 0056B9E0
      • __vbaStrCat.MSVBVM60(00432868,00000000), ref: 0056B9EC
      • __vbaStrMove.MSVBVM60 ref: 0056B9F7
      • __vbaStrCat.MSVBVM60(?,00000000), ref: 0056BA02
      • __vbaStrMove.MSVBVM60(00000000), ref: 0056BA1E
      • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0056BA3A
      • __vbaStrMove.MSVBVM60 ref: 0056BA0D
        • Part of subcall function 0056D670: __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,?,?,00423E86), ref: 0056D68E
        • Part of subcall function 0056D670: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00423E86), ref: 0056D6BB
        • Part of subcall function 0056D670: __vbaAryConstruct2.MSVBVM60(?,0043FC10,00000011,?,?,?,00000000,00423E86), ref: 0056D6CC
        • Part of subcall function 0056D670: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86), ref: 0056D6DB
        • Part of subcall function 0056D670: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00423E86), ref: 0056D6FC
        • Part of subcall function 0056D670: __vbaStrCmp.MSVBVM60(0042ADE8,?,?,?,?,00000000,00423E86), ref: 0056D714
        • Part of subcall function 0056D670: __vbaInStr.MSVBVM60(00000000,0042E5EC,?,00000001,?,?,?,?,00000000,00423E86), ref: 0056D734
        • Part of subcall function 0056D670: __vbaStrCopy.MSVBVM60(?,00000001,?,?,?,?,00000000,00423E86), ref: 0056D74D
        • Part of subcall function 0056D670: __vbaStrCopy.MSVBVM60(?,?,?,?,00000000,00423E86), ref: 0056D762
        • Part of subcall function 0056D670: __vbaLenBstr.MSVBVM60(?,?,?,?,?,00000000,00423E86), ref: 0056D773
        • Part of subcall function 0056D670: __vbaStrCopy.MSVBVM60(?,?,?,?,00000000,00423E86), ref: 0056D790
        • Part of subcall function 0056D670: __vbaStrMove.MSVBVM60(?,?,encrypted:,?,?,?,?,00000000,00423E86), ref: 0056D7AD
        • Part of subcall function 0056D670: __vbaStrCat.MSVBVM60(00000000,?,?,?,?,00000000,00423E86), ref: 0056D7B4
        • Part of subcall function 0056D670: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00423E86), ref: 0056D7BF
        • Part of subcall function 0056D670: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,00000000,00423E86), ref: 0056D7CF
        • Part of subcall function 0056D670: __vbaInStr.MSVBVM60(00000000,0042E700,?,00000001,?,00000000,00423E86), ref: 0056D7EC
      • __vbaStrCopy.MSVBVM60 ref: 0056BA54
      • __vbaStrCat.MSVBVM60(?,remove:,?), ref: 0056BA67
      • __vbaStrMove.MSVBVM60 ref: 0056BA72
      • __vbaStrMove.MSVBVM60(00000000), ref: 0056BA83
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0056BA97
      • #685.MSVBVM60 ref: 0056BAA7
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0056BAB2
      • __vbaFreeObj.MSVBVM60 ref: 0056BAD3
      • __vbaFreeStr.MSVBVM60(0056BB2F), ref: 0056BB1F
      • __vbaFreeStr.MSVBVM60 ref: 0056BB28
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$CopyMove$Free$ChkstkErrorList$#520$#518#685BstrConstruct2New2
      • String ID: add:$remove:$`2m
      • API String ID: 3315090131-781404284
      • Opcode ID: 13f57c4e9ba2fb9cf1ad13facdabfd5e1d9398e0472c2374c1f3ddcaa193b165
      • Instruction ID: 4632af5d88afb102af94428491e470ad263e45f68061286470ddd84f401efe7a
      • Opcode Fuzzy Hash: 13f57c4e9ba2fb9cf1ad13facdabfd5e1d9398e0472c2374c1f3ddcaa193b165
      • Instruction Fuzzy Hash: 2771F775900209EBDB04EFE0DE98AEEBB78FF48705F108169E506B7260DB745A49CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005C6C20 Relevance: 58.0, APIs: 29, Strings: 4, Instructions: 202COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,0061C190,?,?,?,00000000,00423E86), ref: 005C6C3E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86,0061C190), ref: 005C6C6E
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,?,?,00000000,00423E86,0061C190), ref: 005C6C86
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00423E86,0061C190), ref: 005C6CA0
      • __vbaStrMove.MSVBVM60(?,?,?,00000000,00423E86,0061C190), ref: 005C6CBC
      • __vbaStrCmp.MSVBVM60(0042ADE8,?,?,?,?,00000000,00423E86,0061C190), ref: 005C6CD2
      • __vbaStrMove.MSVBVM60(?,?,?,00000000,00423E86,0061C190), ref: 005C6CED
      • __vbaStrCmp.MSVBVM60(0042ADE8,?,?,?,?,00000000,00423E86,0061C190), ref: 005C6D03
      • __vbaNew2.MSVBVM60(0042EAFC,006B58E0,?,?,?,00000000,00423E86,0061C190), ref: 005C6D2B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042EAEC,00000014), ref: 005C6D7C
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042EB0C,00000050), ref: 005C6DCD
      • __vbaStrMove.MSVBVM60 ref: 005C6DFE
      • __vbaFreeObj.MSVBVM60 ref: 005C6E07
      • __vbaStrCmp.MSVBVM60(0042ADE8,?,?,?,?,00000000,00423E86,0061C190), ref: 005C6E1D
      • #685.MSVBVM60(?,?,?,00000000,00423E86,0061C190), ref: 005C6F0C
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00423E86,0061C190), ref: 005C6F17
      • __vbaFreeObj.MSVBVM60(?,?,?,00000000,00423E86,0061C190), ref: 005C6F38
      • __vbaFreeStr.MSVBVM60(005C6F91,?,?,?,00000000,00423E86,0061C190), ref: 005C6F81
      • __vbaFreeStr.MSVBVM60(?,?,?,00000000,00423E86,0061C190), ref: 005C6F8A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$CheckHresult$#685ChkstkCopyErrorNew2
      • String ID: CSP_Cache.ini$|1k$Xk$`2m
      • API String ID: 2774755398-3905406223
      • Opcode ID: 907310a9da59c8059903189ab5b544c67d7674550fa2d6263460f6df243a46d2
      • Instruction ID: 9130f09022f320b94c5cdca2820cc42992c518d9606f3d8fa200be719ba74c78
      • Opcode Fuzzy Hash: 907310a9da59c8059903189ab5b544c67d7674550fa2d6263460f6df243a46d2
      • Instruction Fuzzy Hash: DD9106B4A00218DFDB14DFA0DA48BDEBBB5FB48305F2081A9E502B72A0DB755E44CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 006A6420 Relevance: 57.9, APIs: 29, Strings: 4, Instructions: 184COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 006A643E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 006A6477
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 006A6483
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 006A6492
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 006A649F
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 006A64AA
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 006A64CB
      • #716.MSVBVM60(?,AloahaSync.SyncAPI,00000000,?,?,?,?,00423E86), ref: 006A64E3
      • __vbaObjVar.MSVBVM60(?,?,?,?,?,00423E86), ref: 006A64ED
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 006A64F8
      • __vbaFreeVar.MSVBVM60(?,?,?,?,00423E86), ref: 006A6501
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 006A650E
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 006A6519
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 006A654C
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 006A656D
      • __vbaFreeObj.MSVBVM60 ref: 006A6590
      • __vbaChkstk.MSVBVM60 ref: 006A65C8
      • __vbaChkstk.MSVBVM60 ref: 006A65EB
      • __vbaLateMemCallLd.MSVBVM60(?,?,UserRole,00000002), ref: 006A6618
      • __vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 006A6622
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00423E86), ref: 006A662E
      • __vbaLateMemCall.MSVBVM60(?,disconnect,00000000), ref: 006A6646
      • __vbaObjSetAddref.MSVBVM60(00000000,00000000,?,?,00423E86), ref: 006A665C
      • #685.MSVBVM60(?,?,00423E86), ref: 006A6669
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,00423E86), ref: 006A6674
      • __vbaFreeObj.MSVBVM60(?,?,00423E86), ref: 006A6695
      • __vbaFreeStr.MSVBVM60(006A66D1,?,?,00423E86), ref: 006A66B8
      • __vbaFreeObj.MSVBVM60(?,?,00423E86), ref: 006A66C1
      • __vbaFreeStr.MSVBVM60(?,?,00423E86), ref: 006A66CA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685Chkstk$AddrefCallCopyLate$#716CheckErrorHresult
      • String ID: AloahaSync.SyncAPI$UserRole$disconnect$`2m
      • API String ID: 1366400676-3001788002
      • Opcode ID: 811e66f9e717aab56295884b68546b5feeb2cdb522c48ad93ee9f44018fa946b
      • Instruction ID: aa86ab2b17008f2e4e594906fc188c0fea9a49146beabd836f37d3e76dfaeac4
      • Opcode Fuzzy Hash: 811e66f9e717aab56295884b68546b5feeb2cdb522c48ad93ee9f44018fa946b
      • Instruction Fuzzy Hash: 228134B4900209EFDB04DFA4DA48BDDBBB5FF08705F208169E506BB2A0DB74AA45CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00695D60 Relevance: 56.2, APIs: 29, Strings: 3, Instructions: 197COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 00695D7E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 00695DAE
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 00695DC3
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 00695DD5
      • __vbaStrCopy.MSVBVM60 ref: 00695DF7
        • Part of subcall function 0059ECC0: __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,?,00000000,00423E86), ref: 0059ECDE
        • Part of subcall function 0059ECC0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86), ref: 0059ED0E
        • Part of subcall function 0059ECC0: __vbaStrCmp.MSVBVM60(true,00000000,?,?,?,00000000,00423E86), ref: 0059ED26
        • Part of subcall function 0059ECC0: #712.MSVBVM60(?,hklm\,HKLM\,00000001,000000FF,00000000,?,?,?,00000000,00423E86), ref: 0059ED51
        • Part of subcall function 0059ECC0: __vbaStrMove.MSVBVM60(?,hklm\,HKLM\,00000001,000000FF,00000000,?,?,?,00000000,00423E86), ref: 0059ED5C
        • Part of subcall function 0059ECC0: #712.MSVBVM60(?,hkcu\,HKCU\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001,000000FF,00000000,?,?,?,00000000), ref: 0059ED7F
        • Part of subcall function 0059ECC0: __vbaStrMove.MSVBVM60(?,hkcu\,HKCU\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001,000000FF,00000000,?,?,?,00000000), ref: 0059ED8A
        • Part of subcall function 0059ECC0: #712.MSVBVM60(00000000,hlcr\,HKCR\,00000001,000000FF,00000000,?,hkcu\,HKCU\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001), ref: 0059EDAD
        • Part of subcall function 0059ECC0: __vbaStrMove.MSVBVM60(?,hkcu\,HKCU\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001,000000FF,00000000,?,?,?,00000000), ref: 0059EDB8
        • Part of subcall function 0059ECC0: #712.MSVBVM60(?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hkcu\,HKCU\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001), ref: 0059EDDB
        • Part of subcall function 0059ECC0: __vbaStrMove.MSVBVM60(?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hkcu\,HKCU\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001), ref: 0059EDE6
        • Part of subcall function 0059ECC0: #712.MSVBVM60(?,Software\,SOFTWARE\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hkcu\,HKCU\,00000001), ref: 0059EE09
        • Part of subcall function 0059ECC0: __vbaStrMove.MSVBVM60(?,Software\,SOFTWARE\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hkcu\,HKCU\,00000001), ref: 0059EE14
      • #520.MSVBVM60(?,00000008), ref: 00695E18
      • __vbaStrVarMove.MSVBVM60(?), ref: 00695E22
      • __vbaStrMove.MSVBVM60 ref: 00695E2D
      • __vbaFreeStr.MSVBVM60 ref: 00695E36
      • __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 00695E46
      • __vbaStrCmp.MSVBVM60(0042ADE8,?,?,?,00423E86), ref: 00695E5F
      • __vbaStrCopy.MSVBVM60(?,?,00423E86), ref: 00695E7C
      • __vbaFreeVarList.MSVBVM60(00000002,00000003,?,00000003,?), ref: 00695EC8
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,00423E86), ref: 00695EE0
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,00423E86), ref: 00695EEE
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,00423E86), ref: 00695F0B
      • __vbaVarDup.MSVBVM60 ref: 00695E9D
        • Part of subcall function 0059CC60: __vbaChkstk.MSVBVM60(00000003,00423E86), ref: 0059CC7E
        • Part of subcall function 0059CC60: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000003,00423E86), ref: 0059CCAE
        • Part of subcall function 0059CC60: __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000000,00000000,00000003,00423E86), ref: 0059CCC6
        • Part of subcall function 0059CC60: __vbaVarVargNofree.MSVBVM60(?,00000000,00000000,00000003,00423E86), ref: 0059CCE4
        • Part of subcall function 0059CC60: __vbaI4ErrVar.MSVBVM60(00000000,?,00000000,00000000,00000003,00423E86), ref: 0059CCEB
        • Part of subcall function 0059CC60: __vbaVargVarMove.MSVBVM60 ref: 0059CD1C
        • Part of subcall function 0059CC60: __vbaStrMove.MSVBVM60 ref: 0059CD63
        • Part of subcall function 0059CC60: __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 0059CD6F
        • Part of subcall function 0059CC60: __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 0059CD89
        • Part of subcall function 0059CC60: __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 0059CDA5
        • Part of subcall function 0059CC60: __vbaFreeStr.MSVBVM60 ref: 0059CDBF
        • Part of subcall function 0059CC60: #685.MSVBVM60 ref: 0059CE0F
      • __vbaStrCmp.MSVBVM60(0042C394,?,?,?,00423E86), ref: 00695F36
      • #685.MSVBVM60 ref: 00696039
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00696044
      • __vbaFreeObj.MSVBVM60 ref: 00696065
      • __vbaFreeStr.MSVBVM60(006960AC), ref: 006960A5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Free$Copy$#712Chkstk$Error$List$#520#685Varg$#518#711IndexLoadLockNofreeUnlock
      • String ID: AloahaCredentials:AllowPassword$HKLM\Software\Aloaha\GINA\Enable_PIN_or_PASS$Software\Aloaha\GINA
      • API String ID: 2962380812-4174716961
      • Opcode ID: 3c968d917c68aa43f641e8aaffad507a86a27c4f812286df6846bbff5ca6b22d
      • Instruction ID: 111946e18b246686054516326330f0e2a1d75b31e3e2349ddc13dc784a4ac01c
      • Opcode Fuzzy Hash: 3c968d917c68aa43f641e8aaffad507a86a27c4f812286df6846bbff5ca6b22d
      • Instruction Fuzzy Hash: 94911971900209EBDB00DFE0DA89BEDBB78FF48705F208169E502B76A0DB755A09CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0057BC70 Relevance: 56.2, APIs: 29, Strings: 3, Instructions: 196COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,0057BB25,00000000,00000000), ref: 0057BC8E
      • __vbaStrCopy.MSVBVM60(00000000,?,?,00000000,00423E86), ref: 0057BCBB
      • __vbaOnError.MSVBVM60(000000FF), ref: 0057BCCA
      • #685.MSVBVM60 ref: 0057BCD7
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0057BCE2
      • __vbaFreeObj.MSVBVM60 ref: 0057BD03
      • __vbaStrCopy.MSVBVM60 ref: 0057BD18
      • __vbaStrCopy.MSVBVM60 ref: 0057BD26
        • Part of subcall function 005ED250: __vbaChkstk.MSVBVM60(?,00423E86), ref: 005ED26E
        • Part of subcall function 005ED250: __vbaStrCopy.MSVBVM60(?,00000001,00000000,?,00423E86), ref: 005ED29B
        • Part of subcall function 005ED250: __vbaOnError.MSVBVM60(000000FF,?,00000001,00000000,?,00423E86), ref: 005ED2AA
        • Part of subcall function 005ED250: #518.MSVBVM60(?,00004008), ref: 005ED2F5
        • Part of subcall function 005ED250: __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 005ED336
        • Part of subcall function 005ED250: __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 005ED344
        • Part of subcall function 005ED250: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005ED35B
        • Part of subcall function 005ED250: #518.MSVBVM60(?,00004008), ref: 005ED3B4
        • Part of subcall function 005ED250: __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 005ED3F5
        • Part of subcall function 005ED250: __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 005ED403
      • __vbaObjSet.MSVBVM60(?,00000000,CAPICOM.Utilities,00000000,?,?), ref: 0057BD53
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0057BD63
      • #685.MSVBVM60 ref: 0057BD73
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0057BD7E
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 0057BDC9
      • __vbaFreeObj.MSVBVM60 ref: 0057BDF9
      • __vbaChkstk.MSVBVM60 ref: 0057BE27
      • __vbaLateMemCallLd.MSVBVM60(?,?,BinaryToHex,00000001), ref: 0057BE54
      • __vbaStrVarVal.MSVBVM60(?,00000000), ref: 0057BE62
      • __vbaChkstk.MSVBVM60 ref: 0057BE82
      • __vbaLateMemCallLd.MSVBVM60(?,?,HexToBinary,00000001), ref: 0057BEAF
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 0057BEB9
      • __vbaStrMove.MSVBVM60 ref: 0057BEC4
      • __vbaFreeStr.MSVBVM60 ref: 0057BECD
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0057BEE1
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0057BEF7
      • #685.MSVBVM60 ref: 0057BF04
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0057BF0F
      • __vbaFreeObj.MSVBVM60 ref: 0057BF30
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$ChkstkCopy$#685List$#518CallErrorLateMove$AddrefCheckHresult
      • String ID: BinaryToHex$CAPICOM.Utilities$HexToBinary
      • API String ID: 169486020-3136699940
      • Opcode ID: c0153f86807498cd928ce594a6990611431145a8969a30101d061d01935e5f32
      • Instruction ID: 939ae98fc1d9e13a2002283c5933c6bd0219bdce26610e3fdf13eccf7e12ed14
      • Opcode Fuzzy Hash: c0153f86807498cd928ce594a6990611431145a8969a30101d061d01935e5f32
      • Instruction Fuzzy Hash: BD912971900208EFDB04DFA4DE48BDEBBB9FF08704F1081A9E50AA7261DB745A49CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005208D0 Relevance: 54.4, APIs: 29, Strings: 2, Instructions: 198COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 005208EE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0052091E
      • #610.MSVBVM60(?,?,?,?,?,00423E86), ref: 0052092F
      • __vbaVarDup.MSVBVM60 ref: 00520952
      • #650.MSVBVM60(?,?,00000001,00000001), ref: 00520964
      • __vbaStrMove.MSVBVM60 ref: 0052096F
      • #610.MSVBVM60(?), ref: 0052097C
      • __vbaVarDup.MSVBVM60 ref: 005209A2
      • #650.MSVBVM60(?,?,00000001,00000001), ref: 005209BA
      • __vbaStrMove.MSVBVM60 ref: 005209C5
      • __vbaStrMove.MSVBVM60 ref: 005209F8
      • __vbaVarDup.MSVBVM60 ref: 00520A17
      • #619.MSVBVM60(?,?,00000002), ref: 00520A27
      • __vbaStrMove.MSVBVM60 ref: 00520A46
      • __vbaVarDup.MSVBVM60 ref: 00520A68
      • #617.MSVBVM60(?,?,00000002), ref: 00520A7E
      • __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 00520A96
      • __vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00520AAB
      • __vbaI4ErrVar.MSVBVM60(00000000), ref: 00520AB2
      • __vbaFreeStrList.MSVBVM60(00000004,?,?,00000000,00000000), ref: 00520AD0
      • __vbaFreeVarList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,?,?), ref: 00520B1C
      • __vbaStrI4.MSVBVM60(00000000,port: ), ref: 00520B69
      • __vbaStrMove.MSVBVM60 ref: 00520B74
      • __vbaStrCat.MSVBVM60(00000000), ref: 00520B7B
      • __vbaStrMove.MSVBVM60 ref: 00520B86
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,?), ref: 00520B9F
      • #685.MSVBVM60 ref: 00520BAF
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00520BBA
      • __vbaFreeObj.MSVBVM60 ref: 00520BDB
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Free$List$#610#650$#617#619#685ChkstkError
      • String ID: mmdd$port:
      • API String ID: 1628101360-642465026
      • Opcode ID: 0f73b9849a99be2ddf7d6ea871c551af9fe59b7bffec957956ab8b4aa0a04325
      • Instruction ID: 90c318c1e0a0919a7db2081d8700450ed76279cd238149e11826c4b26b7750fb
      • Opcode Fuzzy Hash: 0f73b9849a99be2ddf7d6ea871c551af9fe59b7bffec957956ab8b4aa0a04325
      • Instruction Fuzzy Hash: 8391EA76900218EFDB54CF90DD88BDEBBB8FF48305F008599E50AA7161DB745A89CF94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005C3C00 Relevance: 54.4, APIs: 28, Strings: 3, Instructions: 197COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,?,?,0061FB66), ref: 005C3C1E
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00423E86), ref: 005C3C4E
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000000,?,00000000,00423E86), ref: 005C3C66
      • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00423E86), ref: 005C3C80
      • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00423E86), ref: 005C3C9A
      • __vbaStrMove.MSVBVM60(?,00000000,?,00000000,00423E86), ref: 005C3CB1
      • __vbaStrCmp.MSVBVM60(0042ADE8,?,?,00000000,?,00000000,00423E86), ref: 005C3CC7
      • __vbaNew2.MSVBVM60(0042EAFC,006B58E0,?,00000000,?,00000000,00423E86), ref: 005C3CEF
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042EAEC,00000014), ref: 005C3D40
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042EB0C,00000050), ref: 005C3D88
      • __vbaStrMove.MSVBVM60 ref: 005C3DB9
      • __vbaFreeObj.MSVBVM60 ref: 005C3DC2
      • __vbaStrCmp.MSVBVM60(0042ADE8,?,?,00000000,?,00000000,00423E86), ref: 005C3DD8
      • #619.MSVBVM60(?,00004008,00000001), ref: 005C3E04
      • #685.MSVBVM60(?,00000000,?,00000000,00423E86), ref: 005C3EDD
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000,?,00000000,00423E86), ref: 005C3EE8
      • __vbaFreeObj.MSVBVM60(?,00000000,?,00000000,00423E86), ref: 005C3F09
      • __vbaFreeStr.MSVBVM60(005C3F59,?,00000000,?,00000000,00423E86), ref: 005C3F52
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$CheckCopyHresultMove$#619#685ChkstkErrorNew2
      • String ID: CardINI.ini$Xk$`2m
      • API String ID: 733303979-675337430
      • Opcode ID: 2ee0130dfd1be1d81d74dcadc48d3a5f6d4ea320a3873d8b57238f0f74ba094a
      • Instruction ID: 8847fce1bd6b16ac8b2bf2bd2886dc8de6191aa9200dd613021cbe8d78fafa0e
      • Opcode Fuzzy Hash: 2ee0130dfd1be1d81d74dcadc48d3a5f6d4ea320a3873d8b57238f0f74ba094a
      • Instruction Fuzzy Hash: 16910670A00218DFDB14DFA1DA48BDEBBB5FF48705F208169E506B72A0DB755A48CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005A4CD0 Relevance: 54.4, APIs: 30, Strings: 1, Instructions: 167COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(000000FF,00423E86), ref: 005A4CEE
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,000000FF,00423E86), ref: 005A4D1E
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000000,00000000,000000FF,00423E86), ref: 005A4D36
      • #525.MSVBVM60(00000104,?,00000000,00000000,000000FF,00423E86), ref: 005A4D50
      • __vbaStrMove.MSVBVM60(?,00000000,00000000,000000FF,00423E86), ref: 005A4D5B
      • __vbaLenBstr.MSVBVM60(00000000,?,00000000,00000000,000000FF,00423E86), ref: 005A4D6C
      • __vbaStrToAnsi.MSVBVM60(00000000,00000000,00000000,?,00000000,00000000,000000FF,00423E86), ref: 005A4D7B
      • __vbaSetSystemError.MSVBVM60(00000000,?,00000000,00000000,000000FF,00423E86), ref: 005A4D8A
      • __vbaStrToUnicode.MSVBVM60(00000000,?,?,00000000,00000000,000000FF,00423E86), ref: 005A4D98
      • __vbaFreeStr.MSVBVM60(?,00000000,00000000,000000FF,00423E86), ref: 005A4DA7
      • #616.MSVBVM60(00000000,?,?,00000000,00000000,000000FF,00423E86), ref: 005A4DBC
      • __vbaStrMove.MSVBVM60(?,00000000,00000000,000000FF,00423E86), ref: 005A4DC7
      • __vbaLenBstr.MSVBVM60(00000000,?,00000000,00000000,000000FF,00423E86), ref: 005A4DD8
      • #619.MSVBVM60(?,00004008,00000001), ref: 005A4E01
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 005A4E1D
      • __vbaFreeVar.MSVBVM60 ref: 005A4E2A
      • __vbaStrCat.MSVBVM60(0042E5EC,00000000), ref: 005A4E48
      • __vbaStrMove.MSVBVM60 ref: 005A4E53
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,000000FF,00423E86), ref: 005A4E6B
      • __vbaLenBstr.MSVBVM60(00000000,?,00000000,00000000,000000FF,00423E86), ref: 005A4E7C
      • #619.MSVBVM60(?,00004008,00000001), ref: 005A4EA9
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 005A4EC5
      • __vbaFreeVar.MSVBVM60 ref: 005A4ED2
      • __vbaStrCat.MSVBVM60(0042E5EC,00000000), ref: 005A4EF0
      • __vbaStrMove.MSVBVM60 ref: 005A4EFB
      • __vbaStrCopy.MSVBVM60 ref: 005A4F10
      • #685.MSVBVM60(?,00000000,00000000,000000FF,00423E86), ref: 005A4F1D
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,000000FF,00423E86), ref: 005A4F28
      • __vbaFreeObj.MSVBVM60(?,00000000,00000000,000000FF,00423E86), ref: 005A4F49
      • __vbaFreeStr.MSVBVM60(005A4F99,?,00000000,00000000,000000FF,00423E86), ref: 005A4F92
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$Bstr$#619CopyError$#525#616#685AnsiChkstkSystemUnicode
      • String ID: `2m
      • API String ID: 2386040579-3187377090
      • Opcode ID: a962d4ebe94ff8ce7ef28cb4c04478cd21a4042b5aa8d7a962481469a2efde34
      • Instruction ID: 10d0a9c03d80b674088947d5cc911fa40b84714a241c0080f236a39258968b62
      • Opcode Fuzzy Hash: a962d4ebe94ff8ce7ef28cb4c04478cd21a4042b5aa8d7a962481469a2efde34
      • Instruction Fuzzy Hash: 46712BB5900208DFDB14DFE1DA48ADEBBB9FF48705F208169E502B7260DB759A48CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005EA400 Relevance: 54.4, APIs: 30, Strings: 1, Instructions: 130COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,0065CF5D), ref: 005EA41E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86,0065CF5D), ref: 005EA44E
      • __vbaSetSystemError.MSVBVM60(?,?,?,00000000,00423E86,0065CF5D), ref: 005EA463
      • __vbaSetSystemError.MSVBVM60(?,?,?,?,?,00000000,00423E86,0065CF5D), ref: 005EA483
      • __vbaStrI4.MSVBVM60(?,?,?,?,00000000,00423E86,0065CF5D), ref: 005EA494
      • __vbaStrMove.MSVBVM60(?,?,?,00000000,00423E86,0065CF5D), ref: 005EA49F
      • __vbaStrCat.MSVBVM60(0042EBD4,00000000,?,?,?,00000000,00423E86,0065CF5D), ref: 005EA4AB
      • __vbaStrMove.MSVBVM60(?,?,?,00000000,00423E86,0065CF5D), ref: 005EA4B6
      • __vbaFreeStr.MSVBVM60(?,?,?,00000000,00423E86,0065CF5D), ref: 005EA4BF
      • __vbaStrI4.MSVBVM60(?,?,?,?,?,00000000,00423E86,0065CF5D), ref: 005EA4D4
      • __vbaStrMove.MSVBVM60(?,?,?,00000000,00423E86,0065CF5D), ref: 005EA4DF
      • __vbaStrCat.MSVBVM60(00000000,?,?,?,00000000,00423E86,0065CF5D), ref: 005EA4E6
      • __vbaStrMove.MSVBVM60(?,?,?,00000000,00423E86,0065CF5D), ref: 005EA4F1
      • __vbaStrCat.MSVBVM60(0042EBD4,00000000,?,?,?,00000000,00423E86,0065CF5D), ref: 005EA4FD
      • __vbaStrMove.MSVBVM60(?,?,?,00000000,00423E86,0065CF5D), ref: 005EA508
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,00000000,00423E86,0065CF5D), ref: 005EA518
      • __vbaSetSystemError.MSVBVM60(?,00000000,00423E86,0065CF5D), ref: 005EA530
      • __vbaStrI4.MSVBVM60(?,?,?,00000000,00423E86,0065CF5D), ref: 005EA53E
      • __vbaStrMove.MSVBVM60(?,00000000,00423E86,0065CF5D), ref: 005EA549
      • __vbaStrCat.MSVBVM60(00000000,?,00000000,00423E86,0065CF5D), ref: 005EA550
      • __vbaStrMove.MSVBVM60(?,00000000,00423E86,0065CF5D), ref: 005EA55B
      • __vbaFreeStr.MSVBVM60(?,00000000,00423E86,0065CF5D), ref: 005EA564
      • __vbaStrCopy.MSVBVM60(?,00000000,00423E86,0065CF5D), ref: 005EA577
      • __vbaStrCat.MSVBVM60(?,SessionID: ,?,00000000,00423E86,0065CF5D), ref: 005EA58D
      • __vbaStrMove.MSVBVM60(?,00000000,00423E86,0065CF5D), ref: 005EA598
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,00000000,00423E86,0065CF5D), ref: 005EA5AA
      • #685.MSVBVM60(?,00000000,00423E86,0065CF5D), ref: 005EA5B7
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,00423E86,0065CF5D), ref: 005EA5C2
      • __vbaFreeObj.MSVBVM60(?,00000000,00423E86,0065CF5D), ref: 005EA5DA
      • __vbaFreeStr.MSVBVM60(005EA621,?,00000000,00423E86,0065CF5D), ref: 005EA61A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Free$Error$ChkstkSystem$Copy$#518#520#685#711IndexListLoadLockUnlock
      • String ID: SessionID:
      • API String ID: 2021682191-404888849
      • Opcode ID: 90e1fd215181f5ae924499fdba269fbde0fc8ba0c986975a83e581d510fd0ee9
      • Instruction ID: ff436b823442a62aa393ab292df80db26443b364bde62fc0d60265875ef9c72e
      • Opcode Fuzzy Hash: 90e1fd215181f5ae924499fdba269fbde0fc8ba0c986975a83e581d510fd0ee9
      • Instruction Fuzzy Hash: CB51A775900209EFCB04EFA0EA99ADEBBB5BF48305F108169F502B3271DB745A49CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0054CC80 Relevance: 54.2, APIs: 36, Instructions: 219COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0054CC9E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0054CCCE
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0054CCE3
      • __vbaInStr.MSVBVM60(00000000,0042FA64,?,00000001,?,?,?,?,00423E86), ref: 0054CCFF
      • #712.MSVBVM60(00000000,0042FA64,0042ADE8,00000001,000000FF,00000000,?,00000001,?,?,?,?,00423E86), ref: 0054CD26
      • __vbaStrMove.MSVBVM60(?,00000001,?,?,?,?,00423E86), ref: 0054CD31
      • __vbaLenBstr.MSVBVM60(?,?,00000001,?,?,?,?,00423E86), ref: 0054CD44
      • __vbaStrCopy.MSVBVM60 ref: 0054CD93
      • #685.MSVBVM60 ref: 0054CDA0
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0054CDAB
      • __vbaFreeObj.MSVBVM60 ref: 0054CDCC
      • #632.MSVBVM60(?,00004008,00000001,00000002), ref: 0054CE04
      • __vbaStrVarMove.MSVBVM60(?), ref: 0054CE0E
      • __vbaStrMove.MSVBVM60 ref: 0054CE19
      • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0054CE29
      • #685.MSVBVM60 ref: 0054CE39
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0054CE44
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 0054CE80
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 0054CEA1
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$#685CopyFree$#632#712BstrCheckChkstkErrorHresultList
      • String ID:
      • API String ID: 2849207454-0
      • Opcode ID: 0f2fc19e77dee2ccfa0b771b8c92d5130e8eacba933b567b597d15ce592a83f8
      • Instruction ID: ff15e25eb3322c966e9789526eca8b36e76ca581efe3350c2111d064704e5793
      • Opcode Fuzzy Hash: 0f2fc19e77dee2ccfa0b771b8c92d5130e8eacba933b567b597d15ce592a83f8
      • Instruction Fuzzy Hash: F3A108B5900208EFDB00DFA0DA88BDEBBB5FF48705F108169E506B72A0DB745A89CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00606CE0 Relevance: 52.8, APIs: 28, Strings: 2, Instructions: 298COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 00606CFE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 00606D45
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 00606D5A
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 00606D6C
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00455F94,00000058), ref: 00606DA3
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00455F94,00000058), ref: 00606DF0
      • __vbaSetSystemError.MSVBVM60(00000000,000000FF,00000000,00000000,00000000,00000000,00000043), ref: 00606E17
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00455F94,00000058), ref: 00606E4E
      • __vbaSetSystemError.MSVBVM60(00000000), ref: 00606E6C
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00606E93
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042EBF0,0000005C), ref: 00606EC4
      • __vbaFreeObj.MSVBVM60 ref: 00606ED9
      • __vbaSetSystemError.MSVBVM60 ref: 00606F01
      • #685.MSVBVM60 ref: 00606F2F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00606F3A
      • __vbaFreeObj.MSVBVM60 ref: 00606F52
      • __vbaSetSystemError.MSVBVM60(000000FF,000000FF,00000000,00000000,00000000,00000000,00000043), ref: 00606F74
      • __vbaSetSystemError.MSVBVM60(000000FF), ref: 00606F8D
      • __vbaStrCopy.MSVBVM60 ref: 00606FA8
        • Part of subcall function 005AC770: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC918
        • Part of subcall function 005AC770: __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 005AC943
        • Part of subcall function 005AC770: __vbaNew2.MSVBVM60(0042EAFC,006B58E0,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005AC966
        • Part of subcall function 005AC770: __vbaHresultCheckObj.MSVBVM60(00000000,?,0042EAEC,00000014), ref: 005AC9CC
        • Part of subcall function 005AC770: __vbaHresultCheckObj.MSVBVM60(00000000,?,0042EB0C,00000058), ref: 005ACA29
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005ACA72
        • Part of subcall function 005AC770: #711.MSVBVM60(?,?,?,000000FF,00000000), ref: 005ACA8B
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005ACA96
      • __vbaFreeStr.MSVBVM60(?), ref: 00606FBA
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00606FDB
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042EBF0,0000005C), ref: 0060700C
      • __vbaFreeObj.MSVBVM60 ref: 00607021
      • __vbaChkstk.MSVBVM60 ref: 00607041
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00455F94,000002AC), ref: 0060708B
      • #685.MSVBVM60 ref: 006070AB
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 006070B6
      • __vbaFreeObj.MSVBVM60 ref: 006070D7
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresult$Error$ChkstkSystem$Move$Copy$#685#711List$#518#520IndexLoadLockNew2Unlock
      • String ID: Bring PIN Dialog to front$timer
      • API String ID: 3739563180-1745417365
      • Opcode ID: 705ec0fd695b07fd034a4dde241f4be688e7706012a1bb1718abadfb7743cf56
      • Instruction ID: c7f021087a12e8cbd8e88cdae5d5220e6e82436cfa18bf08685a5ca1779d9b29
      • Opcode Fuzzy Hash: 705ec0fd695b07fd034a4dde241f4be688e7706012a1bb1718abadfb7743cf56
      • Instruction Fuzzy Hash: 0AD1F4B4900208EFDB14DFA4D988BDEBBB5FF48705F208219F516AB2A1C774AA45CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005C88A0 Relevance: 52.7, APIs: 29, Strings: 1, Instructions: 194COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,005C8C60,?,00000000,00000000,00000000,00423E86,005AC807), ref: 005C88BE
      • __vbaAryConstruct2.MSVBVM60(?,0044B120,00000003,?,00000000,00000000,00000000,00423E86,005C8C60), ref: 005C88F0
      • __vbaFixstrConstruct.MSVBVM60(00000104,?,?,00000000,00000000,00000000,00423E86,005C8C60), ref: 005C88FF
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00423E86,005C8C60), ref: 005C890E
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000000,00000000,00000000,00423E86,005C8C60), ref: 005C8927
      • __vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000,00423E86,005C8C60), ref: 005C8944
      • __vbaSetSystemError.MSVBVM60(00000410,00000000,?,?,00000000,00000000,00000000,00423E86,005C8C60), ref: 005C896A
      • __vbaGenerateBoundsError.MSVBVM60 ref: 005C89AE
      • __vbaSetSystemError.MSVBVM60(00000000,00000000,000000C8,00000000), ref: 005C89D9
      • __vbaGenerateBoundsError.MSVBVM60 ref: 005C8A1D
      • __vbaStrToAnsi.MSVBVM60(?,?,000001F4), ref: 005C8A36
      • __vbaSetSystemError.MSVBVM60(00000000,00000000,00000000), ref: 005C8A53
      • __vbaStrToUnicode.MSVBVM60(?,?), ref: 005C8A61
      • __vbaLsetFixstr.MSVBVM60(00000000,?,00000000), ref: 005C8A6E
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005C8A84
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00423E86,005C8C60), ref: 005C8A9E
      • #616.MSVBVM60(00000000), ref: 005C8AA5
      • __vbaStrMove.MSVBVM60 ref: 005C8AB0
      • __vbaLsetFixstr.MSVBVM60(00000000,?,?), ref: 005C8AC0
      • __vbaStrMove.MSVBVM60 ref: 005C8AD9
      • __vbaFreeStr.MSVBVM60 ref: 005C8AE2
      • __vbaStrCopy.MSVBVM60 ref: 005C8AF7
      • __vbaSetSystemError.MSVBVM60(00000000), ref: 005C8B10
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00423E86,005C8C60), ref: 005C8B2E
      • #685.MSVBVM60(?,00000000,00000000,00000000,00423E86,005C8C60), ref: 005C8B3B
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,00000000,00000000,00423E86,005C8C60), ref: 005C8B46
      • __vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,00423E86,005C8C60), ref: 005C8B67
      • __vbaAryDestruct.MSVBVM60(00000000,?,005C8BC0,?,00000000,00000000,00000000,00423E86,005C8C60), ref: 005C8BB0
      • __vbaFreeStr.MSVBVM60(?,00000000,00000000,00000000,00423E86,005C8C60), ref: 005C8BB9
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Error$System$Free$CopyFixstr$BoundsGenerateLsetMove$#616#685AnsiChkstkConstructConstruct2DestructListUnicode
      • String ID: X3k
      • API String ID: 1407977808-3018161146
      • Opcode ID: 6657a11cd2906e24397a6677c9ccbbda0c2f35a8e875f788aef763c7827d49e5
      • Instruction ID: 87fd81e43529c3d49bf4b5691f790ea5e8da823eeaa6e3bb2c9c6d8d63ebd669
      • Opcode Fuzzy Hash: 6657a11cd2906e24397a6677c9ccbbda0c2f35a8e875f788aef763c7827d49e5
      • Instruction Fuzzy Hash: 3391F3B4900348DFDB04DFE4DA88BEEBBB5FB48305F108169E506AB2A4DB746A45CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005C0CF0 Relevance: 49.1, APIs: 26, Strings: 2, Instructions: 137COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 005C0D0E
      • __vbaStrCopy.MSVBVM60(6D251654,00000000,6D30595C,?,00423E86), ref: 005C0D3B
      • __vbaOnError.MSVBVM60(000000FF), ref: 005C0D4A
      • #526.MSVBVM60(?,000000FF), ref: 005C0D60
      • __vbaStrVarMove.MSVBVM60(?), ref: 005C0D6A
      • __vbaStrMove.MSVBVM60 ref: 005C0D75
      • __vbaFreeVar.MSVBVM60 ref: 005C0D7E
      • __vbaLenBstr.MSVBVM60(?), ref: 005C0D8F
      • __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 005C0D9E
      • __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 005C0DAD
      • __vbaSetSystemError.MSVBVM60(00000000), ref: 005C0DBF
      • __vbaStrToUnicode.MSVBVM60(?,?), ref: 005C0DCD
      • __vbaStrToUnicode.MSVBVM60(?,?), ref: 005C0DDB
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005C0DF4
      • #608.MSVBVM60(?,00000000), ref: 005C0E17
      • __vbaInStrVar.MSVBVM60(?,00000000,?,00000008,00000001), ref: 005C0E41
      • __vbaVarSub.MSVBVM60(?,00000002,00000000), ref: 005C0E53
      • __vbaI4Var.MSVBVM60(00000000), ref: 005C0E5A
      • #616.MSVBVM60(?,00000000), ref: 005C0E65
      • __vbaStrMove.MSVBVM60 ref: 005C0E70
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005C0E80
      • #685.MSVBVM60 ref: 005C0E90
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C0E9B
      • __vbaFreeObj.MSVBVM60 ref: 005C0EBC
      • __vbaFreeStr.MSVBVM60(005C0F23), ref: 005C0F13
      • __vbaFreeStr.MSVBVM60 ref: 005C0F1C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$AnsiErrorListUnicode$#526#608#616#685BstrChkstkCopySystem
      • String ID: \Y0m$`2m
      • API String ID: 2292728281-238426587
      • Opcode ID: 0c5872ffffd3a4077103c2fd1274458dc3cc60d8897d9837823298b7579f4e36
      • Instruction ID: 514f380928e41c2b302a34ad04a1b6e3d22fefd6fe105cd0b2360cd41904ce3c
      • Opcode Fuzzy Hash: 0c5872ffffd3a4077103c2fd1274458dc3cc60d8897d9837823298b7579f4e36
      • Instruction Fuzzy Hash: 7C51C7B5900208EFDB14DFE0DE48FDEBBB8BB48705F108169F612A6160DB745A49CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00566C30 Relevance: 47.4, APIs: 24, Strings: 3, Instructions: 148COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86), ref: 00566C4E
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00423E86), ref: 00566C7E
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000000,?,00000000,00423E86), ref: 00566C96
      • __vbaStrMove.MSVBVM60(?,00000000,?,00000000,00423E86), ref: 00566CB5
      • __vbaStrCat.MSVBVM60(\Ereignisse\LogonFail,00000000,?,00000000,?,00000000,00423E86), ref: 00566CC1
      • __vbaStrMove.MSVBVM60(?,00000000,?,00000000,00423E86), ref: 00566CCC
        • Part of subcall function 0059ECC0: __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,?,00000000,00423E86), ref: 0059ECDE
        • Part of subcall function 0059ECC0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86), ref: 0059ED0E
        • Part of subcall function 0059ECC0: __vbaStrCmp.MSVBVM60(true,00000000,?,?,?,00000000,00423E86), ref: 0059ED26
        • Part of subcall function 0059ECC0: #712.MSVBVM60(?,hklm\,HKLM\,00000001,000000FF,00000000,?,?,?,00000000,00423E86), ref: 0059ED51
        • Part of subcall function 0059ECC0: __vbaStrMove.MSVBVM60(?,hklm\,HKLM\,00000001,000000FF,00000000,?,?,?,00000000,00423E86), ref: 0059ED5C
        • Part of subcall function 0059ECC0: #712.MSVBVM60(?,hkcu\,HKCU\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001,000000FF,00000000,?,?,?,00000000), ref: 0059ED7F
        • Part of subcall function 0059ECC0: __vbaStrMove.MSVBVM60(?,hkcu\,HKCU\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001,000000FF,00000000,?,?,?,00000000), ref: 0059ED8A
        • Part of subcall function 0059ECC0: #712.MSVBVM60(00000000,hlcr\,HKCR\,00000001,000000FF,00000000,?,hkcu\,HKCU\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001), ref: 0059EDAD
        • Part of subcall function 0059ECC0: __vbaStrMove.MSVBVM60(?,hkcu\,HKCU\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001,000000FF,00000000,?,?,?,00000000), ref: 0059EDB8
        • Part of subcall function 0059ECC0: #712.MSVBVM60(?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hkcu\,HKCU\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001), ref: 0059EDDB
        • Part of subcall function 0059ECC0: __vbaStrMove.MSVBVM60(?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hkcu\,HKCU\,00000001,000000FF,00000000,?,hklm\,HKLM\,00000001), ref: 0059EDE6
        • Part of subcall function 0059ECC0: #712.MSVBVM60(?,Software\,SOFTWARE\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hkcu\,HKCU\,00000001), ref: 0059EE09
        • Part of subcall function 0059ECC0: __vbaStrMove.MSVBVM60(?,Software\,SOFTWARE\,00000001,000000FF,00000000,?,software\,SOFTWARE\,00000001,000000FF,00000000,?,hkcu\,HKCU\,00000001), ref: 0059EE14
      • __vbaStrMove.MSVBVM60(?,?,00000000,?,00000000,00423E86), ref: 00566CE0
      • __vbaVarDup.MSVBVM60 ref: 00566CF6
      • #520.MSVBVM60(?,?), ref: 00566D04
      • __vbaStrVarMove.MSVBVM60(?), ref: 00566D0E
      • __vbaStrMove.MSVBVM60 ref: 00566D1B
      • __vbaFreeStrList.MSVBVM60(00000003,00000000,?,?), ref: 00566D2F
      • __vbaFreeVarList.MSVBVM60(00000002,?,?,00000000,?,00000000,00423E86), ref: 00566D42
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000000,?,00000000,00423E86), ref: 00566D5E
      • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00423E86), ref: 00566D7D
      • __vbaStrMove.MSVBVM60(?,00000000,?,00000000,00423E86), ref: 00566D94
      • __vbaStrMove.MSVBVM60 ref: 00566DB4
      • __vbaStrCat.MSVBVM60(\Ereignisse\LogonFail,00000000), ref: 00566DC0
      • __vbaStrMove.MSVBVM60 ref: 00566DCB
      • __vbaFreeStrList.MSVBVM60(00000003,00000000,?,00000000,?,00000001), ref: 00566DEC
      • __vbaStrCmp.MSVBVM60(0042C39C,00000000,?,00000000,?,00000000,00423E86), ref: 00566E08
      • #685.MSVBVM60(?,00000000), ref: 00566E35
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000), ref: 00566E40
      • __vbaFreeObj.MSVBVM60(?,00000000), ref: 00566E61
        • Part of subcall function 00564720: __vbaChkstk.MSVBVM60(?,00423E86), ref: 0056473E
        • Part of subcall function 00564720: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0056476E
        • Part of subcall function 00564720: __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,?,?,?,00423E86), ref: 00564786
        • Part of subcall function 00564720: __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 005647A0
        • Part of subcall function 00564720: #685.MSVBVM60(?,?,?,?,00423E86), ref: 00564B7A
        • Part of subcall function 00564720: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 00564B85
        • Part of subcall function 00564720: __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 00564BA6
        • Part of subcall function 00564720: __vbaFreeStr.MSVBVM60(00564C09,?,?,?,?,00423E86), ref: 00564BF9
        • Part of subcall function 00564720: __vbaFreeStr.MSVBVM60(?,?,?,?,00423E86), ref: 00564C02
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Free$#712$ChkstkErrorList$#685Copy$#520
      • String ID: \Ereignisse\LogonFail$t>k$t>k
      • API String ID: 4065364949-4086244166
      • Opcode ID: 324060f9f79ddc56ea78d9754ebdacae0dd44850527e1d5b22f02352fcfba268
      • Instruction ID: 5860ddb6d5a3524394986dd197d9a753b25fa0542f9fb4502b7850fc93125437
      • Opcode Fuzzy Hash: 324060f9f79ddc56ea78d9754ebdacae0dd44850527e1d5b22f02352fcfba268
      • Instruction Fuzzy Hash: 15513A75900209EFDB00DFE4DA48BDEBBB9FF48305F108169E502A72A1DB755A09CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0056E550 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 164COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86), ref: 0056E56E
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00423E86), ref: 0056E59E
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0056E5B3
      • #685.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0056E5C0
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000,00000000,00000000,00423E86), ref: 0056E5CB
      • __vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0056E5E3
        • Part of subcall function 005D2200: __vbaChkstk.MSVBVM60(?,00423E86), ref: 005D221E
        • Part of subcall function 005D2200: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005D224B
        • Part of subcall function 005D2200: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005D225A
        • Part of subcall function 005D2200: #518.MSVBVM60(?,00004008), ref: 005D2292
        • Part of subcall function 005D2200: #518.MSVBVM60(?,00004008), ref: 005D22B6
        • Part of subcall function 005D2200: #518.MSVBVM60(?,00004008), ref: 005D22DD
        • Part of subcall function 005D2200: #617.MSVBVM60(?,?,00000005), ref: 005D22ED
        • Part of subcall function 005D2200: #617.MSVBVM60(?,?,00000006), ref: 005D2311
        • Part of subcall function 005D2200: #617.MSVBVM60(?,?,00000004), ref: 005D233B
        • Part of subcall function 005D2200: __vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 005D2364
        • Part of subcall function 005D2200: __vbaVarCmpEq.MSVBVM60(?,00008008,?,00000000), ref: 005D237D
        • Part of subcall function 005D2200: __vbaVarOr.MSVBVM60(?,00000000), ref: 005D238B
      • #685.MSVBVM60(00000000,?,00000000,00000000,00000000,00423E86), ref: 0056E60C
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000,00000000,00000000,00423E86), ref: 0056E617
      • __vbaStrMove.MSVBVM60(?), ref: 0056E710
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 0056E64A
        • Part of subcall function 0056EAE0: __vbaOnError.MSVBVM60(00000001,?,00000000,00000000), ref: 0056EB5B
        • Part of subcall function 0056EAE0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000,00000000,?,00000000,00000000), ref: 0056EB80
        • Part of subcall function 0056EAE0: __vbaStrToAnsi.MSVBVM60(?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0056EBA8
        • Part of subcall function 0056EAE0: __vbaSetSystemError.MSVBVM60(00000000,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0056EBB6
        • Part of subcall function 0056EAE0: __vbaStrToUnicode.MSVBVM60(00000000,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0056EBC7
        • Part of subcall function 0056EAE0: __vbaFreeStr.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0056EBD5
        • Part of subcall function 0056EAE0: __vbaAryLock.MSVBVM60(?,?,?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0056EBED
        • Part of subcall function 0056EAE0: __vbaGenerateBoundsError.MSVBVM60(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0056EC0A
      • __vbaFreeObj.MSVBVM60 ref: 0056E66E
      • __vbaVar2Vec.MSVBVM60(?,?,?,?), ref: 0056E698
      • __vbaAryMove.MSVBVM60(00000000,?), ref: 0056E6A6
      • __vbaFreeVar.MSVBVM60 ref: 0056E6AF
      • #717.MSVBVM60(?,00006011,00000040,00000000), ref: 0056E6D5
      • __vbaStrVarMove.MSVBVM60(?), ref: 0056E6DF
      • __vbaStrMove.MSVBVM60 ref: 0056E6EA
      • __vbaFreeVar.MSVBVM60 ref: 0056E6F3
      • __vbaStrMove.MSVBVM60(?,00000000,?,00000000,00000000,00000000,00423E86), ref: 0056E72D
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0056E740
      • #685.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0056E74D
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000,00000000,00000000,00423E86), ref: 0056E758
      • __vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0056E779
      • __vbaAryDestruct.MSVBVM60(00000000,00000000,0056E7CE,?,00000000,00000000,00000000,00423E86), ref: 0056E7BE
      • __vbaFreeStr.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0056E7C7
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$ErrorMove$#518#617#685Copy$Chkstk$#717AnsiBoundsCheckDestructGenerateHresultLockRedimSystemUnicodeVar2
      • String ID: `2m
      • API String ID: 2320873246-3187377090
      • Opcode ID: 62499ec17b65183f64dc3d40b108ab02413e55fb763c12539928c14edc91efe4
      • Instruction ID: 9f67b61df22196d5484fc8fa45413de2d0f0fb98705dd0a30a9e35910d39ea74
      • Opcode Fuzzy Hash: 62499ec17b65183f64dc3d40b108ab02413e55fb763c12539928c14edc91efe4
      • Instruction Fuzzy Hash: 0371E775900209EFDB04DFE4DA88BDEBBB4FF48305F108569E502AB2A0DB749A49CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0065B8F0 Relevance: 42.2, APIs: 21, Strings: 3, Instructions: 161COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,?,?,0064D764), ref: 0065B90E
      • __vbaOnError.MSVBVM60(000000FF,6D23D8CD,00000001,?,00000000,00423E86), ref: 0065B93E
      • __vbaStrCmp.MSVBVM60(true,00000000), ref: 0065B956
      • __vbaStrCopy.MSVBVM60 ref: 0065B975
      • __vbaStrCopy.MSVBVM60 ref: 0065B98A
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?), ref: 0065B99C
      • __vbaNew2.MSVBVM60(00425740,00000000), ref: 0065B9B8
      • __vbaStrCopy.MSVBVM60 ref: 0065B9DC
      • __vbaStrCopy.MSVBVM60 ref: 0065B9EA
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0043AB64,00000038), ref: 0065BA22
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0065BA3E
      • __vbaNew2.MSVBVM60(00425740,00000000), ref: 0065BA5D
      • __vbaStrCopy.MSVBVM60 ref: 0065BA81
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0043AB64,0000002C), ref: 0065BAB1
      • __vbaFreeStr.MSVBVM60 ref: 0065BAC6
      • __vbaCastObj.MSVBVM60(00000000,0043AB64), ref: 0065BADA
      • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 0065BAE5
      • #685.MSVBVM60 ref: 0065BAF2
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0065BAFD
      • __vbaFreeObj.MSVBVM60 ref: 0065BB15
      • __vbaFreeObj.MSVBVM60(0065BB49), ref: 0065BB42
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Copy$Free$Move$Chkstk$CheckErrorHresultNew2$#518#520#685#711CastIndexListLoadLockUnlock
      • String ID: Going to Start Services in Readerinfo$SCardSvr$true
      • API String ID: 2372686161-412317244
      • Opcode ID: a8bc86b12f9bd4a129c422cb1456cbd02f602838f33a76ffa471720e985e1810
      • Instruction ID: 9aff1b4c6c2197338617a9d96ba90ca9e7095afcef46a13ca7fb90ef83457daf
      • Opcode Fuzzy Hash: a8bc86b12f9bd4a129c422cb1456cbd02f602838f33a76ffa471720e985e1810
      • Instruction Fuzzy Hash: F771E5B5D00209EFDB04DF90DA88BEDBBB5FB48705F208169E502B72A0DB745A49CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00626890 Relevance: 40.4, APIs: 20, Strings: 3, Instructions: 177COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 006268AE
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 006268E7
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 006268F6
      • __vbaChkstk.MSVBVM60 ref: 00626939
      • __vbaLateMemSt.MSVBVM60(?,RemoteURL), ref: 00626963
      • __vbaHresultCheckObj.MSVBVM60(?,?,0045B570,00000064), ref: 006269A9
      • #518.MSVBVM60(?,00004008), ref: 006269EB
      • __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 00626A20
      • __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 00626A2E
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00626A45
      • #619.MSVBVM60(?,00004008,00000001), ref: 00626A7B
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 00626A97
      • __vbaFreeVar.MSVBVM60 ref: 00626AA7
      • __vbaStrCat.MSVBVM60(00432880,?), ref: 00626AC8
      • __vbaStrMove.MSVBVM60 ref: 00626AD3
      • __vbaStrCopy.MSVBVM60 ref: 00626AE9
      • #685.MSVBVM60 ref: 00626B06
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00626B11
      • __vbaFreeObj.MSVBVM60 ref: 00626B32
      • __vbaFreeStr.MSVBVM60(00626B6A), ref: 00626B63
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$ChkstkCopy$#518#619#685CheckErrorHresultLateListMove
      • String ID: RemoteURL$http$`2m
      • API String ID: 1248986982-1676056473
      • Opcode ID: 0d2d6a92a26cdc2c047225640adfc9e912a3388b6fbe0ed4caf386cd826e5a88
      • Instruction ID: bc6b4d6df6780010e35e2185d08c98abafffeb6f240ff7101d63ae4c7be1b948
      • Opcode Fuzzy Hash: 0d2d6a92a26cdc2c047225640adfc9e912a3388b6fbe0ed4caf386cd826e5a88
      • Instruction Fuzzy Hash: 2D812BB5900318EFDB14DF94D988BDDBBB5FF08304F108199E509AB250DB759A88CF94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005CD4D0 Relevance: 40.4, APIs: 20, Strings: 3, Instructions: 132COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,0059CA35,?,?,?,00000000,00423E86,000000FF), ref: 005CD4EE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86,0059CA35), ref: 005CD51E
      • #685.MSVBVM60(?,?,?,00000000,00423E86,0059CA35), ref: 005CD52B
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00423E86,0059CA35), ref: 005CD536
      • __vbaFreeObj.MSVBVM60(?,?,?,00000000,00423E86,0059CA35), ref: 005CD54E
      • __vbaLateMemCallLd.MSVBVM60(?,00000000,info,00000000), ref: 005CD57B
      • __vbaVarTstGt.MSVBVM60(?,00000000,?,?,00000000,00423E86,0059CA35), ref: 005CD589
      • __vbaFreeVar.MSVBVM60(?,?,00000000,00423E86,0059CA35), ref: 005CD596
      • #685.MSVBVM60(?,?,00000000,00423E86,0059CA35), ref: 005CD5AF
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,00000000,00423E86,0059CA35), ref: 005CD5BA
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 005CD5ED
      • __vbaFreeObj.MSVBVM60 ref: 005CD611
      • __vbaObjSetAddref.MSVBVM60(006B32A8,00000000), ref: 005CD62D
      • #685.MSVBVM60(?,?,00000000,00423E86,0059CA35), ref: 005CD63A
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,00000000,00423E86,0059CA35), ref: 005CD645
      • __vbaFreeObj.MSVBVM60(?,?,00000000,00423E86,0059CA35), ref: 005CD666
      • __vbaStrCopy.MSVBVM60(?,?,00000000,00423E86,0059CA35), ref: 005CD67D
      • #685.MSVBVM60(?,?,00000000,00423E86,0059CA35), ref: 005CD68A
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,00000000,00423E86,0059CA35), ref: 005CD695
      • __vbaFreeObj.MSVBVM60(?,?,00000000,00423E86,0059CA35), ref: 005CD6B6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685$AddrefCallCheckChkstkCopyErrorHresultLate
      • String ID: 3k$info$`2m
      • API String ID: 3020046405-2405576901
      • Opcode ID: 64f47b613a9550e3085af39246bfe20a053e2219ae6c32b9bfb75d65226a2a5f
      • Instruction ID: f81784cf8c03c31d4c44716565e707d76783659a71f0fa877e1cd58252d2bfb6
      • Opcode Fuzzy Hash: 64f47b613a9550e3085af39246bfe20a053e2219ae6c32b9bfb75d65226a2a5f
      • Instruction Fuzzy Hash: 4151E6B5900208EFDB04DFE4DA48BDEBBB9FF08705F108169E506AB2A1DB745A44CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 006244A0 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 132COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86), ref: 006244BE
      • __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,00423E86), ref: 006244EE
      • __vbaStrCmp.MSVBVM60(true,00000000,?,00000001,?,00000000,00423E86), ref: 00624506
      • __vbaStrCmp.MSVBVM60(false,00000000,?,00000001,?,00000000,00423E86), ref: 00624520
      • __vbaStrCmp.MSVBVM60(true,00000000,?,00000001,?,00000000,00423E86), ref: 00624545
      • __vbaStrMove.MSVBVM60(?,00000001,?,00000000,00423E86), ref: 00624581
      • __vbaStrCopy.MSVBVM60(?,00000001,?,00000000,00423E86), ref: 0062458F
      • __vbaStrCopy.MSVBVM60(?,00000001,?,00000000,00423E86), ref: 0062459D
      • __vbaStrCopy.MSVBVM60(?,00000001,?,00000000,00423E86), ref: 006245AB
      • __vbaStrMove.MSVBVM60(00000001,?,?,?,?,00000001,?,00000000,00423E86), ref: 006245CB
      • __vbaStrCmp.MSVBVM60(0042C39C,00000000,?,00000001,?,00000000,00423E86), ref: 006245D7
      • __vbaFreeStrList.MSVBVM60(00000005,00000001,?,?,?,?,?,00000001,?,00000000,00423E86), ref: 006245FE
      • __vbaStrCopy.MSVBVM60 ref: 00624620
      • __vbaStrCopy.MSVBVM60 ref: 00624646
      • #685.MSVBVM60 ref: 00624660
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0062466B
      • __vbaFreeObj.MSVBVM60 ref: 00624683
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Copy$FreeMove$#685ChkstkErrorList
      • String ID: Settings$SuperCache$false$true$8k$8k
      • API String ID: 3111372883-117372102
      • Opcode ID: b1d20d34cbfb8c7533af5e781cc797d513c85eae65913a32d5143c0dc51acc03
      • Instruction ID: b2b5dcbc5cbeb2dc2b786efda0cddc80812afaac2673bf498f56004f6d814b30
      • Opcode Fuzzy Hash: b1d20d34cbfb8c7533af5e781cc797d513c85eae65913a32d5143c0dc51acc03
      • Instruction Fuzzy Hash: AE515F71A10218EBDB00DFE4E948BEE7BB5FF48704F108269F502B72A0DB745A49CB55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0063DC90 Relevance: 38.6, APIs: 21, Strings: 1, Instructions: 124COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86), ref: 0063DCAE
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0063DCDB
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0063DCE7
      • __vbaStrCopy.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 0063DCF3
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00423E86), ref: 0063DD02
      • #520.MSVBVM60(?,00004008), ref: 0063DD24
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 0063DD41
      • __vbaVarCmpNe.MSVBVM60(?,00008008,?), ref: 0063DD6C
      • __vbaVarAnd.MSVBVM60(?,0000000B,00000000), ref: 0063DD7E
      • __vbaBoolVarNull.MSVBVM60(00000000), ref: 0063DD85
      • __vbaFreeVarList.MSVBVM60(00000002,?,0000000B), ref: 0063DD9F
      • #520.MSVBVM60(?,00004008), ref: 0063DDCF
      • __vbaStrVarMove.MSVBVM60(?), ref: 0063DDD9
      • __vbaStrMove.MSVBVM60 ref: 0063DDE4
      • __vbaFreeVar.MSVBVM60 ref: 0063DDED
        • Part of subcall function 0063DEA0: __vbaChkstk.MSVBVM60(?,00423E86,?,?,?,?,?,?,00000000,00000000,00423E86), ref: 0063DEBE
        • Part of subcall function 0063DEA0: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 0063DEEB
        • Part of subcall function 0063DEA0: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 0063DEF7
        • Part of subcall function 0063DEA0: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 0063DF03
        • Part of subcall function 0063DEA0: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 0063DF12
        • Part of subcall function 0063DEA0: #520.MSVBVM60(?,00004008), ref: 0063DF3D
        • Part of subcall function 0063DEA0: __vbaStrVarMove.MSVBVM60(?), ref: 0063DF47
        • Part of subcall function 0063DEA0: __vbaStrMove.MSVBVM60 ref: 0063DF52
        • Part of subcall function 0063DEA0: __vbaFreeVar.MSVBVM60 ref: 0063DF5B
        • Part of subcall function 0063DEA0: __vbaNew2.MSVBVM60(00437420,006B3E2C,?), ref: 0063DFA5
        • Part of subcall function 0063DEA0: __vbaHresultCheckObj.MSVBVM60(00000000,?,00437410,00000024), ref: 0063E00E
        • Part of subcall function 0063DEA0: #685.MSVBVM60 ref: 0063E03A
        • Part of subcall function 0063DEA0: __vbaObjSet.MSVBVM60(?,00000000), ref: 0063E045
      • #685.MSVBVM60(00000000,00000000,00423E86), ref: 0063DE12
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0063DE1D
      • __vbaFreeObj.MSVBVM60 ref: 0063DE3E
      • __vbaFreeStr.MSVBVM60(0063DE88), ref: 0063DE6F
      • __vbaFreeStr.MSVBVM60 ref: 0063DE78
      • __vbaFreeStr.MSVBVM60 ref: 0063DE81
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Copy$Move$#520$#685ChkstkError$BoolCheckHresultListNew2Null
      • String ID: `2m
      • API String ID: 645751184-3187377090
      • Opcode ID: 025d666ac90577629bc3b69a9a7605ce9f9145e5705daca442bcbbaa299f4762
      • Instruction ID: 87ca7cda7b2f2c59fe47eb7a18b43ab1ea082dc32a990e7cbbea33296881e0b1
      • Opcode Fuzzy Hash: 025d666ac90577629bc3b69a9a7605ce9f9145e5705daca442bcbbaa299f4762
      • Instruction Fuzzy Hash: F85117B1900219DFDB04DFA4DD88BEEBBB8BF08705F108169E506B7260DB345A49CFA4
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00617010 Relevance: 35.1, APIs: 19, Strings: 1, Instructions: 96COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0061702E
      • __vbaVarDup.MSVBVM60(?,?,?,?,00423E86), ref: 0061705B
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0061706A
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 00617077
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 00617082
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 0061709A
      • __vbaVar2Vec.MSVBVM60(?,?,?,?,?,?,00423E86), ref: 006170AF
      • __vbaAryMove.MSVBVM60(?,?,?,?,?,?,00423E86), ref: 006170BD
      • #717.MSVBVM60(?,00006011,00000040,00000000), ref: 006170E3
      • __vbaStrVarMove.MSVBVM60(?), ref: 006170ED
      • __vbaStrMove.MSVBVM60 ref: 006170F8
      • __vbaFreeVar.MSVBVM60 ref: 00617101
      • __vbaStrCopy.MSVBVM60 ref: 00617114
      • #685.MSVBVM60 ref: 00617121
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0061712C
      • __vbaFreeObj.MSVBVM60 ref: 00617144
      • __vbaFreeStr.MSVBVM60(006171A2), ref: 00617186
      • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00617192
      • __vbaFreeVar.MSVBVM60 ref: 0061719B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$#685$#717ChkstkCopyDestructErrorVar2
      • String ID: `2m
      • API String ID: 1009974794-3187377090
      • Opcode ID: 0eee85f28b1d9ce36dfc8e8d6282ed3d69e24afdd48700c5f0bb3d151e2a91d9
      • Instruction ID: 71e22c7a5bd0cfc09e060f2d1a03cd3ce6b183f7f8fe4f7e80e279d49cf21b0a
      • Opcode Fuzzy Hash: 0eee85f28b1d9ce36dfc8e8d6282ed3d69e24afdd48700c5f0bb3d151e2a91d9
      • Instruction Fuzzy Hash: EF419675900249EFDB04DFE4DA48ADEBBB8FF08705F104169E502B72A0DB746A49CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00619C30 Relevance: 34.7, APIs: 23, Instructions: 175COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,?,00618BFB,?), ref: 00619C4E
      • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00423E86), ref: 00619C7B
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00423E86), ref: 00619C8A
      • #518.MSVBVM60(?,00004008), ref: 00619CB5
      • #520.MSVBVM60(?,?), ref: 00619CC3
      • __vbaStrVarMove.MSVBVM60(?), ref: 00619CCD
      • __vbaStrMove.MSVBVM60 ref: 00619CD8
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00619CE8
        • Part of subcall function 00619200: __vbaChkstk.MSVBVM60(00000000,00423E86), ref: 0061921E
        • Part of subcall function 00619200: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00423E86), ref: 0061924E
        • Part of subcall function 00619200: __vbaStrCmp.MSVBVM60(0042ADE8,00000006,?,00000000), ref: 006192D2
        • Part of subcall function 00619200: #685.MSVBVM60(?,00000000), ref: 006192E7
        • Part of subcall function 00619200: __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000), ref: 006192F2
        • Part of subcall function 00619200: __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C,?,?,?,?,?,?,?,?,?,00619D0B), ref: 00619325
        • Part of subcall function 00619200: __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00619D0B), ref: 00619349
        • Part of subcall function 00619200: #685.MSVBVM60(?,00000000), ref: 0061936B
        • Part of subcall function 00619200: __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000), ref: 00619376
      • __vbaUbound.MSVBVM60(00000001,00000000), ref: 00619D25
      • __vbaAryLock.MSVBVM60(?,00000000), ref: 00619D76
      • __vbaGenerateBoundsError.MSVBVM60 ref: 00619DB4
      • __vbaGenerateBoundsError.MSVBVM60 ref: 00619DD1
      • #518.MSVBVM60(?,00004008), ref: 00619E08
      • __vbaAryUnlock.MSVBVM60(00000000), ref: 00619E12
      • #520.MSVBVM60(?,?), ref: 00619E20
      • #518.MSVBVM60(?,00004008), ref: 00619E44
      • #520.MSVBVM60(?,?), ref: 00619E52
      • __vbaVarTstEq.MSVBVM60(?,?), ref: 00619E60
      • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00619E7F
      • #685.MSVBVM60 ref: 00619EB5
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00619EC0
      • __vbaFreeObj.MSVBVM60 ref: 00619EE1
      • __vbaFreeStr.MSVBVM60(00619F2E), ref: 00619F27
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Error$#518#520#685$BoundsChkstkGenerateListMove$CheckCopyHresultLockUboundUnlock
      • String ID:
      • API String ID: 1262511923-0
      • Opcode ID: f2c0d4a05034e0308cd07529dc11e8501add119921e13c5b73b1aea29b4fd437
      • Instruction ID: 935544012709805f879a8a24a2d7dfaf9f999292e06f5cf8ae0534c9b07ebd84
      • Opcode Fuzzy Hash: f2c0d4a05034e0308cd07529dc11e8501add119921e13c5b73b1aea29b4fd437
      • Instruction Fuzzy Hash: 838108B1900208DFDB14DFA4D998BDEBBB9FF48304F108199E50AB7260DB745A89CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0069CCF0 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 94COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0069CD0E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0069CD47
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0069CD53
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0069CD6B
      • #520.MSVBVM60(?,00004008), ref: 0069CD8D
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0069CDA9
      • __vbaFreeVar.MSVBVM60 ref: 0069CDB6
      • __vbaStrCopy.MSVBVM60 ref: 0069CDD3
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?), ref: 0069CDE5
        • Part of subcall function 005C0F40: __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,?,00000000,00423E86), ref: 005C0F5E
        • Part of subcall function 005C0F40: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86), ref: 005C0F8E
        • Part of subcall function 005C0F40: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00423E86), ref: 005C0FA3
        • Part of subcall function 005C0F40: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00423E86), ref: 005C0FB8
        • Part of subcall function 005C0F40: #685.MSVBVM60(?,?,?,00000000,00423E86), ref: 005C0FC5
        • Part of subcall function 005C0F40: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00423E86), ref: 005C0FD0
        • Part of subcall function 005C0F40: __vbaFreeObj.MSVBVM60(?,?,?,00000000,00423E86), ref: 005C0FF1
        • Part of subcall function 005C0F40: __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,?,?,00000000,00423E86), ref: 005C1009
        • Part of subcall function 005C0F40: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00423E86), ref: 005C1022
        • Part of subcall function 005C0F40: #685.MSVBVM60(?,?,?,00000000,00423E86), ref: 005C102F
        • Part of subcall function 005C0F40: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00423E86), ref: 005C103A
        • Part of subcall function 005C0F40: __vbaFreeObj.MSVBVM60(?,?,?,00000000,00423E86), ref: 005C105B
        • Part of subcall function 005C0F40: __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,00000000,00423E86), ref: 005C106E
        • Part of subcall function 005C0F40: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00423E86), ref: 005C1083
        • Part of subcall function 005C0F40: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00423E86), ref: 005C1091
        • Part of subcall function 005C0F40: __vbaObjSet.MSVBVM60(?,00000000,CAPICOM.EncryptedData,00000000,?,?), ref: 005C10B8
        • Part of subcall function 005C0F40: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005C10C8
      • __vbaStrMove.MSVBVM60(?,?), ref: 0069CE04
      • #685.MSVBVM60 ref: 0069CE11
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0069CE1C
      • __vbaFreeObj.MSVBVM60 ref: 0069CE3D
      • __vbaFreeStr.MSVBVM60(0069CE96), ref: 0069CE86
      • __vbaFreeStr.MSVBVM60 ref: 0069CE8F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Copy$Free$Move$Chkstk$#685Error$#520$#518#711AddrefIndexListLoadLockUnlock
      • String ID: AloahaCredentials:Encrypt$x!B$`2m
      • API String ID: 2554969253-839650354
      • Opcode ID: 9ed8b024b898c19511a19efbde2027b67ad38be54d81ba80037294ebe5c0c4a6
      • Instruction ID: 0b8d97a0a92bd2492dc5ca95fedb3b666abe700e27a8ae20758b23ed13f7310c
      • Opcode Fuzzy Hash: 9ed8b024b898c19511a19efbde2027b67ad38be54d81ba80037294ebe5c0c4a6
      • Instruction Fuzzy Hash: 82410B75900209DFDB04DFA0DA48BDDBBB8FF08705F208169E506B7260DB74AA49CFA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00529CA0 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 196COMMON
      Download Yara Rule
      APIs
      • __vbaStrCopy.MSVBVM60 ref: 00529D02
      • __vbaHresultCheckObj.MSVBVM60(00000000,00402788,0042EF74,00000060), ref: 00529D5D
      • __vbaR8IntI2.MSVBVM60 ref: 00529D66
      • #537.MSVBVM60(?,?), ref: 00529D96
      • __vbaStrMove.MSVBVM60(?,?), ref: 00529DA1
      • __vbaStrCat.MSVBVM60(00000000,?,?), ref: 00529DA4
      • __vbaStrMove.MSVBVM60(?,?), ref: 00529DAF
      • __vbaFreeStr.MSVBVM60(?,?), ref: 00529DB4
      • __vbaHresultCheckObj.MSVBVM60(00000000,00402788,0042EF74,0000004C), ref: 00529DFB
      • __vbaStrMove.MSVBVM60 ref: 00529E10
      • __vbaVarCopy.MSVBVM60 ref: 00529E25
      • #606.MSVBVM60(000000FA,?), ref: 00529E42
      • __vbaStrMove.MSVBVM60 ref: 00529E4D
      • __vbaFreeVar.MSVBVM60 ref: 00529E52
      • __vbaFreeStr.MSVBVM60(00529E8C), ref: 00529E85
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Free$CheckCopyHresult$#537#606
      • String ID: `2m
      • API String ID: 3670525414-3187377090
      • Opcode ID: 913b9f6a7cab11204aafa836fa8bfff09e13c491cad0865407d12fbb4485f833
      • Instruction ID: dea1808cc51a73d5dd4c16a0b73da5e21bfb8fa03e163b00f985eb6d3a2e222f
      • Opcode Fuzzy Hash: 913b9f6a7cab11204aafa836fa8bfff09e13c491cad0865407d12fbb4485f833
      • Instruction Fuzzy Hash: AB7116B5D00219AFDB10DF99D988AEEFBB9FF85300F20811AE805A72A4D7746946CF50
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00662070 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 63COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86), ref: 0066208E
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00423E86), ref: 006620BB
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86), ref: 006620CA
        • Part of subcall function 00662250: __vbaChkstk.MSVBVM60(00000000,00423E86,0065D190,?,?,?,00000000,00423E86), ref: 0066226E
        • Part of subcall function 00662250: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86,0065D190), ref: 0066229E
        • Part of subcall function 00662250: #520.MSVBVM60(?,00004008), ref: 006622D7
        • Part of subcall function 00662250: #518.MSVBVM60(?,00004008), ref: 00662310
        • Part of subcall function 00662250: #520.MSVBVM60(?,?), ref: 0066231E
        • Part of subcall function 00662250: __vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 00662347
        • Part of subcall function 00662250: __vbaVarCmpEq.MSVBVM60(?,00008008,?,00000000), ref: 00662360
        • Part of subcall function 00662250: __vbaVarOr.MSVBVM60(?,00000000), ref: 0066236E
        • Part of subcall function 00662250: __vbaBoolVarNull.MSVBVM60(00000000), ref: 00662375
        • Part of subcall function 00662250: __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 00662390
        • Part of subcall function 00662250: __vbaStrCopy.MSVBVM60 ref: 006623B7
        • Part of subcall function 00662250: __vbaStrMove.MSVBVM60(?), ref: 006623CD
        • Part of subcall function 00662250: __vbaFreeStr.MSVBVM60 ref: 006623D6
        • Part of subcall function 00662250: __vbaInStr.MSVBVM60(00000000,004312D8,00000000,00000001), ref: 006623F2
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00423E86), ref: 006620F8
        • Part of subcall function 00634B20: __vbaChkstk.MSVBVM60(00000000,00423E86,0065D216,?,?,?,00000000,00423E86), ref: 00634B3E
        • Part of subcall function 00634B20: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,?,?,00000000,00423E86,0065D216), ref: 00634B6E
        • Part of subcall function 00634B20: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,?,?,00000000,00423E86,0065D216), ref: 00634B7D
        • Part of subcall function 00634B20: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86,0065D216), ref: 00634B8C
        • Part of subcall function 00634B20: #520.MSVBVM60(?,00004008), ref: 00634BBB
        • Part of subcall function 00634B20: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 00634BE3
        • Part of subcall function 00634B20: __vbaFreeVar.MSVBVM60 ref: 00634BF6
        • Part of subcall function 00634B20: __vbaStrCopy.MSVBVM60 ref: 00634C1A
        • Part of subcall function 00634B20: #520.MSVBVM60(?,00000008,?), ref: 00634C47
        • Part of subcall function 00634B20: __vbaStrVarMove.MSVBVM60(?), ref: 00634C54
        • Part of subcall function 00634B20: __vbaStrMove.MSVBVM60 ref: 00634C61
        • Part of subcall function 00634B20: __vbaFreeStr.MSVBVM60 ref: 00634C6A
        • Part of subcall function 00634B20: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 00634C80
        • Part of subcall function 00634B20: #520.MSVBVM60(?,00004008), ref: 00634CB2
        • Part of subcall function 00634B20: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 00634CDA
        • Part of subcall function 00634B20: __vbaFreeVar.MSVBVM60 ref: 00634CED
      • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00423E86), ref: 0066216D
      • #685.MSVBVM60(?,?,?,00000000,00423E86), ref: 006621DC
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00423E86), ref: 006621E7
      • __vbaFreeObj.MSVBVM60(?,?,?,00000000,00423E86), ref: 006621FF
      • __vbaFreeStr.MSVBVM60(00662233,?,?,?,00000000,00423E86), ref: 0066222C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#520Copy$ChkstkErrorMove$ConstructFixstrList$#518#685BoolNull
      • String ID: AloahaInter.SemaPhore$CheckCard$WaitingForSemaphore$true$x@k$~$`2m
      • API String ID: 672694895-2965265812
      • Opcode ID: 49241d2c96fce8618d1ad29b13fa0d9e77c574005db4deb253f0b9f43aa8e234
      • Instruction ID: c7929dc36da7d4ca0b0d41d9de9ded3c290c95ad76582364ab631d4f4ccf5e01
      • Opcode Fuzzy Hash: 49241d2c96fce8618d1ad29b13fa0d9e77c574005db4deb253f0b9f43aa8e234
      • Instruction Fuzzy Hash: 1B2151B0900609DFDB00EF94DA18BDEBBB5EF08705F208168E601772A1CB785E49CB95
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0053C080 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 146COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0053C09E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0053C0DA
      • __vbaVarMove.MSVBVM60 ref: 0053C0FB
      • __vbaStrCmp.MSVBVM60(0042ADE8), ref: 0053C121
      • __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 0053C139
      • __vbaStrCmp.MSVBVM60(0042ADE8), ref: 0053C157
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0043326C,00000040), ref: 0053C19F
      • __vbaStrMove.MSVBVM60 ref: 0053C1C4
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 0053C1DA
      • __vbaStrCopy.MSVBVM60 ref: 0053C1F3
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0043326C,00000044), ref: 0053C234
      • __vbaFreeVar.MSVBVM60(0053C280), ref: 0053C270
      • __vbaFreeStr.MSVBVM60 ref: 0053C279
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$CheckFreeHresultMove$ChkstkCopyError
      • String ID: 8:@$`2m
      • API String ID: 2126626259-1038556661
      • Opcode ID: 9af3bf3e77803537911de5657a1a2c47cb1c2bcf0b9ea8f55918ef237c9d9124
      • Instruction ID: df2b8ae6fd2a2fe8b5aa2071db51f86b36b2d20d646f96c67e4c3e56a1dadf02
      • Opcode Fuzzy Hash: 9af3bf3e77803537911de5657a1a2c47cb1c2bcf0b9ea8f55918ef237c9d9124
      • Instruction Fuzzy Hash: 4A51FCB4901219EFDB04DFD4D948B9EBBB5FF48705F208159F902AB290D7749A05CF94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0053BCE0 Relevance: 25.7, APIs: 17, Instructions: 197COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0053BCFE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0053BD3A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053BD92
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00435454,000000E4), ref: 0053BDC9
      • __vbaFreeObj.MSVBVM60 ref: 0053BDDE
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053BE15
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00435454,000000E4), ref: 0053BE4C
      • __vbaFreeObj.MSVBVM60 ref: 0053BE61
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053BE98
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00435454,000000E4), ref: 0053BECF
      • __vbaFreeObj.MSVBVM60 ref: 0053BEE4
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053BF18
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00435454,000000E4), ref: 0053BF4F
      • __vbaFreeObj.MSVBVM60 ref: 0053BF64
      • #685.MSVBVM60 ref: 0053BF82
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053BF8D
      • __vbaFreeObj.MSVBVM60 ref: 0053BFA5
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresult$#685ChkstkError
      • String ID:
      • API String ID: 3217198854-0
      • Opcode ID: 463141719c8a41a081fa1cc930e0874a7e00cfad3091cdebe7b296f30f147676
      • Instruction ID: 328377bd1b795744fca0b994938ae187f1a3becec15d53f187cbb7ac6304a451
      • Opcode Fuzzy Hash: 463141719c8a41a081fa1cc930e0874a7e00cfad3091cdebe7b296f30f147676
      • Instruction Fuzzy Hash: 1991E3B5900208EFDB04DFA4C988BDDBBB5BF4C315F208659E612BB2A0C7759A44DF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00584400 Relevance: 25.6, APIs: 17, Instructions: 96COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86), ref: 0058441E
      • __vbaStrCopy.MSVBVM60(6D23D8CD,-00000001,?,00000000,00423E86), ref: 0058444B
      • __vbaStrCopy.MSVBVM60 ref: 00584457
      • __vbaOnError.MSVBVM60(000000FF), ref: 00584466
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 0058447C
      • __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 005844AD
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Copy$ChkstkError
      • String ID:
      • API String ID: 1771118016-0
      • Opcode ID: 56ffbe970c26857d1c97b85e5797c487397ae87035917e69d514f47aeaa0bd12
      • Instruction ID: b218edbd512ee8432b33361f632fc74d14b8335efec847f986219a6874e8c66a
      • Opcode Fuzzy Hash: 56ffbe970c26857d1c97b85e5797c487397ae87035917e69d514f47aeaa0bd12
      • Instruction Fuzzy Hash: 3141D67191021AEBDB04EFA4EA48BADBB74FF08705F108168E902B72A0DB745A05CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00691160 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 82COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0069117E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 006911BA
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 006911CF
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 006911E1
        • Part of subcall function 0060B2E0: __vbaChkstk.MSVBVM60(?,00423E86), ref: 0060B2FE
        • Part of subcall function 0060B2E0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0060B32E
        • Part of subcall function 0060B2E0: __vbaStrCopy.MSVBVM60 ref: 0060B351
        • Part of subcall function 0060B2E0: __vbaFreeStr.MSVBVM60(?), ref: 0060B363
        • Part of subcall function 0060B2E0: #685.MSVBVM60 ref: 0060B37C
        • Part of subcall function 0060B2E0: __vbaObjSet.MSVBVM60(?,00000000), ref: 0060B387
        • Part of subcall function 0060B2E0: __vbaFreeObj.MSVBVM60 ref: 0060B39F
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 00691202
        • Part of subcall function 005AC770: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC918
        • Part of subcall function 005AC770: __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 005AC943
        • Part of subcall function 005AC770: __vbaNew2.MSVBVM60(0042EAFC,006B58E0,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005AC966
        • Part of subcall function 005AC770: __vbaHresultCheckObj.MSVBVM60(00000000,?,0042EAEC,00000014), ref: 005AC9CC
        • Part of subcall function 005AC770: __vbaHresultCheckObj.MSVBVM60(00000000,?,0042EB0C,00000058), ref: 005ACA29
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005ACA72
        • Part of subcall function 005AC770: #711.MSVBVM60(?,?,?,000000FF,00000000), ref: 005ACA8B
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005ACA96
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 00691214
        • Part of subcall function 0060D8D0: __vbaChkstk.MSVBVM60(00000000,00423E86), ref: 0060D8EE
        • Part of subcall function 0060D8D0: __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,00423E86), ref: 0060D91E
        • Part of subcall function 0060D8D0: __vbaAryRecMove.MSVBVM60(004442D0,?,?), ref: 0060D953
        • Part of subcall function 0060D8D0: __vbaStrCopy.MSVBVM60 ref: 0060D96A
        • Part of subcall function 0060D8D0: #685.MSVBVM60 ref: 0060D977
        • Part of subcall function 0060D8D0: __vbaObjSet.MSVBVM60(?,00000000), ref: 0060D985
        • Part of subcall function 0060D8D0: __vbaFreeObj.MSVBVM60 ref: 0060D9A9
        • Part of subcall function 0060D8D0: __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 0060DA2B
        • Part of subcall function 0060D8D0: #685.MSVBVM60 ref: 0060DA4E
        • Part of subcall function 0060D8D0: __vbaObjSet.MSVBVM60(?,00000000), ref: 0060DA5C
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 00691259
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005ACAD4
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000), ref: 005ACAE5
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?), ref: 005ACAEF
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?), ref: 005ACB03
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?), ref: 005ACB10
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60 ref: 005ACB1B
        • Part of subcall function 005AC770: __vbaFreeStr.MSVBVM60 ref: 005ACB24
        • Part of subcall function 005AC770: __vbaFreeObj.MSVBVM60 ref: 005ACB2D
        • Part of subcall function 005AC770: __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 005ACB55
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 005ACB71
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(aloahacredentials,?), ref: 005ACB8B
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60 ref: 005ACBA6
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 005ACBBF
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(aloahacredentials,?), ref: 005ACBD9
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60 ref: 005ACBF4
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 005ACC0C
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(credentialprovider,?), ref: 005ACC26
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60 ref: 005ACC41
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 0069126B
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 00691289
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 00691294
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 006912AC
      Strings
      • AloahaCredentials:CertificateCount, xrefs: 006911C7
      • Going to enum store, xrefs: 006911FA
      • Store enumerated, xrefs: 00691251
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Copy$Move$Chkstk$#685Error$List$#518#520#711CheckHresultIndexLoadLockUnlock$New2
      • String ID: AloahaCredentials:CertificateCount$Going to enum store$Store enumerated
      • API String ID: 3270836247-3737228184
      • Opcode ID: 5704fb81e4563bbc825db5e08a2d85c814f894fd373e0d2dd30acb06e0fb999c
      • Instruction ID: d5fc9637b19770260244e7ea9aa7d20572c776495213533bda95d783e09ba62c
      • Opcode Fuzzy Hash: 5704fb81e4563bbc825db5e08a2d85c814f894fd373e0d2dd30acb06e0fb999c
      • Instruction Fuzzy Hash: 54412C75800209EFDB00EFA0CA48BDEBBB4FF09715F108159E501B72A1DB789A49CFA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0051F820 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 80COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0051F83E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0051F883
      • __vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,00423E86), ref: 0051F89C
      • #606.MSVBVM60(?,00000002), ref: 0051F8B8
      • __vbaStrMove.MSVBVM60 ref: 0051F8C3
      • __vbaFreeVar.MSVBVM60 ref: 0051F8CC
      • __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0051F8E5
      • __vbaSetSystemError.MSVBVM60(00000000), ref: 0051F8F1
      • __vbaStrToUnicode.MSVBVM60(?,?), ref: 0051F8FF
      • __vbaFreeStr.MSVBVM60 ref: 0051F908
      • #685.MSVBVM60 ref: 0051F915
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0051F920
      • __vbaFreeObj.MSVBVM60 ref: 0051F938
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$ErrorFree$System$#606#685AnsiChkstkMoveUnicode
      • String ID: `2m
      • API String ID: 835289985-3187377090
      • Opcode ID: f6c8652583a210a6e9aff9d462008cec01e55cb144faa74ef9ed47c4fac11847
      • Instruction ID: 13f07ae9aee815e54219f83d7bbf45f3a2c6946d75dd150252d0a407120b36d4
      • Opcode Fuzzy Hash: f6c8652583a210a6e9aff9d462008cec01e55cb144faa74ef9ed47c4fac11847
      • Instruction Fuzzy Hash: 2E31C9B5900208EFDB04DFA4DA48BDEBBB8BF48305F108559F516A7261DB789A44CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005D1030 Relevance: 24.1, APIs: 16, Instructions: 104COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,00000000,?,00000000,?,00000000,00423E86), ref: 005D104E
      • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00423E86,00000000), ref: 005D107B
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00423E86,00000000), ref: 005D108A
      • #617.MSVBVM60(?,00004008,00000001), ref: 005D10AE
      • #528.MSVBVM60(?,?), ref: 005D10BC
      • __vbaLenBstr.MSVBVM60(00000000), ref: 005D10D9
      • #619.MSVBVM60(?,00004008,-00000001), ref: 005D10F4
      • __vbaVarAdd.MSVBVM60(?,?,?), ref: 005D1106
      • __vbaStrVarMove.MSVBVM60(00000000), ref: 005D110D
      • __vbaStrMove.MSVBVM60 ref: 005D1118
      • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 005D1130
      • #685.MSVBVM60(?,00000000,?,00000000,00423E86,00000000), ref: 005D1140
      • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,00000000,00423E86,00000000), ref: 005D114B
      • __vbaFreeObj.MSVBVM60(?,00000000,?,00000000,00423E86,00000000), ref: 005D116C
      • __vbaFreeStr.MSVBVM60(005D11BB,?,00000000,?,00000000,00423E86,00000000), ref: 005D11B4
      • __vbaErrorOverflow.MSVBVM60 ref: 005D11D1
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$ErrorMove$#528#617#619#685BstrChkstkCopyListOverflow
      • String ID:
      • API String ID: 386560673-0
      • Opcode ID: cfc0fe070af1b3d0b3a92d2c835dd0ef13432b5371e0de587bae545dd55a86ee
      • Instruction ID: afaa9edd82ddb89c88339b2227a2ca97198836c32e1018aa6b6937fc4a748038
      • Opcode Fuzzy Hash: cfc0fe070af1b3d0b3a92d2c835dd0ef13432b5371e0de587bae545dd55a86ee
      • Instruction Fuzzy Hash: CC41E7B6C00209EFDB14DFE4DA48ADEBBB8FB48705F008259E612B7660DB745649CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0055ECF0 Relevance: 24.1, APIs: 16, Instructions: 82COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86), ref: 0055ED0E
      • __vbaOnError.MSVBVM60(000000FF,00000000,00000001,6D22E251,00000000,00423E86), ref: 0055ED3E
      • #573.MSVBVM60(?,00004003), ref: 0055ED60
      • #619.MSVBVM60(?,?,00000005), ref: 0055ED70
      • __vbaStrVarMove.MSVBVM60(?), ref: 0055ED7A
      • __vbaStrMove.MSVBVM60 ref: 0055ED85
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0055ED95
      • __vbaStrCat.MSVBVM60(?,00430E94), ref: 0055EDAE
      • __vbaStrMove.MSVBVM60 ref: 0055EDB9
      • #581.MSVBVM60(00000000), ref: 0055EDC0
      • __vbaFpI4.MSVBVM60 ref: 0055EDC6
      • __vbaFreeStr.MSVBVM60 ref: 0055EDD2
      • #685.MSVBVM60 ref: 0055EDDF
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0055EDEA
      • __vbaFreeObj.MSVBVM60 ref: 0055EE02
      • __vbaFreeStr.MSVBVM60(0055EE40), ref: 0055EE39
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$Move$#573#581#619#685ChkstkErrorList
      • String ID:
      • API String ID: 393576852-0
      • Opcode ID: 3c2aa46e38c6de7f504ba2d4af2572ebf95c0a79dc7af6ce198255d5d703af90
      • Instruction ID: 0ac010fb482caf5fef77bfad8599998938a761c79c95abd3ce0ce8f17cd5aa95
      • Opcode Fuzzy Hash: 3c2aa46e38c6de7f504ba2d4af2572ebf95c0a79dc7af6ce198255d5d703af90
      • Instruction Fuzzy Hash: 8731DAB5900218EBDB04DFE4DE49BDEBBB8FB08705F104529E502B7261DB745A48CFA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0057F950 Relevance: 21.1, APIs: 14, Instructions: 106COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86), ref: 0057F96E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86), ref: 0057F99E
      • #685.MSVBVM60(?,?,?,00000000,00423E86), ref: 0057F9AB
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00423E86), ref: 0057F9B6
      • __vbaFreeObj.MSVBVM60(?,?,?,00000000,00423E86), ref: 0057F9CE
      • __vbaSetSystemError.MSVBVM60(?,?,?,00000000,00423E86), ref: 0057F9E3
      • __vbaSetSystemError.MSVBVM60(00000000,006B3F84,?,?,?,00000000,00423E86), ref: 0057FA0A
      • #685.MSVBVM60(?,?,?,00000000,00423E86), ref: 0057FA26
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00423E86), ref: 0057FA31
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 0057FA64
      • __vbaFreeObj.MSVBVM60 ref: 0057FA88
      • #685.MSVBVM60 ref: 0057FAAB
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0057FAB6
      • __vbaFreeObj.MSVBVM60 ref: 0057FAD7
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ErrorFree$System$CheckChkstkHresult
      • String ID:
      • API String ID: 110213536-0
      • Opcode ID: 25778f0061f3852d285cc66b1a05e9dc0fdcb279eee47ea4d6f3249ca88b8ad8
      • Instruction ID: c14e4de15538b381027bac6ec960714f7d89ade65bc848efed0ca428870ce471
      • Opcode Fuzzy Hash: 25778f0061f3852d285cc66b1a05e9dc0fdcb279eee47ea4d6f3249ca88b8ad8
      • Instruction Fuzzy Hash: 0C4106B4D00209DFDB04DFE4DA48BDEBBB9BF08305F208259E506AB2A1DB785A44DF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00551800 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 95COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0055181E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 00551865
      • __vbaStrCmp.MSVBVM60(true,?,?,?,?,?,00423E86), ref: 0055187E
      • __vbaNew.MSVBVM60(00437420), ref: 005518B8
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005518C3
      • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005518D1
      • __vbaFreeObj.MSVBVM60 ref: 005518DA
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00437104,00000038), ref: 0055190D
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 00551926
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 00551931
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 00551949
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685AddrefCheckChkstkErrorHresult
      • String ID: true
      • API String ID: 332196084-4261170317
      • Opcode ID: 47ff475e5a43a6cbeb897f98c437cd098ecd65d17a2d7a203c8b54a4b0e7e0c0
      • Instruction ID: 9960e6de2a0627633b101571ac47929f7e81a1b936732f0f302e4b3dfd135b53
      • Opcode Fuzzy Hash: 47ff475e5a43a6cbeb897f98c437cd098ecd65d17a2d7a203c8b54a4b0e7e0c0
      • Instruction Fuzzy Hash: 1E411DB5900208EFCB00DF94C959B9E7FB5FF08345F208159F905AB2A1C779AA44CB94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0054D030 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 70COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0054D04E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0054D07E
      • #717.MSVBVM60(?,00004008,00000080,00000000), ref: 0054D0A7
      • __vbaVar2Vec.MSVBVM60(?,?), ref: 0054D0B5
      • __vbaAryMove.MSVBVM60(?,?), ref: 0054D0C3
      • __vbaFreeVar.MSVBVM60 ref: 0054D0CC
      • __vbaAryCopy.MSVBVM60(?,?), ref: 0054D0E1
      • #685.MSVBVM60 ref: 0054D0EE
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0054D0F9
      • __vbaFreeObj.MSVBVM60 ref: 0054D111
      • __vbaAryDestruct.MSVBVM60(00000000,?,0054D160), ref: 0054D159
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685#717ChkstkCopyDestructErrorMoveVar2
      • String ID: `2m
      • API String ID: 4077061213-3187377090
      • Opcode ID: daa4a2f45cbe1745be2c86790fa8774fe16d6bfb10be60357025ba678383fbd8
      • Instruction ID: 65bbe87c56b991fd27414f4fc70ed7fa2abfe030bd7ef076bf63d9adec102e6c
      • Opcode Fuzzy Hash: daa4a2f45cbe1745be2c86790fa8774fe16d6bfb10be60357025ba678383fbd8
      • Instruction Fuzzy Hash: D131D9B5900208EBDB04DFE4DA49BDEBBB8FB08705F108519F615B72A0D7746A48CBA4
      Uniqueness

      Uniqueness Score: -1.00%

      Function 006A58A0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 67COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 006A58BE
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 006A58F7
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 006A5903
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 006A5912
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 006A5927
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 006A5939
        • Part of subcall function 0056B880: __vbaChkstk.MSVBVM60(?,00423E86), ref: 0056B89E
        • Part of subcall function 0056B880: __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0056B8CB
        • Part of subcall function 0056B880: __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0056B8D7
        • Part of subcall function 0056B880: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0056B8E6
        • Part of subcall function 0056B880: #520.MSVBVM60(?,00004008), ref: 0056B914
        • Part of subcall function 0056B880: __vbaStrVarMove.MSVBVM60(?), ref: 0056B91E
        • Part of subcall function 0056B880: __vbaStrMove.MSVBVM60 ref: 0056B929
        • Part of subcall function 0056B880: __vbaFreeVar.MSVBVM60 ref: 0056B932
        • Part of subcall function 0056B880: __vbaStrCmp.MSVBVM60(0042ADE8,?), ref: 0056B948
        • Part of subcall function 0056B880: #520.MSVBVM60(?,00004008), ref: 0056B972
        • Part of subcall function 0056B880: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0056B98E
        • Part of subcall function 0056B880: __vbaFreeVar.MSVBVM60 ref: 0056B99E
        • Part of subcall function 0056B880: __vbaStrCopy.MSVBVM60 ref: 0056B9C2
        • Part of subcall function 0056B880: __vbaStrCat.MSVBVM60(?,add:,?), ref: 0056B9D5
        • Part of subcall function 0056B880: __vbaStrMove.MSVBVM60 ref: 0056B9E0
        • Part of subcall function 0056B880: __vbaStrCat.MSVBVM60(00432868,00000000), ref: 0056B9EC
        • Part of subcall function 0056B880: __vbaStrMove.MSVBVM60 ref: 0056B9F7
        • Part of subcall function 0056B880: __vbaStrCat.MSVBVM60(?,00000000), ref: 0056BA02
        • Part of subcall function 0056B880: __vbaStrMove.MSVBVM60 ref: 0056BA0D
      • #685.MSVBVM60(?,?,?,?,?,?,00423E86), ref: 006A595A
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,00423E86), ref: 006A5965
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 006A597D
      • __vbaFreeStr.MSVBVM60(006A59B0,?,?,?,?,00423E86), ref: 006A59A0
      • __vbaFreeStr.MSVBVM60(?,?,?,?,00423E86), ref: 006A59A9
      Strings
      • AloahaCredentials:Stack, xrefs: 006A591F
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Copy$Free$Chkstk$#520Error$#518#685#711IndexLoadLockUnlock
      • String ID: AloahaCredentials:Stack
      • API String ID: 1822164988-3050561581
      • Opcode ID: 9c4b042a427ac2b2c4f692513228e543c5983dacb09f4a394803da0f5a7564df
      • Instruction ID: 856a0998d6a415e5d3c3c71ea9d6b865cab0b85e117fe44cf93490b0d9fc886c
      • Opcode Fuzzy Hash: 9c4b042a427ac2b2c4f692513228e543c5983dacb09f4a394803da0f5a7564df
      • Instruction Fuzzy Hash: 8631FC75900209EFDB00EFA4DA48BDEBB78FF48715F108159E502B7260DB74AA49CFA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0062FD60 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 75COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0062FD7E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0062FDBA
      • __vbaLateMemCall.MSVBVM60(?,RegASM,00000000), ref: 0062FDF3
      • __vbaStrCmp.MSVBVM60(true,00000000), ref: 0062FE10
      • __vbaStrCopy.MSVBVM60 ref: 0062FE2B
      • #685.MSVBVM60(AloahaFormSaver.dll), ref: 0062FE49
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0062FE54
      • __vbaFreeObj.MSVBVM60 ref: 0062FE6C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685CallChkstkCopyErrorFreeLate
      • String ID: AloahaFormSaver.dll$RegASM$true
      • API String ID: 2537933805-3006667744
      • Opcode ID: 87233e80ddee7e167178a49fb3204c3c1aac86312e99c928f672b88f346e0145
      • Instruction ID: cebd3a2010be2215246f511c8691b2343204a59e1036dc8fc70577fa7ec4bf14
      • Opcode Fuzzy Hash: 87233e80ddee7e167178a49fb3204c3c1aac86312e99c928f672b88f346e0145
      • Instruction Fuzzy Hash: 9A312FB4900208EFDB00DF94D949B9E7BB5FF48705F208159F901AB2A1C7799A45CF95
      Uniqueness

      Uniqueness Score: -1.00%

      Function 006A4440 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 69COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 006A445E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 006A4497
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 006A44AF
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 006A44C4
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 006A44D6
        • Part of subcall function 005FA560: __vbaChkstk.MSVBVM60(?,00423E86), ref: 005FA57E
        • Part of subcall function 005FA560: __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 005FA5AB
        • Part of subcall function 005FA560: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 005FA5BA
        • Part of subcall function 005FA560: __vbaVarCopy.MSVBVM60 ref: 005FA5E4
        • Part of subcall function 005FA560: __vbaStrCopy.MSVBVM60 ref: 005FA5F9
        • Part of subcall function 005FA560: #520.MSVBVM60(?,00004008), ref: 005FA624
        • Part of subcall function 005FA560: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 005FA649
        • Part of subcall function 005FA560: __vbaFreeVar.MSVBVM60 ref: 005FA659
        • Part of subcall function 005FA560: #685.MSVBVM60 ref: 005FA682
        • Part of subcall function 005FA560: __vbaObjSet.MSVBVM60(?,00000000), ref: 005FA68D
        • Part of subcall function 005FA560: __vbaFreeObj.MSVBVM60 ref: 005FA6AE
        • Part of subcall function 005FA560: #716.MSVBVM60(?,MSScriptControl.ScriptControl.1,00000000), ref: 005FA6C6
        • Part of subcall function 005FA560: __vbaObjVar.MSVBVM60(?), ref: 005FA6D0
        • Part of subcall function 005FA560: __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005FA6DB
        • Part of subcall function 005FA560: __vbaFreeVar.MSVBVM60 ref: 005FA6E4
        • Part of subcall function 005FA560: #685.MSVBVM60 ref: 005FA6F1
        • Part of subcall function 005FA560: __vbaObjSet.MSVBVM60(?,00000000), ref: 005FA6FC
      • __vbaVarMove.MSVBVM60(?,?,00000000,?,?,?,?,00423E86), ref: 006A44FB
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 006A4508
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 006A4513
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 006A452B
      • __vbaFreeStr.MSVBVM60(006A4571,?,?,?,?,00423E86), ref: 006A456A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$CopyFree$Move$Chkstk$#685Error$#520$#518#711#716AddrefIndexLoadLockUnlock
      • String ID: AloahaCredentials:VBS
      • API String ID: 3414434287-3139287696
      • Opcode ID: f12dc3083266212169657a429ec05a961645194fb00c89afade72e6e7c8adcd4
      • Instruction ID: 2d390a73763c57002a42c8a4bc3bb32073a4c85df2cf75c2101350d490316e73
      • Opcode Fuzzy Hash: f12dc3083266212169657a429ec05a961645194fb00c89afade72e6e7c8adcd4
      • Instruction Fuzzy Hash: 5B31F9B5900209EFCB04EF94DA49BDEBBB4FF48705F108158F50267260DB799A45CFA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00691810 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 67COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0069182E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 00691867
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0069187F
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 00691894
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 006918A6
        • Part of subcall function 00616E90: __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,?,0058EEC8,?,?,?,?,?,00423E86), ref: 00616EAE
        • Part of subcall function 00616E90: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,00423E86), ref: 00616EDB
        • Part of subcall function 00616E90: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00423E86), ref: 00616EEA
        • Part of subcall function 00616E90: #717.MSVBVM60(?,00004008,00000080,00000000), ref: 00616F13
        • Part of subcall function 00616E90: __vbaVar2Vec.MSVBVM60(?,?), ref: 00616F21
        • Part of subcall function 00616E90: __vbaAryMove.MSVBVM60(?,?), ref: 00616F2F
        • Part of subcall function 00616E90: __vbaFreeVar.MSVBVM60 ref: 00616F38
        • Part of subcall function 00616E90: __vbaVarCopy.MSVBVM60 ref: 00616F58
        • Part of subcall function 00616E90: #685.MSVBVM60 ref: 00616F65
        • Part of subcall function 00616E90: __vbaObjSet.MSVBVM60(?,00000000), ref: 00616F70
        • Part of subcall function 00616E90: __vbaFreeObj.MSVBVM60 ref: 00616F88
        • Part of subcall function 00616E90: __vbaAryDestruct.MSVBVM60(00000000,?,00616FDD), ref: 00616FCD
        • Part of subcall function 00616E90: __vbaFreeStr.MSVBVM60 ref: 00616FD6
      • __vbaVarMove.MSVBVM60(?,?,?,?,?,?,00423E86), ref: 006918C6
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 006918D3
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 006918DE
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 006918F6
      • __vbaFreeStr.MSVBVM60(0069193C,?,?,?,?,00423E86), ref: 00691935
      Strings
      • AloahaCredentials:STR2BA, xrefs: 0069188C
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$FreeMove$Copy$Chkstk$Error$#685$#518#520#711#717DestructIndexLoadLockUnlockVar2
      • String ID: AloahaCredentials:STR2BA
      • API String ID: 2645920587-2631184953
      • Opcode ID: 9d29162618ecc5914cd54710d235be42b0fd35a30644d4909957aeccbca3f256
      • Instruction ID: 8c25ee82b44b4a337cd0bd1a8304d0e115fdc2e803bce3fecdc67271449cdd3f
      • Opcode Fuzzy Hash: 9d29162618ecc5914cd54710d235be42b0fd35a30644d4909957aeccbca3f256
      • Instruction Fuzzy Hash: AC310AB4900209EFCB04DF94DA59BDEBBB9FF08705F108119F512672A0DB78AA45CF94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00690440 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 65COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0069045E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0069048E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 006904A3
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 006904B5
      • __vbaLateMemCall.MSVBVM60(?,disconnect,00000000,?,?,?,?,00423E86), ref: 006904E4
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,00423E86), ref: 006904FF
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 0069051C
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 00690527
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 0069053F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Chkstk$CopyErrorFree$#518#520#685#711AddrefCallIndexLateLoadLockUnlock
      • String ID: AloahaCredentials:UnloadMiddleware$disconnect
      • API String ID: 1703638152-471183309
      • Opcode ID: 5472c66d568f7d8e5abb5ce19847e4eb00f7ae0c433836d8bf14a0d0f889cd5d
      • Instruction ID: 1cff3db748407e985587dea8606d8c21c58e1360b0caa25da68f93e0eceaef2d
      • Opcode Fuzzy Hash: 5472c66d568f7d8e5abb5ce19847e4eb00f7ae0c433836d8bf14a0d0f889cd5d
      • Instruction Fuzzy Hash: 732127B1901208EFDB10DF94DA49BDEBBB8FF08709F508158E501A72A1DBB95A48CF94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00691010 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 65COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0069102E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 00691067
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0069107F
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 00691094
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 006910A6
        • Part of subcall function 0060B3E0: __vbaChkstk.MSVBVM60(?,00423E86), ref: 0060B3FE
        • Part of subcall function 0060B3E0: __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0060B42B
        • Part of subcall function 0060B3E0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0060B43A
        • Part of subcall function 0060B3E0: #518.MSVBVM60(?,00004008), ref: 0060B45C
        • Part of subcall function 0060B3E0: __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 0060B49A
        • Part of subcall function 0060B3E0: __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 0060B4A8
        • Part of subcall function 0060B3E0: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0060B4BF
        • Part of subcall function 0060B3E0: __vbaStrCopy.MSVBVM60(?,?,00423E86), ref: 0060B4E2
        • Part of subcall function 0060B3E0: #685.MSVBVM60(?,?,00423E86), ref: 0060B9EF
        • Part of subcall function 0060B3E0: __vbaObjSet.MSVBVM60(?,00000000,?,?,00423E86), ref: 0060B9FA
        • Part of subcall function 0060B3E0: __vbaFreeObj.MSVBVM60(?,?,00423E86), ref: 0060BA1B
        • Part of subcall function 0060B3E0: __vbaFreeStr.MSVBVM60(0060BA70,?,?,00423E86), ref: 0060BA69
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,00423E86), ref: 006910C1
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 006910CE
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,00423E86), ref: 006910D9
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 006910F1
      • __vbaFreeStr.MSVBVM60(0069112E,?,?,?,?,00423E86), ref: 00691127
      Strings
      • AloahaCredentials:GetCSPByContainer, xrefs: 0069108C
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$CopyMove$Chkstk$Error$#518#685$#520#711IndexListLoadLockUnlock
      • String ID: AloahaCredentials:GetCSPByContainer
      • API String ID: 4204152061-3156170435
      • Opcode ID: 1a52b557a30cf7a300c0335df23901976450d0e88bfa287431fe354e49d09b42
      • Instruction ID: 23f100ab371bcee306f973886c9ca212ce91aa2f5781a1143e3f4878275b64d8
      • Opcode Fuzzy Hash: 1a52b557a30cf7a300c0335df23901976450d0e88bfa287431fe354e49d09b42
      • Instruction Fuzzy Hash: 23214175900209EFCB04DFA4DA48BDEBBB4FF08705F208158F512672A0DB749A09CFA4
      Uniqueness

      Uniqueness Score: -1.00%

      Function 006960D0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 63COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 006960EE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0069612A
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0069613F
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 00696151
        • Part of subcall function 0065D980: __vbaChkstk.MSVBVM60(00000000,00423E86,0065D46C), ref: 0065D99E
        • Part of subcall function 0065D980: __vbaAryConstruct2.MSVBVM60(?,0045EF7C,00000011,?,?,?,00000000,00423E86,0065D46C), ref: 0065D9D3
        • Part of subcall function 0065D980: __vbaAryConstruct2.MSVBVM60(?,0045EF7C,00000011,?,?,?,00000000,00423E86,0065D46C), ref: 0065D9E7
        • Part of subcall function 0065D980: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86,0065D46C), ref: 0065D9F6
        • Part of subcall function 0065D980: __vbaAryMove.MSVBVM60(?,?,?,?,?,00000000,00423E86,0065D46C), ref: 0065DA29
        • Part of subcall function 0065D980: #685.MSVBVM60(?,?,?,00000000,00423E86,0065D46C), ref: 0065DA46
        • Part of subcall function 0065D980: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00423E86,0065D46C), ref: 0065DA51
        • Part of subcall function 0065D980: __vbaFreeObj.MSVBVM60(?,?,?,00000000,00423E86,0065D46C), ref: 0065DA72
        • Part of subcall function 0065D980: __vbaStrCmp.MSVBVM60(0042ADE8,00000000), ref: 0065DAEB
        • Part of subcall function 0065D980: #685.MSVBVM60 ref: 0065DB00
        • Part of subcall function 0065D980: __vbaObjSet.MSVBVM60(?,00000000), ref: 0065DB0B
      • __vbaAryMove.MSVBVM60(?,?,?,?,?,?,00423E86), ref: 0069616E
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 0069617B
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 00696186
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 0069619E
      • __vbaAryDestruct.MSVBVM60(00000000,?,006961E1,?,?,?,?,00423E86), ref: 006961DA
      Strings
      • AloahaCredentials:PCSCCardReaders, xrefs: 00696137
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Chkstk$#685ErrorFree$Construct2Copy$#518#520#711DestructIndexLoadLockUnlock
      • String ID: AloahaCredentials:PCSCCardReaders
      • API String ID: 3495700036-3611318717
      • Opcode ID: 56a1c48de41fa0cb9e58ef094a9241c05788953707f548a7886374097513c04f
      • Instruction ID: 702994122a742f97516b4a1037ac5ccebe2082ca2c024d5fb25abb92cf241ca0
      • Opcode Fuzzy Hash: 56a1c48de41fa0cb9e58ef094a9241c05788953707f548a7886374097513c04f
      • Instruction Fuzzy Hash: 972119B5900208EFCB00DFA4DA48BDEBBB8FB08705F108119F512A72A1D7749A49CFA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 006A5CC0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 60COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 006A5CDE
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 006A5D17
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 006A5D26
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 006A5D3B
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 006A5D4D
      • __vbaStrCmp.MSVBVM60(0042ADE8,?,?,?,?,?,00423E86), ref: 006A5D63
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 006A5D7C
        • Part of subcall function 0056C330: __vbaChkstk.MSVBVM60(?,00423E86), ref: 0056C34E
        • Part of subcall function 0056C330: __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0056C37B
        • Part of subcall function 0056C330: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0056C38A
        • Part of subcall function 0056C330: __vbaStrMove.MSVBVM60 ref: 0056C3BB
        • Part of subcall function 0056C330: __vbaNew2.MSVBVM60(0042EAFC,006B58E0), ref: 0056C3DB
        • Part of subcall function 0056C330: __vbaHresultCheckObj.MSVBVM60(00000000,?,0042EAEC,00000014), ref: 0056C441
        • Part of subcall function 0056C330: __vbaHresultCheckObj.MSVBVM60(00000000,?,0042EB0C,00000058), ref: 0056C49E
        • Part of subcall function 0056C330: __vbaStrMove.MSVBVM60 ref: 0056C4CF
        • Part of subcall function 0056C330: __vbaFreeObj.MSVBVM60 ref: 0056C4D8
        • Part of subcall function 0056C330: __vbaStrCmp.MSVBVM60(true,00000000), ref: 0056C4F1
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,00423E86), ref: 006A5D92
      • __vbaFreeStr.MSVBVM60(006A5DB3,?,?,?,?,00423E86), ref: 006A5DAC
      Strings
      • AloahaCredentials:adduser, xrefs: 006A5D33
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Copy$ChkstkFree$Error$CheckHresult$#518#520#711IndexLoadLockNew2Unlock
      • String ID: AloahaCredentials:adduser
      • API String ID: 3089175194-4109718354
      • Opcode ID: 1ad8c1aadd91d17c4e1504a6f1d3dd119e3af17eba1bec2393f7029d6560c4f8
      • Instruction ID: 0bed05c5738fad9836fd24710b9b1eb7ea6c030fcc62b1e0ac5ec0e9032ba3e4
      • Opcode Fuzzy Hash: 1ad8c1aadd91d17c4e1504a6f1d3dd119e3af17eba1bec2393f7029d6560c4f8
      • Instruction Fuzzy Hash: F7216D71900209EBCB00EF94CA49BDEBBB4FF08705F108058E502772A0C7789E49CF64
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00697CB0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 60COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 00697CCE
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 00697D07
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 00697D16
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 00697D2B
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 00697D3D
        • Part of subcall function 005D3210: __vbaChkstk.MSVBVM60(?,00423E86), ref: 005D322E
        • Part of subcall function 005D3210: __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 005D325B
        • Part of subcall function 005D3210: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 005D326A
        • Part of subcall function 005D3210: #520.MSVBVM60(?,00004008), ref: 005D3295
        • Part of subcall function 005D3210: __vbaStrVarMove.MSVBVM60(?), ref: 005D329F
        • Part of subcall function 005D3210: __vbaStrMove.MSVBVM60 ref: 005D32AA
        • Part of subcall function 005D3210: __vbaFreeVar.MSVBVM60 ref: 005D32B3
        • Part of subcall function 005D3210: #712.MSVBVM60(?,0042FA64,0042ADE8,00000001,000000FF,00000000), ref: 005D32D4
        • Part of subcall function 005D3210: __vbaStrMove.MSVBVM60 ref: 005D32DF
        • Part of subcall function 005D3210: #608.MSVBVM60(?,0000000A), ref: 005D32F2
        • Part of subcall function 005D3210: __vbaStrVarVal.MSVBVM60(?,?,0042ADE8,00000001,000000FF,00000000), ref: 005D330B
        • Part of subcall function 005D3210: #712.MSVBVM60(?,00000000), ref: 005D3316
        • Part of subcall function 005D3210: __vbaStrMove.MSVBVM60 ref: 005D3321
        • Part of subcall function 005D3210: __vbaFreeStr.MSVBVM60 ref: 005D332A
        • Part of subcall function 005D3210: __vbaFreeVar.MSVBVM60 ref: 005D3333
        • Part of subcall function 005D3210: #608.MSVBVM60(?,0000000D), ref: 005D3346
        • Part of subcall function 005D3210: __vbaStrVarVal.MSVBVM60(?,?,0042ADE8,00000001,000000FF,00000000), ref: 005D335F
        • Part of subcall function 005D3210: #712.MSVBVM60(?,00000000), ref: 005D336A
        • Part of subcall function 005D3210: __vbaStrMove.MSVBVM60 ref: 005D3375
        • Part of subcall function 005D3210: __vbaFreeStr.MSVBVM60 ref: 005D337E
      • #685.MSVBVM60(?,?,?,?,?,00423E86), ref: 00697D5A
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 00697D65
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 00697D7D
      • __vbaFreeStr.MSVBVM60(00697DA7,?,?,?,?,00423E86), ref: 00697DA0
      Strings
      • AloahaCredentials:Save_Key, xrefs: 00697D23
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Free$ChkstkCopy$#712Error$#520#608$#518#685#711IndexLoadLockUnlock
      • String ID: AloahaCredentials:Save_Key
      • API String ID: 92791194-416306129
      • Opcode ID: ab1f06aa68d0c417595dd91519a9f0bc4b2595bc7eaa7789c9dad27cb9abc897
      • Instruction ID: 40ddd342b3d90f2fc4270c943322fcd80055c38e74467e04efc332fda415a460
      • Opcode Fuzzy Hash: ab1f06aa68d0c417595dd91519a9f0bc4b2595bc7eaa7789c9dad27cb9abc897
      • Instruction Fuzzy Hash: C7212175900209DFCB00DFA4CA49BDDBBB8FF48715F108159E50277260CB75AA05CFA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00606460 Relevance: 16.6, APIs: 11, Instructions: 108COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0060647E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 006064BA
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 006064DB
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00456020,0000015C), ref: 00606515
      • __vbaFreeObj.MSVBVM60 ref: 0060652A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0060654B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00456020,0000015C), ref: 00606585
      • __vbaFreeObj.MSVBVM60 ref: 0060659A
      • #685.MSVBVM60 ref: 006065A7
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 006065B2
      • __vbaFreeObj.MSVBVM60 ref: 006065CA
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresult$#685ChkstkError
      • String ID:
      • API String ID: 3217198854-0
      • Opcode ID: 404e08d5c108f14dffdab354aa92467957942801995fc8fdcfba856aa398cc89
      • Instruction ID: 9589930e9be7900248e18b3744124580439f37ffe9d29493416aa475f138a080
      • Opcode Fuzzy Hash: 404e08d5c108f14dffdab354aa92467957942801995fc8fdcfba856aa398cc89
      • Instruction Fuzzy Hash: BC41B6B5940208EFCB04DFA4C948BDEBBB9EB4C705F208159E502BB2A1C775A945CFA4
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00691440 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 60COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0069145E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 006914A3
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 006914B8
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 006914CA
        • Part of subcall function 00609C90: __vbaChkstk.MSVBVM60(?,00423E86), ref: 00609CAE
        • Part of subcall function 00609C90: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 00609CDE
        • Part of subcall function 00609C90: __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 00609D62
        • Part of subcall function 00609C90: __vbaStrCmp.MSVBVM60(0042ADE8,?,?,?,?,?,00423E86), ref: 00609D78
        • Part of subcall function 00609C90: #685.MSVBVM60(?,?,?,?,00423E86), ref: 00609D8D
        • Part of subcall function 00609C90: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 00609D98
        • Part of subcall function 00609C90: __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 00609DB9
        • Part of subcall function 00609C90: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,00423E86), ref: 00609DD4
        • Part of subcall function 00609C90: __vbaLateMemCallLd.MSVBVM60(?,?,serialnumber,00000000), ref: 00609DFE
        • Part of subcall function 00609C90: __vbaVarTstNe.MSVBVM60(?,00000000,?,?,?,00423E86), ref: 00609E0C
        • Part of subcall function 00609C90: __vbaFreeVar.MSVBVM60(?,?,?,00423E86), ref: 00609E19
        • Part of subcall function 00609C90: #685.MSVBVM60(?,?,?,00423E86), ref: 00609E32
      • __vbaStrMove.MSVBVM60(00000000,?,?,?,?,00423E86), ref: 006914E5
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 006914F2
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 006914FD
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 00691515
      Strings
      • AloahaCredentials:certhex, xrefs: 006914B0
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$ChkstkFree$#685CopyError$#518#520#711CallIndexLateLoadLockUnlock
      • String ID: AloahaCredentials:certhex
      • API String ID: 695205239-260845846
      • Opcode ID: 1c34c1251a9f6dc447b109455aecbd7c650383a6a575931e8b13707a0264a310
      • Instruction ID: c5dadf3d99ab28bbed9f16f68ecc4834ef18bed868970abb45f4508be0e16285
      • Opcode Fuzzy Hash: 1c34c1251a9f6dc447b109455aecbd7c650383a6a575931e8b13707a0264a310
      • Instruction Fuzzy Hash: E32157B5900209EFCB00DFA4C949BDEBBB8FF48705F108159F501672A1C7799A05CFA4
      Uniqueness

      Uniqueness Score: -1.00%

      Function 006A6010 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 006A602E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 006A6073
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 006A6088
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 006A609A
        • Part of subcall function 005D11E0: __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,00000000,?,00000000,00423E86,00000000), ref: 005D11FE
        • Part of subcall function 005D11E0: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00423E86), ref: 005D122E
        • Part of subcall function 005D11E0: #546.MSVBVM60(?,?,00000000,?,00000000,00423E86), ref: 005D123F
        • Part of subcall function 005D11E0: __vbaStrR8.MSVBVM60(00000000,00423E86), ref: 005D1254
        • Part of subcall function 005D11E0: __vbaStrMove.MSVBVM60 ref: 005D125F
        • Part of subcall function 005D11E0: __vbaFreeVar.MSVBVM60 ref: 005D1268
        • Part of subcall function 005D11E0: #685.MSVBVM60 ref: 005D1275
        • Part of subcall function 005D11E0: __vbaObjSet.MSVBVM60(?,00000000), ref: 005D1280
        • Part of subcall function 005D11E0: __vbaFreeObj.MSVBVM60 ref: 005D1298
      • __vbaStrMove.MSVBVM60(?,?,?,?,00423E86), ref: 006A60B1
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 006A60BE
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 006A60C9
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 006A60E1
      Strings
      • AloahaCredentials:Secondstr, xrefs: 006A6080
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$ChkstkFree$Error$#685Copy$#518#520#546#711IndexLoadLockUnlock
      • String ID: AloahaCredentials:Secondstr
      • API String ID: 3383009534-1156045992
      • Opcode ID: 8c7a8cad79bd13b966636fbe0d6f95d32df082f0ffcaa6633d256271ebe88a49
      • Instruction ID: d08bb8d605b431b290385f91d43c0cb09d1970ffc20dc9046acca6f511a47569
      • Opcode Fuzzy Hash: 8c7a8cad79bd13b966636fbe0d6f95d32df082f0ffcaa6633d256271ebe88a49
      • Instruction Fuzzy Hash: 8E212CB5900209EFCB00DFA4CA49BDEBBB4FF49705F108159F502672A1CB799A05CFA4
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00535410 Relevance: 15.1, APIs: 10, Instructions: 64COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0053542E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 00535475
      • __vbaCastObj.MSVBVM60(00000000,0043038C,?,?,?,?,00423E86), ref: 00535489
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 00535494
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 005354A2
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 005354AB
      • __vbaCastObj.MSVBVM60(00000000,0042AA4C,?,?,?,?,00423E86), ref: 005354BF
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 005354CA
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 005354D8
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 005354E1
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$AddrefCastFree$ChkstkError
      • String ID:
      • API String ID: 4027267587-0
      • Opcode ID: a2406542b7bf9cfa605a5c559dd3f60c09c0e50a2c6e33f4a549b94dfd5d9278
      • Instruction ID: 30e302416b9ee692586fc9dfc81765c9679f1c7094ceb838bf60ddeb8ef899ac
      • Opcode Fuzzy Hash: a2406542b7bf9cfa605a5c559dd3f60c09c0e50a2c6e33f4a549b94dfd5d9278
      • Instruction Fuzzy Hash: 5C21EDB5500208EFCB04DFA4DE49BDE7FB8FB48705F148259F615AB2A1C7789A04CBA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0069E070 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 88COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0069E08E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0069E0CA
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0046020C,0000003C), ref: 0069E100
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0046020C,00000034), ref: 0069E151
      • #685.MSVBVM60 ref: 0069E170
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0069E17B
      • __vbaFreeObj.MSVBVM60 ref: 0069E193
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$CheckHresult$#685ChkstkErrorFree
      • String ID: false
      • API String ID: 4158748858-734881840
      • Opcode ID: a6dc3c8179f9ed86c8bb2ba3b8606a194f3689759d886113a299758f82316332
      • Instruction ID: c6a01da0fc303da89281e3266fe12f7638282a863e795bd62c31ebcc7da1e0b7
      • Opcode Fuzzy Hash: a6dc3c8179f9ed86c8bb2ba3b8606a194f3689759d886113a299758f82316332
      • Instruction Fuzzy Hash: EF41E7B4900208EFDB00DFA4C988B9EBBB9BF48704F108559F901AB290C7B99A45CF95
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00698030 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0069804E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0069808A
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 0069809F
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 006980B1
      • #685.MSVBVM60(00000000,00000000,?,?,?,?,00423E86), ref: 006980D6
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 006980E1
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 006980F9
      Strings
      • AloahaCredentials:RegWrite_sz, xrefs: 00698097
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Chkstk$CopyErrorFree$#518#520#685#711IndexLoadLockUnlock
      • String ID: AloahaCredentials:RegWrite_sz
      • API String ID: 3568060291-2686080552
      • Opcode ID: 1aa236d71c879778afa8882a2167defdccdb9e631469d7303e7b6e2ae12d3d00
      • Instruction ID: 6011ccd07bbb35bc0c283591e78735f7ed4ef5667e0469906f6484b9508a8430
      • Opcode Fuzzy Hash: 1aa236d71c879778afa8882a2167defdccdb9e631469d7303e7b6e2ae12d3d00
      • Instruction Fuzzy Hash: C421FCB5900209EFDB00DFA4CA49BDEBBB8FF49705F108159F511A7261C778AA05CFA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00528450 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 54COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0052846E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 005284B5
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 005284CC
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 005284E9
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 005284F4
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 0052850C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ChkstkCopyErrorFree
      • String ID: T0k$csp.log
      • API String ID: 885798963-2528136869
      • Opcode ID: 92d41358f880d58ad355d84883503ccf4d98756072cae3c5902dc76b37fe0d10
      • Instruction ID: 1fa48138c5415e2aaaedcd9feb2a5995fc71fe65549202d4f997b9383579fb21
      • Opcode Fuzzy Hash: 92d41358f880d58ad355d84883503ccf4d98756072cae3c5902dc76b37fe0d10
      • Instruction Fuzzy Hash: 6F2160B5900208EFDB00DF94D949B9DBBB4FF48704F108259F915AB3A0CB799A44CF94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00542830 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 54COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0054284E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 00542895
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 005428AC
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 005428C9
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 005428D4
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 005428EC
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ChkstkCopyErrorFree
      • String ID: T0k$csp.log
      • API String ID: 885798963-2528136869
      • Opcode ID: 01da9db5e6092e5077f9cb741f3f2a234c2f7dba9e804179f89a0bc6dad8aab0
      • Instruction ID: 107a3b7f63de13042630036caef12bc4acd931aca7598dde2831dcff479600dd
      • Opcode Fuzzy Hash: 01da9db5e6092e5077f9cb741f3f2a234c2f7dba9e804179f89a0bc6dad8aab0
      • Instruction Fuzzy Hash: 61214AB5900208EFCB00DF94C949B9EBBB4FF48704F508259FA16AB3A0C7789A44CF95
      Uniqueness

      Uniqueness Score: -1.00%

      Function 006A48A0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 54COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 006A48BE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 006A48FA
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00423E86), ref: 006A490F
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60(?,00423E86,?,?,00000000), ref: 005AC78E
        • Part of subcall function 005AC770: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,?,00423E86), ref: 005AC7BE
        • Part of subcall function 005AC770: __vbaStrCmp.MSVBVM60(true,00000000,?,00000000,00000000,?,00423E86), ref: 005AC7D6
        • Part of subcall function 005AC770: __vbaStrCopy.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC7F5
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,00000000,00000000,?,00423E86), ref: 005AC80C
        • Part of subcall function 005AC770: __vbaVarDup.MSVBVM60 ref: 005AC843
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,000000FF,00000000), ref: 005AC86A
        • Part of subcall function 005AC770: #711.MSVBVM60(?,00000000), ref: 005AC878
        • Part of subcall function 005AC770: __vbaChkstk.MSVBVM60 ref: 005AC883
        • Part of subcall function 005AC770: __vbaVarIndexLoadRefLock.MSVBVM60(?,?,?,00000001), ref: 005AC8C1
        • Part of subcall function 005AC770: #520.MSVBVM60(?,00000000,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8D2
        • Part of subcall function 005AC770: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8DC
        • Part of subcall function 005AC770: #518.MSVBVM60(?,?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8F0
        • Part of subcall function 005AC770: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC8FD
        • Part of subcall function 005AC770: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,00000000,?,00423E86), ref: 005AC908
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,00423E86), ref: 006A4921
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 006A493E
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 006A4949
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 006A4961
      Strings
      • AloahaCredentials:LoopProtect, xrefs: 006A4907
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$Chkstk$CopyErrorFree$#518#520#685#711IndexLoadLockUnlock
      • String ID: AloahaCredentials:LoopProtect
      • API String ID: 3568060291-1240724463
      • Opcode ID: eee44231e9143ea62616f7280ed70bbfabe0f3b62a314531bc959f4da27af63d
      • Instruction ID: a3102b654fb2e8ccf03ce0064864a6f2dfdbde7d11002ccc69fb657163c17cd1
      • Opcode Fuzzy Hash: eee44231e9143ea62616f7280ed70bbfabe0f3b62a314531bc959f4da27af63d
      • Instruction Fuzzy Hash: 74212CB5900208EFCB00DF94CA49BDEBBB8FF48705F108159E501A72A1CB799E05CFA4
      Uniqueness

      Uniqueness Score: -1.00%

      Function 006338E0 Relevance: 13.6, APIs: 9, Instructions: 64COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 006338FE
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0063392E
        • Part of subcall function 00633A00: __vbaChkstk.MSVBVM60(00000000,00423E86,00633820,?,?,?,?,00423E86), ref: 00633A1E
        • Part of subcall function 00633A00: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86,00633820), ref: 00633A4E
        • Part of subcall function 00633A00: #525.MSVBVM60(00000069,?,?,?,00000000,00423E86,00633820), ref: 00633A5D
        • Part of subcall function 00633A00: __vbaStrMove.MSVBVM60(?,?,?,00000000,00423E86,00633820), ref: 00633A68
        • Part of subcall function 00633A00: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,00000000,00423E86,00633820), ref: 00633A7D
        • Part of subcall function 00633A00: __vbaLenBstr.MSVBVM60(?,00000000,?,?,?,00000000,00423E86,00633820), ref: 00633A88
        • Part of subcall function 00633A00: __vbaSetSystemError.MSVBVM60(00000000,?,?,?,00000000,00423E86,00633820), ref: 00633A97
        • Part of subcall function 00633A00: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,00423E86,00633820), ref: 00633AA5
        • Part of subcall function 00633A00: __vbaFreeStr.MSVBVM60 ref: 00633ABD
        • Part of subcall function 00633A00: #519.MSVBVM60(?), ref: 00633ADA
        • Part of subcall function 00633A00: __vbaStrMove.MSVBVM60 ref: 00633AE5
        • Part of subcall function 00633A00: #537.MSVBVM60(00000000), ref: 00633AF4
        • Part of subcall function 00633A00: __vbaStrMove.MSVBVM60 ref: 00633AFF
        • Part of subcall function 00633A00: #537.MSVBVM60(00000020), ref: 00633B07
        • Part of subcall function 00633A00: __vbaStrMove.MSVBVM60 ref: 00633B12
        • Part of subcall function 00633A00: __vbaStrMove.MSVBVM60(00000001,000000FF,00000000), ref: 00633B47
        • Part of subcall function 00633A00: __vbaStrMove.MSVBVM60(00000000), ref: 00633B57
        • Part of subcall function 00633A00: #712.MSVBVM60(?,00000000), ref: 00633B62
        • Part of subcall function 00633A00: __vbaStrMove.MSVBVM60 ref: 00633B6D
      • __vbaAryMove.MSVBVM60(?,?,?,?,?,?,00423E86), ref: 0063394B
        • Part of subcall function 00634230: __vbaChkstk.MSVBVM60(00000000,00423E86,00000003,?,?,?,?,00423E86), ref: 0063424E
        • Part of subcall function 00634230: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00423E86,00000003), ref: 0063427E
        • Part of subcall function 00634230: __vbaAryCopy.MSVBVM60(?,?,?,?,?,00000000,00423E86,00000003), ref: 00634293
        • Part of subcall function 00634230: __vbaAryCopy.MSVBVM60(?,?,?,?,?,00000000,00423E86,00000003), ref: 006342A8
        • Part of subcall function 00634230: #685.MSVBVM60(?,?,?,00000000,00423E86,00000003), ref: 006342B5
        • Part of subcall function 00634230: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00423E86,00000003), ref: 006342C0
        • Part of subcall function 00634230: __vbaFreeObj.MSVBVM60(?,?,?,00000000,00423E86,00000003), ref: 006342D8
        • Part of subcall function 00634230: __vbaStrCopy.MSVBVM60 ref: 0063433F
        • Part of subcall function 00634230: #685.MSVBVM60 ref: 0063434C
        • Part of subcall function 00634230: __vbaObjSet.MSVBVM60(?,00000000), ref: 00634357
        • Part of subcall function 00634230: __vbaHresultCheckObj.MSVBVM60(00000000,?,0042DF28,0000001C), ref: 0063438A
      • __vbaAryCopy.MSVBVM60(?,?,?,00000002,?,?,?,?,00423E86), ref: 00633972
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 0063397F
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 0063398A
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 006339A2
      • __vbaAryDestruct.MSVBVM60(00000000,?,006339E8,?,?,?,?,00423E86), ref: 006339D5
      • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,00423E86), ref: 006339E1
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$CopyError$#685ChkstkFree$#537Destruct$#519#525#712AnsiBstrCheckHresultSystemUnicode
      • String ID:
      • API String ID: 2489236961-0
      • Opcode ID: af26213164e03c58b57b573b16e5785af4c4cd0bbad224d88cc2f8d3340e21a8
      • Instruction ID: e30a8ca6364c3f86a146b7c9070b858fc2e1b9f31afc6918c1b0bd281cdd8e30
      • Opcode Fuzzy Hash: af26213164e03c58b57b573b16e5785af4c4cd0bbad224d88cc2f8d3340e21a8
      • Instruction Fuzzy Hash: 2D210EB1900208EFDB00DFE4DA49BDEBBB8FB48705F108559F602B62A0D7745645CFA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00539800 Relevance: 12.1, APIs: 8, Instructions: 87COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0053981E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 00539865
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 00539886
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0042EBF0,0000005C), ref: 005398B7
      • __vbaFreeObj.MSVBVM60 ref: 005398CC
      • #685.MSVBVM60 ref: 005398EF
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 005398FA
      • __vbaFreeObj.MSVBVM60 ref: 00539912
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685CheckChkstkErrorHresult
      • String ID:
      • API String ID: 3196891914-0
      • Opcode ID: ec01ff4451c1527acb94df66013e3e1322bc2841523364605e7635290d4ef47e
      • Instruction ID: 13837f3c8c316c3cccb28f75603b74835e22ebc1d44644e87668492e1a2681a0
      • Opcode Fuzzy Hash: ec01ff4451c1527acb94df66013e3e1322bc2841523364605e7635290d4ef47e
      • Instruction Fuzzy Hash: 0341E8B5900208EFCB04DFA4C988BDEBBB4FF48715F108559F515AB2A0C775AA45CFA4
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00531CA0 Relevance: 10.6, APIs: 7, Instructions: 64COMMON
      Download Yara Rule
      APIs
      • __vbaStrCat.MSVBVM60(?,00430E94,?,?,?,?,?,?,?,?,?,00423E86), ref: 00531CEE
      • __vbaStrMove.MSVBVM60(?,00430E94,?,?,?,?,?,?,?,?,?,00423E86), ref: 00531CFB
      • __vbaStrCat.MSVBVM60(00431730,00000000,?,00430E94,?,?,?,?,?,?,?,?,?,00423E86), ref: 00531D03
      • __vbaStrMove.MSVBVM60(?,00430E94,?,?,?,?,?,?,?,?,?,00423E86), ref: 00531D0A
      • #581.MSVBVM60(00000000,?,00430E94,?,?,?,?,?,?,?,?,?,00423E86), ref: 00531D0D
      • __vbaCopyBytes.MSVBVM60(00000004,?,?,?,00430E94,?,?,?,?,?,?,?,?,?,00423E86), ref: 00531D31
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00430E94,?,?,?,?,?,?,?,?,?,00423E86), ref: 00531D41
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Move$#581BytesCopyFreeList
      • String ID:
      • API String ID: 2085924500-0
      • Opcode ID: d3ce484dbc08c09576f249a032346fb73dd4ebc6ce262d209c101c93419a6119
      • Instruction ID: 6a77bcf6ed5f34f058f9246edb4cb80f831f9fa9e8365fb71e234890713af481
      • Opcode Fuzzy Hash: d3ce484dbc08c09576f249a032346fb73dd4ebc6ce262d209c101c93419a6119
      • Instruction Fuzzy Hash: A021DBB1D00209AFCB04DFA4C945EEEBBB8FB48704F10856AE505E3250E7746A45CBA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 006048F0 Relevance: 9.1, APIs: 6, Instructions: 131COMMON
      Download Yara Rule
      APIs
      • __vbaHresultCheckObj.MSVBVM60(00000000,6D276179,00437410,00000028), ref: 00604955
      • __vbaHresultCheckObj.MSVBVM60(00000000,6D276179,00437410,00000024), ref: 00604976
      • __vbaHresultCheckObj.MSVBVM60(00000000,6D276179,00437410,00000020), ref: 006049CB
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 006049DF
      • __vbaHresultCheckObj.MSVBVM60(00000000,6D276179,00437410,00000020), ref: 00604A2F
      • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00604A3F
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$CheckHresult$FreeList
      • String ID:
      • API String ID: 2772417511-0
      • Opcode ID: e8bfa34522e1574b16a950b2ec04a1d039ec7b9633a5fdf9954c9c9fa0991ec4
      • Instruction ID: 8683135089896419ad5fe37de92ff927dec61d47cd4667bcfb184acc729e0cdf
      • Opcode Fuzzy Hash: e8bfa34522e1574b16a950b2ec04a1d039ec7b9633a5fdf9954c9c9fa0991ec4
      • Instruction Fuzzy Hash: FF4129B0940218AFDB10CF98CC89EEEBBB9FF48704F20452EF545A7291D7746945CBA8
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005BD8D0 Relevance: 9.0, APIs: 6, Instructions: 43COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86), ref: 005BD8EE
      • __vbaOnError.MSVBVM60(000000FF,?,?,00000000,00000000,00423E86), ref: 005BD91E
      • __vbaSetSystemError.MSVBVM60(00000064,?,?,00000000,00000000,00423E86), ref: 005BD932
      • #685.MSVBVM60(?,?,00000000,00000000,00423E86), ref: 005BD94F
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,?,00000000,00000000,00423E86), ref: 005BD95A
      • __vbaFreeObj.MSVBVM60(?,?,00000000,00000000,00423E86), ref: 005BD972
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Error$#685ChkstkFreeSystem
      • String ID:
      • API String ID: 770513971-0
      • Opcode ID: 25ac488c9eb0af04245123d8f6eace8bc0b9a29a6a62079695c04f24ea570a57
      • Instruction ID: d7c2613ac16d5b7f77f0419bfdfecaecda3b7295a5e3f158331ed4530361a0f0
      • Opcode Fuzzy Hash: 25ac488c9eb0af04245123d8f6eace8bc0b9a29a6a62079695c04f24ea570a57
      • Instruction Fuzzy Hash: 5E1139B1D00208EBDB00DF94DA49B8EBBB8FF08705F104159F611A72A1C7B96A04CFA9
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0059EC00 Relevance: 9.0, APIs: 6, Instructions: 41COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0059EC1E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0059EC4E
      • __vbaObjSetAddref.MSVBVM60(006B350C,00000000,?,?,?,?,00423E86), ref: 0059EC62
      • #685.MSVBVM60(?,?,?,?,00423E86), ref: 0059EC6F
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00423E86), ref: 0059EC7A
      • __vbaFreeObj.MSVBVM60(?,?,?,?,00423E86), ref: 0059EC92
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685AddrefChkstkErrorFree
      • String ID:
      • API String ID: 1923674218-0
      • Opcode ID: 5cfd49121fcb0dbc17943225dcd0e3c960a9f7a935836dfe36251692c03ab9a3
      • Instruction ID: 463ffea758e9cdacddd5a5c2cb1db1ee19d5d02f1a57127f45eff16f43ced9f1
      • Opcode Fuzzy Hash: 5cfd49121fcb0dbc17943225dcd0e3c960a9f7a935836dfe36251692c03ab9a3
      • Instruction Fuzzy Hash: DB1140B1941208EFDB00DFD4DA0AB8EBBB8FB08705F504159F511B72A1C7795A04CFA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0052D070 Relevance: 7.6, APIs: 5, Instructions: 53COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86), ref: 0052D08E
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00423E86), ref: 0052D0CA
      • #685.MSVBVM60 ref: 0052D10A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0052D115
      • __vbaFreeObj.MSVBVM60 ref: 0052D12D
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ChkstkErrorFree
      • String ID:
      • API String ID: 3748628540-0
      • Opcode ID: 156156c0115ee99af106d74ead9dc2b9e86f3edec271e2af8c51d1e9f6f3ca50
      • Instruction ID: 06828acf9d16b48297c376cf38e0c9fce86ead2c8988c9e2655ab50311f0477a
      • Opcode Fuzzy Hash: 156156c0115ee99af106d74ead9dc2b9e86f3edec271e2af8c51d1e9f6f3ca50
      • Instruction Fuzzy Hash: 4A2106B4900208EFDB00DF94DA48B9EBBB4FF08304F108148E915AB3A1D7B9AA44CF95
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00600400 Relevance: 7.5, APIs: 5, Instructions: 49COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,00000000,00000000,?,00423E86), ref: 0060041E
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00423E86), ref: 0060044E
      • #685.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 00600489
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000,00000000,00000000,00423E86), ref: 00600494
      • __vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 006004AC
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ChkstkErrorFree
      • String ID:
      • API String ID: 3748628540-0
      • Opcode ID: 5c234e618b6fa0bf30fa5a6111d14b238c4154b3fec3037ced99d511f3deb46b
      • Instruction ID: cde51dd8d93f193d6ca40eeecc84cc287510aec99fd9b8c88bb6946a628f1fd0
      • Opcode Fuzzy Hash: 5c234e618b6fa0bf30fa5a6111d14b238c4154b3fec3037ced99d511f3deb46b
      • Instruction Fuzzy Hash: 42113DB0901208EFDB00DF94CA48BDEBBB5FF48715F208159E505AB291C7795B45CFA4
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00624840 Relevance: 7.5, APIs: 5, Instructions: 42COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00423E86,?,?,?,?,0061F714,?), ref: 0062485E
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00423E86), ref: 0062488E
        • Part of subcall function 005CB5D0: __vbaChkstk.MSVBVM60(0061F714,00423E86,?,?,00000000,?,?,00423E86), ref: 005CB5EE
        • Part of subcall function 005CB5D0: __vbaStrCopy.MSVBVM60(?,00000000,?,0061F714,00423E86), ref: 005CB61B
        • Part of subcall function 005CB5D0: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,0061F714,00423E86), ref: 005CB62A
        • Part of subcall function 005CB5D0: __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000000), ref: 005CB64F
        • Part of subcall function 005CB5D0: #518.MSVBVM60(?,00004008), ref: 005CB690
        • Part of subcall function 005CB5D0: __vbaInStrVar.MSVBVM60(?,00000000,00000008,?,00000001), ref: 005CB6C8
        • Part of subcall function 005CB5D0: __vbaVarTstGt.MSVBVM60(00008002,00000000), ref: 005CB6D6
        • Part of subcall function 005CB5D0: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 005CB6ED
        • Part of subcall function 005CB5D0: #685.MSVBVM60(?,00000000), ref: 005CB734
        • Part of subcall function 005CB5D0: __vbaObjSet.MSVBVM60(?,00000000,?,00000000), ref: 005CB73F
        • Part of subcall function 005CB5D0: __vbaFreeObj.MSVBVM60(?,00000000), ref: 005CB760
      • #685.MSVBVM60(?,?,00000000,?,?,00423E86), ref: 006248AD
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,00000000,?,?,00423E86), ref: 006248B8
      • __vbaFreeObj.MSVBVM60(?,?,00000000,?,?,00423E86), ref: 006248D0
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$Free$#685ChkstkError$#518CopyList
      • String ID:
      • API String ID: 2482196459-0
      • Opcode ID: 888069588e58163c229c5367cbe9db8899690c055ec6c9e533472a327f97f8e3
      • Instruction ID: 8ab4e52a700a67352e9982946468374691fb1a69e734e373387d0019c3905b58
      • Opcode Fuzzy Hash: 888069588e58163c229c5367cbe9db8899690c055ec6c9e533472a327f97f8e3
      • Instruction Fuzzy Hash: 9D112DB5900208EFDB00DF94DA49BDEBBB8FF48704F108259F511672A1CBB99A04DFA5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 005D40F0 Relevance: 7.5, APIs: 5, Instructions: 40COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(00000000,00423E86,?,?,00000000,00000000,?,00423E86), ref: 005D410E
      • __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00423E86), ref: 005D413E
        • Part of subcall function 005D3FD0: __vbaChkstk.MSVBVM60(00000000,00423E86), ref: 005D3FEE
        • Part of subcall function 005D3FD0: __vbaOnError.MSVBVM60(000000FF,?,00000000,00000000,00000000,00423E86), ref: 005D401E
        • Part of subcall function 005D3FD0: __vbaStrCmp.MSVBVM60(0042ADE8,00000000,?,00000000,00000000,00000000,00423E86), ref: 005D4036
        • Part of subcall function 005D3FD0: __vbaI4Str.MSVBVM60(00000000,?,00000000,00000000,00000000,00423E86), ref: 005D404E
        • Part of subcall function 005D3FD0: #685.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 005D4099
        • Part of subcall function 005D3FD0: __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000,00000000,00000000,00423E86), ref: 005D40A4
        • Part of subcall function 005D3FD0: __vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 005D40BC
      • #685.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 005D415A
      • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000000,00000000,00000000,00423E86), ref: 005D4165
      • __vbaFreeObj.MSVBVM60(?,00000000,00000000,00000000,00423E86), ref: 005D417D
      Memory Dump Source
      • Source File: 00000000.00000002.2093391140.0000000000513000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2093376315.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093391140.00000000004CF000.00000020.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093617801.00000000006B3000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2093634901.00000000006BA000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: __vba$#685ChkstkErrorFree
      • String ID:
      • API String ID: 3748628540-0
      • Opcode ID: 2908fd18eb88616c7dd1807d09efc79174937d3835571f36b86c58c5a473d44a
      • Instruction ID: 126582daea42ffdd129ef8fd2c9376f5ce0f826a61c3a84cbfaff3c0fd26adba
      • Opcode Fuzzy Hash: 2908fd18eb88616c7dd1807d09efc79174937d3835571f36b86c58c5a473d44a
      • Instruction Fuzzy Hash: 3201E5B1900219EFDB00DFE8CA09B9EBBB8FB08705F10415AE611B72A1C7795A45CFA5
      Uniqueness

      Uniqueness Score: -1.00%